Unable to distribute to European regions about azvmimagebuilder HOT 9 CLOSED

Hi apologies for the delay in response. You need to give the Image Builder Service Principal contributor permissions to the SIG resource group or Managed Image resource group you are distributing too. If you look at the Quick Starts, https://github.com/danielsollondon/azvmimagebuilder/tree/master/solutions/5_PowerShell_deployments#step-1-set-up-environment-and-variables

its this PowerShell that sets that up:

New-AzRoleAssignment -ObjectId ef511139-6170-438e-a6e1-763dc31bdf74 -Scope /subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup -RoleDefinitionName Contributor

Please LMK if this resolves your issue.

from azvmimagebuilder.

Hi Daniel, Thanks for the information, I found in my environment I had to give it the ObjectID of the Azure Virtual Machine Image Builder application

which appears to be different depending on the tenant used.

While this solved the permissions issue I then got a timeout issue, specifically:

The resource operation completed with terminal provisioning state 'Failed'
Failed in building/customizing image: Failed while waiting for packerizer: Timeout waiting for microservice to complete: 'context deadline exceeded'

I do a number of significant customisation of the image in question, is this causing the backend authentication to timeout as its not refreshing the access token?

The initial request was sent at 2019-11-27T10:22:36.1266117Z, it was accepted at 2019-11-27T10:22:38.5261225Z and the error was produced at 2019-11-27T12:22:53.6304462Z.

from azvmimagebuilder.

The image builder only uses the token on when you submit the template initially to the service, not during the image build time. The error you are hitting is because the image customization exceeded it a customization timeout. What is your current timeout set to? Also, have you looked in the customization logs? https://github.com/danielsollondon/azvmimagebuilder/blob/master/troubleshootingaib.md#image-build-errors--troubleshooting

Let me know if you cannot see anything in the logs.

from azvmimagebuilder.

Thanks for the assistance, I definitely brain farted on out issue 🤦‍♂ Looking into the logs deeper I see an endless stream of:

[963a94eb-b4db-414f-8f8d-7c140c6bb01d] PACKER OUT     azure-arm: IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE

Looking in the sysprep logs I discovered the following errors:

2019-12-03 08:40:51, Error      [0x0f0082] SYSPRP LaunchDll:Failure occurred while executing 'DscCore.dll,SysPrep_Cleanup', returned error code 0x2
2019-12-03 08:40:51, Error      [0x0f0070] SYSPRP RunDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x2[gle=0x00000006]
2019-12-03 08:40:51, Error      [0x0f00ae] SYSPRP WinMain:Hit failure while processing sysprep cleanup external providers; hr = 0x80070002[gle=0x00000006]

One of the things my customization do is install the latest stable PowerShell version from github, I wasn't able to identify if dsccore.dll is related to this or not though. Any thoughts would be greatly appreciated.

from azvmimagebuilder.

Np, you're hitting a SysPrep failure, to test your theory, can you remove your the updating PowerShell step, and any dependent steps. If that does not work, I did a search on the internet, and found this: MicrosoftDocs/azure-docs#43893, not sure if it is related?? If you know a SysPrep command that works for what you are doing, you can override the SysPrep command that we execute; https://github.com/danielsollondon/azvmimagebuilder/blob/master/troubleshootingaib.md#vms-created-from-aib-images-do-not-create-successfully

Please keep me updated here, I would like to get your issues resolved.

from azvmimagebuilder.

I've narrowed the issue down to the installation of Office365, SSMS, RSAT or VS2019. I'm just in the process of adding them in one at a time to see which causes the failure and I'll report back once I have a definitive answer

from azvmimagebuilder.

I think I've found the issue, on our main subscription we enforce an Azure Policy to distribute the MMA and Dependency agents to ensure that we are monitoring and tracking all VMs in the sub. Unfortunately this also picks up the Image Builder VM. I couldn't find an easy way to exclude Image Builder at a resource group level as I am rebuilding the resource regularly so the resource group keeps changing.

As a work around I've moved the Image Builder resources to a separate subscription and I'm using a Shared Image Gallery to share the images back into the original subscription. Is there any way to exclude the image builder VMs from normal, prebuilt Azure Policies?

from azvmimagebuilder.

Thanks for the update, I'm glad its working, I am checking with internal teams to see what options we have here.

from azvmimagebuilder.

We now have EU region support:
https://github.com/danielsollondon/azvmimagebuilder#march-2020-updates

Thanks!

from azvmimagebuilder.