Windows Server 2016 Nano - In Practice on AWS EC2

I have decided NOT to use Windows Server 2016 Nano at this time. The following explains what I got working, and where I got stuck.  

I wanted to run custom Windows services compiled with Delphi for win64, and have them serve dynamic web content through IIS using a custom ISAPI extension, as I do on Windows Server 2012 and 2016.

I wanted to work with standalone Nano servers, without being in a corporate domain or using Active Directory, i.e. TCP/IP, not "computername" hook-ups.

I used AWS EC2 to launch my Nano instances for testing purposes.  That saves the difficulty of making the VHD image etc.  It introduces other challenges however, because the starting point is determined by Amazon.  I thought IIS would be included by default but it is not.  

I already had some Windows Server 2012/2016 systems running on EC2 in Oregon. Those all have normal remote desktop access, with full GUI.  It is essential to launch the Nano instance in a network such that you have a "local" connection over TCP/IP.  On EC2, this means being in the same region and in the same availability zone, e.g. us-west-2c.  In simplest terms, the private IP of the machine that has a GUI needs to be on the same subnet as the private IP of the Nano machine without a GUI.

I upgraded .NET and PowerShell (Windows Management Framework) to the latest versions. This gave me PowerShell 5.1.  The EC2 machine had a recent version of PowerShell available.

I wanted to be able to remote-PowerShell into the Nano box from anywhere, i.e. from a public network.  I wanted to do that over https without enabling the use of any/forged certificates.

I was able to make the self-signed certificate and get that copied onto my with-gui server.  Then I was able to download that to my public machine and connect over https. 

Some PowerShell tasks were very easy.  For example, I launched the instance with 9 GB instead of 8, and used PowerShell to separate 1 GB of that into a separate Drive D: on the Nano machine.  Invoke-WebRequest also worked perfectly for transferring files onto the Nano box, and then Expand-Archive worked for unzipping.

I saved the scripts in two sets.

1. On the local server with GUI:  BootStrap_VPC_HTTP

2. On the public system i.e. development laptop: Pub_HTTPS

The scripts depend on some ZaphodsMap configuration to get the credentials and ip numbers, but if you fill in your own values, you should be able to make use of them.  The idea is to get the self-signed certificate onto the local server with GUI, transfer the cert to the development system, and then connect from there.
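The certificate hand-off described above, sketched as an added example (this is not the BootStrap_VPC_HTTP or Pub_HTTPS scripts). The function names, file paths and sample values are hypothetical, and it assumes New-SelfSignedCertificate, Export-Certificate and New-NetFirewallRule are available on the Nano image.

```powershell
# Added example; function names and all sample values are hypothetical.

# Run on the server with GUI (inside the VPC). Connects over WinRM-HTTP, creates the
# HTTPS listener on the Nano box, and brings back the certificate's public part.
function Publish-NanoHttpsListener {
    param([string]$PrivateIp, [string]$PublicName, [pscredential]$Credential, [string]$CerOut)
    # A non-domain target reached by IP over HTTP has to be in TrustedHosts.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $PrivateIp -Concatenate -Force
    $s = New-PSSession -ComputerName $PrivateIp -Credential $Credential
    try {
        $thumb = Invoke-Command -Session $s -ArgumentList $PublicName -ScriptBlock {
            param($dnsName)
            # The subject must match the name clients connect to, or the CN check fails.
            $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My
            New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
                -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
            New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound `
                -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
            # Export the public part only; the private key stays on the Nano box.
            Export-Certificate -Cert $cert -FilePath C:\nano-winrm.cer | Out-Null
            $cert.Thumbprint
        }
        Copy-Item -FromSession $s -Path C:\nano-winrm.cer -Destination $CerOut
        return $thumb
    } finally { Remove-PSSession $s }
}

# Run on the development machine (elevated) once the .cer file has been moved there.
function Connect-NanoHttps {
    param([string]$PublicName, [string]$CerPath, [string]$ExpectedThumbprint, [pscredential]$Credential)
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    # Refuse to trust a file that is not the certificate generated on the Nano box.
    if ($cer.Thumbprint -ne $ExpectedThumbprint) { throw "Unexpected thumbprint $($cer.Thumbprint)" }
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    # Full validation applies: no -SkipCACheck / -SkipCNCheck session options.
    New-PSSession -ComputerName $PublicName -UseSSL -Credential $Credential
}

# Usage with constructed values:
#   $t = Publish-NanoHttpsListener -PrivateIp 10.0.0.10 -PublicName nano.example.com `
#            -Credential (Get-Credential) -CerOut C:\Temp\nano-winrm.cer
#   $pubHTTPS = Connect-NanoHttps -PublicName nano.example.com -CerPath C:\Temp\nano-winrm.cer `
#            -ExpectedThumbprint $t -Credential (Get-Credential)
```

The name passed as -PublicName has to be the one the development machine later connects to, because the client checks it against the certificate subject.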

One note about the EC2 security settings for inbound traffic to the Nano instance.  I opened WinRM-HTTP to the local-server-with-GUI's private IP number.  I had to open WinRM-HTTPS to All.  I was connecting from inside a Windows guest in VirtualBox on an Ubuntu host and I was unable to get past the EC2 firewall by opening access to "My IP".  I would hope restricted access would work for a regular Windows system that was not inside VirtualBox.  I did not have time to test that.  At least the default passwords are much longer nowadays on EC2.

After the connection is in place (the "PSSession"), then you can run PowerShell commands from its restricted no-gui subset ("core").

    Invoke-Command -Verbose -Session $pubHTTPS -Script {
        DIR C:
        DIR D:
    }

As to what you can do from PowerShell, obviously you can run Start-Process BUT you can only run win64 executables that operate within the confines of the Nano world. 

So first I had to work out how to determine which EXEs were plausible win64 binaries.  This script was very handy.  In my world, these EXEs were ones I wanted to use:

    Get-ExecutableType -Path "D:\Apps\Utilities\SVN\CollabNet\svn.exe" #64-bit
    Get-ExecutableType -Path "D:\Apps\Utilities\7Zip\7za.exe" #64-bit and this WORKS on NANO.
    Get-ExecutableType -Path "D:\Apps\Utilities\SVN\TortoiseSVN\bin\svn.exe" #64-bit
    Get-ExecutableType -Path "D:\Apps\HREFTools\MiscUtil\wait.exe" #32-bit
    Get-ExecutableType -Path "D:\Apps\Utilities\AWS\CLI\aws.exe" #64-bit

    Get-ExecutableType -Path "D:\Program Files\Raize\CS5\Bin\CSDispatcher.exe" #32-bit
    Get-ExecutableType -Path "D:\Apps\Utilities\NcFTP\ncftpget.exe" #32-bit

Yes. Out of all those candidates of command line programs, the only command line tool that actually showed output when used on the Nano box was: 7za.exe.  The other ones, to my great disappointment, never showed any output and as far as I could measure, never did anything.  So one of my big obstacles: no svn.exe command line can be used on Nano right now.
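The 32-bit versus 64-bit check used above comes down to reading the Machine field of the PE header. The following added example shows that check with a hypothetical helper, Get-PeMachineType; it is not the Get-ExecutableType script referred to in the post. It reports the architecture only, and as the results above show, a 64-bit result does not by itself mean the program runs on Nano.

```powershell
# Added example: hypothetical helper, not the Get-ExecutableType script used above.
function Get-PeMachineType {
    param([Parameter(Mandatory)][string]$Path)
    # .NET file APIs ignore the PowerShell location, so resolve to a full path first.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $fs = [System.IO.File]::OpenRead($full)
    try {
        $br = New-Object System.IO.BinaryReader $fs
        # DOS header: "MZ" magic, then e_lfanew (offset of the PE header) at 0x3C.
        if ($fs.Length -lt 0x40 -or $br.ReadUInt16() -ne 0x5A4D) { return 'Not a PE file' }
        $fs.Position = 0x3C
        $peOffset = $br.ReadUInt32()
        # e_lfanew comes from the file itself, so bounds-check it before seeking.
        if ($peOffset + 6 -gt $fs.Length) { return 'Not a PE file' }
        $fs.Position = $peOffset
        if ($br.ReadUInt32() -ne 0x00004550) { return 'Not a PE file' }   # "PE\0\0"
        # The first field of the COFF header that follows is Machine.
        switch ($br.ReadUInt16()) {
            0x014C  { '32-bit (x86)' }
            0x8664  { '64-bit (x64)' }
            0xAA64  { '64-bit (ARM64)' }
            default { 'Other machine type 0x{0:X4}' -f $_ }
        }
    } finally { $fs.Dispose() }
}

# Usage, with a path taken from the list above:
#   Get-PeMachineType -Path "D:\Apps\Utilities\7Zip\7za.exe"
```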

MSI files do not work either by the way.  I made ZIP files for my tests, and then used PowerShell Expand-Archive to get the contents out.

To be crystal clear about what I mean about no output, let me show you two commands that work locally but not on the remote Nano box.

    Write-Output "Testing 7za"
    & "D:\Apps\Utilities\7Zip\7za.exe"    --help 2>&1 | % ToString | Out-String
    Write-Output "Testing aws cli"
    & "D:\Apps\Utilities\AWS\CLI\aws.exe" --version 2>&1 | % ToString | Out-String

Run locally on my Windows 10 Pro system, both 7za and aws.exe display output on the screen.

Run remotely, only 7za shows anything.  Here is the remote syntax:

    Invoke-Command -Verbose -Session $pubHTTPS -Script {
        Write-Output "Testing 7za"
        & "D:\Apps\Utilities\7Zip\7za.exe"    --help 2>&1 | % ToString | Out-String
        Write-Output "Testing aws cli"
        & "D:\Apps\Utilities\AWS\CLI\aws.exe" --version 2>&1 | % ToString | Out-String
    }

IIS for Static Files in Default Web Site - Easy

Under things that did work, IIS was easy to install. (Thanks.)

    Invoke-Command -Verbose -Session $pubHTTPS -Script {

        # FYI optional
        # Get-CimInstance win32_operatingsystem | Select-Object Version
        #

        Save-Module -Path "$env:programfiles\WindowsPowerShell\Modules\" -Name NanoServerPackage -minimumVersion 1.0.1.0
        Import-PackageProvider NanoServerPackage
        # FYI optional
        # Find-Package -ProviderName NanoServerPackage
        #

        Install-Package -ProviderName NanoServerPackage -Name Microsoft-NanoServer-IIS-Package
        Start-Service WAS
        Start-Service W3SVC
        # at this point, I got a response for http://x.x.x.x/ using the public IP on the EC2 box.

        Import-Module IISAdministration
        # optional
        # Get-IISSite "Default Web Site"

        dism /Enable-Feature /online /featurename:IIS-ApplicationDevelopment
        dism /Enable-Feature /online /featurename:IIS-ISAPIExtensions

    }

ISAPI Extension

So then I thought I would copy my isapi DLL up to the Nano server and test it.  Ha, think again.  Tragically, the Copy-Item cmdlet has bugs when used -ToSession.  My syntax:

    Write-Output "whAppliance"
    Copy-Item -ToSession $pubHTTPS -Path "D:\Projects\webhubdemos\Servers\LiteMore\drivedroot\whAppliance" -Destination "D:\whAppliance" -Recurse

It ran slowly and flashed various things but in the end, only a small fraction of the files were copied.  I found someone else saying that Copy-Item skipped the first folder. That was not my experience.  It seemed to copy a little, starting from the top alphabetically, and then it gave up.  i.e. if there were 5 files in the root, only 1 file was copied, and the first level of subdirectories was created but none of the contents were copied.  i.e. extremely useless.


Summary: it is time to give up and wait for the industry to more fully adopt the Nano platform.  I support the goal. For me, right now, this is much too difficult.




