Hi guys, I will help you step by step to manual provision a windows machine. :-) ====== Introduction ====== Not long ago, manual provisioning in Juju was possible for linux machines. This feature is quite handy if you want to mange by yourself the cloud or you are providing for your services you own hosted cloud. ===== For this example we are are using this: ===== State Machine : xenial ubuntu | 10.10.10.101) Windows Machine : windows 2012 r2 | 10.10.10.102) ==== So without further ado let's start the hacking process ==== ====== Step 1 ====== '' This step will be entirly on the controller. Seting up the environ for manual compiling, instaling build scripts, make the process more automated'' Pop up a bash terminal windows in your controller(juju client machine) and execute din commands in order. go get -v -u https://github.com/hoenirvili/juju/... go get -v -u launchpad.net/godeps cd $GOPATH/src/github.com/juju/juju git checkout enable-windows-provisioner godeps -t -u dependencies.tsv I will supply here a link to the gist where you could download the build script in order to make the process more simpler. [[https://gist.github.com/hoenirvili/3c8f858a3865f3b31a3ee19c58ab2688]] Download all scripts in some location ,make them executable and point the path into $PATH env. For example(in my order of things). SCRIPT_PATH = ~/Documents/scripts/ mkdir -p $SCRIPT_PATH cd $SCRIPT_PATH https://gist.github.com/3c8f858a3865f3b31a3ee19c58ab2688.git mv 3c8f858a3865f3b31a3ee19c58ab2688/* $SCRIPT_PATH rmdir 3c8f858a3865f3b31a3ee19c58ab2688 chmod u+x * # I usualy do this in my .profile in my $HOME directory. But you can run the line straight in the # shell, be careful when you close the bash session you will lose all variables saved, so put # it somewhere, where scripts will always load when you open a shell.(example .bashrc) export $PATH:$HOME/Documents/scripts === Now you can build the project running this command === makejuju.sh enable-windows-provisioner In the **uploadtools.sh** file make sure on the last line, the path is pointing to the files where the http server has acces to serve them, mine for example is **/var/html/** (default on **ubuntu** systems). To make sure. You cand execute this commands in order. mkdir -p /var/html/toolsdir chown -R $USER:$USER /var/html/* We need to do this because the state machine will access the metadata and download the jujud binary based on series. ====== Step 2 ====== ''This setup will show how to create and manage a WinRM(windows remote manager) listeners, how to setup a https listner cert for https interactions with the WinRM protocol.'' First ,we need check if the windows machine has enabled all WinRM listeners. It's important because, in the provisioning process, the juju client directly communicate, using this protocol in order to fully provision the machine. If not you will need to do the steps above. Open PowerShell console(on the windows machine) and type the following command to enable PowerShell remoting and the WinRM http listner: Enable-PSRemoting -Force Set-ExecutionPolicy RemoteSigned winrm quickconfig # this will let us use the http listener with password auth winrm set winrm/config/service '@{AllowUnencrypted="true"}' # make sure this settings are set like this. winrm set winrm/config/client '@{TrustedHosts="*"}' winrm set winrm/config/client/auth '@{Basic="true"}' winrm set winrm/config/client/auth '@{Certificate="true"}' winrm set winrm/config/service/auth '@{Basic="true"}' winrm set winrm/config/service/auth '@{Certificate="true"}' winrm set winrm/config/service '@{AllowRemoteAccess="true"}' To enable HTTPS listener you must first create a your own self signed CA cert using openssl or makecert. This guide will use openssl. === Download OpenSSL for Windows. === [[http://slproweb.com/products/Win32OpenSSL.html]] Package Win32/64 OpenSSL vx.x.x Light is more than enough for generating SSL certificate. To add Server Authentication to EKU open openssl.cfg and add extendedKeyUsage setting under v3_ca section: [ v3_ca ] extendedKeyUsage = serverAuth subjectAltName = IP:192.168.100.102 set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg cd C:\Users\Administrator C:\OpenSSL-Win64\bin\openssl.exe req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout winrmcacert.key -out winrmcacert.cer -subj "/CN=maas-win2k12r2" C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass: Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My ############################################################################################ # THIS IS ONLY IF YOU WANT TO TEST THE CA VERIFICATION ON THE HOST WITH Enter-PSSession cmd Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root ############################################################################################ winrm set winrm/config/service/auth '@{Certificate="true"}' winrm set winrm/config/client/auth '@{Certificate="true"}' winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}' netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986 === Note: === Don't forget to add those **'** around the **@{}**. ====== Step 3 ====== You need to copy the newly **sever cert** on the controller(juju client) in a specific x509 config folder where juju will look on. You need to store the file with a specific name of **winrmcacert.crt** Please make sure that the server cert is in pem format. mkdir -p $HOME/.local/share/juju/x509 # make here a quick copy of the CA cert because if something is broken juju will delete the x509 dir and regenerate all the client certs but not the CA. cp winrmcacert.crt $HOME/.local/share/juju/ # in order to generate the client certs by juju you must hit the command juju status # If you have some custom client cert please rename them into winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/.local/share/juju/x509 # if you list the dirs you should have something like this. tree x509/ x509/ ├── winrmcacert.crt ├── winrmclientcert.crt └── winrmclientkey.pem ====== Step 4 ====== ( manual provisioning ) We need to make a new environmnet frist. (juju bootstrap) juju bootstrap manual/10.10.10.101 mymanual --debug --config agent-metadata-url=http://10.10.10.10/toolsdir/tools --config agent-stream=devel Now for the grand finale. juju add-machine --debug winrm:Administrator@10.10.10.101 ======= Manually adding the Client certs on the target windows machine ====== Pop up a powershell windows and type these lines with your own credentials in it. $username = "Administrator" $password = "Pa$$sword" $pfx_password = "SomePfxPassword" $certThumb = "PASTE-HERE-CLIENT-CERT-THUMBPRINT" $CN = "CN OF THE CLIENT CERT" $secure_password = ConvertTo-SecureString $password -AsPlainText -Force $pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\My -Passsword $pfx_secure_password Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Passsword $pfx_secure_password $cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password # CREATE WINRM CERT MAPPING New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $certThumb -Subject $CN -Uri * -Credential $cred -Force # Test client connection with client cert auth without skipping the CA Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication ClientCertificate -CertificateThumbprint $certThumb # test client connection with client cert auth and skip the CA verification and CN check $opt = New-PSSessionOption –SkipCACheck –SkipCNCheck –SkipRevocationCheck Enter-PSSession -ComputerName $env:COMPUTERNAME -CertificateThumbprint $thumbprint -Authentication Default -SessionOption $opt # Remove Client mapping (in case you want to remove it) # THIS WILL REMOVE ALL CLIENT CERTITIFACTES IN WSMAN Remove-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_* -Recurse -force | Out-null