Table of Contents

Hi guys, I will help you step by step to manual provision a windows machine. :-)

Introduction

Not long ago, manual provisioning in Juju was possible for linux machines. This feature is quite handy if you want to mange by yourself the cloud or you are providing for your services you own hosted cloud.

For this example we are are using this:

     State Machine   : xenial ubuntu   | 10.10.10.101)
     Windows Machine : windows 2012 r2 | 10.10.10.102)

So without further ado let's start the hacking process

Step 1

This step will be entirly on the controller. Seting up the environ for manual compiling, instaling build scripts, make the process more automated

 Pop up a bash terminal windows in your controller(juju client machine) and execute din commands in order.
 
go get -v -u https://github.com/hoenirvili/juju/...
go get -v -u launchpad.net/godeps
cd $GOPATH/src/github.com/juju/juju
git checkout enable-windows-provisioner
godeps -t -u dependencies.tsv

I will supply here a link to the gist where you could download the build script in order to make the process more simpler.

https://gist.github.com/hoenirvili/3c8f858a3865f3b31a3ee19c58ab2688

Download all scripts in some location ,make them executable and point the path into $PATH env.

For example(in my order of things).

SCRIPT_PATH = ~/Documents/scripts/
mkdir -p $SCRIPT_PATH
cd $SCRIPT_PATH
https://gist.github.com/3c8f858a3865f3b31a3ee19c58ab2688.git
mv 3c8f858a3865f3b31a3ee19c58ab2688/* $SCRIPT_PATH
rmdir 3c8f858a3865f3b31a3ee19c58ab2688
chmod u+x *
# I usualy do this in my .profile in my $HOME directory. But you can run the line straight in the 
# shell, be careful when you close the bash session you will lose all variables saved, so put 
# it somewhere, where scripts will always load when you open a shell.(example .bashrc)
export $PATH:$HOME/Documents/scripts

Now you can build the project running this command

makejuju.sh enable-windows-provisioner 

In the uploadtools.sh file make sure on the last line, the path is pointing to the files where the http server has acces to serve them, mine for example is /var/html/ (default on ubuntu systems). To make sure. You cand execute this commands in order.

mkdir -p /var/html/toolsdir
chown -R $USER:$USER /var/html/*

We need to do this because the state machine will access the metadata and download the jujud binary based on series.

Step 2

This setup will show how to create and manage a WinRM(windows remote manager) listeners, how to setup a https listner cert for https interactions with the WinRM protocol.

First ,we need check if the windows machine has enabled all WinRM listeners. It's important because, in the provisioning process, the juju client directly communicate, using this protocol in order to fully provision the machine.

If not you will need to do the steps above.

Open PowerShell console(on the windows machine) and type the following command to enable PowerShell remoting and the WinRM http listner:

Enable-PSRemoting -Force
Set-ExecutionPolicy RemoteSigned
winrm quickconfig
# this will let us use the http listener with password auth
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
 
# make sure this settings are set like this.
winrm set winrm/config/client '@{TrustedHosts="*"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Certificate="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Certificate="true"}'
winrm set winrm/config/service '@{AllowRemoteAccess="true"}'

To enable HTTPS listener you must first create a your own self signed CA cert using openssl or makecert. This guide will use openssl.

Download OpenSSL for Windows.

http://slproweb.com/products/Win32OpenSSL.html

Package Win32/64 OpenSSL vx.x.x Light is more than enough for generating SSL certificate.

To add Server Authentication to EKU open openssl.cfg and add extendedKeyUsage setting under v3_ca section:

[ v3_ca ]
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.100.102
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
cd C:\Users\Administrator
C:\OpenSSL-Win64\bin\openssl.exe req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout winrmcacert.key -out winrmcacert.cer -subj "/CN=maas-win2k12r2"
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass:
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My
############################################################################################
# THIS IS ONLY IF YOU WANT TO TEST THE CA VERIFICATION ON THE HOST WITH Enter-PSSession cmd
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root
############################################################################################
winrm set winrm/config/service/auth '@{Certificate="true"}'
winrm set winrm/config/client/auth '@{Certificate="true"}'
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}'
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986

Note:

Don't forget to add those ' around the @{}.

Step 3

You need to copy the newly sever cert on the controller(juju client) in a specific x509 config folder where juju will look on.

You need to store the file with a specific name of winrmcacert.crt

Please make sure that the server cert is in pem format.

mkdir -p $HOME/.local/share/juju/x509
# make here a quick copy of the CA cert because if something is broken juju will delete the x509 dir and regenerate all the client certs but not the CA.
cp winrmcacert.crt $HOME/.local/share/juju/
# in order to generate the client certs by juju you must hit the command
juju status
# If you have some custom client cert please rename them into winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/.local/share/juju/x509
# if you list the dirs you should have something like this.
tree x509/
x509/
├── winrmcacert.crt
├── winrmclientcert.crt
└── winrmclientkey.pem

Step 4

( manual provisioning )

We need to make a new environmnet frist. (juju bootstrap)

juju bootstrap manual/10.10.10.101 mymanual --debug --config agent-metadata-url=http://10.10.10.10/toolsdir/tools --config agent-stream=devel

Now for the grand finale.

juju add-machine --debug winrm:Administrator@10.10.10.101

Manually adding the Client certs on the target windows machine

Pop up a powershell windows and type these lines with your own credentials in it.

$username = "Administrator"
$password = "Pa$$sword"
$pfx_password = "SomePfxPassword"
$certThumb = "PASTE-HERE-CLIENT-CERT-THUMBPRINT"
$CN = "CN OF THE CLIENT CERT"
 
$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
$pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force
 
Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\My -Passsword $pfx_secure_password
Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Passsword $pfx_secure_password
 
$cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password
 
# CREATE WINRM CERT MAPPING
New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $certThumb -Subject $CN -Uri * -Credential $cred -Force
 
# Test client connection with client cert auth without skipping the CA
Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication ClientCertificate -CertificateThumbprint $certThumb
 
# test client connection with client cert auth and skip the CA verification and CN check
$opt = New-PSSessionOption –SkipCACheck –SkipCNCheck –SkipRevocationCheck
Enter-PSSession -ComputerName $env:COMPUTERNAME -CertificateThumbprint $thumbprint -Authentication Default -SessionOption $opt
 
 
# Remove Client mapping (in case you want to remove it)
# THIS WILL REMOVE ALL CLIENT CERTITIFACTES IN WSMAN
Remove-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_* -Recurse -force | Out-null