juju-manual: differences between the revision of 2016/12/07 12:25 by sgiulitti (summary: "This is how would look if both listeners are enabled.") and the revision of 2016/12/08 21:52. Every line of the earlier revision is marked as removed in the later one; the removed page content follows.

Hi guys, I will help you step by step to manually provision a Windows machine. :-)

====== Introduction ======

Not long ago, manual provisioning in Juju was only possible for Linux machines. The feature is quite handy when you want to manage the cloud yourself, or when you are providing your own hosted cloud for your services.

===== Further notes =====

  - Check the Internet connection on both machines after the OS install and make sure both of them can reach the Internet.
  - Make sure the two hosts can ping each other.
  - Install the Go compiler and the whole toolchain on the client (the controller).
  - Install some variant of an HTTP server on your client host (the controller, where you will run the commands); on my machine it is Apache.

==== You need to have 2 machines pre-installed with an OS ====

Controller (an Ubuntu release supported by Juju) and windows-machine (any Windows OS supported by Juju).

===== For this example we are using this: =====

State Machine

==== So without further ado let's start the hacking process ====

----

Pop up a bash terminal window on your controller (the Juju client machine) and execute the following commands in order.

<code bash>
# fetch the sources into $GOPATH
go get -v -u https://
go get -v launchpad.net/
# switch the juju checkout to the branch that carries the Windows provisioner
cd $GOPATH/
git checkout enable-windows-provisioner
# pin the dependencies to the revisions listed in dependencies.tsv
godeps -t -u dependencies.tsv
</code>

I will supply here a link to the gist where you can download the build scripts, to make the process simpler.

[[https://

Download all the scripts to some location, make them executable, and add that path to your $PATH environment variable.
For example (in my order of things):

<code bash>
SCRIPT_PATH=~/
mkdir -p $SCRIPT_PATH
cd $SCRIPT_PATH
# clone the gist, move its files up into $SCRIPT_PATH and drop the empty clone directory
https://
mv 3c8f858a3865f3b31a3ee19c58ab2688/
rmdir 3c8f858a3865f3b31a3ee19c58ab2688
chmod u+x *
# I usually do this in the .profile in my $HOME directory. You can also run the line straight in the
# shell, but when you close the bash session the variable is lost, so put it somewhere that is
# loaded every time you open a shell (for example .bashrc).
export PATH="$PATH:$SCRIPT_PATH"
</code>

This is how it should look after the above steps.

{{:

=== Now you can build the project by running this command. Read the note above before executing it. ===

<code bash>
</code>

In the **uploadtools.sh** file make sure that the path on the last line points to the directory the HTTP server serves files from; mine, for example, is **/
To be sure, execute these commands in order:

<code bash>
# create the directory the HTTP server serves from and make it writable by your user
sudo mkdir -p /
sudo chown -R $USER:$USER /var/html/*
</code>

We need this because the state machine reads the tools metadata from that HTTP server and downloads the fresh jujud binary for its series from it. Whatever sits in that directory is what the new machine will run, so keep it writable only by the user who runs uploadtools.sh and serve it only on the network shared with the Windows machine.

====== Step 2 ======

First, we need to check whether the Windows machine has both WinRM listeners enabled. This matters because, during the provisioning process, the Juju client communicates directly with the Windows machine over WinRM: the HTTP listener (port 5985) and the HTTPS listener (port 5986). The HTTPS listener is the one the CA certificate from Step 3 lets the client verify.

===== This is how it would look if both listeners are enabled. =====

{{:

If not, you will need to do the steps below.

Open a PowerShell console (on the Windows machine) and type the following commands to enable PowerShell remoting and the WinRM HTTP listener:

<code powershell>
# enables the WinRM service and the HTTP listener on port 5985 and opens the firewall for it
Enable-PSRemoting -Force
# lets locally written scripts run; downloaded scripts still need a signature
Set-ExecutionPolicy RemoteSigned
# creates the default HTTP listener if Enable-PSRemoting did not already do so
winrm quickconfig
</code>

{{:

To enable the HTTPS listener you must first create your own self-signed CA cert, using openssl or makecert.
This guide uses openssl.

=== Download OpenSSL for Windows. ===

[[http://

The Win32/Win64 OpenSSL vx.x.x Light package is more than enough for generating the SSL certificate.

To add Server Authentication to the EKU, open openssl.cfg and add the extendedKeyUsage setting under the v3_ca section, together with a subjectAltName carrying the address the Juju client will connect to, so that the listener certificate matches that address:
<code>
[ v3_ca ]
extendedKeyUsage = serverAuth
subjectAltName = IP:
</code>

<code powershell>
# point openssl at the edited config (cmd.exe syntax; in PowerShell use $env:OPENSSL_CONF = "...")
set OPENSSL_CONF=C:

# generate the self-signed CA key and certificate with the v3_ca extensions above
C:

# bundle the key and certificate into a PFX for import into the Windows certificate stores
C:

# import the PFX into the two stores: one that the listener uses, one so the machine trusts the CA
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:

# create the HTTPS listener bound to that certificate
winrm create winrm/

</code>

<code powershell>
# $host is a read-only automatic variable in PowerShell, so use a different name for the computer name
$hostName = $env:
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:
Export-Certificate -Cert $Cert -FilePath C:
Import-Certificate -Filepath "
Enable-PSRemoting -SkipNetworkProfileCheck -Force
New-Item -Path WSMan:
New-NetFirewallRule -DisplayName "
Add-Content $Env:
# now you must reboot the Windows machine.
</code>

=== Note: ===
Don't forget to add the **'** quotes around the **@{}** in the winrm command: in PowerShell a bare @{...} is a hashtable literal, so without the quotes winrm never receives that text as an argument.

=== Now this should look like the first PowerShell screenshot ===

=== I can't stress this enough: to make sure we can reach the listeners, please also execute these lines. ===

<code powershell>
# open the firewall for the listener port and adjust the WinRM service settings
netsh advfirewall firewall add rule name="
winrm set winrm/
</code>

=== Now we should convert the cert to PEM format and copy just the PEM-formatted cert over to the Ubuntu machine ===
<code powershell>
# openssl: write the certificate (only the certificate, never the private key) out in PEM format
C:
cat outcert.pem
</code>
Copy the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. If openssl also printed Bag Attributes, subject or issuer lines before it, leave those out, and never copy a private key block.

====== Step 3 ======

You need to copy the new **CA server cert** onto the controller (the Juju client), into the specific x509 config folder where Juju looks for it.

The file must be stored under the specific name **winrmcacert.crt**.

Make sure the CA cert is in PEM format. This file is what the Juju client uses to verify the Windows machine's HTTPS listener, so keep it writable only by your user.

<code bash>
mkdir -p $HOME/

# keep a spare copy of the CA cert here: if something breaks, juju deletes the x509 dir and regenerates the client certs, but not the CA
cp winrmcacert.crt $HOME/

# juju generates the client certs the first time you run
juju status

# now move the CA cert into x509
cp winrmcacert.crt $HOME/

# if you have custom client certs, rename them winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/

# listing the dir should give you something like this
tree x509/
x509/
├── winrmcacert.crt
├── winrmclientcert.crt
└── winrmclientkey.pem
</code>

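Step 2 has you copy the certificate text out of the openssl output by hand, and Step 3 warns that juju may wipe the x509 directory. The bash script below is an added example, not part of the original page and not Juju's own code, that does both with checks: it extracts exactly one PEM certificate block from the saved openssl output (refusing a file with zero or several blocks, which would hand juju a broken or wrong winrmcacert.crt), stages it as winrmcacert.crt with a backup copy beside the x509 directory, and verifies the final layout, including that the client key is not readable by other users. The x509 directory path is passed in as an argument because the page truncates the real one under $HOME, the script name is hypothetical, and the certificate body in the demo is a constructed placeholder rather than a real certificate.

```bash
#!/usr/bin/env bash
# Added example, not the page's or Juju's own code. Assumes the caller supplies
# the x509 directory path; the page truncates the real one under $HOME.
set -eu

# Print exactly the one PEM certificate block found in FILE. `openssl pkcs12`
# also prints "Bag Attributes", "subject=" and "issuer=" lines, and a PFX can
# hold several certificates; anything other than exactly one block is an error.
extract_pem_cert() {
    local in="$1" n
    if [ ! -r "$in" ]; then
        echo "error: cannot read $in" >&2
        return 1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$in" || true)
    if [ "$n" -ne 1 ]; then
        echo "error: expected exactly one certificate block in $in, found $n" >&2
        return 1
    fi
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$in"
}

# Stage the CA cert as X509_DIR/winrmcacert.crt. The backup copy goes next to
# the x509 directory, not inside it, because juju may delete and regenerate the
# whole directory and regenerates only the client cert and key.
install_ca_cert() {
    local pem_src="$1" x509_dir="$2" backup
    backup="$(dirname "$x509_dir")/winrmcacert.crt.bak"
    mkdir -p "$x509_dir"
    extract_pem_cert "$pem_src" > "$backup"
    cp "$backup" "$x509_dir/winrmcacert.crt"
    chmod 644 "$x509_dir/winrmcacert.crt" "$backup"
}

# Verify the layout the page shows under `tree x509/`: all three files present
# and non-empty, the CA file starting with a PEM header, and the client key
# readable only by its owner (mode 600 or 400).
check_x509_dir() {
    local d="$1" f perms
    for f in winrmcacert.crt winrmclientcert.crt winrmclientkey.pem; do
        if [ ! -s "$d/$f" ]; then
            echo "error: missing or empty $d/$f" >&2
            return 1
        fi
    done
    if [ "$(head -n 1 "$d/winrmcacert.crt")" != "-----BEGIN CERTIFICATE-----" ]; then
        echo "error: $d/winrmcacert.crt is not a PEM certificate" >&2
        return 1
    fi
    perms=$(stat -c '%a' "$d/winrmclientkey.pem" 2>/dev/null || stat -f '%Lp' "$d/winrmclientkey.pem")
    case "$perms" in
        600|400) ;;
        *) echo "error: winrmclientkey.pem has mode $perms, expected 600" >&2; return 1 ;;
    esac
}

# Demo on constructed input: a stand-in for the `cat outcert.pem` output, with
# the header lines openssl prints and a placeholder body that is not a real
# certificate. Prints the path of the prepared x509 directory.
demo() {
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/outcert.pem" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
subject=CN = winrm-ca
issuer=CN = winrm-ca
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIsIE5PVCBBIFJFQUwgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
EOF
    install_ca_cert "$tmp/outcert.pem" "$tmp/x509"
    # constructed stand-ins for the client cert and key that `juju status` generates
    printf -- '-----BEGIN CERTIFICATE-----\nQ0xJRU5U\n-----END CERTIFICATE-----\n' > "$tmp/x509/winrmclientcert.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n' > "$tmp/x509/winrmclientkey.pem"
    chmod 600 "$tmp/x509/winrmclientkey.pem"
    check_x509_dir "$tmp/x509"
    echo "$tmp/x509"
}

# Usage: ./stage-winrm-ca.sh demo   (or source the file and call the functions yourself)
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

For real use, call `install_ca_cert outcert.pem "$HOME/<juju x509 dir>"` after `juju status` has created the client cert and key, then run `check_x509_dir` on the same directory before `juju add-machine`.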
====== Step 4 ======
( manual provisioning )

We need to make a new environment first (juju bootstrap):

<code bash>
juju bootstrap mycloud --debug manual/
</code>

{{:

If you run juju status you should have an environment set up and ready:

<code bash>
juju status
</code>

{{:

Now for the grand finale:

<code bash>
juju add-machine --debug winrm:
</code>

{{: