juju-manual (revision 2016/12/08 21:52, sgiulitti)

Hi guys, I will help you step by step to manually provision a Windows machine. :-)

====== Introduction ======

Not long ago, manual provisioning in Juju was only possible for Linux machines.
This feature is quite handy if you want to manage the cloud yourself or if you are providing your own hosted cloud for your services.

===== For this example we are using this: =====

       State Machine   : xenial ubuntu   | 10.10.10.101
       Windows Machine : windows 2012 r2 | 10.10.10.102

==== So without further ado let's start the hacking process ====


====== Step 1 ======

''This step will be entirely on the controller: setting up the environment for manual compiling and installing the build scripts, to make the process more automated.''

Pop up a bash terminal window on your controller (the juju client machine) and execute the commands in order.


<code bash>
# fetch the fork that carries the windows provisioner branch (go get takes an import path, not a URL)
go get -v -u github.com/hoenirvili/juju/...
go get -v -u launchpad.net/godeps
# juju's import path is github.com/juju/juju, so the checkout you build has to live there
cd $GOPATH/src/github.com/juju/juju
git checkout enable-windows-provisioner
godeps -t -u dependencies.tsv
</code>

I will supply here a link to the gist from which you can download the build scripts, in order to make the process simpler.

[[https://gist.github.com/hoenirvili/3c8f858a3865f3b31a3ee19c58ab2688]]

Download all scripts to some location, make them executable and add that path to the $PATH env.

For example (in my order of things).

<code bash>
SCRIPT_PATH=$HOME/Documents/scripts
mkdir -p $SCRIPT_PATH
cd $SCRIPT_PATH
git clone https://gist.github.com/3c8f858a3865f3b31a3ee19c58ab2688.git
mv 3c8f858a3865f3b31a3ee19c58ab2688/* $SCRIPT_PATH
# the clone still holds its .git dir, so rmdir would refuse to remove it
rm -rf 3c8f858a3865f3b31a3ee19c58ab2688
chmod u+x *
# I usually do this in my .profile in my $HOME directory. But you can run the line straight in the
# shell; be careful, when you close the bash session you will lose all variables saved, so put
# it somewhere where scripts will always load when you open a shell (example: .bashrc)
export PATH=$PATH:$HOME/Documents/scripts
</code>

=== Now you can build the project running this command ===
<code bash>
makejuju.sh enable-windows-provisioner
</code>

In the **uploadtools.sh** file make sure that on the last line the path points to the directory the http server serves files from; mine for example is **/var/html/** (default on **ubuntu** systems).
To make sure, you can execute these commands in order.

<code bash>
mkdir -p /var/html/toolsdir
chown -R $USER:$USER /var/html/*
</code>

We need to do this because the state machine will access the metadata and download the jujud binary based on series.

====== Step 2 ======

''This step will show how to create and manage WinRM (Windows Remote Management) listeners, and how to set up an https listener cert for https interactions with the WinRM protocol.''

First, we need to check whether the windows machine has all WinRM listeners enabled. It's important because, in the provisioning process, the juju client communicates directly using this protocol in order to fully provision the machine.

If not, you will need to do the steps below.

Open a PowerShell console (on the windows machine) and type the following commands to enable PowerShell remoting and the WinRM http listener:

<code powershell>
Enable-PSRemoting -Force
Set-ExecutionPolicy RemoteSigned
winrm quickconfig
# this will let us use the http listener with password auth: credentials and payloads
# travel unencrypted, so keep it only until the https listener below is working
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
# the client on this machine will talk to any remote WinRM endpoint
winrm set winrm/config/client '@{TrustedHosts="*"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Certificate="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Certificate="true"}'
winrm set winrm/config/service '@{AllowRemoteAccess="true"}'
</code>

To enable the HTTPS listener you must first create your own self-signed CA cert using openssl or makecert.
This guide will use openssl.

=== Download OpenSSL for Windows. ===

[[http://slproweb.com/products/Win32OpenSSL.html]]

The package Win32/64 OpenSSL vx.x.x Light is more than enough for generating the SSL certificate.

To add Server Authentication to the EKU, open openssl.cfg and add the extendedKeyUsage setting under the v3_ca section:
<code ini>
[ v3_ca ]
extendedKeyUsage = serverAuth
# the address the controller uses to reach the windows machine (10.10.10.102 in the setup above)
subjectAltName = IP:10.10.10.102
</code>

<code powershell>
# set the env var the PowerShell way; "set X=Y" is cmd.exe syntax and creates a variable named "X=Y" here
$env:OPENSSL_CONF = "C:\OpenSSL-Win64\bin\openssl.cfg"
cd C:\Users\Administrator
C:\OpenSSL-Win64\bin\openssl.exe req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout winrmcacert.key -out winrmcacert.cer -subj "/CN=maas-win2k12r2"
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass:
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My
############################################################################################
# THIS IS ONLY IF YOU WANT TO TEST THE CA VERIFICATION ON THE HOST WITH Enter-PSSession cmd
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root
############################################################################################
winrm set winrm/config/service/auth '@{Certificate="true"}'
winrm set winrm/config/client/auth '@{Certificate="true"}'
# THUMBPRINT is the thumbprint of the cert imported above; Get-ChildItem Cert:\LocalMachine\My lists it
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}'
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986
</code>


=== Note: ===
Don't forget to add those **'** around the **@{}**.

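Added here as an example, not part of the original guide: a PowerShell audit that reads back the settings Step 2 changes (the http listener's AllowUnencrypted, Basic and TrustedHosts switches, and the https listener's certificate) so you can confirm the permissive settings were not left on once the https listener works. It assumes the Windows machine address 10.10.10.102 from the setup above; the function and parameter names are my own.

```powershell
# Added example (not from the original guide): audit the WinRM settings Step 2 changes.
# Run in an elevated PowerShell on the Windows machine. $ExpectedIp is the address
# the controller uses to reach this machine (10.10.10.102 in the setup above).
param([string]$ExpectedIp = '10.10.10.102')

function Get-WsmanValue([string]$Path) { (Get-Item "WSMan:\localhost\$Path").Value }
$findings = @()

# 1. Switches the http listener step turns on. They are only needed until the
#    https listener works, so report them while they are still enabled.
if ((Get-WsmanValue 'Service\AllowUnencrypted') -eq 'true') {
    $findings += 'Service/AllowUnencrypted=true: credentials and payloads travel over plain http'
}
if ((Get-WsmanValue 'Service\Auth\Basic') -eq 'true') {
    $findings += 'Service/Auth/Basic=true: password auth still accepted; turn off once cert auth works'
}
if ((Get-WsmanValue 'Client\TrustedHosts') -eq '*') {
    $findings += 'Client/TrustedHosts=*: this host will send credentials to any WinRM endpoint'
}

# 2. The https listener and the certificate behind it (validity, EKU serverAuth, SAN IP).
$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
if (-not $listener) {
    $findings += 'No https listener: only the unencrypted http listener is available'
} else {
    $props = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)"
    $thumb = (($props | Where-Object Name -eq 'CertificateThumbprint').Value) -replace '\s', ''
    $cert = if ($thumb) { Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue }
    if (-not $cert) {
        $findings += "Listener cert '$thumb' is not in Cert:\LocalMachine\My"
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { $findings += "Listener cert expired on $($cert.NotAfter)" }
        # 2.5.29.37 = extendedKeyUsage, 1.3.6.1.5.5.7.3.1 = serverAuth
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') {
            $findings += 'Listener cert lacks the serverAuth EKU (see the v3_ca section above)'
        }
        # 2.5.29.17 = subjectAltName; Windows formats an IP entry as "IP Address=x.x.x.x"
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san -or $san.Format($false) -notmatch [regex]::Escape("IP Address=$ExpectedIp")) {
            $findings += "Listener cert SAN does not contain IP:$ExpectedIp; a client verifying by IP will reject it"
        }
    }
}

if ($findings) { $findings | ForEach-Object { "[!] $_" } } else { 'WinRM config matches the hardened end state of Step 2' }
```

Run it once right after the http listener step (expect three findings) and again after the https listener is up and the http-only switches are turned back off (expect none).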
====== Step 3 ======

You need to copy the newly created **server cert** to the controller (juju client) into a specific x509 config folder where juju will look for it.

You need to store the file with the specific name **winrmcacert.crt**.

Please make sure that the server cert is in pem format.

<code bash>
mkdir -p $HOME/.local/share/juju/x509
# the winrmcacert.cer written by openssl req above is already PEM, so it only needs renaming to winrmcacert.crt
# make here a quick copy of the CA cert, because if something is broken juju will delete the x509 dir and regenerate all the client certs but not the CA.
cp winrmcacert.crt $HOME/.local/share/juju/
# this is the copy juju actually reads
cp winrmcacert.crt $HOME/.local/share/juju/x509/
# in order to have juju generate the client certs you must run the command
juju status
# If you have some custom client cert please rename them into winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/.local/share/juju/x509
# if you list the dir you should have something like this.
tree $HOME/.local/share/juju/x509/
x509/
├── winrmcacert.crt
├── winrmclientcert.crt
└── winrmclientkey.pem
</code>
====== Step 4 ======
( manual provisioning )

We need to make a new environment first (juju bootstrap).

<code bash>
juju bootstrap manual/10.10.10.101 mymanual --debug --config agent-metadata-url=http://10.10.10.10/toolsdir/tools --config agent-stream=devel
</code>

Now for the grand finale.

<code bash>
# winrm:<user>@<address of the windows machine>, which is 10.10.10.102 in the setup above
juju add-machine --debug winrm:Administrator@10.10.10.102
</code>


====== Manually adding the client certs on the target windows machine ======

Pop up a powershell window and type these lines with your own credentials in it.

<code powershell>
$username = "Administrator"
# single quotes: inside double quotes PowerShell would expand the "$$" to the current process id
$password = 'Pa$$sword'
$pfx_password = "SomePfxPassword"
$certThumb = "PASTE-HERE-CLIENT-CERT-THUMBPRINT"
$CN = "CN OF THE CLIENT CERT"

$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
$pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force

Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfx_secure_password
Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $pfx_secure_password

$cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password

# CREATE WINRM CERT MAPPING
# -Issuer is the thumbprint of the cert that issued the client cert (the client cert itself when it is self-signed);
# any client presenting a matching cert is logged in as $cred, so keep -Subject as narrow as possible
New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $certThumb -Subject $CN -Uri * -Credential $cred -Force

# Test client connection with client cert auth without skipping the CA
# (certificate auth is only offered on the https listener, hence -UseSSL)
Test-WSMan -ComputerName $env:COMPUTERNAME -UseSSL -Authentication ClientCertificate -CertificateThumbprint $certThumb

# test client connection with client cert auth and skip the CA verification and CN check
$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
Enter-PSSession -ComputerName $env:COMPUTERNAME -UseSSL -CertificateThumbprint $certThumb -Authentication Default -SessionOption $opt


# Remove Client mapping (in case you want to remove it)
# THIS WILL REMOVE ALL CLIENT CERTIFICATES IN WSMAN
Remove-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_* -Recurse -Force | Out-Null
</code>
juju-manual.txt · Last modified: 2016/12/08 21:52 (external edit)