juju-manual

Differences

This shows you the differences between two versions of the page.

juju-manual [2016/12/07 16:22]
sgiulitti
juju-manual [2016/12/08 21:52] (current)
Line 1: Line 1:
-Hi guys, I will help you step by step to manually provision a windows machine. :-)+Hi guys, I will help you step by step to manual provision a windows machine. :-)
  
 ====== Introduction ====== ====== Introduction ======
  
- +Not long ago, manual provisioning in Juju was possible for linux machines.  
-Not long ago, manual provisioning in Juju was possible for linux machines. This feature is quite handy if you want to mange by yourself the cloud or you are providing for your services you own hosted cloud. +This feature is quite handy if you want to mange by yourself the cloud or you are providing for your services you own hosted cloud.
  
 ===== For this example we are are using this: ===== ===== For this example we are are using this: =====
- 
  
        State Machine   : xenial ubuntu   | 10.10.10.101)        State Machine   : xenial ubuntu   | 10.10.10.101)
        Windows Machine : windows 2012 r2 | 10.10.10.102)        Windows Machine : windows 2012 r2 | 10.10.10.102)
- 
  
 ==== So without further ado let's start the hacking process ==== ==== So without further ado let's start the hacking process ====
- 
----- 
- 
  
  
- ====== Step 1 ======+====== Step 1 ======
  
  '' This step will be entirly on the controller. Seting up the environ for manual compiling, instaling build scripts, make the process more automated''  '' This step will be entirly on the controller. Seting up the environ for manual compiling, instaling build scripts, make the process more automated''
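Review bot: the rewrite of the first line regresses the grammar, replacing "manually provision a windows machine" with "manual provision a windows machine"; keep the adverb ("manually provision") or reword to "do a manual provisioning of". Also, the environment table in this hunk fixes 10.10.10.101 as the xenial state machine and 10.10.10.102 as the Windows 2012 R2 target; later steps should address the Windows host by that second address.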
Line 28: Line 22:
 <code bash>  <code bash> 
 go get -v -u https://github.com/hoenirvili/juju/... go get -v -u https://github.com/hoenirvili/juju/...
-go get -v launchpad.net/godeps+go get -v -u launchpad.net/godeps
 cd $GOPATH/src/github.com/juju/juju cd $GOPATH/src/github.com/juju/juju
 git checkout enable-windows-provisioner git checkout enable-windows-provisioner
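Review bot: `go get -v -u https://github.com/hoenirvili/juju/...` will not work as written, because `go get` takes an import path (`github.com/hoenirvili/juju/...`), not an `https://` URL. Even once fixed, the fork lands under `$GOPATH/src/github.com/hoenirvili/juju`, while the next line does `cd $GOPATH/src/github.com/juju/juju` and checks out `enable-windows-provisioner`; that branch only exists there if the fork was added as a remote and fetched (for example `git remote add hoenirvili https://github.com/hoenirvili/juju && git fetch hoenirvili` before the checkout). State which of the two trees is actually built.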
Line 39: Line 33:
  
 Download all scripts in some location ,make them executable and point the path into $PATH env.  Download all scripts in some location ,make them executable and point the path into $PATH env. 
 +
 For example(in my order of things). For example(in my order of things).
  
Line 55: Line 50:
 </code> </code>
  
-=== Now you can build the project doing running this command. Read the above Note first before executing this command. === +=== Now you can build the project running this command ===  
- +<code bash>   
-<code bash>  makejuju.sh enable-windows-provisioner  </code>+makejuju.sh enable-windows-provisioner  
 +</code>
  
 In the **uploadtools.sh** file make sure on the last line, the path is pointing to the files where the http server has acces to serve them, mine for example is **/var/html/** (default on **ubuntu** systems). In the **uploadtools.sh** file make sure on the last line, the path is pointing to the files where the http server has acces to serve them, mine for example is **/var/html/** (default on **ubuntu** systems).
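Review bot: the reworded heading drops "Read the above Note first before executing this command", which was a deliberate warning; keep the pointer to the note so readers do not run `makejuju.sh` before setting up the scripts in `$PATH`. Separately, the unchanged context line below cites `/var/html/` as the default web root on Ubuntu; Apache on Ubuntu serves `/var/www/html/`, so either correct the path or say it is a local choice rather than a default.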
Line 67: Line 63:
 </code> </code>
  
-We need to do this because the state machine will access the metadata and download the fresh jujud binary based on a specific series.+We need to do this because the state machine will access the metadata and download the jujud binary based on series.
     
 ====== Step 2 ====== ====== Step 2 ======
  
-''This setup will show how to create and manage a WinRM(windows remote manager) listeners, how to setup a  CA cert for secure interactions with the WinRM protocol.''+''This setup will show how to create and manage a WinRM(windows remote manager) listeners, how to setup a  https listner cert for https interactions with the WinRM protocol.''
  
 First ,we need check if the windows machine has enabled all WinRM listeners. It's important because, in the provisioning process, the juju client directly communicate, using this protocol in order to fully provision the machine. First ,we need check if the windows machine has enabled all WinRM listeners. It's important because, in the provisioning process, the juju client directly communicate, using this protocol in order to fully provision the machine.
- 
-===== This is how would look if both listeners are enabled  ===== 
- 
-{{:winrm_display_listeners.png?nolink|}} 
  
 If not you will need to do the steps above. If not you will need to do the steps above.
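Review bot: with the "This is how would look if both listeners are enabled" screenshot removed, the hunk leaves no instruction for actually checking the listeners, and the surviving sentence "If not you will need to do the steps above" points the wrong way, since the steps follow it. Suggest replacing the screenshot with the command that lists them, `winrm enumerate winrm/config/listener`, and changing "above" to "below". The heading change from "CA cert" to "https listener cert" is the right direction, since the certificate created later is a self-signed server certificate, not a CA.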
Line 87: Line 79:
 Set-ExecutionPolicy RemoteSigned Set-ExecutionPolicy RemoteSigned
 winrm quickconfig winrm quickconfig
 +# this will let us use the http listener with password auth
 +winrm set winrm/config/service '@{AllowUnencrypted="true"}'
 +
 +# make sure this settings are set like this.
 +winrm set winrm/config/client '@{TrustedHosts="*"}'
 +winrm set winrm/config/client/auth '@{Basic="true"}'
 +winrm set winrm/config/client/auth '@{Certificate="true"}'
 +winrm set winrm/config/service/auth '@{Basic="true"}'
 +winrm set winrm/config/service/auth '@{Certificate="true"}'
 +winrm set winrm/config/service '@{AllowRemoteAccess="true"}'
 +
 </code> </code>
- 
-{{:winrmquickconfig.png?nolink|}} 
  
 To enable HTTPS listener you must first create a your own self signed CA cert using openssl or makecert. To enable HTTPS listener you must first create a your own self signed CA cert using openssl or makecert.
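Review bot: the added `winrm set winrm/config/service '@{AllowUnencrypted="true"}'` together with `service/auth Basic="true"` makes the HTTP listener on 5985 accept Basic authentication over an unencrypted channel, so the Administrator password crosses the network in clear; the comment even says that is the purpose. Since the rest of the page builds an HTTPS listener with certificate auth, this should either be dropped or be clearly marked as a temporary test setting that is reverted afterwards with `winrm set winrm/config/service '@{AllowUnencrypted="false"}'` and `winrm set winrm/config/service/auth '@{Basic="false"}'`. The `winrm/config/client/...` lines (`TrustedHosts="*"`, client Basic and Certificate auth) configure this host as a WinRM client for outbound connections and are not needed for juju to reach the inbound listener; `TrustedHosts="*"` in particular disables the client-side identity check and should not be presented as a required setting. The `service/auth Certificate="true"` line is also repeated in the next hunk; keep it in one place.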
Line 101: Line 102:
  
 To add Server Authentication to EKU open openssl.cfg and add extendedKeyUsage setting under v3_ca section: To add Server Authentication to EKU open openssl.cfg and add extendedKeyUsage setting under v3_ca section:
-<code>+<code bash>
 [ v3_ca ] [ v3_ca ]
 extendedKeyUsage = serverAuth extendedKeyUsage = serverAuth
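Review bot: the fence change from `<code>` to `<code bash>` mislabels an openssl.cfg INI fragment as shell; use `<code ini>` or leave it untagged. The content itself is fine: `extendedKeyUsage = serverAuth` under `[ v3_ca ]` is what `req -x509` picks up, and the WinRM HTTPS listener does require the Server Authentication EKU on the certificate.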
Line 109: Line 110:
  
 <code powershell> <code powershell>
- 
 set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
- 
 cd C:\Users\Administrator cd C:\Users\Administrator
- 
 C:\OpenSSL-Win64\bin\openssl.exe req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout winrmcacert.key -out winrmcacert.cer -subj "/CN=maas-win2k12r2" C:\OpenSSL-Win64\bin\openssl.exe req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout winrmcacert.key -out winrmcacert.cer -subj "/CN=maas-win2k12r2"
- 
 C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass: C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass:
- 
 Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My
 +############################################################################################
 +# THIS IS ONLY IF YOU WANT TO TEST THE CA VERIFICATION ON THE HOST WITH Enter-PSSession cmd
 Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root
 +############################################################################################ 
 +winrm set winrm/config/service/auth '@{Certificate="true"}' 
 +winrm set winrm/config/client/auth '@{Certificate="true"}'
 winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}' winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}'
 +netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986
 </code> </code>
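Review bot: the block is tagged `powershell` but `set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg` is cmd.exe syntax and sets nothing in PowerShell; use `$env:OPENSSL_CONF = 'C:\OpenSSL-Win64\bin\openssl.cfg'`. The listener line still carries the literal placeholder `CertificateThumbprint="THUMBPRINT"` with no instruction on obtaining the value; `Import-PfxCertificate` returns the imported certificate, so capturing it (`$cert = Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My`) and using `$cert.Thumbprint` in the `winrm create` call removes the manual step. Two security points on the unchanged lines: `-passout pass:` writes the PFX with an empty password, and `-nodes` leaves `winrmcacert.key` unencrypted, both in the Administrator profile; tell the reader to delete the .key and .pfx after import. The new comment "THIS IS ONLY IF YOU WANT TO TEST THE CA VERIFICATION" is misleading, because the certificate is a self-signed leaf, not a CA; importing it into `Cert:\LocalMachine\Root` makes the host trust its own listener certificate, which is all that `Enter-PSSession` needs for a local test.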
  
Line 128: Line 128:
 === Note: === === Note: ===
 Don't forget to add those **'** around the **@{}**. Don't forget to add those **'** around the **@{}**.
- 
- 
-=== Now this should look like in the first powershell screenshot === 
- 
-=== I can't stress enough this to make sure we can reach the listeners please add execute this lines.=== 
- 
-<code powershell> 
-netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986 
-winrm set winrm/config/service '@{AllowUnencrypted="true"}' # this will let us use the http listener with password auth 
-</code> 
- 
-=== Now we should make the cert in pem format and copy just pem formated cert over the ubuntu machine === 
-<code powershell> 
-C:\OpenSSL-Win64\bin\openssl.exe x509 -inform DER -in C:\Users\Administrator\cert -out outcert.pem -text 
-cat outcert.pem 
-</code> 
- 
-Copy the that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- 
  
 ====== Step 3 ====== ====== Step 3 ======
  
-You need to copy the newly **CA sever cert** on the controller(juju client) in a specific x509 config folder where juju will look on.+You need to copy the newly **sever cert** on the controller(juju client) in a specific x509 config folder where juju will look on.
  
 You need to store the file with a specific name of **winrmcacert.crt** You need to store the file with a specific name of **winrmcacert.crt**
  
-Please make sure that the CA cert is in pem format.+Please make sure that the server cert is in pem format.
  
 <code bash> <code bash>
 mkdir -p $HOME/.local/share/juju/x509 mkdir -p $HOME/.local/share/juju/x509
- 
 # make here a quick copy of the CA cert because if something is broken juju will delete the x509 dir and regenerate all the client certs but not the CA. # make here a quick copy of the CA cert because if something is broken juju will delete the x509 dir and regenerate all the client certs but not the CA.
 cp winrmcacert.crt $HOME/.local/share/juju/ cp winrmcacert.crt $HOME/.local/share/juju/
- 
 # in order to generate the client certs by juju you must hit the command # in order to generate the client certs by juju you must hit the command
 juju status juju status
- 
-# now move the cacert into x509 
-cp winrmcacert.crt $HOME/.local/share/juju/x509 
- 
 # If you have some custom client cert please rename them into winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/.local/share/juju/x509 # If you have some custom client cert please rename them into winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/.local/share/juju/x509
- 
 # if you list the dirs you should have something like this. # if you list the dirs you should have something like this.
 tree x509/ tree x509/
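Review bot: this hunk deletes `cp winrmcacert.crt $HOME/.local/share/juju/x509` (the "now move the cacert into x509" step), but the surrounding text still says the certificate must be placed in the x509 folder where juju looks, and the `tree x509/` listing that follows presumably still shows it; restore the copy after `juju status` or the client will not find the server certificate. The deleted PEM conversion (`openssl x509 -inform DER ...`) was not needed for the file produced in Step 2, since `openssl req -x509` writes PEM by default, but the page should then say explicitly that `winrmcacert.cer` is copied to the controller and renamed `winrmcacert.crt`. The wording also switches between "CA cert" and "server cert" within the same step; the comment on the `cp` line still says CA while the prose now says server cert, and they should agree.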
Line 175: Line 150:
 ├── winrmclientcert.crt ├── winrmclientcert.crt
 └── winrmclientkey.pem └── winrmclientkey.pem
- 
- 
 </code> </code>
  
Line 188: Line 161:
 </code> </code>
  
 +Now for the grand finale.
  
-{{:bootstrapconfigmanual.png?nolink|}}+<code bash> 
 +juju add-machine --debug winrm:Administrator@10.10.10.101 
 +</code>
  
  
-If you hit juju status we should have an environment set and ready.+======= Manually adding the Client certs on the target windows machine ======
  
-<code bash> +Pop up a powershell windows and type these lines with your own credentials in it.
-juju status +
-</code>+
  
-{{:jujustatus.png?nolink|}}+<code powershell> 
 +$username = "Administrator" 
 +$password = "Pa$$sword" 
 +$pfx_password = "SomePfxPassword" 
 +$certThumb = "PASTE-HERE-CLIENT-CERT-THUMBPRINT" 
 +$CN = "CN OF THE CLIENT CERT"
  
-Now for the grand finale.+$secure_password = ConvertTo-SecureString $password -AsPlainText -Force 
 +$pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force
  
-<code bash> +Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\My -Passsword $pfx_secure_password 
-juju add-machine --debug winrm:Administrator@10.10.10.101 +Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Passsword $pfx_secure_password
-</code>+
  
 +$cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password
  
-{{:winrmaddmachine.png?nolink|}}+# CREATE WINRM CERT MAPPING 
 +New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $certThumb -Subject $CN -Uri * -Credential $cred -Force
  
 +# Test client connection with client cert auth without skipping the CA
 +Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication ClientCertificate -CertificateThumbprint $certThumb
  
 +# test client connection with client cert auth and skip the CA verification and CN check
 +$opt = New-PSSessionOption –SkipCACheck –SkipCNCheck –SkipRevocationCheck
 +Enter-PSSession -ComputerName $env:COMPUTERNAME -CertificateThumbprint $thumbprint -Authentication Default -SessionOption $opt
  
-======= More helpfull commands ====== 
  
-<code powershell> +# Remove Client mapping (in case you want to remove it) 
-$host = $env:COMPUTERNAME +# THIS WILL REMOVE ALL CLIENT CERTITIFACTES IN WSMAN 
-$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName $host +Remove-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_* -Recurse -force | Out-null
-Export-Certificate -Cert $Cert -FilePath C:\Users\Administrator\cert +
-Import-Certificate -Filepath "C:\Users\Administrator\cert" -CertStoreLocation "Cert:\LocalMachine\Root" +
-Enable-PSRemoting -SkipNetworkProfileCheck -Force +
-New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint –Force +
-New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP +
-Add-Content $Env:SystemRoot\system32\drivers\etc\hosts "192.168.100.102 $host" +
-# now you must reboot the windows machine.+
 </code> </code>
- 
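Review bot: `juju add-machine --debug winrm:Administrator@10.10.10.101` targets the xenial state machine from the introduction; the Windows host is 10.10.10.102. In the new client-certificate block: `$password = "Pa$$sword"` is in double quotes, where `$$` expands to the current PowerShell process ID, so the credential is silently wrong; use single quotes. Both `Import-PfxCertificate` lines spell the parameter `-Passsword`, which does not exist; it is `-Password`. The `Enter-PSSession` test passes `$thumbprint`, which is never defined, while the value is in `$certThumb`. For the `New-Item -Path WSMan:\localhost\ClientCertificate` mapping, `-Issuer` is the thumbprint of the certificate that issued the client certificate (equal to the client certificate's own thumbprint only when it is self-signed, which should be stated), and `-Subject` must be the user principal name carried in the client certificate's Subject Alternative Name, not its CN; the certificate also needs the Client Authentication EKU, so `$CN = "CN OF THE CLIENT CERT"` is misleading. Importing the client PFX, private key included, into the target's `My` and `Root` stores is unnecessary and puts the client's private key on the server; importing just the public certificate with `Import-Certificate -FilePath winrmclientcert.crt -CertStoreLocation Cert:\LocalMachine\Root` is sufficient for the mapping and trust. The `-SkipCACheck -SkipCNCheck -SkipRevocationCheck` session is labelled as a test, which is good; it should not be used for anything but that.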
juju-manual.1481120547.txt.gz · Last modified: 2016/12/07 16:22 (external edit)