Prerequisites for Creating a Host Cluster
Prerequisites
- A project is available. If no project is available, create one.
- You have the permission to edit projects. If you do not have the permission, contact the project administrator to grant the permission.
- A host is available. If no host is available, see Applying for an ECS.
- The proxy has been configured by referring to Configuring a Proxy Host and Security Configuration.
- The target host has been configured by referring to Configuring a Target Host and Security Configuration.
- Ensure that you have created a resource pool before using a self-hosted resource pool as an execution host.
Preparations
Before verifying host connectivity, perform the following operations as required:
- A target host or proxy is available. For details about how to apply for a host, see (Optional) Applying for an ECS.
- An EIP is available. For details about how to apply for an EIP, see (Optional) Applying for an EIP.
When applying for an ECS, you can apply for an EIP. For details, see (Optional) Applying for an EIP.
Configure a security group for the created ECS by referring to Security Configuration.
(Optional) Applying for an ECS
- Go to the console, choose Service List > Compute > Elastic Cloud Server. The Elastic Cloud Server page is displayed.
- Click Buy ECS on the ECS console.
- On the ECS configuration page, set parameters as prompted.
- After setting the parameters, click Submit and the ECS is created.
(Optional) Applying for an EIP
- Go to the console. In the upper left corner of the page, choose Service List > Networking.
- Click Buy EIP.
- After setting the parameters, click Next.
Security Configuration
To ensure successful host connectivity, configure the host as follows:
- If your host is a newly applied cloud host, configure the port by referring to Configuring a Security Group.
- If you have your own host, configure the port by referring to Configuring the Firewall.
Configuring a Security Group
Before verifying host connectivity, configure a security group and enable some ports. Otherwise, the connectivity verification may fail. (The following uses a Linux host as an example.)
- Go to the console. In the upper left corner of the page, choose Service List > Compute > Elastic Cloud Server. The Elastic Cloud Server page is displayed.
- Click the target ECS. On the ECS details page, click the Security Groups tab. Click a security group ID. On the page that is displayed, click Manage Rules and then click Inbound Rules.
- Click Fast-Add Rules and set the parameters as follows:
- For Linux hosts, enable port 22 in the inbound rule. For Windows hosts, enable ports 54, 5985, and 5986 in the inbound rule when adding the target host or proxy host. Set the remote end to 0.0.0.0/0 (open the preceding ports for all IP addresses).
If you have high security requirements on the overall deployment process and the preceding ports cannot be opened to all IP addresses, add the following IP addresses to the security group and remove port restrictions. Otherwise, host connectivity verification cannot be performed.
China (all regions):
Singapore: 114.119.185.21
Sao Paulo: 159.138.214.24
Mexico: 122.8.183.54 110.238.80.148
Santiago: 119.8.154.190
Türkiye: 101.44.36.238
Riyadh: 101.46.48.174
Cairo: 101.46.64.14
Johannesburg: 159.138.166.36
The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.
- Remove the inbound restriction on the port of the application deployed on the host (for example, port 8080 of the Tomcat application or all ports of other applications must be enabled in the inbound direction). Otherwise, the application cannot be accessed.
- Remove the restriction on the outbound direction or at least make ports 80 and 443 accessible.
Configuring the Firewall
Check the firewall configuration of the host and configure the firewall to allow the SSH protocol port to be accessed. Otherwise, the connectivity verification fails. The following part describes how to configure the firewall for different operating systems.
- Linux Firewall Configurations
Table 1 Linux firewall configurations (columns: OS Series, Configuration Method)
CentOS/EulerOS/UnionTechOS
- Check whether the SSH software package is installed on the local host.
rpm -qa | grep ssh
If the command output contains openssh-server, the SSH software package has been installed.
- If no SSH software package is available, run the following command:
yum install openssh-server
- Enable the SSH service.
service sshd start
- Open the sshd configuration file.
vi /etc/ssh/sshd_config
- Delete the comment tag before the listening port number.
- Restart the SSH service. Run the following command:
sudo service sshd restart
- Check whether port 22 is enabled.
netstat -ntpl | grep 22
NOTE: If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist.
Add the following line to the end of the sshd_config file and save the file:
AllowUsers {User}@{IP}
Restart the SSH service:
sudo service sshd restart
User: whitelisted username. IP: whitelisted IP address. The whitelist should contain the CodeArts IP address range.
China (all regions):
Singapore: 114.119.185.21
Sao Paulo: 159.138.214.24
Mexico: 122.8.183.54 110.238.80.148
Santiago: 119.8.154.190
Türkiye: 101.44.36.238
Riyadh: 101.46.48.174
Cairo: 101.46.64.14
Johannesburg: 159.138.166.36
The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.
Debian
- Log in to the system as the root user and install the ufw.
apt install ufw
- Enable port 22.
ufw allow 22/tcp
- Check whether port 22 is enabled.
ufw status
If ufw is in the inactive status, run the following command to start ufw:
ufw enable
NOTE: If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist.
Run the following command to add an IP address to the whitelist:
ufw allow from {IP} to any port 22
IP: whitelisted IP address. The whitelist should contain the CodeArts IP address range.
Check the ufw rule list:
ufw status numbered
Disable the SSH connection rule (disable the rule whose source IP address is Anywhere to implement whitelist restriction).
ufw delete {Number}
Number: Number of the rule to be disabled.
China (all regions):
Singapore: 114.119.185.21
Sao Paulo: 159.138.214.24
Mexico: 122.8.183.54 110.238.80.148
Santiago: 119.8.154.190
Türkiye: 101.44.36.238
Riyadh: 101.46.48.174
Cairo: 101.46.64.14
Johannesburg: 159.138.166.36
The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.
Ubuntu
- Check the IP address of the local host.
ifconfig
- Check whether port 22 is occupied.
netstat -nltp|grep 22
- If no process is listening on the port, run the following commands in sequence:
sudo apt-get install openssh-server
sudo apt-get install ufw
sudo ufw enable
sudo ufw allow 22
NOTE: If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist.
Run the following command to add an IP address to the whitelist:
sudo ufw allow from {IP} to any port 22
IP: whitelisted IP address. The whitelist should contain the CodeArts IP address range.
Check the ufw rule list:
ufw status numbered
Disable the SSH connection rule (disable the rule whose source IP address is Anywhere to implement whitelist restriction).
ufw delete {Number}
Number: Number of the rule to be disabled.
China (all regions):
Singapore: 114.119.185.21
Sao Paulo: 159.138.214.24
Mexico: 122.8.183.54 110.238.80.148
Santiago: 119.8.154.190
Türkiye: 101.44.36.238
Riyadh: 101.46.48.174
Cairo: 101.46.64.14
Johannesburg: 159.138.166.36
The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.
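The ufw whitelist steps for Debian and Ubuntu above (allow the specific source, list the rules, delete the Anywhere rule), sketched as an added example that is not part of the original documentation. The function names, the sample listing and the address 203.0.113.10 are assumptions made for illustration; the script only prints the delete commands and does not run ufw.

```sh
#!/bin/sh
# Added example: plans the whitelist step from `ufw status numbered` output.
# It only prints commands; nothing on the host is changed.

# Constructed sample listing; 203.0.113.10 stands in for a whitelisted {IP}.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    203.0.113.10
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print "<number> <to> <from>" for each ALLOW rule in the listing on stdin.
parse_rules() {
    sed -n 's/^\[ *\([0-9][0-9]*\)] */\1 /p' | awk '{
        for (i = 3; i <= NF; i++) if ($i == "ALLOW") break
        if (i > NF) next                      # not an ALLOW rule
        j = ($(i + 1) == "IN") ? i + 2 : i + 1
        print $1, $2, $j
    }'
}

# Numbers of rules allowing 22 or 22/tcp from Anywhere (IPv4 and v6), highest
# first: ufw renumbers the rules after each delete, so descending order keeps
# the remaining numbers valid.
open_ssh_rules() {
    parse_rules | awk '$2 ~ /^22(\/tcp)?$/ && $3 == "Anywhere" { print $1 }' | sort -rn
}

# Count rules that allow port 22 from a specific source address.
whitelisted_ssh_rules() {
    parse_rules | awk '$2 ~ /^22(\/tcp)?$/ && $3 != "Anywhere" { n++ } END { print n + 0 }'
}

# Print the `ufw delete` commands, or refuse when no whitelist rule exists yet
# (removing the Anywhere rule first would cut off SSH access).
plan_lockdown() {
    if [ "$(printf '%s\n' "$1" | whitelisted_ssh_rules)" -eq 0 ]; then
        echo "no whitelisted source for port 22; add one first" >&2
        return 1
    fi
    printf '%s\n' "$1" | open_ssh_rules | sed 's/^/ufw delete /'
}

plan_lockdown "$SAMPLE_STATUS"
```

On a real host, pass the output of ufw status numbered to plan_lockdown and review the printed commands before running them.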
- Windows Firewall Configurations
This section uses Windows Server 2012 as an example.
- Choose Windows Firewall on the control panel of the Windows host.
- Click Advanced settings.
- Click Inbound Rules.
- Click New Rule.
- Set Rule Type to Port and click Next.
- Select TCP and Specific local ports, enter port 5986, and click Next.
- Select Allow the connection, and click Next.
- Select all the options for Profile and click Next.
- Enter a rule name and click Finish.
- Repeat steps 1 to 9 to add an inbound rule for the proxy listening port, for example, port 54.
- If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist. (Optional)
- Choose Windows Firewall on the control panel of the Windows host.
- Click Advanced settings.
- Click Inbound Rules.
- Click New Rule.
- Set Rule Type to Custom and click Next.
- Set Program to All programs and click Next.
- Set Protocol type to TCP, set Local port to Specific Ports, enter port 5986, and click Next.
- In the Scope area, select Any IP address for Which local IP addresses does this rule apply to? and select These IP addresses for Which remote IP addresses does this rule apply to?, enter a whitelisted IP address and click Next.
- Select Allow the connection, and click Next.
- Select all the options for Profile and click Next.
- Enter a rule name and click Finish.
- Repeat steps 1 to 11 to add an inbound rule for the proxy listening port, for example, port 54.