Updated on 2024-01-15 GMT+08:00

Configuring a Target Host

Before adding a host to a created host cluster, you need to perform the following operations on the host:

This configuration has already been completed by default for Huawei Cloud ECSs running Linux, so you do not need to configure it again. You do need to perform it for Windows ECSs.

Configuring a Linux Host

To ensure that the connectivity verification of a Linux host succeeds, Python must be installed on the host and SELinux must be enabled. The target host must meet the following requirements:

  • Install Python
    Install Python 2.6 or later. If a Python version earlier than 2.6 is installed, run the following commands to install the required modules on the host:
    • Ubuntu
      sudo apt install python-minimal python-simplejson
    • CentOS or EulerOS
      sudo yum install python-minimal python-simplejson
      ln -s /usr/bin/python2 /usr/bin/python

    Before using Advanced Packaging Tool (APT) or Yellowdog Updater, Modified (yum), ensure that an available source has been configured.

  • Enable SELinux and install libselinux-python
    1. Run the following command to check the SELinux status:
      /usr/sbin/sestatus

      The mode corresponding to each value of SELinux is as follows:

      SELinux=disabled: SELinux is disabled.

      SELinux=enforcing: enforcing mode, in which every action that violates the security policy is blocked.

      SELinux=permissive: permissive mode, in which actions that violate the security policy are not blocked but are recorded in logs.

    2. If the value is disabled, SELinux is disabled on the host. In this case, perform the following steps to change the SELinux status.
      1. Run the following command to edit the SELinux configuration file:
        vi /etc/selinux/config
      2. Modify the SELinux parameters based on the site requirements.

        SELinux=enforcing: enforcing mode, in which every action that violates the security policy is blocked.

        SELinux=permissive: permissive mode, in which actions that violate the security policy are not blocked but are recorded in logs.

      3. After the modification, press Esc to leave insert mode, then type the following command to save the file and exit vi:
        :wq
      4. Run the following command to create the hidden file .autorelabel in the root directory, and then restart the Linux host so that the file system is relabeled:
        touch /.autorelabel
    3. Run the following commands to install libselinux-python:
      • Ubuntu
        sudo apt install libselinux-python
      • CentOS or EulerOS
        sudo yum install libselinux-python

Configuring the Host Running Windows

To ensure that the Windows host connectivity verification succeeds, perform the following operations on the target hosts. The following uses Windows Server 2012 as an example. Two configuration modes are available: automatic script configuration and manual configuration.

To configure a host running Windows 10, Windows Server 2016, or Windows Server 2019 as the target host, follow the configuration method for Windows Server 2012. For details about how to obtain the script, see Windows2016ConfigureRemotingForAnsible.zip.

To configure a target host running Windows 7, follow the configuration method for Windows Server 2012. For details about how to obtain the script, see Windows2012ConfigureRemotingForAnsible.

  • Automatic Script Configuration

To use an automatic configuration script to add a host running Windows Server 2012 as an authorized host, perform the following steps:

  1. Perform security configuration by referring to Security Configuration, to ensure successful connectivity verification.
  2. Obtain the automatic configuration script.

    1. Download Windows2012ConfigureRemotingForAnsible.zip.
    2. Decompress Windows2012ConfigureRemotingForAnsible.zip to obtain script Windows2012ConfigureRemotingForAnsible.ps1.

  3. Configure the host.

    Log in to the host, open PowerShell, access the directory where script Windows2012ConfigureRemotingForAnsible.ps1 is stored, and run the following command:

    .\Windows2012ConfigureRemotingForAnsible.ps1

    The system may display a message indicating that the file cannot be loaded because a digital signature is required.

    This error occurs because the script cannot be executed under the default PowerShell execution policy. If this happens, run the following command in PowerShell to change the execution policy to unrestricted:

    set-executionpolicy unrestricted

    Enter Y to confirm the change.

  4. View the configuration.

    Run the following command in PowerShell:

    winrm e winrm/config/listener

    If the output contains an HTTPS listener whose Hostname is not blank, the listener is configured successfully and the Windows Server 2012 deployment environment has been configured automatically.

    If Hostname is blank in the command output, the host has no IIS or signing certificate information. In this case, run the following script:

    # Configure WinRM.
    winrm enumerate winrm/config/listener
    winrm quickconfig
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/service/auth '@{CredSSP="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    # Install IIS.
    Import-Module servermanager
    Add-windowsfeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-ASP,Web-ISAPI-Ext,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Security,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Tools
    # Create a self-signed certificate.
    New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My\ -DnsName 'windows-deploy-connect'
    # View the self-signed certificate.
    ls Cert:\LocalMachine\My
    # Add a secure connection using the created self-signed certificate.
    $windows_test_key=(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "windows-deploy-connect"}).Thumbprint
    cmd /c "winrm set winrm/config/Listener?Address=*+Transport=HTTPS @{Enabled=`"true`";Port=`"5986`";Hostname=`"windows-deploy-connect`";CertificateThumbprint=`"$windows_test_key`"}"

  • Manual Configuration

To manually add a host running Windows Server 2012 as an authorized host, perform the following steps:

  1. Change the PowerShell execution policy to unrestricted.

    Open PowerShell as an administrator and run the following command:

    set-executionpolicy unrestricted

    Enter Y to confirm the change.

  2. Configure WinRM.

    1. Run the following commands in PowerShell:
      winrm enumerate winrm/config/listener
      winrm quickconfig
      winrm set winrm/config/service/auth '@{Basic="true"}'
      winrm set winrm/config/service/auth '@{CredSSP="true"}'
      winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    2. Run the following command to check whether the configuration has taken effect:
      winrm get winrm/config/service/auth

      If the values of Basic, Kerberos, and CredSSP are all true, the configuration is successful.

  3. Install the certificate.

    1. Open Server Manager to start installing IIS.
    2. Click Add roles and features > Next, as shown in the following figure.

    3. On the Installation Type page, select the first option and click Next.

    4. Go to the Server Roles page and select Web Server (IIS).

    5. Go to the Features page, select .NET Framework 4.5, and click Next.
    6. Go to the Role Services page, select IIS Management Scripts and Tools and Management Service, and click Next to complete the installation.

  4. Add a certificate.

    1. Press Windows+R to open the Run dialog box, enter inetmgr to open IIS Manager, and click OK.
    2. In IIS Manager, double-click Server Certificates.

    3. On the Server Certificates page, click Create Self-Signed Certificate.

    4. In the Specify Friendly Name dialog box, enter the certificate name and click OK.

    5. Run the following command to view the certificate in PowerShell:
      ls Cert:\LocalMachine\My

      If the following two columns of data are displayed, the certificate is added.

    6. Use the certificate to listen on the HTTPS port and configure a secure connection.

      The command has the following format:

      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="User-defined port; default: 5986";Hostname="Certificate domain name";CertificateThumbprint="Certificate key value"}
      • Hostname is the value in the Subject column from the preceding step.
      • CertificateThumbprint is the value in the Thumbprint column from the preceding step, with every two characters separated by a space.

      Enter the following command in the command prompt, as shown in the following figure.

      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="5986";Hostname="XXXXXXXXXXXXXXXX";CertificateThumbprint="DF D7 02 1D F6 AB E2 78 C2 0D 87 4C FC 15 5F 16 D3 33 24 2A"}

      Run the command in the command prompt and separate every two characters of the Thumbprint value with a space. Otherwise, the connectivity verification may fail. If the characters were entered without spaces, delete the listener and add it again.

      If the system displays a message indicating that the service cannot create the resource because it already exists, run the following command to delete the existing listener and then perform this step again:

      winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
    7. Run the following command in PowerShell to check whether the listener is configured:
      winrm e winrm/config/listener

      If the output contains HTTPS, the listener is configured successfully.

  5. Ensure that security configuration has been performed by referring to Security Configuration to ensure successful connectivity verification.
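The checks in step 4 of the automatic procedure and step 4.7 of the manual procedure only look for an HTTPS entry in the listener output. The following script, an added example that is not part of the original page or of the Huawei configuration script, goes further: it confirms that the HTTPS listener is enabled, that its Hostname is bound to a certificate that still exists in Cert:\LocalMachine\My and has not expired, and that the service authentication settings match what the procedure expects. It assumes the listener was created as described above (port 5986, self-signed certificate in the local machine store) and runs in an elevated PowerShell on the target host.

```powershell
# Added preflight check for the WinRM HTTPS listener; not part of the original page's script.
$ErrorActionPreference = 'Stop'
$failures = @()

# 1. The WinRM service itself must be running, or nothing below can succeed.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') { $failures += "WinRM service is $($svc.Status)" }

# 2. Find the HTTPS listener (same data that 'winrm e winrm/config/listener' prints).
$https = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { (Get-ChildItem -Path $_.PSPath | Where-Object Name -eq 'Transport').Value -eq 'HTTPS' } |
    Select-Object -First 1
if (-not $https) {
    $failures += 'No HTTPS listener is configured'
} else {
    $props = @{}
    Get-ChildItem -Path $https.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
    if ($props['Enabled'] -ne 'true') { $failures += 'HTTPS listener exists but is disabled' }
    if ([string]::IsNullOrWhiteSpace($props['Hostname'])) {
        $failures += 'HTTPS listener Hostname is blank (no certificate bound)'
    }
    # 3. The bound certificate must exist, be unexpired, and carry the listener Hostname as its subject.
    $thumb = $props['CertificateThumbprint'] -replace ' ', ''   # tolerate the spaced form used above
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $failures += "Certificate $thumb not found in Cert:\LocalMachine\My"
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { $failures += "Certificate $thumb expired on $($cert.NotAfter)" }
        if ($cert.Subject -notmatch [regex]::Escape($props['Hostname'])) {
            $failures += "Certificate subject '$($cert.Subject)' does not match listener Hostname '$($props['Hostname'])'"
        }
    }
}

# 4. Authentication settings the procedure expects: Basic, Kerberos and CredSSP all true.
foreach ($auth in 'Basic', 'Kerberos', 'CredSSP') {
    $value = (Get-Item -Path "WSMan:\localhost\Service\Auth\$auth").Value
    if ($value -ne 'true') { $failures += "Service auth $auth is $value" }
}
# AllowUnencrypted only affects the HTTP listener; report it so its state is a conscious choice.
$unencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
Write-Host "AllowUnencrypted = $unencrypted (not needed by the HTTPS listener)"

if ($failures.Count -eq 0) { Write-Host 'WinRM HTTPS configuration check passed'; exit 0 }
$failures | ForEach-Object { Write-Host "FAIL: $_" }
exit 1
```

A non-zero exit code with the listed FAIL lines points at the step to repeat (listener creation, certificate, or auth settings) before running the connectivity verification.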