Adding a Target Host to a Host Cluster for CodeArts Deploy

This section describes the preparations for adding target hosts to a host cluster. Before adding a host to a created host cluster, you need to perform the following operations on the host.

Prerequisites

A host cluster is available, and you have the permission to add hosts to the cluster.
A host that meets the following requirements is available. (If you do not have a host, purchase one by referring to Purchasing an ECS.)
- A public IP address has been bound.
- A host is configured.
- If you need to monitor a host, you need to create an agency for the host. For details, see Creating an Agency.

This configuration has been completed for Huawei Cloud ECSs (Linux) by default. You do not need to configure it again. However, you need to configure it for Windows ECSs.

Configuring a Linux Host

To ensure that the connectivity verification of the Linux host is successful, ensure that Python is installed on the Linux host and the SELinux mechanism is enabled. The target host must meet the following requirements:

Install Python
Install Python version 2.6 or later. If Python earlier than 2.6 has been installed, run the following commands to install the following modules on the host:
- Ubuntu
```
sudo apt install python-minimal python-simplejson  
```
- CentOS or EulerOS
```
sudo yum install python-minimal python-simplejson 
ln -s /usr/bin/python2 /usr/bin/python
```
Before using Advanced Packaging Tool (APT) or Yellowdog Updater Modified (yum), ensure that an available source has been configured.

Enable SELinux and install libselinux-python
1. Run the following command to check the SELinux status:
```
/usr/sbin/sestatus
```
  Mode corresponding to the value of SELinux:
  
  SELinux=disabled: disabled.
  
  SELinux=enforcing: forcible mode, indicating that all behavior that violates the security policy are prohibited.
  
  SELinux=permissive: indicates that all behavior that violates security policies are not prohibited but are recorded in logs.
2. If SELinux is set to disabled, SELinux is disabled on the host. In this case, perform the following steps to change the SELinux status.
  1. Run the following command to edit the config file of the SELinux:
```
vi /etc/selinux/config
```
  2. Modify the SELinux parameters based on the site requirements.
    SELinux=enforcing: forcible mode, indicating that all behavior that violates the security policy are prohibited.
    
    SELinux=permissive: indicates that all behavior that violates security policies are not prohibited but are recorded in logs.
  3. After the modification, press Esc to exit. Run the following command to save the file and exit.
```
wq
```
  4. Create the hidden file .autorelabel in the root directory, run the following command, and restart the Linux host.
```
touch /.autorelabel
```
3. Run the following commands to install libselinux-python:
  - Ubuntu
```
sudo apt install libselinux-python
```
  - CentOS or EulerOS
```
sudo yum install libselinux-python
```

Configuring the Host Running Windows

To ensure that the Window host connectivity verification succeeds, perform the following operations on target hosts. The following uses a Windows Server 2012 as an example. The configuration modes include automatic script configuration and manual configuration.

For details about how to configure a host running Windows 10, or Windows Server 2016 or Windows Server 2019 as the target host, see the configuration method of Windows Server 2012. For details about how to obtain the script, see Windows2016ConfigureRemotingForAnsible.zip.

For details about how to configure a target host running Windows 7, see the configuration method of Windows 2012. For details about how to obtain the script, see Windows2012ConfigureRemotingForAnsible.

Automatic Script Configuration

To use an automatic configuration script to add a host running Windows Server 2012 as an authorized host, perform the following steps:

Perform Security Configuration, to ensure successful connectivity verification.
Obtain the automatic configuration script.
1. Download Windows2012ConfigureRemotingForAnsible.zip.
2. Decompress Windows2012ConfigureRemotingForAnsible.zip to obtain script Windows2012ConfigureRemotingForAnsible.ps1.
Configure the host.

Log in to the host, open PowerShell, access the directory where script Windows2012ConfigureRemotingForAnsible.ps1 is stored, and run the following command:
```
.\Windows2012ConfigureRemotingForAnsible.ps1
```
The output is as follows:

The system may display a message indicating that the file cannot be loaded and a digital signature is required.

This error occurs because the script cannot be executed in default mode of PowerShell. If this happens, run the following command in PowerShell to change the execution policy to unrestricted:
```
set-executionpolicy unrestricted
```
Enter Y to confirm the change.

View the configuration.

Run the following command in PowerShell:

winrm e winrm/config/listener

If the output contains HTTPS and Hostname is not left blank, the listening is successful. The Windows Server 2012 deployment environment is automatically configured.

Click to enlarge

If Hostname is left blank in the command output, the host does not have IIS or signature certificate information. In this case, run the following script:

# Configure WinRM.
winrm enumerate winrm/config/listener
winrm quickconfig
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{CredSSP="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
# Install IIS.
Import-Module servermanager
Add-windowsfeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-ASP,Web-ISAPI-Ext,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Security,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Tools
# Create a self-signed certificate.
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My\ -DnsName 'windows-deploy-connect'
# View the self-signed certificate.
ls Cert:\LocalMachine\My
# Add a secure connection using the created self-signed certificate.
$windows_test_key=(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "windows-deploy-connect"}).Thumbprint
cmd /c "winrm set winrm/config/Listener?Address=*+Transport=HTTPS @{Enabled=`"true`";Port=`"5986`";Hostname=`"windows-deploy-connect`";CertificateThumbprint=`"$windows_test_key`"}"

Manual Configuration

To manually add a host running Windows Server 2012 as an authorized host, perform the following steps:

Change the PowerShell execution policy to unrestricted.

Open PowerShell as an administrator and run the following command:
```
set-executionpolicy unrestricted
```
The output is as follows.

Enter Y to confirm the change.

Configure Windows remote management (WinRM).

Run the following commands in PowerShell:

winrm enumerate winrm/config/listener
winrm quickconfig
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{CredSSP="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'

Run the following command to check whether the configuration is successful:
```
winrm get winrm/config/service/auth
```
If the values of Basic, Kerberos, and CredSSP are all true, the configuration is successful.

Install the certificate.
1. Open Server Manager, and start IIS.
2. Click Add roles and features > Next, as shown in the following figure.
3. On the Installation Type page, select the first option and click Next.
4. Go to the Server Roles page and select Web Server (IIS).
5. Go to the Features page, select .NET Framework 4.5, and click Next.
6. Go to the Role Services page, select IIS Management Scripts and Tools and Management Service, and click Next to complete the installation.
Add a certificate.
1. Press Windows+R to open the Run dialog box, enter the inetmgr command for opening the IIS management window, and click OK.
2. Open IIS Manager, and double-click Server Certificates.
3. On the Server Certificates page, click Create Self-Signed Certificate.
4. In the Specify Friendly Name dialog box, enter the certificate name and click OK.
5. Run the following command to view the certificate in PowerShell:
```
ls Cert:\LocalMachine\My
```
  If the following two columns of data are displayed, the certificate is added.
6. Use the certificate to listen to the HTTPS port and configure a secure connection.
  The commands are in the following format:
```
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="User-defined port; default: 5986";Hostname="Certificate domain name";CertificateThumbprint="Certificate key value"}
```
  - Hostname is the value in the Subject column in the preceding step.
  - CertificateThumbprint is the value behind "CN=" next to the Thumbprint column in the preceding step. Every two characters are separated by a space.
  Enter the following commands in the command prompt, as shown in the following figure.
```
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="5986";Hostname="XXXXXXXXXXXXXXXX";CertificateThumbprint="DF D7 02 1D F6 AB E2 78 C2 0D 87 4C FC 15 5F 16 D3 33 24 2A"}
```
  Run the command in the command prompt and separate every two characters in the value of Thumbprint with a space. Otherwise, the connectivity verification may fail. If the characters are not separated by spaces, delete the signatures and add them again.
  If the system displays a message indicating that the service cannot create the resource because it already exists, run the following command to delete the resource and perform this step again:
```
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
```
7. Run the following command to check whether the listening is successful in PowerShell:
```
winrm e winrm/config/listener
```
  If the output contains HTTPS, the listening is successful.
Ensure that security configuration has been performed by referring to Security Configuration to ensure successful connectivity verification.