Preparing for Adding a Host to a Host Cluster

Preparations

A target host or proxy is available. For details about how to apply for a host, see (Optional) Applying for an ECS.
An EIP is available. You can create one when applying for an ECS or anytime by referring to (Optional) Applying for an EIP.
Configure a security group for the created ECS by referring to Configuring a Security Group.
To ensure successful host connectivity, configure the host as follows:
- If your host is a newly applied ECS, configure the port by referring to Configuring a Security Group.
- If you use your own host, configure the port by referring to Configuring the Firewall.

Configuring a Security Group

Before verifying host connectivity, configure a security group and enable some ports. Otherwise, the connectivity verification may fail. (The following uses a Linux host as an example.)

Go to the console, and choose Service List > Compute > Elastic Cloud Server. The Elastic Cloud Server page is displayed.
Click the target ECS. On the ECS details page, click the Security Groups tab. Click a security group ID. On the page that is displayed, click Manage Rules > Inbound Rules.
Click Fast-Add Rules and set the parameters as follows:
- For Linux hosts, enable port 22 in the inbound rule. For Windows hosts, enable ports 54, 5985, and 5986 in the inbound rule when adding the target host or proxy host. Set the remote end to 0.0.0.0/0 (open the preceding ports for all IP addresses).
  If you have high security requirements on the overall deployment process and the preceding ports cannot be opened to all IP addresses, add the following IP addresses to the security group and remove port restrictions. Otherwise, host connectivity verification cannot be performed.
  
  China (all regions):
```
Singapore:
114.119.185.21
Sao Paulo:
159.138.214.24
Mexico:
122.8.183.54
110.238.80.148
Santiago:
119.8.154.190
Türkiye:
101.44.36.238
Riyadh:
101.46.48.174
Cairo:
101.46.64.14
Johannesburg:
159.138.166.36
```
  The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.
- Remove the inbound restriction on the port of the application deployed on the host (for example, port 8080 of the Tomcat application or all ports of other applications must be enabled in the inbound direction). Otherwise, the application cannot be accessed.
- Remove the restriction on the outbound direction or at least make ports 80 and 443 accessible.

Configuring the Firewall

Check the firewall configuration of the host to make sure that the firewall allows access to the SSH protocol. Otherwise, the connectivity verification may fail. The following part describes how to configure the firewall for different OSs.

Linux firewall configurations

**Table 1** **Linux firewall configurations**
OS Series	Configuration Method
CentOS/EulerOS/UnionTechOS	Check whether the SSH software package is installed on the local host. rpm -qa \| grep ssh If the command output contains openssh-server, the SSH software package has been installed. If no SSH software package is available, run the following command: yum install openssh-server Enable the SSH service. service sshd start Open the sshd configuration file. vi /etc/ssh/sshd_config Delete the comment tag before the listening port number. Restart the SSH service. sudo service sshd restart Check whether port 22 is enabled. netstat -ntpl \| grep 22 NOTE: If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist. Add the following command to the end of the sshd_config file and save the file: AllowUsers {User}@{IP} Restart the SSH service. sudo service sshd restart User: whitelisted username. IP: whitelisted IP address. The whitelist should contain CodeArts IP address range. China (all regions): Singapore: 114.119.185.21 Sao Paulo: 159.138.214.24 Mexico: 122.8.183.54 110.238.80.148 Santiago: 119.8.154.190 Türkiye: 101.44.36.238 Riyadh: 101.46.48.174 Cairo: 101.46.64.14 Johannesburg: 159.138.166.36 The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.
Debian	Log in to the system as the root user and install the ufw command. apt install ufw Enable port 22. ufw allow 22/tcp Check whether port 22 is enabled. ufw status If the UFW status is inactive, run the following command to start UFW: ufw enable NOTE: If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist. Run the following command to add an IP address to the whitelist: ufw allow from {IP} to any port 22 IP: whitelisted IP address. The whitelist should contain CodeArts IP address range. Check the rule list of UFW: ufw status numbered Disable the SSH connection rule (disable the rule whose source IP address is Anywhere to implement whitelist restriction). ufw delete {Number} {Number} indicates the number of the rule to be disabled. China (all regions): Singapore: 114.119.185.21 Sao Paulo: 159.138.214.24 Mexico: 122.8.183.54 110.238.80.148 Santiago: 119.8.154.190 Türkiye: 101.44.36.238 Riyadh: 101.46.48.174 Cairo: 101.46.64.14 Johannesburg: 159.138.166.36 The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.
Ubuntu	Check the IP address of the local host. ifconfig Check whether the 22 port is occupied. netstat -nltp\|grep 22 If no port process exists, run the following commands in sequence: sudo apt-get install openssh-server sudo apt-get install ufw sudo ufw enable sudo ufw allow 22 NOTE: If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist. Run the following command to add an IP address to the whitelist: sudo ufw allow from {IP} to any port 22 IP: whitelisted IP address. The whitelist should contain CodeArts IP address range. Check the rule list of UFW: ufw status numbered Disable the SSH connection rule (disable the rule whose source IP address is Anywhere to implement whitelist restriction). ufw delete {Number} {Number} indicates the number of the rule to be disabled. China (all regions): Singapore: 114.119.185.21 Sao Paulo: 159.138.214.24 Mexico: 122.8.183.54 110.238.80.148 Santiago: 119.8.154.190 Türkiye: 101.44.36.238 Riyadh: 101.46.48.174 Cairo: 101.46.64.14 Johannesburg: 159.138.166.36 The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.

Windows firewall configurations:
This section uses Windows Server 2012 as an example.

Choose Windows Firewall on the control panel of the Windows host.
Click Advanced settings.
Click Inbound Rules.
Click New Rule.
Set Rule Type to Port and click Next.
Select TCP and Specific local ports, enter port 5986, and click Next.
Select Allow the connection, and click Next.
Select all the options for Profile and click Next.
Enter a rule name and click Finish.
Repeat steps 1 to 9 to add an inbound rule for the proxy listening port, for example, port 54.
If you have high security requirements on the overall deployment process and do not want to open the preceding ports to all IP addresses, you can configure an IP address whitelist. (Optional)
1. Choose Windows Firewall on the control panel of the Windows host.
2. Click Advanced settings.
3. Click Inbound Rules.
4. Click New Rule.
5. Set Rule Type to Custom and click Next.
6. Set Program to All programs and click Next.
7. Set Protocol type to TCP and Local port to Specific Ports, enter port 5986, and click Next.
8. In the Scope area, select Any IP address for Which local IP addresses does this rule apply to? and select These IP addresses for Which remote IP addresses does this rule apply to?, enter a whitelisted IP address and click Next.
9. Select Allow the connection, and click Next.
10. Select all the options for Profile and click Next.
11. Enter a rule name and click Finish.
12. Repeat steps 1 to 11 to add an inbound rule for the proxy listening port, for example, port 54.