
Adding a Target Host to a Host Cluster for CodeArts Deploy

Updated on 2025-02-08 GMT+08:00

This section describes how to add a target host to a host cluster.

Prerequisites

  • A host cluster is available, and you have the permission to add hosts to the cluster.
  • A host that meets the following requirements is available. (If you do not have a host, purchase one by referring to Purchasing an ECS.)
    • A public IP address has been bound.
    • A host is configured.
    • If you need to monitor a host, you need to create an agency for the host. For details, see Creating an Agency.
NOTE:

This configuration has been completed for Huawei Cloud ECSs (Linux) by default. You do not need to configure it again. However, you need to configure it for Windows ECSs.

Configuring a Linux Host

For the connectivity verification of a Linux host to succeed, Python must be installed on the host and SELinux must be enabled. The target host must meet the following requirements:

  • Install Python
    Install Python version 2.6 or later. If Python earlier than 2.6 has been installed, run the following commands to install the following modules on the host:
    • Ubuntu
      sudo apt install python-minimal python-simplejson  
    • CentOS or EulerOS
      sudo yum install python-minimal python-simplejson 
      ln -s /usr/bin/python2 /usr/bin/python
    NOTE:

    Before using Advanced Packaging Tool (APT) or Yellowdog Updater Modified (yum), ensure that an available source has been configured.

  • Enable SELinux and install libselinux-python
    1. Run the following command to check the SELinux status:
      /usr/sbin/sestatus
      NOTE:

      The SELinux values indicate the following modes:

      SELinux=disabled: SELinux is disabled.

      SELinux=enforcing: enforcing mode. All behavior that violates the security policy is prohibited.

      SELinux=permissive: permissive mode. Behavior that violates the security policy is not prohibited but is recorded in logs.

    2. If SELinux is set to disabled, SELinux is disabled on the host. In this case, perform the following steps to change the SELinux status.
      1. Run the following command to edit the SELinux configuration file:
        vi /etc/selinux/config
      2. Modify the SELINUX parameter (the key is uppercase in the file) based on the site requirements.

        SELINUX=enforcing: enforcing mode. All behavior that violates the security policy is prohibited.

        SELINUX=permissive: permissive mode. Behavior that violates the security policy is not prohibited but is recorded in logs.

      3. After the modification, press Esc to leave insert mode, and then enter the following command to save the file and exit:
        :wq
      4. Run the following command to create the hidden file .autorelabel in the root directory, and then restart the Linux host:
        touch /.autorelabel
    3. Run the following commands to install libselinux-python:
      • Ubuntu
        sudo apt install libselinux-python
      • CentOS or EulerOS
        sudo yum install libselinux-python
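
The SELinux steps above can also be scripted instead of edited in vi. The following is an added example, not part of the original page or of Huawei's tooling; it assumes the key in /etc/selinux/config is written SELINUX= in uppercase, and the function names and the ROOT prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not Huawei's code): scripted form of the SELinux steps above.
# ROOT is a hypothetical prefix: "" targets the real host, a temp dir is a dry run.

# Print the value of the SELINUX= key, skipping comment lines and SELINUXTYPE=.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Switch a disabled host to MODE (enforcing|permissive) and request a relabel.
enable_selinux() {
    root=$1; mode=$2; cfg="$root/etc/selinux/config"
    case "$mode" in
        enforcing|permissive) ;;
        *) echo "unsupported mode: $mode" >&2; return 2 ;;
    esac
    # Already enabled: leave the file alone and skip the relabel.
    [ "$(selinux_config_mode "$cfg")" = disabled ] || return 0
    new=$(sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg") || return 1
    printf '%s\n' "$new" > "$cfg"   # rewrite in place, keeping owner and mode
    touch "$root/.autorelabel"      # relabel the file system on the next boot
    echo "SELINUX=$mode set in $cfg; restart the host to apply"
}

# Constructed sample: a throwaway root holding a typical disabled config.
make_sample_root() {
    r=$(mktemp -d) && mkdir -p "$r/etc/selinux" || return 1
    cat > "$r/etc/selinux/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing, permissive, disabled
SELINUX=disabled
SELINUXTYPE=targeted
EOF
    echo "$r"
}

# Dry run on the sample; on a real host run: enable_selinux "" permissive
sample=$(make_sample_root)
enable_selinux "$sample" permissive
grep '^SELINUX' "$sample/etc/selinux/config"
rm -rf "$sample"
```

The function only acts when the file says disabled, so running it again on a host that is already enforcing or permissive changes nothing and does not trigger another relabel.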

Configuring the Host Running Windows

To ensure that the Windows host connectivity verification succeeds, perform the following operations on the target hosts. The following uses Windows Server 2012 as an example. The configuration modes include automatic script configuration and manual configuration.
NOTE:

For details about automatic configuration of a host running Windows 10, Windows Server 2016, or Windows Server 2019 as a target host, see the configuration method of Windows Server 2012 and obtain the script.

For details about automatic configuration of a target host running Windows 7, see the configuration method of Windows 2012 and obtain the script.

  • Automatic Script Configuration

To use an automatic configuration script to add a host running Windows Server 2012 as an authorized host, perform the following steps:

  1. Before configuring the script, check whether you have completed security settings by referring to Configuring a Security Group.
  2. Obtain the automatic configuration script.

    1. Download Windows2012ConfigureRemotingForAnsible.zip.
    2. Decompress Windows2012ConfigureRemotingForAnsible.zip to obtain script Windows2012ConfigureRemotingForAnsible.ps1.

  3. Configure the host.

    Log in to the host, open PowerShell, access the directory where script Windows2012ConfigureRemotingForAnsible.ps1 is stored, and run the following command:

    .\Windows2012ConfigureRemotingForAnsible.ps1

    The output is as follows.

    The system may display a message indicating that the file cannot be loaded and a digital signature is required.

    This error occurs because the default PowerShell execution policy does not allow the script to run. If this happens, run the following command in PowerShell to change the execution policy to unrestricted:

    set-executionpolicy unrestricted

    Enter Y to confirm the change.

  4. View the configuration.

    Run the following command in PowerShell:

    winrm e winrm/config/listener

    If the output contains HTTPS and Hostname is not left blank, the listener is configured successfully. The Windows Server 2012 deployment environment is automatically configured.

    NOTE:

    If Hostname is left blank in the command output, the host does not have IIS or signature certificate information. In this case, run the following script:

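    # Configure WinRM: list the listeners, apply the quick configuration,
    # enable Basic and CredSSP authentication, and allow unencrypted traffic.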
    winrm enumerate winrm/config/listener
    winrm quickconfig
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/service/auth '@{CredSSP="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    # Install IIS.
    Import-Module servermanager
    Add-windowsfeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-ASP,Web-ISAPI-Ext,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Security,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Tools
    # Create a self-signed certificate.
    New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My\ -DnsName 'windows-deploy-connect'
    # View the self-signed certificate.
    ls Cert:\LocalMachine\My
    # Add a secure connection using the created self-signed certificate.
    $windows_test_key=(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "windows-deploy-connect"}).Thumbprint
    cmd /c "winrm set winrm/config/Listener?Address=*+Transport=HTTPS @{Enabled=`"true`";Port=`"5986`";Hostname=`"windows-deploy-connect`";CertificateThumbprint=`"$windows_test_key`"}"

  • Manual Configuration

To manually add a host running Windows Server 2012 as an authorized host, perform the following steps:

  1. Change the PowerShell execution policy to unrestricted.

    Open PowerShell as an administrator and run the following command:

    set-executionpolicy unrestricted

    The output is as follows.

    Enter Y to confirm the change.

  2. Configure Windows remote management (WinRM).

    1. Run the following commands in PowerShell:
      winrm enumerate winrm/config/listener
      winrm quickconfig
      winrm set winrm/config/service/auth '@{Basic="true"}'
      winrm set winrm/config/service/auth '@{CredSSP="true"}'
      winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    2. Run the following command to check whether the configuration is successful:
      winrm get winrm/config/service/auth

      If the values of Basic, Kerberos, and CredSSP are all true, the configuration is successful.

  3. Install the certificate.

    1. Open Server Manager, and start IIS.
    2. Click Add roles and features > Next, as shown in the following figure.

    3. On the Installation Type page, select the first option and click Next.

    4. Go to the Server Roles page and select Web Server (IIS).

    5. Go to the Features page, select .NET Framework 4.5, and click Next.
    6. Go to the Role Services page, select IIS Management Scripts and Tools and Management Service, and click Next to complete the installation.

  4. Add a certificate.

    1. Press Windows+R to open the Run dialog box, enter the inetmgr command for opening the IIS management window, and click OK.
    2. Open IIS Manager, and double-click Server Certificates.

    3. On the Server Certificates page, click Create Self-Signed Certificate.

    4. In the Specify Friendly Name dialog box, enter the certificate name and click OK.

    5. Run the following command to view the certificate in PowerShell:
      ls Cert:\LocalMachine\My

      If the following two columns of data are displayed, the certificate is added.

    6. Use the certificate to listen to the HTTPS port and configure a secure connection.

      The commands are in the following format:

      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="User-defined port; default: 5986";Hostname="Certificate domain name";CertificateThumbprint="Certificate key value"}
      NOTE:
      • Hostname is the value in the Subject column in the preceding step.
      • CertificateThumbprint is the value behind "CN=" next to the Thumbprint column in the preceding step. Every two characters are separated by a space.

      Enter the following commands in the command prompt, as shown in the following figure.

      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="5986";Hostname="XXXXXXXXXXXXXXXX";CertificateThumbprint="DF D7 02 1D F6 AB E2 78 C2 0D 87 4C FC 15 5F 16 D3 33 24 2A"}
      NOTE:

      Run the command in the command prompt and separate every two characters in the value of Thumbprint with a space. Otherwise, the connectivity verification may fail. If the characters are not separated by spaces, delete the signatures and add them again.

      NOTE:

      If the system displays a message indicating that the service cannot create the resource because it already exists, run the following command to delete the resource and perform this step again:

      winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
    7. Run the following command to check whether the listening is successful in PowerShell:
      winrm e winrm/config/listener

      If the output contains HTTPS, the listener is configured successfully.

  5. Before verifying the connectivity, check whether you have completed security settings by referring to Configuring a Security Group.

Obtaining the Linux Key

  1. Check whether the key exists on the host.

    Log in to the host and run the following command to switch to user root:

    sudo su root

    Run the following command to view the key file:

    ls  ~/.ssh 
    • If a message is displayed indicating that the directory does not exist or the ~/.ssh directory does not contain the id_rsa file, generate a key.
    • If the id_rsa file exists in the ~/.ssh directory, use the existing key file or generate a new one.

  2. Generate a key.

    Perform the following steps:
    1. Generate a key.
      ssh-keygen -t rsa
    2. When the following information is displayed, press Enter.

    3. When the following information is displayed, press Enter. By default, no password is set. (Setting a password causes the key verification of CodeArts Deploy to fail.)

    4. When the following information is displayed, press Enter.

    5. If the following information is displayed, the key has been generated:

    6. Run the following command to view the key file generated in the .ssh directory. The id_rsa and id_rsa.pub files store the generated private key and public key, respectively.
      ls  ~/.ssh 

  3. Check information about the key generated.

    Run the following command:
    cat ~/.ssh/id_rsa
    • If the key prefix is -----BEGIN RSA PRIVATE KEY-----, the key is correct. Copy the key and save it to the local PC. Enter the key when adding a host or proxy.
    • If the key prefix is -----BEGIN OPENSSH PRIVATE KEY-----, the key is incorrect. Run the following command to generate a new key:
      ssh-keygen -m PEM -t rsa

  4. Authorize the key.

    Run the following command to add the public key to the authorized_keys file of the host:

    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
    NOTE:
    • To perform operations on the authorized_keys file, you must have the permission to operate the id_rsa and id_rsa.pub files.
    • When the key is used for connectivity verification, the username must be the name of the user who operates the authorized_keys file.
    • Do not copy unnecessary spaces when manually copying the key. Otherwise, the connectivity verification may fail.
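
The key format check in step 3 and the authorization in step 4 can be automated as follows. This is an added example, not part of the original page or of Huawei's tooling; the function names and the sample files are hypothetical, and the sample keys are constructed placeholders rather than real key material.

```shell
#!/bin/sh
# Added example (not Huawei's code): checks for the key steps above.
# Function names and the sample files are hypothetical.

# Classify a private key by its first line, the check step 3 performs by eye.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# Add a public key to authorized_keys once. A bare `cat >>` appends a duplicate
# line on every run, and sshd's StrictModes ignores the file when it or its
# directory is writable by other users, so the modes are set here too.
authorize_key() {
    pub=$1; auth=$2; dir=$(dirname "$auth")
    key=$(cat "$pub") || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Constructed sample: placeholder key files in a temp dir, not real key material.
make_sample_keys() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$d/id_rsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$d/id_new"
    printf '%s\n' 'ssh-rsa AAAAconstructed root@deploy-target' > "$d/id_rsa.pub"
    echo "$d"
}

# Dry run on the sample; on a real host pass ~/.ssh/id_rsa and friends instead.
keys=$(make_sample_keys)
for f in id_rsa id_new; do echo "$f: $(key_format "$keys/$f")"; done
authorize_key "$keys/id_rsa.pub" "$keys/.ssh/authorized_keys"
authorize_key "$keys/id_rsa.pub" "$keys/.ssh/authorized_keys"   # no second line
wc -l < "$keys/.ssh/authorized_keys"
rm -rf "$keys"
```

A result of openssh from key_format corresponds to the case in step 3 where the key must be regenerated with ssh-keygen -m PEM -t rsa.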
