1. WINDOWS IN THE CLOUD
FROM THE POINT OF VIEW OF A JAVA DEVELOPER USED TO LINUX AND MAC OSX, ON EC2
2. Linux in the Cloud
Your SSH public key is put into the instance metadata
VM images have OpenSSH server installed
Bootstrap package will read the public key from instance
metadata, and add to VM user’s SSH authorized keys list
So you can immediately log in using your private key and
without needing a password
*providing your security group allows it!
Easy!
3. Windows in the Cloud?
SSH is rare in the Windows world
Remote administration commonly done with
RDP: Remote Desktop Protocol
With a new instance in a public cloud, this is
your only option, and is set up automatically
But other remote management features can be
enabled later, or be part of an Enterprise cloud
4. Wait, I need a mouse?
Yes - you need to log in with an RDP viewer to do
anything useful
Once logged in, install better remote management
tools that let you automate
Difficult to script this part, especially from Java
And... you can’t log in to an RDP session with a
key pair like SSH. You need to get the password.
5. What’s the password?
The cloud provider’s bootstrap software will:
randomly generate a password
assign it to the Administrator account
fetch the public key from the instance metadata
encrypt the password with the public key
store the encrypted data blob in the instance metadata
Then you must:
retrieve the encrypted data blob from the instance metadata
decrypt the data using your private key to get the password
(jclouds can help you with these steps)
start RDP session and log in with the password
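Both halves of that exchange, as an added example in Go that is not from the talk, from jclouds or from the provider's bootstrap code: the bootstrap side generates a password and seals it with the key pair's public key, and your side decodes the blob and decrypts it with the private key. It assumes EC2's actual scheme, RSA PKCS#1 v1.5 padding over a base64-encoded blob (the same blob `openssl rsautl -decrypt` unpacks); the password generator, the key pair and the blob are all constructed here, and fetching the blob from the metadata is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
)

// randomPassword stands in for the bootstrap step "randomly generate a password"
// (constructed here, not the provider's generator): 12 random bytes -> 16 chars.
func randomPassword() (string, error) {
	raw := make([]byte, 12)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawStdEncoding.EncodeToString(raw), nil
}

// sealPassword is the bootstrap side: encrypt with the key pair's public key
// (RSA PKCS#1 v1.5, the padding EC2 uses) and base64 the blob for the metadata.
func sealPassword(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(password))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// unsealPassword is your side (the step jclouds automates): decode the blob
// and decrypt it with the private half of the key pair; a wrong key errors.
func unsealPassword(priv *rsa.PrivateKey, blob string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", fmt.Errorf("password data is not valid base64: %w", err)
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (wrong key pair?): %w", err)
	}
	return string(pt), nil
}
```

Only the holder of the private key can recover the password, which is why the blob can sit in the instance metadata, and why the private key file needs the same care as the Administrator password itself.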
6. WinRM: Windows
Remote Management
An implementation of WS-Management: a DMTF
standard to remotely access and manage systems
and devices
Includes Remote Shell functionality - good
There’s a free Java client: overthere by XebiaLabs
Runs something "Over there" - great!
7. How to enable WinRM
If the remote host is running Windows Server 2003 R2, you will need to enable WinRM. As the Administrator user, go to the Add/Remove System Components feature in the Control Panel and add WinRM
under the section Management and Monitoring Tools.
1. On the remote host, as the Administrator user, open a Command Prompt and follow the steps below.
2. Configure WinRM to allow basic authentication:
winrm set winrm/config/service/Auth @{Basic="true"}
3. Configure WinRM to allow unencrypted SOAP messages:
winrm set winrm/config/service @{AllowUnencrypted="true"}
4. Configure WinRM to provide enough memory to the commands that you are going to run, e.g. 1024 MB:
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}
5. To use the WINRM_HTTP connection type, create an HTTP WinRM listener:
winrm create winrm/config/listener?Address=*+Transport=HTTP
6. To use the WINRM_HTTPS connection type, follow the steps below:
1. (optional) Create a self-signed certificate for the remote host by installing selfssl.exe from the IIS 6 resource kit and running the command below, or by following the instructions in this blog by Hans Olav:
C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /T /N:cn=HOSTNAME /V:3650
2. Open a PowerShell window and enter the command below to find the thumbprint for the certificate for the remote host:
PS C:\Windows\system32> Get-ChildItem cert:\LocalMachine\Root | Select-String -Pattern HOSTNAME
3. Create an HTTPS WinRM listener for the remote host using the certificate you've just found:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOSTNAME"; CertificateThumbprint="THUMBPRINT"}
For more information on WinRM, please refer to the online documentation at Microsoft's DevCenter.
Taken from the online documentation of Overthere - https://github.com/xebialabs/overthere
9. Turn it into an AMI
If you make an AMI at this point, it will be stuck with the
same password for each new instance you make from it
So, “reseal” the VM, then create an AMI from it
"C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe" -sysprep
On the first boot after “resealing”:
New SIDs will be generated (Windows stuff)
EC2 will generate a new, random password
So this AMI can be safely shared with everyone
10. Am I done yet?
No... now you need to install the software
packages needed by your application.
You are on your own from here!