Can't add new azure vm to TrustedHosts

This may get long, so please bear with me.

Goal: use terraform to create an azure-vm that an azure-devops release pipeline can deploy to and start a windows service on, using the Remote PowerShell on target machine step.

Problem: after creating the VM with Terraform, RDPing to the VM, and configuring wsman and powershell to allow remote PowerShell on the VM, I try to add the new VM to trustedhosts on my local machine. It fails with this message:

WSManFault Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

Error number: -2144108526 0x80338012 The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

These are the steps I followed to create and set up the VM:

  1. Run the terraform script below to create the VM. It relies on an existing key vault that contains a self-signed certificate.
  2. RDP to the VM.
  3. Open a command prompt and run "WinRM quickconfig".
  4. Open powershell and run: "Install-Module -Name Az -AllowClobber -Scope CurrentUser"
  5. In Powershell, I run the following commands:

    Connect-AzAccount -Tenant [TenantName]
    Select-AzSubscription -Subscription [SubscriptionId]
    $cert = Get-AzKeyVaultCertificate -VaultName [vaultName] -Name [certificateName]
    Enable-PSRemoting -SkipNetworkProfileCheck -Force
    Get-ChildItem WSMan:\Localhost\Listener | Where-Object -Property Keys -EQ "Transport=HTTP" | Remove-Item -Recurse
    New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force
    New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Name 'Windows Remote Management (HTTPS-In)' -Profile Any -LocalPort 5986 -Protocol TCP
    Disable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"

  6. On my local host, from a command line, I run:

    winrm set winrm/config/client @{TrustedHosts="[server DNS name]"}

This is where things fail.

Why do I expect it to work? I previously created a VM using the Azure portal and used these same steps to enable HTTPS PSRemoting. Azure Devops was able to deploy to that VM and start the service over HTTPS using the Run PowerShell on target machine step. I was also able to add the portal-created VM to the trusted hosts list on my local machine.

To get the release pipeline working, I had to add a command line script step that adds the DNS name to TrustedHosts.

What am I missing that prevents me from adding the terraform-created VM to my trusted hosts? At this point I have not set up the release pipeline; I believe there is no point trying until I can successfully add the terraform-created VM to my trusted hosts. Comparing the two VMs, one difference I see in the portal is that the terraform-created VM has no computer name while the portal-created VM does. I haven't figured out why yet.

Although I can't add the DNS name to my TrustedHosts, I am able to establish a secure PSSession.

Here is the Terraform script:

    provider "azurerm" {
        version         = "1.27.0"
        subscription_id = "${var.subscription-id}"
        tenant_id       = "${var.ad-tenant-id}"
    }

    resource "azurerm_virtual_network" "vnet" {
        name                = "${var.vnet-name}"
        address_space       = ["10.0.0.0/16"]
        location            = "${var.location}"
        resource_group_name = "${var.vm-resource-group-name}"
    }

    resource "azurerm_subnet" "subnet" {
        name                 = "${var.subnet-name}"
        resource_group_name  = "${var.vm-resource-group-name}"
        virtual_network_name = "${azurerm_virtual_network.vnet.name}"
        address_prefix       = "10.0.1.0/24"
    }

    resource "azurerm_public_ip" "publicip" {
        name                        = "${var.public-ip-name}"
        location                    = "${var.location}"
        resource_group_name         = "${var.vm-resource-group-name}"
        allocation_method           = "Static"
        domain_name_label           = "${var.domain-name-label}"
    }

    resource "azurerm_network_security_group" "nsg" {
        name                = "${var.security-group-name}"
        location            = "${var.location}"
        resource_group_name = "${var.vm-resource-group-name}"

        security_rule {
            name                       = "RDP"
            priority                   = 300
            direction                  = "Inbound"
            access                     = "Allow"
            protocol                   = "Tcp"
            source_port_range          = "*"
            destination_port_range     = "3389"
            source_address_prefix      = "*"
            destination_address_prefix = "*"
        }

        security_rule {
            name                       = "WinRM"
            priority                   = 310
            direction                  = "Inbound"
            access                     = "Allow"
            protocol                   = "Tcp"
            source_port_range          = "*"
            destination_port_range     = "5985-5986"
            source_address_prefix      = "*"
            destination_address_prefix = "*"
        }
    }

    resource "azurerm_network_interface" "nic" {
        name                      = "${var.nic-name}"
        location                  = "${var.location}"
        resource_group_name       = "${var.vm-resource-group-name}"
        network_security_group_id = "${azurerm_network_security_group.nsg.id}"
        enable_accelerated_networking = true

        ip_configuration {
            name                          = "${var.ip-config-name}"
            subnet_id                     = "${azurerm_subnet.subnet.id}"
            private_ip_address_allocation = "dynamic"
            public_ip_address_id          = "${azurerm_public_ip.publicip.id}"
        }
    }

    resource "azurerm_virtual_machine" "vm" {
        name                  = "${var.vm-name}"
        location              = "${var.location}"
        resource_group_name   = "${var.vm-resource-group-name}"
        network_interface_ids = ["${azurerm_network_interface.nic.id}"]
        vm_size               = "${var.vm-size}"

        storage_os_disk {
            name              = "${var.disk-name}"
            caching           = "ReadWrite"
            create_option     = "FromImage"
            managed_disk_type = "Premium_LRS"
        }

        delete_os_disk_on_termination = true

        storage_image_reference {
            publisher = "MicrosoftWindowsServer"
            offer     = "WindowsServer"
            sku       = "${var.sku}"
            version   = "latest"
        }

        os_profile {
            computer_name  = "${var.vm-name}"
            admin_username = "${var.vm-admin-id}"
            admin_password = "${var.vm-admin-password}"
        }

        os_profile_secrets {
            source_vault_id = "${var.keyvault-id}"
            vault_certificates {
                certificate_url = "${var.cert-secret-id}"
                certificate_store = "My"
            }
        }

        os_profile_windows_config {
        }

        tags = {
            applicationidentifier = "casa"
            applicationrole = "VM"
            companycode = "C4"
            CostCenterCode = "04-ENG"
            Environment = "Dev/Test"
            name = "casa-win-services"
            owner = "captioncall_eng"
            version = "1.0"
        }
    }

TIA, Darwin

I considered deleting this question, but maybe it will help someone.

It turns out it is not necessary to add the DNS name to trusted hosts. The release pipeline works without that step.
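As an added example (not code from the original question or answer), the two PowerShell functions below cover both the VM-side procedure in steps 3 to 6 and the conclusion in the answer. `Set-WinRmHttpsListener` runs on the VM and builds the HTTPS listener from the certificate that the `vault_certificates` block already installs into `LocalMachine\My`, so no Az module login is needed on the VM. `Test-WinRmHttpsAccess` runs on the client and shows that a session on port 5986 works while the client's `TrustedHosts` value is left untouched. The function names, `$VmDnsName`, the credential, and matching the certificate by a `CN=` prefix on its subject are assumptions; the certificate in the vault must carry the VM's DNS label as its subject, or the client's name check on the server certificate fails.

```powershell
# Added example, not part of the original post. Placeholders are marked.

function Set-WinRmHttpsListener {
    # Run elevated on the VM. Builds an HTTPS-only WinRM listener from the
    # certificate that Terraform's vault_certificates block put in LocalMachine\My.
    [CmdletBinding()]
    param(
        # DNS name clients connect to; the certificate subject must match it.
        [Parameter(Mandatory)] [string]$DnsName
    )
    # Assumption: the certificate subject is "CN=<dns name>". Pick the newest usable one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$DnsName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$DnsName in LocalMachine\My" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired" }

    Enable-PSRemoting -SkipNetworkProfileCheck -Force

    # Drop the plaintext HTTP listener so only the encrypted transport is offered,
    # then recreate the HTTPS listener bound to the chosen certificate.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' -or $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse -Force
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

    # Open 5986 inbound (idempotent) and make sure the 5985 rule stays disabled.
    if (-not (Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Name 'WinRM-HTTPS-In' `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # Report what was bound so it can be compared with the client's view.
    [pscustomobject]@{
        DnsName    = $DnsName
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Listeners  = (Get-ChildItem WSMan:\localhost\Listener | ForEach-Object { $_.Keys -join ';' })
    }
}

function Test-WinRmHttpsAccess {
    # Run on the client. Proves an HTTPS session works without editing TrustedHosts:
    # over HTTPS the server certificate, not the TrustedHosts list, identifies the host.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$VmDnsName,         # e.g. '<label>.<region>.cloudapp.azure.com' (placeholder)
        [Parameter(Mandatory)] [pscredential]$Credential
    )
    # Read, but never write, the client's TrustedHosts so the result shows it was not needed.
    $trustedBefore = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    # Unauthenticated identify request: confirms reachability and the TLS handshake on 5986.
    $identify = Test-WSMan -ComputerName $VmDnsName -Port 5986 -UseSSL

    # Authenticated session over TLS; remote computer name comes back as proof of execution.
    $session = New-PSSession -ComputerName $VmDnsName -Port 5986 -UseSSL -Credential $Credential
    try {
        $remoteName = Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
    } finally {
        Remove-PSSession -Session $session
    }

    [pscustomobject]@{
        DnsName        = $VmDnsName
        ProductVersion = $identify.ProductVersion
        RemoteHost     = $remoteName
        TrustedHosts   = $trustedBefore   # unchanged by this function
    }
}

# Usage (placeholders):
#   On the VM, elevated:  Set-WinRmHttpsListener -DnsName '<label>.<region>.cloudapp.azure.com'
#   On the client:        Test-WinRmHttpsAccess -VmDnsName '<label>.<region>.cloudapp.azure.com' -Credential (Get-Credential)
```

Two checks are worth doing around this. First, `-UseSSL` only succeeds if the client trusts the certificate: for a self-signed certificate that means importing it into the client's Trusted Root store, which keeps the name and chain checks intact; `New-PSSessionOption -SkipCACheck -SkipCNCheck` makes the session connect but removes the only thing that authenticates the server. Second, the `winrm` command-line tool itself talks to the WinRM service on the machine it runs on, so the 0x80338012 "client cannot connect" error from `winrm set winrm/config/client` commonly points at the local client's WinRM service not running rather than at the VM; `Get-Service WinRM` on the client tells you which. Separately, the NSG in the question admits RDP and WinRM from any source address (`source_address_prefix = "*"`); scoping those rules to the pipeline agent's and administrators' addresses limits who can reach 5986 at all.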