normalian blog

Let's talk about Microsoft Azure, ASP.NET and Java!

How to set up your CentOS VMs as a VSTS Private Agent

VSTS is a really powerful tool and lets you use compute resources from the cloud, but you will sometimes want to use your own custom libraries or executable files in your build processes. You can use a Private Agent for such cases. In this post,
I will set up a private agent on a CentOS VM, but please note that VSTS ships agents only for a fixed set of platforms, and CentOS isn't supported right now.

Step by Step to setup Private Agent

Follow the three sections below.

  1. Create new pool in VSTS portal
  2. Create new “Personal access tokens” in VSTS portal
  3. Setup agent in your VM

1. Create new pool in VSTS portal

Go to the “Agent Pools” tab in your VSTS account and click “New pool…”.

Enter an agent pool name as needed. I recommend naming each pool after its use.

Download the agent package from your agent pool.

2. Create new “Personal access tokens” in VSTS portal

Choose “Security” from your account settings.

Create a new “Personal access token”.

Keep the access token from the VSTS portal. The value is shown only once, at creation time, and cannot be retrieved later.

3. Setup agent in your VM

Transfer the agent package to your VM and extract it. I executed the commands below.

# become root
sudo su -

# I had to install the packages below on the CentOS VM, because the VSTS agent is built for RedHat but not for CentOS
yum install centos-release-dotnet.noarch
yum install rh-dotnetcore11-dotnetcore.x86_64

# set up the agent
mkdir /opt/agent
mv vsts-agent-rhel.7.2-x64-2.123.0.tar.gz /opt/agent
# extract inside /opt/agent, where the archive was just moved
cd /opt/agent/
tar zxvf vsts-agent-rhel.7.2-x64-2.123.0.tar.gz
# hand the tree to the unprivileged login user that will run the agent
chown -R azureuser /opt/agent/

# register the agent (interactive: VSTS URL, PAT, pool and agent name),
# then start it; if config.sh refuses to run as root, run these two as azureuser
cd /opt/agent/
./config.sh
./run.sh

Your instance is registered once “./config.sh” finishes. You have to keep “./run.sh” running to maintain “Online” status.
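The script below is an added example, not code from the original post or from the VSTS agent package. It stages a downloaded agent tarball the way the mkdir/mv/tar/chown sequence above does, but with the checks that sequence lacks: the tarball must exist, extraction is pinned to the target directory with tar -C so the current working directory no longer matters, and the package layout (config.sh and run.sh at the top level) is verified before ownership is handed to the unprivileged account that will run the agent. All paths and the account name are placeholders.

```shell
#!/bin/sh
# stage_agent.sh -- added example (not from the original post or the agent package).
# Stages a VSTS agent tarball into an install directory owned by the
# unprivileged account that will run ./config.sh and ./run.sh.

# stage_agent <tarball> <install dir> <owner account>
stage_agent() {
    tarball="$1"   # e.g. vsts-agent-rhel.7.2-x64-2.123.0.tar.gz (placeholder)
    dest="$2"      # e.g. /opt/agent (placeholder)
    owner="$3"     # e.g. azureuser, or a dedicated service account (placeholder)

    if [ ! -f "$tarball" ]; then
        echo "agent package not found: $tarball" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1

    # Extract into $dest explicitly. A bare "tar zxvf" assumes the current
    # directory already is the install directory, which is easy to get wrong
    # right after an mv.
    tar -xzf "$tarball" -C "$dest" || return 1

    # The agent package ships config.sh and run.sh at its top level; refuse to
    # continue if the archive does not look like an agent package.
    for f in config.sh run.sh; do
        if [ ! -f "$dest/$f" ]; then
            echo "unexpected package layout: $dest/$f missing" >&2
            return 1
        fi
    done

    # Hand the tree to the unprivileged account. chown needs root, so it is
    # skipped when the function is exercised without privileges.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dest" || return 1
    fi
    return 0
}

# Typical use on the VM, as root, after copying the tarball there:
#   stage_agent /root/vsts-agent-rhel.7.2-x64-2.123.0.tar.gz /opt/agent azureuser
# then, as azureuser, run ./config.sh and ./run.sh inside /opt/agent.
```

Running the agent under a dedicated, non-root account keeps a compromised build step from owning the VM, and the personal access token entered at config.sh time is the credential that matters most: it grants whatever its scopes allow, so give it only the agent-pool scopes and keep it out of shell history and scripts (the agent's documented unattended mode takes the token on the command line, so prefer reading it from an environment variable or a root-only file rather than pasting it into a script).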

Service Fabric deployment tips - always returns “Failed to submit updates for certificate” on Azure Portal

As you know, Service Fabric uses several different certificates to secure its clusters.

  • Cluster certificate: client-to-node security, e.g. management endpoints such as Service Fabric Explorer or PowerShell
  • Server certificate: server (node) to clients, and server (node) to server (node)
  • Client certificates: Role-Based Access Control (RBAC), used to limit access to certain cluster operations for different groups of users, e.g. Admin vs User

You need to register your own certificate in the Azure Portal to browse your cluster and to deploy your applications from Visual Studio. You can register the certificate from the Azure Portal.

In almost all cases the step above works well, but it is possible to get the error “Failed to submit updates for certificate” in the Azure Portal.

This issue is caused by the Azure Portal calling the wrong API version. Use the PowerShell commands below to avoid the error.

Login-AzureRmAccount
Add-AzureRmServiceFabricClientCertificate -ResourceGroupName "your resource group name" -Name "your service fabric cluster name" -Thumbprint "your thumbprint" -Admin

Service Fabric deployment tips - deployment on Azure stops when the script logs "Copying application to image store"

When you try to deploy ASP.NET Core stateless applications to Service Fabric on Azure, the deployment might stop after the script logs "Copying application to image store", as in the output below.

C:\Users\xxxxxxxx\source\repos\FabricApp01\Web1\bin\Debug\netcoreapp2.0\win7-x64\Web1.dll
Web1 -> C:\Users\xxxxxxxx\source\repos\FabricApp01\Web1\obj\Debug\netcoreapp2.0\win7-x64\PubTmp\Out\
FabricApp01 -> C:\Users\xxxxxxxx\source\repos\FabricApp01\FabricApp02\pkg\Debug
-------- Package: Project: FabricApp01 succeeded, Time elapsed: 00:00:18.7823627 --------
3>Started executing script 'Deploy-FabricApplication.ps1'.
3>powershell -NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command ". 'C:\Users\xxxxxxxx\source\repos\FabricApp01\FabricApp01\Scripts\Deploy-FabricApplication.ps1' -ApplicationPackagePath 'C:\Users\xxxxxxxx\source\repos\FabricApp01\FabricApp01\pkg\Debug' -PublishProfileFile 'C:\Users\xxxxxxxx\source\repos\FabricApp01\FabricApp01\PublishProfiles\Cloud.xml' -DeployOnly:$false -ApplicationParameter:@{} -UnregisterUnusedApplicationVersionsAfterUpgrade $false -OverrideUpgradeBehavior 'None' -OverwriteBehavior 'SameAppTypeAndVersion' -SkipPackageValidation:$false -ErrorAction Stop"
3>Copying application to image store.

This issue is already known: Copy-ServiceFabricApplicationPackage hangs forever · Issue #813 · Azure/service-fabric-issues · GitHub. You need to remove your "Local Cluster" when you deploy your applications to a cluster on Azure.

After removing the local cluster, you can deploy your applications to Service Fabric on Azure.

Step by step: how to set up Service Fabric Explorer on Azure

This article introduces how to set up the environment on Azure. Service Fabric offers a microservices and containerized architecture on Microsoft Azure, and it is secured with multiple certificates for the clusters.

  • Create Key Vault
  • Create Service Fabric
  • Create a certificate and install it on your computer
  • Register your certificate with your Service Fabric cluster
  • Access Service Fabric Explorer

Create Key Vault

You need to set up a "Key vault" instance like the one below. It is fine to use an existing one if you already have a Key Vault instance, because Service Fabric only depends on having a Key Vault to hold its certificates.

Create Service Fabric

Create your Service Fabric cluster following the steps below. You need to choose an "Operating system" that matches your applications.

"Node types" are similar to "Cloud Service Roles". VM scale sets are created according to the "Node type count"; specify the "Node type name" and the instance type for each node type.

Set up your cluster security. Note that you must click "Click to hide advanced access policies" first and add "Enable access ..." to the access policies on your Key Vault instance, because this is mandatory for setup. Enter a "Certificate name" for your internal cluster communication.

Verify your cluster settings and create the cluster.

Create a certificate and install it on your computer

You need to create and register a new certificate for communication between your client machine and your cluster. First, execute the commands below to create a new certificate; you will need to enter passwords for the certificate.

# I used makecert and PVK2PFX from "C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\", but the path depends on your computer platform
# create a self-signed certificate (-r) with a private key file and a validity period
makecert -sv yourprivatekeyfile.pvk -n "CN=Daichi Isami" yourcertfile.cer -b 02/14/2018 -e 12/31/2020 -r
# bundle the private key and certificate into a password-protected PFX
PVK2PFX -pvk yourprivatekeyfile.pvk -spc yourcertfile.cer -pfx yourpfxfile.pfx -po <your password>

After creating your certificate, double-click it and install it on your computer by clicking the button below. You need to enter the password you set when you created the certificate.

Next, run "mmc" from PowerShell. Choose "File" -> "Add/Remove Snap-in..." and add "Certificates" for "My user account".

Choose "Certificates - Current User" -> "Personal" on the left and select your certificate in the central pane. Now you can pick up the "Thumbprint" of your certificate.
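The script below is an added example and is not part of the original post; it swaps OpenSSL in for the makecert/PVK2PFX pair used above, which is useful when the certificate is prepared on a Linux or macOS workstation. It performs the same three steps (self-signed client certificate, password-protected PFX for the Windows "Install Certificate" dialog) and adds a fourth that the post does through mmc: computing the SHA-1 thumbprint in the form the Azure Portal "Certificate thumbprint" field expects, 40 uppercase hex digits with no colons. The output directory, the subject name and the PFX_PASSWORD environment variable are placeholders chosen here.

```shell
#!/bin/sh
# make_client_cert.sh -- added example (not from the original post), using
# OpenSSL instead of makecert/PVK2PFX.

# make_client_cert <outdir> <subject CN> <days valid>
# Creates key.pem, cert.pem and client.pfx in <outdir>.
# The PFX export password is read from $PFX_PASSWORD (a placeholder name) so it
# does not land in shell history or process listings the way a "-po <password>"
# argument does.
make_client_cert() {
    outdir="$1"; cn="$2"; days="$3"
    mkdir -p "$outdir" || return 1
    # Self-signed certificate with a fresh 2048-bit RSA key. The key file has no
    # passphrase; it is protected by file permissions and then by the PFX.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -days "$days" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$outdir/key.pem"
    # Bundle key + certificate as PKCS#12 for import into the Windows user store.
    openssl pkcs12 -export \
        -inkey "$outdir/key.pem" -in "$outdir/cert.pem" \
        -out "$outdir/client.pfx" -passout env:PFX_PASSWORD || return 1
    chmod 600 "$outdir/client.pfx"
}

# cert_thumbprint <cert.pem>
# Prints the SHA-1 fingerprint of the certificate in Azure Portal format:
# 40 uppercase hex digits, no colons. This is the value mmc shows as "Thumbprint".
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Example run (placeholders):
#   PFX_PASSWORD='choose-a-strong-password' make_client_cert ./sf-client "CN placeholder" 365
#   cert_thumbprint ./sf-client/cert.pem
```

The thumbprint is what the portal matches against, so compute it from the certificate you actually import; a thumbprint copied from a different file (an earlier attempt, or the wrong .cer) is the usual reason a correctly installed certificate is still rejected by Service Fabric Explorer.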

Register your certificate with your Service Fabric cluster

Before proceeding with this step, confirm that your cluster status is "Ready". This may take more than 20 minutes. You might get the “failed to submit updates for certificate” error if you proceed before that.
Register your certificate with your Service Fabric cluster in the Azure Portal. Choose the "Security" tab and the "Add.." button.

Select "Admin client" as the "Authentication type" so the certificate can deploy and upgrade your cluster. Enter your saved thumbprint into "Certificate thumbprint" and save.

After this, it takes about 30 minutes for the step to complete.

Access Service Fabric Explorer

Open the Service Fabric Explorer URL, e.g. https://"your cluster name"."your region".cloudapp.azure.com:19080/Explorer/index.html#/, and choose the matching certificate installed on your computer.

You can now view Service Fabric Explorer for your cluster.

Quick introduction for portal sites of Microsoft Azure

Do you know how many portal sites Microsoft Azure has? Almost all users access only the "Microsoft Azure Portal". The "Microsoft Azure Portal" manages all Azure resources such as VMs, App Service, SQL Database and others. In addition to that portal, Microsoft Azure also offers two other portal sites, the "Enterprise Azure Portal" and the "Azure Account Portal".

  • "Enterprise Azure Portal" manages Azure subscriptions, subscription administrators and billing reports. This portal is mainly used by the billing administrators in your company.
  • "Azure Account Portal" is mainly used to create, transfer and cancel subscriptions. This portal is mainly used by developers.
  • "Microsoft Azure Portal" manages all Azure resources. This portal is mainly used by developers.

You don't need the "Enterprise Azure Portal" if your company has no EA contract with Microsoft. Almost all users who have only "Pay-As-You-Go" Azure subscriptions need only the "Azure Account Portal" and the "Microsoft Azure Portal".

Enabling access to Azure subscriptions across Azure AD tenants

Every Azure subscription is associated with an Azure AD tenant. As you know, you can use several different Azure AD tenants. This sometimes causes issues, but this post explains how to use these features properly.
Azure AD also manages the "School or Work Accounts" in your organization. You have to choose an account type, either "School or Work Account" or "Microsoft Account"/"Personal Account", when you log in to Azure. These account types can be summarized as follows.

  • "Microsoft Account" and "Personal Account" are technically the same thing, and they are managed by Microsoft services. They were called "LIVE ID" in the past.
  • A "School or Work Account" is managed by your own Azure AD tenant, such as "xxxxx.onmicrosoft.com", and you can assign a custom domain name to your tenant, such as "contoso.com".

As far as I have tried, it's easy to access subscriptions across Azure AD tenants using a "Microsoft Account". But almost all companies use "School or Work Accounts" for governance reasons: because "Microsoft Accounts" are managed by Microsoft, it's difficult to enable or disable those accounts immediately.
You need to invite users from another Azure AD tenant into your own Azure AD tenant when you want to grant them access to subscriptions associated with your tenant.

How to grant users from another Azure AD tenant access to your subscriptions

There are two steps to grant users from another Azure AD tenant access to your subscriptions.

  1. Invite the users into your Azure AD tenant
  2. Assign IAM roles

Invite the users into your Azure AD tenant

Refer to Inviting Microsoft Account users to your Azure AD-secured VSTS tenant | siliconvalve or follow the steps below.

  1. Log in to portal.azure.com
  2. Log in with the Global Admin credentials of your AD tenant
  3. Go to the Azure Active Directory option on the blade
  4. In the next blade you will find the option “User settings”
  5. Under “User settings”, check the option “admin and users in guest inviter role can invite”
  6. The option “admin and users in guest inviter role can invite” should be set to Yes
  7. After that, go to Users and groups in the same blade and click “All users”
  8. Under All users you will see the option “New guest user”
  9. After clicking it, you can invite a user from another AD tenant.
  10. Once the user accepts the invitation, you can give them access to resources under the subscriptions of your AD tenant.

How to change the AAD tenant associated with your subscriptions

You already know how to create your own AAD tenant, but doing so sometimes causes issues. As you know, every Azure subscription must be associated with an AAD tenant, so you should change the AAD tenant of your subscriptions when you create a new AAD tenant. This post explains how to change the AAD tenant associated with your subscriptions.

Step by step: how to change the AAD tenant in the Azure portal

Choose the subscription whose AAD tenant you need to change and click the "Change directory" button.

Choose the new AAD tenant that should be associated with your subscription.

You can check completion via the portal notification, but in my case it took a few minutes for the change to be reflected in the portal. Please wait patiently.