Pexip Secure Scheduler for Web installation

This section contains instructions for deploying in Azure. It covers preparing disk images for use, running the images script, and creating a VM instance.

See Preparing your Azure environment for general information on setting up Azure resources.

Preparing disk images for use

Before you can use the published Scheduler for Web disk images, you must copy them into your Azure environment. This guide refers to a disk image copied into your Azure environment as a prepared disk image. All deployment operations use prepared disk images.

The following PowerShell script copies the published VHD to your storage account (into a storage container called vm-images) and then creates an image from that VHD so that it may be used to deploy VM instances.

You must edit the variables in the script to provide the name of the:

• Azure subscription ($subscriptionName)
• region (location) to use ($regionName)
• resource group ($resourceGroupName)
• storage account ($storageAccountName)
• Scheduler for Web version-build number to use ($version — currently 5-2-0-548-0-0 for v5.2 software).

# Name of your Azure subscription
$subscriptionName = ""
# Name of the Azure region (location) to use
$regionName = ""
# Name of the resource group to use
$resourceGroupName = ""
# Name of the storage account to copy the disk images into
$storageAccountName = ""
# Name of the container within the storage account to copy the disk images into
$containerName = "vm-images"
# Version of Pexip Web Scheduler to copy
$version = "5-2-0-548-0-0"

# Add your Azure account to the PowerShell environment
Import-Module Az -MinimumVersion 9.0.1
Connect-AzAccount

# Set the current subscription
Get-AzSubscription -SubscriptionName $subscriptionName | Select-AzSubscription

# Obtain the access key for the storage account
$storageAccountKey = Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName
If($storageAccountKey.GetType().Name -eq "StorageAccountKeys") {
    # Az.Storage < 1.1.0
    $storageAccountKey = $storageAccountKey.Key1
} Else {
    # Az.Storage 1.1.0
    $storageAccountKey = $storageAccountKey[0].Value
}            

# Create the storage access context
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

# Create the container
New-AzStorageContainer -Name $containerName -Context $ctx

# Start copying the Pexip Web Scheduler image
$mgmt = Start-AzStorageBlobCopy -AbsoluteUri "https://pexipas.blob.core.windows.net/scheduling-core/$version/scheduling-core.vhd" -DestContainer $containerName -DestBlob "pexip-scheduler-node-$version.vhd" -DestContext $ctx

# Wait for the image to finish copying
$status = Get-AzStorageBlobCopyState -Blob $mgmt.Name -Container $containerName -Context $ctx
While($status.Status -eq "Pending") {
    $status
    $status = Get-AzStorageBlobCopyState -Blob $mgmt.Name -Container $containerName -Context $ctx
    Start-Sleep 10
}
$status


# Create Azure image from the vhd file
$imageConfigMgmt = New-AzImageConfig -Location $regionName
$osDiskVhdUriMgmt = $mgmt.ICloudBlob.Uri.AbsoluteUri
Set-AzImageOsDisk -Image $imageConfigMgmt -OsType "Linux" -OsState "Generalized" -StorageAccountType "Premium_LRS" -BlobUri $osDiskVhdUriMgmt
$imageMgmt = New-AzImage -Image $imageConfigMgmt -ImageName "pexip-scheduler-node-image" -ResourceGroupName $resourceGroupName


# Print out the prepared disk image resource IDs for later use
"Pexip Web Scheduler disk image resource ID:   " + $imageMgmt.Id

Running the images script via your Windows client

To run the PowerShell script from your Windows PC, you need to connect your local machine to Azure:

1. From your PC, run PowerShell ISE as Administrator by right-clicking on it and selecting Run as Administrator.

   

2. When in PowerShell run the following two commands:

   1. Install-Module -Name Az -MinimumVersion 9.0.1 -MaximumVersion 9.7.1 -AllowClobber -Scope AllUsers

      This installs the Azure Resource Manager modules from the PowerShell Gallery.

   2. Install-Module Azure

      This installs the Azure Service Management module from the PowerShell Gallery.

   If you get any prompts while running these commands, select Y for Yes.

   See https://docs.microsoft.com/en-gb/powershell/azure/ for more information about Azure PowerShell.

3. Copy and paste the PowerShell script from above into a text editor and add in your Subscription Name, Region Name, Resource Group Name and Storage Account name (where shown below), and then save the file as a .ps1 file.

   

4. Run the script:

   1. Close the file, right-click on it and select Run with PowerShell.

   2. You are prompted to login, so enter your Azure login credentials.

      If you are using multi-factor authentication, and your credentials are already populated, you may need to manually retype them for the authentication process to complete successfully.

   3. The script will run and copy the images over to your Azure environment. This takes approximately 10 minutes

5. You can use the Azure portal to confirm when the VHD file has been copied across and the image has been created. From the Azure portal go to your Azure dashboard and select your Resource Group. You will see the appliance prepared disk image.

Now that you have your prepared disk image in your Azure environment, you can use it to create the VM instance in Azure in which you can deploy the appliance.

Creating a VM instance

To deploy Scheduler for Web within Azure you must create an Azure VM instance and then use that instance to host the Scheduler for Web appliance.

To create the VM instance:

1. Create a new resource group to hold the instance.

   1. Go to Resource Groups and select + Create.
   2. Select your Subscription and enter your Resource group name, such as pexscheduler.
   3. Select your Region, and then select Review + Create.
   4. On the Summary page, select Create.

2. Deploy the instance into the new resource group. This procedure describes how to do this via the Azure portal using an ARM template provided by Pexip:

   1. You can deploy the Scheduler for Web instance via one of the standard ARM templates that are provided by Pexip (and are also used for deploying Pexip Infinity), as shown in this table.
   2. Enter the Basics by selecting your Subscription, Resource group and Location (region).

   3. Complete the Settings (these are based on the template's parameters):

      Name	Description
      Vm Image ID	The Resource ID of the Azure image (which is in the style /subscriptions/mysubscriptionid/resourceGroups/myressourcegroup/providers/Microsoft.Compute/images/myimage). This resource ID can be obtained from the Azure portal by selecting your Resource Group used for shared resources, and then selecting Scheduler for Web image, going to Settings > Properties, and then copying the displayed Resource ID. Selecting the image resource ID
      Dns Domain Name Label	The domain name label (i.e. hostname) for the Virtual Machine. When deploying an instance with a public IP address, this label must be the host part only — the name must not contain any periods.
      Ip Address	The statically-assigned private IP address for the Virtual Machine. This must be within the IP range of your Virtual Network. Note that the first and last IP addresses of each subnet are reserved for protocol conformance, along with the x.x.x.1-x.x.x.3 addresses of each subnet, which are used for Azure services.
      Admin Credential	For password-based authentication templates, you must supply a password to the template (Azure requires a strong password, such as a mix of upper case, lower case and numeric characters) but you still have to use the default credentials on first boot of the Virtual Machine. For SSH key-based templates, this is the public SSH key for logging into the Virtual Machine (e.g. ssh-rsa AAA.... user@host). Do not use the Generate new key pair option (as this will generate an error) but instead use an existing public key or a key already stored in Azure.
      Vm Size	The size of the Virtual Machine (typically D4ls v5 ). You can change the Size later from within the Azure portal (Virtual Machine settings), if required. Azure regularly updates the instance types that can be deployed in each region. Therefore, you may receive a "The requested size for resource <name> is currently not available in location <region> zones" style error when deploying a node.
      Diagnostics Storage Account Name	The name of the storage account to use for boot diagnostics. This can be the same storage account that is used to hold the prepared disk images. Note that this storage account cannot use Premium storage.
      Network Name	The name of the Virtual Network to connect to.
      Network Subnet Name	The name of the Virtual Network subnet in which to place the Virtual Machine.
      Network Security Group Name	The name of the Network Security Group to apply to the Virtual Machine.
      Network Resource Group	The name of the Resource Group containing the Virtual Network and Network Security Group.

   4. Select Next.
   5. Review the legal terms.
   6. Select Create to deploy the instance.

3. It can sometimes take several minutes for your instance to be created and start running. You can use the Azure portal to monitor the status of your new instance.

   If the instance deployment fails, review the Azure event diagnostics to help identify the problem.

4. You can now complete the deployment of the Scheduler for Web appliance.

To replace the built-in X.509 SSL certificate on the Scheduler for Web appliance with a custom-created certificate:

1. Create a text file called courts-core.pem which contains the following items in this specific order:

   • server certificate
   • server private key (which must be unencrypted)
   • DH parameters (mandatory, 4096 bits); these parameters can be generated through the openssl dhparam command, for example:
     /usr/bin/openssl dhparam -out dhparam.pem 4096
   • one or more intermediate CA certificates (a server certificate will normally, but not always, have one or more intermediate CA certificates)

   Note that the contents MUST be in this specific order for the certificate to work properly.

   The first section with the server certificate should contain a single entry in the format:

   -----BEGIN CERTIFICATE-----
   <certificate>
   -----END CERTIFICATE-----

   The second section with the server private key should contain a single entry in the format (although it may instead show 'BEGIN RSA PRIVATE KEY'):

   -----BEGIN PRIVATE KEY-----
   <private key>
   -----END PRIVATE KEY-----

   The DH parameters section should contain a single entry in the format:

   -----BEGIN DH PARAMETERS-----
   <parameters>
   -----END DH PARAMETERS-----

   Finally, there will normally be one or more intermediate CA certificates, where each intermediate has a section in the following format:

   -----BEGIN CERTIFICATE-----
   <certificate>
   -----END CERTIFICATE-----

2. Using the SCP file transfer protocol, upload the courts-core.pem file to the /tmp folder of the . This can be done using for instance WinSCP (www.winscp.net) or the ’scp’ command-line utility for Linux/macOS, using a command such as:

   scp courts-core.pem pexip@10.0.0.10:/tmp

3. After the courts-core.pem file has been transferred into the /tmp folder, connect over SSH to the Scheduler for Web appliance, log in as user pexip and run the following commands, one at a time:

   sudo cp /etc/nginx/ssl/courts-core.pem /etc/nginx/ssl/courts-core.pem.backup

   sudo mv /tmp/courts-core.pem /etc/nginx/ssl/courts-core.pem

4. Run the following command to check the new certificate:

   sudo nginx -t

   If the certificate is OK, the response should look like this:

   $ sudo nginx -t
   [sudo] password for pexip: 
   nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
   nginx: configuration file /etc/nginx/nginx.conf test is successful

   However, if the certificate is missing, the response will look similar to this:

   $ sudo nginx -t
   [sudo] password for pexip: 
   nginx: [emerg] cannot load certificate "/etc/nginx/ssl/courts-core.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/nginx/ssl/courts-core.pem, r) error:10000080:BIO routines::no such file)
   nginx: configuration file /etc/nginx/nginx.conf test failed

5. If the certificate is OK, you can run this command to apply the new certificate:

   sudo systemctl reload nginx

After these commands have been run, the Scheduler for Web appliance should now be operational and using the new certificate.

If any problem occurs with the replaced certificate, the previous certificate can be restored using the following commands:

sudo cp /etc/nginx/ssl/courts-core.pem.backup /etc/nginx/ssl/courts-core.pem

sudo systemctl restart nginx

If you rerun the installation wizard you are given the option Do you want to regenerate self-signed SSL certificates? Ensure that you answer "no" to this option if you want to preserve your own certificate.