Friday, January 13, 2017

VSTS - Private Build Server


Introduction

This week I am helping a team that hosts their code in Visual Studio Team Services (VSTS for short). They want a continuous delivery pipeline that builds and deploys their software on their internal servers, which reside ‘on premise’. These internal servers do not have access to the internet by design, and the process of allowing a server to connect to the internet requires traversing an exceptionally heavy approval process taking weeks to months.

Concept

Our intention is to set up a Build Agent within the internal network that connects to their VSTS site (https://<<youraccount>>.visualstudio.com). The connection has to go through a proxy that only allows traffic to websites that have been whitelisted. Using the on-premise Build Agent in this setup, we will be able to trigger a build and/or release from VSTS that will run on the Build Agent. For policy reasons we are not allowed to run the Build Agent on a target server, so we use the Build Agent to perform the necessary steps to deploy to a Target Server for a release.

Setup

First we need to create a Personal Access Token (PAT), which we will use for the initial setup of the Build Agent with VSTS.

Steps to take:
1. Go to VSTS (https://<<youraccount>>.visualstudio.com) and log in.
2. Open your profile and select ‘Security’.

3. Fill in the Description, select the correct account and select ‘Agent Pools (read, manage)’ as scope.
4. After the token is generated, make a copy of it and store it in a safe place, as you cannot retrieve the token again.

Secondly, we need to download the agent from the Agent queues of your team project and unzip it.

Before you start configuring the agent, you have to configure its proxy. The agent reads a .proxy file from the directory where you unzipped the agent. You can create the file by running the following command in PowerShell from that directory:

echo http://<<your-proxy-server>>:8888 | Out-File .proxy

Now we are ready to run the config.cmd.

1. Enter the URL of your account on VSTS.
2. Choose PAT.
3. Enter the PAT you retrieved.
4. Enter the agent pool.
5. Enter the agent name.

As you can see, we got an error. Unfortunately the problem was not clear to me, as I had gone through the guide (https://www.visualstudio.com/en-us/docs/build/admin/agents/v2-windows) step by step. The firewall team had added https://<<youraccount>>.visualstudio.com to the whitelist for the Build Agent. After turning on Fiddler the problem became clear.

The agent is connecting to a second URL: https://<<youraccount>>.vssps.visualstudio.com.

After adding the second URL to the proxy whitelist, we could connect the agent to VSTS.

Package Management

If you want to use the package management extension, you have to add another URL to the proxy whitelist: https://<<youraccount>>.pkgs.visualstudio.com
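
To check the whitelist before running config.cmd, the PowerShell script below (an added example, not part of the original post) reads the .proxy file and sends the proxy a CONNECT request for each of the three hosts named in this post, then reports the proxy's answer. It assumes the proxy accepts unauthenticated CONNECT requests; Test-ProxyConnect and the parameter names are made up for this example.

```powershell
# Added example (not from the original post): ask the proxy in .proxy whether it
# will tunnel HTTPS to each host the agent needs. Run from the agent directory.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account,               # the <<youraccount>> part of your VSTS URL
    [string]$ProxyFile = '.proxy'   # file created with Out-File above
)

function Test-ProxyConnect {
    param([uri]$Proxy, [string]$TargetHost)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Proxy.Host, $Proxy.Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000   # milliseconds

        # An explicit proxy decides on the host name in the CONNECT line,
        # before any TLS handshake with the target takes place.
        $request = "CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $statusLine = $reader.ReadLine()   # e.g. "HTTP/1.1 200 Connection established"
    }
    catch {
        $statusLine = "no answer from proxy: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }

    [pscustomobject]@{
        Host    = $TargetHost
        Allowed = ($statusLine -match '^HTTP/\d\.\d 200\b')
        Answer  = $statusLine
    }
}

$proxy = [uri](Get-Content -Path $ProxyFile -TotalCount 1).Trim()

@(
    "$Account.visualstudio.com",         # account URL
    "$Account.vssps.visualstudio.com",   # second URL the agent connects to
    "$Account.pkgs.visualstudio.com"     # needed only for Package Management
) | ForEach-Object { Test-ProxyConnect -Proxy $proxy -TargetHost $_ } |
    Format-Table -AutoSize
```

A 407 status line in the Answer column means the proxy wants credentials, which this check does not supply.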

Conclusion

When you connect your ‘on premise’ Build Agent to VSTS through a proxy, you have to whitelist not only https://<<youraccount>>.visualstudio.com, but also https://<<youraccount>>.vssps.visualstudio.com and https://<<youraccount>>.pkgs.visualstudio.com. I hope this post will help others with connecting their Build Servers to VSTS in an enterprise environment.
