Many of us might already have virtual machine templates in use in System Center VMM and would like to reuse those. Unfortunately this is not possible directly. If you used Desired State Configuration (DSC) for customization, you might be able to reuse that work, as virtual machine extensions (customizations) can be applied using DSC. We will look at virtual machine extensions in Chapter 8, Creating PaaS Services in Microsoft Azure Stack.
In case you want to use an existing VHD, ensure that the requirements provided in this chapter are met. To maintain your accounts and other configurations, do not run the sysprep command provided. To create a new image, install the required operating system and follow all the steps.
There are a couple of important points to be aware of in order to succeed. At the time of writing these include:
- Generation 1 virtual machines have to be used, as Azure Stack TP2 supports VHD only. The VHD must be of fixed size with a maximum size of 1.023 GB. The size must be a multiple of 1 MB.
- Any drivers related to physical components, like VMware tools, or third-party software related to physical components, like the transport interface filter driver used by network analysis tools, must be uninstalled.
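As an added example (not from the book), the following Python script checks a VHD against the requirements just listed by parsing the 512-byte footer every VHD ends with: the "conectix" cookie, the disk type (2 = fixed), the footer checksum, the size limits, and, for a fixed VHD, that the file is exactly the raw disk image plus the footer. The footer layout follows Microsoft's VHD specification; the footer built by make_footer is a constructed sample for testing, not a real image.

```python
import struct

MIB = 1024 ** 2
MAX_VHD_BYTES = 1023 * 1024 ** 3   # the 1023 GB limit from the list above
DISK_TYPE_FIXED = 2                # VHD footer disk types: 2 fixed, 3 dynamic, 4 differencing

def vhd_checksum(footer: bytes) -> int:
    # VHD footer checksum: one's complement of the byte sum with the checksum field zeroed
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def check_vhd_footer(footer: bytes, file_size: int) -> list:
    """Return the list of requirement violations; an empty list means the VHD passes."""
    if len(footer) != 512 or footer[:8] != b"conectix":
        return ["not a VHD footer (missing 'conectix' cookie)"]
    problems = []
    (current_size,) = struct.unpack(">Q", footer[48:56])     # footer fields are big-endian
    disk_type, checksum = struct.unpack(">II", footer[60:68])
    if checksum != vhd_checksum(footer):
        problems.append("footer checksum mismatch")
    if disk_type != DISK_TYPE_FIXED:
        problems.append("disk type %d is not fixed (2)" % disk_type)
    if current_size % MIB:
        problems.append("size is not a multiple of 1 MB")
    if current_size > MAX_VHD_BYTES:
        problems.append("size exceeds 1023 GB")
    # A fixed VHD is the raw disk image followed by the 512-byte footer, nothing else
    if disk_type == DISK_TYPE_FIXED and file_size != current_size + 512:
        problems.append("file length does not equal disk size + 512-byte footer")
    return problems

def check_vhd_file(path: str) -> list:
    """Read the trailing footer of a VHD on disk and validate it."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        size = fh.tell()
        fh.seek(max(size - 512, 0))
        return check_vhd_footer(fh.read(512), size)

def make_footer(size_bytes: int, disk_type: int = DISK_TYPE_FIXED) -> bytes:
    """Constructed sample footer for testing; real tools also fill geometry, timestamp and UUID."""
    f = bytearray(512)
    f[0:8] = b"conectix"
    struct.pack_into(">Q", f, 40, size_bytes)   # original size
    struct.pack_into(">Q", f, 48, size_bytes)   # current size
    struct.pack_into(">I", f, 60, disk_type)
    struct.pack_into(">I", f, 64, vhd_checksum(bytes(f)))
    return bytes(f)
```

Run check_vhd_file("image.vhd") before uploading; an empty list means the image meets the size and format rules, a dynamic or differencing VHD is reported as the wrong disk type.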
There are additional requirements which depend on the installed OS. We provide the exact steps for Ubuntu Linux Server first and, below that, the steps for Windows Server 2012 R2.
So let's start out with Linux. Some steps are unique to each Linux distribution; those are marked, and only the Ubuntu Server commands are provided here. The section There is more... at http://www.azurestack.rocks/thereismore provides links to the configuration settings of additional Linux distributions, including CentOS, Red Hat Enterprise Linux, Debian, SLES/openSUSE, and Oracle Linux. The general Linux and Ubuntu Server specific requirements are as follows:
- It is recommended to use standard partitions rather than LVM as it will avoid LVM name conflicts with cloned VMs.
- It is required that the kernel supports the UDF file system. During deployment of a VM, the Azure Linux agent must be able to mount a UDF formatted media containing the provisioning configuration.
- Ensure that the SSH server is installed and started at boot time which is usually the default setting.
- Ensure that the Linux Integration Services (LIS) for Hyper-V exists in the kernel. This should be the case for all recent Linux kernel versions based on 3.x.
- The next step is required on Ubuntu Linux Server only. The current repositories must be replaced with the Azure ones. Therefore edit /etc/apt/sources.list using the following commands:
# sudo sed -i "s/[a-z][a-z].archive.ubuntu.com/azure.archive.ubuntu.com/g" /etc/apt/sources.list
# sudo apt-get update
- The following step is required on Ubuntu Linux Server only. The HWE (hardware enablement) kernel should be used, so update the OS to the latest kernel using the following commands. On Ubuntu 12.04 use:
# sudo apt-get update
# sudo apt-get install linux-image-generic-lts-trusty linux-cloud-tools-generic-lts-trusty
# sudo apt-get install hv-kvp-daemon-init
# sudo apt-get dist-upgrade    ## recommended only
On Ubuntu 14.04 use:
# sudo apt-get update
# sudo apt-get install linux-image-virtual-lts-vivid linux-lts-vivid-tools-common
# sudo apt-get install hv-kvp-daemon-init
# sudo apt-get dist-upgrade    ## recommended only
- Install the Azure Linux Agent. On Ubuntu 12.04 or 14.04 the Azure Linux Agent is available from the package repository, using the following commands:
# sudo apt-get update
# sudo apt-get install walinuxagent
- Alternatively, the generic steps are, using the root user, to install the Python toolset, get the agent from GitHub, unpack it, and lastly install the agent. First install the toolset:
# sudo apt-get install python3-setuptools
- Restart the Linux system and, using root, move forward with:
# wget https://github.com/Azure/WALinuxAgent/archive/v2.2.0.tar.gz
# tar -vzxf v2.2.0.tar.gz
# cd WALinuxAgent-2.2.0
# python setup.py install --register-service
# cd ..
# rm -f v2.2.0.tar.gz
# rm -fR WALinuxAgent-2.2.0
- On the OS disk do not create a swap partition. Instead use the Azure Linux Agent to create one on the local resource disk (temporary disk) as shown. Edit /etc/waagent.conf using the following values:
ResourceDisk.Format=y
ResourceDisk.Filesystem=ext4
ResourceDisk.MountPoint=/mnt/resource
ResourceDisk.EnableSwap=y
ResourceDisk.SwapSizeMB=XXXX    ## note: replace XXXX with your required value, like 4096
- Optionally, for debugging purposes, console messages should be sent to the first serial port. Therefore, modify grub or grub2 with the following values:
- Edit /etc/default/grub and on Ubuntu 12.04 and 14.04 change the following line (or add it in case it doesn't exist) to:
GRUB_CMDLINE_LINUX="console=tty1 console=ttyS0,115200n8 earlyprintk=ttyS0,115200 rootdelay=300"
Then generate a new config by issuing:
# sudo update-grub
- In case you use an existing image that was not created on Hyper-V, you may have to rebuild the initrd to ensure that the hv_vmbus and hv_storvsc kernel modules are included. Using the mkinitrd utility this could look as follows:
# sudo mkinitrd --preload=hv_storvsc --preload=hv_vmbus -v -f initrd-`uname -r`.img `uname -r`
- As a last step, deprovision (sysprep) the virtual machine by running the following commands:
# sudo waagent -force -deprovision
# export HISTSIZE=0
# logout
You are ready to upload your prepared Linux VHD.
To create a new Windows Server image, or to check an existing image for compatibility, the steps below are recommended. Use an administrative account with an elevated command prompt or PowerShell window to perform them:
- Check for persistent routes by running: route print. If there is a route in the Persistent Routes section, remove it using route delete.
- Remove the WinHTTP proxy by using:
netsh winhttp reset proxy
- Configure the disk SAN policy by using: diskpart san policy=onlineall.
- Configure the UTC time zone and the startup type of the Windows Time (w32time) service:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal /t REG_DWORD /d 1
sc config w32time start= auto
- Ensure that the following Windows services are set to their default startup values. To configure them, use the following commands:
sc config bfe start= auto
sc config dcomlaunch start= auto
sc config dhcp start= auto
sc config dnscache start= auto
sc config IKEEXT start= auto
sc config iphlpsvc start= auto
sc config PolicyAgent start= demand
sc config LSM start= auto
sc config netlogon start= demand
sc config netman start= demand
sc config NcaSvc start= demand
sc config netprofm start= demand
sc config NlaSvc start= auto
sc config nsi start= auto
sc config RpcSs start= auto
sc config RpcEptMapper start= auto
sc config termService start= demand
sc config MpsSvc start= auto
sc config WinHttpAutoProxySvc start= demand
sc config LanmanWorkstation start= auto
sc config RemoteRegistry start= auto
Ensure that the Remote Desktop configurations are correct by doing the following:
- Remove any self-signed certificates tied to the Remote Desktop Protocol (RDP) listener—open an elevated command or PowerShell window:
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash /f
- Configure keep-alive values for the RDP service:
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v KeepAliveEnable /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v KeepAliveInterval /t REG_DWORD /d 1 /f
- Configure authentication mode values for the RDP service:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 1 /f
- Ensure that incoming Remote Desktop connections are not denied (fDenyTSConnections set to 0):
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- Ensure that PowerShell Remoting is available (through Windows Firewall)—open an administrative PowerShell window and type:
Enable-PSRemoting -force
- Ensure that the following Windows Firewall rule groups are enabled for inbound/outbound connections:
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall set rule group="Core Networking" new enable=yes
- Ensure that the following Windows Firewall rules are configured for outbound connections:
netsh advfirewall firewall set rule dir=out name="Network Discovery (LLMNR-UDP-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (NB-Datagram-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (NB-Name-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (Pub-WSD-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (SSDP-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (UPnPHost-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (UPnP-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (WSD Events-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (WSD EventsSecure-Out)" new enable=yes
netsh advfirewall firewall set rule dir=out name="Network Discovery (WSD-Out)" new enable=yes
- Ensure that the following Windows Firewall rules are configured for inbound connections:
netsh advfirewall firewall set rule dir=in name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Network Discovery (LLMNR-UDP-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Network Discovery (NB-Datagram-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Network Discovery (NB-Name-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Network Discovery (Pub-WSD-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Network Discovery (SSDP-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Network Discovery (UPnP-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Network Discovery (WSD EventsSecure-In)" new enable=yes
netsh advfirewall firewall set rule dir=in name="Windows Remote Management (HTTP-In)" new enable=yes
- Ensure that the following Boot Configuration Database (BCD) values are configured:
bcdedit /set {bootmgr} integrityservices enable
bcdedit /set {default} device partition=C:
bcdedit /set {default} integrityservices enable
bcdedit /set {default} recoveryenabled Off
bcdedit /set {default} osdevice partition=C:
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
- Ensure that the Windows Management Instrumentation (WMI) repository is consistent by entering the following:
winmgmt /verifyrepository
- Reboot the virtual machine to ensure RDP connections are functional after all the previous configuration changes. Log in using the local administrator. In case the local administrator does not have the correct permissions, open the Group Policy editor and go to:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
- And activate the following policy:
Allow log on through Remote Desktop Services
- Optionally, download the Azure virtual machine agent and run the installer. This is required in order to use VM extensions. The download link is https://go.microsoft.com/fwlink/p/?LinkID=394789.
- Optionally, there are several updates and hotfixes recommended to enhance the stability of the virtual machine. These include: KB2904100, KB3140410, KB313061, KB3033930, and KB3115224.
- As a last step, sysprep the virtual machine by running the following command in the elevated command window:
%windir%\system32\sysprep\Sysprep.exe
- In the System Preparation Tool Window under System Cleanup Action select System Out-of-Box Experience and ensure that Generalize is selected.
- In Shutdown option, ensure that Shutdown is selected.
- Click on OK to start sysprep. You are ready to upload the VHD file.