This guide describes the thought process of creating a Windows virtual machine base image (the Golden Image) in vSphere.
Currently, the Windows Machine Config Operator (WMCO) stable version supports:
- Windows Server 2022 Long-Term Servicing Channel (must contain the OS-level container networking patch KB5012637)
Please note that Windows Server 2019 is unsupported, as it does not include patch KB4565351, which is required by the hybrid OVN-Kubernetes networking with a custom VXLAN port feature.
To start with, create a new virtual machine in vSphere from the selected Windows Server distribution using the ISO image. See vSphere documentation for installation guidelines. Ensure that the virtual hardware version meets the OpenShift infrastructure requirements.
Install VMware Tools version 11.0.6 or greater. See the VMware Tools documentation for more information.
Ensure the VMware Tools Windows service is running and will start on boot. You can query the VMTools service by running the following PowerShell command:

```powershell
Get-Service -Name VMTools | Select Status, StartType
```
Ensure the VMware Tools configuration file tools.conf is present in the following location:

```
C:\ProgramData\VMware\VMware Tools\tools.conf
```

If the configuration file does not exist, VMware Tools installs an example configuration file in the same directory as the location above, or you can download it from the open-vm-tools repository.
Uncomment the exclude-nics option in the tools.conf file and clear any existing values. The value must be empty (no value), so that any vNIC generated on the Windows VM by the hybrid-overlay is not excluded and VMware Tools can report the IP addresses in vCenter:

```ini
exclude-nics=
```
Alternatively, you can run the provided PowerShell script configure-vm-tools.ps1, which downloads the example configuration file, disables the network interface exclusion and creates the tools.conf file in the expected location.
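The following script is an added example for this guide, not the project's configure-vm-tools.ps1. It performs the two checks above in one pass: it makes the VMTools service run and start automatically, and it rewrites the [guestinfo] section of tools.conf so that it contains exactly one active, empty exclude-nics line, whether the file was missing, still carried the commented template line, or had a populated value. The file name tools.conf.example for the installer's example file is an assumption; the paths and the key name come from this guide.

```powershell
# Added example for this guide (not the project's configure-vm-tools.ps1): checks the VMTools
# service and enforces an empty exclude-nics= entry in tools.conf so the hybrid-overlay vNIC
# is still reported to vCenter. The 'tools.conf.example' file name is an assumption about
# the installer's example file; everything else follows the paths and keys in this guide.
$ErrorActionPreference = 'Stop'

$toolsDir  = Join-Path $env:ProgramData 'VMware\VMware Tools'
$toolsConf = Join-Path $toolsDir 'tools.conf'

# 1. The VMTools service must be running now and start automatically on boot.
$svc = Get-Service -Name VMTools
if ($svc.StartType -ne 'Automatic') { Set-Service -Name VMTools -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name VMTools }

# 2. Seed tools.conf from the installer's example file when it is missing.
if (-not (Test-Path -Path $toolsConf)) {
    $example = Join-Path $toolsDir 'tools.conf.example'   # assumed name of the shipped example
    if (Test-Path -Path $example) {
        Copy-Item -Path $example -Destination $toolsConf
    } else {
        Set-Content -Path $toolsConf -Value '[guestinfo]'
    }
}

# 3. Rewrite the [guestinfo] section so it contains exactly one active, empty exclude-nics line.
#    Commented template lines (#exclude-nics=...) and populated values are both replaced.
$lines   = @(Get-Content -Path $toolsConf)
$out     = New-Object System.Collections.Generic.List[string]
$inGuest = $false
$written = $false
foreach ($line in $lines) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        # Leaving [guestinfo] without having written the key: add it before the next section.
        if ($inGuest -and -not $written) { $out.Add('exclude-nics='); $written = $true }
        $inGuest = ($Matches[1] -eq 'guestinfo')
        $out.Add($line)
        continue
    }
    if ($inGuest -and $line -match '^\s*#?\s*exclude-nics\s*=') {
        if (-not $written) { $out.Add('exclude-nics='); $written = $true }
        continue   # drop the commented template line and any duplicates
    }
    $out.Add($line)
}
if (-not $written) {
    # Either there is no [guestinfo] section, or it is the last section and had no exclude-nics line.
    if (-not ($lines | Where-Object { $_ -match '^\s*\[guestinfo\]\s*$' })) { $out.Add('[guestinfo]') }
    $out.Add('exclude-nics=')
}
Set-Content -Path $toolsConf -Value $out.ToArray()

# 4. Print the effective setting; it must read exactly "exclude-nics=" before the VM is cloned.
Select-String -Path $toolsConf -Pattern '^\s*#?\s*exclude-nics' | ForEach-Object { $_.Line }
```

Run it from an elevated PowerShell session; the last line is the value to verify against the requirement above before moving on to the IP address check in vCenter.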
Ensure the virtual machine has a valid IP address in vCenter. Refer to the IP Addresses section in the Summary tab of the vSphere Web Client, or run the ipconfig command in the Windows VM.
Install and configure the OpenSSH Server on the Windows virtual machine with automatic startup and key-based authentication. See the Microsoft documentation to install it using PowerShell. Given that we are setting up SSH access for an administrator, please follow the Microsoft documentation to deploy the public key. This public key must correspond to the private key present in the secret.
Alternatively, you can use the PowerShell script install-openssh.ps1 to programmatically install and configure the OpenSSH Server:

```powershell
./install-openssh.ps1 <path/to/public_key_file>
```

where <path/to/public_key_file> is the path to the public key file corresponding to the private key.
Ensure the SSH service is running and that it will start on boot by running the following PowerShell command:

```powershell
Get-Service -Name "ssh*" | Select Name, Status, StartType
```

Both installed services, ssh-agent and sshd, must have status Running and start type Automatic.
Ensure the OpenSSH Server installation successfully created an inbound firewall rule enabling access to the above service (sshd) by running the following PowerShell command:

```powershell
Get-NetFirewallRule -DisplayName "*ssh*"
```

If no firewall rule exists, you must create it by running the following PowerShell command:

```powershell
New-NetFirewallRule -DisplayName 'OpenSSH Server (sshd)' -LocalPort 22 -Enabled True -Direction Inbound -Protocol TCP -Action Allow
```
Create new firewall rules in the Windows VM to allow incoming connections for container logs and metrics:

```powershell
New-NetFirewallRule -DisplayName "ContainerLogsPort" -LocalPort 10250 -Enabled True -Direction Inbound -Protocol TCP -Action Allow -EdgeTraversalPolicy Allow
New-NetFirewallRule -DisplayName "WindowsExporter" -LocalPort 9182 -Enabled True -Direction Inbound -Protocol TCP -Action Allow -EdgeTraversalPolicy Allow
```
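The following script is an added example for this guide, not the project's install-openssh.ps1. It carries the OpenSSH steps above through end to end: installing the server capability, setting both services to start automatically, deploying the administrator's public key into the file Windows OpenSSH reads for members of the Administrators group with the ACL sshd insists on, turning off password logins so only the key in the secret is accepted, and creating only those of the three inbound rules that are missing. The parameter name $PublicKeyPath is an assumption made for this example; the directory layout under $env:ProgramData\ssh is the one Microsoft documents for Windows OpenSSH.

```powershell
# Added example for this guide (not the project's install-openssh.ps1): installs OpenSSH Server,
# deploys an administrator's public key, turns off password authentication and makes sure the
# inbound firewall rules listed in this guide exist. Run from an elevated PowerShell session.
# $PublicKeyPath is a hypothetical parameter; the file layout under $env:ProgramData\ssh is
# the one Microsoft documents for Windows OpenSSH.
param(
    [Parameter(Mandatory = $true)]
    [string]$PublicKeyPath   # path to the public key matching the private key in the WMCO secret
)
$ErrorActionPreference = 'Stop'

# 1. Install the OpenSSH Server capability if it is not present yet.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*' | Select-Object -First 1
if (-not $cap) { throw 'OpenSSH.Server capability is not available on this Windows image' }
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. Both services must start automatically on boot. Starting sshd also generates the host keys
#    and a default sshd_config on first run.
foreach ($name in 'sshd', 'ssh-agent') {
    Set-Service -Name $name -StartupType Automatic
    Start-Service -Name $name
}

# 3. Deploy the key for an administrator. Members of the Administrators group are checked
#    against administrators_authorized_keys, and sshd ignores that file unless only
#    Administrators and SYSTEM can access it.
$pubKey = (Get-Content -Path $PublicKeyPath -Raw).Trim()
if ($pubKey -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+') {
    throw "Not an OpenSSH public key: $PublicKeyPath"
}
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Add-Content -Path $adminKeys -Value $pubKey -Force
icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# 4. Key-based authentication only. The directive is placed at the top of sshd_config on
#    purpose: the Windows default file ends with a "Match Group administrators" block, and
#    anything appended after it would apply to that match only, not globally.
$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$conf = @(Get-Content -Path $sshdConfig | Where-Object { $_ -notmatch '^\s*#?\s*PasswordAuthentication\s' })
Set-Content -Path $sshdConfig -Value (@('PasswordAuthentication no') + $conf)
Restart-Service -Name sshd

# 5. Inbound rules from this guide; only the missing ones are created.
$rules = @(
    @{ DisplayName = 'OpenSSH Server (sshd)'; LocalPort = 22 },
    @{ DisplayName = 'ContainerLogsPort';     LocalPort = 10250; EdgeTraversalPolicy = 'Allow' },
    @{ DisplayName = 'WindowsExporter';       LocalPort = 9182;  EdgeTraversalPolicy = 'Allow' }
)
foreach ($rule in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @rule -Enabled True -Direction Inbound -Protocol TCP -Action Allow | Out-Null
    }
}

# 6. Final state for review: both services Running/Automatic, and one rule per port.
Get-Service -Name 'ssh*' | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName ($rules | ForEach-Object DisplayName) |
    Get-NetFirewallPortFilter | Select-Object LocalPort, Protocol
```

The script is idempotent, so it can be re-run on the image after a Windows update without producing duplicate firewall rules or duplicate PasswordAuthentication directives; the key file, however, is appended to, so keep one key per image.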
Ensure that you have the latest Windows Server updates installed.
Alternatively, you can use the PowerShell script install-updates.ps1 to programmatically download and install the updates:

```powershell
./install-updates.ps1
```

Note that you will have to perform multiple updates and reboots to ensure all the updates are applied.
To deploy the Windows VM as a reusable image, you first have to generalize the VM, removing computer-specific information such as installed drivers. Running the sysprep command with an unattend answer file generalizes the image and makes it ready for future deployments, while keeping all the changes needed for the WMCO installation.
A reference unattend.xml file is provided; it cannot be used directly. You must customize it by replacing the MyPassword placeholder with the desired password for the Administrator account; this prevents the built-in Administrator account from having a blank password by default. It is recommended to follow the Microsoft best practices for choosing the password.
Please note that the ComputerName value in the unattend.xml file must follow the Kubernetes names specification. The same applies to Guest OS customization performed on the resulting template while creating new VMs.
Before executing the sysprep command, clone the VM, and then run the sysprep command in the cloned VM. To execute the sysprep command use:

```powershell
C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown /unattend:<path/to/unattend.xml>
```

where <path/to/unattend.xml> is the path to the customized answer file.
Note: There is a limit on how many times you can run the sysprep command.
Once the sysprep command completes, the Windows virtual machine will power off. You must not use or power on this virtual machine anymore.
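The following script is an added example for this guide, not a file from the WMCO project. It ties the answer-file requirements above together: it checks that the ComputerName in the reference unattend.xml is a valid Kubernetes node name (a DNS-1123 label, further capped at the 15 characters Windows allows for a computer name), reads the Administrator password interactively instead of from the command line, replaces the MyPassword placeholder with the value XML-escaped so characters such as & cannot corrupt the file, restricts the resulting file to Administrators and SYSTEM because it now holds the password in clear text, and runs sysprep only when told it is on the clone. The parameter names, the output path and the 14-character minimum are choices made for this example; the placeholder, the ComputerName element and the sysprep command line are the ones described above.

```powershell
# Added example for this guide (not a file from the WMCO project): customizes the reference
# unattend.xml and runs sysprep with it. It assumes the reference file uses the literal
# placeholder MyPassword and has a <ComputerName> element, as described above; the parameter
# names, the output path and the minimum password length are choices made for this example.
param(
    [Parameter(Mandatory = $true)]
    [string]$ReferenceUnattend,                               # reference unattend.xml
    [string]$OutputUnattend = 'C:\Windows\Temp\unattend.xml', # customized answer file
    [switch]$RunSysprep                                       # set only on the cloned VM
)
$ErrorActionPreference = 'Stop'

# 1. Parse the reference file as XML and locate the ComputerName element.
[xml]$doc = Get-Content -Path $ReferenceUnattend -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
$nameNode = $doc.SelectSingleNode('//u:ComputerName', $ns)
if (-not $nameNode) { throw 'Reference unattend.xml has no ComputerName element' }

# 2. A Kubernetes node name must be a DNS-1123 label: lowercase letters, digits and '-',
#    starting and ending with a letter or digit. Windows additionally caps computer names
#    at 15 characters (NetBIOS), so that is the effective limit here.
$computerName = $nameNode.InnerText.Trim()
if ($computerName -notmatch '^[a-z0-9]([-a-z0-9]{0,13}[a-z0-9])?$') {
    throw "ComputerName '$computerName' is not a valid Kubernetes node name of at most 15 characters"
}

# 3. Read the password interactively so it never lands on a command line or in history.
$secure = Read-Host -Prompt 'Administrator password for the image' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if ($plain.Length -lt 14) { throw 'Password too short; this example requires at least 14 characters' }

# 4. Replace the placeholder, XML-escaping the value so characters such as & or < cannot
#    break the answer file.
$text = Get-Content -Path $ReferenceUnattend -Raw
if ($text -notmatch 'MyPassword') { throw 'Placeholder MyPassword not found in the reference file' }
$text = $text.Replace('MyPassword', [System.Security.SecurityElement]::Escape($plain))
Set-Content -Path $OutputUnattend -Value $text -Encoding UTF8 -NoNewline

# 5. The answer file now holds the password in clear text: restrict it to Administrators and SYSTEM.
icacls.exe $OutputUnattend /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# 6. Generalize only on the clone. sysprep.exe powers the VM off when it finishes (/shutdown);
#    remember that Windows limits how many times sysprep /generalize can be run on one image.
if ($RunSysprep) {
    & 'C:\Windows\System32\Sysprep\sysprep.exe' /generalize /oobe /shutdown "/unattend:$OutputUnattend"
} else {
    Write-Output "Answer file written to $OutputUnattend. Clone the VM, then run this script with -RunSysprep on the clone."
}
```

Running it once without -RunSysprep on the source VM validates the answer file before the clone is taken; the second run, with -RunSysprep on the clone, is the step after which the clone must not be powered on again.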
Next, you need to convert this virtual machine, in Power-Off status, to a Template as shown in Figure 1.

Figure 1. Steps to convert a VM to Template in vCenter
In order to use the recently created template, enter the template name in the MachineSet. The template name belongs under providerSpec.value, which carries the vSphere-specific provider configuration:

```yaml
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
spec:
  template:
    spec:
      providerSpec:
        value:
          template: <Windows Virtual Machine Template Name>
```