Unfortunately, the organization managed to put the only two Microsoft-related sessions in exactly the same hour on the same day. So since I still lack the gift of ubiquity, we had to move it around, and that's why I actually moved here. And the second problem is that from 80 minutes, it became 40. So the good news is that it's the last one of the day. So when we finish, I will be around as much time as you guys want, to talk about whatever topic you want, okay?

Okay, OpenStack and Windows. Here's our rough agenda. So we're gonna talk about Windows as a guest, Windows as a hypervisor, so Hyper-V, how to integrate with DevStack and RDO, Heat and Heat templates, okay? Especially the last topic is the main one, which we are interested in. So how many of you guys are using Windows as a guest operating system? I mean virtual machines. Okay, good. How many of you guys are using Hyper-V? The two things are, of course, completely unrelated. I mean, you can run your Windows guest operating system on KVM, on Xen, on ESXi, or whatever you prefer, okay? Exactly like you can run Linux machines on top of KVM, whatever, or even Hyper-V, okay? Most of our customers are typically interested in having the Windows workloads on top of Hyper-V, for the simple reason that it's the platform made for that, okay? And OpenStack gives you the opportunity to have multiple hypervisors. So for example, you can have 50 KVM nodes and 50 Hyper-V nodes, just as an example, okay? And have all your Linux virtual machines running on KVM and the Windows ones running on top of Hyper-V. And that goes completely transparently; you just have to set the proper property on your Glance virtual machine image, okay? So that's one of the great advantages here. Okay, Windows as a guest: it can be executed on any hypervisor. No differences compared to Linux for what image handling is concerned.
I mean, with the only exception that, of course, we cannot use AMI, AKI, ARI images, for the simple reason that we don't have a kernel and we don't have a RAM disk, okay? But for the rest, it's identical. We use VHD and VHDX images, okay, instead of QCOW2 or something like that. There is, of course, a big difference in the way in which images are prepared before you deliver them to Glance. A Linux image can be just created, and then when you finish, you can just shut it down and move it to Glance, okay? A Windows image is a little bit more complicated. You need first to sysprep it, okay? I have a slide about Sysprep, so we can talk about it later. One more important point is related to the fact that most modern hypervisors provide drivers to optimize the virtual machines and to provide some degree of paravirtualization, okay? For what Hyper-V is concerned, and Windows as a guest, all the relative components are already integrated inside of the operating system. So there is absolutely no need to install anything else, okay? If you're running on KVM, you need to install the VirtIO drivers. If you're running on ESXi, you have to run, of course, the VMware Tools, and so on, okay? There is one important caveat related to support. Microsoft is going to support you, let's say, with the issues that you might have inside of a Windows guest operating system, in the moment in which the entire virtualization stack is certified by Microsoft, let's say, approved by Microsoft. So you cannot just take any VirtIO drivers, install them on any possible Linux machine running KVM, and expect support from Microsoft. Most important: who owns the drivers? I mean, who certifies the drivers must own the code, even if it's open source. So for example, the typical VirtIO drivers that we are using, okay, are the Fedora ones, which are the ones provided by Red Hat. So Red Hat is able to certify those drivers, okay?
Ubuntu, I mean, Canonical, is doing the same thing on their own. But it means that if you guys want another platform, a KVM platform, and you want to run Windows guests, and you want to be supported by Microsoft, well, the owners of that platform need to rewrite those drivers from scratch, okay? That's an important thing. From a stability perspective, the VirtIO drivers were pretty critical until some time ago: lots of blue screens and everything. Now I have to say that they are way more stable. But, yeah, the only thing is, I don't know what I can say because of NDAs. I gave a little bit of a hint of the fact that they are publishing it, but yeah. So again, in my opinion, the suggestion is: take your Windows workloads and put them on top of Hyper-V, okay? It's a very easy to manage platform; I don't see why not do it.

Guest initialization. On Linux, we have cloud-init, okay? Very easy platform, very easy tool. We tried to port it to Windows, but it's very Linux-related. It's very coupled with, let's say, APIs and tools that you find on the Linux machine, not even POSIX, specifically Linux. And sometimes even specific to some distributions. Besides that, it's licensed under the GPL, and we wanted something in Apache 2. So that's why we rewrote the entire tool completely. It's called cloudbase-init. Actually, that was the code name during development, and it just stuck. And it's available for free; again, it's open source, it's Apache 2. It's currently on our GitHub repository. We are planning to move it to StackForge. But we are also thinking about using it for other virtualization platforms, okay? So in that case, we will not be able to move to StackForge. So that's why it's currently still there. The important thing is that we wrote it in a completely platform-independent way, okay?
So all the utilities that are used to do given operations on Windows, for example creating a user, I don't know, reading a log, assigning an IP address or whatever, are inside classes which are instantiated through some factories and everything. So the main idea behind this is that you can take another operating system and port cloudbase-init to it very easily. Actually, we are already in the process of doing this for FreeBSD. So if you guys have any workload based on FreeBSD, just let me know, and I will gladly add you to the beta-testers list. Okay, cloudbase-init is 100% Python code. So one of our main goals in all the work that we are doing in bridging the Microsoft world and the OpenStack world is that whatever we do has to be very friendly for the typical OpenStack DevOps, okay? Which means no C# code, no .NET, no C++, okay? Pure Python. It might be a little bit more painful on our side. Because, for example, there is stuff like extending the volumes on the operating system, which is entirely based on interfacing with COM classes and interfaces and doing things that are already quite painful to do in C#. You can imagine how they are in Python. We do a lot of ctypes, for example, for interfacing directly with the native APIs, stuff like that, okay? But it works perfectly well. So it's plugin-based, so you can add any plugin to that architecture. And cloudbase-init, when it starts, simply loops through the enabled plugins, the ones that you are enabling inside of your configuration file. And each plugin has a separate status. So if one plugin for any reason fails, it will be re-executed anyway at the next boot. Besides that, in the plugin, you can even decide if you want to execute it at every boot or just once, okay? All this configuration stays in the registry. So it's very easy to reason about. Another important thing is that it's wrapped in a Windows service. So you can even just restart it with a typical `net start cloudbase-init`, and so on.
It has an installer, so very, very user-friendly for Windows users. The only important stuff that it's gonna ask you is, okay, the username that you want to assign. This is actually your cloud administrator username, okay, that you have. It's Admin, not to interfere with Administrator; it's also for security reasons. One of the best practices in Microsoft is to always disable your Administrator user, okay, in order to avoid attacks which are typically the script-kiddie type of things, in which they just go for the Administrator user. That user will be a member of that list of groups, in this case Administrators. And we have an option to let you also pass the administrator password in clear text as part of the metadata, as it used to be until Essex, for example, okay? Before, I mean, in Essex, in the full OpenStack implementation. Not in Windows, of course, because we came afterwards. Next thing, we have a network adapter. So by default, it will take the first one. So if you just leave that field blank, when it boots, it will just take the first network adapter available. And it will bind there, and it will assign the IP addresses if you have, for example, Nova Network, if you have a static network configured. Otherwise, of course, it goes with DHCP. That's it. That's everything you need to have for the configuration, unless you need to do anything for the rest. In that case, you just open the configuration file. It's a regular OpenStack-type INI file. So very easy, nothing different.

Now, let's talk a little bit about Sysprep, because that's what everybody's usually asking about. I mean, why do we have to sysprep? Actually, you don't have to sysprep. It's not necessary. You can sysprep. Sysprep prepares a Windows image to be distributed. Okay, in any scenario, for example, if you buy a new laptop or a tablet, a Windows one, I mean, when it starts, it's gonna ask you, okay, all the configurations that you typically do during setup, okay?
This is the so-called out-of-the-box experience, OOBE. The same thing happens on the server side, okay? You can automate it, of course. That's what we do. So we don't have, of course, to have the users answering about what time zone you want to be in, and stuff like that, okay? It would be quite hard. Sysprep does also a very important thing, which is called generalization. It's replacing the so-called SID, okay? Every user, every computer, or whatever, in the Microsoft world has an ID which identifies it in a unique way. If you just clone the image, you will end up having two systems with the same SID. Until some time ago, it was popular belief that if you do this, some catastrophe will happen. Especially due to the fact that Active Directory might use it to identify the system. So if I have two with the same SID, it will happen. What actually happens is that Active Directory is not using the SID at all. So actually, this is just a myth. This, for example, an application, PsGetSid by Mark Russinovich, this is Winternals, a company acquired by Microsoft, which is providing you a way to generate, to get, actually, the SID for your machine. There is also another tool called NewSID, which is also letting you generate a new SID on the machine. But it's totally unsupported by Microsoft. And incidentally, by them in the moment in which they got acquired by Microsoft. So here's an important blog post by Mark Russinovich, Distinguished Engineer at Microsoft, okay? So as I was saying, sysprepping altogether can be avoided, but make sure not to confuse sysprepping and generating a new SID. So sysprepping is a big thing that does a lot of things, including generating the new SID. For example, services like WSUS rely on some configurations which are reset during sysprepping. So if you plan to use WSUS to distribute updates to your systems, you might run into trouble, okay?
But the biggest reason why we keep on sysprepping our machines is that Microsoft refuses to support you if you don't do it, okay? Yeah, that's the main thing. If you don't need WSUS, if you don't think about getting support by Microsoft, then just forget about sysprepping and go with it. I mean, the deal is that you will save something like probably 20 seconds during boot time, okay? Because you just boot straight into the machine without having to do all this around it. All of our images are, of course, sysprepped. Because we need to provide a scenario in which every user can have, of course, a situation in which they get support by Microsoft if they use it. We cannot just skip it. Especially considering the evaluation images, which are official. The good news, of course, about sysprepping is that it can be completely and absolutely automated. So what we do at the end of cloudbase-init during the setup is that we give the user an option to run Sysprep, providing an Unattend.xml file which contains all the unattended configuration that will automatically generate a sysprepped machine that, when it boots, will never ask anything of the user. It will just reboot once or twice, of course, because that's what Sysprep does, okay? But for the rest, it will never ask anything of the user, and it will go straight up to the boot, just requiring some extra time. One important thing that we put inside of that XML file is PersistAllDeviceInstalls, because otherwise Sysprep will reset the driver cache so that the drivers will be reinstalled at the next round. So without that specific instruction, you will not be able to have VMware Tools or XenServer tools, for example, okay? But don't worry, we automate everything for you, okay? OOBE and the hostname: one of the things that OOBE does is setting the machine hostname, but that hostname has to be inside of the unattended XML. The problem is that we have it in the OpenStack metadata.
We have a way that we are testing right now, and it works pretty well, to fetch anyway the hostname from the metadata, okay? And assign it during this phase through a script that we run inside of the Sysprep part, okay? It works, and if this works, we will spare one reboot cycle. Because unfortunately, still nowadays, when you change the hostname in Windows, you need to reboot the machine. That's something that we hope to change very soon, but it's one of these things that comes straight from the Middle Ages, and we still have to keep it.

Metadata. OpenStack metadata can be obtained in multiple ways: the traditional HTTP metadata, config drive, EC2 style, and so on. All those are supported by cloudbase-init. Including the fact that 169.254, by default, that range of addresses cannot be routed, okay? So we just inject a simple hack in which we point that specific address to the default gateway. So it goes directly through Nova Network or, typically, through Neutron, and so everything happens transparently for you. Here's a list of the most important plugins: create user, set user password, set hostname, SSH public keys, extend volumes, user data. Now we're just talking a little bit about the most important ones here. So the create user plugin creates a user and adds it to the local Administrators group. And a random password is used at this stage, as it's needed to create the user profile. So it creates the user, then it logs in with that user and creates the user profile. Options: username and the groups we reported, the stuff that I showed you before on the graphical interface. Password management: unlike Linux, Windows does not support SSH public key logins, yet. Okay, so you have two options. Either you pass the password during boot, and during nova boot you pass `--meta admin_pass=whatever`. That's a regular nova boot command, okay?
Or, since this is a very bad idea, because that specific password would be in clear text, you can just let the guest generate it. That's a new feature which starts from Grizzly. Okay, if you have set the admin password and you are allowing it by enabling the inject user password option in the configuration file, it will use that one. If not, a random one is generated and it's encrypted with the SSH public key. Which means that only the private key will decrypt it, okay? Very important: it works only when you have the HTTP metadata, not when you have config drive, very important. It can be retrieved using the private key, so `nova get-password <machine name> <your private key>`. So, if you think that you don't have to assign a key pair when you boot a machine in Windows, it's wrong; you need it. Even if you're not using it directly with SSH, okay? That's very important.

User data. So all the custom configuration happens in the user data. User data means that you have a range of scripts that you can run. And we are allowing Windows batch, typically in cmd-type format, the .bat file, okay? PowerShell, that's a big deal, because you can do basically everything inside of the machine with it. Bash, okay? We support that as well. And multi-part, starting with the Havana release. Which means that we support Heat. And we can enable every type of possible workload, like Exchange, SQL Server, Active Directory, I don't know, SharePoint. You name it, okay? Actually, a big part of the original session was meant to be on this. But since we have half an hour, let's see what we can do.

Very important, we have an official Windows Server evaluation image available for free for download. You know that every time Microsoft releases a new operating system, there is also a free evaluation image, which will last for 180 days, okay?
So we got the authorization from Microsoft to take the image, repackage it with all the OpenStack-related tools that we need, like cloudbase-init, okay, close it and put it there for download. So if you go on our website, cloudbase.it, you can just download your image, put it in Glance. We have them available for KVM, for Hyper-V and so on. So that's the best and easiest way to test it, okay? It's complete with VirtIO. For example, the KVM ones already have the VirtIO drivers in place, okay? So you don't have to think what version do I need and so on. Just take it, run it, and off you go. It's also, as I was saying, when you download it, you have to accept the Microsoft license, okay? It's a very custom license that we got. It's basically the evaluation license plus a statement which tells you that you can use it only in testing environments for OpenStack, okay? So you cannot use it for any production scenario. The important thing is that in Windows, you can enable it anyway. I mean, let's say you can change licensing, okay? For example, changing from the evaluation version to a fully licensed one by using that script. So if you run that script inside of a user data script, from that moment on, the image is perfectly licensed. The part that is not legal, in this case, is the fact that from the moment in which it boots to the moment in which you're running the script, you're totally unlicensed, okay? So I have to warn you about this small detail, okay?

We got an enormous amount of requests about how do you build an image for Windows? So we said, hey, we have been doing this forever. Why don't we just publish the script that we're using to do that? Here you go. On that GitHub site, you have all the scripts. It's totally unattended, meaning that you start it and it will do everything for you automatically. Here is the KVM example. You just set, in this case, I'm setting a variable with the name of the file, the floppy image that we're using, the VirtIO ISO.
And in this case, it's the evaluation ISO, but it can be anything, okay? The idea is to support any version of Windows from 2008 upwards. Now we tested it on 2012 and 2012 R2, of course. So we are creating, as you can see, the QCOW2 image. Afterward, we're just running KVM with all the required parameters. For example, we gave it two gigs of RAM, two processors. We attached the first CD-ROM to the ISO, okay, with Windows, and a second one to the VirtIO one. Plus, we are adding also `-fda`, so floppy disk, to the floppy. The floppy will contain an Autounattend.xml file. So Windows, when it starts, looks for this file, and if it finds it, it just goes on and does the entire installation. Exactly like Linux with a kickstart file or preseeding. With a small difference: in Linux, you have anyway to tell it, okay, boot from the kickstart. Here it goes automatically. Okay, the rest is more or less irrelevant, except the fact that you have even VNC enabled. So if you want to monitor what's going on, you can just bind to that port.

Let me show you an example. So let's take, for example, this image over here. I could show you the same example inside of... normally, we do all of our tests either on a laptop or on another machine, in which we have a physical machine. We run Hyper-V as a virtual machine inside of it. And inside of Hyper-V, we're running the guests, okay? So we have the so-called nested virtualization. Very easy, very simple. You have a development environment up in minutes. I didn't want to start the machine now. Settings: the only important thing to notice here is that the first disk is connected to the ISO, okay? The second one in this case has the VMware Tools. We're running on VMware, so that's how we generate it. And the floppy disk is connected to the autounattend floppy, okay? Which is a simple floppy image which contains the Autounattend.xml. Easy, we started.
Since this machine has already been created, I just have to tell it to boot from DVD, okay? That's it, it will do everything for you automatically. And most important, it will install also the Windows updates. So it will install the drivers that you need, the Cloudbase wallpaper in this case, and when it's over, it will also run Windows Update. And since Windows Update typically requires also a reboot, it will do updates, reboot. Do I have more updates? Yes, install, reboot. It keeps on going like this until it finishes them, even if it takes three hours, okay? Normally it's just like half an hour. It depends really on the version of Windows. The older, the longer. When it's over, it will install cloudbase-init and sysprep, okay? All you have to do is just let the install go, and the machine will shut down automatically. When it shuts down, you can take it and put it in Glance. Simple, no? Okay, now it's starting. I'm not, of course, staying here to watch it going, just to give you an example. I'm sorry? Yeah, sure. I mean, I can show you also the scripts, how they work. What happens is that, let me show you. Okay, here we go. This is the repository, okay? Hope it's visible enough. So this is the Autounattend.xml file, okay? So what it is doing in the first step here is that it's downloading an external file, which is this one, okay? I made it here. It's downloading this file from GitHub, which is called specialize.ps1, into a specific location. In the next step, it's actually executing it. Then you have two additional scripts which are executed during logon and during first logon. In order to be exact, first logon and after logon, okay? The difference is that this script here will run as the SYSTEM user, and the machine is not yet ready. You have no WMI, almost nothing set up. But you can do the basics, like installing drivers. The first logon is perfect for everything that doesn't require reboots, okay? And the logon is for the finishing touches.
So what you can do is, for example, fork this repository and do all the changes that you want. Talking about your question right now. Logon script, here we go. This is the logon script. It will install a PowerShell module that helps us in installing the Windows updates, okay? And then it's just brutally installing all the updates: `Get-WUInstall -AcceptAll -IgnoreReboot`, okay? Then afterwards, it says, if we need to reboot, then go with a reboot. Else, remove yourself from the list of tasks that need to be executed at boot. Install cloudbase-init, and sysprep. So here, for example, is the last step. So you can see `sysprep.exe /generalize /oobe /shutdown /unattend`, passing the extra Unattend.xml file. Easy, simple, okay? If you need to customize this process, feel free. With all the updates or whatever you prefer to install. Again, all you need to do is just to fork this repository, update the paths inside of the Autounattend.xml, and that's it. For a simple reason, there are three scripts which run. The first one is the specialize one and runs before the system is ready, okay? The other ones have to run in a scenario in which the user has already logged on. It's called autologon, okay? And the first script, the first logon, runs only at the first logon, so automatically it will disappear from the list of tasks that run on the next boot. But since with the updates we need to boot multiple times, we cannot use the first logon, because it will work only the first time, okay? And for the other ones, since they have to execute at every boot, they become regular logon scripts, okay? And if we don't remove them over there, we will sysprep the image and then they'll start all the time. So we just let them reboot, and when we are done, we remove it. That way, as you can see, we are also disabling autologon by removing the corresponding registry key. And it's the last step, so we're sure that also in case of exception, it will block there.
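As an added example, not the Logon.ps1 from the Cloudbase repository the speaker is scrolling through, here is how that autologon script can be written: install updates, reboot while a reboot is pending, and only once no reboot is pending remove the Run entry and autologon, install cloudbase-init and run Sysprep, with any exception blocking the build instead of shipping a broken image. The PSWindowsUpdate cmdlet names are real; the module already being on the module path, the Run value name `Logon`, the MSI path and the Unattend.xml path are assumptions of this example.

```powershell
# Added example (not the Cloudbase repository's Logon.ps1).
# Assumptions: PSWindowsUpdate is already unpacked into the module path,
# the cloudbase-init MSI and Unattend.xml sit in C:\cloudbase, and this
# script was registered under the Run key with the value name "Logon".
$ErrorActionPreference = "Stop"

$runKey      = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$winlogonKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$sysprep     = "$env:SystemRoot\System32\Sysprep\sysprep.exe"
$unattend    = "C:\cloudbase\Unattend.xml"               # assumed path
$msi         = "C:\cloudbase\CloudbaseInitSetup.msi"     # assumed path

try {
    Import-Module PSWindowsUpdate

    # Install everything that is offered; do not reboot in the middle of a batch.
    Get-WUInstall -AcceptAll -IgnoreReboot | Out-Null

    if (Get-WURebootStatus -Silent) {
        # A reboot is pending, so more updates may show up afterwards.
        # The Run entry is left in place: after autologon this script runs again.
        Restart-Computer -Force
        exit 0
    }

    # Nothing pending: stop this script from running at the next boot and
    # switch autologon off before the image is generalized.
    Remove-ItemProperty -Path $runKey -Name "Logon" -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $winlogonKey -Name AutoAdminLogon -Value "0"
    Remove-ItemProperty -Path $winlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue

    # Unattended cloudbase-init install.
    Start-Process msiexec.exe -Wait -ArgumentList @("/i", $msi, "/qn")

    # Generalize (new SID), go through OOBE with the unattend file on next boot,
    # and shut down so the disk image can be uploaded to Glance.
    & $sysprep /generalize /oobe /shutdown /unattend:$unattend
}
catch {
    # Never ship a half-built image: print the error and wait here so the
    # machine stays up for inspection instead of being sysprepped.
    Write-Host "Image build failed: $($_.Exception.Message)"
    Read-Host "Press Enter to exit"
    exit 1
}
```

The order matters: the Run value and the autologon password are removed before Sysprep, so a generalized image never boots into an automatic administrator logon, and the `catch` block is the only path that leaves the machine running without shutting it down.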
One important thing is that whatever error happens, the machine will never go on; it will never get sysprepped. So if you just let it go, it will never shut down, and you can inspect the machine to see what went wrong. The only things that could go wrong, of course, are that a download failed or stuff like that, because of a transient status. In this case, you get an exception; it will print out the error and wait for you to press Enter. So just to be sure that you're not distributing an image which is wrecked, okay? This is part of our continuous integration system as well. When we release the new images, what happens is that whenever there is a new version of cloudbase-init, okay, this image gets automatically generated. It goes through all the testing, automated. And when it's over, it gets uploaded to the website, okay? So it's the same identical stuff that we use. Sorry? Yeah, that's correct, because WinRM is using basic auth for the distribution, okay?

Okay, let me introduce this topic. So people usually ask, can't you have SSH on Windows? I mean, why the heck do I have to use a user interface? You don't. There is WinRM: it executes remote commands via HTTP or HTTPS. It can be used for remote PowerShell or from Linux. Here are some configuration examples that you can see here. Just a second, sorry. That's the one. WinRM is a little bit tricky to set up. Why? Because it's very easy to set it up in a domain. It's very easy to set it up outside of a domain with plain HTTP and basic authentication, meaning that your passwords are traveling in clear text. Both of them are a no-go in a cloud environment. So the only alternative, as it doesn't accept self-signed certificates, is to create a CA, generate a certificate, put the CA certificate in the local trusted CAs, and assign the certificate locally, okay? So that's actually what this script does. You're using OpenSSL. So it will download OpenSSL, generate, wait.
So OpenSSL, okay, assign permissions on the folder so that it will be private for everybody except Administrator, for security. Generate all the SSL bits that you need for the CA, and then it will start with `openssl req`, create a request for the CA certificate. It will sign it, and it will create a certificate request for the server with all the proper extensions, because it needs also to have specific certificate extensions for that. It will import the CA, import the server certificate, and then finally it will configure WinRM. So this way you have everything out of the box. Very important also: it expects to have the computer name as the CN of the certificate. That's why you can see that we take the COMPUTERNAME environment variable. So you run this small script after just installing OpenSSL in an unattended way, which can be done like this. With these four lines you just install OpenSSL, okay? And this thing will be incorporated in cloudbase-init in the forthcoming weeks, okay? So one new plugin will let you also have WinRM ready out of the box. Okay, you have a Linux client, for example Python pywinrm. So no need for anything complicated. Let me see, for example, maybe if I put the right address in... my work. I'm missing something here. Just a second, I have the right script over here. Okay, here we go. I don't know if you can see it, because of course it's... So with this script here that I'm just running, I'm executing PowerShell. Inside of the PowerShell I tell it, run Get-VM, and it's telling me the list of virtual machines which are running right now, okay? So I could stop the VM directly from my Mac this way. That's actually what we do. If you take this script here, this script will create a Hyper-V external virtual switch. Where do we use it? Does anybody of you use DevStack? RDO? Anybody? Okay. So here we have a script that does a complete RDO configuration from scratch, totally unattended. And at the end, it will configure Hyper-V as well, okay?
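As an added example, not the speaker's script, here is the same WinRM-over-HTTPS setup for a non-domain host written out end to end: a locally generated CA, a server certificate whose CN and SAN are the computer name, the imports into the Windows certificate stores, and an HTTPS-only listener with unencrypted traffic refused. The OpenSSL install path, the working folder and the certificate lifetimes are assumptions of this example; the cmdlets and `winrm` settings used are the standard ones on Windows Server 2012 and later.

```powershell
# Added example (not the talk's script): WinRM HTTPS listener backed by a
# local CA. Assumptions: OpenSSL already installed at $openssl, run as an
# elevated administrator, C:\winrm-pki does not exist yet.
$ErrorActionPreference = "Stop"

$openssl  = "C:\OpenSSL-Win64\bin\openssl.exe"   # assumed install path
$pki      = "C:\winrm-pki"                        # assumed working folder
$hostName = $env:COMPUTERNAME                     # CN must match the host name
$caDays   = 3650
$srvDays  = 3650

# Private folder for the keys: drop inherited ACLs, keep only SYSTEM and Administrators.
New-Item -ItemType Directory -Path $pki | Out-Null
icacls $pki /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" | Out-Null
Set-Location $pki

# 1. CA key and self-signed CA certificate.
& $openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days $caDays `
    -subj "/CN=$hostName-winrm-ca" -keyout ca.key -out ca.crt

# 2. Server key and CSR with CN = computer name.
& $openssl req -new -newkey rsa:2048 -nodes -sha256 `
    -subj "/CN=$hostName" -keyout server.key -out server.csr

# 3. Sign the CSR with the CA, adding the serverAuth EKU and a SAN;
#    without these extensions WinRM clients reject the certificate.
@"
[v3_server]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$hostName
"@ | Set-Content server.ext
& $openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial `
    -days $srvDays -sha256 -extfile server.ext -extensions v3_server -out server.crt

# 4. Bundle key + certificate as PFX so the private key lands in the machine store.
$pfxPassword = [Guid]::NewGuid().ToString()
& $openssl pkcs12 -export -in server.crt -inkey server.key `
    -out server.pfx -passout "pass:$pfxPassword"

# 5. Trust the CA locally and import the server certificate with its key.
Import-Certificate -FilePath "$pki\ca.crt" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath "$pki\server.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My -Password $secure

# 6. HTTPS listener bound to that certificate (no HTTP listener is created).
Set-Service WinRM -StartupType Automatic
Start-Service WinRM
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = "*"; Transport = "HTTPS" } `
    -ValueSet @{ Hostname = $hostName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# Basic auth is only acceptable inside TLS, so refuse unencrypted requests.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
```

A client (remote PowerShell or pywinrm) must trust `ca.crt` and connect to the host by the same name that is in the certificate, which is why the CN is taken from `COMPUTERNAME` rather than typed in; for a cloud instance that gets its hostname from the metadata, the script has to run after cloudbase-init has set it.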
So all the environment that you see here, that I'm using for the demos, is created with one click. Including the Windows part, which is automatically executed via Bash. Okay, we saw this part. Now let me talk about the main topic that I had in mind, okay? I will go a little bit over time, but since they moved my one hour and 20 minutes session to one with 40 minutes, it's definitely not going to be my problem. Of course, if you have to leave, no problem. Again, I will be available at any time for any discussion or additional request that you have.

So, Heat. Who knows about Heat? Okay, perfect. Heat is kind of a very useful tool, okay? The side effect is that it comes straight out of CloudFormation from Amazon, okay? Like quite a lot of things in OpenStack, if you want, it's kind of a rip-off of something which already exists, okay? In this case, it's a very good thing. What is missing so far are Heat templates, or anybody who bothered to create Heat templates for Windows. For the simple reason that the tools were not available; now they are: cloudbase-init. By the way, the multi-part part has been created also with the help of Mirantis, okay? Which is also using it in their Murano tool. We have templates for Active Directory, Exchange, SharePoint, SQL Server, IIS. No need to know the provisioning details. Let me get straight to what we need, okay? Setting up Heat in DevStack is very easy. One line with just the services. In RDO, it's a little bit more complicated. And so far, for Havana, there are no public resources about how to do it. I'm gonna publish this thing in a series of blog posts that we have about RDO as well, okay? But of course, this is not a session on RDO; I'm not entering into details. Okay, here is a simple template. So what do we need? We need a key name, because even if we don't use SSH, we need that for the password. We need an instance type, small, big, a flavor, okay? We need the operating system image.
If you have multiple networks that that specific user can use, okay, a specific tenant, it's very important to specify what subnet you wanna assign. That's something that you don't find in the usual examples out there. And this is just an example of a property that we're gonna use, simply called message, in which you put a string. And here is the important part. This template will have one single server, called sample server, in which you have image ID, instance type, subnet ID, key name, user data, and so on. And then the user data, that's the important part. That's pure PowerShell. In order to execute it, I put as a first line a comment which says `#ps1_sysnative`, meaning that it's gonna run in 64 bits, okay? And then it's pure and simple, one statement per line, even with a simple Linux-type newline, okay? The first line says stop in case of exceptions. The second one simply puts the string message inside of the file message. Easy, no? Let's do an example about it, okay?

Our environment here is made out of four servers. Because we consider that when you test stuff, you have to do it in something which is as close as possible, similar to a production environment. So all-in-ones are absolutely useless, okay? Unless you have absolutely no memory. So the main idea here is that we have one controller server containing all the APIs and everything, one network server using Neutron, one compute node using libvirt and KVM in this case. Now it's down, just to save some memory. And we have a Hyper-V node which is up, okay? We're using Open vSwitch. And if you do `neutron agent-list`, as you can see, the Hyper-V corresponding agent is up and running together with the rest, okay? The only one which is down is the one in the compute node for libvirt, because it's down by itself. Okay, now `heat list`. We have a failed attempt that I was doing before coming here. So `heat delete` that one. Now let's go straight to a more complicated template.
So I can explain it to you while the system boots. This one is creating a domain controller. How do we boot it? Here is the booting instruction. We just specify the path to the template. We specify the parameters, in which you say, hey, instance type, sminy, which is something between the small and tiny because they don't have it, so it's one gigabyte of memory; key name; subnet ID that we're using; domain name, which is called hksummit.local; domain NetBIOS name, hksummit; Safe Mode Administrator Password, whatever. That's the only thing that I don't like, that we have to put the password in clear text, but that's a limitation in Heat so far. We need the subnet. I'm gonna fetch it directly out of Neutron. So if I run like this, I get the whole definition of the subnet, but since we need only the ID, we do just a little bit of awk magic. And we get it inside of a variable, okay? And then let's take this template. Okay, create in progress. It's called ADDC1. heat event-list. Okay, create complete. Does this mean that it's finished? No, it's finished at provisioning. If I do now a nova list, I see that the machine is already active. That's on Hyper-V. Hyper-V is blazing fast in pulling up machines, okay? Especially because we cache locally the Glance images and we create a differential disk. Okay, KVM does it as well, but as expected behavior, it's a little bit faster with VHDs. Okay, here is the machine. Now we have one running VM. Just to show it even from here, from the Mac, it's showing that the VM is running here, okay? We can look what's going on. That's the VM coming up. That's the generalization phase after sysprep. Please note that this is a virtual machine running inside of a virtual machine, which is running on my Mac, okay? So be patient if it takes a little bit of time. Okay, now it got up. Now sysprep is, sorry, cloudbase-init is starting. It will take a little bit of time.
It will restart the machine, due to the fact that it changes the host name; it will reboot, okay? And afterwards, it will run, see, rebooting, it will run the remaining plugins, which in this case, we can look at them. The last one of them is gonna be, of course, the Active Directory template. So here is the relevant part. The rest, it's what I already showed you. That's a completely standard template for Heat, okay? So nothing, no magic, nothing completely different. All the important magic happens here, those simple lines. It might be a little bit awkward to write everything inside there, having to terminate the strings, putting commas and everything, okay? So one smart solution is put this stuff in a script that you can download via web, and here, put simply the download script. The other smart thing is that what we do most of the time is using Puppet or Chef. So here, you just install the Chef agent or the Puppet agent, and you just go with it later. How many Puppet users here? Chef? No Chef? Okay. Chef, still, okay. SaltStack, yay, cool. I love SaltStack. Okay, so what I like here, generally speaking, is the fact that the variables, for example, that Safe Mode Administrator Password, okay, comes out of the parameters that you pass it and goes straight inside of the script. So it's very easy to compose these things. It's also very easy to get crazy when it goes beyond 100 lines, as I was saying. But you can pass it as parameters to a big script that will do everything, and then you are back in a safe harbor, so to say. So, Install-WindowsFeature, Active Directory services, and here is one trick. The Administrator password still exists, but it's available only... you have to go on the console, no network access, okay, when the console asks for the password. But from the Windows perspective, the password is blank. If you try to install, to do a dcpromo right now, it will fail, telling you that Administrator must have a password.
So the first thing that we do is to assign a password to the Administrator. And I commented out also two instructions to disable the local user. Import-Module ADDSDeployment, safe mode password. We need, of course, to transform it in a secure password, in secure text, okay. And finally, we're not using dcpromo, here we do it entirely in PowerShell. Install-ADDSForest, domain name, and we pass the variable for the domain name; NetBIOS name, we pass the password for the NetBIOS name; and Safe Mode Administrator Password, okay. And I leave all the rest like for the folder. We install also DNS, of course. So let's see what's going on here. Okay, now it finished the first part, and it's waiting to do the second part. At this stage, we can even get in via RDP into the machine, because anyway, it finished all the previous steps. And as you can see, a new user called admin showed up. What can we do? As I was telling you, the admin password can be retrieved with the trick that I was saying. So let's get it out. So here I have a simple script that does something simple. Retrieves, given the name, the virtual machine ID. It will get its port, assign a floating IP, so that we can connect to RDP, because the machines are using VLANs right now internally. So they are on a separate network. And finally, after assigning the floating IP, we do a get-password, and we get a password. And from there, all we have to do is to go to RDP. Voilà, okay. That's the password that got generated. In order to decrypt it, you need to have absolutely that id_rsa key one, okay? So, look, in the meantime, it finished also the Active Directory deployment, so we can just wait for the machine to reboot. No reason to connect now. Just one thing, if you look at that console that you see, that's FreeRDP, connecting to the Hyper-V console, okay, and from there, getting the internal machine running. And we are running on top of the free Hyper-V. The free Hyper-V doesn't have that tool.
So that's actually a contribution that we did together with the FreeRDP guys. Okay, machine back up and running. Here I have a configuration option, okay? It's just configured, just to go. I assigned a specific floating IP, okay? So I have just to connect here. Accept certificate, yes, thank you. Only thing is that now, yeah, now since I rebooted, I don't need, I cannot use this one anymore because it's not a local machine anymore. It became a domain controller. So if I try, it's gonna fail, okay? So what I have to do is put domain, backslash, administrator, and the password. And here I go. Just be a little bit patient. I was saying it's a virtual machine running inside of a virtual machine, okay? Thank you. Even the group policy that we had for assigning our background remained, so, perfect. Okay, that's the first building block. The next thing that we can do, it's easy. You can take any possible script that you can have. For example, here I have a, that was the next example I wanted to show you. Here is how to create a very simple website. Add-WindowsFeature with all the features that you need for IIS, okay? Import-Module WebAdministration, create website. That's it. Put this stuff in the Heat template, in the script, off you go. Another thing I wanted to show you is mixed templates. We're gonna publish on our website one of my favorite ones, which is using Exchange Server. So you have one server Active Directory, one server Exchange Server with all the features except the Edge. And in the front, a Linux machine running a reverse proxy for the Microsoft OWA plus SMTP daemon plus SpamAssassin and anti-virus and so on. So it's very important security-wise, because this way somebody has to break inside of that machine and go behind, exactly. And it will have a separate isolated network connecting the domain controller, the back port, let's say, of the SMTP one and the other one. It can fit all inside of a template. And here is a starting point.
You have two separate resources, this time a Linux one and a Windows one, okay? The Linux one will go directly on top of KVM because the image is set to have as an image property QEMU, and the other one will go on Hyper-V. One single template, easy. And there you can put your scripts. You can see a PowerShell one in one and a simple batch in the other one. So whatever that can be scripted can be put in a Heat template. Very, very easy. So at that point it's just a matter of thinking about every possible Windows workload and putting it there. That's what actually we're gonna do in the next weeks. Okay, I think I'm quite over time. Yep. So, questions? 8.1? Oh, it's the same. I can show you, I could take the same identical template and do an unattended setup of 8.1. 8.1 is the client version. Windows Server 2012 R2 is the server version. Same identical core. I'm sorry? 2008. Yeah? So 2008, we tested it. The scripts that are online right now contain one instruction in an unattended file which got added later. So we'll have to separate, so remove that instruction and create a separate unattended file for download. But it works; that way of doing an unattended installation starts with 2008. So from that moment onward, everything is working. But he's saying as a guest, I guess. Yes. Yeah. Server-wise, we support Hyper-V from 2008 R2 onwards with limited features. And, but my suggestion is to go to 2012 R2. Okay? R2, yeah. For example, some of the Ceilometer features are available only in 2012 R2. Peter is from Microsoft, by the way. So he's speaking with an authoritative point of view. Yes? Yeah. Of course it does. I mean that's, but we don't have to add anything. It will just leverage the features that we have already in OpenStack. For example, I can just run this Heat template three times and I will generate three completely autonomous environments.
And if I have, for example, three tenants which have three separate subnets, since they're using VLANs or GRE and so on, they will not see each other. Yeah? We have quite a bit of experience for our own servers. Just as an example, I'm showing there that specific machine has one network adapter which is connected on VLAN 1,000. So if on the same machine you have another, let's say, virtual machine which is connected on 1,001, even if they share the same identical physical network adapter going out, they will never be able to see the traffic. So it's fully, purely multi-tenant. From a licensing perspective, Microsoft gives you a very simple option for the operating system. You get an SPLA license; they're damn cheap, okay? You get a Datacenter version. It's less than 100 bucks per processor. So you have, for example, two, not core, socket, I mean, okay? So you have two of them. And per month, you pay roughly less than 200 bucks, for sure, okay? And you have unlimited virtualization rights. So let's say that you put a density of 70 virtual machines per host, it will cost you roughly $2 per machine per month. So as close to zero as possible. So all the arguments like Linux is cheaper, they, yeah, it's cheaper by $2. That's why most of the public cloud vendors out there put the Linux machine and the Windows machine at the same price. Some of them, they change it; it's just a matter of priority. This doesn't apply, of course, if you have SQL Server, if you have Exchange, but again, even Exchange, you just pay one SPLA license per user. Something, the basic one is ridiculous, $1 per month, I believe, something like this. So just don't think about Microsoft licensing as in the old way, like, I need one server, I have to buy one license, okay? You just rent them month by month. The annoying part is that the granularity is the month. So if you spin them up day by day or week by week, you still have to pay them for the entire month.
But since you pay them for the entire server, so let's say that you have five different users that are using Exchange, okay? You just sum the total number of clients that they have and that's what you pay for. And the customer, of course, is paying you the corresponding value. So Microsoft is not asking you how much each customer is paying; it's just interested in the total value. And it's actually you declaring to Microsoft how much you use. It's only annoying because it has to be done month by month. Okay, more questions? I don't think I got it. Then they have some mechanism in which you can be able to go on a script on the instantiation of that version. Yeah. And at that point, if you inject the script to the server on RAM? Yeah, for example, this Hyper-V machine here, it's automatically installed and it has been RAM installed already during the sysprep part. The state, machine state, which you want. But it's up to the, most of the cases, it's up to the customer. Yeah. Some sort of ability to run a script. Azure has them as well, for example. Azure has them as well. Okay, guys, if you don't have any other questions, I will close the session here. Thanks for coming.
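The following Heat template is an added example written to make concrete the domain-controller walkthrough from the talk; it is not the speaker's template, nor one of the templates Cloudbase has published. It follows the structure described in the talk (parameters for key name, flavor, image and subnet; one server resource whose user_data is PowerShell starting with the ps1_sysnative marker; str_replace feeding the domain name, NetBIOS name and Safe Mode Administrator Password into the script; the Administrator password set before promotion, since it is blank after sysprep). The parameter and resource names, the flavor default, the extra network_id parameter (needed because the port resource, not the server, carries the subnet), the stack name addc1 and the exact PowerShell body (in particular the ADSI call used to set the Administrator password) are my assumptions and not taken from the talk.

```yaml
heat_template_version: 2013-05-23

description: >
  Added example (not from the talk): Windows Server domain controller
  provisioned by cloudbase-init from PowerShell user_data on Hyper-V.

parameters:
  key_name:
    type: string
    description: Nova keypair; needed so that nova get-password can encrypt the admin password
  instance_type:
    type: string
    default: m1.small            # assumed flavor name
  image_id:
    type: string
    description: Sysprepped Windows Server image in Glance (with the Hyper-V image property set)
  network_id:
    type: string                 # assumed extra parameter, see lead-in
  subnet_id:
    type: string
    description: Subnet to attach to; matters when the tenant owns several networks
  domain_name:
    type: string
    default: hksummit.local
  domain_netbios_name:
    type: string
    default: HKSUMMIT
  admin_password:
    type: string
    hidden: true                 # not echoed back by heat stack-show / template-show
  safe_mode_admin_password:
    type: string
    hidden: true

resources:
  dc_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: network_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }

  dc_server:
    type: OS::Nova::Server
    properties:
      name: addc1                # assumed name
      image: { get_param: image_id }
      flavor: { get_param: instance_type }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: dc_port }
      user_data_format: RAW
      user_data:
        str_replace:
          template: |
            #ps1_sysnative
            $ErrorActionPreference = "Stop"
            # After sysprep the local Administrator password is blank and
            # Install-ADDSForest refuses to promote; set it first.
            # ADSI is used here (assumption) because it works on 2012 R2 without extra modules.
            $admin = [ADSI]"WinNT://./Administrator,user"
            $admin.SetPassword("__admin_password__")
            $admin.SetInfo()
            Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
            Import-Module ADDSDeployment
            # DSRM password must be a SecureString, as mentioned in the talk
            $dsrm = ConvertTo-SecureString "__safe_mode_admin_password__" -AsPlainText -Force
            Install-ADDSForest -DomainName "__domain_name__" `
                -DomainNetbiosName "__domain_netbios_name__" `
                -SafeModeAdministratorPassword $dsrm `
                -InstallDns -Force
          params:
            __admin_password__: { get_param: admin_password }
            __safe_mode_admin_password__: { get_param: safe_mode_admin_password }
            __domain_name__: { get_param: domain_name }
            __domain_netbios_name__: { get_param: domain_netbios_name }

outputs:
  dc_private_ip:
    description: Tenant-network address to pair with a floating IP for the RDP step shown in the talk
    value: { get_attr: [dc_server, first_address] }
```

Two points for anyone reusing this. First, `hidden: true` addresses the complaint in the talk about passwords in clear text only partially: it keeps the values out of `heat stack-show` and the parameter listing, but after str_replace they still travel inside user_data, which any process in the guest can read back from the metadata service or config drive for the life of the instance, so both passwords should be rotated as soon as the forest is up (the DSRM one via ntdsutil, the Administrator one through normal domain tooling). Second, the Install-ADDSForest call reboots the machine on its own, which is the second reboot the talk mentions; cloudbase-init records the already-executed user_data plugin, so the script does not run twice.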