This repository contains the code used to build images containing the base operating system and tools that are required by all Windows resources. Images can be created for Hyper-V.
The current process will install Windows 2016 Server Core, i.e. without UI, on the disk and will then configure the following tools and services:
- Consul - Provides service discovery for the environment as well as a distributed key-value store.
- Consul-Template - Renders template files based on
information stored in the
Consulkey-value store and the Vault secret store. - Filebeat - Tails file logs and sends them onto the central log storage server. The version of Filebeat installed is a modified version that sends logs to a message queue.
- Winlogbeat - Tails the Windows event logs and sends them onto the central log storage server. The version of Winlogbeat installed is a modified version that sends logs to a message queue.
- Telegraf - Captures metrics for the resource and forwards them onto the time series database for storage and processing.
- Unbound - A local DNS resolver to allow resolving DNS requests via Consul for the environment specific requests and external DNS servers for all other requests.
- WinRM is enabled on the standard ports.
- The firewall is enabled and blocks all ports except the ports that are explicitly opened.
- All available updates will be applied.
- A single administrator level user is added called
thebigkahuna. - A set of standard applications are installed as mentioned above.
- Configurations for
ConsulandUnboundshould be provided via the provisioning CD when a new machine is created from the base image. All other services and applications should obtain their configuration viaConsul-Templateand theConsulkey-value store.
For provisoning reasons a Windows service called provisioning is added which:
- Read the files on the DVD drive and:
- Disable WinRM if the
allow_winrm.jsonfile does not exist - Copy the configuration files and certificates for consul and unbound
- Enable all the Windows services for the afore mentioned services
- Execute the resource specific provisioning steps found in the
Initialize-CustomResourcefunction in thec:\ops\provisioning\Initialize-CustomResource.ps1file.
- Disable WinRM if the
- Sets the host name to
cv<SHORT_NAME>-<MAJOR><MINOR><PATCH>-<3_CHARACTER_RANDOM_STRING>where<SHORT_NAME>- Is a four character short version of the name of the resource<MAJOR>- The major version number<MINOR>- The minor version number<PATCH>- The patch version number<3_CHARACTER_RANDOM_STRING>- A random string of 3 characters
- Eject the DVD if the provisioning files were obtained from DVD
- Restart the machine to ensure that all changes are locked in and so that the machine comes up with the new machine name
Note that the Windows machine name is considerably shorter than the Linux machine name. This is due to the fact that Windows machine names are NetBios compliant and thus can only be 15 characters in length.
For Consul there are a number of configuration files that are expected in the provisioning location. For server and client nodes they are:
- consul/consul_region.json - Contains the Consul datacenter and domain information
- consul/consul_secrets.json - Contains the gossip encrypt key
- consul/client/consul_client_location.json - Contains the configuration entries that tell Consul how to connect to the cluster
For examples on how to configure for Hyper-V please look at the configuration folder in the calvinverse.configuration repository.
For Unbound one configuration file is expected. This file is expected to be found in the provisioning location at: unbound/unbound_zones.conf and it is expected to contain the unbound zone information.
For examples on how to configure for Hyper-V please look at the configuration folder in the calvinverse.configuration repository.
Logs are collected via the Filebeat and Winlogbeat if the Consul-Template service has been provided with the appropriate credentials to allow the logs to be pushed to a RabbitMQ exchange. If no credentials are provided then no logs will be captured.
For file logs the exchange the log messages are pushed to is determined by the
Consul Key-Value key at config/services/queue/logs/filelog/exchange on the
vhost defined by the config/services/queue/logs/filelog/vhost
K-V key. The filelog routing key is applied to each log message.
For Windows event logs the exchange the log messages are pushed to is determined by the
Consul Key-Value key at config/services/queue/logs/eventlog/exchange on the
vhost defined by the config/services/queue/logs/eventlog/vhost
K-V key. The filelog routing key is applied to each log message.
Metrics are collected through different means.
- Metrics for Consul are collected by Consul sending StatsD metrics to Telegraf.
- Metrics for Unbound are collected by Telegraf pulling the metrics.
- System metrics, e.g. CPU, disk, network and memory usage, are collected by Telegraf.
The build process follows the standard procedure for building Calvinverse images. Because the base image is build during this process the following differences exist.
- In order to build a Hyper-V image the following properties need to be specified as part of the
command line used to build the image:
ShouldCreateHyperVImageshould be set totrue- The Windows Server ISO is obtained from the internal storage as defined by the MsBuild
property
IsoDirectory. It is expected that the ISO is calledwindows_server_1803_updates.iso. In order to reduce the amount of time needed to create the base image it is recommended to merge as many Windows update into the ISO prior to use.
- A number of additional scripts and configuration files have to be gathered. Amongst these files is
the Windows
unattend.xmlfile. The unattend file contains the OS configuration and it is provided to the machine when booting from the ISO initially. - Once Packer has created the VM it will additionally
- Add the OS ISO as a secondary DVD drive
- Start the machine and provide the boot command which points the machine to the ISO and the location of the unattend
file. The OS installation will start and during this process the unattend file is read leading the machine to be
configured with
- A US english culture
- In the UTC timezone
- A single administrator user called
thebigkahuna
- Once the OS is installed the standard process will be followed
The base image should never be deployed to live running infrastructure hence it will not be needing deploy information.