Cloud computing can help dramatically increase the speed of delivery of new business services. IBM SmartCloud Orchestrator is an integrated cloud automation platform designed to help orchestrate the development, deployment, and management of robust enterprise cloud services. With SmartCloud Orchestrator, you can:
- Accelerate the delivery of cloud services using an orchestration engine.
- Automate the deployment of whole multi-node application topologies.
- Monitor the health, performance, and planning capabilities of the cloud environment.
- Track and analyze the cost of your various cloud resources.
An important task in cloud computing is the creation of the image. This requires knowledge of the underlying operating system, the hypervisor you'll use to deploy the images, and the manager controlling that hypervisor. In this article, we'll take you through this task using Windows as the guest OS.
To begin, let's establish some common terminology and summarize the general process to create a SmartCloud Orchestrator-compatible image. You will be able to easily adapt the process to an already existing image you want to deploy through SmartCloud Orchestrator. We'll explain the common issues found while creating an image, how to debug, and fix them.
Because we use a VMware-based system in this article, we use the VMware terminology. However, you can easily extend the procedure to KVM regions.
We use "image" or "virtual image" to identify the image template, while we use "instance" or "virtual instance" to identify a virtual machine (VM) deployed through SmartCloud Orchestrator.
The steps to create a SmartCloud Orchestrator-compatible image are fairly simple:
- Create an image template in the hypervisor.
- Install the base OS.
- Set and check SmartCloud Orchestrator prerequisites.
- Import the image into the Image Construction and Composition Tool (ICCT) component of SmartCloud Orchestrator.
- Extend the image in ICCT.
- Synchronize the image in ICCT.
- Capture the image in ICCT.
We'll go into more detail about what each of these means in the following sections.
For simplicity, we assume the same user will complete the steps, but because different steps in the procedures could be done by different people with different roles, we will specify the needed privileges and roles for each step.
To create a SmartCloud Orchestrator-compatible image, you must have access with admin role to VMware vCenter, and you must have access to ICCT UI (ICCT is single-user, so no role is specified) and the Virtual Image Library component of SmartCloud Orchestrator (VIL) UI.
You must have access to the ISO file corresponding to the OS you would like to install. See the list of operating systems supported in a SmartCloud Orchestrator environment.
For simplicity, let's assume the image is already created in the VMware hypervisor (Step 1) and that the OS is installed (Step 2). That brings us to Step 3, setting and checking the SmartCloud Orchestrator prerequisites.
Set and check the SmartCloud Orchestrator prerequisites
To ensure that the image will successfully deploy through SmartCloud Orchestrator, specific configuration changes are needed. Typically, if one or more prerequisites are missing, the instance is powered on but, in the SmartCloud Orchestrator UI, it hangs in the "Checking to see if virtual system <system's name> is started" status.
Following is an example of how to configure a Windows 2008 R2 image so that it is SmartCloud Orchestrator-compatible.
The IBM Workload Deployer and Image Construction and Composition Tool components use the RXA protocol to connect to the deployed image (at deployment and synchronization time, respectively) and to copy over needed files, such as the activation engine package.
To ensure that the RXA protocol works properly, you must apply a set of configuration steps in the image.
You must configure the Windows firewall to allow incoming ICMP and RDP connections. To enable Remote Desktop Firewall Exception, go to Start > Computer, right-click, and select Properties, go to the Remote tab and ensure that Allow connections from computers running any version of Remote Desktop is selected, then click Apply. You'll get a "Remote Desktop Firewall exception will be enabled" message; click OK twice.
For ICMP, the predefined rule in the Windows firewall is "File and Printer Sharing (Echo Request - ICMPv4-In)." To edit this configuration, go to Start > Control Panel > System and Security > Windows Firewall, click Advanced Settings, then select Inbound Rules. Look for the rule named "File and Printer Sharing (Echo Request - ICMPv4-In)." Open the rule by double-clicking on it and make sure that:
- Under the Advanced tab, all the profiles (Domain, Private, and Public) to which the rule applies are checked.
- Under the Scope tab, Any IP address is checked.
Port 445 must not be blocked by a firewall. The predefined rule in the Windows firewall for this port is Netlogon Service (NP-In).
For OpenStack, to allow incoming RDP connections, make sure port 3389 is not blocked by a firewall.
You might have to disable User Account Control if your account is not a domain user account. If you have a domain user account, ensure that the local and the target machine are both members of a Windows domain.
If you are a member of a local administrators group and you use a local user account, you must perform administrative tasks on the target machine.
Disable User Account Control when you administer a workstation with a Security Account Manager local user account. If you do not disable this option, you do not connect as a full administrator and cannot perform administrative tasks. To disable User Account Control:
- Click Start > Run, enter regedit, and click OK or press Enter.
- Locate and click the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
- If the LocalAccountTokenFilterPolicy registry entry does not exist, on the Edit menu, choose New and click DWORD Value. Type LocalAccountTokenFilterPolicy, press Enter, right-click LocalAccountTokenFilterPolicy, and click Modify. In the Value data field, enter 1 and click OK.
- Restart the computer.
Check that User Account Control is set to default by going to
Start, then in Search programs and
Ensure that Enable NetBIOS over TCP/IP is selected for the network connections properties of the computer. From the Control Panel, go to Network and Dial-Up Connections > Properties > Internet Protocol (TCP/IP) > Advanced > WINS > Enable NetBIOS over TCP/IP.
Note: Before you create the template, remember to disconnect any ISO file you may have added to the image (typically to install the OS) because it interferes with the image activation logic (the activation engine passes the configuration instructions through an ISO file).
When you create an image template, ensure that it has only one network card; you can add more at deployment time using the NIC add-ons.
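
A read-only check of the prerequisites above, as an added example that is not part of the original article: it inspects the firewall rules, the LocalAccountTokenFilterPolicy value, NetBIOS, the network card count, and the CD/DVD drive from inside the guest. It assumes an elevated PowerShell 2.0 session (the version shipped with Windows 2008 R2); the function names are hypothetical, and it looks only at Windows Firewall rules, not at firewalls outside the guest.

```powershell
# Added example, not from the original article. Read-only; run inside the
# guest from an elevated PowerShell 2.0+ prompt before capturing the template.
function New-Result($Check, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" } |
        Select-Object Check, Ok, Detail
}

function Test-ImagePrerequisite {
    # Enabled inbound allow rules (INetFwRule: Direction 1 = in, Action 1 = allow).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $rules = @($fw.Rules | Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 })

    # ICMP echo: the rule may exist once per profile group, so OR the profile
    # bits (Domain 1, Private 2, Public 4) of the copies scoped to any address.
    $icmp = @($rules | Where-Object { $_.Name -like 'File and Printer Sharing (Echo Request*ICMPv4-In)' })
    $mask = 0
    foreach ($r in $icmp) { if ($r.RemoteAddresses -eq '*') { $mask = $mask -bor $r.Profiles } }
    New-Result 'ICMPv4 echo allowed, all profiles, any IP' (($mask -band 7) -eq 7) "profile mask: $($mask -band 7)"

    # TCP 445 and TCP 3389 (RDP): at least one enabled allow rule for each port.
    foreach ($port in '445', '3389') {
        $hit = @($rules | Where-Object { $_.Protocol -eq 6 -and ($_.LocalPorts -split ',') -contains $port })
        New-Result "TCP $port inbound allow rule" ($hit.Count -gt 0) (($hit | ForEach-Object { $_.Name }) -join '; ')
    }

    # The registry value set in the User Account Control step above.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    New-Result 'LocalAccountTokenFilterPolicy = 1' ($val -eq 1) "current value: $val"

    # TcpipNetbiosOptions: 0 = take setting from DHCP, 1 = enabled, 2 = disabled.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $off = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 1 })
    New-Result 'NetBIOS over TCP/IP enabled' ($nics.Count -gt 0 -and $off.Count -eq 0) "$($off.Count) adapter(s) not set to enabled"
    # IP-enabled adapters are used here as a stand-in for "network cards".
    New-Result 'Single network card' ($nics.Count -eq 1) "$($nics.Count) IP-enabled adapter(s)"

    # A mounted ISO interferes with the ISO the activation engine relies on.
    $media = @(Get-WmiObject Win32_CDROMDrive | Where-Object { $_.MediaLoaded })
    New-Result 'No media left in CD/DVD drive' ($media.Count -eq 0) "$($media.Count) drive(s) with media"
}

Test-ImagePrerequisite | Format-Table -AutoSize
```

Because these settings are captured into the template, every instance deployed from it inherits them; LocalAccountTokenFilterPolicy = 1 in particular gives local administrator accounts a full administrative token over remote connections.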
Wait for VIL to discover the image
After the template is prepared, you can see the image in VIL UI. Because VIL discovers new images in VMware every two minutes, a short delay might happen between when the capture completes and when you see the image in VIL. VIL has two operational repositories for the same VMware region, one for OpenStack and one for VMware. The latter is identified by the small chain icon.
The OpenStack repository is populated collecting information from Glance. The VMware repository is populated by talking directly to VMware. At the end, their content should be exactly the same. If there are discrepancies (for example, the image is shown in one repository and not the other) you can force the synchronization from VIL UI by selecting an operational repository, then selecting Actions > Synchronize repositories. Wait for the synchronization task to complete before issuing the synchronization on the second repository.
You cannot import the image into ICCT until you see it in the VIL.
Note: If you plan to manage a large environment, to help accelerate VIL performance, we suggest you configure VIL not to see the deployed images.
Import the image in ICCT
VMware templates are not immediately consumable by SmartCloud Orchestrator because they are lacking the activation engine. The activation engine is a set of binaries responsible for the personalization and de-personalization of the image. It is responsible for assigning, at deployment time, the correct network configuration to the instance (for example, hostname, IP address, DNS, gateway), and the new password to the administrator user, setting up the product key, and triggering the setup of the specific software customization scripts you may have added into the image through ICCT software bundles. This piece of software is installed and configured inside the image template by ICCT.
For simplicity, let's assume that no software bundles and no personalities are added to the image. For more information, see Working with IBM Image Construction and Composition Tool.
The image must be listed in the VIL OpenStack operational repository and successfully basic-indexed before you can import the image in ICCT.
Despite its name, the import process is not copying and retrieving the disks of the image. Instead, it involves creating a pointer to that image and generating the proper image metadata. By metadata, we mean the collection of artifacts that describe that image at pattern design time and at image deploy time — how many parts (personalities) are included in the image, which parameters are configurable by the end user at deployment time (root password, for example), and which parameters are configured by the provisioning engine at deployment time (DNS, for example).
To import the image, log in to ICCT UI. We do not specify any role here since ICCT is single-user. Click Build and manage images.
If you have multiple systems, ensure that you are pointing to the right cloud provider (select it from the upper-right drop-down list) and click the Import from Cloud Provider icon.
Select the newly created image and click Add.
Extend the image in ICCT
The extension process is the first step in the creation of a new SmartCloud Orchestrator-compatible virtual image. This step does not involve OpenStack or the hypervisor; it is self-contained in ICCT. It creates another image object inside ICCT and copies the metadata from the base image.
To extend an image from ICCT, click the Extend icon in the image window of the GUI.
The "Out of sync" status of the image in ICCT reflects that there is no image in the hypervisor that corresponds to the extended one.
Also of note is that the extended image has an additional software bundle.
At the extension stage, ICCT is promising to install that software bundle, but so far nothing has been added to the image. Remember that the image does not yet exist in the hypervisor.
The Enablement Bundle is responsible for installing the correct version of the activation engine, if it is not already installed, and for configuring it.
Synchronize the image in ICCT
Synchronizing the image in ICCT creates a virtual instance starting from the base image, and adds the Enablement Bundle and all the software bundles you may have added during the previous step to that instance. While performing this action, ICCT interacts only with OpenStack (through iaasgateway); no other components are directly involved in this process. (Workload Deployer does not enter into the synchronization game.)
To start the synchronization, click the Synchronize button.
You are asked to select a flavor, a network, a cloud provider, and to specify the root password. This password is the one set into the image when you installed the OS. Click Next.
Be careful entering information in the Synchronize the image panel. The majority of synchronization failures happen because of data entered incorrectly. For example, using a password that is not the actual administrator password or specifying the wrong network prevents ICCT from connecting (through RXA) to the image and moving the binaries for the enablement bundle and the other software bundles you added when extending the image. Specifying a too-small flavor also prevents OpenStack from creating the image.
Be sure to enter the product key, then click Done.
After synchronization completes, the status of the image is set to synchronized.
Note: It is important to correctly configure the hostname resolution; otherwise, the RXA connection between ICCT and the deployed image times out and the synchronization fails.
In case of synchronization failure, you can:
- Look at ICCT traces (/drouter/ramdisk2/mnt/raid-volume/raid0/logs/trace/trace.log).
- Check that the instance is actually created in OpenStack. Run nova list, ensure that the image (named ICCT <a number>) is present in the output and its status is ACTIVE.
- Check that you can connect by Remote Desktop to the instance.
- If the image is in ERROR state in OpenStack, use nova show <image UUID> to get additional details on the failure. If there is nothing meaningful there, consider that what ICCT does is analogous to this command: nova boot --flavor <flavor id> --image <image id> --nic net-id=<net uuid> <a name of your choice>, where <flavor id> is the flavor ID that corresponds to the flavor you selected at synchronization time; <image id> is the UUID of the base image in Glance (you can check it using glance image-list); and <net uuid> is the UUID of the network that corresponds to the network selected at synchronization time. (You can check it using nova-manage network list.) If this command fails, investigate /var/log/nova/smartcloud.log and/or /root/.SCE31/logs/skc-0.log for the root cause.
- If you use SmartCloud Orchestrator 2.3 without fixpack 1, note the name of the network connection: it must be Local Area Connection, or the image will not have an assigned IP address. Fixpack 1 removed this limitation.
Capture the image in ICCT
This is the final step that actually generates a new image you can later import in SmartCloud Orchestrator and deploy as part of a pattern.
Capturing an image through ICCT triggers actions to:
- Depersonalize the instance (that is, /opt/ibm/ae/AE.sh --reset is run in the instance)
- Shut down the instance
- Convert the VM into a template
- Create an image in OpenStack
- Associate its own metadata to the image in OpenStack
All of these actions are done automatically and do not require human interaction. For the capture step, ICCT talks only to OpenStack through iaasgateway; no other components are involved. OpenStack "talks" to VMware (through SmartCloud driver and SmartCloud Entry).
To capture, simply click Capture.
After the capture process is done, the status shows as completed.
The image is ready to be used in SmartCloud Orchestrator:
- Wait for the newly created image to be discovered and indexed by VIL.
- Register the image in Workload Deployer.
- Create a virtual system pattern.
- Add the newly registered image to the pattern.
- Deploy the pattern.
Note: When provisioning, be sure to specify a valid product key and administrator password that adhere to Windows policies and thereby avoid a sysprep fail.
Now you know how to create a SmartCloud Orchestrator-compatible image for a Windows environment. We've provided instruction for the mechanisms needed to complete the process to satisfy OS, hypervisor, and hypervisor manager requirements for various images to deploy in a Windows environment.
You should now be able to easily and smoothly prepare a SmartCloud Orchestrator-compatible image for Windows.