On 11/15/2013 08:41 AM, Bob Doolittle wrote:
Hi,
I had a question on IRC regarding sysprep/sealing of Windows VMs and use in Pools. Basically, if you follow the Quick Start Guide, it says to seal the VM and shut it down before making the Template.
My problem with this is that when you start a VM from the Pool, it takes forever to unseal - i.e. to repersonalize itself. That's a bad experience from a VDI perspective - you want the user to get a desktop they can start using ASAP.
that's why Pools have "auto start VMs" - you can define you want the pool to always keep X VMs up and running and ready for the users.
Itamar responded to me directly via e-mail:
bobdrad: on your question of windows VMs from pool - you can start them once with an admin for the sysprep to happen, then shut them down. admin launch of VMs doesn't create a stateless snapshot and manipulates the VM itself.
This raises some questions. I'd love to understand this better.
He's asked me to cross this conversation onto the Users list now.
1. My understanding is that a Pool clones VMs on demand from a template. So how does the admin "launch" the template? I thought the only way to exercise a pool is from the User Portal. Is it sufficient to do that as Admin? I thought the persistence only came when launching a VM from the Admin Portal.
The VM is created as part of pool creation. an admin can start the VM from webadmin as well. unless admin will flag the runvm action with stateless, it will change the VM. i.e., the admin will be starting the VMs created in the pool, not the tempalte itself. caveat: for windows VMs, if the VM is doing the sysprep by the admin (persistently), you need to change the domain policy to avoid the computer account password change (will cause the VM to lose connectivty to the domain after 90 days). hence the auto starting VMs is better for some use cases.
2. My understanding of "sealing" a system is that this depersonalizes it - e.g. removes hostname, prepares network for reinitialization, etc. And that the next time the system boots up it re-personalizes. So if one were to restart it, even as admin, this would reverse the sealing process, which would seem to make sealing in the first place pointless.
What am I missing? At the moment I don't see the point of sealing a VM before putting it into the Pool (assuming you're using DHCP, anyway). What happens if you don't?
its considered microsoft best practice. there is also a security concern if the VMs are not part of a domain, since they would have the same SID. other caveats may apply, but may be good enough for your use case.
Thanks, Bob
P.S. I note the behavior of Fedora vs RHEL 6 is quite different in this regard. If you follow the "sealing" process on the Quick Start page for Fedora it seems to have no visible effect, but on RHEL 6 it puts you through a re-personalization dialog which is rather extensive (and again, not really suitable for VDI use). _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users