3:51 p.m.
On 11/15/2013 08:41 AM, Bob Doolittle wrote:
Hi,
I had a question on IRC regarding sysprep/sealing of Windows VMs and use
in Pools. Basically, if you follow the Quick Start Guide, it says to
seal the VM and shut it down before making the Template.
My problem with this is that when you start a VM from the Pool, it takes
forever to unseal - i.e. to repersonalize itself. That's a bad
experience from a VDI perspective - you want the user to get a desktop
they can start using ASAP.
that's why Pools have "auto start VMs" - you can define you want the
pool to always keep X VMs up and running and ready for the users.
Itamar responded to me directly via e-mail:
> bobdrad: on your question of windows VMs from pool - you can start
> them once with an admin for the sysprep to happen, then shut them down.
> admin launch of VMs doesn't create a stateless snapshot and
> manipulates the VM itself.
This raises some questions. I'd love to understand this better.
He's asked me to cross this conversation onto the Users list now.
1. My understanding is that a Pool clones VMs on demand from a template.
So how does the admin "launch" the template? I thought the only way to
exercise a pool is from the User Portal. Is it sufficient to do that as
Admin? I thought the persistence only came when launching a VM from the
Admin Portal.
The VM is created as part of pool creation.
an admin can start the VM from webadmin as well.
unless admin will flag the runvm action with stateless, it will change
the VM.
i.e., the admin will be starting the VMs created in the pool, not the
tempalte itself.
caveat: for windows VMs, if the VM is doing the sysprep by the admin
(persistently), you need to change the domain policy to avoid the
computer account password change (will cause the VM to lose connectivty
to the domain after 90 days).
hence the auto starting VMs is better for some use cases.
2. My understanding of "sealing" a system is that this depersonalizes it
- e.g. removes hostname, prepares network for reinitialization, etc. And
that the next time the system boots up it re-personalizes. So if one
were to restart it, even as admin, this would reverse the sealing
process, which would seem to make sealing in the first place pointless.
What am I missing? At the moment I don't see the point of sealing a VM
before putting it into the Pool (assuming you're using DHCP, anyway).
What happens if you don't?
its considered microsoft best practice. there is also a security concern
if the VMs are not part of a domain, since they would have the same SID.
other caveats may apply, but may be good enough for your use case.
Thanks,
Bob
P.S. I note the behavior of Fedora vs RHEL 6 is quite different in this
regard. If you follow the "sealing" process on the Quick Start page for
Fedora it seems to have no visible effect, but on RHEL 6 it puts you
through a re-personalization dialog which is rather extensive (and
again, not really suitable for VDI use).
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users