Windows Instances on OpenStack

Windows images can run on OpenStack but the operating system is a resource hog and not really very cloud friendly itself, for example it's not very happy just running from a snapshot without first going through an arcane sysprep incantation.

OpenStack is also not very developed in terms of providing easy access to the features you need to use Windows VMs so you will need to use the CLI for some actions, which also add complexity.

But if you really want/need windows here's how.

Prerequisites

Key Pair

To retrieve the Administrator password for you VM you will need a key pair setup. This is the same as is used for ssh access on Linux VMs, but in this case the public key is used to encrypt the password rather than authenticate an ssh session.

If you have an existing key in OpenStack use that, if not connect to ubuntu-login.csail.mit.edu and generate a key pair in your AFS home directory and upload the public part to OpenStack.

For step by step directions see the OpenStackSSHKey page

API Credentials

You will also need your API credentials from https://nimbus.csail.mit.edu/horizon/project/access_and_security/api_access/openrc/ these are stored as environment variable and the resulting openrc.sh file should be stored in your AFS home directory. As downloaded this shell fragment does not contain your OpenStack password or any equivalent credential so it does not need to be considered private.

Security Group

By default only outbound (and related inbound) traffic is permitted on OpenStack systems. See OpenStack#Security_Groups for full details. In this case we will need to permit inbound remote desktop traffic on port 3389:

  1. got to https://nimbus.csail.mit.edu/horizon/project/access_and_security/security_groups/create/
  2. give the new group a descriptive name, for example "remote desktop" and 'create' it
  3. select "Manage Rules" for your new group
  4. select "add rule"
  5. select "RDP" from the 'Rule' drop down menu
  6. (optional) set CIDR mask to restict where rdp connections can come from
    • the default 0.0.0.0/0 allows connections from any where on the internet
    • specify 128.52.128/18 to allow only from other OpenStack VMs
    • specify 128.30.0.0/16 to allow only from CSAIL addresses outside OpenStack (includes CSAILPrivate wireless but not unauthenticated wirteless)
    • if you need to specify multiple disjoint ranges (for example OpenStack and non OpenStack CSAIL networks) repeat the add rule process multiple times

Launch VM

Currently the 'windows2012' image is not public as it isn't tested enough for us to be sure it's ready for wide spread use, but if you would like access for testing purposes just ask help@csail.mit.edu

Since Windows requires sysprep prior to snapshotting we currently recommend launching windows systems as Persistent VMs.

Don't for get to:
  • associate your key so you can retrieve the administrator password
  • set the security group so remote desktop sessions can connect

First boot of a Windows system takes a rather long time (15min or so), if you are used to the 30-60sec boot times of Linux VMs just be patient...

Connect

Do not use the VNC desktop provided by the web interface.

Do connect using a remote desktop client.

The VNC applet sends traffic over an unsecured connection, most browsers will rightly complain about this insecure content on the secure page. This is occasionally useful for debugging but id you ever type a password through it you've sent it in (essentially) clear text over the internet, which is a bad thing.

Once your VM has booted you will need to retrieve the administrator password using the 'nova' command line. It is possible to install 'python-novaclient' on windows, but I have not done it so for now I recommend using the tools installed on ubuntu-login.csail.mit.edu:
# source the API Credentials
[jon@daphne ~]$ source ~/openrc.sh 
Please enter your OpenStack Password:
# get password assuming instance name is 'wintest' 
# and private key is in~/.ssh/priv/id_rsa
[jon@daphne ~]$ nova get-password wintest ~/.ssh/priv/id_rsa
Enter pass phrase for /afs/csail.mit.edu/u/j/jon/.ssh/priv/id_rsa:
xV6zQjcICmfR9Q

Note if the VM is not finished it's first boot setup the above command will not prompt for your key paraphrase and will return a blank password. If this happens wait 5min and try again, if after 30min it's still blank something is likely wrong.

Once you do get the password you should be able to make a remote desktop connection to your VM's IP address as the user 'administrator' with the password you just received.

Known Issues

  • Time is configured auto update from CSAIL's NTP server, but often needs to be manually kicked under Date & Time -> "Internet Time"
  • more?

-- JonProulx - 23 Feb 2015
Topic revision: 23 Feb 2015, JonProulx
 

MIT Computer Science and Artificial Intelligence Laboratory

 

  • About CSAIL
  • Research
  • News + Events
  • Resources
  • People

This site is powered by Foswiki MIT: Massachusetts Institute of Technology