Creating a Windows Stemcell for vSphere Using stembuild (Beta)

This topic describes how to create a BOSH stemcell for Pivotal Application Service (PAS) for Windows on VMware vSphere using stembuild.

Overview

A BOSH stemcell is a versioned operating system image. You must create a BOSH stemcell for Windows before you can deploy either PAS for Windows or PKS Windows worker-based clusters, on vSphere.

The BOSH stemcell that you create in this topic is based on Windows Server 2019.

To create a Windows stemcell for vSphere, you create a base Windows VM from a volume-licensed ISO and subsequently maintain that base template with all Windows recommended security updates, but without the BOSH dependencies.

This Windows VM, with security updates, serves as the base for all future stemcells produced from clones of that base VM. This enables you to build new stemcells without having to run Windows Updates from scratch each time. You can also use a “snapshot” feature to maintain an updated Windows image that does not contain the BOSH dependencies.

Pivotal recommends installing any available critical updates, and then rebuilding the stemcell from a clone of the original VM.

If you already have a BOSH stemcell for Windows on vSphere, see Monthly Stemcell Upgrades.

Prerequisites

Before you create a BOSH stemcell for Windows on vSphere, you must have:

  • A vSphere environment.

  • A Windows Server 2019 ISO, build number: 17763, from Microsoft Developer Network (MSDN) or Volume Licensing Service Center (VLSC). You can use an evaluation copy for testing, but Pivotal does not recommend an evaluation copy for production, as the licensing expires.

    Note: The Windows Server 2019 ISO must be a clean, base ISO file. A clean ISO file has no custom scripts or tooling. For example, the ISO must have no logging or antivirus tools installed.

  • A download of the stembuild command line interface (CLI) from a release in Pivotal Stemcells (Windows) on Pivotal Network.

    • To build a Windows stemcell for PASW, use the vSphere stembuild CLI for Windows corresponding to both the operating system of your local host and the stemcell version that you want to build.
    • To build a Windows stemcell for PKS, use the vSphere stembuild CLI for Windows v2019.7 or later.
  • Microsoft Local Group Policy Object Utility (LGPO) downloaded to the same folder as your stembuild CLI.

  • The minimum vCenter user permissions required to use stembuild for vSphere stemcells, specifically:

    • VirtualMachine.GuestOperations.Modify
    • VirtualMachine.GuestOperations.Execute
    • VirtualMachine.GuestOperations.Query
    • VirtualMachine.Config.AddRemoveDevice
    • VirtualMachine.Interact.SetCDMedia
    • VApp.Export
    • System.Anonymous*
    • System.Read*
    • System.View*

Permissions marked with an * are generated upon creating a new user in vCenter and cannot be set within the vCenter UI.

Step 1: Create a Base VM for the BOSH Stemcell

This section describes how to create, configure, and verify a base VM for Windows from a volume-licensed ISO.

Upload the Windows Server 2019 ISO

To upload the Windows Server 2019 ISO to vSphere:

  1. Log in to the vSphere Web Client.

    Note: The instructions in this topic are based on vSphere v6.0.

  2. Click Storage and select a datastore.

  3. Select or create a folder where you want to upload the Windows Server 2019 ISO.

  4. Click Upload a File and select the Windows Server 2019 ISO.

You can use the scp utility instead of the vSphere Web Client to copy the file directly to the datastore server.

Create and Customize a Base VM

To create and customize a base VM:

  1. In the vSphere Web Client, click the VMs and Templates view to display the inventory objects.

  2. Right-click an object and select New Virtual Machine > New Virtual Machine.

  3. On the Select a creation type page, select Create a new virtual machine and click Next. New vm

  4. On the Select a name and folder page:

    1. Enter a name for the VM.
    2. Select a location for the VM.
    3. Click Next.
  5. On the Select a compute resource page, select a compute resource to run the VM and click Next.

  6. On the Select storage page:

    1. Select a VM Storage Policy.
    2. Select the destination datastore for the VM configuration files and virtual disks.
    3. Click Next.
  7. On the Select compatibility page, for the Compatible with configuration setting, select ESXi 6.0 and later and click Next.

  8. On the Select a guest OS page:

    1. For Guest OS Family, select Windows.
    2. For Guest OS Version, select Microsoft Windows Server 2019. If Microsoft Windows Server 2019 is not available, select Microsoft Windows Server 2016.
    3. Click Next.
  9. On the Customize hardware page, configure the VM hardware using the information below and click Next.

    1. For New Hard disk, specify 30 GB or greater.
    2. For New CD\DVD Drive:
      1. Select Datastore ISO File.
      2. Select the Windows Server 2019 ISO file you uploaded to your datastore and click OK.
      3. Enable the Connect At Power On checkbox.
  10. Review the configuration settings on the Ready to complete page and click Finish.

Install Windows Server

To install Windows Server on the base VM:

  1. After creating the VM, click Power > Power On in the Actions tab for your VM. Power on

  2. Select Windows Server 2019 Standard. Windows version

  3. Select Custom installation.

  4. Complete the installation process and enter a password for the Administrator user.

Verify OS

To verify that you are using the correct OS version, run the following PowerShell command on the base VM:

System.Environment]::OSVersion.Version

The output should display the following:

[System.Environment]::OSVersion.Version
Major    Minor    Build    Revision
----     ----     -----    --------
10        0       17763    0

Install VMware Tools

To install VMware Tools on the base VM:

  1. In the vSphere Web Client, right-click the base VM and select Guest OS > Install VMware Tools.

  2. Navigate to the D: drive and run setup64.exe.

    Note: The VMware Tools install window might appear behind the Command Prompt window.

  3. Restart the VM to complete the installation.

Step 2: Configure the Base VM

To configure the base VM network settings and install Windows updates:

  1. From the vSphere Web Client, right-click the base VM and select Open Console.

  2. On the command line, enter sconfig to run the SConfig utility.

  3. On the Server Configuration page, enter 6 for Download and Install Updates.

  4. Enter A to search for all updates.

  5. For Select an option, enter A to install all updates. You may need to restart the base VM while installing the updates.

  6. On the Server Configuration page, enter 8 for Network Settings.

  7. On the Network Settings page:

    1. Under Available Network Adapters, enter the number that corresponds to your network adapter.
    2. Enter 1 to set the network adapter address.
    3. Enter S to set a static IP address.
    4. Enter a static IP address.
    5. Enter a subnet mask, or leave the field blank to use the default value.
    6. Enter the default gateway.
    7. Enter 13 to exit to the command line.
  8. From the vSphere Web Client, select Actions > Edit Settings.

  9. In the CD/DVD drive 1 row, disable the Connected checkbox to remove the CD drive.

  10. Restart the VM.

  11. After the VM restarts, verify that you can ping the IP address you assigned to the base VM.

Step 3: Clone the Base VM

To clone the base VM:

  1. From the vSphere Web Client, power down the base VM.

  2. Right-click the base VM.

  3. Select Clone > Clone to Virtual Machine. This clone is your target VM. Clone vm

  4. Save the base VM. You run Windows updates on this VM for future stemcells.

Step 4: Construct the BOSH Stemcell

Before constructing the BOSH stemcell, collect the following information from the vCenter Web Client Inventory > VMs and Templates tab:

  • Target VM IP address
  • Target VM username
  • Target VM password
  • vCenter inventory path to the target VM in the /MY-DATA-CENTER/vm/MY-FOLDER/MY-VM format where:
    • MY-DATA-CENTER is the name of the data center.
    • vm is a static string.
    • MY-FOLDER is the name of the folder that contains the VM. If the target VM is not in a folder, use the /MY-DATA-CENTER/vm/MY-VM format instead.
    • MY-VM is the name of the target VM.
  • vCenter username
  • vCenter password
  • vCenter URL

Note: The target VM must be routable from your local host. Before running the construct command, ensure you are logged out of the target VM.

To construct the BOSH stemcell, run the following command from the folder where you downloaded the CLI:

./STEMBUILD-BINARY construct -vm-ip TARGET-VM-IP -vm-username TARGET-USERNAME -vm-password TARGET-VM-PASSWORD -vcenter-url VCENTER-URL -vcenter-username VCENTER-USERNAME -vcenter-password VCENTER-PASSWORD -vm-inventory-path INVENTORY-PATH

Where:

  • STEMBUILD-BINARY is the stembuild file for the version of your local host operating system and the version of the stemcell that you want to build. For example, stembuild-windows-2019-2.
  • TARGET-VM-IP is the IP address of your target VM.
  • TARGET-USERNAME is the username of an account with Administrator privileges.
  • TARGET-VM-PASSWORD is the password for the Administrator account. The password must be enclosed in single quotes.
  • VCENTER-URL is the URL of your vCenter.
  • VCENTER-USERNAME is the username of your account in vCenter.
  • VCENTER-PASSWORD is your password. The password must be enclosed in single quotes.
  • INVENTORY-PATH is the vCenter inventory path to the target VM.

Note: This operation may take up to an hour to complete and results in a powered-off target Windows VM in your vSphere environment. During construct execution, the WinRM connection terminates. This behavior is expected, and the construct command is still being executed. Do not attempt to re-run the construct command.

To view the status of construct:

  1. Log in to the target VM.

  2. Start PowerShell.

  3. Run:

    Get-Content -Path "C:\provision\log.log" -Wait
    

Step 5: Package the BOSH Stemcell

To package the BOSH stemcell:

  1. Gather the vCenter Web Client VMs and Templates information that you recorded in the previous step:

    • vCenter inventory path to the target VM in the /MY-DATA-CENTER/vm/MY-FOLDER/MY-VM format, where:
      • MY-DATA-CENTER is the name of the data center.
      • vm is a static string.
      • MY-FOLDER is the name of the folder that contains the VM. If the target VM is not in a folder, use the /MY-DATA-CENTER/vm/MY-VM format instead.
      • MY-VM is the name of the target VM.
    • vCenter username
    • vCenter password
    • vCenter URL
  2. Shut down the VM. If you do not shut down the VM before you continue to the next step, the package command fails stating that the storage location for the VM could not be read.

  3. To package the BOSH stemcell, run the following PowerShell command from your local host:

    ./STEMBUILD-BINARY package -vcenter-url VCENTER-URL -vcenter-username VCENTER-USERNAME -vcenter-password VCENTER-PASSWORD -vm-inventory-path INVENTORY-PATH
    

    Where:

    • STEMBUILD-BINARY is the stembuild file for the version of your local host operating system and the version of the stemcell that you want to build. For example, stembuild-windows-2019-2.
    • VCENTER-URL is the URL of your vCenter.
    • VCENTER-USERNAME is the username of your account in vCenter.
    • VCENTER-PASSWORD is your password. The password must be enclosed in single quotes.
    • INVENTORY-PATH is the vCenter inventory path to the target VM.

      Note: This command creates a stemcell on your local host in the folder where you ran the command and might take up to 30 minutes to complete.

Step 6: Upload the BOSH Stemcell to Ops Manager

To upload the BOSH stemcell to Ops Manager:

  1. In Ops Manager, navigate to Stemcell Library.

  2. Upload your BOSH stemcell.

  3. Deploy the PAS for Windows tile.

Monthly Stemcell Upgrades

After Microsoft releases operating system updates, you should upgrade your BOSH stemcell. Microsoft typically releases Windows updates on the second Tuesday of each month.

To upgrade your BOSH stemcell:

  1. Install Windows Updates on the base VM.

  2. Clone the Base VM.

  3. Construct the BOSH Stemcell.

  4. Package the BOSH Stemcell.

  5. Replace the existing stemcell in the Ops Manager stemcell library with this new stemcell.

  6. Deploy the PAS for Windows tile.

Known Issues

Authentication Error with Special Characters in stembuild Commands

Symptom

You authenticate with vCenter and see the following error:

./out/stembuild: ServerFaultCode: Cannot complete login due to an incorrect user name or password.
vcenter_client - unable to validate url: vcenter.example.com

Explanation

stembuild uses govc libraries. These libraries cannot parse the special characters /, #, and :. This results in errors when authenticating with vCenter.

You might also experience this issue on Windows if your password includes a single quote character, '. This also affects the Inventory path if it contains a single quote or a space.

Workaround

If your vCenter username or password contains /, #, or :, or ' on Windows, set the following environment variables:

  • Linux:

    export GOVC_USERNAME=VCENTER-USERNAME
    export GOVC_PASSWORD=VCENTER-PASSWORD
    
  • Windows:

    set GOVC_USERNAME=VCENTER-USERNAME
    set GOVC_PASSWORD=VCENTER-PASSWORD
    set GOVC_PATH=VCENTER-INVENTORY-PATH
    

Where:

  • VCENTER-USERNAME is your vCenter account username. For example, johndoe.
  • VCENTER-PASSWORD is your vCenter account password. For example, pass#word.
  • VCENTER-INVENTORY-PATH is the location of your VM in the cluster inventory.

If you use other special characters, add single quotes around the input parameters, or set them in an environment variable as described above.

For example:

  • Linux:

    ./STEMBUILD-BINARY package -vcenter-url VCENTER-URL -vcenter-username 'admin@' -vcenter-password VCENTER-PASSWORD -vm-inventory-path INVENTORY-PATH
    
  • Windows:

    set GOVC_PASSWORD=A_Strange!PAssword@Here#1
    ./STEMBUILD-BINARY package -vcenter-url VCENTER-URL -vcenter-username %GOVC_USERNAME% -vcenter-password %GOVC_PASSWORD% -vm-inventory-path %GOVC_PATH%
    

    Note: Windows environment variables do not automatically override vCenter command line parameters, so you must specify the environment variables in the vCenter command as shown above.