Preparing Windows templates

Windows guests have neither Cloudbase-Init nor OpenSSH Server preinstalled by default. You need to install and configure them manually.

To install Cloudbase-Init and OpenSSH Server inside a Windows virtual machine

1. Log in to a Windows VM.

2. Create a new administrator account that will be used for SSH connections and log in with it.

3. To install and configure OpenSSH Server:

   1. Run Windows PowerShell with administrator privileges and set the execution policy to unrestricted to be able to run scripts:

      Copy

      > Set-ExecutionPolicy Unrestricted

   2. Download OpenSSH Server (for example, from the GitHub repository), extract the archive into the C:\Program Files directory, and then install it by running:

      Copy

      > & 'C:\Program Files\OpenSSH-Win64\install-sshd.ps1'

   3. Start the sshd service and set its startup type to “Automatic”:

      Copy

      > net start sshd
      > Set-Service sshd -StartupType Automatic

   4. Open TCP port 22 for the OpenSSH service in the Windows Firewall:

      • On Windows 8.1, Windows Server 2012, and newer versions, run:

        Copy

        > New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName OpenSSH

      • On Windows Server 2008/2008 R2, run:

        Copy

        > netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22

   5. Open the C:\ProgramData\ssh\sshd_config file:

      Copy

      > notepad 'C:\ProgramData\ssh\sshd_config'

      Comment out the following lines at the end of the file:

      Copy

      #Match Group administrators
      #AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

      Save the changes.

   6. Create the .ssh directory in C:\Users\<current_user> and an empty authorized_keys file inside it:

      Copy

      > cd C:\Users\<current_user>
      > mkdir .ssh
      > notepad .\.ssh\authorized_keys

      Remove the .txt extension from the created file:

      Copy

      > move .\.ssh\authorized_keys.txt .\.ssh\authorized_keys

   7. Modify the permissions for the created file to disable inheritance:

      Copy

      > icacls .\.ssh\authorized_keys /inheritance:r

4. Download Cloudbase-Init from https://cloudbase.it/cloudbase-init/#download, and then install it by following the procedure from the Installation section at https://cloudbase.it/cloudbase-init/.

   1. The password for the user specified during the Cloudbase-Init installation will be reset on the next VM startup. If this user does not exist, a new user account will be created. You will be able to log in with this account by using the key authentication method or you can set a new password with a customization script. If there are multiple Windows users at the image preparation time, the passwords for other users will not be changed.

   2. When the Cloudbase-Init installation is complete, do not select the option to run Sysprep before clicking Finish. Otherwise, you will not be able to modify cloudbase-init.conf.

5. Run Windows PowerShell with administrator privileges and open the file C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf:

   Copy

   > notepad 'C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf'

   Add metadata_services and plugins on two lines:

   Copy

   metadata_services=\
   cloudbaseinit.metadata.services.configdrive.ConfigDriveService,\
   cloudbaseinit.metadata.services.httpservice.HttpService
   plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,\
   cloudbaseinit.plugins.windows.ntpclient.NTPClientPlugin,\
   cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin,\
   cloudbaseinit.plugins.windows.createuser.CreateUserPlugin,\
   cloudbaseinit.plugins.common.networkconfig.NetworkConfigPlugin,\
   cloudbaseinit.plugins.windows.licensing.WindowsLicensingPlugin,\
   cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin,\
   cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,\
   cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin,\
   cloudbaseinit.plugins.common.userdata.UserDataPlugin,\
   cloudbaseinit.plugins.windows.winrmlistener.ConfigWinRMListenerPlugin,\
   cloudbaseinit.plugins.windows.winrmcertificateauth.\
   ConfigWinRMCertificateAuthPlugin,\
   cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin

   Make sure to remove all backslashes in the lines above.

   Save the changes.