A template is a reusable configuration for virtual machines. When users launch VMs, they can choose from a list of templates in CloudStack.

Specifically, a template is a virtual disk image that includes one of a variety of operating systems, optional additional software such as office applications, and settings such as access control to determine who can use the template. Each template is associated with a particular type of hypervisor, which is specified when the template is added to CloudStack.

CloudStack ships with a default template. In order to present more choices to users, CloudStack administrators and users can create templates and add them to CloudStack.

Creating Templates: Overview

CloudStack ships with a default template for the CentOS operating system. There are a variety of ways to add more templates. Administrators and end users can add templates. The typical sequence of events is:

  1. Launch a VM instance that has the operating system you want. Make any other desired configuration changes to the VM.
  2. Stop the VM.
  3. Convert the volume into a template.

There are other ways to add templates to CloudStack. For example, you can take a snapshot of the VM’s volume and create a template from the snapshot, or import a VHD from another system into CloudStack.

The various techniques for creating templates are described in the next few sections.

Requirements for Templates

  • For XenServer, install PV drivers / Xen tools on each template that you create. This will enable live migration and clean guest shutdown.
  • For vSphere, install VMware Tools on each template that you create. This will enable console view to work properly.

Best Practices for Templates

If you plan to use large templates (100 GB or larger), be sure you have a 10-gigabit network to support the large templates. A slower network can lead to timeouts and other errors when large templates are used.

The Default Template

CloudStack includes a CentOS template. This template is downloaded by the Secondary Storage VM after the primary and secondary storage are configured. You can use this template in your production deployment or you can delete it and use custom templates.

The root password for the default template is “password”.

A default template is provided for each of XenServer, KVM, and vSphere. The templates that are downloaded depend on the hypervisor type that is available in your cloud. Each template is approximately 2.5 GB physical size.

The default template includes the standard iptables rules, which will block most access to the template excluding ssh.

  1. # iptables --list
  2. Chain INPUT (policy ACCEPT)
  3. target prot opt source destination
  4. RH-Firewall-1-INPUT all -- anywhere anywhere
  5. Chain FORWARD (policy ACCEPT)
  6. target prot opt source destination
  7. RH-Firewall-1-INPUT all -- anywhere anywhere
  8. Chain OUTPUT (policy ACCEPT)
  9. target prot opt source destination
  10. Chain RH-Firewall-1-INPUT (2 references)
  11. target prot opt source destination
  12. ACCEPT all -- anywhere anywhere
  13. ACCEPT icmp -- anywhere anywhere icmp any
  14. ACCEPT esp -- anywhere anywhere
  15. ACCEPT ah -- anywhere anywhere
  16. ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
  17. ACCEPT udp -- anywhere anywhere udp dpt:ipp
  18. ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
  19. ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
  20. ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
  21. REJECT all -- anywhere anywhere reject-with icmp-host-

Private and Public Templates

When a user creates a template, it can be designated private or public.

Private templates are only available to the user who created them. By default, an uploaded template is private.

When a user marks a template as “public,” the template becomes available to all users in all accounts in the user’s domain, as well as users in any other domains that have access to the Zone where the template is stored. This depends on whether the Zone, in turn, was defined as private or public. A private Zone is assigned to a single domain, and a public Zone is accessible to any domain. If a public template is created in a private Zone, it is available only to users in the domain assigned to that Zone. If a public template is created in a public Zone, it is available to all users in all domains.

Creating a Template from an Existing Virtual Machine

Once you have at least one VM set up in the way you want, you can use it as the prototype for other VMs.

  1. Create and start a virtual machine using any of the techniques given in “Creating VMs”.

  2. Make any desired configuration changes on the running VM, then click Stop.

  3. Wait for the VM to stop. When the status shows Stopped, go to the next step.

  4. Go into “View Volumes” and select the Volume having the type “ROOT”.

  5. Click Create Template and provide the following:

    • Name and Display Text. These will be shown in the UI, so choose something descriptive.

    • OS Type. This helps CloudStack and the hypervisor perform certain operations and make assumptions that improve the performance of the guest. Select one of the following.

      • If the operating system of the stopped VM is listed, choose it.

      • If the OS type of the stopped VM is not listed, choose Other.

      • If you want to boot from this template in PV mode, choose Other PV (32-bit) or Other PV (64-bit). This choice is available only for XenServere:

        Note

        Generally you should not choose an older version of the OS than the version in the image. For example, choosing CentOS 5.4 to support a CentOS 6.2 image will in general not work. In those cases you should choose Other.

    • Public. Choose Yes to make this template accessible to all users of this CloudStack installation. The template will appear in the Community Templates list. See “Private and Public Templates”.

    • Password Enabled. Choose Yes if your template has the CloudStack password change script installed. See Adding Password Management to Your Templates.

  6. Click Add.

The new template will be visible in the Templates section when the template creation process has been completed. The template is then available when creating a new VM.

Creating a Template from a Snapshot

If you do not want to stop the VM in order to use the Create Template menu item (as described in “Creating a Template from an Existing Virtual Machine”), you can create a template directly from any snapshot through the CloudStack UI.

Uploading Templates from a remote HTTP server

vSphere Templates and ISOs

Warning

If you are uploading a template that was created using vSphere Client, be sure the OVA file does not contain an ISO. If it does, the deployment of VMs from the template will fail

Templates are uploaded based on a URL. HTTP is the supported access protocol. Templates are frequently large files. You can optionally gzip them to decrease upload times.

To upload a template:

  1. In the left navigation bar, click Templates.

  2. Click Register Template.

  3. Provide the following:

    • Name and Description. These will be shown in the UI, so choose something descriptive.

    • URL. The Management Server will download the file from the specified URL, such as http://my.web.server/filename.vhd.gz.

    • Zone. Choose the zone where you want the template to be available, or All Zones to make it available throughout CloudStack.

    • OS Type: This helps CloudStack and the hypervisor perform certain operations and make assumptions that improve the performance of the guest. Select one of the following:

      • If the operating system of the stopped VM is listed, choose it.

      • If the OS type of the stopped VM is not listed, choose Other.

        Note

        You should not choose an older version of the OS than the version in the image. For example, choosing CentOS 5.4 to support a CentOS 6.2 image will in general not work. In those cases you should choose Other.

    • Hypervisor: The supported hypervisors are listed. Select the desired one.

    • Format. The format of the template upload file, such as VHD or OVA.

    • Password Enabled. Choose Yes if your template has the CloudStack password change script installed. See Adding Password Management to Your Templates.

    • Extractable. Choose Yes if the template is available for extraction. If this option is selected, end users can download a full image of a template.

    • Public. Choose Yes to make this template accessible to all users of this CloudStack installation. The template will appear in the Community Templates list. See “Private and Public Templates”.

    • Featured. Choose Yes if you would like this template to be more prominent for users to select. The template will appear in the Featured Templates list. Only an administrator can make a template Featured.

Note that uploading multi-disk templates is also supported.

Note

Templates corresponding to appliances with ‘static properties’ in the OVF (such as virtual appliances) are also supported. CloudStack stores any template properties in the OVF in the database after successful template installation. Once the template is ready, these properties are viewed by selecting the template and clicking on the ‘OVF Properties’ tab.

Bypassing Secondary Storage For KVM templates

CloudStack provides an additional way to register and use templates on KVM.

Instead of registering a template and storing it on secondary storage, the user can opt to skip downloading the template to secondary storage for KVM at template registration. At deployment time, the template is downloaded directly to primary storage from the registered source, instead of being copied from secondary storage.

Supported protocols: HTTP/HTTPS, NFS and metalinks. The protocol is obtained from the template URL.

To enable this option for a template:

  1. In the left navigation bar, click Templates.

  2. Click Register Template.

  3. Select KVM as hypervisor:

    kvm-direct-download.png

    • Direct Download. This option will be shown in the UI when KVM is selected as the hypervisor. Choose Yes to enable the bypassing secondary storage option.
    • Checksum. Optional field. If this field is populated, the checksum is compared to the downloaded template checksum when the template is downloaded to primary storage at deployment time.

After the template is registered, it is automatically available for VM deployments.

For direct downloads over HTTPS, the KVM hosts must have valid certificates. These certificates can be either self-signed or signed and will allow the KVM hosts to access the templates/ISOs and download them.

CloudStack provides some APIs to handle certificates for direct downloads:

  • Upload a certificate to hosts in ‘Up’ state in a zone with id = ZONE_ID:

    1. upload templatedirectdownloadcertificate hypervisor=KVM name=CERTIFICATE_ALIAS zoneid=ZONE_ID certificate=CERTIFICATE_FORMATTED

    where:

    • CERTIFICATE_FORMATTED is the string format of a X509 certificate
    • CERTIFICATE_ALIAS is the alias which will be used to import the certificate on each KVM host

    Note:. These certificates are imported into the /etc/cloudstack/agent/cloud.jks keystore on each KVM host.

  • Revoke a certificate from every host in ‘Up’ state in a zone with id = ZONE_ID:

    1. revoke templatedirectdownloadcertificate hypervisor=KVM name=CERTIFICATE_ALIAS zoneid=ZONE_ID
  • It is also possible to revoke a certificate from a specific host within a zone:

    1. revoke templatedirectdownloadcertificate hypervisor=KVM name=CERTIFICATE_ALIAS zoneid=ZONE_ID hostid=HOST_ID
  • After a certificate is revoked from a host within a zone, it can be re-uploaded to the host:

    1. upload templatedirectdownloadcertificate hypervisor=KVM name=CERTIFICATE_ALIAS zoneid=ZONE_ID certificate=CERTIFICATE_FORMATTED hostid=HOST_ID

As new hosts may be added to a zone which do not include a certificate which was previously uploaded to pre-existing hosts.

CloudStack provides a way to synchronize certificates across all the connected hosts in each zone. The global setting ‘direct.download.certificate.background.task.interval’ defines the interval in which the synchronization task will run. This task will:

  • Iterate through each enabled zone
  • Enumerate the connected hosts in a zone
  • Check which hosts are missing the certificates which have been already uploaded to other hosts
  • Upload missing certificates to hosts

Uploading Templates and ISOs from a local computer

It’s also possible to upload an already prepared template or an ISO from your local computer. The steps are similar as when Uploading a template/ISO from a remote HTTP server, except that you need to choose a local template/ISO file from your PC. For this feature to work, your SSVMs must be supporting HTTPS (for more info please visit “Using a SSL Certificate for the Console Proxy”).

Example GUI dialog of uploading Template/ISO from local (browser) is given below:

Upload Template from local

Upload ISO from local

Note that uploading multi-disk templates is also supported.

Sharing templates with other accounts/projects

When adding a template, the owner can choose to make template public or to keep it private. Once the template is created, the owner can choose to share this template so that other accounts/projects can also use the template.

Currently, the template owner can share his template with:

  • other accounts inside his own domain (i.e. can’t share the template with other accounts in the subdomain of his domain or any other domains)
  • projects where he belongs to (i.e. projects where he is the owner/creator or other projects where he has been joined)

Template permissions can be changed via updateTemplatePermissions API call or via GUI. It is supported to add, remove or reset (remove all) template permissions.

When adding or removing permissions to/from a template, it is required to specify account/project name which is being added/removed from the template permissions.

Global setting “allow.user.view.all.domain.accounts” has a default value of “false”. This makes sure that when a regular user (of a “User” role) wants to share a template via GUI, he will not be shown the list of all accounts in his domain and he will need to know the name of the destination account with which he is sharing the template. This makes sense in public clouds where each account of a single domain is a different tenant/customer and privacy is imperative. In this case, the user will be presented with an input field to enter the account name, as on the images below:

USharing template with account "user2"

Sharing the template with account “user2”

Revoking permissions from account "user2"

Revoking permissions from account “user2”

But in environments where privacy within a domain is not an issue, setting “allow.user.view.all.domain.accounts” setting to “true” will make sure that the user, who is sharing the template, will be presented a more user-friendly multi-select list, listing all the accounts in his domain. This is shown in the images below;

Sharing template with just account "user8"

Sharing the template with just account “user8”

Sharing template with 2 specific projects

Sharing template with 2 specific projects

Revoking permissins from account "user8"

Revoking permissions from account “user8”

Revoking permsissons from both projects previously added

Revoking permissions from both projects previously added

Finally, template permissions can be reset:

Reseting (removing all) permissions

Resetting (removing all) permissions

Warning

Project-owned templates are not supported to be shared outside of the Project, and if attempted to do so, a proper error message is shown.

Exporting Templates

End users and Administrators may export templates from the CloudStack. Navigate to the template in the UI and choose the Download function from the Actions menu.

Creating a Linux Template

Linux templates should be prepared using this documentation in order to prepare your linux VMs for template deployment. For ease of documentation, the VM which you are configuring the template on will be referred to as “Template Master”. This guide currently covers legacy setups which do not take advantage of UserData and cloud-init and assumes openssh-server is installed during installation.

An overview of the procedure is as follow:

  1. Upload your Linux ISO.

    For more information, see “Adding an ISO”.

  2. Create a VM Instance with this ISO.

    For more information, see “Creating VMs”.

  3. Prepare the Linux VM

  4. Create a template from the VM.

    For more information, see “Creating a Template from an Existing Virtual Machine”.

The following steps will prepare a basic Linux installation for templating.

  1. Installation

    It is good practice to name your VM something generic during installation, this will ensure components such as LVM do not appear unique to a machine. It is recommended that the name of “localhost” is used for installation.

    Warning

    For CentOS, it is necessary to take unique identification out of the interface configuration file, for this edit /etc/sysconfig/network-scripts/ifcfg-eth0 and change the content to the following.

    1. DEVICE=eth0
    2. TYPE=Ethernet
    3. BOOTPROTO=dhcp
    4. ONBOOT=yes

    The next steps updates the packages on the Template Master.

    • Ubuntu

      1. sudo -i
      2. apt-get update
      3. apt-get upgrade -y
      4. apt-get install -y acpid ntp
      5. reboot
    • CentOS

      1. ifup eth0
      2. yum update -y
      3. reboot
  2. Password management

    Note

    If preferred, custom users (such as ones created during the Ubuntu installation) should be removed. First ensure the root user account is enabled by giving it a password and then login as root to continue.

    1. sudo passwd root
    2. logout

    As root, remove any custom user accounts created during the installation process.

    1. deluser myuser --remove-home

    See Adding Password Management to Your Templates for instructions to setup the password management script, this will allow CloudStack to change your root password from the web interface.

  3. Hostname Management

    CentOS configures the hostname by default on boot. Unfortunately Ubuntu does not have this functionality, for Ubuntu installations use the following steps.

    • Ubuntu

      The hostname of a Templated VM is set by a custom script in /etc/dhcp/dhclient-exit-hooks.d, this script first checks if the current hostname is localhost, if true, it will get the host-name, domain-name and fixed-ip from the DHCP lease file and use those values to set the hostname and append the /etc/hosts file for local hostname resolution. Once this script, or a user has changed the hostname from localhost, it will no longer adjust system files regardless of its new hostname. The script also recreates openssh-server keys, which should have been deleted before templating (shown below). Save the following script to /etc/dhcp/dhclient-exit-hooks.d/sethostname, and adjust the permissions.

      1. #!/bin/sh
      2. # dhclient change hostname script for Ubuntu
      3. oldhostname=$(hostname -s)
      4. if [ $oldhostname = 'localhost' ]
      5. then
      6. sleep 10 # Wait for configuration to be written to disk
      7. hostname=$(cat /var/lib/dhcp/dhclient.eth0.leases | awk ' /host-name/ { host = $3 } END { printf host } ' | sed 's/[";]//g' )
      8. fqdn="$hostname.$(cat /var/lib/dhcp/dhclient.eth0.leases | awk ' /domain-name/ { domain = $3 } END { printf domain } ' | sed 's/[";]//g')"
      9. ip=$(cat /var/lib/dhcp/dhclient.eth0.leases | awk ' /fixed-address/ { lease = $2 } END { printf lease } ' | sed 's/[";]//g')
      10. echo "cloudstack-hostname: Hostname _localhost_ detected. Changing hostname and adding hosts."
      11. printf " Hostname: $hostname\n FQDN: $fqdn\n IP: $ip"
      12. # Update /etc/hosts
      13. awk -v i="$ip" -v f="$fqdn" -v h="$hostname" "/^127/{x=1} !/^127/ && x { x=0; print i,f,h; } { print $0; }" /etc/hosts > /etc/hosts.dhcp.tmp
      14. mv /etc/hosts /etc/hosts.dhcp.bak
      15. mv /etc/hosts.dhcp.tmp /etc/hosts
      16. # Rename Host
      17. echo $hostname > /etc/hostname
      18. hostname -b -F /etc/hostname
      19. echo $hostname > /proc/sys/kernel/hostname
      20. # Recreate SSH2
      21. export DEBIAN_FRONTEND=noninteractive
      22. dpkg-reconfigure openssh-server
      23. fi
      24. ### End of Script ###
      25. chmod 774 /etc/dhcp/dhclient-exit-hooks.d/sethostname

    Warning

    The following steps should be run when you are ready to template your Template Master. If the Template Master is rebooted during these steps you will have to run all the steps again. At the end of this process the Template Master should be shutdown and the template created in order to create and deploy the final template.

  4. Remove the udev persistent device rules

    This step removes information unique to your Template Master such as network MAC addresses, lease files and CD block devices, the files are automatically generated on next boot.

    • Ubuntu

      1. rm -f /etc/udev/rules.d/70*
      2. rm -f /var/lib/dhcp/dhclient.*
    • CentOS

      1. rm -f /etc/udev/rules.d/70*
      2. rm -f /var/lib/dhclient/*
  5. Remove SSH Keys

    This step is to ensure all your Templated VMs do not have the same SSH keys, which would decrease the security of the machines dramatically.

    1. rm -f /etc/ssh/*key*
  6. Cleaning log files

    It is good practice to remove old logs from the Template Master.

    1. cat /dev/null > /var/log/audit/audit.log 2>/dev/null
    2. cat /dev/null > /var/log/wtmp 2>/dev/null
    3. logrotate -f /etc/logrotate.conf 2>/dev/null
    4. rm -f /var/log/*-* /var/log/*.gz 2>/dev/null
  7. Setting hostname

    In order for the Ubuntu DHCP script to function and the CentOS dhclient to set the VM hostname they both require the Template Master’s hostname to be “localhost”, run the following commands to change the hostname.

    1. hostname localhost
    2. echo "localhost" > /etc/hostname
  8. Set user password to expire

    This step forces the user to change the password of the VM after the template has been deployed.

    1. passwd --expire root
  9. Clearing User History

    The next step clears the bash commands you have just run.

    1. history -c
    2. unset HISTFILE
  10. Shutdown the VM

    Your now ready to shutdown your Template Master and create a template!

    1. halt -p
  11. Create the template!

    You are now ready to create the template, for more information see “Creating a Template from an Existing Virtual Machine”.

Note

Templated VMs for both Ubuntu and CentOS may require a reboot after provisioning in order to pickup the hostname.

Creating a Windows Template

Windows templates must be prepared with Sysprep before they can be provisioned on multiple machines. Sysprep allows you to create a generic Windows template and avoid any possible SID conflicts.

Note

(XenServer) Windows VMs running on XenServer require PV drivers, which may be provided in the template or added after the VM is created. The PV drivers are necessary for essential management functions such as mounting additional volumes and ISO images, live migration, and graceful shutdown.

An overview of the procedure is as follows:

  1. Upload your Windows ISO.

    For more information, see “Adding an ISO”.

  2. Create a VM Instance with this ISO.

    For more information, see “Creating VMs”.

  3. Follow the steps in Sysprep for Windows Server 2008 R2 (below) or Sysprep for Windows Server 2003 R2, depending on your version of Windows Server

  4. The preparation steps are complete. Now you can actually create the template as described in Creating the Windows Template.

For Windows 2008 R2, you run Windows System Image Manager to create a custom sysprep response XML file. Windows System Image Manager is installed as part of the Windows Automated Installation Kit (AIK). Windows AIK can be downloaded from Microsoft Download Center.

Use the following steps to run sysprep for Windows 2008 R2:

Note

The steps outlined here are derived from the excellent guide by Charity Shelbourne, originally published at Windows Server 2008 Sysprep Mini-Setup.

  1. Download and install the Windows AIK

    Note

    Windows AIK should not be installed on the Windows 2008 R2 VM you just created. Windows AIK should not be part of the template you create. It is only used to create the sysprep answer file.

  2. Copy the install.wim file in the \sources directory of the Windows 2008 R2 installation DVD to the hard disk. This is a very large file and may take a long time to copy. Windows AIK requires the WIM file to be writable.

  3. Start the Windows System Image Manager, which is part of the Windows AIK.

  4. In the Windows Image pane, right click the Select a Windows image or catalog file option to load the install.wim file you just copied.

  5. Select the Windows 2008 R2 Edition.

    You may be prompted with a warning that the catalog file cannot be opened. Click Yes to create a new catalog file.

  6. In the Answer File pane, right click to create a new answer file.

  7. Generate the answer file from the Windows System Image Manager using the following steps:

    1. The first page you need to automate is the Language and Country or Region Selection page. To automate this, expand Components in your Windows Image pane, right-click and add the Microsoft-Windows-International-Core setting to Pass 7 oobeSystem. In your Answer File pane, configure the InputLocale, SystemLocale, UILanguage, and UserLocale with the appropriate settings for your language and country or region. Should you have a question about any of these settings, you can right-click on the specific setting and select Help. This will open the appropriate CHM help file with more information, including examples on the setting you are attempting to configure.

      sysmanager.png

    2. You need to automate the Software License Terms Selection page, otherwise known as the End-User License Agreement (EULA). To do this, expand the Microsoft-Windows-Shell-Setup component. High-light the OOBE setting, and add the setting to the Pass 7 oobeSystem. In Settings, set HideEULAPage true.

      software-license.png

    3. Make sure the license key is properly set. If you use MAK key, you can just enter the MAK key on the Windows 2008 R2 VM. You need not input the MAK into the Windows System Image Manager. If you use KMS host for activation you need not enter the Product Key. Details of Windows Volume Activation can be found at http://technet.microsoft.com/en-us/library/bb892849.aspx

    4. You need to automate is the Change Administrator Password page. Expand the Microsoft-Windows-Shell-Setup component (if it is not still expanded), expand UserAccounts, right-click on AdministratorPassword, and add the setting to the Pass 7 oobeSystem configuration pass of your answer file. Under Settings, specify a password next to Value.

      change-admin-password.png

      You may read the AIK documentation and set many more options that suit your deployment. The steps above are the minimum needed to make Windows unattended setup work.

  8. Save the answer file as unattend.xml. You can ignore the warning messages that appear in the validation window.

  9. Copy the unattend.xml file into the c:\windows\system32\sysprep directory of the Windows 2008 R2 Virtual Machine

  10. Once you place the unattend.xml file in c:\windows\system32\sysprep directory, you run the sysprep tool as follows:

    1. cd c:\Windows\System32\sysprep
    2. sysprep.exe /oobe /generalize /shutdown

    The Windows 2008 R2 VM will automatically shut down after sysprep is complete.

Earlier versions of Windows have a different sysprep tool. Follow these steps for Windows Server 2003 R2.

  1. Extract the content of \support\tools\deploy.cab on the Windows installation CD into a directory called c:\sysprep on the Windows 2003 R2 VM.

  2. Run c:\sysprep\setupmgr.exe to create the sysprep.inf file.

    1. Select Create New to create a new Answer File.
    2. Enter “Sysprep setup” for the Type of Setup.
    3. Select the appropriate OS version and edition.
    4. On the License Agreement screen, select “Yes fully automate the installation”.
    5. Provide your name and organization.
    6. Leave display settings at default.
    7. Set the appropriate time zone.
    8. Provide your product key.
    9. Select an appropriate license mode for your deployment
    10. Select “Automatically generate computer name”.
    11. Type a default administrator password. If you enable the password reset feature, the users will not actually use this password. This password will be reset by the instance manager after the guest boots up.
    12. Leave Network Components at “Typical Settings”.
    13. Select the “WORKGROUP” option.
    14. Leave Telephony options at default.
    15. Select appropriate Regional Settings.
    16. Select appropriate language settings.
    17. Do not install printers.
    18. Do not specify “Run Once commands”.
    19. You need not specify an identification string.
    20. Save the Answer File as c:\sysprep\sysprep.inf.
  3. Run the following command to sysprep the image:

    1. c:\sysprep\sysprep.exe -reseal -mini -activated

    After this step the machine will automatically shut down

Importing Amazon Machine Images

The following procedures describe how to import an Amazon Machine Image (AMI) into CloudStack when using the XenServer hypervisor.

Assume you have an AMI file and this file is called CentOS_6.2_x64. Assume further that you are working on a CentOS host. If the AMI is a Fedora image, you need to be working on a Fedora host initially.

You need to have a XenServer host with a file-based storage repository (either a local ext3 SR or an NFS SR) to convert to a VHD once the image file has been customized on the Centos/Fedora host.

Note

When copying and pasting a command, be sure the command has pasted as a single line before executing. Some document viewers may introduce unwanted line breaks in copied text.

To import an AMI:

  1. Set up loopback on image file:

    1. # mkdir -p /mnt/loop/centos62
    2. # mount -o loop CentOS_6.2_x64 /mnt/loop/centos54
  2. Install the kernel-xen package into the image. This downloads the PV kernel and ramdisk to the image.

    1. # yum -c /mnt/loop/centos54/etc/yum.conf --installroot=/mnt/loop/centos62/ -y install kernel-xen
  3. Create a grub entry in /boot/grub/grub.conf.

    1. # mkdir -p /mnt/loop/centos62/boot/grub
    2. # touch /mnt/loop/centos62/boot/grub/grub.conf
    3. # echo "" > /mnt/loop/centos62/boot/grub/grub.conf
  4. Determine the name of the PV kernel that has been installed into the image.

    1. # cd /mnt/loop/centos62
    2. # ls lib/modules/
    3. 2.6.16.33-xenU 2.6.16-xenU 2.6.18-164.15.1.el5xen 2.6.18-164.6.1.el5.centos.plus 2.6.18-xenU-ec2-v1.0 2.6.21.7-2.fc8xen 2.6.31-302-ec2
    4. # ls boot/initrd*
    5. boot/initrd-2.6.18-164.6.1.el5.centos.plus.img boot/initrd-2.6.18-164.15.1.el5xen.img
    6. # ls boot/vmlinuz*
    7. boot/vmlinuz-2.6.18-164.15.1.el5xen boot/vmlinuz-2.6.18-164.6.1.el5.centos.plus boot/vmlinuz-2.6.18-xenU-ec2-v1.0 boot/vmlinuz-2.6.21-2952.fc8xen

    Xen kernels/ramdisk always end with “xen”. For the kernel version you choose, there has to be an entry for that version under lib/modules, there has to be an initrd and vmlinuz corresponding to that. Above, the only kernel that satisfies this condition is 2.6.18-164.15.1.el5xen.

  5. Based on your findings, create an entry in the grub.conf file. Below is an example entry.

    1. default=0
    2. timeout=5
    3. hiddenmenu
    4. title CentOS (2.6.18-164.15.1.el5xen)
    5. root (hd0,0)
    6. kernel /boot/vmlinuz-2.6.18-164.15.1.el5xen ro root=/dev/xvda
    7. initrd /boot/initrd-2.6.18-164.15.1.el5xen.img
  6. Edit etc/fstab, changing “sda1” to “xvda” and changing “sdb” to “xvdb”.

    1. # cat etc/fstab
    2. /dev/xvda / ext3 defaults 1 1
    3. /dev/xvdb /mnt ext3 defaults 0 0
    4. none /dev/pts devpts gid=5,mode=620 0 0
    5. none /proc proc defaults 0 0
    6. none /sys sysfs defaults 0 0
  7. Enable login via the console. The default console device in a XenServer system is xvc0. Ensure that etc/inittab and etc/securetty have the following lines respectively:

    1. # grep xvc0 etc/inittab
    2. co:2345:respawn:/sbin/agetty xvc0 9600 vt100-nav
    3. # grep xvc0 etc/securetty
    4. xvc0
  8. Ensure the ramdisk supports PV disk and PV network. Customize this for the kernel version you have determined above.

    1. # chroot /mnt/loop/centos54
    2. # cd /boot/
    3. # mv initrd-2.6.18-164.15.1.el5xen.img initrd-2.6.18-164.15.1.el5xen.img.bak
    4. # mkinitrd -f /boot/initrd-2.6.18-164.15.1.el5xen.img --with=xennet --preload=xenblk --omit-scsi-modules 2.6.18-164.15.1.el5xen
  9. Change the password.

    1. # passwd
    2. Changing password for user root.
    3. New UNIX password:
    4. Retype new UNIX password:
    5. passwd: all authentication tokens updated successfully.
  10. Exit out of chroot.

    1. # exit
  11. Check etc/ssh/sshd_config for lines allowing ssh login using a password.

    1. # egrep "PermitRootLogin|PasswordAuthentication" /mnt/loop/centos54/etc/ssh/sshd_config
    2. PermitRootLogin yes
    3. PasswordAuthentication yes
  12. If you need the template to be enabled to reset passwords from the CloudStack UI or API, install the password change script into the image at this point. See Adding Password Management to Your Templates.

  13. Unmount and delete loopback mount.

    1. # umount /mnt/loop/centos54
    2. # losetup -d /dev/loop0
  14. Copy the image file to your XenServer host’s file-based storage repository. In the example below, the Xenserver is “xenhost”. This XenServer has an NFS repository whose uuid is a9c5b8c8-536b-a193-a6dc-51af3e5ff799.

    1. # scp CentOS_6.2_x64 xenhost:/var/run/sr-mount/a9c5b8c8-536b-a193-a6dc-51af3e5ff799/
  15. Log in to the Xenserver and create a VDI the same size as the image.

    1. [root@xenhost ~]# cd /var/run/sr-mount/a9c5b8c8-536b-a193-a6dc-51af3e5ff799
    2. [root@xenhost a9c5b8c8-536b-a193-a6dc-51af3e5ff799]# ls -lh CentOS_6.2_x64
    3. -rw-r--r-- 1 root root 10G Mar 16 16:49 CentOS_6.2_x64
    4. [root@xenhost a9c5b8c8-536b-a193-a6dc-51af3e5ff799]# xe vdi-create virtual-size=10GiB sr-uuid=a9c5b8c8-536b-a193-a6dc-51af3e5ff799 type=user name-label="Centos 6.2 x86_64"
    5. cad7317c-258b-4ef7-b207-cdf0283a7923
  16. Import the image file into the VDI. This may take 10–20 minutes.

    1. [root@xenhost a9c5b8c8-536b-a193-a6dc-51af3e5ff799]# xe vdi-import filename=CentOS_6.2_x64 uuid=cad7317c-258b-4ef7-b207-cdf0283a7923
  17. Locate a the VHD file. This is the file with the VDI’s UUID as its name. Compress it and upload it to your web server.

    1. [root@xenhost a9c5b8c8-536b-a193-a6dc-51af3e5ff799]# bzip2 -c cad7317c-258b-4ef7-b207-cdf0283a7923.vhd > CentOS_6.2_x64.vhd.bz2
    2. [root@xenhost a9c5b8c8-536b-a193-a6dc-51af3e5ff799]# scp CentOS_6.2_x64.vhd.bz2 webserver:/var/www/html/templates/

Converting a Hyper-V VM to a Template

To convert a Hyper-V VM to a XenServer-compatible CloudStack template, you will need a standalone XenServer host with an attached NFS VHD SR. Use whatever XenServer version you are using with CloudStack, but use XenCenter 5.6 FP1 or SP2 (it is backwards compatible to 5.6). Additionally, it may help to have an attached NFS ISO SR.

For Linux VMs, you may need to do some preparation in Hyper-V before trying to get the VM to work in XenServer. Clone the VM and work on the clone if you still want to use the VM in Hyper-V. Uninstall Hyper-V Integration Components and check for any references to device names in /etc/fstab:

  1. From the linux_ic/drivers/dist directory, run make uninstall (where “linux_ic” is the path to the copied Hyper-V Integration Components files).
  2. Restore the original initrd from backup in /boot/ (the backup is named *.backup0).
  3. Remove the “hdX=noprobe” entries from /boot/grub/menu.lst.
  4. Check /etc/fstab for any partitions mounted by device name. Change those entries (if any) to mount by LABEL or UUID. You can get that information with the blkid command.

The next step is make sure the VM is not running in Hyper-V, then get the VHD into XenServer. There are two options for doing this.

Option one:

  1. Import the VHD using XenCenter. In XenCenter, go to Tools>Virtual Appliance Tools>Disk Image Import.
  2. Choose the VHD, then click Next.
  3. Name the VM, choose the NFS VHD SR under Storage, enable “Run Operating System Fixups” and choose the NFS ISO SR.
  4. Click Next, then Finish. A VM should be created.

Option two:

  1. Run XenConvert, under From choose VHD, under To choose XenServer. Click Next.
  2. Choose the VHD, then click Next.
  3. Input the XenServer host info, then click Next.
  4. Name the VM, then click Next, then Convert. A VM should be created.

Once you have a VM created from the Hyper-V VHD, prepare it using the following steps:

  1. Boot the VM, uninstall Hyper-V Integration Services, and reboot.
  2. Install XenServer Tools, then reboot.
  3. Prepare the VM as desired. For example, run sysprep on Windows VMs. See “Creating a Windows Template”.

Either option above will create a VM in HVM mode. This is fine for Windows VMs, but Linux VMs may not perform optimally. Converting a Linux VM to PV mode will require additional steps and will vary by distribution.

  1. Shut down the VM and copy the VHD from the NFS storage to a web server; for example, mount the NFS share on the web server and copy it, or from the XenServer host use sftp or scp to upload it to the web server.
  2. In CloudStack, create a new template using the following values:
    • URL. Give the URL for the VHD
    • OS Type. Use the appropriate OS. For PV mode on CentOS, choose Other PV (32-bit) or Other PV (64-bit). This choice is available only for XenServer.
    • Hypervisor. XenServer
    • Format. VHD

The template will be created, and you can create instances from it.

Adding Password Management to Your Templates

CloudStack provides an optional password reset feature that allows users to set a temporary admin or root password as well as reset the existing admin or root password from the CloudStack UI.

To enable the Reset Password feature, you will need to download an additional script to patch your template. When you later upload the template into CloudStack, you can specify whether reset admin/root password feature should be enabled for this template.

The password management feature works always resets the account password on instance boot. The script does an HTTP call to the virtual router to retrieve the account password that should be set. As long as the virtual router is accessible the guest will have access to the account password that should be used. When the user requests a password reset the management server generates and sends a new password to the virtual router for the account. Thus an instance reboot is necessary to effect any password changes.

If the script is unable to contact the virtual router during instance boot it will not set the password but boot will continue normally.

Use the following steps to begin the Linux OS installation:

  1. Download the latest version of the cloud-set-guest-password script from the repository:

  2. Rename the file:

    1. mv cloud-set-guest-password.in cloud-set-guest-password
  3. Copy this file to /etc/init.d.

    On some Linux distributions, copy the file to /etc/rc.d/init.d.

  4. Run the following command to make the script executable:

    1. chmod +x /etc/init.d/cloud-set-guest-password
  5. Depending on the Linux distribution, continue with the appropriate step.

    On Fedora, CentOS/RHEL, and Debian, run:

    1. chkconfig --add cloud-set-guest-password

Download the installer, CloudInstanceManager.msi, from the Download page and run the installer in the newly created Windows VM.

Deleting Templates

Templates may be deleted. In general, when a template spans multiple Zones, only the copy that is selected for deletion will be deleted; the same template in other Zones will not be deleted. The provided CentOS template is an exception to this. If the provided CentOS template is deleted, it will be deleted from all Zones.

When templates are deleted, the VMs instantiated from them will continue to run. However, new VMs cannot be created based on the deleted template.