XCP-ng

    Best posts made by bvitnik

    • RE: Copy VM with new ID

      What he is talking about is the Security Identifier (SID), which is specific to Windows. Each Windows machine must have a unique SID in an AD environment. Cloned machines will have identical SIDs, which is bad.

      The solution to this problem is sysprep, a Windows tool that will reset SID and other parameters so that each Windows installation is uniquely identifiable. This is something done inside a machine, of course, and is not something that can be done on HV level. VMware, and Hyper-V as seen here, have integrated support for invoking sysprep (or equivalent) during the machine cloning process. This is achieved by sending a signal to the management agent inside a machine (e.g. VMware Guest Tools).

      As far as I know, the XenServer/XCP-ng management agent is rudimentary and does not have this functionality. In the world of XenServer/XCP-ng, a machine has to be sysprepped manually before it is cloned.

      posted in Management
      bvitnik
    • RE: XCP-ng 8.0.0 Release Candidate

      Just to confirm. After copying new install.img to my PXE environment, unattended installation went smoothly with my answer file.

      posted in News
      bvitnik
    • RE: Deploy VMs using Ansible

      A milestone has been achieved 😱 . All of my modules have been merged upstream. I've updated the first post with new info.

      That will most probably be all for Ansible 2.8. I'm keeping some improvements and possibly more modules for Ansible 2.9. Currently, I'm thinking about what other modules could be useful so I could implement them. Any suggestion or wish would be much appreciated.

      posted in Development
      bvitnik
    • RE: Guest running kernel 6.8 hangs after a while

      Has anyone been able to install Ubuntu 24.04 in VM from current official ISO? It seems that official ISOs (i.e. installer) still use unpatched kernel 6.8.0-22. Are there any newer ISO builds that I'm not aware of?

      EDIT:
      Sorry. False alarm. I screwed up my PXE settings. There were some leftover kernel and initrd images from beta versions of the ISO. The kernel and initrd from the latest ISOs work properly.

      posted in XCP-ng
      bvitnik
    • RE: Ubuntu 22.04.5 custom template - additional steps missing from documentation

      @BSmithITGuy said in Ubuntu 22.04.5 custom template - additional steps missing from documentation:

      If you are trying to create an Ubuntu template and are having trouble on XCP-NG 8.3 (some or all probably applies to previous versions), keep reading.

      Very nice. Very thorough. This inspired me to share a relevant part of my cleanup script. Maybe it will be of some additional help to everyone:

      echo "Resetting machine ID..."
      > /etc/machine-id
      rm -f /etc/machine-info
      
      echo "Cleaning APT cache..."
      apt-get clean
      
      echo "Removing netplan configuration..."
      # Ubuntu < 24.04
      rm -f /etc/netplan/00-installer-config.yaml
      # Ubuntu >= 24.04
      rm -f /etc/netplan/50-cloud-init.yaml
      
      echo "Cloud-init cleanup..."
      if [[ -f "/etc/cloud/clean.d/99-installer" ]]; then
          chmod a-x /etc/cloud/clean.d/99-installer
      fi
      
      # Ubuntu < 24.04
      rm -f /etc/cloud/cloud.cfg.d/99-installer.cfg /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg
      # Ubuntu >= 24.04
      rm -f /etc/cloud/cloud.cfg.d/90-installer-network.cfg
      
      if [[ -x "$(command -v cloud-init)" ]]; then
          cloud-init clean --logs --seed
      else
          echo "  No cloud-init detected. Skipping cloud-init cleanup!"
      fi
      
      echo "Removing SSH host keys..."
      find /etc/ssh/ -type f -name 'ssh_host_*' -delete
      

      The code is self-explanatory but here are some additional tips:

      • It's nice to do cleanup of APT cache. This will free up some space but also force the user to update APT cache on first run after VM has been provisioned. If APT cache is not cleaned, it will grow stale over time inside a template and, after some time, package installation in new VMs will start to break. Doing apt update before any package installation is good practice but people tend to easily forget it. This will force them to do it.
      • Ubuntu installer relies on some cloud-init config for some first boot setup which has to be removed if cloud-init is to be used once again for provisioning VMs. You correctly identified these files for removal but there is a difference in Ubuntu older than 24.04 and Ubuntu 24.04 and newer.
      • The reason I do chmod a-x /etc/cloud/clean.d/99-installer is to prevent cloud-init from removing /etc/cloud/ds-identify.cfg when doing cloud-init clean (default behavior). Because I override the default /etc/cloud/ds-identify.cfg, I don't want cloud-init clean to remove it. I remove all the other files explicitly. Additional note, /etc/cloud/clean.d/99-installer should not be removed. It should just be chmoded because it is part of the cloud-init package and will reappear on cloud-init package update.
      • It's better to use cloud-init clean --logs --seed command to clean any runtime cloud-init leftovers and logs instead of removing them explicitly like rm -rf /var/lib/cloud/instance.
      • SSH host keys should be removed so that they can be regenerated on first boot of a newly provisioned VM. If you don't do it, all your VMs will have the same host keys, which could be considered a security issue.

      posted in Infrastructure as Code
      bvitnik
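
The cleanup steps from the post above, expressed as a read-only check to run against a template before it is converted (an added example, not part of the original post; the function name audit_template and its optional root-directory argument are assumptions):

```sh
# Added example: read-only audit of a template root before it is converted.
# audit_template is a hypothetical helper name, not part of the post's script.
# Usage: audit_template /        (or a mounted copy of the template disk)
# Prints one line per finding; returns non-zero if anything is left over.
audit_template() (
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "" so the paths below stay absolute
    findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # The post truncates machine-id; a non-empty file means clones share an ID.
    if [ -s "$root/etc/machine-id" ]; then
        report "/etc/machine-id is not empty"
    fi

    # Files the post deletes (both the < 24.04 and >= 24.04 names).
    for f in \
        /etc/machine-info \
        /etc/netplan/00-installer-config.yaml \
        /etc/netplan/50-cloud-init.yaml \
        /etc/cloud/cloud.cfg.d/99-installer.cfg \
        /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg \
        /etc/cloud/cloud.cfg.d/90-installer-network.cfg
    do
        if [ -e "$root$f" ]; then report "$f still present"; fi
    done

    # Host keys (private and public) must be gone so each clone generates its own.
    for f in "$root"/etc/ssh/ssh_host_*; do
        if [ -f "$f" ]; then report "SSH host key left in template: ${f#"$root"}"; fi
    done

    # Cached packages that apt-get clean would have removed.
    for f in "$root"/var/cache/apt/archives/*.deb; do
        if [ -f "$f" ]; then report "APT cache not cleaned"; break; fi
    done

    # Runtime state that cloud-init clean --logs --seed removes.
    if [ -e "$root/var/lib/cloud/instance" ] || [ -L "$root/var/lib/cloud/instance" ]; then
        report "cloud-init instance state present"
    fi

    # Per the post, an executable clean.d/99-installer makes the next
    # cloud-init clean delete a customised /etc/cloud/ds-identify.cfg.
    if [ -x "$root/etc/cloud/clean.d/99-installer" ] &&
       [ -f "$root/etc/cloud/ds-identify.cfg" ]; then
        report "/etc/cloud/clean.d/99-installer is executable"
    fi

    [ "$findings" -eq 0 ]
)
```

Because the function only reads, it can be pointed at a mounted copy of the template disk as well as at the running system.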
    • RE: Ansible with Xen Orchestra

      @john-c

      I feel your pain, however, the main difference between VMware support in Ansible and XenServer/XCP-ng is that VMware has a whole working group with a dozen regular members and contributors:

      https://github.com/ansible/community/wiki/VMware

      Major contributors are all Red Hat or VMware employees i.e. people paid to do it. There is no such thing for XenServer/XCP-ng. Citrix never showed any interest in supporting Ansible. Netscaler is the only Citrix product that has a decent Ansible support.

      To help you better understand how Ansible as a project works, here are some points from my personal adventure:

      • To be able to contribute new modules to Ansible or any of the official collections, you need to implement extensive unit and integration tests. I understand the requirement. Ansible/Red Hat wants to maintain a high level of quality and to easily (and in an automated way) detect any regressions. That's all good but implementing tests is harder and more work than implementing modules themselves. What's very very helpful in the case of VMware is that there is a whole simulator called govcsim developed by VMware. You can test your modules against the simulator with ease and automate all the tests with little effort. To my knowledge, there is no simulator available for XenAPI. If such a simulator does exist, it is most likely kept secret by Citrix. If Citrix was ever to release this simulator, that would be a HUGE step forward.
      • If you want to contribute new modules to Ansible or any of the official collections, someone has to review your code. Not many people are willing to do so and have the power to include your code in Ansible. As a matter of fact, finding reviewers and begging them for help is the hardest thing of all. I had some tremendous luck to acquire the interest of Abhijeet Kasurde, one of the top Ansible guys, to review my code and to eventually include xenserver_guest_* modules into Ansible. The guy handles VMware in Ansible... surprise! 😀 My xenserver_guest module was included without any unit or integration tests but for other modules I had to implement them. Luckily, they were simple and I had the luck to find a reviewer for tests also. When I wanted to upgrade xenserver_guest module with new functionality, they required unit and integration tests. I eventually implemented tests for xenserver_guest module but it was a huge undertaking and the amount of code involved easily dwarfed the module itself. I basically ended up implementing a barebone XenAPI simulator. This is where I hit a roadblock. No one, even the people that initially supported me, wanted to review this monstrosity of test+simulator. It was never included in Ansible.
      • If you don't want to rely on external reviewers then you have to form a team, or if possible, a work group. That way you can review each other's code and include it in Ansible without external support. Everything is pretty much handled by bots. If you gain a high enough status in Ansible project, you could get permissions to merge the code yourself without relying on anyone, not even bots. Should I mention that I failed to ever find any good Python programmer that is into Ansible and interested enough to form a team with me?
      • You can skip all this struggle if you just maintain your own collection of modules but then you cannot rely on existing Ansible tooling that will do all the testing, linting, sanity checks, spell checks and such. You are on your own.

      After a lot of struggle I eventually lost any interest as I was wasting a lot of time and life had to go on. Not many people showed interest in xenserver_guest_* Ansible modules either. My employer also ditched XenServer/XCP-ng in favor of VMware a few years back. Even with all the Broadcom/VMware situation, we got a super good deal with Broadcom because of our deployment size and commitment so we are sticking with VMware.

      All in all, if Ansible support for XenServer/XCP-ng and Xen Orchestra on par with VMware support is ever to see the light of day, these prerequisites are required:

      • Publicly available XenAPI simulator is a must
      • A working group of at least three people with knowledge in Python, Ansible and XenAPI committed to the cause
      • Possibly corporate and financial backing by Citrix, Vates? or some other third party

      Having any official Ansible support for XenServer/XCP-ng was (and is) a miracle to this day. A miracle I was blessed with and a huge learning experience for me.

      Sorry for the long post. It is not my intention to discourage people but I think everyone should understand why XenServer/XCP-ng does not enjoy better Ansible support. There is much much more to it than just having a willingness to do anything.

      posted in Infrastructure as Code
      bvitnik
    • RE: Ansible and XCP-ng

      @Ruskofff said in Ansible and XCP-ng:

      Edit: I found the Ansible module you are talking about @cheese (with the other topic talking about Ansible on XenServer). I could start from this point for the deployment of VM yes. Seems good for me!

      This is the thread:

      https://xcp-ng.org/forum/topic/159/deploy-vms-using-ansible

      I'm the author of the module. The thread is a little outdated but I will update it ASAP. Feel free to ask me anything regarding the module.

      posted in Development
      bvitnik
    • Deploy VMs using Ansible

      Hi guys,

      Sorry if this looks like shameless self promotion but for a few weeks now I've been working on an Ansible module for managing XenServer/XCP-ng VMs - first of its kind if I'm not mistaken. The module is in line with what Ansible offers for VMware and there is a pull request to mainline it. What I would love is for anyone willing to help, and already familiar with Ansible, to spare some time to test the module since the only way to test it is against real hardware. Of course, the module should not be tested in production environments.

      UPDATE: 2019-03-01

      Some of my Ansible modules have been merged upstream and are currently available in development version of Ansible. Ansible 2.8 will be the first official release to include these modules.

      My work is currently centered around these three modules:

      • xenserver_guest - upstreamed - used for deployment of new VMs from templates and reconfiguration of existing VMs.
      • xenserver_guest_facts - upstreamed - used for getting VM facts (useful XenServer/XCP-ng VM params).
      • xenserver_guest_powerstate - upstreamed - used for controlling VM power state (running/halted/suspended), graceful shutdown and reboot etc.

      For anyone interested in using/testing these modules, upstreamed modules can be acquired by cloning Ansible repo from GitHub (or downloading the ZIP archive) and running Ansible from source. Instructions can be found here:

      https://docs.ansible.com/ansible/devel/installation_guide/intro_installation.html#running-from-source

      To use the modules, you will also need XenAPI.py from here:

      https://raw.githubusercontent.com/xapi-project/xen-api/master/scripts/examples/python/XenAPI.py

      Copy the file to your Python site-packages (e.g. /usr/lib/python2.7/site-packages/ on CentOS 7).

      You can get module documentation by running this command:

      $ ansible-doc <module_name>
      

      or from official Ansible docs (upstreamed modules only):

      • https://docs.ansible.com/ansible/devel/modules/xenserver_guest_module.html#xenserver-guest-module
      • https://docs.ansible.com/ansible/devel/modules/xenserver_guest_facts_module.html#xenserver-guest-facts-module
      • https://docs.ansible.com/ansible/devel/modules/xenserver_guest_powerstate_module.html#xenserver-guest-powerstate-module

      CHANGELOG:

      • Fixed a bug on XenServer 7.1 with Cumulative Update where a version could not be properly detected, causing an exception.

      Thanks.

      posted in Development
      bvitnik

    Latest posts made by bvitnik

    • RE: Automating VM builds on XO with Redhat AAP (Ansible)

      @bufanda said in Automating VM builds on XO with Redhat AAP (Ansible):

      ... as far as I know there is no collection that is able to manage VMs and sadly Satellite's virt-who doesn't seem to have XenOrchestra support at the moment and since RedHat is pushing OpenShift I don't think it will ever come.

      But there was a wish for a collection on the DevOps Megathread
      https://xcp-ng.org/forum/post/88993

      There are Ansible modules for managing VMs in the community.general collection. They just don't do it through XO but through XenServer/XCP-ng hosts (or pool masters) directly, using XenAPI. Search for xenserver_* modules in Ansible documentation.

      posted in Infrastructure as Code
      bvitnik
    • RE: Copy VM with new ID

      @DustinB While that may be true, the reality is that VMware and Microsoft have integrated such functionality in their virtualization products and it has become de facto standard. Users are expecting such functionality and taking it for granted. No one is bothering with sysprep any more. This is one of those things that makes the life much easier and which XenServer/XCP-ng should support to stay relevant in the market.

      Maybe something can be done through Cloudbase-Init? I have not delved into that.

      posted in Management
      bvitnik
    • RE: XCP-ng 8.3 updates announcements and testing

      @TeddyAstie Is the list of "issues and limitations" of nested virtualization under Xen documented somewhere?

      posted in News
      bvitnik
    • RE: Re-add a repaired master node to the pool

      @cairoti It's explained here:

      https://docs.xenserver.com/en-us/citrix-hypervisor/dr/machine-failures.html#master-failures

      Quote:

      If you repair or replace the server that was the original master, you can simply bring it up, install the Citrix Hypervisor software, and add it to the pool. Since the Citrix Hypervisor servers in the pool are enforced to be homogeneous, there is no real need to make the replaced server the master.

      Now, there is a catch. I'm not sure what happens with the old master from a pool perspective after a new master is delegated. Is it still considered (and shown) as a member of the pool, just shut down, or is it kicked out of the pool? Anyway, if the old master is returned to the pool, i.e. a join operation is performed, then its configuration is reset and it will not cause any conflict.

      If you don't want to risk anything, the best way to go is to remove old master from the pool, reinstall it and re-add it. That's the clean way. The reinstall will make old master forget it was ever a master ☺

      posted in Compute
      bvitnik
    • RE: Error migrating VM

      @bug-meister This means that VM was running at the CPU feature level of the original host when you added a new host. For a VM to drop the CPU feature level to a level of the new host, it has to be shut down and started again. After that, VM should be able to migrate in both ways.

      The CPU feature level of a pool is determined by the CPU feature level of a host that has the lowest CPU feature level (new host in your example) but is not applied retroactively to already running VMs.

      Because of these issues, it is not advisable to have pools with mixed CPU models/generations.

      posted in Compute
      bvitnik
    • RE: Default templates

      @irtaza9 bro, believe it or not, I already answered your question 🙂 . If you have your templates in XVA format and want to have them accessible to all your pool members, you have to put them on a shared SR. They will still be per pool. I do not know of a way to have them centralized so that they are available cross pool.

      Update:

      Theoretically an NFS shared SR could be mounted to multiple pools but it would have to be read only except for one pool. I have not seen something like that in action.

      posted in Management
      bvitnik
    • RE: Default templates

      @irtaza9 The way you are describing your intent and what you are trying to accomplish makes me think you are doing it the wrong way. Cloud-ready or not, your templates have to be XenServer/XCP-ng ready. To accomplish that you have two options:

      • Create an empty VM from one of the built-in default templates, boot an ISO/PXE and install your system. Add XenServer/XCP-ng guest tools and cloud-init to the VM, shut down and convert the VM to the template. You can automate this process using Packer or Ansible if needed.

      • Import your VM template from OVA/OVF.

      NFS ISO library is meant to be used only for ISOs. While you can store qcow2 images on it, they will not be shown. Qcow2 images are disk images, not templates... at least not in a sense of XenServer/XCP-ng.

      To create a VM in XenServer/XCP-ng using qcow2 image, you have to:

      1. Store the image to some shared SR of NFS or SMB type (not NFS ISO library)
      2. Create a VDI associated with the qcow2 image file
      3. Create an empty VM using one of builtin default templates and attach the VDI to the VM

      posted in Management
      bvitnik
    • RE: Default templates

      @olivierlambert Maybe a suggestion for XO dev team to implement a way to filter out default templates from drop down menus and other listings in XO. There are a lot of them and they can pretty much spam the lists.

      Idea could be to show only "real" templates by default but let the user choose an option to include builtin/default templates, snapshots, and other shut down VMs that can be used as templates.

      posted in Management
      bvitnik