RE: Copy VM with new ID

What he is talking about is Security Identifier (SID) and is specific to Windows. Each Windows machine must have a unique SID in an AD environment. Cloned machines will have identical SID which is bad.

The solution to this problem is sysprep, a Windows tool that will reset SID and other parameters so that each Windows installation is uniquely identifiable. This is something done inside a machine, of course, and is not something that can be done on HV level. VMware, and Hyper-V as seen here, have integrated support for invoking sysprep (or equivalent) during the machine cloning process. This is achieved by sending a signal to the management agent inside a machine (e.g. VMware Guest Tools).

As far as I know, XenServer/XCP-ng management agent is rudimentary and does not have this functionality. In world of XenServer/XCP-ng, machine has to be syspreped manually before it is cloned.

Just to confirm. After copying new install.img to my PXE environment, unattended installation went smoothly with my answer file.

A milestone has been achieved . All of my modules have been merged upstream. I've updated the first post with new info.

That will most probably be all for Ansible 2.8. I'm keeping some improvements and possibly more modules for Ansible 2.9. Currently, I'm thinking about what other modules could be useful so I could implement them. Any suggestion or wish would be much appreciated.

Has anyone been able to install Ubuntu 24.04 in VM from current official ISO? It seems that official ISOs (i.e. installer) still use unpatched kernel 6.8.0-22. Are there any newer ISO builds that I'm not aware of?

EDIT:
Sorry. False alarm. I screwed up my PXE settings. There was some leftover kernel and initrd images from beta versions of ISO. Kernel and initrd from latest ISOs work properly.

@john-c

I feel your pain, however, the main difference between VMware support in Ansible and XenServer/XCP-ng is that VMware has a whole working group with a dozen of regular members and contributors:

https://github.com/ansible/community/wiki/VMware

Major contributors are all Red Hat or VMware employees i.e. people paid to do it. There is no such thing for XenServer/XCP-ng. Citrix never showed any interest in supporting Ansible. Netscaler is the only Citrix product that has a decent Ansible support.

To help you better understand how Ansible as a project works, here are some points from my personal adventure:

• To be able to contribute new modules to Ansible or any of the official collections, you need to implement extensive unit and integration tests. I understand the requirement. Ansible/Red Hat wants to maintain a high level of quality and to easily (and in automated way) detect any regressions. That's all good but implementing tests is harder and more work than implementing modules themselves. What's very very helpful in case of VMware is that there is a whole simulator called govcsim developed by VMware. You can test your modules against the simulator with ease and automate all the tests with little effort. To my knowledge, there is no simulator available for XenAPI. If such simulator does exist, it is most likely kept in secret by Citrix. If Citrix was ever to release this simulator, that would be a HUGE step forward.
• If you want to contribute new modules to Ansible or any of the official collections, someone has to review your code. Not many people are willing to do so and have the power to include your code to Ansible. As a matter of fact, finding reviewers and begging them for help is the hardest thing of all. I had some tremendous luck to acquire the interest of Abhijeet Kasurde, one of the top Ansible guys, to review my code and to eventually include xenserver_guest_* modules into Ansible. The guy handles VMware in Ansible... surprise! My xenserver_guest module was included without any unit or integration tests but for other modules I had to implement them. Luckily, they were simple and I had a luck to find a reviewer for tests also. When I wanted to upgrade xenserver_guest module with new functionality, they required unit and integration tests. I eventually implemented tests for xenserver_guest module but it was a huge undertaking and the amount of code involved easily dwarfed the module itself. I basically ended up implementing a barebone XenAPI simulator. This is where I hit a road block. No one, even the people that initially supported me, wanted to review this monstrosity of test+simulator. It was never included in Ansible.
• If you don't want to rely on external reviewers then you have to form a team, or if possible, a work group. That way you can review each others code and include it in Ansible without external support. Everything is pretty much handled by bots. If you gain a high enough status in Ansible project, you could get permissions to merge the code yourself without relying on anyone, not even bots. Should I mention that I failed to ever find any good Python programmer that is into Ansible and interested enough to form a team with me?
• You can skip all this struggle if you just maintain you own collection of modules but then you cannot rely on existing Ansible tooling that will do all the testing, linting, sanity checks, spell checks and such. You are on your own.

After a lot of struggle I eventually lost any interest as I was wasting a lot of time and life had to go on. Not much people showed interest in xenserver_guest_* Ansible modules either. My employer also ditched XenServer/XCP-ng in favor of VMware a few years back. Even with all the Broadcom/VMware situation, we got a super good deal with Broadcom because of our deployment size and commitment so we are sticking with VMWare.

All in all, if Ansible support for XenServer/XCP-ng and Xen Orchestra on par with VMware support is ever to see the light of day, these prerequisites are required:

• Publicly available XenAPI simulator is a must
• A working group of at least three people with knowledge in Python, Ansible and XenAPI committed to the cause
• Possibly corporate and financial backing by Citrix, Vates? or some other third party

Having any official Ansible support for XenServer/XCP-ng was (and is) a miracle to this day. A miracle I was blessed with and a huge learning experience for me.

Sorry for the long post. It is not my intention to discourage people but I think everyone should understand why XenServer/XCP-ng does not enjoy better Ansible support. There is much much more to it than just having a willingness to do anything.

@Ruskofff said in Ansible and XCP-ng:

Edit : I found the Ansible module you talking about @cheese (with the other topic talking about Ansible on XenServer). I could start from this point for the deployment of VM yes. Seems good for me !

This is the thread:

https://xcp-ng.org/forum/topic/159/deploy-vms-using-ansible

I'm the author of the module. The thread is a little outdated but I will update it ASAP. Feel free to ask me anything regarding the module.

Hi guys,

Sorry if this looks like shameless self promotion but for a few weeks now I've been working on Ansible module for managing XenServer/XCP-ng VMs - first of it's kind if I'm not mistaken. The module is in line with what Ansible offers for VMWare and there is a pull request to mainline it. What I would love is for anyone willing to help, and already familiar with Ansible, is to spare some time to test the module since the only way to test it is against real hardware. Of course, the module should not be tested in production environments.

UPDATE: 2019-03-01

Some of my Ansible modules have been merged upstream and are currently available in development version of Ansible. Ansible 2.8 will be the first official release to include these modules.

My work is currently centered around these three modules:

• xenserver_guest - upstreamed - used for deployment of new VMs from templates and reconfiguration of existing VMs.
• xenserver_guest_facts - upstreamed - used for getting VM facts (useful XenServer/XCP-ng VM params).
• xenserver_guest_powerstate - upstreamed - used for controlling VM power state (running/halted/suspended), graceful shutdown and reboot etc.

For anyone interested in using/testing these modules, upstreamed modules can be acquired by cloning Ansible repo from GitHub (or downloading the ZIP archive) and running Ansible from source. Instructions can be found here:

https://docs.ansible.com/ansible/devel/installation_guide/intro_installation.html#running-from-source

To use the modules, you will also need XenAPI.py from here:

https://raw.githubusercontent.com/xapi-project/xen-api/master/scripts/examples/python/XenAPI.py

Copy the file to your Python site-packages (e.g. /usr/lib/python2.7/site-packages/ on CentOS 7).

You can get module documentation by running this command:

$ ansible-doc <module_name>

or from official Ansible docs (upstreamed modules only):

• https://docs.ansible.com/ansible/devel/modules/xenserver_guest_module.html#xenserver-guest-module
• https://docs.ansible.com/ansible/devel/modules/xenserver_guest_facts_module.html#xenserver-guest-facts-module
• https://docs.ansible.com/ansible/devel/modules/xenserver_guest_powerstate_module.html#xenserver-guest-powerstate-module

CHANGELOG:

• Fixed a bug on XenServer 7.1 with Cumulative Update where a version could not be properly detected, causing an exception.

Thanks.

@DustinB While that may be true, the reality is that VMware and Microsoft have integrated such functionality in their virtualization products and it has become de facto standard. Users are expecting such functionality and taking it for granted. No one is bothering with sysprep any more. This is one of those things that makes the life much easier and which XenServer/XCP-ng should support to stay relevant in the market.

Maybe something can be done trough Cloudbase-Init? I have not delved into that.

@TeddyAstie Is the list of "issues and limitations" of nested virtualization under Xen documented somewhere?

What he is talking about is Security Identifier (SID) and is specific to Windows. Each Windows machine must have a unique SID in an AD environment. Cloned machines will have identical SID which is bad.

The solution to this problem is sysprep, a Windows tool that will reset SID and other parameters so that each Windows installation is uniquely identifiable. This is something done inside a machine, of course, and is not something that can be done on HV level. VMware, and Hyper-V as seen here, have integrated support for invoking sysprep (or equivalent) during the machine cloning process. This is achieved by sending a signal to the management agent inside a machine (e.g. VMware Guest Tools).

As far as I know, XenServer/XCP-ng management agent is rudimentary and does not have this functionality. In world of XenServer/XCP-ng, machine has to be syspreped manually before it is cloned.

@cairoti It's explained here:

https://docs.xenserver.com/en-us/citrix-hypervisor/dr/machine-failures.html#master-failures

Quote:

If you repair or replace the server that was the original master, you can simply bring it up, install the Citrix Hypervisor software, and add it to the pool. Since the Citrix Hypervisor servers in the pool are enforced to be homogeneous, there is no real need to make the replaced server the master.

Now, there is a catch. I'm not sure what happens with the old master from a pool perspective after a new master is delegated. Is it still considered (and shown) as member of the pool just shut down, or is it kicked out of the pool? Anyway, if old master is returned to the pool, i.e. a join operation is performed, then it's configuration is reset and it will not cause any conflict.

If you don't want to risk anything, the best way to go is to remove old master from the pool, reinstall it and re-add it. That's the clean way. The reinstall will make old master forget it was ever a master

@bug-meister This means that VM was running at the CPU feature level of the original host when you added a new host. For a VM to drop the CPU feature level to a level of the new host, it has to be shutdown and started again. After that, VM should be able to migrate in both ways.

The CPU feature level of a pool is determined by the CPU feature level of a host that has the lowest CPU feature level (new host in your example) but is not applied retroactively to already running VMs.

Because of these issues, it is not advisable to have pools with mixed CPU models/generations.

@irtaza9 bro, believe it or not, I already answered your question . If you have your templates in XVA format and want to have them accessible to all your pool members, you have to put them on a shared SR. They will still be per pool. I don't do not know of a way to have them centralized so that they are available cross pool.

Update:

Theoretically an NFS shared SR could be mounted to multiple pools but it would have to be read only except for one pool. I have not seen something like that in action.

@irtaza9 The way you are describing your intent and what you are trying to accomplish makes me think you are doing it the wrong way. Cloud-ready or not, your templates have to be XenServer/XCP-ng ready. To accomplish that you have two options:

• Create an empty VM from one of built in default templates, boot an ISO/PXE and install your system. Add XenServer/XCP-ng guest tools and cloud-init to the VM, shutdown and convert the VM to the template. You can automate this process using Packer or Ansible if needed.

• Import your VM template from OVA/OVF.

NFS ISO library is ment to be used only for ISOs. While you can store qcow2 images on it, they will not be shown. Qcow2 images are disk images, not templates... at least not in a sense of XenServer/XCP-ng.

To create a VM in XenServer/XCP-ng using qcow2 image, you have to:

1. Store the image to some shared SR of NFS or SMB type (not NFS ISO library)
2. Create a VDI associated with the qcow2 image file
3. Create an empty VM using one of builtin default templates and attach the VDI to the VM

@olivierlambert Maybe a suggestion for XO dev team to implement a way to filter out default templates from drop down menus and other listings in XO. There are a lot of them and they can pretty much spam the lists.

Idea could be to show only "real" templates by default but let the user chose an option to include builtin/default templates, snapshots, and other shut down VMs that can be used as templates.

@irtaza9 Isn't it dangerous to remove default templates? They are used to create VMs from scratch by booting ISO image (or PXE) and installing a system. In a sense, they are not real templates. They are just metadata related to particular guest OS that describe expected guest OS of the VM instantiated from it, resource limits and restrictions, virtualization type (i.e. PV vs HVM) etc. XenServer/XCP-ng is using this metadata to possibly activate OS specific optimizations or workarounds. In VMware world the equivalent is more or less the so called Guest ID.

How do you intend to create VM templates? You can always just import premade templates from external sources or use "Other install media" as a base but it could introduce some issues later like XenServer/XCP-ng having more strict restrictions on resources (CPUs, number of disks, number of network interfaces...) compared to templates created by using some of these built in default "templates".

I would strongly advise you against removing default templates.

@Byte0 When xe utility is running on a XenServer/XCP-ng host itself, without any additional connection related command line parameters, it defaults to using XenAPI Unix socket:

# ls -la /var/xapi/xapi
srwxr-xr-x 1 root root 0 feb 18 11:07 /var/xapi/xapi

Since this socket is owned by root user and writable only by root user and only accessible from inside the dom0 system, then it is assumed to be safe and xe does not require any kind of authentication. xe can freely send API requests trough the socket.

So can PowerShell module do the same? Possibly, but PowerShell is way less documented than, let's say, Python modules, so I can't tell without looking at the code.

To check it yourself, you will first have to install PowerShell modules on XenServer/XCP-ng itself and make it work in standard way (Connect-XenServer). Then take a look at PowerShell modules source code to see if there is any trace of support for XenAPI Unix socket. If there is none and you are good with PowerShell, maybe you can add support for Unix socket.

For XenAPI Python modules you can use either http/httpd or unix socket connection.

Update:

A few Googles later. It seems that PowerShell does not have support for Unix sockets at all. It requires some kind of TCP to Unix socket proxy like socat. So making XenAPI PowerShell modules work over Unix socket could be non trivial undertaking and some considerable hacking would be required.