Virtual Machine


Windows is deployed by cloning a UFIT-managed Windows VM template. UFIT maintains one template per supported Windows OS; these templates are used to deploy base Windows Server images.

Supported Windows Versions

  • Server 2022/2019 GUI/Core

General Information

  • All Windows systems are joined to the UFAD (ad.ufl.edu) domain.
  • The UFIT provided templates are automatically patched with the latest version of ALL available Windows patches.
  • If the primary disk (C:) is larger than the base size (80GB/250GB) of the disk tier, it must be manually extended in the OS using Disk Manager after deployment.
  • All Windows machines have a PTR record entered in the UF DNS system using the name and IP entered in the request form. If an IP address was pulled from a shared hosting network the chosen IP address will be used.

REQUIREMENTS TO DEPLOY WINDOWS SERVER

During Windows deployment the Administrator password is set to a random 32-character password. Because of this, the following pre-provisioning requirements must be met in order to access the Windows VM after deployment.

  • Create an Active Directory computer object.
  • Group policy to enable RDP for users must be applied to the computer object.
  • Group policy to add users to allow RDP to the server must be applied to the computer object.
  • Group policy to configure firewall to permit RDP traffic to the server must be applied to the computer object.
  • When creating the new computer object, delegate "Join to Domain" rights to the service account UFAD\eio-svc-vcac-prd.

There are three template GPOs you can copy to meet the requirements above. Copy them to new GPO objects that your group owns, and delegate "Edit settings, delete, modify security" on each copied GPO to a group rather than only to your own user account.

Linking directly to the template GPOs is not advised; copy them and modify the copies to suit your needs.

  • UFIT-Firewall Template (optional: enabling Remote Desktop should add the firewall rules automatically)
  • UFIT-Local Groups Template
  • UFIT-Remote Desktop Template

RHEL servers are deployed using cloud-init (https://cloud-init.io). cloud-init is a platform-agnostic Linux deployment tool that can be used to deploy Linux machines to any cloud. UFIT maintains a generic template with the cloud-init agent installed for each supported RHEL version, which is cloned upon request. Customers enter a cloud-init user-data configuration that is executed on the server at first boot. Networking is configured by the UF Hosting platform from the request form inputs.

REQUIREMENTS

There are two requirements:

  1. Install VMware tools on the server. In the example below this is done via the packages: section.
  2. Register the VM with the UF Red Hat Satellite server. In the example below this is done via the runcmd: section. For further information about registering with the campus Satellite server see the following: Red Hat Satellite 6 Register Host

The remaining options are not required, but they are best practices and should be implemented.

RHEL 9 CLOUD-INIT USER-DATA EXAMPLE

This cloud config will:

  • Delete any lingering SSH keys
  • Set the password for root to a random value
  • Add randomness to the VM from the Reddit homepage
  • Install the VMware Open VM Tools
  • Register the OS with UF Satellite
  • Disable root login via SSH
  • Resize the first disk to use any additional disk space
  • Apply all patches for the current OS version
  • Add a user called ufuser
  • Add an SSH key for ufuser
  • Allow sudo without entering a password
  • Add ufuser to the sudo group
  • Disable password login for ufuser

#cloud-config
# Remove the template's SSH host keys so every clone generates its own at first boot.
ssh_deletekeys: true
# chpasswd list entries are "user:password" strings; R (RANDOM) makes cloud-init
# generate a random root password and print it to the console/cloud-init output log.
chpasswd:
  list:
    - "root:R"
random_seed:
  file: /dev/urandom
  # pollinate is not part of RHEL; with command_required: true the module fails if it is missing.
  command: ["pollinate", "--server=http://reddit.com"]
  command_required: true
# Requirement 1: VMware tools. The cloud-init key is packages:, not package:.
packages:
  - open-vm-tools
runcmd:
  # Requirement 2: register the host with UF Satellite.
  - curl -o /tmp/bootstrap.py http://satellite.it.ufl.edu/pub/bootstrap.py
  - chmod +x /tmp/bootstrap.py
  - /usr/libexec/platform-python /tmp/bootstrap.py --login="MYSATELLITEUSER" --server=satellite.it.ufl.edu --location="MYLOCATION" --organization="MYSATELLITEORG" --activationkey "MYACTIVATIONKEY" --skip migration --skip-foreman --skip-puppet -v
  # Only rewrites an existing, uncommented PermitRootLogin line; verify with: sshd -T | grep permitrootlogin
  - sed -i 's,^PermitRootLogin.*,PermitRootLogin no,g' /etc/ssh/sshd_config
  # Grow partition 3 (the LVM physical volume) into any extra space on the first disk.
  - echo "Checking if we need to resize the 1st disk"
  - echo "1" > /sys/class/block/sda/device/rescan
  - echo ", +" | sfdisk -N 3 /dev/sda --force
  - partprobe /dev/sda
  - pvresize /dev/sda3
  # Security errata only; drop --security to apply every available update.
  - yum clean all && yum -y update --security
users:
  - name: ufuser
    ssh_authorized_keys:
      - ssh-rsa THISISMYPUBLICKEY
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    # RHEL has no sudo group by default; cloud-init creates it. The sudo: rule above is what grants access.
    groups: sudo
    lock_passwd: true

RHEL 8 CLOUD-INIT USER-DATA EXAMPLE

This cloud config will:

  • Delete any lingering SSH keys
  • Set the password for root to a random value
  • Add randomness to the VM from the Reddit homepage
  • Install the VMware Open VM Tools
  • Register the OS with UF Satellite
  • Disable root login via SSH
  • Resize the first disk to use any additional disk space
  • Apply all patches for the current OS version
  • Add a user called ufuser
  • Add an SSH key for ufuser
  • Allow sudo without entering a password
  • Add ufuser to the sudo group
  • Disable password login for ufuser

#cloud-config
# Remove the template's SSH host keys so every clone generates its own at first boot.
ssh_deletekeys: true
# chpasswd list entries are "user:password" strings; R (RANDOM) makes cloud-init
# generate a random root password and print it to the console/cloud-init output log.
chpasswd:
  list:
    - "root:R"
random_seed:
  file: /dev/urandom
  # pollinate is not part of RHEL; with command_required: true the module fails if it is missing.
  command: ["pollinate", "--server=http://reddit.com"]
  command_required: true
# Requirement 1: VMware tools. The cloud-init key is packages:, not package:.
packages:
  - open-vm-tools
runcmd:
  # Requirement 2: register the host with UF Satellite.
  - curl -o /tmp/bootstrap.py http://satellite.it.ufl.edu/pub/bootstrap.py
  - chmod +x /tmp/bootstrap.py
  - /usr/libexec/platform-python /tmp/bootstrap.py --login="MYSATELLITEUSER" --server=satellite.it.ufl.edu --location="MYLOCATION" --organization="MYSATELLITEORG" --activationkey "MYACTIVATIONKEY" --skip migration --skip-foreman --skip-puppet -v
  # Only rewrites an existing, uncommented PermitRootLogin line; verify with: sshd -T | grep permitrootlogin
  - sed -i 's,^PermitRootLogin.*,PermitRootLogin no,g' /etc/ssh/sshd_config
  # Grow partition 3 (the LVM physical volume) into any extra space on the first disk.
  - echo "Checking if we need to resize the 1st disk"
  - echo "1" > /sys/class/block/sda/device/rescan
  - echo ", +" | sfdisk -N 3 /dev/sda --force
  - partprobe /dev/sda
  - pvresize /dev/sda3
  # Security errata only; drop --security to apply every available update.
  - yum clean all && yum -y update --security
users:
  - name: ufuser
    ssh_authorized_keys:
      - ssh-rsa THISISMYPUBLICKEY
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    # RHEL has no sudo group by default; cloud-init creates it. The sudo: rule above is what grants access.
    groups: sudo
    lock_passwd: true
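
To catch mistakes like these before first boot, here is an added checker (not UFIT's tooling) that lints a cloud-config against the two requirements and the hardening steps in both RHEL examples above. It works on the raw text so it needs no YAML library; the sample user-data inside it is constructed for this example, and the function names are my own.

```python
import re

# cloud-init keys the original configs got wrong, mapped to the key cloud-init actually reads.
MISSPELLED_KEYS = {"package": "packages", "ssh-authorized-keys": "ssh_authorized_keys"}

# Constructed sample user-data (not a real UF config) carrying the defects discussed above.
BAD_USER_DATA = """\
#cloud-config
ssh_deletekeys: true
chpasswd:
  list:
    - root: R
random_seed:
  file: /udev/urandom
package:
  - open-vm-tools
runcmd:
  - /usr/libexec/platform-python /tmp/bootstrap.py --activationkey "KEY" --skip-foreman
  - sed -i 's,^PermitRootLogin.*,PermitRootLogin no,g' /etc/ssh/sshd_config
users:
  - name: ufuser
    ssh-authorized-keys:
      - ssh-rsa CONSTRUCTEDKEY
    lock_passwd: true
"""
# The same document with every defect corrected; the linter should pass it cleanly.
GOOD_USER_DATA = (BAD_USER_DATA.replace("package:", "packages:").replace("/udev/", "/dev/")
                  .replace("- root: R", '- "root:R"').replace("ssh-authorized-keys", "ssh_authorized_keys"))

def top_level_sections(text):
    """Map each column-0 key to its whitespace-stripped body lines (no PyYAML needed)."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][\w-]*):\s*(.*)$", line)
        if m:  # only matches at column 0, i.e. a top-level key
            current = m.group(1)
            sections[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def list_items(lines):
    """Return the '- item' entries of a block body with surrounding quotes removed."""
    return [l[2:].strip().strip("'\"") for l in lines if l.startswith("- ")]

def lint_user_data(text):
    """Return a list of findings; an empty list means the user-data passes."""
    findings = []
    if text.splitlines()[:1] != ["#cloud-config"]:
        findings.append("first line must be exactly '#cloud-config' or cloud-init ignores the document")
    sec = top_level_sections(text)
    for bad, good in MISSPELLED_KEYS.items():
        if bad in sec or any(l.startswith(bad + ":") for lines in sec.values() for l in lines):
            findings.append(f"'{bad}:' is not a cloud-init key (ignored, at most a schema warning); use '{good}:'")
    # Requirement 1 from the page: VMware tools via the packages: list.
    if "open-vm-tools" not in list_items(sec.get("packages", [])):
        findings.append("requirement: 'open-vm-tools' missing from packages:")
    # Requirement 2: Satellite registration via runcmd:.
    cmds = list_items(sec.get("runcmd", []))
    if not any("bootstrap.py" in c and "--activationkey" in c for c in cmds):
        findings.append("requirement: runcmd: never runs bootstrap.py with --activationkey")
    if not any("PermitRootLogin no" in c for c in cmds):
        findings.append("hardening: runcmd: does not set PermitRootLogin no")
    if sec.get("ssh_deletekeys") != ["true"]:
        findings.append("hardening: ssh_deletekeys should be true so template host keys are regenerated")
    seed = [l.split(":", 1)[1].strip() for l in sec.get("random_seed", []) if l.startswith("file:")]
    if seed and seed != ["/dev/urandom"]:
        findings.append(f"random_seed: file {seed[0]} does not exist; the kernel pool is /dev/urandom")
    if any(re.match(r"^- [\w.-]+: ", l) for l in sec.get("chpasswd", [])):
        findings.append("chpasswd: list entries must be 'user:password' strings, not 'user: password' mappings")
    if "lock_passwd: true" not in sec.get("users", []):
        findings.append("hardening: users: entries should set lock_passwd: true")
    return findings
```

Run lint_user_data() over your own user-data before pasting it into the request form; a clean run returns an empty list.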

This workflow deploys a blank VM with no installed operating system. To install an operating system:

  1. Request a new blank VM using the "Blank VM" catalog item in the hosting portal.
  2. Connect to the VM via a Remote Console session, mount your OS media ISO, and install your OS.

The Clone VM workflow lets you select an existing VM and clones (copies) it. You must have at least one existing VM to clone from. After cloning you can open a remote console to the new VM to perform any initial configuration. The clone is an exact copy of the original, including its NIC, Satellite (RHEL) and Active Directory (Windows) configuration. The cloned machine will not have network access, so you will need to know the local administrator/root password.

Windows VMs are typically fine to clone regardless of settings. On the cloned machine you will want to perform a few cleanup items:

  • Rename the machine
  • Disconnect from UFAD
  • Clean up the old NIC
  • Configure the new NIC with the correct IP
  • Join to UFAD

Linux VMs: if the MAC address is defined in the NIC configuration, cloning will result in the NIC coming up on the loopback address and you shouldn't have any issues. If the MAC is not defined in the NIC configuration, the NIC may try to start on the same IP as the original and cause a conflict.

  • Configure the NIC with the correct IP

All hosted VMs have a default backup job defined to run every day and retain the backup for 7 days. This retention period cannot be changed, but additional backups can be manually initiated and these backups will also be retained for 7 days.

When a VM is destroyed, the backups will age out according to the retention period. No changes need to be made to the backup job.

ON-DEMAND BACKUP

An On-Demand Backup is a snapshot that is retained for the retention period defined by the backup job. It does not impact the retention of existing backups and is just added to the chain.

  1. Navigate to VM Actions.
  2. From the Action menu, select On-Demand Backup.
  3. Click the Submit button.

RECOVER A VM

The Recover VM process first makes a VM backup before performing the restore.

  1. Navigate to VM Actions.
  2. From the Action menu, select Recover VM.
  3. Choose a Recovery Point from the list of available snapshots.
  4. Click the Submit button.

RECOVER A VM FILE OR FOLDER

You can perform a file/folder search, and recover the file or folder to the virtual machine. The Recover VM File process first makes a VM backup before performing the restore.

  1. Navigate to VM Actions.
  2. From the Action menu, select Recover VM File.
  3. Enter a string to search for a file or folder.
  4. Select the file or folder to be recovered.
  5. Select the version (backup date/time) of the file or folder to be recovered. "8 Copies" shown in the screenshot below indicates the file to be recovered is the same in all eight backups that exist.
  6. Selecting "Yes" to overwrite will replace the original file or folder with the backup's version. Selecting "No" will require an Alternate Restore Path.
  7. Enter credentials with access to the guest OS and to the file or folder to be recovered.
  8. Click the Submit button.

You can have a report emailed to you with details of the backup status of all VMs within a group. The email will contain a list of each VM and its backup details along with an attached CSV with the same data.

  1. In the hosting portal, on the "Catalog" page under the "Virtual Machine" service, request the "View VM Backup Status" catalog item.
  2. On the View VM Backup Status form, enter a comma-separated list of the email addresses you want the report sent to in the "Email" field and click "Submit".

In certain circumstances you may need to access your Virtual Machine directly using a console session. Common reasons for this are loss of network connectivity, a frozen/locked system, or installing an operating system. The instructions below will show you how to connect to your VM directly via a VMware Console session.

VMRC

For either of these methods to work you will need to download and install the VMware Virtual Machine Remote Console (VMRC) application for your workstation OS.

VPN REQUIREMENTS

To connect to the VM via VMRC you must be on the UF Hosting VPN.

  • You can get the VPN client from:
  • To connect to the UF Hosting VPN enter your username as:
    • GLID@ufl.edu/cnshosting

CONSOLE USING HOSTING PORTAL

  1. Download and install the VMRC application
  2. In the UF Hosting portal navigate to the Virtual Machine "Item" you want to console to.
  3. On the VM Item select the "Get Standalone VMRC Link" action.
  4. Copy the generated URL and paste it into a new browser window.
    1. If prompted, enter your GLID and password to authenticate.

To export a VM you will need to log into vCenter, power off the VM and export the VM.

  1. Log into the VMware vSphere Client with your GLID.
  2. Navigate to your VM, right click and select "Power > Shut Down Guest OS" to gracefully shut down the system or "Power > Power Off" to power it off.
  3. Once the VM is powered off, right click it and select "Template > Export OVF Template".
  4. Provide a destination and name for the exported VM and click "OK".

In the event the hosting portal is unavailable you can still access your VM by logging directly into the hypervisor management console. Note that only a subset of the functionality is available in the hypervisor management console. Access here is intended to be a backup to the hosting portal.

Click here to access the VMware vSphere Client

CONNECTING VIA CONSOLE SESSION

You will need to connect to the VM via a console session.

MOUNTING AN ISO

You will need to mount an ISO to install your OS from.

BOOTING TO AN ISO

We will install the OS from the ISO much as we would on physical hardware.

  1. Start or restart the VM to get to the BIOS screen by selecting "Player > Power > Power On/Restart Guest".
  2. After power on, press the "ESC" key to get to the Boot Menu; you will have 6 seconds at the BIOS screen.
  3. Select the "CD-ROM Drive" option.
  4. Install your OS.

INSTALLING VMWARE TOOLS

You need to install VMware Tools immediately after you've finished installing the operating system. The VMware Tools package includes the drivers for the virtual video card, disk controller, and network card that the machine needs.

If you would like to mount an ISO to your VM to install an operating system or to install software you can do so using the Virtual Machine Remote Console (VMRC) application. See the "How can I get console access to my VM?" FAQ item for instructions on establishing a console session to the VM.

  • To connect to the VMRC you must be on the UF Hosting VPN.
  • You can find instructions to download and install the VMRC from
    • "How can I get console access to my VM?"

  1. On a VM Item select the "Get Standalone VMRC Link" action.
  2. Copy the generated URL and paste it into a new browser window.
    1. If prompted, enter your GLID and password to authenticate.
  3. Select "Player" in the top left corner of the VMRC application.
  4. In the drop-down select "Removable Devices > CD/DVD drive 1" and select one of the following:
    1. Connect to X:
      • This will connect to your local machine's CD/DVD drive.
    2. Connect to Disk Image File (iso)...
      • This will let you select an ISO file to mount.

VMware tools are required to be installed on all VMs.

VMWARE TOOLS OVERVIEW

VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. Without VMware Tools installed in your guest operating system, the guest lacks important functionality and performs poorly.

If you are deploying a VM using the "Clone", "Windows Server", or "Red Hat Enterprise Linux" (using UFIT kickstarts with version 7 or above), VMware Tools will automatically be installed.

If you deploy a "Blank VM" and install your own OS or use the RHEL catalog item with a custom kickstart you will need to install VMware Tools.

INSTALLING AND UPDATING VMWARE TOOLS LINUX

The supported method for deploying and managing VMware Tools on Linux operating systems is to use the open-vm-tools package provided by the OS. The primary purpose of open-vm-tools is to enable operating system vendors and/or communities and virtual appliance vendors to bundle VMware Tools into their product releases. open-vm-tools is the open source implementation of VMware Tools and consists of a suite of virtualization utilities that improves the functionality, administration, and management of virtual machines within a VMware environment.

Installing open-vm-tools on Linux

INSTALLING VMWARE TOOLS WINDOWS

When deploying Windows VMs using the "Windows Server" catalog item in the self service portal, VMware tools are automatically installed.

If you deploy a "Blank VM" and install the Windows OS you will need to manually install VMware Tools.

  1. In the UF Hosting portal under the "Deployments" tab, select the deployment that contains the VM you want to update.
  2. Select the VM from the Components tab in the Deployment.
  3. Click the cog wheel next to the VM Component and select "Install Tools".
    • If this process doesn't complete successfully you can mount the tools ISO by running the "Mount Tools" action.
  4. In the OS install the VMware Tools from the mounted media.

Upgrading VMware Tools Windows

VMware Tools is configured to check the installed version automatically and, on Windows machines, to update it if necessary at each reboot.

If you want to manually update the VMware Tools you can run the "Upgrade Tools" action in the self service portal.

  1. In the UF Hosting portal under the "Deployments" tab, select the deployment that contains the VM you want to update.
  2. Select the VM from the Components tab in the Deployment.
  3. Click the cog wheel next to the VM Component and select "Upgrade Tools".
    • If this process doesn't complete successfully you can mount the tools ISO by running the "Mount Tools" action and install manually in the OS.

VM NICS

VMs created via the portal can only have one NIC. If you would like to add additional NICs to your VM please submit a help ticket.

VM NICs are placed on a single VLAN and can access any subnet on that VLAN.

NETWORKS

Customers can either request their own networks to use for their VMs or they can utilize one of our "shared" hosting networks.

When using a custom network the requestor will be required to provide an IP address. A PTR record for the VM's FQDN will be created in Infoblox if the VM is in the ad.ufl.edu domain.

When using a shared hosting network an IP address will automatically be assigned to your VM and a PTR record for the VM's FQDN will be created in Infoblox. An ITSM ticket will be created on the requestor's behalf and sent to the DNS team to associate the IP address with the requestor's unit and possibly create DNS A records.

NETWORK ACLS

For more detailed instructions on how to request custom network ACLs see the "How can I permit traffic to my hosted VM IP address?" item.

PRIVATE HOSTING NETWORK

Please note: Default ACLs are already in place on the private hosting network to allow connections from UFAD's servers, the UF security scanners, the UF name servers, and port 22 (SSH) and 3389 (RDP) from anyone on UF 10.0.0.0/16 IP space.

PUBLIC HOSTING NETWORK

Please note: There are no default ACLs on the public networks. This means that ACLs will need to be filed to open ports for incoming connections that need to communicate with any virtual machine.

ACLs can be defined per port, per machine (IP), per network range, or any combination of these. ACLs can also be restricted at the protocol level: UDP, TCP, both, or ICMP.

In most cases customers are listed as "subnet managers" for the IPs on which their VMs reside. This allows you to directly request ACL changes from Network Services. To request ACL changes immediately, put any requested ACLs in the VM request form in a comma separated format. This will generate an ITSM ticket on your behalf to Network Services requesting the ACLs you entered in the form. You can also request ACLs later by submitting a help ticket directly to Network Services.

Some typical ACL requests might be:

  • open ports 80,443 (tcp) for all IP addresses for virtual-apache-server.somebody.ufl.edu
  • open incoming connections to port 22 using tcp to host virtual-apache-server.somebody.ufl.edu from all hosts on campus
  • allow all incoming connections to host virtual-apache-server.somebody.ufl.edu from all hosts on network 10.241.33.0/24
  • allow incoming connections to ports 135-139 using tcp, port 135 using udp, and port 445 using tcp to hosts on ranges 10.241.33.0/24, 128.227.156.0/24
  • allow all connections to virtual hosts 10.241.33.200-225 from all hosts on network 128.227.0.240/27 using tcp or udp
  • permit icmp traffic to virtual host virtual-apache-server.somebody.ufl.edu from host 128.227.0.240

GROUP RESOURCE LIMITATIONS

To prevent any one group from consuming all available infrastructure resources, each business group is allocated an infrastructure resource reservation on each VMware compute cluster; this limits the amount of memory, disk, and networks available to the group. UFIT currently has one hosting compute cluster per datacenter. When a group reaches its resource limit, new deployments and modifications that exceed the limit will fail. When this happens, UFIT will increase the limit for the specific resource that has been exhausted.

The default resource limits are as follows:

  • Memory - 128GB
  • Disk - 4000GB in each tier
  • Network - Public and Private Shared Hosting Networks
    • If your group has any custom networks those will be added to your reservation.

VM RESOURCE LIMITATIONS

To allow for simple maintenance and efficiency there are default limits on the resources that can be allocated to a VM.

  • vCPU - 4
  • Memory - 16GB
  • Disk - 4000GB per disk
    • If you need a larger volume you can extend the volume in the OS using LVM or Disk Manager.

If you feel you need more than the limits please submit a help ticket and UFIT will discuss options with you.

Statistics regarding CPU usage, memory utilization, network performance, and disk performance for your hosted virtual machine are available from the VMware Client. You can view real-time sampled stats, historical statistics for a number of hours, days, weeks, or months, and export these figures to Excel spreadsheet format for further analysis.

  1. Sign in to the VMware vSphere Client with your GLID
  2. Select your VM from the Navigator pane on the left.
  3. In the VM properties pane in the center or right, select the "Monitor" tab.
  4. On the monitor page select the "Performance" button.
    • By default you will see "real time" performance statistics including the last day.

For more information about advanced performance monitoring features please see https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.monitoring.doc/GUID-17857489-FA76-4EFC-827B-D1C647F818CC.html.

Sizing and Performance

Be sure to follow our sizing and performance recommendations if you choose to modify your VM. See more info about sizing under the "My VM is running slow how can I make it faster?" FAQ item.

Yes, see the sizing and performance FAQ for more information.

See the sizing and performance FAQ for more information.

When configuring a virtual machine a Guest Operating System type is required. vSphere uses this information to set appropriate default values, name the files associated with the virtual machine, adjust performance settings, and work around special behaviors and bugs in the guest operating system, so it is important that the Guest Operating System type is set correctly. If the operating system you plan to install is not listed in the wizard, select Other for both the operating system and version.

When upgrading the operating system on a virtual machine the Guest Operating System setting should be updated before the operating system is upgraded. If this is not done the operating system could encounter issues after the upgrade.

There is no self-service functionality to update the Guest Operating System setting. To update the setting submit a ticket at assigned to the Virtual Machine Hosting queue with the name of the VM being upgraded and the operating system version you're upgrading to.

You can take snapshots of VMs to provide a short-term copy of the VM to revert to in the event a change made to the VM does not go as planned. When you create a VM snapshot a new hidden disk file is created and all subsequent changes to the VM are written to that hidden disk, so it can grow rapidly. It is strongly suggested that you retain snapshots only as long as they're required. While the snapshot file exists you will be billed for the disk space it consumes at the same rate as the disk tier the real disk is provisioned on.

Snapshots should be kept for the shortest period of time possible. Snapshots can consume disk space quickly and can degrade VM performance.

Snapshots can be taken and managed through the "Snapshot" actions of a VM "Item". There are three snapshot actions available:

  1. Create Snapshot
  2. Delete Snapshot
  3. Revert to Snapshot

Snapshots have the following limitations:

  • Maximum of 3 concurrent snapshots per VM
  • Snapshots will be automatically deleted after 14 days