Obs/bin/ObsDep/content/Powershell/Roles/Common/HostDscBootstrapConfig.psm1
|
<###################################################
# # # Copyright (c) Microsoft. All rights reserved. # # # ##################################################> Import-Module $PSScriptRoot\..\..\Common\NetworkHelpers.psm1 -DisableNameChecking -Verbose:$false | Out-Null Configuration NewComputeBootstrapDscConfiguration { Param ( [Parameter(Mandatory = $true)] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [System.String] $PsDscClient = 'localhost', [Parameter(Mandatory=$false)] [boolean] $EnableDataCenterBridging = $true, [Parameter(Mandatory=$true)] [hashtable] $NicBindingCriteria, [Parameter(Mandatory=$false)] [string] $IDNSProxyForwarders, [Parameter(Mandatory=$true)] [UInt64] $MinimumDiskBytes, [Parameter(Mandatory=$false)] [boolean] $DisableRemoteDesktop = $false ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName DSC.ProcessorPowerManagement Import-DscResource -ModuleName PDT.DSC.Networking Import-DscResource -ModuleName PDT.DSC.HyperV Import-DscResource -ModuleName PDT.DSC.Service Import-DscResource -ModuleName PDT.DSC.Utilities Import-DscResource -ModuleName PDT_MigrationProtocol Import-DscResource -ModuleName AS.Group Import-DscResource -ModuleName AS.DumpOnLargeHost Import-DscResource -ModuleName AS.WmiConfiguration Node $PsDscClient { # Workaround for the physical environment in the lab where WinRM has to be allowed on hosts at pre-deploy stage Log ASZHostDSCSkip { # DependsOn = '[PDTNetFirewallGroup]WinRM' Message = 'ASZ Host DSC Skipped' } <# # Enable the DSC Analytic log to capture verbose output of the configuration during bootstrap PDTEventLog 'DSCAnalytic' { LogName = 'Microsoft-Windows-DSC/Analytic' IsEnabled = $true MaximumSizeInBytes = [int]5Mb } # Allow Link Local Multicast Name Resolution through the # firewall, as lanmanserver needs it. PDTNetFirewallRule 'FPS-LLMNR-In-UDP' { Name = 'FPS-LLMNR-In-UDP' } #As part of the host hardening, we'll disable the following FW rules group PDTNetFirewallGroup 'AllJoyn Router' { Ensure = 'Absent' Name = 'AllJoyn Router' } PDTNetFirewallGroup 'mDNS' { Ensure = 'Absent' Name = 'mDNS' } #subset of CoreNet rules to be disabled PDTNetFirewallRule 'CoreNet-DHCPV6-In' { Ensure = 'Absent' Name = 'CoreNet-DHCPV6-In' } PDTNetFirewallRule 'CoreNet-Teredo-In' { Ensure = 'Absent' Name = 'CoreNet-Teredo-In' } PDTNetFirewallRule 'CoreNet-Teredo-Out' { Ensure = 'Absent' Name = 'CoreNet-Teredo-Out' } if ($DisableRemoteDesktop) { PDTNetFirewallGroup 'Remote Desktop Group' { Ensure = 'Absent' Name = 'Remote Desktop' } } # disable negative DNS cache # if a DNS query results in a negative response because the DNS server does not # have a record, by default the negative response is cached for 15 minutes # this disables the negative cache so the DNS client will be able to attempt # to resolve again - this will improve parallel steps where one step is expecting # another step to have created something in DNS Registry 'MaxNegativeCacheTtl' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' ValueName = 'MaxNegativeCacheTtl' ValueType = 'Dword' ValueData = '0' } # Setting Host/Infra identification for telemetry Registry 'VMType' { Key = 'HKLM:\SOFTWARE\Microsoft\Windows Azure' ValueName = 'VMType' ValueType = 'String' ValueData = 'AS-HOST' } # Wait for lanmanserver (SMB) to be fully available. Waiting # on this guarantees that a set of kernel- and user-mode services # are runnning and ready for use. PDTService lanmanserver { Name = 'lanmanserver' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Turn off deep power management states that reduce compute benchmark # performance. ProcessorPowerManagement C1Only { ComputerName = 'localhost' PowerScheme = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c' DeepestCState = 1 } # Enable dump on hosts that have a physical disk large enough to # handle the extra space needed. This will need a reboot to take # effect after initial deployment. Update will automatically add # this key on supported systems at image creation. ASDumpOnLargeHost DumpSettings { DependsOn = "[File]LiveKernelReportPathDirectoryCreation" Name = 'Dump Settings Dependent on Large Host' MinimumDiskBytes = $MinimumDiskBytes } # Ensure the LiveKernelReportsPath is created File LiveKernelReportPathDirectoryCreation { Type = 'Directory' DestinationPath = 'D:\AzureStack\LiveKernelReports' Ensure = "Present" } # Deploying a one-node host using an action plan involves setting # up that host without creating any virtual switches. This # DSC generation script will be handed a configuration which # has no switches and no vNICs. When setting anything else up, # there will be at least one external switch. if ($Node.ExternalSwitchNames.Count -ne 0) { if ($EnableDataCenterBridging) { PDTNetQosDcbxSetting 'Willing' { DependsOn = '[PDTService]lanmanserver' InterfaceAlias = 'Global' Willing = $false } # These next five ensure that SMB traffic and cluster heartbeat gets treated # with great respect by the switches. If you starve # storage and miss cluster heartbeat, the entire stamp can fall apart. PDTNetQosPolicyNetDirectPort 'SMBDirect' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'SMBDirect' NetDirectPort = 445 PriorityValue8021Action = $Node.NetQosPriority } PDTNetQosPolicyNetCluster 'Cluster' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Cluster' PriorityValue8021Action = 5 } PDTNetQosPolicyDefault 'Default' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Default' PriorityValue8021Action = 0 } PDTNetQosFlowControl 'FlowControl' { DependsOn = '[PDTNetQosPolicyNetDirectPort]SMBDirect' ComputerName = 'localhost' Priority = $Node.NetQosPriority } PDTNetQosTrafficClass 'SMBDirect' { DependsOn = @('[PDTNetQosPolicyNetDirectPort]SMBDirect','[PDTNetQosFlowControl]FlowControl') Name = 'SMBDirect' Algorithm = 'ETS' Priority = $Node.NetQosPriority BandwidthPercentage = 50 } PDTNetQosTrafficClass 'Cluster' { DependsOn = @('[PDTNetQosPolicyNetCluster]Cluster','[PDTNetQosFlowControl]FlowControl') Name = 'Cluster' Algorithm = 'ETS' Priority = 5 BandwidthPercentage = 2 } # This setting reserves space in Ethernet frames for network # virtualization metadata. PDTNetAdapterAdvancedProperty 'EncapOverhead' { DependsOn = '[PDTNetQosTrafficClass]SMBDirect' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*EncapOverhead' RegistryValue = 160 } # skip if it is virtual AzureStack $OEMRole = $Parameters.Roles["OEM"].PublicConfiguration $OEMModel = $OEMRole.PublicInfo.UpdatePackageManifest.UpdateInfo.Model if ($OEMModel -notmatch "Hyper-V") { PDTNetAdapterAdvancedProperty 'VirtualSwitchRSS' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*RssOnHostVPorts' RegistryValue = 1 } PDTNetAdapterAdvancedProperty 'DcbxMode' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = 'DcbxMode' RegistryValue = 0 } } # Turn on Quality of Service. PDTNetAdapterQos 'Qos' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' } } # Configure VFP Proxy settings Write-Verbose "Configure VFP Proxy settings on NCHostAgent" -Verbose $gatewayEndpoint = $Parameters.Roles["FabricRingServices"].PublicConfiguration.PublicInfo.RPCommonProperties.ServiceUri $gatewayUriBuilder = New-Object -TypeName System.UriBuilder -ArgumentList $gatewayEndpoint $gatewayPort = $gatewayUriBuilder.Port $gatewayUri = $gatewayUriBuilder.Uri.DnsSafeHost # VFP forwards to Gateway, use the Gateway port value for the services $imdsServiceAddress = '127.0.0.1' $garServiceAddress = $gatewayUri $wireServerServiceAddress = '127.0.0.1' $hostGAPluginServiceAddress = '127.0.0.1' $imdsServicePort = 80 $garServicePort = $gatewayPort $wireServerServicePort = 80 $hostGAPluginServicePort = 32526 # Proxy port values $imdsProxyPort = 15021 $garProxyPort = 15022 $wireServerProxyPort = 15023 $hostGAPluginProxyPort = 15025 Write-Verbose "Making IMDS proxied service registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerAddress' ValueData = $imdsServiceAddress } Registry 'Instance_Metadata_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServiceName' ValueData = 'IMDS' } Registry 'Instance_Metadata_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'Instance_Metadata_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'Instance_Metadata_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making GAR proxied service registry change for MCNP proxy" Registry 'GAR_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerAddress' ValueData = $garServiceAddress } Registry 'GAR_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServiceName' ValueData = 'gar' } Registry 'GAR_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $garServicePort } Registry 'GAR_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'GAR_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyProtocol' ValueData = 'HttpsNoTranslation' } Registry 'GAR_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 1 } Write-Verbose "Making WireServer proxied service registry change for MCNP proxy" Registry 'WireServer_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerAddress' ValueData = $wireServerServiceAddress } Registry 'WireServer_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServiceName' ValueData = 'WireServer' } Registry 'WireServer_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $wireServerServicePort } Registry 'WireServer_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'WireServer_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'WireServer_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making HostGAPlugin proxied service registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerAddress' ValueData = $hostGAPluginServiceAddress } Registry 'HostGAPlugin_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServiceName' ValueData = 'HostGAPlugin' } Registry 'HostGAPlugin_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $hostGaPluginServicePort } Registry 'HostGAPlugin_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'HostGAPlugin_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'HostGAPlugin_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making IMDS infra services registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'Port' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'Instance_Metadata_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making GAR infra services registry change for MCNP proxy" Registry 'GAR_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'Port' ValueType = 'Dword' ValueData = 81 } Registry 'GAR_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'GAR_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making WireServer infra services registry change for MCNP proxy" Registry 'WireServer_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'Port' ValueType = 'Dword' ValueData = 80 } Registry 'WireServer_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'WireServer_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making HostGAPlugin infra services registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'Port' ValueType = 'Dword' ValueData = $hostGAPluginServicePort } Registry 'HostGAPlugin_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'HostGAPlugin_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } # Enabling Windows Error Reporting to create user mode dumps on Host Registry 'Host_Application_LocalDump_DumpType' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpType' ValueType = 'Dword' ValueData = 1 } Registry 'Host_Application_LocalDump_DumpFolder' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpFolder' ValueType = 'ExpandString' ValueData = 'D:\AzureStack\CrashDumps' } Registry 'Host_Application_LocalDump_DumpCount' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpCount' ValueType = 'Dword' ValueData = 1 } # Disable SMB1 in registry, so that Get-SmbServerConfiguration won't report it as active Registry 'SMB1' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' ValueName = 'SMB1' ValueType = 'DWORD' ValueData = '0' } Registry 'RefsScrubNoOplock' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' ValueName = 'RefsScrubNoOplock' ValueType = 'DWORD' ValueData = '1' } Registry 'VSwitchDHCP_LeaseDuration' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'LeaseTime' ValueType = 'DWORD' ValueData = '0xFFFFFFFF' Force = $true Hex = $true } Registry 'VSwitchDHCP_Broadcast' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'IPv4Broadcast' ValueType = 'DWORD' ValueData = '1' Force = $true } Registry 'VSwitchDHCP_Option245WireServer' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'Option245WireServer' ValueType = 'String' ValueData = '168.63.129.16' Force = $true } # Win2021 will have these values by default # Revert back when Win2021 is released with Azure Stack Registry 'Host_PtNicDropLowResourcesPackets' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'PtNicDropLowResourcesPackets' ValueType = 'DWORD' ValueData = '1' } Registry 'Host_MaxVrssQueueAllocatedMBytes' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'MaxVrssQueueAllocatedMBytes' ValueType = 'DWORD' ValueData = '16' } # Set the NCHostAgent service to start automatically and # run in its own process. PDTService 'NCHostAgent' { Name = 'NCHostAgent' StartupType = 'Automatic' State = 'Running' Type = 'own' DependsOn = ` @( '[Registry]Instance_Metadata_Service_Server_Address' '[Registry]Instance_Metadata_Service_Server_Name' '[Registry]Instance_Metadata_Service_Server_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Address' '[Registry]Instance_Metadata_Service_Proxy_Protocol' '[Registry]Instance_Metadata_Service_Enable_Client_Auth' '[Registry]GAR_Service_Server_Address' '[Registry]GAR_Service_Server_Name' '[Registry]GAR_Service_Server_Port' '[Registry]GAR_Service_Proxy_Listening_Port' '[Registry]GAR_Service_Proxy_Listening_Address' '[Registry]GAR_Service_Proxy_Protocol' '[Registry]GAR_Service_Enable_Client_Auth' '[Registry]WireServer_Service_Server_Address' '[Registry]WireServer_Service_Server_Name' '[Registry]WireServer_Service_Server_Port' '[Registry]WireServer_Service_Proxy_Listening_Port' '[Registry]WireServer_Service_Proxy_Listening_Address' '[Registry]WireServer_Service_Proxy_Protocol' '[Registry]WireServer_Service_Enable_Client_Auth' '[Registry]HostGAPlugin_Service_Server_Address' '[Registry]HostGAPlugin_Service_Server_Name' '[Registry]HostGAPlugin_Service_Server_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Address' '[Registry]HostGAPlugin_Service_Proxy_Protocol' '[Registry]HostGAPlugin_Service_Enable_Client_Auth' '[Registry]Instance_Metadata_Service_Infra_Port' '[Registry]Instance_Metadata_Service_Infra_Proxy_Port' '[Registry]Instance_Metadata_Service_Infra_Address' '[Registry]Instance_Metadata_Service_Infra_MAC_Address' '[Registry]GAR_Service_Infra_Port' '[Registry]GAR_Service_Infra_Proxy_Port' '[Registry]GAR_Service_Infra_Address' '[Registry]GAR_Service_Infra_MAC_Address' '[Registry]WireServer_Service_Infra_Port' '[Registry]WireServer_Service_Infra_Proxy_Port' '[Registry]WireServer_Service_Infra_Address' '[Registry]WireServer_Service_Infra_MAC_Address' '[Registry]HostGAPlugin_Service_Infra_Port' '[Registry]HostGAPlugin_Service_Infra_Proxy_Port' '[Registry]HostGAPlugin_Service_Infra_Address' '[Registry]HostGAPlugin_Service_Infra_MAC_Address' '[Registry]VSwitchDHCP_LeaseDuration' '[Registry]VSwitchDHCP_Broadcast' '[Registry]VSwitchDHCP_Option245WireServer' ) } # DNS forwarders Registry 'DNSProxy_Forwarders' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSProxy\Parameters" ValueName = "Forwarders" ValueData = $IDNSProxyForwarders } # Start DnsProxy service and make it automatic Write-Verbose "Start DnsProxy service and make it automatic" -Verbose PDTService 'DnsProxy' { Name = 'DnsProxy' StartupType = 'Automatic' State = 'Running' Type = 'own' SkipIfNotFound = $true # This service is in RS1 but not in RS5, so set this to true to skip configuration on RS5. DependsOn = @('[PDTService]NCHostAgent', '[Registry]DNSProxy_Forwarders') } # DNS Proxy Service - Port and ProxyPort $idnsPort = 53 # DNS Proxy service port Registry 'DNSProxyService_Port' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "Port" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service proxy port Registry 'DNSProxyService_ProxyPort' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "ProxyPort" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS IP Address $cloudRole = $Parameters.Roles["Cloud"].PublicConfiguration $dnsIPAddress = $cloudRole.PublicInfo.NetworkConfiguration.iDNS.Endpoint # If the value is not defined, assign it a predefined value if (-not $dnsIPAddress) { $dnsIPAddress = "168.63.129.16" } # DNS Proxy service IP Address Registry 'DNSProxyService_IP' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "IP" ValueData = $dnsIPAddress DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service MAC $dnsProxyServiceMAC = "22-22-22-22-22-22" #A random mac address used to redirect the dns traffic, applied through vfp rules. These rules are created by the NCHostagent on reading the registry. Registry 'DNSProxyService_MAC' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "MAC" ValueData = $dnsProxyServiceMAC DependsOn = '[PDTService]NCHostAgent' } # Comment out this config for now. This firewall group is basically the same as the 4 firewall rules below combined. # Once switching to RS5, the 4 firewall rules should be removed and use this firewall group instead. # PDTNetFirewallGroup 'DNS Proxy Firewall' # { # Ensure = 'Present' # Name = 'DNS Proxy Firewall' # } # Enable some firewall rules needed by DNSProxy service PDTNetFirewallRule 'DnsProxy-TCP-In' { Name = 'DnsProxy-TCP-In' } PDTNetFirewallRule 'DnsProxy-UDP-In' { Name = 'DnsProxy-UDP-In' } PDTNetFirewallRule 'DnsProxy-TCP-Out' { Name = 'DnsProxy-TCP-Out' } PDTNetFirewallRule 'DnsProxy-UDP-Out' { Name = 'DnsProxy-UDP-Out' } # Wait for the Virtual Machine Management Service (VMMS) to start # before calling into it to create virtual switches. PDTService VMMS { Name = 'VMMS' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Specify that VM live migrations should be performed using the SMB # protocol. Live migration configuration is only relevant for multi-node configurations. $physicalNodes = $Parameters.Roles["BareMetal"].PublicConfiguration.Nodes.Node if ($physicalNodes.Count -gt 1) { PDT_MigrationProtocol SMB { DependsOn = '[PDTService]VMMS' ComputerName = 'localhost' Protocol = 'SMB' MaximumLiveMigrations = 1 SmbLiveMigrationBandwidthBytesPerSecond = 750MB } } # This gets filled in with all the things that should be in their # desired state before the PDTNetIPv6 (below) is configured. Specifically, # the switches should be built, the switch extensions should be installed # and the vNICs should be built. $IPv6Dependencies = @() # Build all the internal and external switches that the Cloud Definition # calls for. Install the Azure Switch extension on exactly one switch. # If there are internal switches, pick that one. $extensionOnExternalSwitch = $true foreach ($switchName in $Node.InternalSwitchNames) { # Internal switches bind to no NICs. PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' SwitchType = 'Private' Name = $switchName } # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" $extensionOnExternalSwitch = $false } # VMSwitch ID must remain the same across host reimages (in P&U case), so MD5 hash of the host name # (which is not changed across host reimages) is used as GUID for the VMSwitch ID. $encoding = New-Object System.Text.UnicodeEncoding $hostNameBytes = $encoding.GetBytes($Node.NodeName.ToLower()) $memstream = New-Object System.IO.MemoryStream -ArgumentList @(100) try { $memstream.Write($hostNameBytes, 0, $hostNameBytes.Count) $memstream.Seek(0, [System.IO.SeekOrigin]::Begin) $hash = Get-FileHash -InputStream $memstream -Algorithm MD5 $vmswitchId = [Guid]::Parse($hash.Hash) } finally { if($memstream -ne $null) { $memstream.Close() } } $UnboundNICDependencies = @() foreach ($switchName in $Node.ExternalSwitchNames) { # Bind external switches to all NICs that go fast (at least 10Gb.) switch ($NicBindingCriteria.NetAdapterCriteriaType) { 'Speed' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName SwitchType = 'External' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue } } 'AdvancedProperty' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName Id = $vmswitchId SwitchType = 'External' NetAdapterCriteriaType = 'AdvancedProperty' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue LoadBalancingAlgorithm = 'HyperVPort' } } default { throw "Unhandled switch binding criteria $($NicBindingCriteria.NetAdapterCriteriaType)" } } # Record this as something that the unbound NICs rule depends on. $UnboundNICDependencies += "[PDTVMSwitch]$switchName" if ($extensionOnExternalSwitch) { # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" } else { $IPv6Dependencies += "[PDTVMSwitch]$switchName" } } # Enable IPv6 on all interfaces. (Should this depend on the NICs, not # the switches? Or is the point to do this before vNICs are built?) PDTNetIPv6 'IPv6' { DependsOn = $IPv6Dependencies ComputerName = 'localhost' } # Stop ISATAP. Not needed on stamp and groupthink says that it was # causing problems in some of our testing environments. PDTNetISATAP 'ISATAP' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' Ensure = 'Absent' } # Ensure that all NICs not in use for virtualization are disabled. # For One-Node, skip this step as it has been checked elsewhere that it has only active NIC. if(-not $Node.InternalSwitchNames) { PDTNetUnboundNIC 'DisableUnboundNICs' { DependsOn = $UnboundNICDependencies ComputerName = 'localhost' State = 'Disabled' } } # One-node deployments don't have a domain on the host. If there is # one, however, record the DNS suffix. if ($Node.DomainFQDN) { PDTNetGlobalDNS 'GlobalDNSSuffixes' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' SuffixList = $Node.DomainFQDN } } # This gets filled in with management OS NIC names $ManagementOSNicNames = @() # Set up the vNICs on the host. $RdmaNICs = @() $RdmaNICNames = @() $FirewallGroups = @{} foreach ($nicName in $Node.NicNames) { Write-Verbose "Creating vNIC $nicName on Node $($Node.NodeName)." # Create (or delete) the vNIC itself. if ([string]::IsNullOrEmpty($Node.("${nicName}MacAddress"))) { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") PriorityTag = 'On' } } else { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") MacAddress = $Node.("${nicName}MacAddress") PriorityTag = 'On' } } # Record these as VFP Firewall rules will depend on these. $ManagementOSNicNames += "[PDTVMNetworkAdapterManagementOS]$nicName" # If the vNIC above was being created, set RDMA state # and assign an IP address. if ($Node.("${nicName}Ensure") -ne 'Absent') { if ($Node.("${nicName}Rdma")) { Write-Verbose "VNIC $nicName is a RDMA NIC on Node $($Node.NodeName). Add it to RdmaNICs list." PDTNetAdapterRdma $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName } $RdmaNICs += "[PDTNetAdapterRdma]$nicName" $RdmaNICNames += "$nicName" } # In one-node host scenario, if the vNIC above was created with physical NIC's MAC address, the vNIC would get either # a DHCP IP address (if PNIC is using DHCP) or a static IP copied from the PNIC (if PNIC is using static IP). In either case, # there is no need to set the IP address explicitly again. # The "DoNotSetIPAddress" flag is only set to TRUE in one-node scenario. if (!$Node.("${nicName}DoNotSetIPAddress")) { $defGateway = $Node.("${nicName}IPv4DefaultGateway") $useDefaultGateway = $Node.("${nicName}UseDefaultGateway") if ($useDefaultGateway -eq $true) { Write-Verbose "VNIC $nicName is using default gateway $defGateway on Node $($Node.NodeName)." } else { Write-Verbose "VNIC $nicName is not using default gateway on Node $($Node.NodeName)." } $registerThisConnectionsAddress = $Node.("${nicName}RegisterThisConnectionsAddress") if ($useDefaultGateway -eq $true) { # this is to configure IP for HostNic which has default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DefaultGateway = $defGateway DnsRegistration = $registerThisConnectionsAddress } } else { # this is to configure IPs for Storage NICs which do not have default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DnsRegistration = $registerThisConnectionsAddress } } $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTNetIPAddress]$nicName" Profile = $netProfile Name = $nicName } } } else { $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" Profile = $netProfile Name = $nicName } } } $firewallRules = $Node.("${nicName}FirewallRules") foreach ($rule in $firewallRules) { $groupName = $rule.Group if (-not $FirewallGroups.$groupName) { $FirewallGroups.$groupName = New-Object PSObject -Property @{Enabled = $rule.Enabled; InterfaceAlias = @()} } $FirewallGroups.$groupName.InterfaceAlias += $nicName } } } # Set up the firewall rules for MCNP Proxy, depends on the Management OS Nic Write-Verbose "Setting firewall rules for MCNP proxy" xFirewall 'HostGAPlugin Proxy Rule (Inbound)' { Name = 'HostGAPlugin Proxy Rule (Inbound)' DisplayName = 'HostGAPlugin Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($hostGAPluginProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'WireServer Proxy Rule (Inbound)' { Name = 'WireServer Proxy Rule (Inbound)' DisplayName = 'WireServer Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($wireServerProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Outbound' { Name = 'Instance-Metadata-Server-Proxy-Outbound' DisplayName = 'Instance-Metadata-Server-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Inbound' { Name = 'Instance-Metadata-Server-Proxy-Inbound' DisplayName = 'Instance-Metadata-Server-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Outbound' { Name = 'GAR-Proxy-Outbound' DisplayName = 'GAR-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Inbound' { Name = 'GAR-Proxy-Inbound' DisplayName = 'GAR-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } # Make policies about which pNICs are used for RDMA via each vNIC. if ($RdmaNICs.Count -ne 0) { PDTNetRDMARoutes 'RDMARoutes' { Name = 'Storage*' DependsOn = $RdmaNICs Strategy = 'roundrobin' } } foreach ($group in $FirewallGroups.GetEnumerator()) { $depends = ($group.Value.InterfaceAlias | ForEach-Object {'[PDTVMNetworkAdapterManagementOS]' + $_}) if ($group.Value.Enabled) { $ensure = 'Present' } else { $ensure = 'Absent' } PDTNetFirewallGroup $group.Name { DependsOn = $depends Name = $group.Key InterfaceAlias = $group.Value.InterfaceAlias Ensure = $ensure } } # ASZ - No ASDK mode # Multi-node hosts are hatched already joined to a domain, so we can # add administrators here. # if ($physicalNodes.Count -gt 1) # { $firstPhysicalNode = $physicalNodes | Select-Object -First 1 $localAdmins = $firstPhysicalNode.LocalAdmins.Admin ASGroup 'LocalAdministrators' { DependsOn = $depends GroupName = 'Administrators' MembersToInclude = $localAdmins.Name } # } # In Multi-cluster scenario, the hosts' storage NICs should have static routes to other clusters' storage networks if (IsNetworkSchemaVersion2021($Parameters)) { Write-Verbose "This deployment is using network schema version 2021, which support multiple Scale Units." $localClusterId = $Node.RefClusterId Write-Verbose "Finding local storage network for cluster $($localClusterId) on Node $($Node.NodeName)." $localNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $localClusterId $localClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC1" $localClusterStorageNetwork = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorageNetworkName} if ($localClusterStorageNetwork) { Write-Verbose "Storage Network $localClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $localClusterStorageNetworkName was not found for Node $($Node.NodeName)." } Write-Verbose "Finding local storage2 network for cluster $($localClusterId) on Node $($Node.NodeName)." $localClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC2" $localClusterStorage2Network = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorage2NetworkName} if ($localClusterStorage2Network) { Write-Verbose "Storage2 Network $localClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $localClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $allOtherClusters = $Parameters.Roles["Cluster"].PublicConfiguration.Clusters.Node | Where-Object { $_.Id -ne $localClusterId } # for each additional SU, create two static routes for each storage VNIC on local cluster node, so that there will be 4 such routes per SU: # 1. To other SU's Storage network 1 via vNIC1's default gateway # 2. To other SU's Storage network 2 via vNIC1's default gateway # 3. To other SU's Storage network 1 via vNIC2's default gateway # 4. To other SU's Storage network 2 via vNIC2's default gateway foreach ($otherCluster in $allOtherClusters) { Write-Verbose "Finding storage network in cluster $($otherCluster.Name) for Node $($Node.NodeName)." $otherClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC1" $otherClusterNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $otherCluster.Name $otherClusterStorageNetwork = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorageNetworkName} if ($otherClusterStorageNetwork) { Write-Verbose "Storage Network $otherClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $otherClusterStorageNetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix = $otherClusterStorageNetwork.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage network $destinationPrefix for Node $($Node.NodeName)." $otherClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC2" $otherClusterStorage2Network = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorage2NetworkName} if ($otherClusterStorage2Network) { Write-Verbose "Storage2 Network $otherClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $otherClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix2 = $otherClusterStorage2Network.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage2 network $destinationPrefix2 for Node $($Node.NodeName)." foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $destinationPrefix via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix NextHop = $nextHop } Write-Verbose "Creating static route to $destinationPrefix2 via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix2" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix2 NextHop = $nextHop } } } } # This will increase the default WMI limit of 4096 WMI HandlesPerHost to 8192. # We believe this will avoid some of our WMI throttling errors and WMI service crashes WmiConfiguration 'WmiQuotaConfig' { ComputerName = "localhost" HandlesPerHost = 8192 } # When NAS cluster(s) integrated, the hosts' storage NICs should have static routes to the NAS storage networks # So that Blob data traffic can go through the storage NICs $nasClusters = $Parameters.Roles["NasCluster"].PublicConfiguration.NasClusters.Node foreach ($nasCluster in $nasClusters) { $nasName = $nasCluster.Name $nasStorageSubnet = $nasCluster.NasClusterNetworks.StorageNetwork.Subnet Write-Verbose "Found NasCluster:[$nasName], StorageSubnet:[$nasStorageSubnet]" -Verbose foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $nasStorageSubnet via NextHop $nextHop for NIC $rdmaNicName on Node $($Node.NodeName)." -Verbose if (-not $nasStorageSubnet -or -not $nextHop) { throw "Invalid static route parameter" } xRoute "$rdmaNicName-$nasStorageSubnet" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $nasStorageSubnet NextHop = $nextHop } } } } #> } } Export-ModuleMember -Function NewComputeBootstrapDscConfiguration # SIG # Begin signature block # MIInwQYJKoZIhvcNAQcCoIInsjCCJ64CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDmFCyiASpkQQ42 # 7UjzkweDZpTBLQz8ff+ygPosqgc6aaCCDXYwggX0MIID3KADAgECAhMzAAADTrU8 # esGEb+srAAAAAANOMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMwMzE2MTg0MzI5WhcNMjQwMzE0MTg0MzI5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDdCKiNI6IBFWuvJUmf6WdOJqZmIwYs5G7AJD5UbcL6tsC+EBPDbr36pFGo1bsU # p53nRyFYnncoMg8FK0d8jLlw0lgexDDr7gicf2zOBFWqfv/nSLwzJFNP5W03DF/1 # 1oZ12rSFqGlm+O46cRjTDFBpMRCZZGddZlRBjivby0eI1VgTD1TvAdfBYQe82fhm # WQkYR/lWmAK+vW/1+bO7jHaxXTNCxLIBW07F8PBjUcwFxxyfbe2mHB4h1L4U0Ofa # +HX/aREQ7SqYZz59sXM2ySOfvYyIjnqSO80NGBaz5DvzIG88J0+BNhOu2jl6Dfcq # jYQs1H/PMSQIK6E7lXDXSpXzAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUnMc7Zn/ukKBsBiWkwdNfsN5pdwAw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMDUxNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAD21v9pHoLdBSNlFAjmk # mx4XxOZAPsVxxXbDyQv1+kGDe9XpgBnT1lXnx7JDpFMKBwAyIwdInmvhK9pGBa31 # TyeL3p7R2s0L8SABPPRJHAEk4NHpBXxHjm4TKjezAbSqqbgsy10Y7KApy+9UrKa2 # kGmsuASsk95PVm5vem7OmTs42vm0BJUU+JPQLg8Y/sdj3TtSfLYYZAaJwTAIgi7d # hzn5hatLo7Dhz+4T+MrFd+6LUa2U3zr97QwzDthx+RP9/RZnur4inzSQsG5DCVIM # pA1l2NWEA3KAca0tI2l6hQNYsaKL1kefdfHCrPxEry8onJjyGGv9YKoLv6AOO7Oh # JEmbQlz/xksYG2N/JSOJ+QqYpGTEuYFYVWain7He6jgb41JbpOGKDdE/b+V2q/gX # UgFe2gdwTpCDsvh8SMRoq1/BNXcr7iTAU38Vgr83iVtPYmFhZOVM0ULp/kKTVoir # IpP2KCxT4OekOctt8grYnhJ16QMjmMv5o53hjNFXOxigkQWYzUO+6w50g0FAeFa8 # 5ugCCB6lXEk21FFB1FdIHpjSQf+LP/W2OV/HfhC3uTPgKbRtXo83TZYEudooyZ/A # Vu08sibZ3MkGOJORLERNwKm2G7oqdOv4Qj8Z0JrGgMzj46NFKAxkLSpE5oHQYP1H # tPx1lPfD7iNSbJsP6LiUHXH1MIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGaEwghmdAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAANOtTx6wYRv6ysAAAAAA04wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIPqjjog4gM+uXz+LWS1sg/2b # A5C7PfmGL8UIwSvh3t6iMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAs2FU6ZzKQMuJPtwI8ld9jC3EDTLwm2GXD46/BnJCSuvcfCYjqsJKtB8w # Xume/77uLojExLytlnC5E06k1byGtKV4ZoPVOP/l9DTdOOqyhze2szjW1G9zbdFU # V+hahrPe5/ljR+jUNCDHK0tr2YPrvxLNlc/ealfRZpnvT5c/Agzw6uVOWc+Jv/Uj # 3sqkCnqUWEb+IlZroC87FRQaJ9H8I4R/UAeDVLzyvyAOxVxRz0aNnFMuLyemggUT # 5YJh8njM9r2qnTobvEveCb6cTXJYN9xC8PyORT8qF1YLmog28Nw9SewQcTlybNwW # wjxZ90Wu9K0uMT/o9/H5jaKpLYKSK6GCFyswghcnBgorBgEEAYI3AwMBMYIXFzCC # FxMGCSqGSIb3DQEHAqCCFwQwghcAAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFYBgsq # hkiG9w0BCRABBKCCAUcEggFDMIIBPwIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCCBpZTTmIn7CRoyGt6E6y8q5SeHAC6E4DTPQGFeIq3ARQIGZQuU30s8 # GBIyMDIzMDkyMjA4MzIxMS43OFowBIACAfSggdikgdUwgdIxCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVs # YW5kIE9wZXJhdGlvbnMgTGltaXRlZDEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046 # RkM0MS00QkQ0LUQyMjAxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNl # cnZpY2WgghF7MIIHJzCCBQ+gAwIBAgITMwAAAbn2AA1lVE+8AwABAAABuTANBgkq # hkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ # MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u # MSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yMjA5 # MjAyMDIyMTdaFw0yMzEyMTQyMDIyMTdaMIHSMQswCQYDVQQGEwJVUzETMBEGA1UE # CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z # b2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVy # YXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkZDNDEtNEJE # NC1EMjIwMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIC # IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA40k+yWH1FsfJAQJtQgg3EwXm # 5CTI3TtUhKEhNe5sulacA2AEIu8JwmXuj/Ycc5GexFyZIg0n+pyUCYsis6Odietu # hwCeLGIwRcL5rWxnzirFha0RVjtVjDQsJzNj7zpT/yyGDGqxp7MqlauI85ylXVKH # xKw7F/fTI7uO+V38gEDdPqUczalP8dGNaT+v27LHRDhq3HSaQtVhL3Lnn+hOUosT # TSHv3ZL6Zpp0B3LdWBPB6LCgQ5cPvznC/eH5/Af/BNC0L2WEDGEw7in44/3zzxbG # RuXoGpFZe53nhFPOqnZWv7J6fVDUDq6bIwHterSychgbkHUBxzhSAmU9D9mIySqD # FA0UJZC/PQb2guBI8PwrLQCRfbY9wM5ug+41PhFx5Y9fRRVlSxf0hSCztAXjUeJB # LAR444cbKt9B2ZKyUBOtuYf/XwzlCuxMzkkg2Ny30bjbGo3xUX1nxY6IYyM1u+Wl # wSabKxiXlDKGsQOgWdBNTtsWsPclfR8h+7WxstZ4GpfBunhnzIAJO2mErZVvM6+L # i9zREKZE3O9hBDY+Nns1pNcTga7e+CAAn6u3NRMB8mi285KpwyA3AtlrVj4RP+Vv # RXKOtjAW4e2DRBbJCM/nfnQtOm/TzqnJVSHgDfD86zmFMYVmAV7lsLIyeljT0zTI # 90dpD/nqhhSxIhzIrJUCAwEAAaOCAUkwggFFMB0GA1UdDgQWBBS3sDhx21hDmgmM # TVmqtKienjVEUjAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNV # HR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Ny # bC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYI # KwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAy # MDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMI # MA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAzdxns0VQdEywsrOO # Xusk8iS/ugn6z2SS63SFmJ/1ZK3rRLNgZQunXOZ0+pz7Dx4dOSGpfQYoKnZNOpLM # FcGHAc6bz6nqFTE2UN7AYxlSiz3nZpNduUBPc4oGd9UEtDJRq+tKO4kZkBbfRw1j # euNUNSUYP5XKBAfJJoNq+IlBsrr/p9C9RQWioiTeV0Z+OcC2d5uxWWqHpZZqZVzk # Bl2lZHWNLM3+jEpipzUEbhLHGU+1x+sB0HP9xThvFVeoAB/TY1mxy8k2lGc4At/m # RWjYe6klcKyT1PM/k81baxNLdObCEhCY/GvQTRSo6iNSsElQ6FshMDFydJr8gyW4 # vUddG0tBkj7GzZ5G2485SwpRbvX/Vh6qxgIscu+7zZx4NVBC8/sYcQSSnaQSOKh9 # uNgSsGjaIIRrHF5fhn0e8CADgyxCRufp7gQVB/Xew/4qfdeAwi8luosl4VxCNr5J # R45e7lx+TF7QbNM2iN3IjDNoeWE5+VVFk2vF57cH7JnB3ckcMi+/vW5Ij9IjPO31 # xTYbIdBWrEFKtG0pbpbxXDvOlW+hWwi/eWPGD7s2IZKVdfWzvNsE0MxSP06fM6Uc # r/eas5TxgS5F/pHBqRblQJ4ZqbLkyIq7Zi7IqIYEK/g4aE+y017sAuQQ6HwFfXa3 # ie25i76DD0vrII9jSNZhpC3MA/0wggdxMIIFWaADAgECAhMzAAAAFcXna54Cm0mZ # AAAAAAAVMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMDAeFw0yMTA5MzAxODIyMjVaFw0zMDA5MzAxODMyMjVa # MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT # HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIICIjANBgkqhkiG9w0BAQEF # AAOCAg8AMIICCgKCAgEA5OGmTOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51yMo1 # V/YBf2xK4OK9uT4XYDP/XE/HZveVU3Fa4n5KWv64NmeFRiMMtY0Tz3cywBAY6GB9 # alKDRLemjkZrBxTzxXb1hlDcwUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9cmmv # Haus9ja+NSZk2pg7uhp7M62AW36MEBydUv626GIl3GoPz130/o5Tz9bshVZN7928 # jaTjkY+yOSxRnOlwaQ3KNi1wjjHINSi947SHJMPgyY9+tVSP3PoFVZhtaDuaRr3t # pK56KTesy+uDRedGbsoy1cCGMFxPLOJiss254o2I5JasAUq7vnGpF1tnYN74kpEe # HT39IM9zfUGaRnXNxF803RKJ1v2lIH1+/NmeRd+2ci/bfV+AutuqfjbsNkz2K26o # ElHovwUDo9Fzpk03dJQcNIIP8BDyt0cY7afomXw/TNuvXsLz1dhzPUNOwTM5TI4C # vEJoLhDqhFFG4tG9ahhaYQFzymeiXtcodgLiMxhy16cg8ML6EgrXY28MyTZki1ug # poMhXV8wdJGUlNi5UPkLiWHzNgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9QBXps # xREdcu+N+VLEhReTwDwV2xo3xwgVGD94q0W29R6HXtqPnhZyacaue7e3PmriLq0C # AwEAAaOCAd0wggHZMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYE # FCqnUv5kxJq+gpE8RjUpzxD/LwTuMB0GA1UdDgQWBBSfpxVdAF5iXYP05dJlpxtT # NRnpcjBcBgNVHSAEVTBTMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNo # dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5o # dG0wEwYDVR0lBAwwCgYIKwYBBQUHAwgwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBD # AEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZW # y4/oolxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5t # aWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAt # MDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0y # My5jcnQwDQYJKoZIhvcNAQELBQADggIBAJ1VffwqreEsH2cBMSRb4Z5yS/ypb+pc # FLY+TkdkeLEGk5c9MTO1OdfCcTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulmZzpT # Td2YurYeeNg2LpypglYAA7AFvonoaeC6Ce5732pvvinLbtg/SHUB2RjebYIM9W0j # VOR4U3UkV7ndn/OOPcbzaN9l9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECWOKz3 # +SmJw7wXsFSFQrP8DJ6LGYnn8AtqgcKBGUIZUnWKNsIdw2FzLixre24/LAl4FOmR # sqlb30mjdAy87JGA0j3mSj5mO0+7hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3UwxTSw # ethQ/gpY3UA8x1RtnWN0SCyxTkctwRQEcb9k+SS+c23Kjgm9swFXSVRk2XPXfx5b # RAGOWhmRaw2fpCjcZxkoJLo4S5pu+yFUa2pFEUep8beuyOiJXk+d0tBMdrVXVAmx # aQFEfnyhYWxz/gq77EFmPWn9y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/AsGConsX # HRWJjXD+57XQKBqJC4822rpM+Zv/Cuk0+CQ1ZyvgDbjmjJnW4SLq8CdCPSWU5nR0 # W2rRnj7tfqAxM328y+l7vzhwRNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEGahC0 # HVUzWLOhcGbyoYIC1zCCAkACAQEwggEAoYHYpIHVMIHSMQswCQYDVQQGEwJVUzET # MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV # TWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJlbGFu # ZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkZD # NDEtNEJENC1EMjIwMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2 # aWNloiMKAQEwBwYFKw4DAhoDFQDHYh4YeGTnwxCTPNJaScZwuN+BOqCBgzCBgKR+ # MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT # HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBBQUAAgUA # 6LdkvjAiGA8yMDIzMDkyMjA4NTYzMFoYDzIwMjMwOTIzMDg1NjMwWjB3MD0GCisG # AQQBhFkKBAExLzAtMAoCBQDot2S+AgEAMAoCAQACAg1YAgH/MAcCAQACAhPKMAoC # BQDouLY+AgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEA # AgMHoSChCjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEFBQADgYEAQm9iSq0IOL5FLpWE # chS2lLaSXHets0abzwtnPFhR+50tG4o2Kkf9V14BvBkP08A9znR6szFyynSrCAvO # JRR2UMCB2wSupsf5NEvz9N/3DlBqzkgLI4ryCLrc4mwlrTX0OhlZRoV8UDUBa6Li # afgNaNoC1lezHIfjF2O6CfrwPwwxggQNMIIECQIBATCBkzB8MQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt # ZS1TdGFtcCBQQ0EgMjAxMAITMwAAAbn2AA1lVE+8AwABAAABuTANBglghkgBZQME # AgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJ # BDEiBCAEL4mm1BcjbbpNeOHEYVpWgSOGoymoAlRwh9k0tz4niTCB+gYLKoZIhvcN # AQkQAi8xgeowgecwgeQwgb0EIGTrRs7xbzm5MB8lUQ7e9fZotpAVyBwal3Cw6iL5 # +g/0MIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAG5 # 9gANZVRPvAMAAQAAAbkwIgQgG5EM1Zmo1gEwCu37TYtl/hVraRtp3qmNyEH77RET # 5Q0wDQYJKoZIhvcNAQELBQAEggIAFrmhmz8qTq09zpbj1ZtnWn+WVCvvz8H4Q1TE # PC29XsWCSRhxA6uFhvTS+U6/ACrphFG0ZVnljcxYw+Fx+Orp3RmlTdormGdM2il8 # h7vVNIReFHEk5LLAs7Ohucqg3G155Dg6WZIufsDNYvGJOh/SHE/E5wVRa0Wg+BLf # XZ19QJI7KMGGbMVxxK1zitUcQxFY6EbVRq2/pPduZMKm5xtrn+SWI+ofKU4emwos # LyTbFHwCDyWQCVpcF2TJmaAH93CtbGDAofikox/etjAu53Gy6IY2FTxojYGK5XFv # EI/Ijth5lYoQWv1PF3TMJSUCBb1/chixkNP9WHMvNlVaffzQRULs3VWa92PuLfo/ # oa3ote9WUdE/4OI9f2+SotBXUXG8PY763vwsIumcMDwts82R7IaWYjd6Ulu0Uq85 # VVBWiN33SlL0zhauQD5mncIiC989ZPXOQvWoseqgvXDzRw/GiHIwk+Y/ZJL1EXqo # 2hMz1Uc27XE2VteTaEXxIOeP96A4H91Fi+BleiD0OmuQbDXT7uRYQ54nbUfjvL6L # BnN2ImW5ZdBZS04n3QJ/c5jqeJYbfEpbNEhJhwJTeJyMYvwSbv7YAH2bz4cOXLKb # 4tHkSTeKrzewv5/FloUlcDdtW4Yile0QeG8BBmW+REHUlV9dwK7v/ZOpPQCvEPxS # fVATrYg= # SIG # End signature block |