Run Windows guests
Available since MOSK 24.1 TechPreview
MOSK enables users to configure and run Windows guests on OpenStack, which allows for optimization of cloud infrastructure for diverse workloads. This section delves into the nuances of achieving seamless integration between the Windows operating system and MOSK clouds.
Supported Windows versions
The list of the supported Windows versions includes:
Windows 10 22H2
Windows 11 23H2
Note
Other versions of the Windows operating system may function, but their compatibility is unverified.
Configuring Windows images or flavors
You can configure Windows guests through the image metadata properties os_distro and os_type or through the flavor extra specs os:distro and os:type.
Configuration example using image metadata properties:
$ openstack image set $WINDOWS_IMAGE \
--property os_distro=windows \
--property os_type=windows
You can also set up Windows guests to use UEFI Secure Boot and an emulated virtual Trusted Platform Module (TPM). This configuration strengthens the security of Windows virtual machines in the OpenStack environment.
Note
Windows 11 has a security system requirement: UEFI Secure Boot must be activated and TPM version 2.0 must be enabled.
Configuration example for the image with Windows 11:
$ openstack image set $WINDOWS_IMAGE \
--property os_distro=windows \
--property os_type=windows \
--property hw_firmware_type=uefi \
--property hw_machine_type=q35 \
--property os_secure_boot=required \
--property hw_tpm_model=tpm-tis \
--property hw_tpm_version=2.0
Enabling UEFI Secure Boot
To confirm support for the UEFI Secure Boot feature, examine the traits associated with the compute node resource provider:
$ COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
$ openstack resource provider trait list $COMPUTE_UUID | grep COMPUTE_SECURITY_UEFI_SECURE_BOOT
| COMPUTE_SECURITY_UEFI_SECURE_BOOT |
You can configure the UEFI Secure Boot support through flavor extra specs or image metadata properties. For x86_64 hosts, enabling secure boot also necessitates configuring the use of the Q35 machine type. MOSK enables you to configure this on a per-guest basis using the hw_machine_type image metadata property.
Configuration example for the image that meets both requirements:
$ openstack image set $IMAGE \
--property hw_firmware_type=uefi \
--property hw_machine_type=q35 \
--property os_secure_boot=required
Enabling vTPM
Caution
MOSK does not support the live migration operation for instances with virtual Trusted Platform Module (vTPM) enabled.
To confirm support for the vTPM feature, examine the traits associated with the compute node resource provider:
$ COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
$ openstack resource provider trait list $COMPUTE_UUID | grep SECURITY_TPM
| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |
A vTPM can be requested for a server through either flavor extra specs or image metadata properties. There are two supported TPM versions: 1.2 and 2.0, along with two models: TPM Interface Specification (TIS) and Command-Response Buffer (CRB). Notably, the CRB model is only supported with version 2.0.
| TPM version | 1.2 | 2.0 |
|---|---|---|
| TPM Interface Specification (TIS) model | Supported | Supported |
| Command-Response Buffer (CRB) model | Not supported | Supported |
Configuration example for a flavor that uses TPM 2.0 with the TIS model:
$ openstack flavor set $FLAVOR \
--property hw:tpm_version=2.0 \
--property hw:tpm_model=tpm-tis
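The property constraints from the UEFI Secure Boot and vTPM sections above can be checked before an image is updated. The following is an added example, not MOSK or OpenStack code: the function names and the win11/any profile argument are hypothetical, input uses the image metadata property names, and tpm-crb is the Nova value for the CRB model, which this page does not show.

```shell
#!/usr/bin/env bash
# Added example: lint image metadata properties before "openstack image set".
# prop NAME PAIR...: print the value of NAME from key=value pairs (empty if absent).
prop() {
    local name="$1" kv
    shift
    for kv in "$@"; do
        if [ "${kv%%=*}" = "$name" ]; then
            printf '%s' "${kv#*=}"
            return 0
        fi
    done
    return 0
}

# check_guest_props PROFILE PAIR...: print one finding per line;
# return 0 when the property set is consistent, 1 otherwise.
check_guest_props() {
    local profile="$1" fw mt sb model ver rc=0
    shift
    fw=$(prop hw_firmware_type "$@")
    mt=$(prop hw_machine_type "$@")
    sb=$(prop os_secure_boot "$@")
    model=$(prop hw_tpm_model "$@")
    ver=$(prop hw_tpm_version "$@")
    if [ "$sb" = required ]; then
        [ "$fw" = uefi ] || { echo "os_secure_boot=required needs hw_firmware_type=uefi"; rc=1; }
        [ "$mt" = q35 ] || { echo "os_secure_boot=required needs hw_machine_type=q35 on x86_64"; rc=1; }
    fi
    case "$ver" in
        ''|1.2|2.0) ;;
        *) echo "hw_tpm_version must be 1.2 or 2.0, got '$ver'"; rc=1 ;;
    esac
    # The CRB model is only supported with TPM version 2.0.
    if [ "$model" = tpm-crb ] && [ "$ver" != 2.0 ]; then
        echo "hw_tpm_model=tpm-crb needs hw_tpm_version=2.0"; rc=1
    fi
    if [ "$profile" = win11 ]; then
        [ "$sb" = required ] || { echo "Windows 11 needs os_secure_boot=required"; rc=1; }
        [ "$ver" = 2.0 ] || { echo "Windows 11 needs hw_tpm_version=2.0"; rc=1; }
    fi
    return "$rc"
}

# Constructed sample: the Windows 11 property set from this page.
check_guest_props win11 os_distro=windows os_type=windows hw_firmware_type=uefi \
    hw_machine_type=q35 os_secure_boot=required hw_tpm_model=tpm-tis hw_tpm_version=2.0 \
    && echo "win11 property set is consistent"
```

A non-zero return with findings on stdout means the property set would not satisfy the requirements described in the sections above.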