Run Windows guests

Available since MOSK 24.1 TechPreview

MOSK enables users to configure and run Windows guests on OpenStack, which lets the cloud infrastructure serve diverse workloads. This section describes how to configure Windows guests on MOSK clouds, including the UEFI Secure Boot and virtual TPM settings.

Supported Windows versions

The list of the supported Windows versions includes:

  • Windows 10 22H2

  • Windows 11 23H2

Note

Other versions of the Windows operating system may function, but their compatibility is unverified.

Configuring Windows images or flavors

You can configure Windows guests through the image metadata properties os_distro and os_type or through the flavor extra specs os:distro and os:type.

Configuration example using image metadata properties:

$ openstack image set $WINDOWS_IMAGE \
   --property os_distro=windows \
   --property os_type=windows

You can also set up Windows guests to support UEFI Secure Boot and to include an emulated virtual Trusted Platform Module (TPM). This configuration enhances security features for your Windows virtual machines within the OpenStack environment.

Note

Windows 11 imposes a security system requirement: UEFI Secure Boot must be activated and TPM version 2.0 must be enabled.

Configuration example for the image with Windows 11:

$ openstack image set $WINDOWS_IMAGE \
   --property os_distro=windows \
   --property os_type=windows \
   --property hw_firmware_type=uefi \
   --property hw_machine_type=q35 \
   --property os_secure_boot=required \
   --property hw_tpm_model=tpm-tis \
   --property hw_tpm_version=2.0

Enabling UEFI Secure Boot

To confirm support for the UEFI Secure Boot feature, examine the traits associated with the compute node resource provider:

$ COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
$ openstack resource provider trait list $COMPUTE_UUID | grep COMPUTE_SECURITY_UEFI_SECURE_BOOT
| COMPUTE_SECURITY_UEFI_SECURE_BOOT |

You can configure UEFI Secure Boot support through flavor extra specs or image metadata properties. For x86_64 hosts, enabling Secure Boot also requires the Q35 machine type. MOSK enables you to configure this on a per-guest basis using the hw_machine_type image metadata property.

Configuration example for the image that meets both requirements:

$ openstack image set $IMAGE \
   --property hw_firmware_type=uefi \
   --property hw_machine_type=q35 \
   --property os_secure_boot=required

Enabling vTPM

Caution

MOSK does not support the live migration operation for instances with virtual Trusted Platform Module (vTPM) enabled.

To confirm support for the vTPM feature, examine the traits associated with the compute node resource provider:

$ COMPUTE_UUID=$(openstack resource provider list --name $HOST -f value -c uuid)
$ openstack resource provider trait list $COMPUTE_UUID | grep SECURITY_TPM
| COMPUTE_SECURITY_TPM_1_2 |
| COMPUTE_SECURITY_TPM_2_0 |

A vTPM can be requested for a server through either flavor extra specs or image metadata properties. There are two supported TPM versions: 1.2 and 2.0, along with two models: TPM Interface Specification (TIS) and Command-Response Buffer (CRB). Notably, the CRB model is only supported with version 2.0.

TPM versions and models support matrix

TPM version                               1.2             2.0

TPM Interface Specification (TIS) model   Supported       Supported

Command-Response Buffer (CRB) model       Not supported   Supported

Configuration example for a flavor to use the TPM 2.0 with the TIS model:

$ openstack flavor set $FLAVOR \
   --property hw:tpm_version=2.0 \
   --property hw:tpm_model=tpm-tis
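
The following pre-flight check is an added example, not part of the MOSK documentation or tooling. It validates a set of image metadata properties against the rules on this page (Secure Boot needs UEFI firmware and Q35, CRB needs TPM 2.0, Windows 11 needs both Secure Boot and TPM 2.0). Assumptions: the helper name check_guest_props, the key=value input format, and the sample input are constructed for illustration, and tpm-crb is the upstream Nova value for the CRB model, which this page does not show.

```bash
# check_guest_props [win11]: reads image properties as key=value lines on
# stdin (constructed format), prints one finding per violated rule, and
# returns 0 when the set is consistent, 1 otherwise.
check_guest_props() {
  local mode="${1:-any}" line key val rc=0
  local fw="" machine="" sb="" tpm_model="" tpm_ver=""
  while IFS= read -r line; do
    key="${line%%=*}"; val="${line#*=}"
    case "$key" in
      hw_firmware_type) fw="$val" ;;
      hw_machine_type)  machine="$val" ;;
      os_secure_boot)   sb="$val" ;;
      hw_tpm_model)     tpm_model="$val" ;;
      hw_tpm_version)   tpm_ver="$val" ;;
    esac
  done
  # Secure Boot needs UEFI firmware and, on x86_64 hosts, the Q35 machine type.
  if [ "$sb" = "required" ]; then
    [ "$fw" = "uefi" ] || { echo "os_secure_boot=required needs hw_firmware_type=uefi"; rc=1; }
    [ "$machine" = "q35" ] || { echo "os_secure_boot=required needs hw_machine_type=q35"; rc=1; }
  fi
  # Support matrix: only TPM 1.2 and 2.0 exist, and CRB is valid with 2.0 only.
  case "$tpm_ver" in
    ""|1.2|2.0) ;;
    *) echo "unsupported hw_tpm_version=$tpm_ver"; rc=1 ;;
  esac
  if [ "$tpm_model" = "tpm-crb" ] && [ "$tpm_ver" != "2.0" ]; then
    echo "hw_tpm_model=tpm-crb needs hw_tpm_version=2.0"; rc=1
  fi
  # Windows 11 requires both Secure Boot and TPM 2.0.
  if [ "$mode" = "win11" ]; then
    [ "$sb" = "required" ] || { echo "Windows 11 needs os_secure_boot=required"; rc=1; }
    [ "$tpm_ver" = "2.0" ] || { echo "Windows 11 needs hw_tpm_version=2.0"; rc=1; }
  fi
  return "$rc"
}

# Constructed sample: wrong machine type and a CRB/1.2 mismatch.
check_guest_props win11 <<'EOF' || true
hw_firmware_type=uefi
hw_machine_type=pc
os_secure_boot=required
hw_tpm_model=tpm-crb
hw_tpm_version=1.2
EOF
```

The helper covers image metadata property names only. For flavor extra specs such as hw:tpm_version, map the names before passing them in.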