Obs/bin/ObsDep/content/Powershell/Roles/Common/HostDscBootstrapConfig.psm1
|
<###################################################
# # # Copyright (c) Microsoft. All rights reserved. # # # ##################################################> Import-Module $PSScriptRoot\..\..\Common\NetworkHelpers.psm1 -DisableNameChecking -Verbose:$false | Out-Null Configuration NewComputeBootstrapDscConfiguration { Param ( [Parameter(Mandatory = $true)] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [System.String] $PsDscClient = 'localhost', [Parameter(Mandatory=$false)] [boolean] $EnableDataCenterBridging = $true, [Parameter(Mandatory=$true)] [hashtable] $NicBindingCriteria, [Parameter(Mandatory=$false)] [string] $IDNSProxyForwarders, [Parameter(Mandatory=$true)] [UInt64] $MinimumDiskBytes, [Parameter(Mandatory=$false)] [boolean] $DisableRemoteDesktop = $false ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName DSC.ProcessorPowerManagement Import-DscResource -ModuleName PDT.DSC.Networking Import-DscResource -ModuleName PDT.DSC.HyperV Import-DscResource -ModuleName PDT.DSC.Service Import-DscResource -ModuleName PDT.DSC.Utilities Import-DscResource -ModuleName PDT_MigrationProtocol Import-DscResource -ModuleName AS.Group Import-DscResource -ModuleName AS.DumpOnLargeHost Import-DscResource -ModuleName AS.WmiConfiguration Node $PsDscClient { # Workaround for the physical environment in the lab where WinRM has to be allowed on hosts at pre-deploy stage Log ASZHostDSCSkip { # DependsOn = '[PDTNetFirewallGroup]WinRM' Message = 'ASZ Host DSC Skipped' } <# # Enable the DSC Analytic log to capture verbose output of the configuration during bootstrap PDTEventLog 'DSCAnalytic' { LogName = 'Microsoft-Windows-DSC/Analytic' IsEnabled = $true MaximumSizeInBytes = [int]5Mb } # Allow Link Local Multicast Name Resolution through the # firewall, as lanmanserver needs it. PDTNetFirewallRule 'FPS-LLMNR-In-UDP' { Name = 'FPS-LLMNR-In-UDP' } #As part of the host hardening, we'll disable the following FW rules group PDTNetFirewallGroup 'AllJoyn Router' { Ensure = 'Absent' Name = 'AllJoyn Router' } PDTNetFirewallGroup 'mDNS' { Ensure = 'Absent' Name = 'mDNS' } #subset of CoreNet rules to be disabled PDTNetFirewallRule 'CoreNet-DHCPV6-In' { Ensure = 'Absent' Name = 'CoreNet-DHCPV6-In' } PDTNetFirewallRule 'CoreNet-Teredo-In' { Ensure = 'Absent' Name = 'CoreNet-Teredo-In' } PDTNetFirewallRule 'CoreNet-Teredo-Out' { Ensure = 'Absent' Name = 'CoreNet-Teredo-Out' } if ($DisableRemoteDesktop) { PDTNetFirewallGroup 'Remote Desktop Group' { Ensure = 'Absent' Name = 'Remote Desktop' } } # disable negative DNS cache # if a DNS query results in a negative response because the DNS server does not # have a record, by default the negative response is cached for 15 minutes # this disables the negative cache so the DNS client will be able to attempt # to resolve again - this will improve parallel steps where one step is expecting # another step to have created something in DNS Registry 'MaxNegativeCacheTtl' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' ValueName = 'MaxNegativeCacheTtl' ValueType = 'Dword' ValueData = '0' } # Setting Host/Infra identification for telemetry Registry 'VMType' { Key = 'HKLM:\SOFTWARE\Microsoft\Windows Azure' ValueName = 'VMType' ValueType = 'String' ValueData = 'AS-HOST' } # Wait for lanmanserver (SMB) to be fully available. Waiting # on this guarantees that a set of kernel- and user-mode services # are runnning and ready for use. PDTService lanmanserver { Name = 'lanmanserver' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Turn off deep power management states that reduce compute benchmark # performance. ProcessorPowerManagement C1Only { ComputerName = 'localhost' PowerScheme = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c' DeepestCState = 1 } # Enable dump on hosts that have a physical disk large enough to # handle the extra space needed. This will need a reboot to take # effect after initial deployment. Update will automatically add # this key on supported systems at image creation. ASDumpOnLargeHost DumpSettings { DependsOn = "[File]LiveKernelReportPathDirectoryCreation" Name = 'Dump Settings Dependent on Large Host' MinimumDiskBytes = $MinimumDiskBytes } # Ensure the LiveKernelReportsPath is created File LiveKernelReportPathDirectoryCreation { Type = 'Directory' DestinationPath = 'D:\AzureStack\LiveKernelReports' Ensure = "Present" } # Deploying a one-node host using an action plan involves setting # up that host without creating any virtual switches. This # DSC generation script will be handed a configuration which # has no switches and no vNICs. When setting anything else up, # there will be at least one external switch. if ($Node.ExternalSwitchNames.Count -ne 0) { if ($EnableDataCenterBridging) { PDTNetQosDcbxSetting 'Willing' { DependsOn = '[PDTService]lanmanserver' InterfaceAlias = 'Global' Willing = $false } # These next five ensure that SMB traffic and cluster heartbeat gets treated # with great respect by the switches. If you starve # storage and miss cluster heartbeat, the entire stamp can fall apart. PDTNetQosPolicyNetDirectPort 'SMBDirect' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'SMBDirect' NetDirectPort = 445 PriorityValue8021Action = $Node.NetQosPriority } PDTNetQosPolicyNetCluster 'Cluster' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Cluster' PriorityValue8021Action = 5 } PDTNetQosPolicyDefault 'Default' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Default' PriorityValue8021Action = 0 } PDTNetQosFlowControl 'FlowControl' { DependsOn = '[PDTNetQosPolicyNetDirectPort]SMBDirect' ComputerName = 'localhost' Priority = $Node.NetQosPriority } PDTNetQosTrafficClass 'SMBDirect' { DependsOn = @('[PDTNetQosPolicyNetDirectPort]SMBDirect','[PDTNetQosFlowControl]FlowControl') Name = 'SMBDirect' Algorithm = 'ETS' Priority = $Node.NetQosPriority BandwidthPercentage = 50 } PDTNetQosTrafficClass 'Cluster' { DependsOn = @('[PDTNetQosPolicyNetCluster]Cluster','[PDTNetQosFlowControl]FlowControl') Name = 'Cluster' Algorithm = 'ETS' Priority = 5 BandwidthPercentage = 2 } # This setting reserves space in Ethernet frames for network # virtualization metadata. PDTNetAdapterAdvancedProperty 'EncapOverhead' { DependsOn = '[PDTNetQosTrafficClass]SMBDirect' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*EncapOverhead' RegistryValue = 160 } # skip if it is virtual AzureStack $OEMRole = $Parameters.Roles["OEM"].PublicConfiguration $OEMModel = $OEMRole.PublicInfo.UpdatePackageManifest.UpdateInfo.Model if (@("Virtual Machine", "Hyper-V") -notcontains $OEMModel) { PDTNetAdapterAdvancedProperty 'VirtualSwitchRSS' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*RssOnHostVPorts' RegistryValue = 1 } PDTNetAdapterAdvancedProperty 'DcbxMode' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = 'DcbxMode' RegistryValue = 0 } } # Turn on Quality of Service. PDTNetAdapterQos 'Qos' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' } } # Configure VFP Proxy settings Write-Verbose "Configure VFP Proxy settings on NCHostAgent" -Verbose $gatewayEndpoint = $Parameters.Roles["FabricRingServices"].PublicConfiguration.PublicInfo.RPCommonProperties.ServiceUri $gatewayUriBuilder = New-Object -TypeName System.UriBuilder -ArgumentList $gatewayEndpoint $gatewayPort = $gatewayUriBuilder.Port $gatewayUri = $gatewayUriBuilder.Uri.DnsSafeHost # VFP forwards to Gateway, use the Gateway port value for the services $imdsServiceAddress = '127.0.0.1' $garServiceAddress = $gatewayUri $wireServerServiceAddress = '127.0.0.1' $hostGAPluginServiceAddress = '127.0.0.1' $imdsServicePort = 80 $garServicePort = $gatewayPort $wireServerServicePort = 80 $hostGAPluginServicePort = 32526 # Proxy port values $imdsProxyPort = 15021 $garProxyPort = 15022 $wireServerProxyPort = 15023 $hostGAPluginProxyPort = 15025 Write-Verbose "Making IMDS proxied service registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerAddress' ValueData = $imdsServiceAddress } Registry 'Instance_Metadata_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServiceName' ValueData = 'IMDS' } Registry 'Instance_Metadata_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'Instance_Metadata_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'Instance_Metadata_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making GAR proxied service registry change for MCNP proxy" Registry 'GAR_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerAddress' ValueData = $garServiceAddress } Registry 'GAR_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServiceName' ValueData = 'gar' } Registry 'GAR_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $garServicePort } Registry 'GAR_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'GAR_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyProtocol' ValueData = 'HttpsNoTranslation' } Registry 'GAR_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 1 } Write-Verbose "Making WireServer proxied service registry change for MCNP proxy" Registry 'WireServer_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerAddress' ValueData = $wireServerServiceAddress } Registry 'WireServer_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServiceName' ValueData = 'WireServer' } Registry 'WireServer_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $wireServerServicePort } Registry 'WireServer_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'WireServer_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'WireServer_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making HostGAPlugin proxied service registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerAddress' ValueData = $hostGAPluginServiceAddress } Registry 'HostGAPlugin_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServiceName' ValueData = 'HostGAPlugin' } Registry 'HostGAPlugin_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $hostGaPluginServicePort } Registry 'HostGAPlugin_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'HostGAPlugin_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'HostGAPlugin_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making IMDS infra services registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'Port' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'Instance_Metadata_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making GAR infra services registry change for MCNP proxy" Registry 'GAR_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'Port' ValueType = 'Dword' ValueData = 81 } Registry 'GAR_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'GAR_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making WireServer infra services registry change for MCNP proxy" Registry 'WireServer_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'Port' ValueType = 'Dword' ValueData = 80 } Registry 'WireServer_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'WireServer_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making HostGAPlugin infra services registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'Port' ValueType = 'Dword' ValueData = $hostGAPluginServicePort } Registry 'HostGAPlugin_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'HostGAPlugin_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } # Enabling Windows Error Reporting to create user mode dumps on Host Registry 'Host_Application_LocalDump_DumpType' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpType' ValueType = 'Dword' ValueData = 1 } Registry 'Host_Application_LocalDump_DumpFolder' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpFolder' ValueType = 'ExpandString' ValueData = 'D:\AzureStack\CrashDumps' } Registry 'Host_Application_LocalDump_DumpCount' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpCount' ValueType = 'Dword' ValueData = 1 } # Disable SMB1 in registry, so that Get-SmbServerConfiguration won't report it as active Registry 'SMB1' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' ValueName = 'SMB1' ValueType = 'DWORD' ValueData = '0' } Registry 'RefsScrubNoOplock' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' ValueName = 'RefsScrubNoOplock' ValueType = 'DWORD' ValueData = '1' } Registry 'VSwitchDHCP_LeaseDuration' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'LeaseTime' ValueType = 'DWORD' ValueData = '0xFFFFFFFF' Force = $true Hex = $true } Registry 'VSwitchDHCP_Broadcast' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'IPv4Broadcast' ValueType = 'DWORD' ValueData = '1' Force = $true } Registry 'VSwitchDHCP_Option245WireServer' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'Option245WireServer' ValueType = 'String' ValueData = '168.63.129.16' Force = $true } # Win2021 will have these values by default # Revert back when Win2021 is released with Azure Stack Registry 'Host_PtNicDropLowResourcesPackets' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'PtNicDropLowResourcesPackets' ValueType = 'DWORD' ValueData = '1' } Registry 'Host_MaxVrssQueueAllocatedMBytes' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'MaxVrssQueueAllocatedMBytes' ValueType = 'DWORD' ValueData = '16' } # Set the NCHostAgent service to start automatically and # run in its own process. PDTService 'NCHostAgent' { Name = 'NCHostAgent' StartupType = 'Automatic' State = 'Running' Type = 'own' DependsOn = ` @( '[Registry]Instance_Metadata_Service_Server_Address' '[Registry]Instance_Metadata_Service_Server_Name' '[Registry]Instance_Metadata_Service_Server_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Address' '[Registry]Instance_Metadata_Service_Proxy_Protocol' '[Registry]Instance_Metadata_Service_Enable_Client_Auth' '[Registry]GAR_Service_Server_Address' '[Registry]GAR_Service_Server_Name' '[Registry]GAR_Service_Server_Port' '[Registry]GAR_Service_Proxy_Listening_Port' '[Registry]GAR_Service_Proxy_Listening_Address' '[Registry]GAR_Service_Proxy_Protocol' '[Registry]GAR_Service_Enable_Client_Auth' '[Registry]WireServer_Service_Server_Address' '[Registry]WireServer_Service_Server_Name' '[Registry]WireServer_Service_Server_Port' '[Registry]WireServer_Service_Proxy_Listening_Port' '[Registry]WireServer_Service_Proxy_Listening_Address' '[Registry]WireServer_Service_Proxy_Protocol' '[Registry]WireServer_Service_Enable_Client_Auth' '[Registry]HostGAPlugin_Service_Server_Address' '[Registry]HostGAPlugin_Service_Server_Name' '[Registry]HostGAPlugin_Service_Server_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Address' '[Registry]HostGAPlugin_Service_Proxy_Protocol' '[Registry]HostGAPlugin_Service_Enable_Client_Auth' '[Registry]Instance_Metadata_Service_Infra_Port' '[Registry]Instance_Metadata_Service_Infra_Proxy_Port' '[Registry]Instance_Metadata_Service_Infra_Address' '[Registry]Instance_Metadata_Service_Infra_MAC_Address' '[Registry]GAR_Service_Infra_Port' '[Registry]GAR_Service_Infra_Proxy_Port' '[Registry]GAR_Service_Infra_Address' '[Registry]GAR_Service_Infra_MAC_Address' '[Registry]WireServer_Service_Infra_Port' '[Registry]WireServer_Service_Infra_Proxy_Port' '[Registry]WireServer_Service_Infra_Address' '[Registry]WireServer_Service_Infra_MAC_Address' '[Registry]HostGAPlugin_Service_Infra_Port' '[Registry]HostGAPlugin_Service_Infra_Proxy_Port' '[Registry]HostGAPlugin_Service_Infra_Address' '[Registry]HostGAPlugin_Service_Infra_MAC_Address' '[Registry]VSwitchDHCP_LeaseDuration' '[Registry]VSwitchDHCP_Broadcast' '[Registry]VSwitchDHCP_Option245WireServer' ) } # DNS forwarders Registry 'DNSProxy_Forwarders' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSProxy\Parameters" ValueName = "Forwarders" ValueData = $IDNSProxyForwarders } # Start DnsProxy service and make it automatic Write-Verbose "Start DnsProxy service and make it automatic" -Verbose PDTService 'DnsProxy' { Name = 'DnsProxy' StartupType = 'Automatic' State = 'Running' Type = 'own' SkipIfNotFound = $true # This service is in RS1 but not in RS5, so set this to true to skip configuration on RS5. DependsOn = @('[PDTService]NCHostAgent', '[Registry]DNSProxy_Forwarders') } # DNS Proxy Service - Port and ProxyPort $idnsPort = 53 # DNS Proxy service port Registry 'DNSProxyService_Port' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "Port" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service proxy port Registry 'DNSProxyService_ProxyPort' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "ProxyPort" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS IP Address $cloudRole = $Parameters.Roles["Cloud"].PublicConfiguration $dnsIPAddress = $cloudRole.PublicInfo.NetworkConfiguration.iDNS.Endpoint # If the value is not defined, assign it a predefined value if (-not $dnsIPAddress) { $dnsIPAddress = "168.63.129.16" } # DNS Proxy service IP Address Registry 'DNSProxyService_IP' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "IP" ValueData = $dnsIPAddress DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service MAC $dnsProxyServiceMAC = "22-22-22-22-22-22" #A random mac address used to redirect the dns traffic, applied through vfp rules. These rules are created by the NCHostagent on reading the registry. Registry 'DNSProxyService_MAC' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "MAC" ValueData = $dnsProxyServiceMAC DependsOn = '[PDTService]NCHostAgent' } # Comment out this config for now. This firewall group is basically the same as the 4 firewall rules below combined. # Once switching to RS5, the 4 firewall rules should be removed and use this firewall group instead. # PDTNetFirewallGroup 'DNS Proxy Firewall' # { # Ensure = 'Present' # Name = 'DNS Proxy Firewall' # } # Enable some firewall rules needed by DNSProxy service PDTNetFirewallRule 'DnsProxy-TCP-In' { Name = 'DnsProxy-TCP-In' } PDTNetFirewallRule 'DnsProxy-UDP-In' { Name = 'DnsProxy-UDP-In' } PDTNetFirewallRule 'DnsProxy-TCP-Out' { Name = 'DnsProxy-TCP-Out' } PDTNetFirewallRule 'DnsProxy-UDP-Out' { Name = 'DnsProxy-UDP-Out' } # Wait for the Virtual Machine Management Service (VMMS) to start # before calling into it to create virtual switches. PDTService VMMS { Name = 'VMMS' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Specify that VM live migrations should be performed using the SMB # protocol. Live migration configuration is only relevant for multi-node configurations. $physicalNodes = $Parameters.Roles["BareMetal"].PublicConfiguration.Nodes.Node if ($physicalNodes.Count -gt 1) { PDT_MigrationProtocol SMB { DependsOn = '[PDTService]VMMS' ComputerName = 'localhost' Protocol = 'SMB' MaximumLiveMigrations = 1 SmbLiveMigrationBandwidthBytesPerSecond = 750MB } } # This gets filled in with all the things that should be in their # desired state before the PDTNetIPv6 (below) is configured. Specifically, # the switches should be built, the switch extensions should be installed # and the vNICs should be built. $IPv6Dependencies = @() # Build all the internal and external switches that the Cloud Definition # calls for. Install the Azure Switch extension on exactly one switch. # If there are internal switches, pick that one. $extensionOnExternalSwitch = $true foreach ($switchName in $Node.InternalSwitchNames) { # Internal switches bind to no NICs. PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' SwitchType = 'Private' Name = $switchName } # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" $extensionOnExternalSwitch = $false } # VMSwitch ID must remain the same across host reimages (in P&U case), so MD5 hash of the host name # (which is not changed across host reimages) is used as GUID for the VMSwitch ID. $encoding = New-Object System.Text.UnicodeEncoding $hostNameBytes = $encoding.GetBytes($Node.NodeName.ToLower()) $memstream = New-Object System.IO.MemoryStream -ArgumentList @(100) try { $memstream.Write($hostNameBytes, 0, $hostNameBytes.Count) $memstream.Seek(0, [System.IO.SeekOrigin]::Begin) $hash = Get-FileHash -InputStream $memstream -Algorithm MD5 $vmswitchId = [Guid]::Parse($hash.Hash) } finally { if($memstream -ne $null) { $memstream.Close() } } $UnboundNICDependencies = @() foreach ($switchName in $Node.ExternalSwitchNames) { # Bind external switches to all NICs that go fast (at least 10Gb.) switch ($NicBindingCriteria.NetAdapterCriteriaType) { 'Speed' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName SwitchType = 'External' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue } } 'AdvancedProperty' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName Id = $vmswitchId SwitchType = 'External' NetAdapterCriteriaType = 'AdvancedProperty' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue LoadBalancingAlgorithm = 'HyperVPort' } } default { throw "Unhandled switch binding criteria $($NicBindingCriteria.NetAdapterCriteriaType)" } } # Record this as something that the unbound NICs rule depends on. $UnboundNICDependencies += "[PDTVMSwitch]$switchName" if ($extensionOnExternalSwitch) { # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" } else { $IPv6Dependencies += "[PDTVMSwitch]$switchName" } } # Enable IPv6 on all interfaces. (Should this depend on the NICs, not # the switches? Or is the point to do this before vNICs are built?) PDTNetIPv6 'IPv6' { DependsOn = $IPv6Dependencies ComputerName = 'localhost' } # Stop ISATAP. Not needed on stamp and groupthink says that it was # causing problems in some of our testing environments. PDTNetISATAP 'ISATAP' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' Ensure = 'Absent' } # Ensure that all NICs not in use for virtualization are disabled. # For One-Node, skip this step as it has been checked elsewhere that it has only active NIC. if(-not $Node.InternalSwitchNames) { PDTNetUnboundNIC 'DisableUnboundNICs' { DependsOn = $UnboundNICDependencies ComputerName = 'localhost' State = 'Disabled' } } # One-node deployments don't have a domain on the host. If there is # one, however, record the DNS suffix. if ($Node.DomainFQDN) { PDTNetGlobalDNS 'GlobalDNSSuffixes' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' SuffixList = $Node.DomainFQDN } } # This gets filled in with management OS NIC names $ManagementOSNicNames = @() # Set up the vNICs on the host. $RdmaNICs = @() $RdmaNICNames = @() $FirewallGroups = @{} foreach ($nicName in $Node.NicNames) { Write-Verbose "Creating vNIC $nicName on Node $($Node.NodeName)." # Create (or delete) the vNIC itself. if ([string]::IsNullOrEmpty($Node.("${nicName}MacAddress"))) { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") PriorityTag = 'On' } } else { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") MacAddress = $Node.("${nicName}MacAddress") PriorityTag = 'On' } } # Record these as VFP Firewall rules will depend on these. $ManagementOSNicNames += "[PDTVMNetworkAdapterManagementOS]$nicName" # If the vNIC above was being created, set RDMA state # and assign an IP address. if ($Node.("${nicName}Ensure") -ne 'Absent') { if ($Node.("${nicName}Rdma")) { Write-Verbose "VNIC $nicName is a RDMA NIC on Node $($Node.NodeName). Add it to RdmaNICs list." PDTNetAdapterRdma $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName } $RdmaNICs += "[PDTNetAdapterRdma]$nicName" $RdmaNICNames += "$nicName" } # In one-node host scenario, if the vNIC above was created with physical NIC's MAC address, the vNIC would get either # a DHCP IP address (if PNIC is using DHCP) or a static IP copied from the PNIC (if PNIC is using static IP). In either case, # there is no need to set the IP address explicitly again. # The "DoNotSetIPAddress" flag is only set to TRUE in one-node scenario. if (!$Node.("${nicName}DoNotSetIPAddress")) { $defGateway = $Node.("${nicName}IPv4DefaultGateway") $useDefaultGateway = $Node.("${nicName}UseDefaultGateway") if ($useDefaultGateway -eq $true) { Write-Verbose "VNIC $nicName is using default gateway $defGateway on Node $($Node.NodeName)." } else { Write-Verbose "VNIC $nicName is not using default gateway on Node $($Node.NodeName)." } $registerThisConnectionsAddress = $Node.("${nicName}RegisterThisConnectionsAddress") if ($useDefaultGateway -eq $true) { # this is to configure IP for HostNic which has default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DefaultGateway = $defGateway DnsRegistration = $registerThisConnectionsAddress } } else { # this is to configure IPs for Storage NICs which do not have default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DnsRegistration = $registerThisConnectionsAddress } } $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTNetIPAddress]$nicName" Profile = $netProfile Name = $nicName } } } else { $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" Profile = $netProfile Name = $nicName } } } $firewallRules = $Node.("${nicName}FirewallRules") foreach ($rule in $firewallRules) { $groupName = $rule.Group if (-not $FirewallGroups.$groupName) { $FirewallGroups.$groupName = New-Object PSObject -Property @{Enabled = $rule.Enabled; InterfaceAlias = @()} } $FirewallGroups.$groupName.InterfaceAlias += $nicName } } } # Set up the firewall rules for MCNP Proxy, depends on the Management OS Nic Write-Verbose "Setting firewall rules for MCNP proxy" xFirewall 'HostGAPlugin Proxy Rule (Inbound)' { Name = 'HostGAPlugin Proxy Rule (Inbound)' DisplayName = 'HostGAPlugin Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($hostGAPluginProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'WireServer Proxy Rule (Inbound)' { Name = 'WireServer Proxy Rule (Inbound)' DisplayName = 'WireServer Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($wireServerProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Outbound' { Name = 'Instance-Metadata-Server-Proxy-Outbound' DisplayName = 'Instance-Metadata-Server-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Inbound' { Name = 'Instance-Metadata-Server-Proxy-Inbound' DisplayName = 'Instance-Metadata-Server-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Outbound' { Name = 'GAR-Proxy-Outbound' DisplayName = 'GAR-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Inbound' { Name = 'GAR-Proxy-Inbound' DisplayName = 'GAR-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } # Make policies about which pNICs are used for RDMA via each vNIC. if ($RdmaNICs.Count -ne 0) { PDTNetRDMARoutes 'RDMARoutes' { Name = 'Storage*' DependsOn = $RdmaNICs Strategy = 'roundrobin' } } foreach ($group in $FirewallGroups.GetEnumerator()) { $depends = ($group.Value.InterfaceAlias | ForEach-Object {'[PDTVMNetworkAdapterManagementOS]' + $_}) if ($group.Value.Enabled) { $ensure = 'Present' } else { $ensure = 'Absent' } PDTNetFirewallGroup $group.Name { DependsOn = $depends Name = $group.Key InterfaceAlias = $group.Value.InterfaceAlias Ensure = $ensure } } # ASZ - No ASDK mode # Multi-node hosts are hatched already joined to a domain, so we can # add administrators here. # if ($physicalNodes.Count -gt 1) # { $firstPhysicalNode = $physicalNodes | Select-Object -First 1 $localAdmins = $firstPhysicalNode.LocalAdmins.Admin ASGroup 'LocalAdministrators' { DependsOn = $depends GroupName = 'Administrators' MembersToInclude = $localAdmins.Name } # } # In Multi-cluster scenario, the hosts' storage NICs should have static routes to other clusters' storage networks if (IsNetworkSchemaVersion2021($Parameters)) { Write-Verbose "This deployment is using network schema version 2021, which support multiple Scale Units." $localClusterId = $Node.RefClusterId Write-Verbose "Finding local storage network for cluster $($localClusterId) on Node $($Node.NodeName)." $localNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $localClusterId $localClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC1" $localClusterStorageNetwork = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorageNetworkName} if ($localClusterStorageNetwork) { Write-Verbose "Storage Network $localClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $localClusterStorageNetworkName was not found for Node $($Node.NodeName)." } Write-Verbose "Finding local storage2 network for cluster $($localClusterId) on Node $($Node.NodeName)." $localClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC2" $localClusterStorage2Network = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorage2NetworkName} if ($localClusterStorage2Network) { Write-Verbose "Storage2 Network $localClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $localClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $allOtherClusters = $Parameters.Roles["Cluster"].PublicConfiguration.Clusters.Node | Where-Object { $_.Id -ne $localClusterId } # for each additional SU, create two static routes for each storage VNIC on local cluster node, so that there will be 4 such routes per SU: # 1. To other SU's Storage network 1 via vNIC1's default gateway # 2. To other SU's Storage network 2 via vNIC1's default gateway # 3. To other SU's Storage network 1 via vNIC2's default gateway # 4. To other SU's Storage network 2 via vNIC2's default gateway foreach ($otherCluster in $allOtherClusters) { Write-Verbose "Finding storage network in cluster $($otherCluster.Name) for Node $($Node.NodeName)." $otherClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC1" $otherClusterNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $otherCluster.Name $otherClusterStorageNetwork = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorageNetworkName} if ($otherClusterStorageNetwork) { Write-Verbose "Storage Network $otherClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $otherClusterStorageNetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix = $otherClusterStorageNetwork.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage network $destinationPrefix for Node $($Node.NodeName)." $otherClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC2" $otherClusterStorage2Network = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorage2NetworkName} if ($otherClusterStorage2Network) { Write-Verbose "Storage2 Network $otherClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $otherClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix2 = $otherClusterStorage2Network.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage2 network $destinationPrefix2 for Node $($Node.NodeName)." foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $destinationPrefix via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix NextHop = $nextHop } Write-Verbose "Creating static route to $destinationPrefix2 via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix2" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix2 NextHop = $nextHop } } } } # This will increase the default WMI limit of 4096 WMI HandlesPerHost to 8192. # We believe this will avoid some of our WMI throttling errors and WMI service crashes WmiConfiguration 'WmiQuotaConfig' { ComputerName = "localhost" HandlesPerHost = 8192 } # When NAS cluster(s) integrated, the hosts' storage NICs should have static routes to the NAS storage networks # So that Blob data traffic can go through the storage NICs $nasClusters = $Parameters.Roles["NasCluster"].PublicConfiguration.NasClusters.Node foreach ($nasCluster in $nasClusters) { $nasName = $nasCluster.Name $nasStorageSubnet = $nasCluster.NasClusterNetworks.StorageNetwork.Subnet Write-Verbose "Found NasCluster:[$nasName], StorageSubnet:[$nasStorageSubnet]" -Verbose foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $nasStorageSubnet via NextHop $nextHop for NIC $rdmaNicName on Node $($Node.NodeName)." -Verbose if (-not $nasStorageSubnet -or -not $nextHop) { throw "Invalid static route parameter" } xRoute "$rdmaNicName-$nasStorageSubnet" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $nasStorageSubnet NextHop = $nextHop } } } } #> } } Export-ModuleMember -Function NewComputeBootstrapDscConfiguration # SIG # Begin signature block # MIIoKQYJKoZIhvcNAQcCoIIoGjCCKBYCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA8r8CITAWgNZWE # Etp9W1bjNkDQK+m/IlfAuyY72twfNKCCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGgkwghoFAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIBy1wPbtm7AyTmK2knX04Jlr # U65Oq7D79DJfEtR2yCovMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAipoT1r6KMLzpWRuwGxVts1EzjVy/MnvFbZG44N4YomUnoiiyRqf2Qmbt # PpjBJ9LNLRphpaUvcvYWSs1sD5JPKav7utPutazk3JqAh2itYtS8FQ4RWGFAPXXx # SWRT9D6CmBV2YXRVJLGZiutQEviXTQ+tVM61CQRNindLFirQTaUiGGekMqz4cxmy # o4UaO0/K1KSqn5MRU4gDsmof+pgLxLFLg4GEaoRSDdoxJPFOgpzZVYF8T/lnIR7Y # kba/YNd7DB6DRg/DikjvBD1lYIoBwPNAliRJZ6ewADJ4JcW63fe/ylws0551lUZ9 # ApESxjFEsD1EUX1Q7bMyupGzlY7t66GCF5MwghePBgorBgEEAYI3AwMBMYIXfzCC # F3sGCSqGSIb3DQEHAqCCF2wwghdoAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFRBgsq # hkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCBj4MsDaORTTHYqfwY0F2UkotL8pMC8rIY+jHlo9VZS8AIGZmr7DoRy # GBIyMDI0MDcwOTA4NTQzMi4zMlowBIACAfSggdGkgc4wgcsxCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy # aWNhIE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjo4NjAzLTA1 # RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCC # EeowggcgMIIFCKADAgECAhMzAAAB8bNF9SfowBbWAAEAAAHxMA0GCSqGSIb3DQEB # CwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTIzMTIwNjE4NDU1 # NVoXDTI1MDMwNTE4NDU1NVowgcsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMx # JzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjo4NjAzLTA1RTAtRDk0NzElMCMGA1UE # AxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCAiIwDQYJKoZIhvcNAQEB # BQADggIPADCCAgoCggIBALG6UJm20h/xf3utb38n5DhWD0+K6AHXJrX8NHHEtbaH # DLhCC1TePl9XvlkprpdNNCFbkKWQaXqCnWd3lUGzHglv6hTg+wwDZ+h7yA/1tA09 # XEgcwm7pNhyuuff0d1163bGR2pSHPPJJdo8WoUyTZWJ8R+P4dHomF42zYsvObwUM # mb6kF108MtqD9H4A8hYfJ+2r2K3AzRY/lnR19DIjhaVV5RL6+i2w9tab5EqwfgVA # 2HNvS38PiK61x8Irf8sr7EuZLp2YCHsAwq4RSXyLaR1YENFxz4lZrbVIJ5/HlI+E # kQWBiF0Y8CincbWXxPfdyqtsu1wUmrDDhNCJiIKR3KwJycgXRmpI0Adx8j1IC/eB # +TLGpA0knexOyDkY9EX3maqBt9BuQWdTXuJhtEg8mrCBIuHIHzfdkOCbPFsqYmZ0 # NptvNLTIaGeAdrr6DBVo5Spwd/3DqTDEyj46obdBkhzB3nAcQKzmsAlno8jIUzsB # 3aFFQUdFOLfncjtXjESBga5lvqoXHo9/jiLsCNdum1SiUNxXNgR2AtBJaK4VqNLp # eDeTsLLxOIzkc9Qr0tkieWhPG5QtLEmYnudONSM6PnHBGYLvHZL+bGqXye8dII3U # 4QPb/AQI6i3owR71svefOgrA7xM2URK2rmxx3bkYDSAxA76o1dX/FMM4FMnzMFwZ # AgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQUvLbF7n2wITRKPJyoTkStvhitLWAwHwYD # VR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYDVR0fBFgwVjBUoFKgUIZO # aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIw # VGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwGCCsGAQUFBwEBBGAwXjBc # BggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0 # cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcnQwDAYD # VR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMC # B4AwDQYJKoZIhvcNAQELBQADggIBAOFISNIEVIJsnKXdT9CYUxbZ4s8GSeeWx8gP # /uBMy8A0SeGrTwj0cdtuqLCoMQdK8BG8q0vuPTOcgJgFsytVKa+APFTyMAaozKIu # gzzTvzxKjf5PohlX/9RlEmoGXigzdsIhCAUajRVN5DpHNgv63XMJReaak+YzjFxJ # xUUBNePlPHsHLhKFZQLtWGbumJwOJTmKAaO6K9GHE+9ul+VuH9uyITm3Hly44kQl # Ib65ZyoHJHtMLhwa+5q8dKOTWJFdP9CNo4R4mg6d96xs528msl1ub6V5gtEjrs3d # x3wH+y5TbW1F2DA6dOTaE65kqz+QvBpfo2wBtTL2kqwOZPKhacabJNYE+JNvaunm # iCjxjyExTVhCzusdHmGqKUSrzyMX70fwpxxv/WKyYlMacGdEy/rxR3aXksWE5nid # G2XiUeuL43UvwQGDtoTwS897wJr2DPyyHYXgI5Nh3U8dx7W6Au+9ZbX5o5Kl3w2f # ASJ3jOAPv1lDGKwmrI7iUxYzMCAR4WFSbjQWyG3Ne50CxfkugKKXistsd/Bi0Y6n # D0NVfeNcBX3S0b2JFtyqO23e+Fb1P4vd8BmUx6tpZ+Ht5SY+W0xTyURA4x6Wj/V6 # GQgY7thk4fFSp4qmYX1BpbwtdNPT3QAdniTqD612lkV8Iyi3Ib4Theo3pla0oQFC # ITfEvbsEMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAAAAAAFTANBgkqhkiG # 9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO # BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy # MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw # MTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt # ZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+F2Az # /1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU88V2 # 9YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqYO7oa # ezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzpcGkN # yjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSueik3rMvrg0XnRm7K # MtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1zcRf # NN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZNN3SU # HDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLRvWoY # WmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTYuVD5 # C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUXk8A8 # FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB2TAS # BgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKRPEY1 # Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0gBFUw # UzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNy # b3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQMMAoG # CCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIB # hjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fO # mhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9w # a2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggr # BgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNv # bS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqGSIb3 # DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOXPTEz # tTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6cqYJW # AAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/zjj3G # 82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz/Aye # ixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyRgNI9 # 5ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdUbZ1j # dEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo3GcZ # KCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4Ku+xB # Zj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10CgaiQuP # Ntq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9vMvp # e784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGCA00w # ggI1AgEBMIH5oYHRpIHOMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScw # JQYDVQQLEx5uU2hpZWxkIFRTUyBFU046ODYwMy0wNUUwLUQ5NDcxJTAjBgNVBAMT # HE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAPuf # sGTiCwza1tT+L4zcG1GcuPT3oIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTAwDQYJKoZIhvcNAQELBQACBQDqNxXGMCIYDzIwMjQwNzA5MDE0OTU4 # WhgPMjAyNDA3MTAwMTQ5NThaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAOo3FcYC # AQAwBwIBAAICYCEwBwIBAAICE2cwCgIFAOo4Z0YCAQAwNgYKKwYBBAGEWQoEAjEo # MCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG # 9w0BAQsFAAOCAQEAfWZ45ZtFuCSkkxvgwiyO2fvoQUOHHtvnrINN6e0T/Qvo3XRi # HJPjdIVZqNCo9b1OCT0mr5063kIUDNN3WGTWuE19tGOlnE+lpoYZqlIbljpTI9YY # 2QJy5ijy4XRfUNe/130n3dnFix8pBRW81O8ZpEFPMYbLC/kmYe8zJzpWHBqJM9uJ # 3TdgaDaC5VG+pFn3K1fvlf98njQUXF9TI37XEZdtuGC2vh2H2jY6jZk/KUpL49YM # wE6mRLnaEsFqhe6RQNminThkZQ9fEaZyWs2nrcNdq0k6t/dICJbMg1HtrwYAuukK # yeQc6RXZvi3kMrDwT5k/4VVjJss/tQlZTAucQzGCBA0wggQJAgEBMIGTMHwxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv # c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB8bNF9SfowBbWAAEAAAHxMA0G # CWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJ # KoZIhvcNAQkEMSIEIKRg4s/trr+f4sOD98fN9SFWA7vo0SXNyTjBWd6oKYBiMIH6 # BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQg1Xf9PmFLuKPBqjjrpGiwHvDASJu3 # RrU/kSojASP2EXgwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx # MAITMwAAAfGzRfUn6MAW1gABAAAB8TAiBCAwXTvvg0ZXypgiN8mrHEiVG0K+Lr6o # LfB2IzuGaTxzZjANBgkqhkiG9w0BAQsFAASCAgA/SM0u8N8vZMOIKAsF8/RVnNz9 # Yf9oTNIv15GVTYTzEZUFdQ0oooOAK+mzLey7DQhFxYKCPNPO6xTYyAJlcTNCQwEQ # KHkf3615YBEeLvGqR3Rni2U08d2kUOCZnWzeBPB1wsMnQ/7iaPVd+clOAP1fu0in # jy0K95NS16JCdBSKEEMSeddG5S38CjxmPVk5ebMwMSAKppm7ua+Zs1h0zN1urgx3 # nPCbjEjwvLvXAdj2kQT4k93G5WFSwWaqlPz4zUUydl4mT9GN7/mPCKt4ukJHG89I # +aM6Fbbs6YH5FV8xvOWhbbJaLkOyQDYvr/EC/lDitP3N4Iw0eFJnAKTQ7PkBP/D2 # DM9oP3hK083691np65AxyH+zhUr5POWM1euKql4jY10nt2OCsOMto1yw3d1GWlw8 # ZO2HshVJedNKaPNk8DbfdZ5NJhHMgpbiEEUZFC/MOSk8QVOnns4qsHEquTo/cSnh # cF52SDJXdplNThMiBVBUAjdGS51jp8SAgQPj4ruuxFpot8lNBo5Qv6iXYHUDxIqL # ihHTsM23eH2Fszkb+C/kvHtKz7SNuoj1igucxAjm6uD3QSnx38HWUQ0duogUGJIq # W+ZPCekszrvBfW3pNTXypheBD4jgwu+Qk4VFr6747oYPmQqjEsGH9MpGrjIq2Od4 # NdRfKFcaV1/D+PuHrw== # SIG # End signature block |