Obs/bin/ObsDep/content/Powershell/Roles/Common/HostDscBootstrapConfig.psm1
|
<###################################################
# # # Copyright (c) Microsoft. All rights reserved. # # # ##################################################> Import-Module $PSScriptRoot\..\..\Common\NetworkHelpers.psm1 -DisableNameChecking -Verbose:$false | Out-Null Configuration NewComputeBootstrapDscConfiguration { Param ( [Parameter(Mandatory = $true)] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [System.String] $PsDscClient = 'localhost', [Parameter(Mandatory=$false)] [boolean] $EnableDataCenterBridging = $true, [Parameter(Mandatory=$true)] [hashtable] $NicBindingCriteria, [Parameter(Mandatory=$false)] [string] $IDNSProxyForwarders, [Parameter(Mandatory=$true)] [UInt64] $MinimumDiskBytes, [Parameter(Mandatory=$false)] [boolean] $DisableRemoteDesktop = $false ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName DSC.ProcessorPowerManagement Import-DscResource -ModuleName PDT.DSC.Networking Import-DscResource -ModuleName PDT.DSC.HyperV Import-DscResource -ModuleName PDT.DSC.Service Import-DscResource -ModuleName PDT.DSC.Utilities Import-DscResource -ModuleName PDT_MigrationProtocol Import-DscResource -ModuleName AS.Group Import-DscResource -ModuleName AS.DumpOnLargeHost Import-DscResource -ModuleName AS.WmiConfiguration Node $PsDscClient { # Workaround for the physical environment in the lab where WinRM has to be allowed on hosts at pre-deploy stage Log ASZHostDSCSkip { # DependsOn = '[PDTNetFirewallGroup]WinRM' Message = 'ASZ Host DSC Skipped' } <# # Enable the DSC Analytic log to capture verbose output of the configuration during bootstrap PDTEventLog 'DSCAnalytic' { LogName = 'Microsoft-Windows-DSC/Analytic' IsEnabled = $true MaximumSizeInBytes = [int]5Mb } # Allow Link Local Multicast Name Resolution through the # firewall, as lanmanserver needs it. PDTNetFirewallRule 'FPS-LLMNR-In-UDP' { Name = 'FPS-LLMNR-In-UDP' } #As part of the host hardening, we'll disable the following FW rules group PDTNetFirewallGroup 'AllJoyn Router' { Ensure = 'Absent' Name = 'AllJoyn Router' } PDTNetFirewallGroup 'mDNS' { Ensure = 'Absent' Name = 'mDNS' } #subset of CoreNet rules to be disabled PDTNetFirewallRule 'CoreNet-DHCPV6-In' { Ensure = 'Absent' Name = 'CoreNet-DHCPV6-In' } PDTNetFirewallRule 'CoreNet-Teredo-In' { Ensure = 'Absent' Name = 'CoreNet-Teredo-In' } PDTNetFirewallRule 'CoreNet-Teredo-Out' { Ensure = 'Absent' Name = 'CoreNet-Teredo-Out' } if ($DisableRemoteDesktop) { PDTNetFirewallGroup 'Remote Desktop Group' { Ensure = 'Absent' Name = 'Remote Desktop' } } # disable negative DNS cache # if a DNS query results in a negative response because the DNS server does not # have a record, by default the negative response is cached for 15 minutes # this disables the negative cache so the DNS client will be able to attempt # to resolve again - this will improve parallel steps where one step is expecting # another step to have created something in DNS Registry 'MaxNegativeCacheTtl' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' ValueName = 'MaxNegativeCacheTtl' ValueType = 'Dword' ValueData = '0' } # Setting Host/Infra identification for telemetry Registry 'VMType' { Key = 'HKLM:\SOFTWARE\Microsoft\Windows Azure' ValueName = 'VMType' ValueType = 'String' ValueData = 'AS-HOST' } # Wait for lanmanserver (SMB) to be fully available. Waiting # on this guarantees that a set of kernel- and user-mode services # are runnning and ready for use. PDTService lanmanserver { Name = 'lanmanserver' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Turn off deep power management states that reduce compute benchmark # performance. ProcessorPowerManagement C1Only { ComputerName = 'localhost' PowerScheme = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c' DeepestCState = 1 } # Enable dump on hosts that have a physical disk large enough to # handle the extra space needed. This will need a reboot to take # effect after initial deployment. Update will automatically add # this key on supported systems at image creation. ASDumpOnLargeHost DumpSettings { DependsOn = "[File]LiveKernelReportPathDirectoryCreation" Name = 'Dump Settings Dependent on Large Host' MinimumDiskBytes = $MinimumDiskBytes } # Ensure the LiveKernelReportsPath is created File LiveKernelReportPathDirectoryCreation { Type = 'Directory' DestinationPath = 'D:\AzureStack\LiveKernelReports' Ensure = "Present" } # Deploying a one-node host using an action plan involves setting # up that host without creating any virtual switches. This # DSC generation script will be handed a configuration which # has no switches and no vNICs. When setting anything else up, # there will be at least one external switch. if ($Node.ExternalSwitchNames.Count -ne 0) { if ($EnableDataCenterBridging) { PDTNetQosDcbxSetting 'Willing' { DependsOn = '[PDTService]lanmanserver' InterfaceAlias = 'Global' Willing = $false } # These next five ensure that SMB traffic and cluster heartbeat gets treated # with great respect by the switches. If you starve # storage and miss cluster heartbeat, the entire stamp can fall apart. PDTNetQosPolicyNetDirectPort 'SMBDirect' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'SMBDirect' NetDirectPort = 445 PriorityValue8021Action = $Node.NetQosPriority } PDTNetQosPolicyNetCluster 'Cluster' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Cluster' PriorityValue8021Action = 5 } PDTNetQosPolicyDefault 'Default' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Default' PriorityValue8021Action = 0 } PDTNetQosFlowControl 'FlowControl' { DependsOn = '[PDTNetQosPolicyNetDirectPort]SMBDirect' ComputerName = 'localhost' Priority = $Node.NetQosPriority } PDTNetQosTrafficClass 'SMBDirect' { DependsOn = @('[PDTNetQosPolicyNetDirectPort]SMBDirect','[PDTNetQosFlowControl]FlowControl') Name = 'SMBDirect' Algorithm = 'ETS' Priority = $Node.NetQosPriority BandwidthPercentage = 50 } PDTNetQosTrafficClass 'Cluster' { DependsOn = @('[PDTNetQosPolicyNetCluster]Cluster','[PDTNetQosFlowControl]FlowControl') Name = 'Cluster' Algorithm = 'ETS' Priority = 5 BandwidthPercentage = 2 } # This setting reserves space in Ethernet frames for network # virtualization metadata. PDTNetAdapterAdvancedProperty 'EncapOverhead' { DependsOn = '[PDTNetQosTrafficClass]SMBDirect' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*EncapOverhead' RegistryValue = 160 } # skip if it is virtual AzureStack $OEMRole = $Parameters.Roles["OEM"].PublicConfiguration $OEMModel = $OEMRole.PublicInfo.UpdatePackageManifest.UpdateInfo.Model if (@("Virtual Machine", "Hyper-V") -notcontains $OEMModel) { PDTNetAdapterAdvancedProperty 'VirtualSwitchRSS' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*RssOnHostVPorts' RegistryValue = 1 } PDTNetAdapterAdvancedProperty 'DcbxMode' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = 'DcbxMode' RegistryValue = 0 } } # Turn on Quality of Service. PDTNetAdapterQos 'Qos' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' } } # Configure VFP Proxy settings Write-Verbose "Configure VFP Proxy settings on NCHostAgent" -Verbose $gatewayEndpoint = $Parameters.Roles["FabricRingServices"].PublicConfiguration.PublicInfo.RPCommonProperties.ServiceUri $gatewayUriBuilder = New-Object -TypeName System.UriBuilder -ArgumentList $gatewayEndpoint $gatewayPort = $gatewayUriBuilder.Port $gatewayUri = $gatewayUriBuilder.Uri.DnsSafeHost # VFP forwards to Gateway, use the Gateway port value for the services $imdsServiceAddress = '127.0.0.1' $garServiceAddress = $gatewayUri $wireServerServiceAddress = '127.0.0.1' $hostGAPluginServiceAddress = '127.0.0.1' $imdsServicePort = 80 $garServicePort = $gatewayPort $wireServerServicePort = 80 $hostGAPluginServicePort = 32526 # Proxy port values $imdsProxyPort = 15021 $garProxyPort = 15022 $wireServerProxyPort = 15023 $hostGAPluginProxyPort = 15025 Write-Verbose "Making IMDS proxied service registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerAddress' ValueData = $imdsServiceAddress } Registry 'Instance_Metadata_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServiceName' ValueData = 'IMDS' } Registry 'Instance_Metadata_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'Instance_Metadata_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'Instance_Metadata_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making GAR proxied service registry change for MCNP proxy" Registry 'GAR_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerAddress' ValueData = $garServiceAddress } Registry 'GAR_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServiceName' ValueData = 'gar' } Registry 'GAR_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $garServicePort } Registry 'GAR_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'GAR_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyProtocol' ValueData = 'HttpsNoTranslation' } Registry 'GAR_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 1 } Write-Verbose "Making WireServer proxied service registry change for MCNP proxy" Registry 'WireServer_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerAddress' ValueData = $wireServerServiceAddress } Registry 'WireServer_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServiceName' ValueData = 'WireServer' } Registry 'WireServer_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $wireServerServicePort } Registry 'WireServer_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'WireServer_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'WireServer_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making HostGAPlugin proxied service registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerAddress' ValueData = $hostGAPluginServiceAddress } Registry 'HostGAPlugin_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServiceName' ValueData = 'HostGAPlugin' } Registry 'HostGAPlugin_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $hostGaPluginServicePort } Registry 'HostGAPlugin_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'HostGAPlugin_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'HostGAPlugin_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making IMDS infra services registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'Port' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'Instance_Metadata_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making GAR infra services registry change for MCNP proxy" Registry 'GAR_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'Port' ValueType = 'Dword' ValueData = 81 } Registry 'GAR_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'GAR_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making WireServer infra services registry change for MCNP proxy" Registry 'WireServer_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'Port' ValueType = 'Dword' ValueData = 80 } Registry 'WireServer_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'WireServer_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making HostGAPlugin infra services registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'Port' ValueType = 'Dword' ValueData = $hostGAPluginServicePort } Registry 'HostGAPlugin_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'HostGAPlugin_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } # Enabling Windows Error Reporting to create user mode dumps on Host Registry 'Host_Application_LocalDump_DumpType' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpType' ValueType = 'Dword' ValueData = 1 } Registry 'Host_Application_LocalDump_DumpFolder' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpFolder' ValueType = 'ExpandString' ValueData = 'D:\AzureStack\CrashDumps' } Registry 'Host_Application_LocalDump_DumpCount' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpCount' ValueType = 'Dword' ValueData = 1 } # Disable SMB1 in registry, so that Get-SmbServerConfiguration won't report it as active Registry 'SMB1' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' ValueName = 'SMB1' ValueType = 'DWORD' ValueData = '0' } Registry 'RefsScrubNoOplock' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' ValueName = 'RefsScrubNoOplock' ValueType = 'DWORD' ValueData = '1' } Registry 'VSwitchDHCP_LeaseDuration' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'LeaseTime' ValueType = 'DWORD' ValueData = '0xFFFFFFFF' Force = $true Hex = $true } Registry 'VSwitchDHCP_Broadcast' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'IPv4Broadcast' ValueType = 'DWORD' ValueData = '1' Force = $true } Registry 'VSwitchDHCP_Option245WireServer' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'Option245WireServer' ValueType = 'String' ValueData = '168.63.129.16' Force = $true } # Win2021 will have these values by default # Revert back when Win2021 is released with Azure Stack Registry 'Host_PtNicDropLowResourcesPackets' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'PtNicDropLowResourcesPackets' ValueType = 'DWORD' ValueData = '1' } Registry 'Host_MaxVrssQueueAllocatedMBytes' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'MaxVrssQueueAllocatedMBytes' ValueType = 'DWORD' ValueData = '16' } # Set the NCHostAgent service to start automatically and # run in its own process. PDTService 'NCHostAgent' { Name = 'NCHostAgent' StartupType = 'Automatic' State = 'Running' Type = 'own' DependsOn = ` @( '[Registry]Instance_Metadata_Service_Server_Address' '[Registry]Instance_Metadata_Service_Server_Name' '[Registry]Instance_Metadata_Service_Server_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Address' '[Registry]Instance_Metadata_Service_Proxy_Protocol' '[Registry]Instance_Metadata_Service_Enable_Client_Auth' '[Registry]GAR_Service_Server_Address' '[Registry]GAR_Service_Server_Name' '[Registry]GAR_Service_Server_Port' '[Registry]GAR_Service_Proxy_Listening_Port' '[Registry]GAR_Service_Proxy_Listening_Address' '[Registry]GAR_Service_Proxy_Protocol' '[Registry]GAR_Service_Enable_Client_Auth' '[Registry]WireServer_Service_Server_Address' '[Registry]WireServer_Service_Server_Name' '[Registry]WireServer_Service_Server_Port' '[Registry]WireServer_Service_Proxy_Listening_Port' '[Registry]WireServer_Service_Proxy_Listening_Address' '[Registry]WireServer_Service_Proxy_Protocol' '[Registry]WireServer_Service_Enable_Client_Auth' '[Registry]HostGAPlugin_Service_Server_Address' '[Registry]HostGAPlugin_Service_Server_Name' '[Registry]HostGAPlugin_Service_Server_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Address' '[Registry]HostGAPlugin_Service_Proxy_Protocol' '[Registry]HostGAPlugin_Service_Enable_Client_Auth' '[Registry]Instance_Metadata_Service_Infra_Port' '[Registry]Instance_Metadata_Service_Infra_Proxy_Port' '[Registry]Instance_Metadata_Service_Infra_Address' '[Registry]Instance_Metadata_Service_Infra_MAC_Address' '[Registry]GAR_Service_Infra_Port' '[Registry]GAR_Service_Infra_Proxy_Port' '[Registry]GAR_Service_Infra_Address' '[Registry]GAR_Service_Infra_MAC_Address' '[Registry]WireServer_Service_Infra_Port' '[Registry]WireServer_Service_Infra_Proxy_Port' '[Registry]WireServer_Service_Infra_Address' '[Registry]WireServer_Service_Infra_MAC_Address' '[Registry]HostGAPlugin_Service_Infra_Port' '[Registry]HostGAPlugin_Service_Infra_Proxy_Port' '[Registry]HostGAPlugin_Service_Infra_Address' '[Registry]HostGAPlugin_Service_Infra_MAC_Address' '[Registry]VSwitchDHCP_LeaseDuration' '[Registry]VSwitchDHCP_Broadcast' '[Registry]VSwitchDHCP_Option245WireServer' ) } # DNS forwarders Registry 'DNSProxy_Forwarders' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSProxy\Parameters" ValueName = "Forwarders" ValueData = $IDNSProxyForwarders } # Start DnsProxy service and make it automatic Write-Verbose "Start DnsProxy service and make it automatic" -Verbose PDTService 'DnsProxy' { Name = 'DnsProxy' StartupType = 'Automatic' State = 'Running' Type = 'own' SkipIfNotFound = $true # This service is in RS1 but not in RS5, so set this to true to skip configuration on RS5. DependsOn = @('[PDTService]NCHostAgent', '[Registry]DNSProxy_Forwarders') } # DNS Proxy Service - Port and ProxyPort $idnsPort = 53 # DNS Proxy service port Registry 'DNSProxyService_Port' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "Port" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service proxy port Registry 'DNSProxyService_ProxyPort' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "ProxyPort" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS IP Address $cloudRole = $Parameters.Roles["Cloud"].PublicConfiguration $dnsIPAddress = $cloudRole.PublicInfo.NetworkConfiguration.iDNS.Endpoint # If the value is not defined, assign it a predefined value if (-not $dnsIPAddress) { $dnsIPAddress = "168.63.129.16" } # DNS Proxy service IP Address Registry 'DNSProxyService_IP' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "IP" ValueData = $dnsIPAddress DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service MAC $dnsProxyServiceMAC = "22-22-22-22-22-22" #A random mac address used to redirect the dns traffic, applied through vfp rules. These rules are created by the NCHostagent on reading the registry. Registry 'DNSProxyService_MAC' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "MAC" ValueData = $dnsProxyServiceMAC DependsOn = '[PDTService]NCHostAgent' } # Comment out this config for now. This firewall group is basically the same as the 4 firewall rules below combined. # Once switching to RS5, the 4 firewall rules should be removed and use this firewall group instead. # PDTNetFirewallGroup 'DNS Proxy Firewall' # { # Ensure = 'Present' # Name = 'DNS Proxy Firewall' # } # Enable some firewall rules needed by DNSProxy service PDTNetFirewallRule 'DnsProxy-TCP-In' { Name = 'DnsProxy-TCP-In' } PDTNetFirewallRule 'DnsProxy-UDP-In' { Name = 'DnsProxy-UDP-In' } PDTNetFirewallRule 'DnsProxy-TCP-Out' { Name = 'DnsProxy-TCP-Out' } PDTNetFirewallRule 'DnsProxy-UDP-Out' { Name = 'DnsProxy-UDP-Out' } # Wait for the Virtual Machine Management Service (VMMS) to start # before calling into it to create virtual switches. PDTService VMMS { Name = 'VMMS' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Specify that VM live migrations should be performed using the SMB # protocol. Live migration configuration is only relevant for multi-node configurations. $physicalNodes = $Parameters.Roles["BareMetal"].PublicConfiguration.Nodes.Node if ($physicalNodes.Count -gt 1) { PDT_MigrationProtocol SMB { DependsOn = '[PDTService]VMMS' ComputerName = 'localhost' Protocol = 'SMB' MaximumLiveMigrations = 1 SmbLiveMigrationBandwidthBytesPerSecond = 750MB } } # This gets filled in with all the things that should be in their # desired state before the PDTNetIPv6 (below) is configured. Specifically, # the switches should be built, the switch extensions should be installed # and the vNICs should be built. $IPv6Dependencies = @() # Build all the internal and external switches that the Cloud Definition # calls for. Install the Azure Switch extension on exactly one switch. # If there are internal switches, pick that one. $extensionOnExternalSwitch = $true foreach ($switchName in $Node.InternalSwitchNames) { # Internal switches bind to no NICs. PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' SwitchType = 'Private' Name = $switchName } # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" $extensionOnExternalSwitch = $false } # VMSwitch ID must remain the same across host reimages (in P&U case), so MD5 hash of the host name # (which is not changed across host reimages) is used as GUID for the VMSwitch ID. $encoding = New-Object System.Text.UnicodeEncoding $hostNameBytes = $encoding.GetBytes($Node.NodeName.ToLower()) $memstream = New-Object System.IO.MemoryStream -ArgumentList @(100) try { $memstream.Write($hostNameBytes, 0, $hostNameBytes.Count) $memstream.Seek(0, [System.IO.SeekOrigin]::Begin) $hash = Get-FileHash -InputStream $memstream -Algorithm MD5 $vmswitchId = [Guid]::Parse($hash.Hash) } finally { if($memstream -ne $null) { $memstream.Close() } } $UnboundNICDependencies = @() foreach ($switchName in $Node.ExternalSwitchNames) { # Bind external switches to all NICs that go fast (at least 10Gb.) switch ($NicBindingCriteria.NetAdapterCriteriaType) { 'Speed' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName SwitchType = 'External' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue } } 'AdvancedProperty' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName Id = $vmswitchId SwitchType = 'External' NetAdapterCriteriaType = 'AdvancedProperty' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue LoadBalancingAlgorithm = 'HyperVPort' } } default { throw "Unhandled switch binding criteria $($NicBindingCriteria.NetAdapterCriteriaType)" } } # Record this as something that the unbound NICs rule depends on. $UnboundNICDependencies += "[PDTVMSwitch]$switchName" if ($extensionOnExternalSwitch) { # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" } else { $IPv6Dependencies += "[PDTVMSwitch]$switchName" } } # Enable IPv6 on all interfaces. (Should this depend on the NICs, not # the switches? Or is the point to do this before vNICs are built?) PDTNetIPv6 'IPv6' { DependsOn = $IPv6Dependencies ComputerName = 'localhost' } # Stop ISATAP. Not needed on stamp and groupthink says that it was # causing problems in some of our testing environments. PDTNetISATAP 'ISATAP' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' Ensure = 'Absent' } # Ensure that all NICs not in use for virtualization are disabled. # For One-Node, skip this step as it has been checked elsewhere that it has only active NIC. if(-not $Node.InternalSwitchNames) { PDTNetUnboundNIC 'DisableUnboundNICs' { DependsOn = $UnboundNICDependencies ComputerName = 'localhost' State = 'Disabled' } } # One-node deployments don't have a domain on the host. If there is # one, however, record the DNS suffix. if ($Node.DomainFQDN) { PDTNetGlobalDNS 'GlobalDNSSuffixes' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' SuffixList = $Node.DomainFQDN } } # This gets filled in with management OS NIC names $ManagementOSNicNames = @() # Set up the vNICs on the host. $RdmaNICs = @() $RdmaNICNames = @() $FirewallGroups = @{} foreach ($nicName in $Node.NicNames) { Write-Verbose "Creating vNIC $nicName on Node $($Node.NodeName)." # Create (or delete) the vNIC itself. if ([string]::IsNullOrEmpty($Node.("${nicName}MacAddress"))) { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") PriorityTag = 'On' } } else { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") MacAddress = $Node.("${nicName}MacAddress") PriorityTag = 'On' } } # Record these as VFP Firewall rules will depend on these. $ManagementOSNicNames += "[PDTVMNetworkAdapterManagementOS]$nicName" # If the vNIC above was being created, set RDMA state # and assign an IP address. if ($Node.("${nicName}Ensure") -ne 'Absent') { if ($Node.("${nicName}Rdma")) { Write-Verbose "VNIC $nicName is a RDMA NIC on Node $($Node.NodeName). Add it to RdmaNICs list." PDTNetAdapterRdma $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName } $RdmaNICs += "[PDTNetAdapterRdma]$nicName" $RdmaNICNames += "$nicName" } # In one-node host scenario, if the vNIC above was created with physical NIC's MAC address, the vNIC would get either # a DHCP IP address (if PNIC is using DHCP) or a static IP copied from the PNIC (if PNIC is using static IP). In either case, # there is no need to set the IP address explicitly again. # The "DoNotSetIPAddress" flag is only set to TRUE in one-node scenario. if (!$Node.("${nicName}DoNotSetIPAddress")) { $defGateway = $Node.("${nicName}IPv4DefaultGateway") $useDefaultGateway = $Node.("${nicName}UseDefaultGateway") if ($useDefaultGateway -eq $true) { Write-Verbose "VNIC $nicName is using default gateway $defGateway on Node $($Node.NodeName)." } else { Write-Verbose "VNIC $nicName is not using default gateway on Node $($Node.NodeName)." } $registerThisConnectionsAddress = $Node.("${nicName}RegisterThisConnectionsAddress") if ($useDefaultGateway -eq $true) { # this is to configure IP for HostNic which has default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DefaultGateway = $defGateway DnsRegistration = $registerThisConnectionsAddress } } else { # this is to configure IPs for Storage NICs which do not have default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DnsRegistration = $registerThisConnectionsAddress } } $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTNetIPAddress]$nicName" Profile = $netProfile Name = $nicName } } } else { $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" Profile = $netProfile Name = $nicName } } } $firewallRules = $Node.("${nicName}FirewallRules") foreach ($rule in $firewallRules) { $groupName = $rule.Group if (-not $FirewallGroups.$groupName) { $FirewallGroups.$groupName = New-Object PSObject -Property @{Enabled = $rule.Enabled; InterfaceAlias = @()} } $FirewallGroups.$groupName.InterfaceAlias += $nicName } } } # Set up the firewall rules for MCNP Proxy, depends on the Management OS Nic Write-Verbose "Setting firewall rules for MCNP proxy" xFirewall 'HostGAPlugin Proxy Rule (Inbound)' { Name = 'HostGAPlugin Proxy Rule (Inbound)' DisplayName = 'HostGAPlugin Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($hostGAPluginProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'WireServer Proxy Rule (Inbound)' { Name = 'WireServer Proxy Rule (Inbound)' DisplayName = 'WireServer Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($wireServerProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Outbound' { Name = 'Instance-Metadata-Server-Proxy-Outbound' DisplayName = 'Instance-Metadata-Server-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Inbound' { Name = 'Instance-Metadata-Server-Proxy-Inbound' DisplayName = 'Instance-Metadata-Server-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Outbound' { Name = 'GAR-Proxy-Outbound' DisplayName = 'GAR-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Inbound' { Name = 'GAR-Proxy-Inbound' DisplayName = 'GAR-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } # Make policies about which pNICs are used for RDMA via each vNIC. if ($RdmaNICs.Count -ne 0) { PDTNetRDMARoutes 'RDMARoutes' { Name = 'Storage*' DependsOn = $RdmaNICs Strategy = 'roundrobin' } } foreach ($group in $FirewallGroups.GetEnumerator()) { $depends = ($group.Value.InterfaceAlias | ForEach-Object {'[PDTVMNetworkAdapterManagementOS]' + $_}) if ($group.Value.Enabled) { $ensure = 'Present' } else { $ensure = 'Absent' } PDTNetFirewallGroup $group.Name { DependsOn = $depends Name = $group.Key InterfaceAlias = $group.Value.InterfaceAlias Ensure = $ensure } } # ASZ - No ASDK mode # Multi-node hosts are hatched already joined to a domain, so we can # add administrators here. # if ($physicalNodes.Count -gt 1) # { $firstPhysicalNode = $physicalNodes | Select-Object -First 1 $localAdmins = $firstPhysicalNode.LocalAdmins.Admin ASGroup 'LocalAdministrators' { DependsOn = $depends GroupName = 'Administrators' MembersToInclude = $localAdmins.Name } # } # In Multi-cluster scenario, the hosts' storage NICs should have static routes to other clusters' storage networks if (IsNetworkSchemaVersion2021($Parameters)) { Write-Verbose "This deployment is using network schema version 2021, which support multiple Scale Units." $localClusterId = $Node.RefClusterId Write-Verbose "Finding local storage network for cluster $($localClusterId) on Node $($Node.NodeName)." $localNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $localClusterId $localClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC1" $localClusterStorageNetwork = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorageNetworkName} if ($localClusterStorageNetwork) { Write-Verbose "Storage Network $localClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $localClusterStorageNetworkName was not found for Node $($Node.NodeName)." } Write-Verbose "Finding local storage2 network for cluster $($localClusterId) on Node $($Node.NodeName)." $localClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC2" $localClusterStorage2Network = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorage2NetworkName} if ($localClusterStorage2Network) { Write-Verbose "Storage2 Network $localClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $localClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $allOtherClusters = $Parameters.Roles["Cluster"].PublicConfiguration.Clusters.Node | Where-Object { $_.Id -ne $localClusterId } # for each additional SU, create two static routes for each storage VNIC on local cluster node, so that there will be 4 such routes per SU: # 1. To other SU's Storage network 1 via vNIC1's default gateway # 2. To other SU's Storage network 2 via vNIC1's default gateway # 3. To other SU's Storage network 1 via vNIC2's default gateway # 4. To other SU's Storage network 2 via vNIC2's default gateway foreach ($otherCluster in $allOtherClusters) { Write-Verbose "Finding storage network in cluster $($otherCluster.Name) for Node $($Node.NodeName)." $otherClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC1" $otherClusterNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $otherCluster.Name $otherClusterStorageNetwork = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorageNetworkName} if ($otherClusterStorageNetwork) { Write-Verbose "Storage Network $otherClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $otherClusterStorageNetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix = $otherClusterStorageNetwork.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage network $destinationPrefix for Node $($Node.NodeName)." $otherClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC2" $otherClusterStorage2Network = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorage2NetworkName} if ($otherClusterStorage2Network) { Write-Verbose "Storage2 Network $otherClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $otherClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix2 = $otherClusterStorage2Network.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage2 network $destinationPrefix2 for Node $($Node.NodeName)." foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $destinationPrefix via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix NextHop = $nextHop } Write-Verbose "Creating static route to $destinationPrefix2 via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix2" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix2 NextHop = $nextHop } } } } # This will increase the default WMI limit of 4096 WMI HandlesPerHost to 8192. # We believe this will avoid some of our WMI throttling errors and WMI service crashes WmiConfiguration 'WmiQuotaConfig' { ComputerName = "localhost" HandlesPerHost = 8192 } # When NAS cluster(s) integrated, the hosts' storage NICs should have static routes to the NAS storage networks # So that Blob data traffic can go through the storage NICs $nasClusters = $Parameters.Roles["NasCluster"].PublicConfiguration.NasClusters.Node foreach ($nasCluster in $nasClusters) { $nasName = $nasCluster.Name $nasStorageSubnet = $nasCluster.NasClusterNetworks.StorageNetwork.Subnet Write-Verbose "Found NasCluster:[$nasName], StorageSubnet:[$nasStorageSubnet]" -Verbose foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $nasStorageSubnet via NextHop $nextHop for NIC $rdmaNicName on Node $($Node.NodeName)." -Verbose if (-not $nasStorageSubnet -or -not $nextHop) { throw "Invalid static route parameter" } xRoute "$rdmaNicName-$nasStorageSubnet" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $nasStorageSubnet NextHop = $nextHop } } } } #> } } Export-ModuleMember -Function NewComputeBootstrapDscConfiguration # SIG # Begin signature block # MIIoKgYJKoZIhvcNAQcCoIIoGzCCKBcCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA8r8CITAWgNZWE # Etp9W1bjNkDQK+m/IlfAuyY72twfNKCCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGgowghoGAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIBy1wPbtm7AyTmK2knX04Jlr # U65Oq7D79DJfEtR2yCovMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAipoT1r6KMLzpWRuwGxVts1EzjVy/MnvFbZG44N4YomUnoiiyRqf2Qmbt # PpjBJ9LNLRphpaUvcvYWSs1sD5JPKav7utPutazk3JqAh2itYtS8FQ4RWGFAPXXx # SWRT9D6CmBV2YXRVJLGZiutQEviXTQ+tVM61CQRNindLFirQTaUiGGekMqz4cxmy # o4UaO0/K1KSqn5MRU4gDsmof+pgLxLFLg4GEaoRSDdoxJPFOgpzZVYF8T/lnIR7Y # kba/YNd7DB6DRg/DikjvBD1lYIoBwPNAliRJZ6ewADJ4JcW63fe/ylws0551lUZ9 # ApESxjFEsD1EUX1Q7bMyupGzlY7t66GCF5QwgheQBgorBgEEAYI3AwMBMYIXgDCC # F3wGCSqGSIb3DQEHAqCCF20wghdpAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFSBgsq # hkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCBj4MsDaORTTHYqfwY0F2UkotL8pMC8rIY+jHlo9VZS8AIGZpVsZh4y # GBMyMDI0MDcxNjE2MjczNS41MTRaMASAAgH0oIHRpIHOMIHLMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l # cmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046N0YwMC0w # NUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2Wg # ghHqMIIHIDCCBQigAwIBAgITMwAAAfAqfB1ZO+YfrQABAAAB8DANBgkqhkiG9w0B # AQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD # VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yMzEyMDYxODQ1 # NTFaFw0yNTAzMDUxODQ1NTFaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25z # MScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046N0YwMC0wNUUwLUQ5NDcxJTAjBgNV # BAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQC1Hi1Tozh3O0czE8xfRnrymlJNCaGWommPy0eINf+4 # EJr7rf8tSzlgE8Il4Zj48T5fTTOAh6nITRf2lK7+upcnZ/xg0AKoDYpBQOWrL9Ob # FShylIHfr/DQ4PsRX8GRtInuJsMkwSg63bfB4Q2UikMEP/CtZHi8xW5XtAKp95cs # 3mvUCMvIAA83Jr/UyADACJXVU4maYisczUz7J111eD1KrG9mQ+ITgnRR/X2xTDMC # z+io8ZZFHGwEZg+c3vmPp87m4OqOKWyhcqMUupPveO/gQC9Rv4szLNGDaoePeK6I # U0JqcGjXqxbcEoS/s1hCgPd7Ux6YWeWrUXaxbb+JosgOazUgUGs1aqpnLjz0YKfU # qn8i5TbmR1dqElR4QA+OZfeVhpTonrM4sE/MlJ1JLpR2FwAIHUeMfotXNQiytYfR # BUOJHFeJYEflZgVk0Xx/4kZBdzgFQPOWfVd2NozXlC2epGtUjaluA2osOvQHZzGO # oKTvWUPX99MssGObO0xJHd0DygP/JAVp+bRGJqa2u7AqLm2+tAT26yI5veccDmNZ # sg3vDh1HcpCJa9QpRW/MD3a+AF2ygV1sRnGVUVG3VODX3BhGT8TMU/GiUy3h7ClX # OxmZ+weCuIOzCkTDbK5OlAS8qSPpgp+XGlOLEPaM31Mgf6YTppAaeP0ophx345oh # twIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFNCCsqdXRy/MmjZGVTAvx7YFWpslMB8G # A1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1UdHwRYMFYwVKBSoFCG # Tmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY3Jvc29mdCUy # MFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggrBgEFBQcBAQRgMF4w # XAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2Vy # dHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3J0MAwG # A1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDgYDVR0PAQH/BAQD # AgeAMA0GCSqGSIb3DQEBCwUAA4ICAQA4IvSbnr4jEPgo5W4xj3/+0dCGwsz863QG # Z2mB9Z4SwtGGLMvwfsRUs3NIlPD/LsWAxdVYHklAzwLTwQ5M+PRdy92DGftyEOGM # Hfut7Gq8L3RUcvrvr0AL/NNtfEpbAEkCFzseextY5s3hzj3rX2wvoBZm2ythwcLe # ZmMgHQCmjZp/20fHWJgrjPYjse6RDJtUTlvUsjr+878/t+vrQEIqlmebCeEi+VQV # xc7wF0LuMTw/gCWdcqHoqL52JotxKzY8jZSQ7ccNHhC4eHGFRpaKeiSQ0GXtlbGI # bP4kW1O3JzlKjfwG62NCSvfmM1iPD90XYiFm7/8mgR16AmqefDsfjBCWwf3qheIM # fgZzWqeEz8laFmM8DdkXjuOCQE/2L0TxhrjUtdMkATfXdZjYRlscBDyr8zGMlprF # C7LcxqCXlhxhtd2CM+mpcTc8RB2D3Eor0UdoP36Q9r4XWCVV/2Kn0AXtvWxvIfyO # Fm5aLl0eEzkhfv/XmUlBeOCElS7jdddWpBlQjJuHHUHjOVGXlrJT7X4hicF1o23x # 5U+j7qPKBceryP2/1oxfmHc6uBXlXBKukV/QCZBVAiBMYJhnktakWHpo9uIeSnYT # 6Qx7wf2RauYHIER8SLRmblMzPOs+JHQzrvh7xStx310LOp+0DaOXs8xjZvhpn+Wu # Zij5RmZijDCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZI # hvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # MjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAy # MDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp # bWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC # AQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25Phdg # M/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPF # dvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6 # GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBp # Dco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50Zu # yjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3E # XzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0 # lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1q # GFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ # +QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PA # PBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkw # EgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxG # NSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARV # MFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAK # BggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC # AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX # zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v # cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI # KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG # 9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0x # M7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmC # VgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449 # xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wM # nosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDS # PeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2d # Y3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxn # GSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+Crvs # QWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokL # jzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL # 6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggNN # MIICNQIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEn # MCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjdGMDAtMDVFMC1EOTQ3MSUwIwYDVQQD # ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQDC # KAZKKv5lsdC2yoMGKYiQy79p/6CBgzCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6kCTlDAiGA8yMDI0MDcxNjA2Mzcw # OFoYDzIwMjQwNzE3MDYzNzA4WjB0MDoGCisGAQQBhFkKBAExLDAqMAoCBQDqQJOU # AgEAMAcCAQACAjEHMAcCAQACAhU2MAoCBQDqQeUUAgEAMDYGCisGAQQBhFkKBAIx # KDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJKoZI # hvcNAQELBQADggEBAAUKqAkr+80EgEv+2eVbn5a/M2HCj+/JstY1KS70mqMcJODm # niG6fi7vlr9IdPvOlxOpKMBIbWdquA3elF4ueU7pD4q/QA9JNBOPzvKi1WKjBtYp # rCFcIPw2U68E1NlWysdvvCdiH9qWW0g30yb/ry0JPdl8JqHWiccRXX8MVym7wRAI # fnoZuH5bgtFH59pkEz3MRowZK012EgOF75KCwWdAgSd6jwpIfp+hGXOksQmWnbuI # iEbTMUHtG440BNDKOBc4ToBzKLCx/LibYLQ8IxzNGjVV0w93QGg09IwmpEEEyEbN # isqzc+Fn8R4FK603zE8Q0jyTeo0k3F3sxBy8xfoxggQNMIIECQIBATCBkzB8MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNy # b3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAfAqfB1ZO+YfrQABAAAB8DAN # BglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8G # CSqGSIb3DQEJBDEiBCBpsyy0NthVjuzE6zUixiuPDHqNDmVghvwEztCFnChj4TCB # +gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EIFwBmqOlcv3kU7mAB5sWR74QFAiS # 6mb+CM6asnFAZUuLMIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw # MTACEzMAAAHwKnwdWTvmH60AAQAAAfAwIgQg065lijQszyb5cqUknkS/jUqrggAE # QA3NVPtNHTnR9dwwDQYJKoZIhvcNAQELBQAEggIAfXV1+CLrWyxW7V0CvoEtZt+v # 9r3SUY4LV8PhSg3gD9X3Zk1VJDnrjsa/g1xp2ZQdQfiFZ/c0OCWt7AHpmNmWLEEP # VC/ycxCbgCjSi6rvcFe6gfJ3wBfXOrNj9Kcd0Pv3I/V0ouGUsPbTSXiVTMVjlRG6 # yUKLRIIP0KyOAw52lshI4NeigYP3INnOM3VKAedmvHTXiQ1km0nwG8HkbC781ieW # sQGsMDhmyIzLrOoqBjG3IzX+rVnBw16JcvslLarSOs3il3sKYerGqAtmsUKO4LPm # 03XlwlnwPt54BOICpYsJrBVU5e4ERWn9DbmswhWM64lc3/rmIl7sJbki/haxlvSP # soTszz9YVQrMJq1kbhwKEleCb21umY+f9yoW1DBPUH5BqrZva/t5URa3I1Ioo/g0 # ofP6TIGAOI09bGV121fO/3zVLrF3ZWY9JnaOX/51PfQKipdbG/2W8J5RyUcibGmQ # dJ8fKtfSeXAfxjHkeaOronYRvjcfs1ZCKNkc6AXkBKRUOiRMwOpqN/IAKJJMk1m/ # J/AV75lH9BsCbf9bgJLOeaAruU9G9fVTjgafJ4rptY2WKw4cYXUTVke9KToaRA8O # ejDWN4tk+qcoHSRsLTTfGEX9tbWmw8zOwaGydnK+hYuwJzFjRy3C+oAkcFlv+hbt # mnfwUDhNPmDkKoRlIW0= # SIG # End signature block |