Obs/bin/ObsDep/content/Powershell/Roles/Common/HostDscBootstrapConfig.psm1
|
<###################################################
# # # Copyright (c) Microsoft. All rights reserved. # # # ##################################################> Import-Module $PSScriptRoot\..\..\Common\NetworkHelpers.psm1 -DisableNameChecking -Verbose:$false | Out-Null Configuration NewComputeBootstrapDscConfiguration { Param ( [Parameter(Mandatory = $true)] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [System.String] $PsDscClient = 'localhost', [Parameter(Mandatory=$false)] [boolean] $EnableDataCenterBridging = $true, [Parameter(Mandatory=$true)] [hashtable] $NicBindingCriteria, [Parameter(Mandatory=$false)] [string] $IDNSProxyForwarders, [Parameter(Mandatory=$true)] [UInt64] $MinimumDiskBytes, [Parameter(Mandatory=$false)] [boolean] $DisableRemoteDesktop = $false ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName DSC.ProcessorPowerManagement Import-DscResource -ModuleName PDT.DSC.Networking Import-DscResource -ModuleName PDT.DSC.HyperV Import-DscResource -ModuleName PDT.DSC.Service Import-DscResource -ModuleName PDT.DSC.Utilities Import-DscResource -ModuleName PDT_MigrationProtocol Import-DscResource -ModuleName AS.Group Import-DscResource -ModuleName AS.DumpOnLargeHost Import-DscResource -ModuleName AS.WmiConfiguration Node $PsDscClient { # Workaround for the physical environment in the lab where WinRM has to be allowed on hosts at pre-deploy stage Log ASZHostDSCSkip { # DependsOn = '[PDTNetFirewallGroup]WinRM' Message = 'ASZ Host DSC Skipped' } <# # Enable the DSC Analytic log to capture verbose output of the configuration during bootstrap PDTEventLog 'DSCAnalytic' { LogName = 'Microsoft-Windows-DSC/Analytic' IsEnabled = $true MaximumSizeInBytes = [int]5Mb } # Allow Link Local Multicast Name Resolution through the # firewall, as lanmanserver needs it. PDTNetFirewallRule 'FPS-LLMNR-In-UDP' { Name = 'FPS-LLMNR-In-UDP' } #As part of the host hardening, we'll disable the following FW rules group PDTNetFirewallGroup 'AllJoyn Router' { Ensure = 'Absent' Name = 'AllJoyn Router' } PDTNetFirewallGroup 'mDNS' { Ensure = 'Absent' Name = 'mDNS' } #subset of CoreNet rules to be disabled PDTNetFirewallRule 'CoreNet-DHCPV6-In' { Ensure = 'Absent' Name = 'CoreNet-DHCPV6-In' } PDTNetFirewallRule 'CoreNet-Teredo-In' { Ensure = 'Absent' Name = 'CoreNet-Teredo-In' } PDTNetFirewallRule 'CoreNet-Teredo-Out' { Ensure = 'Absent' Name = 'CoreNet-Teredo-Out' } if ($DisableRemoteDesktop) { PDTNetFirewallGroup 'Remote Desktop Group' { Ensure = 'Absent' Name = 'Remote Desktop' } } # disable negative DNS cache # if a DNS query results in a negative response because the DNS server does not # have a record, by default the negative response is cached for 15 minutes # this disables the negative cache so the DNS client will be able to attempt # to resolve again - this will improve parallel steps where one step is expecting # another step to have created something in DNS Registry 'MaxNegativeCacheTtl' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' ValueName = 'MaxNegativeCacheTtl' ValueType = 'Dword' ValueData = '0' } # Setting Host/Infra identification for telemetry Registry 'VMType' { Key = 'HKLM:\SOFTWARE\Microsoft\Windows Azure' ValueName = 'VMType' ValueType = 'String' ValueData = 'AS-HOST' } # Wait for lanmanserver (SMB) to be fully available. Waiting # on this guarantees that a set of kernel- and user-mode services # are runnning and ready for use. PDTService lanmanserver { Name = 'lanmanserver' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Turn off deep power management states that reduce compute benchmark # performance. ProcessorPowerManagement C1Only { ComputerName = 'localhost' PowerScheme = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c' DeepestCState = 1 } # Enable dump on hosts that have a physical disk large enough to # handle the extra space needed. This will need a reboot to take # effect after initial deployment. Update will automatically add # this key on supported systems at image creation. ASDumpOnLargeHost DumpSettings { DependsOn = "[File]LiveKernelReportPathDirectoryCreation" Name = 'Dump Settings Dependent on Large Host' MinimumDiskBytes = $MinimumDiskBytes } # Ensure the LiveKernelReportsPath is created File LiveKernelReportPathDirectoryCreation { Type = 'Directory' DestinationPath = 'D:\AzureStack\LiveKernelReports' Ensure = "Present" } # Deploying a one-node host using an action plan involves setting # up that host without creating any virtual switches. This # DSC generation script will be handed a configuration which # has no switches and no vNICs. When setting anything else up, # there will be at least one external switch. if ($Node.ExternalSwitchNames.Count -ne 0) { if ($EnableDataCenterBridging) { PDTNetQosDcbxSetting 'Willing' { DependsOn = '[PDTService]lanmanserver' InterfaceAlias = 'Global' Willing = $false } # These next five ensure that SMB traffic and cluster heartbeat gets treated # with great respect by the switches. If you starve # storage and miss cluster heartbeat, the entire stamp can fall apart. PDTNetQosPolicyNetDirectPort 'SMBDirect' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'SMBDirect' NetDirectPort = 445 PriorityValue8021Action = $Node.NetQosPriority } PDTNetQosPolicyNetCluster 'Cluster' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Cluster' PriorityValue8021Action = 5 } PDTNetQosPolicyDefault 'Default' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Default' PriorityValue8021Action = 0 } PDTNetQosFlowControl 'FlowControl' { DependsOn = '[PDTNetQosPolicyNetDirectPort]SMBDirect' ComputerName = 'localhost' Priority = $Node.NetQosPriority } PDTNetQosTrafficClass 'SMBDirect' { DependsOn = @('[PDTNetQosPolicyNetDirectPort]SMBDirect','[PDTNetQosFlowControl]FlowControl') Name = 'SMBDirect' Algorithm = 'ETS' Priority = $Node.NetQosPriority BandwidthPercentage = 50 } PDTNetQosTrafficClass 'Cluster' { DependsOn = @('[PDTNetQosPolicyNetCluster]Cluster','[PDTNetQosFlowControl]FlowControl') Name = 'Cluster' Algorithm = 'ETS' Priority = 5 BandwidthPercentage = 2 } # This setting reserves space in Ethernet frames for network # virtualization metadata. PDTNetAdapterAdvancedProperty 'EncapOverhead' { DependsOn = '[PDTNetQosTrafficClass]SMBDirect' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*EncapOverhead' RegistryValue = 160 } # skip if it is virtual AzureStack $OEMRole = $Parameters.Roles["OEM"].PublicConfiguration $OEMModel = $OEMRole.PublicInfo.UpdatePackageManifest.UpdateInfo.Model if (@("Virtual Machine", "Hyper-V") -notcontains $OEMModel) { PDTNetAdapterAdvancedProperty 'VirtualSwitchRSS' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*RssOnHostVPorts' RegistryValue = 1 } PDTNetAdapterAdvancedProperty 'DcbxMode' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = 'DcbxMode' RegistryValue = 0 } } # Turn on Quality of Service. PDTNetAdapterQos 'Qos' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' } } # Configure VFP Proxy settings Write-Verbose "Configure VFP Proxy settings on NCHostAgent" -Verbose $gatewayEndpoint = $Parameters.Roles["FabricRingServices"].PublicConfiguration.PublicInfo.RPCommonProperties.ServiceUri $gatewayUriBuilder = New-Object -TypeName System.UriBuilder -ArgumentList $gatewayEndpoint $gatewayPort = $gatewayUriBuilder.Port $gatewayUri = $gatewayUriBuilder.Uri.DnsSafeHost # VFP forwards to Gateway, use the Gateway port value for the services $imdsServiceAddress = '127.0.0.1' $garServiceAddress = $gatewayUri $wireServerServiceAddress = '127.0.0.1' $hostGAPluginServiceAddress = '127.0.0.1' $imdsServicePort = 80 $garServicePort = $gatewayPort $wireServerServicePort = 80 $hostGAPluginServicePort = 32526 # Proxy port values $imdsProxyPort = 15021 $garProxyPort = 15022 $wireServerProxyPort = 15023 $hostGAPluginProxyPort = 15025 Write-Verbose "Making IMDS proxied service registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerAddress' ValueData = $imdsServiceAddress } Registry 'Instance_Metadata_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServiceName' ValueData = 'IMDS' } Registry 'Instance_Metadata_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'Instance_Metadata_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'Instance_Metadata_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making GAR proxied service registry change for MCNP proxy" Registry 'GAR_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerAddress' ValueData = $garServiceAddress } Registry 'GAR_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServiceName' ValueData = 'gar' } Registry 'GAR_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $garServicePort } Registry 'GAR_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'GAR_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyProtocol' ValueData = 'HttpsNoTranslation' } Registry 'GAR_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 1 } Write-Verbose "Making WireServer proxied service registry change for MCNP proxy" Registry 'WireServer_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerAddress' ValueData = $wireServerServiceAddress } Registry 'WireServer_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServiceName' ValueData = 'WireServer' } Registry 'WireServer_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $wireServerServicePort } Registry 'WireServer_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'WireServer_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'WireServer_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making HostGAPlugin proxied service registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerAddress' ValueData = $hostGAPluginServiceAddress } Registry 'HostGAPlugin_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServiceName' ValueData = 'HostGAPlugin' } Registry 'HostGAPlugin_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $hostGaPluginServicePort } Registry 'HostGAPlugin_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'HostGAPlugin_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'HostGAPlugin_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making IMDS infra services registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'Port' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'Instance_Metadata_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making GAR infra services registry change for MCNP proxy" Registry 'GAR_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'Port' ValueType = 'Dword' ValueData = 81 } Registry 'GAR_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'GAR_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making WireServer infra services registry change for MCNP proxy" Registry 'WireServer_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'Port' ValueType = 'Dword' ValueData = 80 } Registry 'WireServer_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'WireServer_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making HostGAPlugin infra services registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'Port' ValueType = 'Dword' ValueData = $hostGAPluginServicePort } Registry 'HostGAPlugin_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'HostGAPlugin_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } # Enabling Windows Error Reporting to create user mode dumps on Host Registry 'Host_Application_LocalDump_DumpType' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpType' ValueType = 'Dword' ValueData = 1 } Registry 'Host_Application_LocalDump_DumpFolder' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpFolder' ValueType = 'ExpandString' ValueData = 'D:\AzureStack\CrashDumps' } Registry 'Host_Application_LocalDump_DumpCount' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpCount' ValueType = 'Dword' ValueData = 1 } # Disable SMB1 in registry, so that Get-SmbServerConfiguration won't report it as active Registry 'SMB1' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' ValueName = 'SMB1' ValueType = 'DWORD' ValueData = '0' } Registry 'RefsScrubNoOplock' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' ValueName = 'RefsScrubNoOplock' ValueType = 'DWORD' ValueData = '1' } Registry 'VSwitchDHCP_LeaseDuration' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'LeaseTime' ValueType = 'DWORD' ValueData = '0xFFFFFFFF' Force = $true Hex = $true } Registry 'VSwitchDHCP_Broadcast' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'IPv4Broadcast' ValueType = 'DWORD' ValueData = '1' Force = $true } Registry 'VSwitchDHCP_Option245WireServer' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'Option245WireServer' ValueType = 'String' ValueData = '168.63.129.16' Force = $true } # Win2021 will have these values by default # Revert back when Win2021 is released with Azure Stack Registry 'Host_PtNicDropLowResourcesPackets' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'PtNicDropLowResourcesPackets' ValueType = 'DWORD' ValueData = '1' } Registry 'Host_MaxVrssQueueAllocatedMBytes' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'MaxVrssQueueAllocatedMBytes' ValueType = 'DWORD' ValueData = '16' } # Set the NCHostAgent service to start automatically and # run in its own process. PDTService 'NCHostAgent' { Name = 'NCHostAgent' StartupType = 'Automatic' State = 'Running' Type = 'own' DependsOn = ` @( '[Registry]Instance_Metadata_Service_Server_Address' '[Registry]Instance_Metadata_Service_Server_Name' '[Registry]Instance_Metadata_Service_Server_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Address' '[Registry]Instance_Metadata_Service_Proxy_Protocol' '[Registry]Instance_Metadata_Service_Enable_Client_Auth' '[Registry]GAR_Service_Server_Address' '[Registry]GAR_Service_Server_Name' '[Registry]GAR_Service_Server_Port' '[Registry]GAR_Service_Proxy_Listening_Port' '[Registry]GAR_Service_Proxy_Listening_Address' '[Registry]GAR_Service_Proxy_Protocol' '[Registry]GAR_Service_Enable_Client_Auth' '[Registry]WireServer_Service_Server_Address' '[Registry]WireServer_Service_Server_Name' '[Registry]WireServer_Service_Server_Port' '[Registry]WireServer_Service_Proxy_Listening_Port' '[Registry]WireServer_Service_Proxy_Listening_Address' '[Registry]WireServer_Service_Proxy_Protocol' '[Registry]WireServer_Service_Enable_Client_Auth' '[Registry]HostGAPlugin_Service_Server_Address' '[Registry]HostGAPlugin_Service_Server_Name' '[Registry]HostGAPlugin_Service_Server_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Address' '[Registry]HostGAPlugin_Service_Proxy_Protocol' '[Registry]HostGAPlugin_Service_Enable_Client_Auth' '[Registry]Instance_Metadata_Service_Infra_Port' '[Registry]Instance_Metadata_Service_Infra_Proxy_Port' '[Registry]Instance_Metadata_Service_Infra_Address' '[Registry]Instance_Metadata_Service_Infra_MAC_Address' '[Registry]GAR_Service_Infra_Port' '[Registry]GAR_Service_Infra_Proxy_Port' '[Registry]GAR_Service_Infra_Address' '[Registry]GAR_Service_Infra_MAC_Address' '[Registry]WireServer_Service_Infra_Port' '[Registry]WireServer_Service_Infra_Proxy_Port' '[Registry]WireServer_Service_Infra_Address' '[Registry]WireServer_Service_Infra_MAC_Address' '[Registry]HostGAPlugin_Service_Infra_Port' '[Registry]HostGAPlugin_Service_Infra_Proxy_Port' '[Registry]HostGAPlugin_Service_Infra_Address' '[Registry]HostGAPlugin_Service_Infra_MAC_Address' '[Registry]VSwitchDHCP_LeaseDuration' '[Registry]VSwitchDHCP_Broadcast' '[Registry]VSwitchDHCP_Option245WireServer' ) } # DNS forwarders Registry 'DNSProxy_Forwarders' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSProxy\Parameters" ValueName = "Forwarders" ValueData = $IDNSProxyForwarders } # Start DnsProxy service and make it automatic Write-Verbose "Start DnsProxy service and make it automatic" -Verbose PDTService 'DnsProxy' { Name = 'DnsProxy' StartupType = 'Automatic' State = 'Running' Type = 'own' SkipIfNotFound = $true # This service is in RS1 but not in RS5, so set this to true to skip configuration on RS5. DependsOn = @('[PDTService]NCHostAgent', '[Registry]DNSProxy_Forwarders') } # DNS Proxy Service - Port and ProxyPort $idnsPort = 53 # DNS Proxy service port Registry 'DNSProxyService_Port' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "Port" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service proxy port Registry 'DNSProxyService_ProxyPort' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "ProxyPort" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS IP Address $cloudRole = $Parameters.Roles["Cloud"].PublicConfiguration $dnsIPAddress = $cloudRole.PublicInfo.NetworkConfiguration.iDNS.Endpoint # If the value is not defined, assign it a predefined value if (-not $dnsIPAddress) { $dnsIPAddress = "168.63.129.16" } # DNS Proxy service IP Address Registry 'DNSProxyService_IP' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "IP" ValueData = $dnsIPAddress DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service MAC $dnsProxyServiceMAC = "22-22-22-22-22-22" #A random mac address used to redirect the dns traffic, applied through vfp rules. These rules are created by the NCHostagent on reading the registry. Registry 'DNSProxyService_MAC' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "MAC" ValueData = $dnsProxyServiceMAC DependsOn = '[PDTService]NCHostAgent' } # Comment out this config for now. This firewall group is basically the same as the 4 firewall rules below combined. # Once switching to RS5, the 4 firewall rules should be removed and use this firewall group instead. # PDTNetFirewallGroup 'DNS Proxy Firewall' # { # Ensure = 'Present' # Name = 'DNS Proxy Firewall' # } # Enable some firewall rules needed by DNSProxy service PDTNetFirewallRule 'DnsProxy-TCP-In' { Name = 'DnsProxy-TCP-In' } PDTNetFirewallRule 'DnsProxy-UDP-In' { Name = 'DnsProxy-UDP-In' } PDTNetFirewallRule 'DnsProxy-TCP-Out' { Name = 'DnsProxy-TCP-Out' } PDTNetFirewallRule 'DnsProxy-UDP-Out' { Name = 'DnsProxy-UDP-Out' } # Wait for the Virtual Machine Management Service (VMMS) to start # before calling into it to create virtual switches. PDTService VMMS { Name = 'VMMS' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Specify that VM live migrations should be performed using the SMB # protocol. Live migration configuration is only relevant for multi-node configurations. $physicalNodes = $Parameters.Roles["BareMetal"].PublicConfiguration.Nodes.Node if ($physicalNodes.Count -gt 1) { PDT_MigrationProtocol SMB { DependsOn = '[PDTService]VMMS' ComputerName = 'localhost' Protocol = 'SMB' MaximumLiveMigrations = 1 SmbLiveMigrationBandwidthBytesPerSecond = 750MB } } # This gets filled in with all the things that should be in their # desired state before the PDTNetIPv6 (below) is configured. Specifically, # the switches should be built, the switch extensions should be installed # and the vNICs should be built. $IPv6Dependencies = @() # Build all the internal and external switches that the Cloud Definition # calls for. Install the Azure Switch extension on exactly one switch. # If there are internal switches, pick that one. $extensionOnExternalSwitch = $true foreach ($switchName in $Node.InternalSwitchNames) { # Internal switches bind to no NICs. PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' SwitchType = 'Private' Name = $switchName } # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" $extensionOnExternalSwitch = $false } # VMSwitch ID must remain the same across host reimages (in P&U case), so MD5 hash of the host name # (which is not changed across host reimages) is used as GUID for the VMSwitch ID. $encoding = New-Object System.Text.UnicodeEncoding $hostNameBytes = $encoding.GetBytes($Node.NodeName.ToLower()) $memstream = New-Object System.IO.MemoryStream -ArgumentList @(100) try { $memstream.Write($hostNameBytes, 0, $hostNameBytes.Count) $memstream.Seek(0, [System.IO.SeekOrigin]::Begin) $hash = Get-FileHash -InputStream $memstream -Algorithm MD5 $vmswitchId = [Guid]::Parse($hash.Hash) } finally { if($memstream -ne $null) { $memstream.Close() } } $UnboundNICDependencies = @() foreach ($switchName in $Node.ExternalSwitchNames) { # Bind external switches to all NICs that go fast (at least 10Gb.) switch ($NicBindingCriteria.NetAdapterCriteriaType) { 'Speed' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName SwitchType = 'External' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue } } 'AdvancedProperty' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName Id = $vmswitchId SwitchType = 'External' NetAdapterCriteriaType = 'AdvancedProperty' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue LoadBalancingAlgorithm = 'HyperVPort' } } default { throw "Unhandled switch binding criteria $($NicBindingCriteria.NetAdapterCriteriaType)" } } # Record this as something that the unbound NICs rule depends on. $UnboundNICDependencies += "[PDTVMSwitch]$switchName" if ($extensionOnExternalSwitch) { # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" } else { $IPv6Dependencies += "[PDTVMSwitch]$switchName" } } # Enable IPv6 on all interfaces. (Should this depend on the NICs, not # the switches? Or is the point to do this before vNICs are built?) PDTNetIPv6 'IPv6' { DependsOn = $IPv6Dependencies ComputerName = 'localhost' } # Stop ISATAP. Not needed on stamp and groupthink says that it was # causing problems in some of our testing environments. PDTNetISATAP 'ISATAP' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' Ensure = 'Absent' } # Ensure that all NICs not in use for virtualization are disabled. # For One-Node, skip this step as it has been checked elsewhere that it has only active NIC. if(-not $Node.InternalSwitchNames) { PDTNetUnboundNIC 'DisableUnboundNICs' { DependsOn = $UnboundNICDependencies ComputerName = 'localhost' State = 'Disabled' } } # One-node deployments don't have a domain on the host. If there is # one, however, record the DNS suffix. if ($Node.DomainFQDN) { PDTNetGlobalDNS 'GlobalDNSSuffixes' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' SuffixList = $Node.DomainFQDN } } # This gets filled in with management OS NIC names $ManagementOSNicNames = @() # Set up the vNICs on the host. $RdmaNICs = @() $RdmaNICNames = @() $FirewallGroups = @{} foreach ($nicName in $Node.NicNames) { Write-Verbose "Creating vNIC $nicName on Node $($Node.NodeName)." # Create (or delete) the vNIC itself. if ([string]::IsNullOrEmpty($Node.("${nicName}MacAddress"))) { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") PriorityTag = 'On' } } else { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") MacAddress = $Node.("${nicName}MacAddress") PriorityTag = 'On' } } # Record these as VFP Firewall rules will depend on these. $ManagementOSNicNames += "[PDTVMNetworkAdapterManagementOS]$nicName" # If the vNIC above was being created, set RDMA state # and assign an IP address. if ($Node.("${nicName}Ensure") -ne 'Absent') { if ($Node.("${nicName}Rdma")) { Write-Verbose "VNIC $nicName is a RDMA NIC on Node $($Node.NodeName). Add it to RdmaNICs list." PDTNetAdapterRdma $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName } $RdmaNICs += "[PDTNetAdapterRdma]$nicName" $RdmaNICNames += "$nicName" } # In one-node host scenario, if the vNIC above was created with physical NIC's MAC address, the vNIC would get either # a DHCP IP address (if PNIC is using DHCP) or a static IP copied from the PNIC (if PNIC is using static IP). In either case, # there is no need to set the IP address explicitly again. # The "DoNotSetIPAddress" flag is only set to TRUE in one-node scenario. if (!$Node.("${nicName}DoNotSetIPAddress")) { $defGateway = $Node.("${nicName}IPv4DefaultGateway") $useDefaultGateway = $Node.("${nicName}UseDefaultGateway") if ($useDefaultGateway -eq $true) { Write-Verbose "VNIC $nicName is using default gateway $defGateway on Node $($Node.NodeName)." } else { Write-Verbose "VNIC $nicName is not using default gateway on Node $($Node.NodeName)." } $registerThisConnectionsAddress = $Node.("${nicName}RegisterThisConnectionsAddress") if ($useDefaultGateway -eq $true) { # this is to configure IP for HostNic which has default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DefaultGateway = $defGateway DnsRegistration = $registerThisConnectionsAddress } } else { # this is to configure IPs for Storage NICs which do not have default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DnsRegistration = $registerThisConnectionsAddress } } $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTNetIPAddress]$nicName" Profile = $netProfile Name = $nicName } } } else { $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" Profile = $netProfile Name = $nicName } } } $firewallRules = $Node.("${nicName}FirewallRules") foreach ($rule in $firewallRules) { $groupName = $rule.Group if (-not $FirewallGroups.$groupName) { $FirewallGroups.$groupName = New-Object PSObject -Property @{Enabled = $rule.Enabled; InterfaceAlias = @()} } $FirewallGroups.$groupName.InterfaceAlias += $nicName } } } # Set up the firewall rules for MCNP Proxy, depends on the Management OS Nic Write-Verbose "Setting firewall rules for MCNP proxy" xFirewall 'HostGAPlugin Proxy Rule (Inbound)' { Name = 'HostGAPlugin Proxy Rule (Inbound)' DisplayName = 'HostGAPlugin Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($hostGAPluginProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'WireServer Proxy Rule (Inbound)' { Name = 'WireServer Proxy Rule (Inbound)' DisplayName = 'WireServer Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($wireServerProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Outbound' { Name = 'Instance-Metadata-Server-Proxy-Outbound' DisplayName = 'Instance-Metadata-Server-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Inbound' { Name = 'Instance-Metadata-Server-Proxy-Inbound' DisplayName = 'Instance-Metadata-Server-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Outbound' { Name = 'GAR-Proxy-Outbound' DisplayName = 'GAR-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Inbound' { Name = 'GAR-Proxy-Inbound' DisplayName = 'GAR-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } # Make policies about which pNICs are used for RDMA via each vNIC. if ($RdmaNICs.Count -ne 0) { PDTNetRDMARoutes 'RDMARoutes' { Name = 'Storage*' DependsOn = $RdmaNICs Strategy = 'roundrobin' } } foreach ($group in $FirewallGroups.GetEnumerator()) { $depends = ($group.Value.InterfaceAlias | ForEach-Object {'[PDTVMNetworkAdapterManagementOS]' + $_}) if ($group.Value.Enabled) { $ensure = 'Present' } else { $ensure = 'Absent' } PDTNetFirewallGroup $group.Name { DependsOn = $depends Name = $group.Key InterfaceAlias = $group.Value.InterfaceAlias Ensure = $ensure } } # ASZ - No ASDK mode # Multi-node hosts are hatched already joined to a domain, so we can # add administrators here. # if ($physicalNodes.Count -gt 1) # { $firstPhysicalNode = $physicalNodes | Select-Object -First 1 $localAdmins = $firstPhysicalNode.LocalAdmins.Admin ASGroup 'LocalAdministrators' { DependsOn = $depends GroupName = 'Administrators' MembersToInclude = $localAdmins.Name } # } # In Multi-cluster scenario, the hosts' storage NICs should have static routes to other clusters' storage networks if (IsNetworkSchemaVersion2021($Parameters)) { Write-Verbose "This deployment is using network schema version 2021, which support multiple Scale Units." $localClusterId = $Node.RefClusterId Write-Verbose "Finding local storage network for cluster $($localClusterId) on Node $($Node.NodeName)." $localNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $localClusterId $localClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC1" $localClusterStorageNetwork = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorageNetworkName} if ($localClusterStorageNetwork) { Write-Verbose "Storage Network $localClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $localClusterStorageNetworkName was not found for Node $($Node.NodeName)." } Write-Verbose "Finding local storage2 network for cluster $($localClusterId) on Node $($Node.NodeName)." $localClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC2" $localClusterStorage2Network = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorage2NetworkName} if ($localClusterStorage2Network) { Write-Verbose "Storage2 Network $localClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $localClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $allOtherClusters = $Parameters.Roles["Cluster"].PublicConfiguration.Clusters.Node | Where-Object { $_.Id -ne $localClusterId } # for each additional SU, create two static routes for each storage VNIC on local cluster node, so that there will be 4 such routes per SU: # 1. To other SU's Storage network 1 via vNIC1's default gateway # 2. To other SU's Storage network 2 via vNIC1's default gateway # 3. To other SU's Storage network 1 via vNIC2's default gateway # 4. To other SU's Storage network 2 via vNIC2's default gateway foreach ($otherCluster in $allOtherClusters) { Write-Verbose "Finding storage network in cluster $($otherCluster.Name) for Node $($Node.NodeName)." $otherClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC1" $otherClusterNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $otherCluster.Name $otherClusterStorageNetwork = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorageNetworkName} if ($otherClusterStorageNetwork) { Write-Verbose "Storage Network $otherClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $otherClusterStorageNetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix = $otherClusterStorageNetwork.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage network $destinationPrefix for Node $($Node.NodeName)." $otherClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC2" $otherClusterStorage2Network = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorage2NetworkName} if ($otherClusterStorage2Network) { Write-Verbose "Storage2 Network $otherClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $otherClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix2 = $otherClusterStorage2Network.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage2 network $destinationPrefix2 for Node $($Node.NodeName)." foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $destinationPrefix via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix NextHop = $nextHop } Write-Verbose "Creating static route to $destinationPrefix2 via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix2" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix2 NextHop = $nextHop } } } } # This will increase the default WMI limit of 4096 WMI HandlesPerHost to 8192. # We believe this will avoid some of our WMI throttling errors and WMI service crashes WmiConfiguration 'WmiQuotaConfig' { ComputerName = "localhost" HandlesPerHost = 8192 } # When NAS cluster(s) integrated, the hosts' storage NICs should have static routes to the NAS storage networks # So that Blob data traffic can go through the storage NICs $nasClusters = $Parameters.Roles["NasCluster"].PublicConfiguration.NasClusters.Node foreach ($nasCluster in $nasClusters) { $nasName = $nasCluster.Name $nasStorageSubnet = $nasCluster.NasClusterNetworks.StorageNetwork.Subnet Write-Verbose "Found NasCluster:[$nasName], StorageSubnet:[$nasStorageSubnet]" -Verbose foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $nasStorageSubnet via NextHop $nextHop for NIC $rdmaNicName on Node $($Node.NodeName)." -Verbose if (-not $nasStorageSubnet -or -not $nextHop) { throw "Invalid static route parameter" } xRoute "$rdmaNicName-$nasStorageSubnet" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $nasStorageSubnet NextHop = $nextHop } } } } #> } } Export-ModuleMember -Function NewComputeBootstrapDscConfiguration # SIG # Begin signature block # MIIoRgYJKoZIhvcNAQcCoIIoNzCCKDMCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA8r8CITAWgNZWE # Etp9W1bjNkDQK+m/IlfAuyY72twfNKCCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGiYwghoiAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIBy1wPbtm7AyTmK2knX04Jlr # U65Oq7D79DJfEtR2yCovMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAipoT1r6KMLzpWRuwGxVts1EzjVy/MnvFbZG44N4YomUnoiiyRqf2Qmbt # PpjBJ9LNLRphpaUvcvYWSs1sD5JPKav7utPutazk3JqAh2itYtS8FQ4RWGFAPXXx # SWRT9D6CmBV2YXRVJLGZiutQEviXTQ+tVM61CQRNindLFirQTaUiGGekMqz4cxmy # o4UaO0/K1KSqn5MRU4gDsmof+pgLxLFLg4GEaoRSDdoxJPFOgpzZVYF8T/lnIR7Y # kba/YNd7DB6DRg/DikjvBD1lYIoBwPNAliRJZ6ewADJ4JcW63fe/ylws0551lUZ9 # ApESxjFEsD1EUX1Q7bMyupGzlY7t66GCF7AwghesBgorBgEEAYI3AwMBMYIXnDCC # F5gGCSqGSIb3DQEHAqCCF4kwgheFAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFaBgsq # hkiG9w0BCRABBKCCAUkEggFFMIIBQQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCBj4MsDaORTTHYqfwY0F2UkotL8pMC8rIY+jHlo9VZS8AIGZr3+UCU2 # GBMyMDI0MDgxOTE3Mjg1MS4wNjlaMASAAgH0oIHZpIHWMIHTMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl # bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVT # TjoyRDFBLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg # U2VydmljZaCCEf4wggcoMIIFEKADAgECAhMzAAAB/XP5aFrNDGHtAAEAAAH9MA0G # CSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u # MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp # b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTI0 # MDcyNTE4MzExNloXDTI1MTAyMjE4MzExNlowgdMxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9w # ZXJhdGlvbnMgTGltaXRlZDEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjJEMUEt # MDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoWWs+D+Ou4JjYnRHRedu # 0MTFYzNJEVPnILzc02R3qbnujvhZgkhp+p/lymYLzkQyG2zpxYceTjIF7HiQWbt6 # FW3ARkBrthJUz05ZnKpcF31lpUEb8gUXiD2xIpo8YM+SD0S+hTP1TCA/we38yZ3B # EtmZtcVnaLRp/Avsqg+5KI0Kw6TDJpKwTLl0VW0/23sKikeWDSnHQeTprO0zIm/b # tagSYm3V/8zXlfxy7s/EVFdSglHGsUq8EZupUO8XbHzz7tURyiD3kOxNnw5ox1eZ # X/c/XmW4H6b4yNmZF0wTZuw37yA1PJKOySSrXrWEh+H6++Wb6+1ltMCPoMJHUtPP # 3Cn0CNcNvrPyJtDacqjnITrLzrsHdOLqjsH229Zkvndk0IqxBDZgMoY+Ef7ffFRP # 2pPkrF1F9IcBkYz8hL+QjX+u4y4Uqq4UtT7VRnsqvR/x/+QLE0pcSEh/XE1w1fcp # 6Jmq8RnHEXikycMLN/a/KYxpSP3FfFbLZuf+qIryFL0gEDytapGn1ONjVkiKpVP2 # uqVIYj4ViCjy5pLUceMeqiKgYqhpmUHCE2WssLLhdQBHdpl28+k+ZY6m4dPFnEoG # cJHuMcIZnw4cOwixojROr+Nq71cJj7Q4L0XwPvuTHQt0oH7RKMQgmsy7CVD7v55d # OhdHXdYsyO69dAdK+nWlyYcCAwEAAaOCAUkwggFFMB0GA1UdDgQWBBTpDMXA4ZW8 # +yL2+3vA6RmU7oEKpDAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBf # BgNVHR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3Bz # L2NybC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmww # bAYIKwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29m # dC5jb20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0El # MjAyMDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUF # BwMIMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAY9hYX+T5AmCr # YGaH96TdR5T52/PNOG7ySYeopv4flnDWQLhBlravAg+pjlNv5XSXZrKGv8e4s5dJ # 5WdhfC9ywFQq4TmXnUevPXtlubZk+02BXK6/23hM0TSKs2KlhYiqzbRe8QbMfKXE # DtvMoHSZT7r+wI2IgjYQwka+3P9VXgERwu46/czz8IR/Zq+vO5523Jld6ssVuzs9 # uwIrJhfcYBj50mXWRBcMhzajLjWDgcih0DuykPcBpoTLlOL8LpXooqnr+QLYE4Bp # Uep3JySMYfPz2hfOL3g02WEfsOxp8ANbcdiqM31dm3vSheEkmjHA2zuM+Tgn4j5n # +Any7IODYQkIrNVhLdML09eu1dIPhp24lFtnWTYNaFTOfMqFa3Ab8KDKicmp0Ath # RNZVg0BPAL58+B0UcoBGKzS9jscwOTu1JmNlisOKkVUVkSJ5Fo/ctfDSPdCTVaIX # XF7l40k1cM/X2O0JdAS97T78lYjtw/PybuzX5shxBh/RqTPvCyAhIxBVKfN/hfs4 # CIoFaqWJ0r/8SB1CGsyyIcPfEgMo8ceq1w5Zo0JfnyFi6Guo+z3LPFl/exQaRubE # rsAUTfyBY5/5liyvjAgyDYnEB8vHO7c7Fg2tGd5hGgYs+AOoWx24+XcyxpUkAajD # hky9Dl+8JZTjts6BcT9sYTmOodk/SgIwggdxMIIFWaADAgECAhMzAAAAFcXna54C # m0mZAAAAAAAVMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UE # CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z # b2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZp # Y2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0yMTA5MzAxODIyMjVaFw0zMDA5MzAxODMy # MjVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIICIjANBgkqhkiG9w0B # AQEFAAOCAg8AMIICCgKCAgEA5OGmTOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51 # yMo1V/YBf2xK4OK9uT4XYDP/XE/HZveVU3Fa4n5KWv64NmeFRiMMtY0Tz3cywBAY # 6GB9alKDRLemjkZrBxTzxXb1hlDcwUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9 # cmmvHaus9ja+NSZk2pg7uhp7M62AW36MEBydUv626GIl3GoPz130/o5Tz9bshVZN # 7928jaTjkY+yOSxRnOlwaQ3KNi1wjjHINSi947SHJMPgyY9+tVSP3PoFVZhtaDua # Rr3tpK56KTesy+uDRedGbsoy1cCGMFxPLOJiss254o2I5JasAUq7vnGpF1tnYN74 # kpEeHT39IM9zfUGaRnXNxF803RKJ1v2lIH1+/NmeRd+2ci/bfV+AutuqfjbsNkz2 # K26oElHovwUDo9Fzpk03dJQcNIIP8BDyt0cY7afomXw/TNuvXsLz1dhzPUNOwTM5 # TI4CvEJoLhDqhFFG4tG9ahhaYQFzymeiXtcodgLiMxhy16cg8ML6EgrXY28MyTZk # i1ugpoMhXV8wdJGUlNi5UPkLiWHzNgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9Q # BXpsxREdcu+N+VLEhReTwDwV2xo3xwgVGD94q0W29R6HXtqPnhZyacaue7e3Pmri # Lq0CAwEAAaOCAd0wggHZMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUC # BBYEFCqnUv5kxJq+gpE8RjUpzxD/LwTuMB0GA1UdDgQWBBSfpxVdAF5iXYP05dJl # pxtTNRnpcjBcBgNVHSAEVTBTMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9y # eS5odG0wEwYDVR0lBAwwCgYIKwYBBQUHAwgwGQYJKwYBBAGCNxQCBAweCgBTAHUA # YgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU # 1fZWy4/oolxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2Ny # bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIw # MTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0w # Ni0yMy5jcnQwDQYJKoZIhvcNAQELBQADggIBAJ1VffwqreEsH2cBMSRb4Z5yS/yp # b+pcFLY+TkdkeLEGk5c9MTO1OdfCcTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulm # ZzpTTd2YurYeeNg2LpypglYAA7AFvonoaeC6Ce5732pvvinLbtg/SHUB2RjebYIM # 9W0jVOR4U3UkV7ndn/OOPcbzaN9l9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECW # OKz3+SmJw7wXsFSFQrP8DJ6LGYnn8AtqgcKBGUIZUnWKNsIdw2FzLixre24/LAl4 # FOmRsqlb30mjdAy87JGA0j3mSj5mO0+7hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3Uw # xTSwethQ/gpY3UA8x1RtnWN0SCyxTkctwRQEcb9k+SS+c23Kjgm9swFXSVRk2XPX # fx5bRAGOWhmRaw2fpCjcZxkoJLo4S5pu+yFUa2pFEUep8beuyOiJXk+d0tBMdrVX # VAmxaQFEfnyhYWxz/gq77EFmPWn9y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/AsGC # onsXHRWJjXD+57XQKBqJC4822rpM+Zv/Cuk0+CQ1ZyvgDbjmjJnW4SLq8CdCPSWU # 5nR0W2rRnj7tfqAxM328y+l7vzhwRNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEG # ahC0HVUzWLOhcGbyoYIDWTCCAkECAQEwggEBoYHZpIHWMIHTMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl # bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVT # TjoyRDFBLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg # U2VydmljZaIjCgEBMAcGBSsOAwIaAxUAoj0WtVVQUNSKoqtrjinRAsBUdoOggYMw # gYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD # VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQsF # AAIFAOptwpowIhgPMjAyNDA4MTkxMzA5NDZaGA8yMDI0MDgyMDEzMDk0NlowdzA9 # BgorBgEEAYRZCgQBMS8wLTAKAgUA6m3CmgIBADAKAgEAAgIBBQIB/zAHAgEAAgIU # AzAKAgUA6m8UGgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAow # CAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBCwUAA4IBAQBlrE0qVwPI # jfLU9lWi6mchjmAqn9Z+JXeI6Y71GjPDb+wFOhzHlPTZxx20TjLoJnJL2VRIsbFg # lAYF+AOJ9Qbu8YVDW2iTtRc06S8PruO3IZgRPEX3/s/AJ5vWSb9geiawtcs4S0gX # mPgDiaI5sQ36Ysaf78NNrym7VePWlidhoMt2ucSuzj/8uGQXEmgEYg8u3JJ2mCJG # Ojj3W6TozvBpfMH+7P4lchAb+ygHP/3SPP+TkA5PuTQNqsf0EcUjCTH4b4vCQDuQ # /epnt3zv1EkQGGpCYY6zVmjEVG2O9JknBd1Rq0610aqG6xVcDemBYwUCHijKcuF0 # URzSkeoXC6yYMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB # IDIwMTACEzMAAAH9c/loWs0MYe0AAQAAAf0wDQYJYIZIAWUDBAIBBQCgggFKMBoG # CSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgA01E0Pcy # Ht1kbaFSa4Cmw3tvfp5s88itT8JsPPMO/UEwgfoGCyqGSIb3DQEJEAIvMYHqMIHn # MIHkMIG9BCCAKEgNyUowvIfx/eDfYSupHkeF1p6GFwjKBs8lRB4NRzCBmDCBgKR+ # MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT # HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB/XP5aFrNDGHtAAEA # AAH9MCIEIHJryavxyRuPmraew0S4mZGMti5tYMMgOoOKOzqfhn0UMA0GCSqGSIb3 # DQEBCwUABIICAJpFG9n5qSaqr0i5PgRt3w8zmqyh0LsJdEN4INKRCa9pZO7eL13t # J829AZihf4IphJ1ASykVbc/pruEzDzb3SEaxY4V7ZIVguRrmfO02Vd9qPt/p93/p # rT4XKARRCHAOa5NuqhgcCHuZ+RJPXovS3Kq5dOKR0aajG0b1MVT6ynEiLnF2jYu/ # iNzugjjUJ7+QXSs+dMUza4kfTzWXX8kGViiVyNbFIFP8dY2VKliVej6yfRJ0M/ha # Ou9bpwaA1Vi+traVqo8J0wdFWtbY/X4GFX6uNkhOitI8SHlkoLsHyBc8l+dqucGA # pi8XkPw6qjoYWeLQ3kAb6rdQ8ZhLo0HUwCqXKqzJNIrmVzp9F2rJlAIGKO368wiu # BCmphe+I8pnNR25A9Z2bD8zS19fMMKk4piJOavgpffKxckAVsJaiwq5Gl+e2cDi6 # QeOA5ETgDuMc/51LGs/8RV2y2BMjemW0iC2M8Ximy3C65TrlLHaBA41hbxYOKRa2 # FMkZ0gMTNJ76y7y+xaykDI2t4bKoZt2HGieRBPxrT/AJgw7nLZxHDoD9C0jzwyS6 # hoBy89/jQwUhG5b1q35pOyfH+j89/H3qDSPV0GMdXRE/ARVOezLzwOINFy0U5xIu # /Z6kPfkN8Fos13d7EGMFg2xPGC0bQd3VA6m1dTD4muSVyVY0ajSFgE3D # SIG # End signature block |