Obs/bin/ObsDep/content/Powershell/Roles/Common/HostDscBootstrapConfig.psm1
<###################################################
# # # Copyright (c) Microsoft. All rights reserved. # # # ##################################################> Import-Module $PSScriptRoot\..\..\Common\NetworkHelpers.psm1 -DisableNameChecking -Verbose:$false | Out-Null Configuration NewComputeBootstrapDscConfiguration { Param ( [Parameter(Mandatory = $true)] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [System.String] $PsDscClient = 'localhost', [Parameter(Mandatory=$false)] [boolean] $EnableDataCenterBridging = $true, [Parameter(Mandatory=$true)] [hashtable] $NicBindingCriteria, [Parameter(Mandatory=$false)] [string] $IDNSProxyForwarders, [Parameter(Mandatory=$true)] [UInt64] $MinimumDiskBytes, [Parameter(Mandatory=$false)] [boolean] $DisableRemoteDesktop = $false ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName DSC.ProcessorPowerManagement Import-DscResource -ModuleName PDT.DSC.Networking Import-DscResource -ModuleName PDT.DSC.HyperV Import-DscResource -ModuleName PDT.DSC.Service Import-DscResource -ModuleName PDT.DSC.Utilities Import-DscResource -ModuleName PDT_MigrationProtocol Import-DscResource -ModuleName AS.Group Import-DscResource -ModuleName AS.DumpOnLargeHost Import-DscResource -ModuleName AS.WmiConfiguration Node $PsDscClient { # Workaround for the physical environment in the lab where WinRM has to be allowed on hosts at pre-deploy stage Log ASZHostDSCSkip { # DependsOn = '[PDTNetFirewallGroup]WinRM' Message = 'ASZ Host DSC Skipped' } <# # Enable the DSC Analytic log to capture verbose output of the configuration during bootstrap PDTEventLog 'DSCAnalytic' { LogName = 'Microsoft-Windows-DSC/Analytic' IsEnabled = $true MaximumSizeInBytes = [int]5Mb } # Allow Link Local Multicast Name Resolution through the # firewall, as lanmanserver needs it. PDTNetFirewallRule 'FPS-LLMNR-In-UDP' { Name = 'FPS-LLMNR-In-UDP' } #As part of the host hardening, we'll disable the following FW rules group PDTNetFirewallGroup 'AllJoyn Router' { Ensure = 'Absent' Name = 'AllJoyn Router' } PDTNetFirewallGroup 'mDNS' { Ensure = 'Absent' Name = 'mDNS' } #subset of CoreNet rules to be disabled PDTNetFirewallRule 'CoreNet-DHCPV6-In' { Ensure = 'Absent' Name = 'CoreNet-DHCPV6-In' } PDTNetFirewallRule 'CoreNet-Teredo-In' { Ensure = 'Absent' Name = 'CoreNet-Teredo-In' } PDTNetFirewallRule 'CoreNet-Teredo-Out' { Ensure = 'Absent' Name = 'CoreNet-Teredo-Out' } if ($DisableRemoteDesktop) { PDTNetFirewallGroup 'Remote Desktop Group' { Ensure = 'Absent' Name = 'Remote Desktop' } } # disable negative DNS cache # if a DNS query results in a negative response because the DNS server does not # have a record, by default the negative response is cached for 15 minutes # this disables the negative cache so the DNS client will be able to attempt # to resolve again - this will improve parallel steps where one step is expecting # another step to have created something in DNS Registry 'MaxNegativeCacheTtl' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' ValueName = 'MaxNegativeCacheTtl' ValueType = 'Dword' ValueData = '0' } # Setting Host/Infra identification for telemetry Registry 'VMType' { Key = 'HKLM:\SOFTWARE\Microsoft\Windows Azure' ValueName = 'VMType' ValueType = 'String' ValueData = 'AS-HOST' } # Wait for lanmanserver (SMB) to be fully available. Waiting # on this guarantees that a set of kernel- and user-mode services # are runnning and ready for use. PDTService lanmanserver { Name = 'lanmanserver' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Turn off deep power management states that reduce compute benchmark # performance. ProcessorPowerManagement C1Only { ComputerName = 'localhost' PowerScheme = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c' DeepestCState = 1 } # Enable dump on hosts that have a physical disk large enough to # handle the extra space needed. This will need a reboot to take # effect after initial deployment. Update will automatically add # this key on supported systems at image creation. ASDumpOnLargeHost DumpSettings { DependsOn = "[File]LiveKernelReportPathDirectoryCreation" Name = 'Dump Settings Dependent on Large Host' MinimumDiskBytes = $MinimumDiskBytes } # Ensure the LiveKernelReportsPath is created File LiveKernelReportPathDirectoryCreation { Type = 'Directory' DestinationPath = 'D:\AzureStack\LiveKernelReports' Ensure = "Present" } # Deploying a one-node host using an action plan involves setting # up that host without creating any virtual switches. This # DSC generation script will be handed a configuration which # has no switches and no vNICs. When setting anything else up, # there will be at least one external switch. if ($Node.ExternalSwitchNames.Count -ne 0) { if ($EnableDataCenterBridging) { PDTNetQosDcbxSetting 'Willing' { DependsOn = '[PDTService]lanmanserver' InterfaceAlias = 'Global' Willing = $false } # These next five ensure that SMB traffic and cluster heartbeat gets treated # with great respect by the switches. If you starve # storage and miss cluster heartbeat, the entire stamp can fall apart. PDTNetQosPolicyNetDirectPort 'SMBDirect' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'SMBDirect' NetDirectPort = 445 PriorityValue8021Action = $Node.NetQosPriority } PDTNetQosPolicyNetCluster 'Cluster' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Cluster' PriorityValue8021Action = 5 } PDTNetQosPolicyDefault 'Default' { DependsOn = '[PDTNetQosDcbxSetting]Willing' Name = 'Default' PriorityValue8021Action = 0 } PDTNetQosFlowControl 'FlowControl' { DependsOn = '[PDTNetQosPolicyNetDirectPort]SMBDirect' ComputerName = 'localhost' Priority = $Node.NetQosPriority } PDTNetQosTrafficClass 'SMBDirect' { DependsOn = @('[PDTNetQosPolicyNetDirectPort]SMBDirect','[PDTNetQosFlowControl]FlowControl') Name = 'SMBDirect' Algorithm = 'ETS' Priority = $Node.NetQosPriority BandwidthPercentage = 50 } PDTNetQosTrafficClass 'Cluster' { DependsOn = @('[PDTNetQosPolicyNetCluster]Cluster','[PDTNetQosFlowControl]FlowControl') Name = 'Cluster' Algorithm = 'ETS' Priority = 5 BandwidthPercentage = 2 } # This setting reserves space in Ethernet frames for network # virtualization metadata. PDTNetAdapterAdvancedProperty 'EncapOverhead' { DependsOn = '[PDTNetQosTrafficClass]SMBDirect' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*EncapOverhead' RegistryValue = 160 } # skip if it is virtual AzureStack $OEMRole = $Parameters.Roles["OEM"].PublicConfiguration $OEMModel = $OEMRole.PublicInfo.UpdatePackageManifest.UpdateInfo.Model if ($OEMModel -notmatch "Hyper-V") { PDTNetAdapterAdvancedProperty 'VirtualSwitchRSS' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = '*RssOnHostVPorts' RegistryValue = 1 } PDTNetAdapterAdvancedProperty 'DcbxMode' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' RegistryKeyword = 'DcbxMode' RegistryValue = 0 } } # Turn on Quality of Service. PDTNetAdapterQos 'Qos' { DependsOn = '[PDTNetAdapterAdvancedProperty]EncapOverhead' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = '10000000000' } } # Configure VFP Proxy settings Write-Verbose "Configure VFP Proxy settings on NCHostAgent" -Verbose $gatewayEndpoint = $Parameters.Roles["FabricRingServices"].PublicConfiguration.PublicInfo.RPCommonProperties.ServiceUri $gatewayUriBuilder = New-Object -TypeName System.UriBuilder -ArgumentList $gatewayEndpoint $gatewayPort = $gatewayUriBuilder.Port $gatewayUri = $gatewayUriBuilder.Uri.DnsSafeHost # VFP forwards to Gateway, use the Gateway port value for the services $imdsServiceAddress = '127.0.0.1' $garServiceAddress = $gatewayUri $wireServerServiceAddress = '127.0.0.1' $hostGAPluginServiceAddress = '127.0.0.1' $imdsServicePort = 80 $garServicePort = $gatewayPort $wireServerServicePort = 80 $hostGAPluginServicePort = 32526 # Proxy port values $imdsProxyPort = 15021 $garProxyPort = 15022 $wireServerProxyPort = 15023 $hostGAPluginProxyPort = 15025 Write-Verbose "Making IMDS proxied service registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerAddress' ValueData = $imdsServiceAddress } Registry 'Instance_Metadata_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServiceName' ValueData = 'IMDS' } Registry 'Instance_Metadata_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'Instance_Metadata_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'Instance_Metadata_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\c79d8d8d-bbb4-42ea-8a8f-a492efc40a94' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making GAR proxied service registry change for MCNP proxy" Registry 'GAR_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerAddress' ValueData = $garServiceAddress } Registry 'GAR_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServiceName' ValueData = 'gar' } Registry 'GAR_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $garServicePort } Registry 'GAR_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'GAR_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'ProxyProtocol' ValueData = 'HttpsNoTranslation' } Registry 'GAR_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\8585dd52-1752-4e61-9d8d-5a32dca4de14' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 1 } Write-Verbose "Making WireServer proxied service registry change for MCNP proxy" Registry 'WireServer_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerAddress' ValueData = $wireServerServiceAddress } Registry 'WireServer_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServiceName' ValueData = 'WireServer' } Registry 'WireServer_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $wireServerServicePort } Registry 'WireServer_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'WireServer_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'WireServer_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\b2eae9af-ad33-49cc-a831-20df5ad39159' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making HostGAPlugin proxied service registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Server_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerAddress' ValueData = $hostGAPluginServiceAddress } Registry 'HostGAPlugin_Service_Server_Name' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServiceName' ValueData = 'HostGAPlugin' } Registry 'HostGAPlugin_Service_Server_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ServerPort' ValueType = 'Dword' ValueData = $hostGaPluginServicePort } Registry 'HostGAPlugin_Service_Proxy_Listening_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Proxy_Listening_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyListeningAddress' ValueData = '0.0.0.0' } Registry 'HostGAPlugin_Service_Proxy_Protocol' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'ProxyProtocol' ValueData = 'Http' } Registry 'HostGAPlugin_Service_Enable_Client_Auth' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\ProxiedServices\f632621f-26cf-464e-9a02-1c66ff499b2b' ValueName = 'EnableClientAuth' ValueType = 'Dword' ValueData = 0 } Write-Verbose "Making IMDS infra services registry change for MCNP proxy" Registry 'Instance_Metadata_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'Port' ValueType = 'Dword' ValueData = $imdsServicePort } Registry 'Instance_Metadata_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $imdsProxyPort } Registry 'Instance_Metadata_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'Instance_Metadata_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service1' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making GAR infra services registry change for MCNP proxy" Registry 'GAR_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'Port' ValueType = 'Dword' ValueData = 81 } Registry 'GAR_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $garProxyPort } Registry 'GAR_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'IP' ValueData = '169.254.169.254' } Registry 'GAR_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\Service2' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making WireServer infra services registry change for MCNP proxy" Registry 'WireServer_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'Port' ValueType = 'Dword' ValueData = 80 } Registry 'WireServer_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $wireServerProxyPort } Registry 'WireServer_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'WireServer_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\WireServer' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } Write-Verbose "Making HostGAPlugin infra services registry change for MCNP proxy" Registry 'HostGAPlugin_Service_Infra_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'Port' ValueType = 'Dword' ValueData = $hostGAPluginServicePort } Registry 'HostGAPlugin_Service_Infra_Proxy_Port' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'ProxyPort' ValueType = 'Dword' ValueData = $hostGAPluginProxyPort } Registry 'HostGAPlugin_Service_Infra_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'IP' ValueData = '168.63.129.16' } Registry 'HostGAPlugin_Service_Infra_MAC_Address' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\HostGAPlugin' ValueName = 'MAC' ValueData = '22-22-22-22-22-22' } # Enabling Windows Error Reporting to create user mode dumps on Host Registry 'Host_Application_LocalDump_DumpType' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpType' ValueType = 'Dword' ValueData = 1 } Registry 'Host_Application_LocalDump_DumpFolder' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpFolder' ValueType = 'ExpandString' ValueData = 'D:\AzureStack\CrashDumps' } Registry 'Host_Application_LocalDump_DumpCount' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' ValueName = 'DumpCount' ValueType = 'Dword' ValueData = 1 } # Disable SMB1 in registry, so that Get-SmbServerConfiguration won't report it as active Registry 'SMB1' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' ValueName = 'SMB1' ValueType = 'DWORD' ValueData = '0' } Registry 'RefsScrubNoOplock' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' ValueName = 'RefsScrubNoOplock' ValueType = 'DWORD' ValueData = '1' } Registry 'VSwitchDHCP_LeaseDuration' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'LeaseTime' ValueType = 'DWORD' ValueData = '0xFFFFFFFF' Force = $true Hex = $true } Registry 'VSwitchDHCP_Broadcast' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'IPv4Broadcast' ValueType = 'DWORD' ValueData = '1' Force = $true } Registry 'VSwitchDHCP_Option245WireServer' { Ensure = "Present" Key = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcHostAgent\Parameters\Plugins\VSwitch\DHCPResponder' ValueName = 'Option245WireServer' ValueType = 'String' ValueData = '168.63.129.16' Force = $true } # Win2021 will have these values by default # Revert back when Win2021 is released with Azure Stack Registry 'Host_PtNicDropLowResourcesPackets' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'PtNicDropLowResourcesPackets' ValueType = 'DWORD' ValueData = '1' } Registry 'Host_MaxVrssQueueAllocatedMBytes' { Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VmSmp\Parameters' ValueName = 'MaxVrssQueueAllocatedMBytes' ValueType = 'DWORD' ValueData = '16' } # Set the NCHostAgent service to start automatically and # run in its own process. PDTService 'NCHostAgent' { Name = 'NCHostAgent' StartupType = 'Automatic' State = 'Running' Type = 'own' DependsOn = ` @( '[Registry]Instance_Metadata_Service_Server_Address' '[Registry]Instance_Metadata_Service_Server_Name' '[Registry]Instance_Metadata_Service_Server_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Port' '[Registry]Instance_Metadata_Service_Proxy_Listening_Address' '[Registry]Instance_Metadata_Service_Proxy_Protocol' '[Registry]Instance_Metadata_Service_Enable_Client_Auth' '[Registry]GAR_Service_Server_Address' '[Registry]GAR_Service_Server_Name' '[Registry]GAR_Service_Server_Port' '[Registry]GAR_Service_Proxy_Listening_Port' '[Registry]GAR_Service_Proxy_Listening_Address' '[Registry]GAR_Service_Proxy_Protocol' '[Registry]GAR_Service_Enable_Client_Auth' '[Registry]WireServer_Service_Server_Address' '[Registry]WireServer_Service_Server_Name' '[Registry]WireServer_Service_Server_Port' '[Registry]WireServer_Service_Proxy_Listening_Port' '[Registry]WireServer_Service_Proxy_Listening_Address' '[Registry]WireServer_Service_Proxy_Protocol' '[Registry]WireServer_Service_Enable_Client_Auth' '[Registry]HostGAPlugin_Service_Server_Address' '[Registry]HostGAPlugin_Service_Server_Name' '[Registry]HostGAPlugin_Service_Server_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Port' '[Registry]HostGAPlugin_Service_Proxy_Listening_Address' '[Registry]HostGAPlugin_Service_Proxy_Protocol' '[Registry]HostGAPlugin_Service_Enable_Client_Auth' '[Registry]Instance_Metadata_Service_Infra_Port' '[Registry]Instance_Metadata_Service_Infra_Proxy_Port' '[Registry]Instance_Metadata_Service_Infra_Address' '[Registry]Instance_Metadata_Service_Infra_MAC_Address' '[Registry]GAR_Service_Infra_Port' '[Registry]GAR_Service_Infra_Proxy_Port' '[Registry]GAR_Service_Infra_Address' '[Registry]GAR_Service_Infra_MAC_Address' '[Registry]WireServer_Service_Infra_Port' '[Registry]WireServer_Service_Infra_Proxy_Port' '[Registry]WireServer_Service_Infra_Address' '[Registry]WireServer_Service_Infra_MAC_Address' '[Registry]HostGAPlugin_Service_Infra_Port' '[Registry]HostGAPlugin_Service_Infra_Proxy_Port' '[Registry]HostGAPlugin_Service_Infra_Address' '[Registry]HostGAPlugin_Service_Infra_MAC_Address' '[Registry]VSwitchDHCP_LeaseDuration' '[Registry]VSwitchDHCP_Broadcast' '[Registry]VSwitchDHCP_Option245WireServer' ) } # DNS forwarders Registry 'DNSProxy_Forwarders' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSProxy\Parameters" ValueName = "Forwarders" ValueData = $IDNSProxyForwarders } # Start DnsProxy service and make it automatic Write-Verbose "Start DnsProxy service and make it automatic" -Verbose PDTService 'DnsProxy' { Name = 'DnsProxy' StartupType = 'Automatic' State = 'Running' Type = 'own' SkipIfNotFound = $true # This service is in RS1 but not in RS5, so set this to true to skip configuration on RS5. DependsOn = @('[PDTService]NCHostAgent', '[Registry]DNSProxy_Forwarders') } # DNS Proxy Service - Port and ProxyPort $idnsPort = 53 # DNS Proxy service port Registry 'DNSProxyService_Port' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "Port" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service proxy port Registry 'DNSProxyService_ProxyPort' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "ProxyPort" ValueType = "Dword" ValueData = $idnsPort DependsOn = '[PDTService]NCHostAgent' } # DNS IP Address $cloudRole = $Parameters.Roles["Cloud"].PublicConfiguration $dnsIPAddress = $cloudRole.PublicInfo.NetworkConfiguration.iDNS.Endpoint # If the value is not defined, assign it a predefined value if (-not $dnsIPAddress) { $dnsIPAddress = "168.63.129.16" } # DNS Proxy service IP Address Registry 'DNSProxyService_IP' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "IP" ValueData = $dnsIPAddress DependsOn = '[PDTService]NCHostAgent' } # DNS Proxy service MAC $dnsProxyServiceMAC = "22-22-22-22-22-22" #A random mac address used to redirect the dns traffic, applied through vfp rules. These rules are created by the NCHostagent on reading the registry. Registry 'DNSProxyService_MAC' { Ensure = "Present" Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService" ValueName = "MAC" ValueData = $dnsProxyServiceMAC DependsOn = '[PDTService]NCHostAgent' } # Comment out this config for now. This firewall group is basically the same as the 4 firewall rules below combined. # Once switching to RS5, the 4 firewall rules should be removed and use this firewall group instead. # PDTNetFirewallGroup 'DNS Proxy Firewall' # { # Ensure = 'Present' # Name = 'DNS Proxy Firewall' # } # Enable some firewall rules needed by DNSProxy service PDTNetFirewallRule 'DnsProxy-TCP-In' { Name = 'DnsProxy-TCP-In' } PDTNetFirewallRule 'DnsProxy-UDP-In' { Name = 'DnsProxy-UDP-In' } PDTNetFirewallRule 'DnsProxy-TCP-Out' { Name = 'DnsProxy-TCP-Out' } PDTNetFirewallRule 'DnsProxy-UDP-Out' { Name = 'DnsProxy-UDP-Out' } # Wait for the Virtual Machine Management Service (VMMS) to start # before calling into it to create virtual switches. PDTService VMMS { Name = 'VMMS' StartupType = 'Automatic' State = 'Running' Type = 'default' } # Specify that VM live migrations should be performed using the SMB # protocol. Live migration configuration is only relevant for multi-node configurations. $physicalNodes = $Parameters.Roles["BareMetal"].PublicConfiguration.Nodes.Node if ($physicalNodes.Count -gt 1) { PDT_MigrationProtocol SMB { DependsOn = '[PDTService]VMMS' ComputerName = 'localhost' Protocol = 'SMB' MaximumLiveMigrations = 1 SmbLiveMigrationBandwidthBytesPerSecond = 750MB } } # This gets filled in with all the things that should be in their # desired state before the PDTNetIPv6 (below) is configured. Specifically, # the switches should be built, the switch extensions should be installed # and the vNICs should be built. $IPv6Dependencies = @() # Build all the internal and external switches that the Cloud Definition # calls for. Install the Azure Switch extension on exactly one switch. # If there are internal switches, pick that one. $extensionOnExternalSwitch = $true foreach ($switchName in $Node.InternalSwitchNames) { # Internal switches bind to no NICs. PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' SwitchType = 'Private' Name = $switchName } # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" $extensionOnExternalSwitch = $false } # VMSwitch ID must remain the same across host reimages (in P&U case), so MD5 hash of the host name # (which is not changed across host reimages) is used as GUID for the VMSwitch ID. $encoding = New-Object System.Text.UnicodeEncoding $hostNameBytes = $encoding.GetBytes($Node.NodeName.ToLower()) $memstream = New-Object System.IO.MemoryStream -ArgumentList @(100) try { $memstream.Write($hostNameBytes, 0, $hostNameBytes.Count) $memstream.Seek(0, [System.IO.SeekOrigin]::Begin) $hash = Get-FileHash -InputStream $memstream -Algorithm MD5 $vmswitchId = [Guid]::Parse($hash.Hash) } finally { if($memstream -ne $null) { $memstream.Close() } } $UnboundNICDependencies = @() foreach ($switchName in $Node.ExternalSwitchNames) { # Bind external switches to all NICs that go fast (at least 10Gb.) switch ($NicBindingCriteria.NetAdapterCriteriaType) { 'Speed' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName SwitchType = 'External' NetAdapterCriteriaType = 'Speed' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue } } 'AdvancedProperty' { PDTVMSwitch $switchName { DependsOn = '[PDTService]VMMS' Name = $switchName Id = $vmswitchId SwitchType = 'External' NetAdapterCriteriaType = 'AdvancedProperty' NetAdapterCriteriaValue = $NicBindingCriteria.NetAdapterCriteriaValue LoadBalancingAlgorithm = 'HyperVPort' } } default { throw "Unhandled switch binding criteria $($NicBindingCriteria.NetAdapterCriteriaType)" } } # Record this as something that the unbound NICs rule depends on. $UnboundNICDependencies += "[PDTVMSwitch]$switchName" if ($extensionOnExternalSwitch) { # Disable the wfp switch extension as it is not required for software # defined networking $wfpSwitchExtensionRuleName = "WFP-$switchName" PDTVMSwitchExtension $wfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Windows Filtering Platform' VMSwitchName = $switchName Ensure = "Absent" } # Add the switch extension that allows Software Defined Networking # in Azure environments. $vfpSwitchExtensionRuleName = "VFP-$switchName" PDTVMSwitchExtension $vfpSwitchExtensionRuleName { DependsOn = "[PDTVMSwitch]$switchName" Name = 'Microsoft Azure VFP Switch Extension' VMSwitchName = $switchName } # Record these as something that IPv6 will depend on. $IPv6Dependencies += "[PDTVMSwitchExtension]$wfpSwitchExtensionRuleName" $IPv6Dependencies += "[PDTVMSwitchExtension]$vfpSwitchExtensionRuleName" } else { $IPv6Dependencies += "[PDTVMSwitch]$switchName" } } # Enable IPv6 on all interfaces. (Should this depend on the NICs, not # the switches? Or is the point to do this before vNICs are built?) PDTNetIPv6 'IPv6' { DependsOn = $IPv6Dependencies ComputerName = 'localhost' } # Stop ISATAP. Not needed on stamp and groupthink says that it was # causing problems in some of our testing environments. PDTNetISATAP 'ISATAP' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' Ensure = 'Absent' } # Ensure that all NICs not in use for virtualization are disabled. # For One-Node, skip this step as it has been checked elsewhere that it has only active NIC. if(-not $Node.InternalSwitchNames) { PDTNetUnboundNIC 'DisableUnboundNICs' { DependsOn = $UnboundNICDependencies ComputerName = 'localhost' State = 'Disabled' } } # One-node deployments don't have a domain on the host. If there is # one, however, record the DNS suffix. if ($Node.DomainFQDN) { PDTNetGlobalDNS 'GlobalDNSSuffixes' { DependsOn = '[PDTNetIPv6]IPv6' ComputerName = 'localhost' SuffixList = $Node.DomainFQDN } } # This gets filled in with management OS NIC names $ManagementOSNicNames = @() # Set up the vNICs on the host. $RdmaNICs = @() $RdmaNICNames = @() $FirewallGroups = @{} foreach ($nicName in $Node.NicNames) { Write-Verbose "Creating vNIC $nicName on Node $($Node.NodeName)." # Create (or delete) the vNIC itself. if ([string]::IsNullOrEmpty($Node.("${nicName}MacAddress"))) { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") PriorityTag = 'On' } } else { PDTVMNetworkAdapterManagementOS $nicName { DependsOn = ` @( '[PDTNetIPv6]IPv6' '[PDTService]VMMS' ) Name = $nicName SwitchName = $Node.("${nicName}SwitchName") VlanId = $Node.("${nicName}VlanId") Ensure = $Node.("${nicName}Ensure") MacAddress = $Node.("${nicName}MacAddress") PriorityTag = 'On' } } # Record these as VFP Firewall rules will depend on these. $ManagementOSNicNames += "[PDTVMNetworkAdapterManagementOS]$nicName" # If the vNIC above was being created, set RDMA state # and assign an IP address. if ($Node.("${nicName}Ensure") -ne 'Absent') { if ($Node.("${nicName}Rdma")) { Write-Verbose "VNIC $nicName is a RDMA NIC on Node $($Node.NodeName). Add it to RdmaNICs list." PDTNetAdapterRdma $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName } $RdmaNICs += "[PDTNetAdapterRdma]$nicName" $RdmaNICNames += "$nicName" } # In one-node host scenario, if the vNIC above was created with physical NIC's MAC address, the vNIC would get either # a DHCP IP address (if PNIC is using DHCP) or a static IP copied from the PNIC (if PNIC is using static IP). In either case, # there is no need to set the IP address explicitly again. # The "DoNotSetIPAddress" flag is only set to TRUE in one-node scenario. if (!$Node.("${nicName}DoNotSetIPAddress")) { $defGateway = $Node.("${nicName}IPv4DefaultGateway") $useDefaultGateway = $Node.("${nicName}UseDefaultGateway") if ($useDefaultGateway -eq $true) { Write-Verbose "VNIC $nicName is using default gateway $defGateway on Node $($Node.NodeName)." } else { Write-Verbose "VNIC $nicName is not using default gateway on Node $($Node.NodeName)." } $registerThisConnectionsAddress = $Node.("${nicName}RegisterThisConnectionsAddress") if ($useDefaultGateway -eq $true) { # this is to configure IP for HostNic which has default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DefaultGateway = $defGateway DnsRegistration = $registerThisConnectionsAddress } } else { # this is to configure IPs for Storage NICs which do not have default gateway PDTNetIPAddress $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" NetAdapterCriteriaType = 'Name' NetAdapterCriteriaValue = $nicName IPAddress = $Node.("${nicName}IPv4Address") PrefixLength = $Node.("${nicName}IPv4PrefixLength") DNSServers = $Node.DNSServers DnsRegistration = $registerThisConnectionsAddress } } $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTNetIPAddress]$nicName" Profile = $netProfile Name = $nicName } } } else { $netProfile = $Node.("${nicName}NetConnectionProfile") if ($netProfile) { PDTNetConnectionProfile $nicName { DependsOn = "[PDTVMNetworkAdapterManagementOS]$nicName" Profile = $netProfile Name = $nicName } } } $firewallRules = $Node.("${nicName}FirewallRules") foreach ($rule in $firewallRules) { $groupName = $rule.Group if (-not $FirewallGroups.$groupName) { $FirewallGroups.$groupName = New-Object PSObject -Property @{Enabled = $rule.Enabled; InterfaceAlias = @()} } $FirewallGroups.$groupName.InterfaceAlias += $nicName } } } # Set up the firewall rules for MCNP Proxy, depends on the Management OS Nic Write-Verbose "Setting firewall rules for MCNP proxy" xFirewall 'HostGAPlugin Proxy Rule (Inbound)' { Name = 'HostGAPlugin Proxy Rule (Inbound)' DisplayName = 'HostGAPlugin Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($hostGAPluginProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'WireServer Proxy Rule (Inbound)' { Name = 'WireServer Proxy Rule (Inbound)' DisplayName = 'WireServer Proxy Rule (Inbound)' Direction = 'InBound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($wireServerProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Outbound' { Name = 'Instance-Metadata-Server-Proxy-Outbound' DisplayName = 'Instance-Metadata-Server-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'Instance-Metadata-Server-Proxy-Inbound' { Name = 'Instance-Metadata-Server-Proxy-Inbound' DisplayName = 'Instance-Metadata-Server-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($imdsProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Outbound' { Name = 'GAR-Proxy-Outbound' DisplayName = 'GAR-Proxy-Outbound' Direction = 'Outbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } xFirewall 'GAR-Proxy-Inbound' { Name = 'GAR-Proxy-Inbound' DisplayName = 'GAR-Proxy-Inbound' Direction = 'Inbound' Access = 'Allow' Protocol = 'TCP' LocalPort = @($garProxyPort) DependsOn = $ManagementOSNicNames } # Make policies about which pNICs are used for RDMA via each vNIC. if ($RdmaNICs.Count -ne 0) { PDTNetRDMARoutes 'RDMARoutes' { Name = 'Storage*' DependsOn = $RdmaNICs Strategy = 'roundrobin' } } foreach ($group in $FirewallGroups.GetEnumerator()) { $depends = ($group.Value.InterfaceAlias | ForEach-Object {'[PDTVMNetworkAdapterManagementOS]' + $_}) if ($group.Value.Enabled) { $ensure = 'Present' } else { $ensure = 'Absent' } PDTNetFirewallGroup $group.Name { DependsOn = $depends Name = $group.Key InterfaceAlias = $group.Value.InterfaceAlias Ensure = $ensure } } # ASZ - No ASDK mode # Multi-node hosts are hatched already joined to a domain, so we can # add administrators here. # if ($physicalNodes.Count -gt 1) # { $firstPhysicalNode = $physicalNodes | Select-Object -First 1 $localAdmins = $firstPhysicalNode.LocalAdmins.Admin ASGroup 'LocalAdministrators' { DependsOn = $depends GroupName = 'Administrators' MembersToInclude = $localAdmins.Name } # } # In Multi-cluster scenario, the hosts' storage NICs should have static routes to other clusters' storage networks if (IsNetworkSchemaVersion2021($Parameters)) { Write-Verbose "This deployment is using network schema version 2021, which support multiple Scale Units." $localClusterId = $Node.RefClusterId Write-Verbose "Finding local storage network for cluster $($localClusterId) on Node $($Node.NodeName)." $localNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $localClusterId $localClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC1" $localClusterStorageNetwork = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorageNetworkName} if ($localClusterStorageNetwork) { Write-Verbose "Storage Network $localClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $localClusterStorageNetworkName was not found for Node $($Node.NodeName)." } Write-Verbose "Finding local storage2 network for cluster $($localClusterId) on Node $($Node.NodeName)." $localClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $localClusterId -NetworkName "DC2" $localClusterStorage2Network = $localNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $localClusterStorage2NetworkName} if ($localClusterStorage2Network) { Write-Verbose "Storage2 Network $localClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $localClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $allOtherClusters = $Parameters.Roles["Cluster"].PublicConfiguration.Clusters.Node | Where-Object { $_.Id -ne $localClusterId } # for each additional SU, create two static routes for each storage VNIC on local cluster node, so that there will be 4 such routes per SU: # 1. To other SU's Storage network 1 via vNIC1's default gateway # 2. To other SU's Storage network 2 via vNIC1's default gateway # 3. To other SU's Storage network 1 via vNIC2's default gateway # 4. To other SU's Storage network 2 via vNIC2's default gateway foreach ($otherCluster in $allOtherClusters) { Write-Verbose "Finding storage network in cluster $($otherCluster.Name) for Node $($Node.NodeName)." $otherClusterStorageNetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC1" $otherClusterNetworkDefinition = Get-NetworkDefinitionForCluster -Parameters $Parameters -ClusterName $otherCluster.Name $otherClusterStorageNetwork = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorageNetworkName} if ($otherClusterStorageNetwork) { Write-Verbose "Storage Network $otherClusterStorageNetworkName was found for Node $($Node.NodeName)." } else { throw "Storage network $otherClusterStorageNetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix = $otherClusterStorageNetwork.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage network $destinationPrefix for Node $($Node.NodeName)." $otherClusterStorage2NetworkName = Get-NetworkNameForCluster -ClusterName $otherCluster.Name -NetworkName "DC2" $otherClusterStorage2Network = $otherClusterNetworkDefinition.Networks.Network | Where-Object {$_.Id -eq $otherClusterStorage2NetworkName} if ($otherClusterStorage2Network) { Write-Verbose "Storage2 Network $otherClusterStorage2NetworkName was found for Node $($Node.NodeName)." } else { throw "Storage2 network $otherClusterStorage2NetworkName was not found for Node $($Node.NodeName)." } $destinationPrefix2 = $otherClusterStorage2Network.IPv4.Subnet Write-Verbose "Found cluster $($otherCluster.Name) storage2 network $destinationPrefix2 for Node $($Node.NodeName)." foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $destinationPrefix via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix NextHop = $nextHop } Write-Verbose "Creating static route to $destinationPrefix2 via NextHop $nexthop for NIC $rdmaNicName on Node $($Node.NodeName)." xRoute "$rdmaNicName-$destinationPrefix2" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $destinationPrefix2 NextHop = $nextHop } } } } # This will increase the default WMI limit of 4096 WMI HandlesPerHost to 8192. # We believe this will avoid some of our WMI throttling errors and WMI service crashes WmiConfiguration 'WmiQuotaConfig' { ComputerName = "localhost" HandlesPerHost = 8192 } # When NAS cluster(s) integrated, the hosts' storage NICs should have static routes to the NAS storage networks # So that Blob data traffic can go through the storage NICs $nasClusters = $Parameters.Roles["NasCluster"].PublicConfiguration.NasClusters.Node foreach ($nasCluster in $nasClusters) { $nasName = $nasCluster.Name $nasStorageSubnet = $nasCluster.NasClusterNetworks.StorageNetwork.Subnet Write-Verbose "Found NasCluster:[$nasName], StorageSubnet:[$nasStorageSubnet]" -Verbose foreach ($rdmaNicName in $RdmaNICNames) { $nexthop = $Node.("${rdmaNicName}IPv4DefaultGateway") Write-Verbose "Creating static route to $nasStorageSubnet via NextHop $nextHop for NIC $rdmaNicName on Node $($Node.NodeName)." -Verbose if (-not $nasStorageSubnet -or -not $nextHop) { throw "Invalid static route parameter" } xRoute "$rdmaNicName-$nasStorageSubnet" { DependsOn = $RdmaNICs HyperVNetworkAdapterName = $rdmaNicName AddressFamily = "IPv4" DestinationPrefix = $nasStorageSubnet NextHop = $nextHop } } } } #> } } Export-ModuleMember -Function NewComputeBootstrapDscConfiguration # SIG # Begin signature block # MIInvwYJKoZIhvcNAQcCoIInsDCCJ6wCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDmFCyiASpkQQ42 # 7UjzkweDZpTBLQz8ff+ygPosqgc6aaCCDXYwggX0MIID3KADAgECAhMzAAADTrU8 # esGEb+srAAAAAANOMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMwMzE2MTg0MzI5WhcNMjQwMzE0MTg0MzI5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDdCKiNI6IBFWuvJUmf6WdOJqZmIwYs5G7AJD5UbcL6tsC+EBPDbr36pFGo1bsU # p53nRyFYnncoMg8FK0d8jLlw0lgexDDr7gicf2zOBFWqfv/nSLwzJFNP5W03DF/1 # 1oZ12rSFqGlm+O46cRjTDFBpMRCZZGddZlRBjivby0eI1VgTD1TvAdfBYQe82fhm # WQkYR/lWmAK+vW/1+bO7jHaxXTNCxLIBW07F8PBjUcwFxxyfbe2mHB4h1L4U0Ofa # +HX/aREQ7SqYZz59sXM2ySOfvYyIjnqSO80NGBaz5DvzIG88J0+BNhOu2jl6Dfcq # jYQs1H/PMSQIK6E7lXDXSpXzAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUnMc7Zn/ukKBsBiWkwdNfsN5pdwAw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMDUxNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAD21v9pHoLdBSNlFAjmk # mx4XxOZAPsVxxXbDyQv1+kGDe9XpgBnT1lXnx7JDpFMKBwAyIwdInmvhK9pGBa31 # TyeL3p7R2s0L8SABPPRJHAEk4NHpBXxHjm4TKjezAbSqqbgsy10Y7KApy+9UrKa2 # kGmsuASsk95PVm5vem7OmTs42vm0BJUU+JPQLg8Y/sdj3TtSfLYYZAaJwTAIgi7d # hzn5hatLo7Dhz+4T+MrFd+6LUa2U3zr97QwzDthx+RP9/RZnur4inzSQsG5DCVIM # pA1l2NWEA3KAca0tI2l6hQNYsaKL1kefdfHCrPxEry8onJjyGGv9YKoLv6AOO7Oh # JEmbQlz/xksYG2N/JSOJ+QqYpGTEuYFYVWain7He6jgb41JbpOGKDdE/b+V2q/gX # UgFe2gdwTpCDsvh8SMRoq1/BNXcr7iTAU38Vgr83iVtPYmFhZOVM0ULp/kKTVoir # IpP2KCxT4OekOctt8grYnhJ16QMjmMv5o53hjNFXOxigkQWYzUO+6w50g0FAeFa8 # 5ugCCB6lXEk21FFB1FdIHpjSQf+LP/W2OV/HfhC3uTPgKbRtXo83TZYEudooyZ/A # Vu08sibZ3MkGOJORLERNwKm2G7oqdOv4Qj8Z0JrGgMzj46NFKAxkLSpE5oHQYP1H # tPx1lPfD7iNSbJsP6LiUHXH1MIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGZ8wghmbAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAANOtTx6wYRv6ysAAAAAA04wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIPqjjog4gM+uXz+LWS1sg/2b # A5C7PfmGL8UIwSvh3t6iMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAs2FU6ZzKQMuJPtwI8ld9jC3EDTLwm2GXD46/BnJCSuvcfCYjqsJKtB8w # Xume/77uLojExLytlnC5E06k1byGtKV4ZoPVOP/l9DTdOOqyhze2szjW1G9zbdFU # V+hahrPe5/ljR+jUNCDHK0tr2YPrvxLNlc/ealfRZpnvT5c/Agzw6uVOWc+Jv/Uj # 3sqkCnqUWEb+IlZroC87FRQaJ9H8I4R/UAeDVLzyvyAOxVxRz0aNnFMuLyemggUT # 5YJh8njM9r2qnTobvEveCb6cTXJYN9xC8PyORT8qF1YLmog28Nw9SewQcTlybNwW # wjxZ90Wu9K0uMT/o9/H5jaKpLYKSK6GCFykwghclBgorBgEEAYI3AwMBMYIXFTCC # FxEGCSqGSIb3DQEHAqCCFwIwghb+AgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFZBgsq # hkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCCBpZTTmIn7CRoyGt6E6y8q5SeHAC6E4DTPQGFeIq3ARQIGZMmKewpc # GBMyMDIzMDgwMzA4MjEwNy4wMDlaMASAAgH0oIHYpIHVMIHSMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl # bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNO # OjhENDEtNEJGNy1CM0I3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNloIIReDCCBycwggUPoAMCAQICEzMAAAGz/iXOKRsbihwAAQAAAbMwDQYJ # KoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcNMjIw # OTIwMjAyMjAzWhcNMjMxMjE0MjAyMjAzWjCB0jELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxhbmQgT3Bl # cmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjo4RDQxLTRC # RjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCC # AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALR8D7rmGICuLLBggrK9je3h # JSpc9CTwbra/4Kb2eu5DZR6oCgFtCbigMuMcY31QlHr/3kuWhHJ05n4+t377PHon # dDDbz/dU+q/NfXSKr1pwU2OLylY0sw531VZ1sWAdyD2EQCEzTdLD4KJbC6wmACon # iJBAqvhDyXxJ0Nuvlk74rdVEvribsDZxzClWEa4v62ENj/HyiCUX3MZGnY/AhDya # zfpchDWoP6cJgNCSXmHV9XsJgXJ4l+AYAgaqAvN8N+EpN+0TErCgFOfwZV21cg7v # genOV48gmG/EMf0LvRAeirxPUu+jNB3JSFbW1WU8Z5xsLEoNle35icdET+G3wDNm # cSXlQYs4t94IWR541+PsUTkq0kmdP4/1O4GD54ZsJ5eUnLaawXOxxT1fgbWb9VRg # 1Z4aspWpuL5gFwHa8UNMRxsKffor6qrXVVQ1OdJOS1JlevhpZlssSCVDodMc30I3 # fWezny6tNOofpfaPrtwJ0ukXcLD1yT+89u4uQB/rqUK6J7HpkNu0fR5M5xGtOch9 # nyncO9alorxDfiEdb6zeqtCfcbo46u+/rfsslcGSuJFzlwENnU+vQ+JJ6jJRUrB+ # mr51zWUMiWTLDVmhLd66//Da/YBjA0Bi0hcYuO/WctfWk/3x87ALbtqHAbk6i1cJ # 8a2coieuj+9BASSjuXkBAgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQU0BpdwlFnUgwY # izhIIf9eBdyfw40wHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYD # VR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9j # cmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwG # CCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIw # MjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcD # CDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAFqGuzfOsAm4wAJf # ERmJgWW0tNLLPk6VYj53+hBmUICsqGgj9oXNNatgCq+jHt03EiTzVhxteKWOLoTM # x39cCcUJgDOQIH+GjuyjYVVdOCa9Fx6lI690/OBZFlz2DDuLpUBuo//v3e4Kns41 # 2mO3A6mDQkndxeJSsdBSbkKqccB7TC/muFOhzg39mfijGICc1kZziJE/6HdKCF8p # 9+vs1yGUR5uzkIo+68q/n5kNt33hdaQ234VEh0wPSE+dCgpKRqfxgYsBT/5tXa3e # 8TXyJlVoG9jwXBrKnSQb4+k19jHVB3wVUflnuANJRI9azWwqYFKDbZWkfQ8tpNoF # fKKFRHbWomcodP1bVn7kKWUCTA8YG2RlTBtvrs3CqY3mADTJUig4ckN/MG6AIr8Q # +ACmKBEm4OFpOcZMX0cxasopdgxM9aSdBusaJfZ3Itl3vC5C3RE97uURsVB2pvC+ # CnjFtt/PkY71l9UTHzUCO++M4hSGSzkfu+yBhXMGeBZqLXl9cffgYPcnRFjQT97G # b/bg4ssLIFuNJNNAJub+IvxhomRrtWuB4SN935oMfvG5cEeZ7eyYpBZ4DbkvN44Z # vER0EHRakL2xb1rrsj7c8I+auEqYztUpDnuq6BxpBIUAlF3UDJ0SMG5xqW/9hLMW # naJCvIerEWTFm64jthAi0BDMwnCwMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJ # mQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNh # dGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1 # WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEB # BQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjK # NVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhg # fWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJp # rx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/d # vI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka9 # 7aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKR # Hh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9itu # qBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyO # ArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItb # oKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6 # bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6t # AgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQW # BBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacb # UzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYz # aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnku # aHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIA # QwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2 # VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwu # bWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEw # LTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93 # d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt # MjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/q # XBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6 # U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVt # I1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis # 9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTp # kbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0 # sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138e # W0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJ # sWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7 # Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0 # dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQ # tB1VM1izoXBm8qGCAtQwggI9AgEBMIIBAKGB2KSB1TCB0jELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxh # bmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjo4 # RDQxLTRCRjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy # dmljZaIjCgEBMAcGBSsOAwIaAxUAcYtE6JbdHhKlwkJeKoCV1JIkDmGggYMwgYCk # fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF # AOh1WlYwIhgPMjAyMzA4MDMwNjQyMzBaGA8yMDIzMDgwNDA2NDIzMFowdDA6Bgor # BgEEAYRZCgQBMSwwKjAKAgUA6HVaVgIBADAHAgEAAgIhfDAHAgEAAgIVwzAKAgUA # 6Har1gIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAID # B6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAFNPJasblHYtMWpbDWh3 # Ti7S/zUXN3xSGMoyf/tPnY91WzbTWChClrIZMjdCtD960bg3IPdvemfpuGLYFmh3 # ji3o0625aH5vnk28E0Iz2ERW2U70Rf+ZIbgNxIelAVXXghfMw+UN4O2FEdq4szY5 # 5xwJaJ7nDGl2Q4KDrSVr5aAZMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt # U3RhbXAgUENBIDIwMTACEzMAAAGz/iXOKRsbihwAAQAAAbMwDQYJYIZIAWUDBAIB # BQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQx # IgQgteZA3D1kvgwJCMC67NP7mZhDK8iRqBjwgrpyLaj8Uu4wgfoGCyqGSIb3DQEJ # EAIvMYHqMIHnMIHkMIG9BCCGoTPVKhDSB7ZG0zJQZUM2jk/ll1zJGh6KOhn76k+/ # QjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABs/4l # zikbG4ocAAEAAAGzMCIEIETylqyW4GfyewUmEWdFqjUbqnCfTLToMzXLeQn2MHLg # MA0GCSqGSIb3DQEBCwUABIICAHUjFIEn6upr3DMKcdz0gV5Kt07jpngc5e4n1OJI # dvK41YEduTAHKh3LJbqEd51mLHplTFGT5vCptBmfqI5dtHwUDuVLvmBjE+PkXHIG # 4kXLsJIapqkuh/rNFblqDW0VjLQ0me7QDgjvrGXRTkYKVlaxDZW7/vJzpoqhBeZO # mfeiUPAEL9WmnBPlVRVF21G9sKdAtImbcAwn66wMNWmqPflkfoD3058k+zqCLjjh # yNOlzXv5CPpo+gyq8pRZ48Fhgqoobbn2z4MFRSPgISWVAr7XG7KJg8XEBswqQrLB # XEWqSXeI392Njf0WTkw8Js/6scX2WzjDxymBt8jaCxIFoQrbLlaQ8060Ovk25OvA # qi+GM74lMfzEQZCBEl8EEBllUFxs69Nij0RFqzA+A8NW5gtv86Mcdk8jwvmAALoo # SB4uX8qUQfMG70q3OI3KE+R12YbNZ+c6kgkqF0IHsPgIjR3uMY19yIE38UJT/27M # hYeaygCgGYl2h/mi/SBo4Rd/mDVBAbQeCj5xNiv0C9dMshzFy3Y6JVcVjh1oySSN # PbHvFxTN9haxfN6P/2nk+bOFNu9mv7cqkhIJwk+Vd8kKcF1J81V5vCtYhQCUr8wT # 7N+v9z1h9iGTRHXJAR3HYovl/fLo4CXQtqBFoxEc8wQWCUIJcqoCiT4MEkzjyloO # wNjJ # SIG # End signature block |