This topic describes how to use the tool Stembuild to create a Windows stemcell for BOSH, for use by Tanzu Kubernetes Grid Integrated Edition (TKGI) on vSphere.
A BOSH stemcell is a versioned operating system image.
You must create a BOSH stemcell for Windows before you can deploy Windows workers in Kubernetes clusters using Tanzu Kubernetes Grid Integrated Edition on vSphere.
Stembuild is a binary that you use to build BOSH stemcells for Windows Server 2019.
Stembuild creates a BOSH stemcell from a base Windows image. The Stembuild CLI has two commands, construct and package, which you run against a Windows Server 2019 VM. These commands are used to create a stemcell in Construct and Package the BOSH Stemcell below.
To create a Windows stemcell for vSphere, you create a base Windows VM from a volume-licensed ISO and subsequently maintain that base template with all Windows-recommended security updates, but without the BOSH dependencies.
The Windows VM with security updates serves as the base for all future stemcells produced from clones of that base VM. This enables you to build new stemcells without having to run Windows updates from scratch each time. You can also use a “snapshot” feature to maintain an updated Windows image that does not contain the BOSH dependencies.
VMware recommends installing any available critical updates and then rebuilding the stemcell from a clone of the original VM.
The BOSH stemcell that you create in this topic is based on Windows Server 2019. If you already have a BOSH stemcell for Windows on vSphere, see Monthly Stemcell Upgrades below.
For more information, see Best Practices for Stembuild for Tanzu Application Service & Tanzu Kubernetes Grid Integrated Edition in VMware Tanzu Tech Tutorials.
To construct, package and upload a BOSH Stemcell for Windows to TKGI, complete the following:
Before you create a BOSH Windows stemcell for Tanzu Kubernetes Grid Integrated Edition on vSphere, you must have:
A vSphere environment. To ensure the VM hardware used by the stemcell is compatible with your deployment environment’s ESXi/ESX host and vCenter Server versions, see ESXi/ESX hosts and compatible virtual machine hardware versions list (2007240) in the VMware Knowledge Base.
An ISO for a Windows Server 2019 Server Core installation, build number: 17763, from Microsoft Developer Network (MSDN) or Microsoft Volume Licensing Service Center (VLSC). The Windows Server 2019 ISO must be a clean, base ISO file. You can use an evaluation copy for testing, but VMware does not recommend an evaluation copy for production because the licensing expires. For more information, see the Windows Server documentation or the Microsoft Volume Licensing Service Center website.
Note: A clean ISO file has no custom scripts or tooling. For example, the ISO must have no logging or antivirus tools installed.
Download the following from Stemcells (Windows) on Broadcom Support:
The stembuild command line interface (CLI) from a 2019.x release. Refer to Product Snapshot in Release Notes for the compatible version of each to download.
Microsoft Local Group Policy Object Utility (LGPO), downloaded to the same folder as your stembuild CLI.
The minimum vCenter user privileges required to use stembuild for vSphere stemcells, specifically:
VirtualMachine.GuestOperations.Modify
VirtualMachine.GuestOperations.Execute
VirtualMachine.GuestOperations.Query
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Interact.SetCDMedia
VApp.Export
System.Anonymous*
System.Read*
System.View*
*Privileges marked with an * are generated upon creating a new user in vCenter and cannot be set within the vCenter UI.
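The privilege list above is the whole of what stembuild needs, so the vCenter account it runs as should have exactly that and nothing more. The following PowerCLI script is an added example (not part of the Stembuild or TKGI documentation) that builds a dedicated role from those privilege IDs, resolves each ID against the server so a typo fails instead of silently producing a weaker role, and scopes the permission to the VM folder that holds the stemcell base VM rather than to the whole vCenter. The vCenter hostname, role name, service account and folder name are placeholders you would replace; the System.Anonymous, System.Read and System.View privileges are not requested because vSphere includes them in every role automatically.

```powershell
# Added example: least-privilege vCenter role for stembuild (VMware PowerCLI).
# Assumes the VMware.PowerCLI module is installed. All names below are placeholders.
Import-Module VMware.PowerCLI -ErrorAction Stop

$VCenter    = 'vcenter.example.com'           # assumed vCenter host
$RoleName   = 'stembuild-operator'            # assumed role name
$Principal  = 'VSPHERE.LOCAL\svc-stembuild'   # assumed dedicated service account
$FolderName = 'stembuild'                     # assumed VM folder holding the base VM and its clones

# Privilege IDs from the prerequisites. System.* privileges are implicit in every role.
$PrivilegeIds = @(
    'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.GuestOperations.Query',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Interact.SetCDMedia',
    'VApp.Export'
)

Connect-VIServer -Server $VCenter -ErrorAction Stop | Out-Null

# Resolve each ID on the server; an unknown ID throws rather than being dropped.
$Privileges = foreach ($id in $PrivilegeIds) {
    $p = Get-VIPrivilege -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { throw "Privilege '$id' not found on $VCenter" }
    $p
}

# Create the role, or reconcile an existing one by adding only what is missing.
$Role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $Role) {
    $Role = New-VIRole -Name $RoleName -Privilege $Privileges
} else {
    $missing = $Privileges | Where-Object { $Role.PrivilegeList -notcontains $_.Id }
    if ($missing) { $Role = Set-VIRole -Role $Role -AddPrivilege $missing }
}

# Grant the role on the stemcell folder only, propagating so cloned VMs inherit it.
$Entity = Get-Folder -Name $FolderName -Type VM -ErrorAction Stop
New-VIPermission -Entity $Entity -Principal $Principal -Role $Role -Propagate:$true | Out-Null

# Show what the account ended up with, for review before handing it to stembuild.
Get-VIPermission -Principal $Principal | Select-Object Entity, Role, Propagate
```

Connect-VIServer prompts for credentials when none are passed; pass -Credential with a PSCredential if you run this non-interactively, and use an administrator account for this step only, never the stembuild service account itself.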
Before using Stembuild to create a stemcell, you need to create a Windows Server 2019 VM and update the VM with the latest Windows updates.
Warning: VMware recommends that you build your stemcell with kubernetes-csi-proxy
v1.1.3 or later to avoid the Kubernetes CVE: CVE-2023-3893. For more information, see CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation #119594 in the Kubernetes GitHub repository.
To create and update a base Windows VM, follow these procedures in the TAS for VMs [Windows] documentation, in order:
By default, VMware Tools prevents worker node VM Ethernet adapter information from being exposed on Windows clusters. You must ensure this Ethernet adapter information is exposed on your Windows base OS image to avoid the oVM.Guest.Net Error on Windows Clusters issue on your Windows clusters.
To ensure Ethernet adapter information is exposed on worker node VMs:
Verify that Ethernet adapter information on worker node VMs is already exposed:
Run ipconfig.
Review the output for vEthernet Ethernet adapters.
If no vEthernet Ethernet adapter is present, Ethernet adapter information on worker node VMs is not exposed in this environment.
If Ethernet adapter information is not exposed on worker node VMs:
Copy C:\ProgramData\VMware\VMware Tools\tools.conf.example to C:\ProgramData\VMware\VMware Tools\tools.conf.
Open tools.conf.
Add the following to the configuration:
exclude-nics=""
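The check-and-fix above is easy to get subtly wrong by hand (a stray commented-out exclude-nics line in the copied example file, or the key placed outside the section VMware Tools reads). The following PowerShell script is an added example, not code from the original page, that performs the same procedure on a worker VM: it tests for a vEthernet adapter with Get-NetAdapter instead of reading ipconfig output, creates tools.conf from tools.conf.example if it does not exist, leaves exactly one exclude-nics="" entry, and restarts VMware Tools so the setting takes effect. It assumes the adapter prefix to look for is vEthernet* and that the key belongs under the [guestinfo] section of tools.conf, which is where VMware Tools reads it; the service name VMTools is the Windows service name for VMware Tools.

```powershell
# Added example: expose vEthernet adapters to VMware Tools on a Windows worker VM.
# Run as Administrator inside the VM. Assumes the [guestinfo] section holds exclude-nics.
$ToolsDir    = 'C:\ProgramData\VMware\VMware Tools'
$ExampleConf = Join-Path $ToolsDir 'tools.conf.example'
$Conf        = Join-Path $ToolsDir 'tools.conf'

function Test-VEthernetExposed {
    # Same test as scanning ipconfig for a "vEthernet" adapter heading.
    $adapters = Get-NetAdapter -Name 'vEthernet*' -ErrorAction SilentlyContinue
    return [bool]$adapters
}

function Set-ToolsConfExcludeNics {
    param([string]$Path, [string]$ExamplePath)

    if (-not (Test-Path $Path)) {
        if (-not (Test-Path $ExamplePath)) { throw "Neither $Path nor $ExamplePath exists" }
        Copy-Item -Path $ExamplePath -Destination $Path
    }

    # Force array semantics so a one-line file still indexes as lines, not characters.
    $lines = @(Get-Content -Path $Path)

    # Drop every existing exclude-nics line, including commented-out ones from the
    # shipped example, so exactly one authoritative setting remains afterwards.
    $lines = @($lines | Where-Object { $_ -notmatch '^\s*#?\s*exclude-nics\s*=' })

    # Locate the [guestinfo] section header (assumed section for this key); append it if absent.
    $trimmed = @($lines | ForEach-Object { $_.Trim() })
    $sectionIndex = [array]::IndexOf($trimmed, '[guestinfo]')
    if ($sectionIndex -lt 0) {
        $lines += '[guestinfo]'
        $sectionIndex = $lines.Count - 1
    }

    # Insert the setting immediately after the section header.
    $before = @($lines[0..$sectionIndex])
    $after  = if ($sectionIndex -lt $lines.Count - 1) { @($lines[($sectionIndex + 1)..($lines.Count - 1)]) } else { @() }
    $newLines = $before + 'exclude-nics=""' + $after
    Set-Content -Path $Path -Value $newLines -Encoding ASCII
}

if (Test-VEthernetExposed) {
    Write-Host 'vEthernet adapter present; Ethernet adapter information is already exposed.'
} else {
    Write-Host 'No vEthernet adapter found; writing exclude-nics="" to tools.conf.'
    Set-ToolsConfExcludeNics -Path $Conf -ExamplePath $ExampleConf
    Restart-Service -Name VMTools   # VMware Tools service; re-reads tools.conf on start
}

# Show the resulting setting so the change can be reviewed before the VM is cloned.
Select-String -Path $Conf -Pattern '^\s*\[guestinfo\]|^\s*exclude-nics' | ForEach-Object { $_.Line }
```

Because the base VM is the template for every later stemcell, make this change on the base VM (or its snapshot) before running stembuild construct, so every clone inherits it and you do not have to repeat the edit after each monthly rebuild.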
To create, configure, and package a BOSH Stemcell, follow these procedures, in order:
To ensure your BOSH Windows stemcell can work properly, confirm the stemcell does not have any hidden devices:
Check whether the VM has hidden devices (network devices whose status is Unknown are ghosts left behind by removed or replaced adapters):
Get-PnpDevice -Class net | ? Status -eq Unknown
If there are hidden devices, clean up those devices (run from an elevated PowerShell session):
# Collect every ghost network device and strip its registry entry so the name it held is released
$Devs = Get-PnpDevice -Class net | ? Status -eq Unknown
ForEach ($Dev in $Devs) {
Write-Host "Removing $($Dev.FriendlyName)" -ForegroundColor Cyan
$RemoveKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\$($Dev.InstanceId)"
# Remove each value under the device's Enum key; -Verbose logs what is deleted
Get-Item $RemoveKey | Select-Object -ExpandProperty Property | %{ Remove-ItemProperty -Path $RemoveKey -Name $_ -Verbose }
}
Power off the target VM.
Note: The ovs-windows job requires a VM with a net-adapter named Ethernet0. Remove hidden devices from the target VM to ensure the Ethernet0 net-adapter name is not taken before the ovs-windows job starts.
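The cleanup loop above removes ghost devices, but it does not tell you whether the name Ethernet0 is actually free: Windows keeps network connection names in the registry keyed by interface GUID, so a ghost NIC can still hold the name after it has vanished from Get-NetAdapter, and the next adapter then comes up as Ethernet1 and the ovs-windows job cannot find its adapter. The following script is an added example, not part of the original documentation, that acts as a gate before you power off the VM for packaging: it lists remaining Unknown-status network devices, checks that a present adapter is named Ethernet0, and looks for stale connection entries that hold that name without a present adapter behind them. It assumes the expected adapter name is Ethernet0 and that it runs as Administrator inside the target VM; the network class GUID in the registry path is the standard Windows network adapter class.

```powershell
# Added example: pre-packaging readiness check for hidden NICs and the Ethernet0 name.
# Assumptions: expected adapter name Ethernet0; run elevated inside the target VM.
$ExpectedAdapterName = 'Ethernet0'

function Get-HiddenNetDevice {
    # Ghost (non-present) devices report Status "Unknown"; PresentOnly:$false includes them.
    Get-PnpDevice -Class Net -PresentOnly:$false -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Unknown' }
}

function Get-StaleConnectionName {
    param([string]$AdapterName)
    # Connection names live under the network adapter class key, one subkey per interface GUID.
    $netClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    $presentGuids = @((Get-NetAdapter -ErrorAction SilentlyContinue).InterfaceGuid)
    Get-ChildItem -Path $netClass -ErrorAction SilentlyContinue | ForEach-Object {
        $connPath = Join-Path $_.PSPath 'Connection'
        $conn = Get-ItemProperty -Path $connPath -ErrorAction SilentlyContinue
        # A Connection key holding the name whose GUID is not a present adapter is stale.
        if ($conn -and $conn.Name -eq $AdapterName -and ($presentGuids -notcontains $_.PSChildName)) {
            $_.PSChildName
        }
    }
}

function Test-StemcellNetReadiness {
    param([string]$AdapterName = $ExpectedAdapterName)

    $hidden  = @(Get-HiddenNetDevice)
    $present = Get-NetAdapter -Name $AdapterName -ErrorAction SilentlyContinue
    $stale   = @(Get-StaleConnectionName -AdapterName $AdapterName)

    [pscustomobject]@{
        HiddenNetDevices    = $hidden.Count
        HiddenInstanceIds   = @($hidden | ForEach-Object { $_.InstanceId })
        ExpectedNamePresent = [bool]$present
        StaleNameEntries    = $stale
        Ready               = ($hidden.Count -eq 0) -and [bool]$present -and ($stale.Count -eq 0)
    }
}

$result = Test-StemcellNetReadiness
$result | Format-List

if (-not $result.Ready) {
    Write-Warning "VM is not ready for packaging: remove the hidden devices and stale '$ExpectedAdapterName' entries listed above, reboot, and re-run this check."
    exit 1
}
Write-Host "No hidden network devices; '$ExpectedAdapterName' is held by a present adapter. Safe to power off and package."
```

Run this after the cleanup loop and a reboot, and treat a non-zero exit as a hard stop: a stemcell packaged with a stale Ethernet0 binding produces worker nodes that fail only once the ovs-windows job starts, which is far more expensive to diagnose than re-cloning the base VM.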
To update Ops Manager with the new BOSH Windows stemcell:
Open Ops Manager.
Navigate to the Stemcell Library.
Replace the existing stemcell in the Ops Manager stemcell library with your new updated stemcell.
Deploy the TKGI tile.
gMSA: If your Windows worker clusters authenticate users via a group Managed Service Account (gMSA) in Microsoft AD, manually reboot its worker nodes as described in the known issue GMSA authentication failures after stemcell upgrade.
Microsoft typically releases Windows updates with security patches on the second Tuesday of each month.
After each Microsoft Windows security update, update your BOSH stemcell by following these procedures, in order:
Configure the Base VM in the TAS for VMs [Windows] documentation.
For known issues with stemcell creation, see Known Issues in the TAS for VMs [Windows] documentation.