.. _Creating SSH-Enabled Templates:

Creating SSH-Enabled Templates
------------------------------

To be able to connect to a virtual machine via SSH, you need to prepare a VM template (or a boot volume for Windows VMs) before creating a VM from it. The steps you need to perform to prepare the VM template differ depending on the guest operating system and are described in the sections below.

Creating SSH-Enabled Linux Templates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As all Linux guests have OpenSSH Server pre-installed by default, you only need to make sure a Linux template has cloud-init installed.

The easiest way to get a Linux template with cloud-init installed is to build one with the ``diskimage-builder`` tool. For more information, refer to :ref:`Creating Linux Templates`.

Creating SSH-Enabled Windows Templates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows guests have neither OpenSSH Server nor Cloudbase-Init pre-installed by default. You need to install and configure them manually as follows:

#. Upload the Windows distribution ISO image. For example:

   ::

      # vinfra service compute image create windows10-image --os-distro win10 --file <path_to_image>

   where

   - ``windows10-image`` is the name of a new image.
   - ``win10`` is the OS distribution. To list available distributions, run ``vinfra service compute show``.

#. Create a VM from the ISO image. For example: 

   ::

      # vinfra service compute server create windows10-vm --flavor medium --network public \
      --volume source=blank,size=64,boot-index=0,type=disk \
      --volume source=image,id=windows10-image,size=5,boot-index=1,type=cdrom

   .. note:: Round up the size of volumes to be created from images. E.g., if the OS distribution image is 4.9 GB, use size=5.

   where

   - ``windows10-vm`` is the name of a new VM.
   - The first volume is a blank virtual HDD. 
   - The second volume is the OS distribution image ``windows10-image`` added to the compute cluster in step 1.
   - The ``boot-index`` parameter is used to specify the correct boot order.

#. Log in to the VM and install the guest OS using the built-in VNC console.

#. Create a new administrator account that will be used for SSH connections and log in with it. 

   .. important:: You will be able to log in with this account only using the key authentication method.

#. Install and configure OpenSSH Server as follows:

   #. Run Windows PowerShell with administrator privileges and set the execution policy to unrestricted to be able to run scripts:

      ::

         > Set-ExecutionPolicy Unrestricted

   #. Download OpenSSH Server (for example, from the `GitHub repository <https://github.com/PowerShell/Win32-OpenSSH/releases/>`__), extract the ZIP archive into the ``C:/Program Files`` directory, and install it by running:

      ::

         > & 'C:/Program Files/OpenSSH-Win64/install-sshd.ps1'

   #. Start the **OpenSSH SSH Server** service in the **Control Panel** > **System and Security** > **Administrative Tools** > **Services** and set its startup type to **Automatic**:

      .. image:: /images/win_guests_ssh1.png
         :align: center
         :class: align-center

   #. Open TCP port 22 for the OpenSSH service in the Windows Firewall:

      ::

         > New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound \
         -Action Allow -DisplayName OpenSSH

   #. Open the ``C:\ProgramData\ssh\sshd_config`` file:

      ::

         > notepad 'C:\ProgramData\ssh\sshd_config'

      Comment out the following lines at the end of the file:

      ::

         #Match Group administrators
         #AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

      And save the changes.

   #. Create the ``.ssh`` directory in ``C:\Users\<current_user>`` and an empty ``authorized_keys`` file inside it:

      ::

         > cd C:\Users\<current_user>
         > mkdir .ssh
         > notepad .ssh\authorized_keys

      The created file will have the ``.txt`` extension. To remove it, run:

      ::

         > move .\.ssh\authorized_keys.txt .\.ssh\authorized_keys

   #. Modify the permissions for the created file to disable inheritance as follows:

      ::

         > icacls .ssh\authorized_keys /inheritance:r

#. Download Cloudbase-Init (for example, from the `official site <https://cloudbase.it/cloudbase-init>`__) and launch the installation: 

   #. In the **Configuration options** window, enter the name of the current user in the **Username** field and deselect the checkbox **Use metadata password**:

   .. image:: /images/win_guests_ssh2.png
      :align: center
      :class: align-center

   #. When the installation is complete, select the following checkboxes:

   .. image:: /images/win_guests_ssh3.png
      :align: center
      :class: align-center

   #. Click **Finish**.

After the VM shuts down, you can either

- delete it to make its boot volume available for creating new VMs from it or

- convert the VM boot volume to a template (see the section "Creating Images from Volumes" in the *Administrator's Guide*).