So, this summer there was a conversation on Twitter about reverse imaging of a Provisioning Services (PVS) image. Given my interest in automation, I naturally asked, "why not just rebuild the image instead? It will save you a lot of headaches." Several of the responses in the conversation argued that often a reverse image was the way to go because of time pressure. So in this article, I will go through some of the pros and cons from my point of view in both scenarios.
Some Background Information
What is PVS? PVS is a technology that streams Windows Server and Desktop images from a VHD(x) located on a file share (or on the PVS server itself) out to target devices that don't have an operating system installed. One of the great benefits of this technology is that the VHD file can be a read-only disk (this is how it is mostly used), so the target device returns to the desired state after a reboot. The VHD files can also be in read/write mode, but this is mostly used for implementing changes to the image and then promoting the VHD into a read-only production VHD. Below you can see how PVS is normally used.
The picture below shows the standard lifecycle for a VHD used in PVS. The workflows for new software and for updates to existing software are pretty much the same, so I have only created the one workflow.
A bit of a "fun" fact is that you can actually use PVS for streaming non-Citrix servers as well, so if you, for instance, want to deploy 100 IIS servers that run exactly the same software and settings, you can create the image with PVS and push it to 100 virtual machines. There are some licensing issues to take into account here, but it can be done, and in some sense this technology is a lot like containers.
What is it that we want to do?
The purpose of a reverse image is to update hypervisor tools and sometimes the PVS target device software as well. The reason to update the hypervisor tools can be security patches or added functionality. The hypervisor vendor also recommends that the tools in the virtual machine are at the same level as the hypervisor itself. Sometimes you can justify not installing the latest tools if you are at the same release level and the newly added feature isn't needed in your installation, but when it comes to security patches, it is always recommended to get the tools upgraded.
In a standard virtual machine, upgrading hypervisor tools isn't an issue, because it is just a standard software installation followed by a reboot. But in a PVS scenario, updating the tools means you are updating the software that also contains the drivers for storage, network, graphics and so on. Upgrading those drivers cuts the connection between the target device and the PVS server, and that results in a bluescreen on the VM.
Now, I also mentioned the PVS target device software and this is mostly legacy, because Citrix added an option in PVS 7.6 update 1 that allows you to upgrade the target device software on a maintenance version of your vDisk. I have seen some issues with this still, but the process should work in most cases.
There are quite a few ways to do the reverse image. The ones I have used previously are listed below, with links to guides others have created.
Using direct boot from NFS share: https://support.citrix.com/article/CTX137253
Using NFS storage and rename image VHD to VM VHD: https://support.citrix.com/article/CTX123395
Using BCDEDIT and boot from VHD to Windows Server 2012 R2: http://www.carlstalhood.com/pvs-update-vdisk/#reverseimagebcdedit
As you can see, I have used several different ways of reverse imaging XenApp/XenDesktop images. The reason for this isn't that I just like to try something new, but that none of the ways to do it works every time in my experience. Reverse imaging is quite cumbersome and not a fun job at all, but it can be necessary to do so, and I will write more about that in the conclusion.
Rebuilding an image is basically taking an ISO for the operating system of your choice and clicking next-next-finish and so on. When the operating system is installed, you need to install all your applications and then patch everything installed. The last part is to install the PVS target device software and capture the image into a VHD file that will be placed on a file share or on the PVS server itself. I personally like to automate this process with Microsoft Deployment Toolkit and have every application I need to install as a package that will install silently. A really good source for automating all sorts of software is www.xenappblog.com / www.xenapptraining.com, which is run by Citrix CTP Trond Eirik Haavarstein.
To be honest, there is not one path that can be chosen as the correct way of upgrading hypervisor tools. I strongly believe that rebuilding the image is the most reliable and secure way of upgrading the tools, and it adds something more to the solution than reverse imaging. If you choose to go the path of rebuilding your images, it requires you to have control of all the software that is needed in an image. This may sound simple, but in reality it is far from what is seen in a lot of places. The basic idea that you have all the installation files and the knowledge about how to install them is often missing, and the most frequent cause of this is that employees and external vendors have each installed a piece of software in the image. They might not have documented the installation or left the installation files so that it can be done again in the same way. Missing software and installation guides are the very reason why reverse imaging even exists, in my opinion. It isn't something anyone wants to do, but they are forced to do it until they can get all the pieces of the image gathered and then do a rebuild. When you have all the pieces of an image, the rebuild itself will often be a lot faster than doing the reverse imaging. For instance, I recently did a Windows 10 image with about 10 apps in it, and it only took 25 mins to install the OS with all applications and capture it into a VHD file. Those 25 mins will be A LOT faster than doing a reverse image to update the tools.
You can also compare the reverse image vs. rebuild to having a 3-year-old PC that has never been reinstalled. Now, would you want to keep adding and removing software and updates to this PC or would you want to reinstall it completely and only have the software you need on it freshly installed?
So my final conclusion is: get in control of the application portfolio that you run at your company or at your customers'. When you have control of the apps, you not only have the option to rebuild on-prem, but you can also choose to deploy images in any private or public cloud of your desire. When you automate your installations you also document at the same time, because the scripts and settings you use when automating explain what needs to be done, and this information can be found by current and future employees and also by any 3rd party consultants that might be there to help out.
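One way to check whether an image is actually under control before committing to a rebuild, as an added example that is not the author's code and not part of Microsoft Deployment Toolkit: a PowerShell audit that walks an application manifest and reports, per application, whether the installer is still on the share, whether it is the same file that was recorded (SHA-256), and whether its silent-install arguments were written down. The manifest schema, application names, file names and the temporary share are all hypothetical and constructed for the demonstration.

```powershell
# Added example. Names, paths and hashes are constructed; this is not MDT.
# Constructed sample: a temporary "software share" holding one demo installer.
$share = Join-Path ([IO.Path]::GetTempPath()) 'image-src-demo'
New-Item -ItemType Directory -Path $share -Force | Out-Null
$demo = Join-Path $share 'app-a-setup.exe'
Set-Content -LiteralPath $demo -Value 'constructed demo bytes' -NoNewline
$goodHash = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash

# One entry per application that belongs in the image (hypothetical schema).
$manifest = @(
    [pscustomobject]@{ Name = 'App A'; File = 'app-a-setup.exe'; Sha256 = $goodHash;  SilentArgs = '/S' }
    [pscustomobject]@{ Name = 'App B'; File = 'app-b.msi';       Sha256 = '<sha256>'; SilentArgs = '/qn /norestart' }
    [pscustomobject]@{ Name = 'App C'; File = 'app-a-setup.exe'; Sha256 = ('0' * 64); SilentArgs = '/S' }
    [pscustomobject]@{ Name = 'App D'; File = 'app-a-setup.exe'; Sha256 = $goodHash;  SilentArgs = '' }
)

function Test-ImageManifest {
    param([object[]]$Manifest, [string]$SourceRoot)
    foreach ($app in $Manifest) {
        $path = Join-Path $SourceRoot $app.File
        $status = if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            'MissingInstaller'      # nobody kept the installation files
        } elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $app.Sha256) {
            'HashMismatch'          # file on the share is not the one that was recorded
        } elseif ([string]::IsNullOrWhiteSpace($app.SilentArgs)) {
            'NoSilentArgs'          # nobody recorded how to install it unattended
        } else {
            'Ready'
        }
        [pscustomobject]@{ Name = $app.Name; File = $app.File; Status = $status }
    }
}

$report  = Test-ImageManifest -Manifest $manifest -SourceRoot $share
$blocked = @($report | Where-Object { $_.Status -ne 'Ready' })
$report | Format-Table -AutoSize
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) of $($report.Count) applications block an unattended rebuild."
}
Remove-Item -LiteralPath $share -Recurse -Force
```

Every entry that is not Ready is a piece of the image that still has to be gathered; the hash check additionally catches an installer that was replaced on the share after it was recorded.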
As always, if you have any feedback or something I didn't cover in this article that belongs here, please reach out to me here or on Twitter @mracket