WilliamLam.com

OVFTool 4.4.1 - Upload OVF/OVA from URL using upcoming "pull" mechanism

by // 12 Comments

I was helping a fellow colleague yesterday with an OVA question and I came to learn about an upcoming feature in the popular OVFTool utility that would allow for a new method of uploading a remote OVF/OVA to either a vCenter and/or ESXi endpoint.

Historically, when you upload an OVF/OVA whether that is stored locally or remotely from a URL, the data path will actually transfer through the system running the OVFTool between the source and destination, which is ultimately the ESXi host which performs the actual download. Although the OVF/OVA data is not actually stored on your local system, the traffic is proxied through your system and can add an unnecessary hop if the remote OVF/OVA URL can directly be accessed by ESXi host.

A new --pullUploadMode flag has been introduced in the latest OVFTool 4.4.1 release, which will allow ESXi host to directly download (pull) from the remote OVF/OVA URL, assuming it has connectivity. In addition to version of OVFTool, you will also need to have either ESXi 6.7 or 7.0 environment for this new feature to work.

Disclaimer: Although this feature is available in latest OVFTool release, it is still under development and should be considered a Beta feature in case folks are interested in trying it out.

Since the ESXi host is directly downloading from the remote source, there are two additional security verification that has already been implemented. The first is an additional vSphere Privilege called "Pull from URL" which is under the vApp section. Without this, you will get a permission denied error.


Secondly, in addition to specifying the new CLI option, you will also need to provide another flag called --sourceSSLThumbprint which should include the SHA1 hash of endpoint hosting the OVF/OVA. This is an additional verification to ensure the validity of the server hosting the OVF/OVA.

Here is an example of deploying my latest ESXi 7.0 Update 1 Virtual Appliance OVA which is remotely hosted. The quickest way to obtain the SHA1 thumbprint is simply opening browser to based URL which is https://download3.vmware.com/


You will need to replace the space with ":" (colon), so the final string should look like BA:C6:4E:D9:AD:D4:53:B5:86:5A:5D:70:36:CF:89:93:D1:6C:F9:63

Note: The SHA1 thumbprint example shown above is only valid as of Oct 2020, as TLS certificates are replaced periodically, the SHA1 hash will change.

Here is an example OVFTool command to deploy from the remote URL

ovftool \
--X:logFile="ovftool.log" \
--acceptAllEulas \
--allowAllExtraConfig \
--allowExtraConfig \
--noSSLVerify \
--sourceSSLThumbprint="B2:52:9E:4D:57:9F:EA:53:4D:A0:0B:7F:D4:7E:55:91:56:C0:64:BB" \
--name="Nested-ESXi-7.0-Update-1-Appliance" \
--datastore=sm-vsanDatastore \
--net:"VM Network"="VM Network" \
--pullUploadMode \
https://download3.vmware.com/software/vmw-tools/nested-esxi/Nested_ESXi7.0u1_Appliance_Template_v1.ova \
'vi://*protected email*:[email protected]/Primp-Datacenter/host/Supermicro-Cluster'

If we switch over to the vSphere UI, we should see a new task called "Download remote files" which indicates the new pull method is being leveraged. One thing to note is that because ESXi is now performing the download directly, progress may not be known by the OVFTool client, since it is not longer the source for the data transfer. Another thing to be aware of is that OVFTool itself has built-in retry logic in case there is a slight interruption during the data transfer with the current mechanisms. In the "pull" scenario, there is no retry by ESXi and so depending on connectivity, its possible deployments can fail and complete re-transfer would be required.

NSX-T Edge OVF property to automatically join NSX-T Management Plane

by // 2 Comments

After publishing my vSphere 7 with Kubernetes automation lab deployment script, I was looking at my NSX-T Edge code which leverages the vSphere VM Keystroke API to automate the joining of the the NSX-T Edge to the NSX-T Management Plane. This technique is used to avoid the need for SSH access to both NSX-T Edge and Manager which is the official VMware method as outlined in the documentation for configuring the Edge.

This is certainly unfortunate as most customers normally disable SSH by default and only enable it for troubleshooting/debugging purposes. As far as I know, there are no remote NSX-T APIs for configuring an NSX-T Edge that has been deployed outside of NSX-T Manager, which has its own implications.

I recently had a chance to revisit some research I had made a note of when I had first started working with NSX-T. While inspecting the NSX-T Edge OVA, I found several OVF properties that begin with mp which per the description was referring to the NSX-T Manager. At the time, I was not able to figure out which the required combination of keys and values. Taking a closer look and poking around the appliance and logs, I was able to finally figure out the correct combination which turned out to be easy, once you knew what it was expecting.

To help demonstrate this functionality, I have created a basic PowerCLI script edge-auto-join-nsxt-management-plane.ps1 which uses information from your already deployed NSX-T Manager to automatically deploy the desired number of NSX-T Edge(s) which will automatically join the NSX-T Management Plane upon initial setup.


The way this works is that the following four OVF properties must be filled as part of the NSX-T Edge deployment:

[Read more...]

Really cool updates with OVFTool 4.4 and support for vSphere 7

by // 5 Comments

vSphere 7 has officially GA'ed this morning and with folks starting to download ESXi and the vCenter Server Appliance, do not forget about all the supporting tools such as the latest PowerCLI 12.0 release which includes a number of enhancement as well as the various vSphere Management and Automation SDKs.

One of my most frequently used tools on a daily basis, some times even more than PowerCLI is OVFTool which is now at version 4.4 which officially supports vSphere 7 but it also includes a number of really awesome enhancements and bug fixes. 

While looking over the OVFTool release notes, I noticed a few interesting tidbits that I thought was worth calling out:

OVF Tool now can upload disk files to the host in parallel, and download disk files from the host in parallel. OVA is unsupported. Parallelism is limited by the number of CPUs. See the --parallelThreads=N option in the OVF Tool User's Guide for details.

This is a most welcome feature for customers with extremely large VMs where upload and/or downloads of OVAs can take a considerable amount of time as only a single CPU thread is used. With this feature, you can now enable multiple CPU threads with the --parallelThreads parameter which should really with performance! Even for smaller size VMs, you can still benefit if you have additional CPU resources to allocate and something I will be using going forward!

For multi-disk virtual machines, OVF Tool now includes the --multiDatastore flag to specify datastore per disk. See the OVF Tool User's Guide for details.

This is another welcome feature for customers where you might have an OVA that contains multiple VMDKs and want to explicitly place them on specific datastore.

The ARM64 architecture on Linux is now supported.

Finally, I thought this was very interesting to see that OVFTool has been ported over to ARM64 for Linux which means we can run now run OVFTool on a Raspberry Pi or even an Amazon A1 EC2 Instance! This might come handy in the future and I wonder if OVFTool for ESXi would be the next logical step? 🙂

I highly recommend you check out the rest of the release notes as it contains many more enhancements and fixes, many of which I have reported from the community and/or by our customers. I think this is certainly one of the tools you can upgrade immediately as it has great backwards compatibility with older vSphere releases but you can also take advantage of all the new features mentioned above immediately. If there are other OVFTool improvements or enhancements you really would like to see, feel free to leave a comment along with the use case and I will past that on to Engineering.