WilliamLam.com

Search Results for: kickstart

SSH Keys & Lockdown Mode Caveat in ESXi 5

by // 6 Comments

Hopefully everyone is familiar with ESXi's Lockdown Mode and what it means from a security standpoint. Here is a table of the behavior between normal and Lockdown Mode:

In ESXi 5, the use of SSH keys is officially supported without having to manually create any hacks to preserve .ssh directory as you did with prior releases of ESXi. If you use Lockdown Mode, there is an additional caveat to be aware of in which the use of SSH keys is able to by-pass the Lockdown Mode configuration for an ESXi 5 host.

Here is a quick example demonstrating the process from VMware's VCVA (vCenter Virtual Appliance):

Step 1 - Create SSH keys

vcenter50-1:~ # ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a1:8c:24:60:0e:fe:9a:cf:4a:35:17:d6:89:ba:08:9d root@vcenter50-1
The key's randomart image is:
+--[ DSA 1024]----+
|o. |
|=. o . |
| o. .+ o. |
| ..+oo.. . |
|. E=..o S |
|. = + |
| = . |
|. o |
| ..o |
+-----------------+

Step 2 - Copy SSH public keys over to destination ESXi 5 host into the authorized file under /etc/ssh/keys-root/authorized_keys

vcenter50-1:~ # scp .ssh/id_dsa.pub root@vesxi50-4:/etc/ssh/keys-root/authorized_keys
Password:
id_dsa.pub 100% 606 0.6KB/s 00:00

Step 3 - Enable Lockdown Mode via vCenter

Step 4 - SSH into locked down ESXi 5 host utilizing SSH keys

By default the support of SSH is enabled, you will need to manually disable it to ensure that you are fully lockdown when you choose to enable Lockdown Mode. To disable SSH key support, you just need to comment the following line in /etc/ssh/sshd_config

# AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

The change takes effect right away and you do not need to restart the SSH daemon.

If you are interested in automatically disabling the use of SSH keys or you would like to copy an existing SSH key into your ESXi 5 host via kickstart, take a look at Automating ESXi 5.x Kickstart Tips & Tricks for more details.

Major Enhancements in esxcli for vSphere 5

by // 10 Comments

esxcli in vSphere 5 has undergone significant updates compared to version in vSphere 4.1 which only had 6 major namespaces and 43 commands.

Namespace Description
corestorage VMware core storage commands
network VMware networking commands
nmp VMware Native Multipath Plugin (NMP) This is the VMware default implementation of the Pluggable Storage Architecture
swiscsi VMware iSCSI commands
vaai Vaai Namespace containing vaai code
vms Limited Operations on Virtual Machines

With latest vSphere 5 release, esxcli now includes a total of 10 namespaces and 251 commands! You will notice some of the updated namespaces from vSphere 4.1, such as corestorage which is under the namespace storage and it also contains other sub-namespaces dealing with the storage stack.

Namespace Description
esxcli Commands that operate on the esxcli system itself allowing users to get additional information
fcoe VMware FCOE commands
hardware VMKernel hardware properties and commands for configuring hardware
iscsi VMware iSCSI commands
license Operations pertaining to the licensing of vmware and third party modules on the ESX host. These operations currently only include updating third party module licenses
network Operations that pertain to the maintenance of networking on an ESX host. This includes a wide variety of commands to manipulate virtual networking components (vswitch, portgroup, etc) as well as local host IP, DNS and general hsot networking settings
software Manage the ESXi software image and packages
storage VMware storage commands
system VMKernel system properties and commands for configuring properties of the kernel core system
vm A small number of operations that allow a user to Control Virtual Machine operations

To get a complete list of the available esxcli commands in vSphere 5, you can run the following:

esxcli esxcli command list

The goal of esxcli is to provide a centralize, consistent and easy way of accessing and managing your ESXi host from both locally within ESXi Shell or remotely using vCLI and/or vMA. With the release of 5.0, the majority of the legacy esxcfg-*/vicfg-* commands have been migrated over to esxcli. At some point, hopefully not in the distant future, esxcli will be parity complete and the esxcfg-*/vicfg-* commands will be completely deprecated and removed including the esxupdate/vihostupdate utilities.

There are still several types of operations that require tools in addition to esxcli such as configuring licenses for standalone host, enabling/disabling local and remote ESXi Shell, enabling/disabling Fault Tolerance & vMotion traffic types just to name a few. For more details on some of the common operations that you may need to perform using both esxcli and other utilities, take a look at my ESXi 5 kickstart tip and tricks post.

The new remote version of esxcli is compatible with both ESXi 5 and ESX(i) 4.1 hosts. Due to the nature of the framework, the capabilities are located on the host and when you initially connect, it will automatically down the available namespaces that can be supported. The new namespaces in ESXi 5 will not be available on 4.1 but the old 4.1 namespaces will be. In the latest release, there are still no vSphere APIs exposed for esxcli, they are all still hidden. To access esxcli, you will need to either use local esxcli, remote esxcli using vCLI and/or vMA or PowerCLI's esxcli cmdlets.

The syntax of esxcli is very simple to understand:

To get more details on a namespace, you just need to specify the --help option after the namespace selection. In this diagram, we are accessing "network" namespace and we can see there are 5 additional namespaces we can access.

Let's say we're interested in the "firewall" and would like to know more, we can again specify --help option again.

Now we have a set of commands, let's go ahead and run the "get" command

As you might have guessed, the "get" command will get the network firewall status. The actual commands are pretty intuitive and you will find that most esxcli namespaces will support get, set and list operations. The other nice thing about esxcli is that the output is consistent whether you are running this locally on ESXi Shell or remotely using vCLI and/or vMA, which makes scripting extremely simple.

Note: With remote esxcli, you will need to specify the ESX(i) host and credentials to login to as it is going through the APIs.

You also have the ability to control the type of output that is generated whether that is xml, csv or keyvalue. To do so, you can specify --formatter option and specify one of those options. The xml and keyvalue pair works across all namespaces and csv works on majority of the namespaces.

Let's go ahead and run the same command as above but output it in keyvalue pair

~ # esxcli --formatter=keyvalue network firewall get
Firewall.DefaultAction.string=DROP
Firewall.Enabled.boolean=false
Firewall.Loaded.boolean=true

In addition to type of format output, you can also display specific columns of information using --format-param, this is useful in-conjunction with csv output.

Here is an example of listing the standard vSwitches without any formatting:

~ # esxcli network vswitch standard list
vSwitch0
Name: vSwitch0
Class: etherswitch
Num Ports: 128
Used Ports: 6
Configured Ports: 128
MTU: 1500
CDP Status: listen
Beacon Enabled: false
Beacon Interval: 1
Beacon Threshold: 3
Beacon Required By:
Uplinks: vmnic1, vmnic0
Portgroups: ESXSecretAgentNetwork, VM Network, vmk2, vmk1, Management Network
vSwitch1
Name: vSwitch1
Class: etherswitch
Num Ports: 128
Used Ports: 3
Configured Ports: 128
MTU: 1500
CDP Status: listen
Beacon Enabled: false
Beacon Interval: 1
Beacon Threshold: 3
Beacon Required By:
Uplinks: vmnic2
Portgroups: VMkernel

Here is the same example, but now only displaying Name, Num of Ports, MTU, CDP and Portgroups using the formatter and format-param options:

~ # esxcli --formatter=csv --format-param=fields="Name,Num Ports,MTU,CDP,Portgroups" network vswitch standard list
Name,NumPorts,MTU,Portgroups,
vSwitch0,128,1500,"ESXSecretAgentNetwork,VM Network,vmk2,vmk1,Management Network,",
vSwitch1,128,1500,"VMkernel,",

If you like to learn more about esxcli, you can take a look at the What's New in vSphere 5 Platform whitepaper. I would also highly encourage you to play with the new esxcli and see what the new capabilities are. Also, when the vSphere 5 documentation is released, a must read document is the Command-Line Management in vSphere 5.0 for Service Console Users which goes into detail about the specific esxcli commands to use in replacement of the esxcfg-*/vicfg-* commands.

Note: Hopefully it was okay to borrow some of these esxcli slides from VMware, I made some slight modifications. The diagrams are a great way to explain how esxcli namespaces work.

Semi-Interactive automated ESXi installation

by // 18 Comments

There was a recent thread in the VMTN community forums where a user wanted to provide user input prior to an automated ESXi installation. This may sound odd at first, especially when we are talking about an unattended installation, the last thing you want is any type of user interaction. The reason for this requirement was to maintain a generic kickstart configuration file and based on the site specific input (IP Address, Netmask, Gateway, Hostname and DNS Servers), the ESXi installation would be able to deploy and configure itself the same across multiple locations.

UPDATE (01/10/19) - For ESXi 6.5 or greater, please take a look at this blog post for an updated solution

UPDATE (10/28/15) - Please take a look at this blog post on how to prompt for user input during an interactive or scripted installation of ESXi.

The other reason for this requirement is that all hosts in the user's environment must be configured with a static IP Address, this is not an uncommon requirement for many production environments to not have DHCP enabled networks. I can only assume the initial network the host is being built is either a private build network or booting off of local media such as a USB or CD-ROM device.

Whether you are booting off of local media or via PXE over the network, you have the ability to specify some boot parameters which includes things like IP Address, Netmask, Gateway and DNS Servers. These "bootstrap" options are fully supported and documented in the ESXi Installation Section. You can also specify advanced VMkernel boot parameters which may not be officially supported by VMware, but you can take a look here for more details.The concept of specifying these boot parameters is nothing new and has been supported since the early days of classic ESX and other popular UNIX/Linux distros for PXE boot/installations.

When you boot the ESXi installer, you may have seen a screen similar to the following in which you have a few seconds to hit the "tab" key to edit the boot options.

Once you hit the "tab" key, you will be able to see what the default boot options are and if you are PXE booting, you will also see some IP information appended towards the end of the string. This is where you can append or update additional parameters and later read in by your kickstart script.

Here is an example of an ESXi installation being PXE booted over the network and I have added 4 supported boot parameters and 2 custom ones.

If you take a look at the screenshot, the "+++" IP information towards the end is what was given by the DHCP server but I am interested in specifying a different IP Address for the ESXi installer to boot from. I provided new entries for ip, netmask, gateway and nameserver. You can also see that I introduced two new variables called hostname and dc, these will be used to specify the hostname of the ESXi host and also the name of the datacenter which will be used later in the kickstart script to rename a datastore.

Note: If you redefine the IP information, you do not need to change the IP information found after the "+++", these will just be over-written with the new IP information.

When specifying these boot parameters, you need to make sure it is after the "vmkboot.gz" but before "--- vmkernel.gz". To help make this clear, I have colorized the section that was appended to the default options.

vmkboot.gz dc=ghettoDC hostname=vesxi41-2.primp-industries.com ip=172.30.0.200 netmask=255.255.255.0 gateway=172.30.0.1 nameserver=172.30.0.100 ks=http://172.30.0.108/esxi41u1/ks.cfg --- vmkernel.gz --- sys.vgz --- cim.vgz --- ienviron.vgz --- install.vgz

Note: You can create any custom variables, the key in using the custom variables will be parsing from the boot command line using vsish which will be defined in your kickstart script. This will work also work for local media, but you MUST use a kickstart to perform the actual installation or inject the kickstart script into a custom ISO.

After you have provided all the input, you will then boot the installer and the the following kickstart configuration file is used to parse the boot options using vsish.

accepteula
autopart --firstdisk --overwritevmfs
rootpw vmware
install url http://172.30.0.108/esxi41u1
reboot

%include /tmp/networkconfig

%pre --unsupported --interpreter=busybox

CMDLINE_FILE=/tmp/cmdline
ESXI_INSTALL_LOG=/var/log/esxi_install.log

# extract boot options
vsish -e get /system/bootCmdLine > ${CMDLINE_FILE}

# extract and set variables
HOSTNAME=$(cat ${CMDLINE_FILE} | grep hostname | sed -e 's/.*hostname=\([^ ]*\).*/\1/')
IPADDR=$(cat ${CMDLINE_FILE} | grep ip | sed -e 's/.*ip=\([^ ]*\).*/\1/')
NETMASK=$(cat ${CMDLINE_FILE} | grep netmask | sed -e 's/.*netmask=\([^ ]*\).*/\1/')
GATEWAY=$(cat ${CMDLINE_FILE} | grep gateway | sed -e 's/.*gateway=\([^ ]*\).*/\1/')
NAMESERVER=$(cat ${CMDLINE_FILE} | grep nameserver | sed -e 's/.*nameserver=\([^ ]*\).*/\1/')
DC=$(cat ${CMDLINE_FILE} | grep dc | sed -e 's/.*dc=\([^ ]*\).*/\1/')

# create networkline based on boot options
echo "network --bootproto=static --hostname=${HOSTNAME} --ip=${IPADDR} --netmask=${NETMASK} --gateway=${GATEWAY} --nameserver=${NAMESERVER} --addvmportgroup=0" > /tmp/networkconfig

# persist custom variables in ESXi install log for %post section
echo "GHETTO_CUSTOM_VARIABLE-DC ${DC}" >> ${ESXI_INSTALL_LOG}

%firstboot --unsupported --interpreter=busybox --level=9999

#extract custom variables in ESXi install log
DC=$(grep "^GHETTO_CUSTOM_VARIABLE-DC" /var/log/esxi_install.log | awk '{print $2}')

vim-cmd hostsvc/datastore/rename datastore1 "${DC}-datastore1"

vim-cmd hostsvc/maintenance_mode_enter
vim-cmd hostsvc/enable_remote_tsm
vim-cmd hostsvc/start_remote_tsm
vim-cmd hostsvc/enable_local_tsm
vim-cmd hostsvc/start_local_tsm

The script does the following:

  1. Reads the boot options using vsish and temporarily stores the output to /tmp/cmdline for later use
  2. Extracts all the relevant boot parameters in /tmp/cmdline and stores them in variables to be used in the script.
  3. Creates the "network" stanza for static IP assignment of the ESXi host which includes: Hostname, IP Address, Netmask, Gateway and Nameserver
  4. Writing out the custom variable "dc" into /var/log/esxi_install.log because this will be persisted through the reboot and can be later read in for any %firstboot operations.
  5. Upon the reboot, %firstboot will execute and read from /var/log/esxi_install.log to extract the "dc" variable in which it will use to rename the local datastore

Note: The above is just an example of what you can do with custom parameters. You can easily add as many as you need for site specific configurations and then use those input in your post configure your ESXi host. Also note that you do not need to make sure of ip,netmask,gateway,dns parameters to use custom variables, these are all optional.

You can add as many custom entries as you would like, but this can easily get error prone due to the amount of typing required. One thing you can do to minimize the amount of typos is to pre-specify the custom variables in your PXE/TFTP configuration file.

To do so, your PXE/TFTP configuration file would look something like this:

IMEOUT 300 #30 seconds
PROMPT 1
DEFAULT menu.c32
SAY -
SAY vga - Install esxi410u1 (vga console)
SAY -

LABEL www.virtuallyghetto.com - Semi-Interactive ESXi Install
KERNEL mboot.c32
APPEND vmkboot.gz dc= hostname= ip= netmask= gateway= nameserver= ks=http://172.30.0.108/esxi41u1/ks.cfg --- vmkernel.gz --- sys.vgz --- cim.vgz --- ienviron.vgz --- install.vgz
IPAPPEND 1

This not only reduces the amount of typing but also lets the user know what variables must be defined in order for the installation to proceed.

I totally understand where the user is coming from and I have had this requirement in the past but I think having a static DHCP entry and maintaining a simple configuration file can easily solve this problem. This not only makes the deployment process hands-off as it should be in the first place but also removing the human factor out of the equation. Can you imagine deploying 100-300 ESXi hosts in a day? I sure can not if I had to manually type out all those addresses by hand.