WilliamLam.com

Search Results for: kickstart

Automated ESXi Installation to USB using Kickstart

by // 21 Comments

I frequently re-install ESXi on my physical host for various types of testing as I normally work with a number of future releases. Although the process just takes a couple of minutes, having to enter the exact same information each time and also requiring a keyboard and monitor is not really ideal. For the majority, this is really not a problem and manually going through the install workflow is fine for most folks, especially as this is an infrequent operation.

However, with some recent customer conversations, I thought it was worth while to re-visit this topic and demonstrating just how easy it is to automate the installation of ESXi with just a single bootable USB device and embedding an ESXi Kickstart Script. Even for infrequent installation and/or upgrades of ESXi for home labs, this can be a time saver, especially if you do not have monitor and keyboard just lying around. Below are instructions including a reference Kickstart example that folks can use as a starting point. For more advanced automation, please take a look at my ESXi Kickstart Resources as well as the official VMware documentation for ESXi Scripted Installations.

[Read more...]

Using ESXi Kickstart %firstboot with Secure Boot

by // 6 Comments

If you install ESXi via a Kickstart script and make use of the %firstboot option to execute commands on the first boot of the ESXi host after installation, you should be aware of its incompatibility with the Secure Boot feature. If you install ESXi where Secure Boot is enabled, the Kickstart will install ESXi normally only execute up to the %post section. However, it will not execute the %firstboot scripts and if you look at the /var/log/kickstart.log after the host boots, you should see the following message:

INFO UEFI Secure Boot Enabled, skipping execution of /var/lib/vmware/firstboot/001.firstboot_001

If you have Secure Boot enabled, %firstboot is not supported. The reason for this is Secure Boot mandates only known tardisks which can hold executable scripts, and a kickstart script is an unknown source so it can not run when Secure Boot is enabled. If you wish to continue using %firstboot scripts, the only option is to disable Secure Boot and then re-enable it after the installation. A preferred alternative is to convert your %firstboot logic into an external script which can then be applied using the vSphere API (recommended method) and this way you can still customize your ESXi host after the initial installations. I have already filed an internal documentation bug to add a note regarding Secure Boot and %firstboot, hopefully that will roll out with the net documentation refresh.

Quick Tip - What hashing algorithm is supported for ESXi Kickstart password?

by // 2 Comments

I had a question the other day asking whether the encrypted password which can be specified within an ESXi Kickstart file (denoted by the --isencrypted flag) can use a different hashing algorithm other than MD5? The answer is absolutely yes. In fact, MD5 as a default hashing algorithm has NOT been used for a number of releases, probably dating back to classic ESX (you know, the version that had the Service Console).

For all recent releases of ESXi including 5.5 to 6.7, the default hashing algorithm has been SHA512 for quite some time now. Below are two ways in which you can check which default hashing algorithm is currently being used:

Option 1 - SSH to ESXi host and take a look at /etc/pam.d/passwd


Option 2 - SSH to ESXi host and take a look at /etc/shadow and look at the field prior to the salt.

As a reference:

  • $1$ - MD5
  • $5$ - SHA256
  • $6$ - SHA512