WilliamLam.com

Automated ESXi Installation with a USB Network Adapter using Kickstart

by // 4 Comments

I have been working with the Project Keswick team for quite some time now, which is an OCTO project is lead by my good friend Alan Renouf, who is doing some really innovative work with ESXi at the edge and application deployment using a desired state engine.

Recently I had met with the team to discuss some of the options for their automated deployment which uses the tried and true ESXi scripted installation aka ESXi Kickstart. One thing that I had shared was just how powerful the %pre section within the kickstart is and can be used to redefine or update the original kickstart based on your installation criteria. For example, you could pull down external configuration files and determine at runtime to decide how you want to configure your networking to even fully bootstrapping a local vSAN datastore and this would all happen prior to ESXi installer starting. I have used the %pre section numerous times as a customer and also demonstrated in my USB-to-SDDC project which has also been an inspiration for the Project Keswick team.

One very cool capability that Project Keswick is enabling is the integration of the popular USB Network Native Driver for ESXi and one challenge they had faced with automating an ESXi installation when only a USB network adapter was available is additional configuration that must be setup before the installer can begin. They shared their solution and thought this would be a good blog post topic, especially as I know many folks use the USB Network Native Driver for ESXi in their homelab and if you wish to automate the installation, the solution shared from the team could help.

[Read more...]

Quick Tip - Automating ESXi local user passwords using SHA512 encrypted hashes

by // Leave a Comment

For those that automate their ESXi installations using Kickstart aka ESXi scripted installation should be quite familiar with the ability to configure the root password as part of the installation. As described in the official ESXi documentation, the --rootpw option can either contain a plain text password (not recommended) or with the use of the additional --iscrypted option, a SHA512 hash of the password can also be used, which is definitely recommended and more secure.

However, when managing additional local users via ESXCLI system account, which I recently blogged about here, I noticed that you can only provide a plain text password either on the command-line (not recommended) or interactively, which prevents this process from being automated. As mentioned in the blog post, you could store the password and the commands into another script file and this will at least hide the password from being stored in the ESXi Shell log file (/var/log/shell.log) but this is far from ideal.

While sharing this feedback with Engineering as part of a feature enhancement request, I came to learn about a nice little utility that can be used with both ESXi 7.x and 8.x that can update local user by simply providing the encrypted SHA512 hash.

[Read more...]

Applying additional security hardening enhancements in ESXi 8.0

by // 14 Comments

While responding to a few ESXi security configuration questions, I was referencing our ESXi Security documentation, which includes a lot of useful information and latest best practices. It is definitely worth re-reviewing this section from time to time to take advantage of all the ESXi security enhancements to help protect and secure your vSphere environment.

In certain areas of the ESXi security documentation, I noticed that it mentions CLI and API, but it does not always provide an example that customers can then reference and use in their Automation, which is really the only guaranteed method to ensure configurations are consistent across your vSphere environment. After answering some of the security related questions, especially on the Automation examples, I figure it would be useful to share this information more broadly so that folks are aware of some of the new and existing security enhancements along with some of their implications if you are not implementing them.

Speaking of new ESXi security enhancements, one of the new features that was introduced in ESXi 8.0 is the ability to disable ESXi Shell access for non-root users. While this might sound like a pretty basic feature, applying this towards the vCenter Server service account vpxuser can help add another layer of protection for your ESXi hosts against attackers. It turns out that users with ESXi Shell access can also modify other local users password on ESXi host including the root user. By restricting ESXi Shell access for the vpxuser, you prevent attackers, which can also be insiders who have access to vCenter Server the ability to just change the ESXi root password without knowing the original password. As a result, this can lock you out of your ESXi hosts or worse, enable an attacker to encrypt your workloads, especially as the rise ransomeware attacks has been increasing.

[Read more...]