
Friday, February 12, 2010

Scripted install of vSphere (ESX4)

First and foremost, download a good text editor with a UNIX (LF line-ending) mode, like Notepad++. You MUST save the script in UNIX mode or it will FAIL. Notepad and WordPad cannot be used for editing these scripts!

A lot of the commands used previously in ESX 3.5 have been deprecated or changed in ESX 4, so this script took a bit of reworking. The only part that doesn't work fully is the vSwitch port group settings, but this script will definitely get you up and running. Please note that this only applies to ESX and not ESXi.

One of the biggest differences in ESX 4 is that the service console now lives in a VMFS volume as a VM. Only the /boot and vmkcore partitions are actually carved out of a physical disk now; the rest of the partitioning is done inside the COS (Console OS) VM's file system. The smallest disk drives available for HP servers these days are 146GB, so I was fairly liberal with my file system layout: 50GB for the local VMFS volume where the COS VM will live (set to grow), 30GB for the COS VMDK itself, and the rest as you can see below in the partitioning section. However you partition the COS file system, make sure you allocate enough space in the VMDK to house it, or your install will fail (virtualdisk esxconsole…).
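Two of the ways a kickstart file like this one fails before the installer gets very far are the line-ending problem mentioned at the top and a COS VMDK that is smaller than the partitions placed on it. The pre-flight check below is an added example, not the post's or VMware's own code: `ks_lint`, its heuristic for misspelled esxcfg-* command names, and the two sample fragments it is run against are constructions for this example. It flags CRLF endings, en/em dashes pasted in where `--` belongs, unknown `esx...-` commands in %post, and a virtualdisk whose partitions add up to more than its `--size=`.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight lint for an ESX 4
# kickstart file. Function name ks_lint, the "esx...-" typo heuristic and the
# sample files are this example's own.

EN_DASH=$(printf '\342\200\223')   # U+2013, what blogs/word processors turn "--" into
EM_DASH=$(printf '\342\200\224')   # U+2014

# ks_lint FILE: print each finding, return the number of findings (0 = clean).
ks_lint() {
    ks="$1"
    findings=0

    # 1. CRLF line endings: the installer parses the file as UNIX text.
    crs=$(tr -d -c '\r' < "$ks" | wc -c | tr -d ' ')
    if [ "$crs" -gt 0 ]; then
        echo "FAIL: $crs CR characters found; save the file in UNIX (LF) mode"
        findings=$((findings + 1))
    fi

    # 2. Non-ASCII dashes: "–device" is not "--device", so the option is lost.
    dash_hits=$(LC_ALL=C grep -c -e "$EN_DASH" -e "$EM_DASH" "$ks" || true)
    if [ "$dash_hits" -gt 0 ]; then
        echo "FAIL: $dash_hits line(s) contain an en/em dash instead of '--':"
        LC_ALL=C grep -n -e "$EN_DASH" -e "$EM_DASH" "$ks"
        findings=$((findings + 1))
    fi

    # 3. Heuristic: a first word that looks like a misspelled esxcfg-* tool.
    typo_msgs=$(awk '{ sub(/\r$/, "") }
        $1 ~ /^esx[a-z]*-/ && $1 !~ /^esxcfg-/ { print "FAIL: line " NR ": unknown command " $1 }' "$ks")
    if [ -n "$typo_msgs" ]; then
        echo "$typo_msgs"
        findings=$((findings + $(printf '%s\n' "$typo_msgs" | wc -l)))
    fi

    # 4. Sum the --size= of every partition on each virtualdisk against its --size=.
    disk_msgs=$(awk '
        { sub(/\r$/, "") }
        $1 == "virtualdisk" {
            for (i = 3; i <= NF; i++) if ($i ~ /^--size=/) cap[$2] = substr($i, 8) + 0
        }
        $1 == "part" {
            disk = ""; size = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--size=/) size = substr($i, 8) + 0
                if ($i ~ /^--onvirtualdisk=/) disk = substr($i, 17)
            }
            if (disk != "") used[disk] += size
        }
        END {
            for (d in used) if (!(d in cap)) print "FAIL: partitions placed on undefined virtualdisk " d
            for (d in cap) if (used[d] > cap[d]) print "FAIL: virtualdisk " d " is " cap[d] "MB but its partitions need " used[d] "MB"
        }' "$ks")
    if [ -n "$disk_msgs" ]; then
        echo "$disk_msgs"
        findings=$((findings + $(printf '%s\n' "$disk_msgs" | wc -l)))
    fi

    return "$findings"
}

# Constructed sample 1: a fragment with all four problems
# (CRLF endings, an en dash, an "esxfg" typo, 32768MB of partitions on a 30720MB disk).
KS_BAD=$(mktemp)
printf '%s\r\n' \
    "network ${EN_DASH}device=vmnic0 --bootproto=static" \
    'virtualdisk esxconsole --size=30720 --onvmfs=Local_CUESX1' \
    'part swap --fstype=swap --size=2048 --onvirtualdisk=esxconsole' \
    'part /var/log --fstype=ext3 --size=4096 --onvirtualdisk=esxconsole' \
    'part / --fstype=ext3 --size=26624 --grow --onvirtualdisk=esxconsole' \
    'esxfg-vswitch -v 110 -p VM_Servers vSwitch1' > "$KS_BAD"

# Constructed sample 2: the same fragment with every problem corrected.
KS_GOOD=$(mktemp)
printf '%s\n' \
    'network --device=vmnic0 --bootproto=static' \
    'virtualdisk esxconsole --size=30720 --onvmfs=Local_CUESX1' \
    'part swap --fstype=swap --size=2048 --onvirtualdisk=esxconsole' \
    'part /var/log --fstype=ext3 --size=4096 --onvirtualdisk=esxconsole' \
    'part / --fstype=ext3 --size=10240 --grow --onvirtualdisk=esxconsole' \
    'esxcfg-vswitch -v 110 -p VM_Servers vSwitch1' > "$KS_GOOD"

ks_lint "$KS_BAD" || echo "bad sample: $? finding(s)"
ks_lint "$KS_GOOD" && echo "good sample: clean"
```

Run it as `ks_lint ks.cfg` from the console or any Linux box before handing the file to the installer; a non-zero exit status is the count of findings, so it drops straight into a build pipeline gate. The capacity check counts `--grow` partitions at their minimum size, which is exactly the number the installer needs to fit into the VMDK.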

VMware finally woke up and got rid of that awful FlexLM licensing scheme and has gone back to serial numbers, except now they can be purchased and used in a volume license capacity, similar to how Microsoft does it. I now also like to execute all of the ESX configuration parts in the %post section instead of creating a separate SH script to compile and execute. I'm no longer using Altiris, so this method is much simpler.

ESX uses a formula based on how much system RAM you have to decide how high to set the service console's memory. 800MB is still the maximum, and the host RAM sizing chart (in the script comments) is accurate. Sean D figured out how to make this work in ESX 4, thanks Sean! The esxcfg commands are essentially the same. Modify any of the sections that contain <domain.com> entries with your own servers. The NTP, firewall, and AD-integration sections work perfectly. I do enable root SSH access, against best practice recommendations, so if that isn't cool in your environment comment it out. I also left in the HP mgmt agent install section but haven't tried it yet on ESX 4.
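The memory edit in the %post section works by reading the installer's current memSize out of esx.conf and substituting it in both esx.conf and grub.conf. A sed substitution whose pattern matches nothing still exits 0, so if the current value cannot be read (an empty variable) or the grub.conf line does not look as expected, the host silently stays at its default allocation. Below is an added example, not the post's own code, that wraps the same two substitutions in a function that validates the input, enforces the 800MB ceiling stated above, and verifies both files after editing. `set_cos_memory`, `cos_memsize`, and the sample esx.conf/grub.conf lines (built to mirror the fields the original sed expressions touch) are constructions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. set_cos_memory and cos_memsize
# are this example's names; the sample config lines below are constructed.

# cos_memsize ESX_CONF: print the service console memSize (MB) recorded in esx.conf.
cos_memsize() {
    grep '^/boot/memSize' "$1" | cut -f2 -d'"'
}

# set_cos_memory ESX_CONF GRUB_CONF NEW_MB
# Returns 0 on success, 1 on bad input, 2 if an edit did not apply.
set_cos_memory() {
    esxconf="$1"; grubconf="$2"; newmb="$3"

    case "$newmb" in
        ''|*[!0-9]*) echo "new size must be a whole number of MB" >&2; return 1 ;;
    esac
    # 800MB is the ESX 4 service console maximum noted in the post.
    if [ "$newmb" -gt 800 ]; then
        echo "refusing ${newmb}MB: 800MB is the service console maximum" >&2; return 1
    fi

    curmem=$(cos_memsize "$esxconf")
    case "$curmem" in
        ''|*[!0-9]*) echo "could not read /boot/memSize from $esxconf" >&2; return 1 ;;
    esac

    cp "$esxconf" "$esxconf.bak"
    cp "$grubconf" "$grubconf.bak"

    # Same substitutions as the original script, written to a temp file and
    # moved into place rather than relying on sed -i.
    sed -e "s|^/boot/memSize = \"${curmem}\"|/boot/memSize = \"${newmb}\"|" "$esxconf" > "$esxconf.new" \
        && mv -f "$esxconf.new" "$esxconf"
    sed -e "s/uppermem $((curmem * 1024))/uppermem $((newmb * 1024))/" \
        -e "s/mem=${curmem}M/mem=${newmb}M/g" "$grubconf" > "$grubconf.new" \
        && mv -f "$grubconf.new" "$grubconf"

    # Verify every edit landed; a silent no-op is the failure mode to catch.
    [ "$(cos_memsize "$esxconf")" = "$newmb" ] \
        || { echo "esx.conf edit did not apply" >&2; return 2; }
    grep -q "uppermem $((newmb * 1024))" "$grubconf" \
        || { echo "grub.conf uppermem edit did not apply" >&2; return 2; }
    grep -q "mem=${newmb}M" "$grubconf" \
        || { echo "grub.conf kernel mem= edit did not apply" >&2; return 2; }
    return 0
}

# Constructed stand-ins for /etc/vmware/esx.conf and /boot/grub/grub.conf on a
# host whose installer defaulted the console to 300MB (the 8GB row of the chart).
ESX_CONF=$(mktemp)
printf '%s\n' \
    '/boot/memSize = "300"' \
    '/example/constructedKey = "1"' > "$ESX_CONF"
GRUB_CONF=$(mktemp)
printf '%s\n' \
    'title VMware ESX 4' \
    'uppermem 307200' \
    'kernel /vmlinuz ro root=UUID=CONSTRUCTED-PLACEHOLDER mem=300M quiet' > "$GRUB_CONF"

# Edge case: an esx.conf with no memSize line must be rejected, not silently "edited".
ESX_CONF_BROKEN=$(mktemp)
printf '%s\n' '/example/constructedKey = "1"' > "$ESX_CONF_BROKEN"

set_cos_memory "$ESX_CONF" "$GRUB_CONF" 800 \
    && echo "service console memory now $(cos_memsize "$ESX_CONF")MB"
set_cos_memory "$ESX_CONF_BROKEN" "$GRUB_CONF" 800 || echo "broken sample rejected (rc=$?)"
```

In a real %post section the call would be `set_cos_memory /etc/vmware/esx.conf /boot/grub/grub.conf 800`, and a non-zero return is the signal to stop and look at the .bak copies rather than reboot into a host with the wrong console memory.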

Happy scripting.

########### ESX 4.0 KICKSTART SCRIPT ###############
# +-------------------------------+ #
# | ESX 4.0 install | #
# +-------------------------------+ #
# | Author: Peter Fine | #
# +-------------------------------+ #
#################################################

# root password (Replace with your own password hash)
rootpw --iscrypted $1$4…/

# Authentication
authconfig --enableshadow --enablemd5

# Bootloader options
bootloader --location=mbr

#Installation Method
install cdrom
#install url ftp://10.x.x.x/

# Network install type (change static IP, mask, gateway, and hostname)
network --device=vmnic0 --bootproto=static --ip=10.0.0.0 --netmask=255.255.255.0 --gateway=10.0.0.0 --hostname=ESX1.domain.com --addvmportgroup=0

# Regional Settings
keyboard us
timezone America/Chicago --utc

#reboot after script
reboot

# Partitioning

clearpart --alldrives --overwritevmfs
part /boot --fstype=ext3 --size=2048 --onfirstdisk
part None --fstype=vmkcore --size=110 --onfirstdisk
part Local_CUESX1 --fstype=vmfs3 --size=51200 --grow --onfirstdisk
virtualdisk esxconsole --size=30720 --onvmfs=Local_CUESX1
part swap --fstype=swap --size=2048 --onvirtualdisk=esxconsole
part /var/log --fstype=ext3 --size=4096 --onvirtualdisk=esxconsole
part /opt --fstype=ext3 --size=2048 --onvirtualdisk=esxconsole
part /tmp --fstype=ext3 --size=2048 --onvirtualdisk=esxconsole
part /home --fstype=ext3 --size=2048 --onvirtualdisk=esxconsole
part / --fstype=ext3 --size=10240 --grow --onvirtualdisk=esxconsole

# Licensing
accepteula
serialnum --esx=x-x-x-x-x

#+-----------------------------------+
#| Begin %POST Section |
#+-----------------------------------+
%post --interpreter=bash

# This script will configure the following items:
#
# 1. Set Service Console memory to 800MB
# 2. Configure all networking except VMotion
# 3. Add NTP servers, configure and start the NTP service
# 4. Set the proper firewall settings
# 5. Enable root SSH access
#
##********Command Switch Legend*********
##esxcfg-vswitch -a vSwitchX:[ports] --adds new vSwitch
##esxcfg-vswitch -A [pg name] vSwitchX --adds portgroup [name] to vSwitchX
##esxcfg-vswitch -L vmnicX vSwitchX --links vmnicX to vswitchX
##esxcfg-vswitch -v [vlan ID] -p [pg name] vSwitchX --assigns VLAN ID X to [pg name] on vSwitchX
##
##

#+-------------------------------------------------------+
#| Set Service Console Memory to 800MB |
#+-------------------------------------------------------+

#backup esx.conf and grub.conf
/bin/cp /etc/vmware/esx.conf /etc/vmware/esx.conf.bak
/bin/cp /boot/grub/grub.conf /boot/grub/grub.conf.bak
#Perform copy/replace operations to increase default values
#ESX Host – 8GB RAM -> Default allocated Service Console RAM = 300MB
#ESX Host – 16GB RAM -> Default allocated Service Console RAM = 400MB
#ESX Host – 32GB RAM -> Default allocated Service Console RAM = 500MB
#ESX Host – 64GB RAM -> Default allocated Service Console RAM = 602MB
#ESX Host – 96GB RAM -> Default allocated Service Console RAM = 661MB
#ESX Host – 128GB RAM -> Default allocated Service Console RAM = 703MB
curMEM=`grep '^/boot/memSize' /etc/vmware/esx.conf | cut -f2 -d\"`
sed -i -e "s/boot\/memSize = \"${curMEM}\"/boot\/memSize = \"800\"/g" /etc/vmware/esx.conf
sed -i -e "s/uppermem $(( curMEM * 1024 ))/uppermem 819200/g" -e "s/mem=${curMEM}M/mem=800M/g" /boot/grub/grub.conf

# +---------------------------------------------------------------------------+
# | Create the Service Console |
# | vSwitch0 creation to assign Service Console |
# +---------------------------------------------------------------------------+

#Create and name VSwitch0 (change IP for your server)
esxcfg-vswitch -a vSwitch0
esxcfg-vswitch -A "Service Console" vSwitch0
#Link vSwitch0 to vmnic0 (pNIC0)
esxcfg-vswitch -L vmnic0 vSwitch0
esxcfg-vswitch -L vmnic1 vSwitch0
#Assign vswif interface and assign IP
esxcfg-vswif --add vswif0 --portgroup "Service Console" --ip=10.0.0.0 --netmask=255.255.255.0

# +---------------------------------------------------------------------------+
# | Create the Production0 vSwitch |
# | vSwitch1 creation and NIC assignments |
# +---------------------------------------------------------------------------+
#Create and name vSwitch1
esxcfg-vswitch -a vSwitch1:1016
esxcfg-vswitch -A VM_Servers vSwitch1
esxcfg-vswitch -v 110 -p VM_Servers vSwitch1
#Add pNICs 2 & 3 to vSwitch1
esxcfg-vswitch -L vmnic2 vSwitch1
esxcfg-vswitch -L vmnic3 vSwitch1
esxcfg-vswitch -A VM_Dev vSwitch1
esxcfg-vswitch -v 130 -p VM_Dev vSwitch1

# Restart vmware mgmt service for Virtual Center
service mgmt-vmware restart

# +------------------------------------------------------------------+
# | Firewall Configuration |
# +------------------------------------------------------------------+
echo "Now configuring firewall..."
# Open for SSH client
esxcfg-firewall -e sshClient

# Open for SSH Server
esxcfg-firewall -e sshServer

# Open for VCB
esxcfg-firewall -e VCB

# Open for iSCSI
esxcfg-firewall -e swISCSIClient

# Open for Update Manager
esxcfg-firewall -e updateManager

# Open for ntp out
esxcfg-firewall -e ntpClient

# Open for SNMP
esxcfg-firewall -e snmpd

# Open for CIM server services
esxcfg-firewall -e CIMSLP
esxcfg-firewall -e CIMHttpServer
esxcfg-firewall -e CIMHttpsServer

# Open for Virtual Center heartbeats
esxcfg-firewall -e vpxHeartbeats

# Open for FTP out
esxcfg-firewall -e ftpClient

# Open for Kerberos services outbound (should be handled by esxcfg-auth)
#esxcfg-firewall -o 464,tcp,out,KerberosPasswordChange
#esxcfg-firewall -o 88,tcp,out,KerberosClient
#esxcfg-firewall -o 749,tcp,out,KerberosAdm

# Open for HPSIM
esxcfg-firewall -o 2381,tcp,in,HPSIM

# Restart firewall to enable changes
service firewall restart

# +-----------------------------------------------------------------------------+
# | Active Directory authentication for SSH - /etc/krb5.conf |
# +-----------------------------------------------------------------------------+

# Configure Active Directory authentication (change both domains to yours)
esxcfg-auth --enablead --addomain=domain.com --addc=domain.com

# Add active directory users to the local database
useradd AD_User1
useradd AD_User2

# DNS configuration (add all ESX hosts and VC servers to HOSTS file, just for safety)
echo nameserver 10.0.0.0 >> /etc/resolv.conf
echo nameserver 10.0.0.0 >> /etc/resolv.conf
echo "Configuring hosts file"
echo "127.0.0.1 esx1.domain.com localhost" > /etc/hosts
echo "10.0.0.0 esx1.domain.com esx1" >> /etc/hosts
echo "10.0.0.0 esx2.domain.com esx2" >> /etc/hosts
echo "10.0.0.0 esx3.domain.com esx3" >> /etc/hosts
echo "10.0.0.0 esx4.domain.com esx4" >> /etc/hosts
echo "10.0.0.0 vc1.domain.com vc1" >> /etc/hosts
echo "10.0.0.0 vc2.domain.com vc2" >> /etc/hosts

# +------------------------------------------------------------------+
# | NTP configuration |
# +------------------------------------------------------------------+

# Backup ntp.conf and step-tickers (the same paths the lines below write to)
mv /etc/ntp.conf /etc/ntp.conf.bak
mv /etc/ntp/step-tickers /etc/ntp/step-tickers.bak

# Add Servers to step-tickers
echo "dc2.domain.com" > /etc/ntp/step-tickers
echo "dc1.domain.com" >> /etc/ntp/step-tickers

# create ntp.conf
echo "restrict 127.0.0.1" > /etc/ntp.conf
echo "restrict dc1.domain.com mask 255.255.255.255 nomodify notrap noquery" >> /etc/ntp.conf
echo "restrict dc2.domain.com mask 255.255.255.255 nomodify notrap noquery" >> /etc/ntp.conf
echo "server dc1.domain.com" >> /etc/ntp.conf
echo "server dc2.domain.com" >> /etc/ntp.conf
echo "driftfile /var/lib/ntp/drift" >> /etc/ntp.conf

# Service restart
service ntpd restart

# Make ntp start at boot time
chkconfig --level 345 ntpd on

# Sync hardware clock
hwclock --systohc

#+-----------------------------------+
#| Enable Root SSH Access |
#+-----------------------------------+

/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -e 's/PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
mv -f /etc/ssh/sshd_config.new /etc/ssh/sshd_config

# SSH Banner Message...
# The echo >> /etc/banner are blank spaces for readability...

echo >> /etc/banner
echo This is a private and secure system. >> /etc/banner
echo Authorized users ONLY! >> /etc/banner
echo All logon attempts and activities are monitored. >> /etc/banner
echo Banner /etc/banner >> /etc/ssh/sshd_config

# Restart sshd after both edits so the PermitRootLogin and Banner changes take effect
service sshd restart

# +-----------------------------------------------------------------+
# | Scripted HP Insight Manager Agent install |
# | Download agent tar to local tmp dir |
# | To download, first open the firewall |
# +-----------------------------------------------------------------+
#
#cd /tmp
#/usr/sbin/esxcfg-firewall --allowOutgoing
#lwp-download http://10.0.0.0/hpmgmt-8.3.1-vmware4x.tgz /tmp/hpmgmt-8.3.1-vmware4x.tgz
#lwp-download http://0.0.0.0/hpagent/esx3/hpmgmt.conf /tmp/hpmgmt.conf
#
# extract tar file
#tar -zxvf hpmgmt-8.3.1-vmware4x.tgz
#
# execute auto install
#cd /tmp/hpmgmt/831
#./installvm831.sh --silent --inputfile /tmp/hpmgmt.conf
#/usr/sbin/esxcfg-firewall --blockOutgoing
#
# End of first script
#EOF1
#
# All of the above has been sent to /tmp/esxcfg.sh (not been executed yet)
# next step is to make /tmp/esxcfg.sh executable
#chmod +x /tmp/esxcfg.sh
#
# Backup of original rc.local file
#cp /etc/rc.d/rc.local /etc/rc.d/rc.local.bak
#
#
# edit rc.local to call esxcfg.sh
# and to make rc.local reset itself after calling
#
#cat >> /etc/rc.d/rc.local <<EOF
#cd /tmp
#/tmp/esxcfg.sh > /tmp/post_install.log
#mv -f /etc/rc.d/rc.local.bak /etc/rc.d/rc.local
#EOF
#
####################################### END OF KICKSTART SCRIPT #################################
