Free VMware Transition to ESXi Essentials course

I recently completed the free VMware Transition to ESXi Essentials course. If you’d like more information on how to sign up for this course yourself, check out the following link: http://blogs.vmware.com/esxi/2011/04/become-a-true-esxi-expert-with-the-new-free-vmware-elearning-course-and-ebook-offer.html

I wanted to share a few specific things I learned from the training. If the price tag (free) isn’t enough to entice you to sign up, hopefully the following details will.

Module 4 of the training discusses using the vMA and goes into specific detail on vifp addserver, mcli.pl and vicfg-hostops. I’ve used one of these commands before, but learned something about it; the other two commands were new to me — but I’m sure I’ll be using them soon.

vifp addserver: I’ve used this command several times before. Once you have servers added with fastpass, you can issue commands to the host without providing credentials. What I didn’t realize, but learned from the course, is that vifp addserver creates local accounts on the ESXi host. I verified that several of my ESXi hosts still have these users hanging out.

mcli.pl: located in /opt/vmware/vma/samples/perl; allows running the exact same command against a list of ESXi host names. I have not tried it yet, but I would assume this could be used to enable CDP for a virtual switch on all hosts in a cluster (see http://enterpriseadmins.org/blog/virtualization/update-to-enabling-vswitch-cdp-vma-4-1/ for CDP syntax).

vicfg-hostops: allows hosts to be put into maintenance mode (with -o enter) or removed (with -o exit) from within the vMA. This would be helpful when using vihostupdate to deploy a bundle. Normally I turn this into a 2 console operation…now I can do it all from the command line!

This module also shared the link to a PDF worth keeping around — vSphere Command-Line Interface Installation and Scripting Guide.

This is just a sample of the ~3 hours worth of quality content. I’d recommend any VMware administrator find the time to sit through this eCourse presentation.

Posted in Virtualization | 1 Comment

Migrate virtual machines and enable thin provisioning

I recently used this code to move a couple dozen terabytes of virtual machines from one array to another — all while enabling thin provisioning (aka sparse disk). Once the LUN migration is complete a nice little message shows up in your email. It is a very straightforward script that I thought was worth sharing.

[cc lang="powershell"]
# Record the start time for the completion e-mail
$startTime = Get-Date
$sourceDS = "array1-1000"
$destDS = "array2-3000"

# Only the destination datastore's managed object reference is needed
$dsView = Get-Datastore -Name $destDS | Get-View -Property Name

# Relocate each VM in turn; RelocateVM returns once the move has finished
Get-VM -Datastore $sourceDS | Sort-Object Name | ForEach-Object {
    $vmView = $_ | Get-View -Property Name
    $spec = New-Object VMware.Vim.VirtualMachineRelocateSpec
    $spec.datastore = $dsView.MoRef
    $spec.transform = "sparse"   # convert the disks to thin provisioned
    $vmView.RelocateVM($spec, $null)
}

Send-MailMessage -From "vmware@mydomain.local" -SmtpServer "smtp.mydomain.local" -Subject "Migration from $sourceDS to $destDS complete" -To "me@mydomain.local" -BodyAsHtml -Body "This task started at $($startTime.datetime.tostring()) and finished at $((get-date).datetime.tostring())"
[/cc]

Posted in Scripting, Virtualization | 1 Comment

Scripted Dell Remote Access Controller (DRAC) Configuration

Recently I had an opportunity to work with several new Dell PowerEdge R810 physical servers. I needed to remotely connect to the console of these servers and found out they were equipped with Integrated Dell Remote Access Controller 6 – Enterprise (iDRAC) cards. Since I had several of these to configure — and as a scripter am fundamentally opposed to doing things manually — I started researching how to script this.

After a bit of Googling, I found out that Dell has a RACADM command that can be used to configure the iDRAC. You can get the Dell RAC configuration utility from Dell. After installing the utility, I opened a command prompt and retrieved the configuration from an existing R810 using the following syntax:

racadm -r 192.168.252.108 -u root -p calvin getconfig -f C:\252-108_config.cfg

Looking through the exported configuration, I found several groups and objects that I wanted to specify in my scripted configuration. Command line switches exist so that you can import an entire configuration file, but I wanted to prompt for certain values and only update the items I wanted to specifically change. Not wanting to dwell on the script for too long, I put something together rather quickly using a simple batch file. Here is that code…please feel free to offer suggestions or better solutions in the comments!

[cc lang="dos" width="520"]
@echo off
REM Logs in to each iDRAC as root with the factory-default password (calvin)

set /P dracIP="Please enter the IP address of the DRAC: "
set /P dracName="Please enter the name of the server to configure: "
set /P dracDomain="Please enter the DNS domain name to use: "

echo These commands need to be issued individually as they pass arguments from the environment to the server
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSRacName %dracName%rac
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSDomainName %dracDomain%
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSRegisterRac 1
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSServer1 192.168.8.8
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSServer2 10.168.8.4

REM pause
echo These commands are going to enable Active Directory Standard Schema configs
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADType 2
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADCertValidationEnable 0
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADDcSRVLookupEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADDcSRVLookupbyUserdomain 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADGcSRVLookupEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADGcRootDomain test.local

REM echo Configure domains to login with
racadm -r %dracIP% -u root -p calvin config -g cfgUserDomain -i 1 -o cfgUserDomainName test.local
racadm -r %dracIP% -u root -p calvin config -g cfgUserDomain -i 2 -o cfgUserDomainName admin.test.local

echo Make the DRACAdmin an Administrator
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 1 -o cfgSSADRoleGroupName DRACAdmin
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 1 -o cfgSSADRoleGroupDomain admin.test.local
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 1 -o cfgSSADRoleGroupPrivilege 0x000001ff

echo Make the DRACUser an Operator
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 2 -o cfgSSADRoleGroupName DRACUser
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 2 -o cfgSSADRoleGroupDomain admin.test.local
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 2 -o cfgSSADRoleGroupPrivilege 0x000001f3

REM pause
echo Make/update the local account
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminUserName MyAdminUser
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminPassword MyAdminP@ss
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminPrivilege 0x000001ff
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminIpmiLanPrivilege 4
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminIpmiSerialPrivilege 4
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminSolEnable 0

Echo Please verify settings and disable/change password on root if everything is in order
Echo Thanks!
pause
[/cc]
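
As an added example (not part of the original post), a POSIX shell function that audits a configuration exported with getconfig -f for the settings this batch file touches: Active Directory login with certificate validation turned off, an enabled root account, and enabled local accounts with full privileges. The export layout and the sample file are assumptions, constructed for illustration.

```shell
# Added example: audit an exported racadm configuration. Assumed layout:
# [group] headers, object=value lines, "#" for comments and read-only objects.
audit_drac_cfg() {
    awk '
    function flush_user() {
        # Report an enabled local account once its whole section has been read.
        if (user != "" && enabled == "1") {
            if (user == "root")
                print "WARN root account enabled: confirm the factory password was changed"
            if (tolower(priv) == "0x000001ff")
                print "INFO local account with full privileges: " user
        }
        user = ""; enabled = ""; priv = ""
    }
    { sub(/\r$/, "") }                          # tolerate files written on Windows
    /^\[/ { flush_user(); group = substr($0, 2, index($0, "]") - 2); next }
    /^#/ || !/=/ { next }                       # skip comments and blank lines
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (key == "cfgADEnable")               ad = val
        if (key == "cfgADCertValidationEnable") certval = val
        if (group == "cfgUserAdmin") {
            if (key == "cfgUserAdminUserName")  user = val
            if (key == "cfgUserAdminEnable")    enabled = val
            if (key == "cfgUserAdminPrivilege") priv = val
        }
    }
    END {
        flush_user()
        if (ad == "1" && certval == "0")
            print "WARN AD login enabled without domain controller certificate validation"
    }
    ' "$1"
}

# Constructed sample export, not taken from a real controller.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[cfgActiveDirectory]
cfgADEnable=1
cfgADCertValidationEnable=0
[cfgUserAdmin]
# cfgUserAdminIndex=2
cfgUserAdminUserName=root
cfgUserAdminEnable=1
cfgUserAdminPrivilege=0x000001ff
EOF
}
tmp=$(mktemp); write_sample_cfg "$tmp"; audit_drac_cfg "$tmp"; rm -f "$tmp"
```

The export cannot show whether the root password is still the default, so an enabled root account is reported for manual follow-up.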

Posted in Scripting | 4 Comments

Minor Update to vCheck 5.31 — beta testers required

I typically do not view my vCheck report as an email message…I have a link to the report on the home screen of my vSphere Client (if you’d like to see how to do that, please check out this post: http://enterpriseadmins.org/blog/scripting/vcheck-as-a-vsphere-client-solution-and-application/). However, I’ve noticed many comments requesting better email support. From my research, it appears that the problem is likely with Outlook 2007 — since it does not properly support all cascading style sheets (CSS) properties. After a little bit of testing, I believe I have found a rather simple way to work around this. The change adjusts the e-mail output and leaves the standard HTML output file alone.

This is a very minor change and I plan to include it in a future release. If you get a chance please test it out and report back if it works for you too.

Change line #2158 from

send-SMTPmail $EmailTo $EmailFrom "$VISRV vCheck Report" $SMTPSRV $MyReport

to

send-SMTPmail $EmailTo $EmailFrom "$VISRV vCheck Report" $SMTPSRV $MyReport.Replace("class=`"dsp ","class=`"")

This simply removes one of the CSS tags from the email message body, making the report easier to read from email clients (at this point the format has only been tested with Outlook 2007).

If you need a copy of the vCheck 5.31 version, you can get it here: http://enterpriseadmins.org/blog/wp-content/uploads/2011/02/vCheck5.31.ps1_.txt

Posted in Scripting, Virtualization | 3 Comments

vCenter Mobile Access (vCMA) and custom SSL certificates

If you haven’t heard of the vCMA Fling, you should stop reading this article and check out http://labs.vmware.com/flings. It is by far my favorite application available.

I like to use valid certificates on all VMware products. I’ve replaced certificates used by vCenter, Update Manager, View and individual ESX/ESXi hosts. Today I started using the newest version of vCMA (vCenter Mobile Access) that has built in SSL support — but uses a generic certificate. I decided to find out how much effort would be required to replace this cert with a valid certificate issued from a certificate authority.

I found the following article that helped a lot. You’ll need everything on page 2 and 3 of the document: http://www.informit.com/articles/article.aspx?p=407886&seqNum=2

The first step was to find the keytool required. A simple “find /|grep keytool” showed me right where the command was, so I changed to that directory:

cd /usr/lib/vmware/mobile/java/jre1.6.0_11/bin

Once in the proper directory, I decided to create a new key file (using the steps in the above article)

./keytool -genkey -alias mobile-vmware -keyalg RSA -keysize 2048 -dname "CN=vcma.domain.test,OU=Organization Name,O=Parent Organization,L=City,ST=State,C=US,emailAddress=vmware-admin@domain.test" -keypass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

Easy enough. Now we need to create a certificate request

./keytool -certreq -v -alias mobile-vmware -file /etc/mobile/ssl/csr-mobile-vmware.pem -keypass mypass -storepass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks

The command returns the following information if successful
Certification request stored in file
Submit this to your CA

Take the contents of the generated file and submit them to your certificate authority. Once the file is returned, copy it to /etc/mobile/ssl (I used WinSCP for this task). Another file you’ll need to transfer at this time is the CA certificate (Verisign/internal/etc).

Once you have the two files copied over to the vCMA appliance, you’ll want to prepare your keystore to accept the certificate by importing the CA’s certificate. You can do that with this command:

./keytool -import -v -noprompt -trustcacerts -alias rootcacert -file /etc/mobile/ssl/rootca-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

The following results should be returned from that command:
Certificate was added to keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Now we are ready to import our actual certificate:

./keytool -import -v -alias mobile-vmware -file /etc/mobile/ssl/mobile-vmware-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -keypass mypass -storepass mypass

The following results should be returned from that command:
Certificate reply was installed in keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Almost at the end now…

We need a text editor, so I went the easy way and installed one I know how to use. You can do the same with “yum install nano”.

nano /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.28/conf/server.xml

Look through the code for a line that starts

<Connector port="443" protocol="HTTP/1.1"

  In that section you’ll want to change the keystore file to “/etc/mobile/ssl/mobile-vmware.jks” and the keystorepass to “mypass”.

Once the code is modified, save the file and exit nano. Now type the following:

service mobile restart

This restarts the vCMA application to read in the certificate changes we made. Now when you access vCMA you should check the certificate — it should be the valid one you created.
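
A post-change check for the procedure above, as an added example that is not part of the original post: it confirms the port 443 Connector points at the new keystore and flags world-readable copies of server.xml or the keystore, since server.xml holds the keystore password in clear text. The function names and the sample Connector are constructed for illustration.

```shell
# Added example: verify the keystore swap in Tomcat's server.xml.
# Paths are passed as arguments; nothing here is specific to one appliance.

# Print the keystoreFile attribute of the Connector listening on port 443.
# The element may span several lines, so collect it up to the closing ">".
connector_keystore() {
    awk '
    /<Connector/  { buf = ""; inside = 1 }
    inside        { buf = buf " " $0 }
    inside && />/ {
        inside = 0
        if (buf ~ /port="443"/ && match(buf, /keystoreFile="[^"]*"/))
            print substr(buf, RSTART + 14, RLENGTH - 15)
    }' "$1"
}

# check_vcma_tls SERVER_XML EXPECTED_KEYSTORE
# Prints one finding per line; prints nothing when everything is in order.
check_vcma_tls() {
    xml=$1; want=$2
    got=$(connector_keystore "$xml")
    [ "$got" = "$want" ] || echo "Connector 443 uses keystore '$got', expected '$want'"
    for f in "$xml" "$want"; do
        [ -e "$f" ] || { echo "missing: $f"; continue; }
        # -perm -004 matches when the world-read bit is set
        [ -z "$(find "$f" -prune -perm -004)" ] || echo "world-readable: $f"
    done
}

# Constructed sample Connector using Tomcat's keystoreFile/keystorePass attributes.
write_sample_xml() {
    cat > "$1" <<EOF
<Server>
  <Connector port="443" protocol="HTTP/1.1"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="$2" keystorePass="mypass" />
</Server>
EOF
}

d=$(mktemp -d); : > "$d/ks.jks"; write_sample_xml "$d/server.xml" "$d/ks.jks"
chmod 644 "$d/server.xml"; chmod 600 "$d/ks.jks"
check_vcma_tls "$d/server.xml" "$d/ks.jks"; rm -rf "$d"
```

On the appliance, the two arguments would be the server.xml and keystore paths used in the steps above.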

Posted in Virtualization | 6 Comments