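# +---------------------------------------------------------------------------+
# | Kickstart file: esx-pri
# +---------------------------------------------------------------------------+
# +---------------------------------------------------------------------------+
# | Start of ESXi 5.0.0 Update 1 (Build 623860) kickstart script (1-5-2012)
# +---------------------------------------------------------------------------+
# +---------------------------------------------------------------------------+
# | Is it a dry run (parse and test only)?
# +---------------------------------------------------------------------------+
#dryrun
# +---------------------------------------------------------------------------+
# | Accept the licence agreement
# +---------------------------------------------------------------------------+
vmaccepteula
# +---------------------------------------------------------------------------+
# | Disk partitioning
# | Clear all partitions on the first disk behind the hpsa controller and
# | overwrite any VMFS datastore found there. This is destructive and runs
# | without a prompt, so only offer this kickstart to the hosts it is meant
# | for (PXE/boot-media scoping is the only guard).
# +---------------------------------------------------------------------------+
#clearpart --firstdisk --overwritevmfs
clearpart --firstdisk=hpsa --overwritevmfs
# +---------------------------------------------------------------------------+
# | Installation target
# +---------------------------------------------------------------------------+
# Fresh installation on the first hpsa disk, overwriting an existing VMFS datastore
#install --firstdisk --overwritevmfs
install --firstdisk=hpsa --overwritevmfs
# +---------------------------------------------------------------------------+
# | Root password
# | --iscrypted takes a crypt(3) hash so the clear-text password never
# | appears in the kickstart. Notes for whoever maintains this template:
# |  - the hash originally published here ($1$...) is MD5-crypt, which is
# |    cheap to brute-force offline, and it was disclosed on a public page;
# |    treat that password as compromised and generate a fresh one.
# |  - prefer a SHA-512 crypt hash ($6$...) if the target build's shadow
# |    supports it (confirm against the build; this page shows no evidence
# |    either way) and keep the real hash out of any shared copy of this file.
# |  - the %firstboot MOB script needs the clear-text equivalent of this
# |    hash; the two must be kept in sync or the management-tag step fails.
# +---------------------------------------------------------------------------+
rootpw --iscrypted <crypt-hash-generated-out-of-band>
#rootpw password
# +---------------------------------------------------------------------------+
# | Reboot after installation
# +---------------------------------------------------------------------------+
reboot
# +---------------------------------------------------------------------------+
# | %include: the "network" line is generated by the %pre script below
# +---------------------------------------------------------------------------+
%include /tmp/networkconfig
# +---------------------------------------------------------------------------+
# | Script run before the kickstart configuration is evaluated
# +---------------------------------------------------------------------------+
%pre --interpreter=busybox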
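# +---------------------------------------------------------------------------+
# | Set the default management interface
# | The values are site-specific. "**5" is a redacted VLAN ID placeholder in
# | the published copy and must be replaced with the real management VLAN
# | before this file is used.
# | --addvmportgroup=false suppresses the default "VM Network" portgroup so
# | no guest can land on the management VLAN by accident; the portgroups are
# | created explicitly in %firstboot.
# +---------------------------------------------------------------------------+
IPADDR="192.168.5.100"
NETMASK="255.255.255.0"
GATEWAY="192.168.5.253"
DNS="192.168.5.30"
HOSTNAME="esx-pri"
VLANID="**5"
NETWORKCONFIG="/tmp/networkconfig"
# printf keeps the generated directive on one line whatever the values hold
printf 'network --bootproto=static --addvmportgroup=false --device=vmnic0 --ip=%s --netmask=%s --gateway=%s --nameserver=%s --hostname=%s --vlanid=%s\n' \
  "${IPADDR}" "${NETMASK}" "${GATEWAY}" "${DNS}" "${HOSTNAME}" "${VLANID}" > "${NETWORKCONFIG}"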
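# +---------------------------------------------------------------------------+
# | Script run after ESXi is installed and before the first reboot
# | (empty here; --ignorefailure=true means a failure in it would not abort
# | the installation)
# +---------------------------------------------------------------------------+
%post --interpreter=busybox --ignorefailure=true
# +---------------------------------------------------------------------------+
# | Script run after ESXi installation and after the first reboot.
# | Most of the commands used below (esxcli, vim-cmd, python) are only
# | available once the full system is up, so the host configuration lives
# | here. The busybox shell runs without "set -e", so a failing step does not
# | stop later ones: review the logs copied to the datastore at the end.
# +---------------------------------------------------------------------------+
%firstboot --interpreter=busybox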
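# +---------------------------------------------------------------------------+
# | Script variables
# | Variables can only be defined after the first reboot, once the full
# | busybox shell is in place.
# +---------------------------------------------------------------------------+
# Local datastore name used by this section (e.g. esx-pri-datastore1).
LOCAL_DS="$(hostname -s)-datastore1"
# +---------------------------------------------------------------------------+
# | Rename the local datastore to something more meaningful
# +---------------------------------------------------------------------------+
vim-cmd hostsvc/datastore/rename datastore1 "${LOCAL_DS}"
# +---------------------------------------------------------------------------+
# | Assign the VMware licence
# | The key is a secret: anyone holding this file can licence their own hosts
# | with it. The published key is partly redacted ("-*"); fill in the real
# | key from a protected source rather than committing it here. Quoted so the
# | trailing "*" cannot be glob-expanded by the shell.
# +---------------------------------------------------------------------------+
vim-cmd vimsvc/license --set 'M5425-42244-48J48-0232H-*'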
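# +---------------------------------------------------------------------------+
# | vSwitch configuration
# +---------------------------------------------------------------------------+
# vSwitch0: active -> vmnic0,vmnic2   standby -> vmnic1,vmnic3
# failback: yes
# failure detection: link
# load balancing: portid
# notify switches: yes
# avg bw / peak bw: the shaping command later in this section sets 100000
#   Kbps; the original header said 1000000 Kbps -- confirm which is intended
# burst size: 819200 KB
# allow forged transmits: no
# allow MAC change: no
# allow promiscuous: no
# cdp status: both
# VLAN IDs written as **N below are redacted placeholders in the published
# copy and must be replaced with the real tags.
# +---------------------------------------------------------------------------+
# | Attach vmnic1, vmnic2, vmnic3 to vSwitch0
# +---------------------------------------------------------------------------+
for UPLINK in vmnic1 vmnic2 vmnic3; do
  esxcli network vswitch standard uplink add --uplink-name "${UPLINK}" --vswitch-name vSwitch0
done
#for UPLINK in vmnic4 vmnic5 vmnic6 vmnic7; do
#  esxcli network vswitch standard uplink add --uplink-name "${UPLINK}" --vswitch-name vSwitch0
#done
# +---------------------------------------------------------------------------+
# | Remove the default "VM Network" portgroup
# | (%pre already passes --addvmportgroup=false, so this is belt and braces;
# | it fails harmlessly if the portgroup does not exist)
# +---------------------------------------------------------------------------+
esxcli network vswitch standard portgroup remove --portgroup-name="VM Network" --vswitch-name vSwitch0
# +---------------------------------------------------------------------------+
# | Configure portgroups as name / VLAN-tag pairs.
# | SED-X and SIP-X are untagged (VLAN 0): they ride the uplinks' native
# | VLAN, so anything placed on them shares that broadcast domain.
# +---------------------------------------------------------------------------+
add_portgroup() {
  # $1 = portgroup name, $2 = VLAN ID; creates the portgroup on vSwitch0 and tags it
  esxcli network vswitch standard portgroup add --portgroup-name "$1" --vswitch-name vSwitch0
  esxcli network vswitch standard portgroup set --portgroup-name "$1" --vlan-id "$2"
}
add_portgroup "SED-I-**1"   "**1"
add_portgroup "DPM-DPM-**2" "**2"
add_portgroup "ILO-**3"     "**3"
add_portgroup "CISCO-**4"   "**4"
#add_portgroup "Scon-**5"   "**5"
#esxcli network vswitch standard portgroup set --portgroup-name "Management Network" --vlan-id **5
add_portgroup "CCM-DPM-**7" "**7"
add_portgroup "SED-X"       0
add_portgroup "SIP-X"       0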
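# +---------------------------------------------------------------------------+
# | Configure CDP ("both" = listen and advertise; advertising exposes host
# | details to the physical switch -- keep only if the network team uses it)
# +---------------------------------------------------------------------------+
esxcli network vswitch standard set --cdp-status both --vswitch-name vSwitch0
# +---------------------------------------------------------------------------+
# | Active and standby uplinks for vSwitch0
# +---------------------------------------------------------------------------+
esxcli network vswitch standard policy failover set --active-uplinks vmnic0,vmnic2 --standby-uplinks vmnic1,vmnic3 --vswitch-name vSwitch0
# +---------------------------------------------------------------------------+
# | Failure detection + load balancing (could have been appended to the
# | previous line)
# +---------------------------------------------------------------------------+
esxcli network vswitch standard policy failover set --failback yes --failure-detection link --load-balancing portid --notify-switches yes --vswitch-name vSwitch0
# +---------------------------------------------------------------------------+
# | Failover configuration - "Management Network" portgroup
# | The management portgroup inverts the switch-level order (vmnic1,vmnic3
# | active) so management and VM traffic prefer different physical links.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard portgroup policy failover set --active-uplinks vmnic1,vmnic3 --standby-uplinks vmnic0,vmnic2 --portgroup-name="Management Network"
# +---------------------------------------------------------------------------+
# | Failure detection + load balancing on the "Management Network" portgroup
# +---------------------------------------------------------------------------+
esxcli network vswitch standard portgroup policy failover set --failback yes --failure-detection link --load-balancing portid --notify-switches yes --portgroup-name="Management Network"
# +---------------------------------------------------------------------------+
# | Security policy
# | All three are rejected at switch level: guests cannot spoof source MACs,
# | change their effective MAC, or sniff other ports. A portgroup-level
# | security policy would override this for that portgroup; none is set in
# | this script, so the switch policy applies everywhere.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard policy security set --allow-forged-transmits no --allow-mac-change no --allow-promiscuous no --vswitch-name vSwitch0
# +---------------------------------------------------------------------------+
# | Traffic shaping (Kbps / KB). The vSwitch header comment quotes 1000000
# | for avg/peak, this line sets 100000 -- confirm which value is intended.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard policy shaping set --enabled yes --avg-bandwidth 100000 --peak-bandwidth 100000 --burst-size 819200 --vswitch-name vSwitch0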
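# +---------------------------------------------------------------------------+
# | Tick the "Management Traffic" box on the Management Network portgroup by
# | editing /etc/vmware/hostd/hostsvc.xml directly while hostd is stopped.
# | This edits an undocumented file: it relies on the (sic) <mangementVnics>
# | element name hostd uses and on <ConfigRoot> appearing once. A backup is
# | taken first so a bad substitution can be reverted from the console.
# | The original used "-ie", which GNU sed reads as "-i" with backup suffix
# | "e"; "-i -e" is what was meant.
# +---------------------------------------------------------------------------+
HOSTSVC_XML="/etc/vmware/hostd/hostsvc.xml"

tag_management_vnic() {
  # $1 = hostsvc.xml path; inserts the management-vnic block right after <ConfigRoot>
  sed -i -e 's/<ConfigRoot>/<ConfigRoot>\n<mangementVnics>\n<nic id="0000">vmk0<\/nic>\n<\/mangementVnics>/' "$1"
}

if [ -f "${HOSTSVC_XML}" ]; then
  echo "Stopping hostd"
  /etc/init.d/hostd stop
  sleep 5
  echo "Enabling 'Management' on vmk0"
  cp "${HOSTSVC_XML}" "${HOSTSVC_XML}.bak"
  tag_management_vnic "${HOSTSVC_XML}"
  echo "Starting hostd"
  /etc/init.d/hostd start
else
  echo "${HOSTSVC_XML} not found; management tag not set" >&2
fi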
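# +---------------------------------------------------------------------------+
# | Enable the management tag on vmk0 through the Managed Object Browser.
# | There is no esxcli/vim-cmd equivalent on 5.0; on 5.1 and later
# | "esxcli network ip interface tag add -i vmk0 -t Management" is reported
# | to do the same without the MOB -- verify on the target build.
# |
# | Security notes:
# |  - the script authenticates as root with the clear-text password, which
# |    must be the clear text of the rootpw hash at the top of this file.
# |    It is passed through the environment instead of being written into
# |    the script body, the file is created mode 0600, and it is deleted
# |    afterwards, so no world-readable copy of the password is left in /tmp.
# |  - the request goes to https://localhost; Python 2 urllib2 does not
# |    validate the certificate, tolerable only because the connection
# |    never leaves the host.
# |  - the MOB endpoint is removed from the reverse proxy further down
# |    (proxysvc/remove_service "/mob"); this step must stay before that.
# +---------------------------------------------------------------------------+
ROOT_PASSWORD="password"
MOB_SCRIPT="/tmp/enableVmkInterface.py"
# quoted delimiter: nothing inside the python is shell-expanded
cat > "${MOB_SCRIPT}" <<'__ENABLE_MGMT_INT__'
import sys, re, os, urllib, urllib2
# connection info to the MOB
url = "https://localhost/mob/?moid=ha-vnic-mgr&method=selectVnic"
username = "root"
password = os.environ["MOB_PASSWORD"]
# auth
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, url, username, password)
authhandler = urllib2.HTTPBasicAuthHandler(passman)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
# fetch the form once to obtain the anti-CSRF nonce and the session cookie
req = urllib2.Request(url)
page = urllib2.urlopen(req)
page_content = page.read()
# regex to get the vmware-session-nonce value from the hidden form entry
reg = re.compile('name="vmware-session-nonce" type="hidden" value="?([^\s^"]+)"')
match = reg.search(page_content)
if match is None:
    sys.stderr.write("vmware-session-nonce not found in MOB page\n")
    sys.exit(1)
nonce = match.group(1)
# get the page headers to capture the cookie
headers = page.info()
cookie = headers.get("Set-Cookie")
# execute the method
params = {'vmware-session-nonce': nonce, 'nicType': 'management', 'device': 'vmk0'}
e_params = urllib.urlencode(params)
req = urllib2.Request(url, e_params, headers={"Cookie": cookie})
page = urllib2.urlopen(req).read()
__ENABLE_MGMT_INT__
chmod 600 "${MOB_SCRIPT}"
MOB_PASSWORD="${ROOT_PASSWORD}" python "${MOB_SCRIPT}"
rm -f "${MOB_SCRIPT}"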
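# +---------------------------------------------------------------------------+
# | Syslog configuration
# | Two remote targets on the same collector: plain UDP/514 and TLS/1514.
# | UDP syslog is unauthenticated and unencrypted, so anyone on the path can
# | read or forge entries; the ssl:// target only works once the collector's
# | CA certificate is trusted by the host, which this script does not set
# | up. Once the TLS target is confirmed working, drop the UDP one.
# | The firewall section below only whitelists 192.168.5.30 on the syslog
# | ruleset, which does not cover 192.168.9.238 -- check that remote logging
# | actually arrives on a provisioned host.
# +---------------------------------------------------------------------------+
esxcli system syslog config set --default-rotate=20 --loghost=udp://192.168.9.238:514,ssl://192.168.9.238:1514
# +---------------------------------------------------------------------------+
# | Per-logger rotation count and size (KiB)
# +---------------------------------------------------------------------------+
esxcli system syslog config logger set --id=hostd --rotate=20 --size=2048
esxcli system syslog config logger set --id=vmkernel --rotate=20 --size=2048
esxcli system syslog config logger set --id=fdm --rotate=20
esxcli system syslog config logger set --id=vpxa --rotate=20
# apply the new targets now rather than at the next syslog restart
esxcli system syslog reload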
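# +---------------------------------------------------------------------------+
# | NTP configuration
# | "restrict default ... noquery nopeer" stops the host answering NTP
# | control queries or peering with anyone; 192.168.5.30 is the only source.
# | Without authenticated NTP a spoofed source can still skew time (and with
# | it log timestamps and certificate validity checks), so this is only
# | acceptable on the trusted management VLAN.
# +---------------------------------------------------------------------------+
cat > /etc/ntp.conf <<'__NTP_CONFIG__'
restrict default kod nomodify notrap noquery nopeer
restrict 127.0.0.1
server 192.168.5.30
__NTP_CONFIG__
/sbin/chkconfig --level 345 ntpd on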
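# +---------------------------------------------------------------------------+
# | Firewall configuration
# +---------------------------------------------------------------------------+
# +---------------------------------------------------------------------------+
# | Enable the firewall with a default deny
# +---------------------------------------------------------------------------+
esxcli network firewall set --default-action false --enabled=yes
# +---------------------------------------------------------------------------+
# | Rulesets to enable
# +---------------------------------------------------------------------------+
FIREWALL_SERVICES="syslog ntpClient vSphereClient"
for SERVICE in ${FIREWALL_SERVICES}; do
  esxcli network firewall ruleset set --ruleset-id "${SERVICE}" --enabled=yes
done
# +---------------------------------------------------------------------------+
# | Replace "allowed from anywhere" with an explicit source list on the same
# | rulesets. sshServer is enabled below but is NOT restricted here, so SSH
# | stays reachable from any address routed to the management VLAN; add it
# | to these lists once the admin jump hosts are known.
# +---------------------------------------------------------------------------+
FIREWALL_DIP_SERVICES="syslog ntpClient vSphereClient"
for SERVICE_DIP in ${FIREWALL_DIP_SERVICES}; do
  esxcli network firewall ruleset set --allowed-all=false --ruleset-id "${SERVICE_DIP}"
done
# +---------------------------------------------------------------------------+
# | IPv4 access list. 192.168.5.30 is the DNS/NTP host from %pre. It is also
# | the only address allowed on vSphereClient (443), so vCenter or the admin
# | workstation must be that host or be added here. The syslog collector
# | configured above is 192.168.9.238 and is not in this list, which appears
# | to block remote syslog once allowed-all is off.
# +---------------------------------------------------------------------------+
FIREWALL_IP_SERVICES="syslog ntpClient vSphereClient"
for SERVICE_IP in ${FIREWALL_IP_SERVICES}; do
  esxcli network firewall ruleset allowedip add --ip-address=192.168.5.30 --ruleset-id "${SERVICE_IP}"
done
# +---------------------------------------------------------------------------+
# | Rulesets to switch off. dhcp is off because the host is statically
# | addressed. Note that "dns" is the DNS client ruleset: with a default
# | deny this looks like it blocks the host's own lookups against the
# | nameserver set in %pre -- confirm that is intended.
# +---------------------------------------------------------------------------+
FIREWALL_D_SERVICES="dns faultTolerance NFC HBR WOL webAccess netDump snmp vMotion dhcp CIMSLP CIMHttpServer CIMHttpsServer vpxHeartbeats"
for SERVICE_D in ${FIREWALL_D_SERVICES}; do
  esxcli network firewall ruleset set --ruleset-id "${SERVICE_D}" --enabled=no
done
# +---------------------------------------------------------------------------+
# | Enable and start the remote ESXi Shell (SSH). It stays on permanently;
# | the DCUI and local ESXi Shell are disabled further down, so SSH becomes
# | the only interactive path into the host once provisioning ends.
# +---------------------------------------------------------------------------+
vim-cmd hostsvc/enable_ssh
vim-cmd hostsvc/start_ssh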
# +---------------------------------------------------------------------------+
# | Refresh all firewall services (left disabled)
# +---------------------------------------------------------------------------+
#esxcli network firewall refresh
# +---------------------------------------------------------------------------+
# | Save the firewall configuration (left disabled)
# +---------------------------------------------------------------------------+
#cp /etc/vmware/firewall/service.xml /vmfs/volumes/$(hostname -s)-datastore1
# +---------------------------------------------------------------------------+
# | Add configuration to the /etc/rc.local file (left disabled; note the
# | restore copies "services.xml" while the backup above saves "service.xml")
# +---------------------------------------------------------------------------+
#sed -i '$ acp /vmfs/volumes/$(hostname -s)-datastore1/services.xml /etc/vmware/firewall' /etc/rc.local
#sed -i '$ aesxcli network firewall refresh' /etc/rc.local
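# +---------------------------------------------------------------------------+
# | Switch off the DCUI, vpxa, USB arbitrator, local ESXi Shell and the CIM
# | watchdog (SSH is left on).
# | Consequences worth knowing before copying this:
# |  - with DCUI and ESXShell off and SSH the only way in, a broken SSH or
# |    firewall change leaves no console menu to recover from;
# |  - with vpxa off, vCenter cannot manage the host until it is (re)added,
# |    which is expected to bring vpxa back -- confirm on the build.
# +---------------------------------------------------------------------------+
FIREWALL_DAEMON_SERVICES="DCUI vpxa usbarbitrator ESXShell sfcbd-watchdog"
for SERVICE_DAEMON in ${FIREWALL_DAEMON_SERVICES}; do
  chkconfig "${SERVICE_DAEMON}" off
done
# +---------------------------------------------------------------------------+
# | Back up the ESXi configuration so the changes survive a reboot
# +---------------------------------------------------------------------------+
/sbin/auto-backup.sh
# +---------------------------------------------------------------------------+
# | ESXi host security hardening: remove the welcome page and the Managed
# | Object Browser from the reverse proxy. The MOB is a full API surface
# | behind basic auth; it was needed once above to tag vmk0, so this must
# | remain after that step.
# +---------------------------------------------------------------------------+
vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"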
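# +---------------------------------------------------------------------------+
# | Create the SSH/login banner
# | The delimiter is unquoted on purpose: ${INDENTATION:-} expands to the
# | empty string unless INDENTATION is set in the environment. The text
# | contains no other "$", so nothing else is expanded.
# +---------------------------------------------------------------------------+
/bin/cat > /etc/banner.new <<SSHEOF
${INDENTATION:-}======================================================
${INDENTATION:-}=                  Company.COM LTD                   =
${INDENTATION:-}======================================================
${INDENTATION:-}
${INDENTATION:-}======================================================
${INDENTATION:-}= WARNING: UNAUTHORIZED USE IS PROHIBITED            =
${INDENTATION:-}= -----------------------------------------          =
${INDENTATION:-}= Property of Company.com Ltd, and should only       =
${INDENTATION:-}= be accessed by authorized Company employees.       =
${INDENTATION:-}= Do not attempt to log in unless you are an         =
${INDENTATION:-}= authorized user.                                   =
${INDENTATION:-}=                                                    =
${INDENTATION:-}= Any authorized or unauthorized access and use,     =
${INDENTATION:-}= will be monitored and anyone using this system     =
${INDENTATION:-}= expressly consents to such monitoring. If such     =
${INDENTATION:-}= monitoring reveals possible evidence of criminal   =
${INDENTATION:-}= activity, such evidence will be provided to law    =
${INDENTATION:-}= enforcement personnel and can result in criminal   =
${INDENTATION:-}= or civil prosecution under applicable law of       =
${INDENTATION:-}= the United Kingdom (UK).                           =
${INDENTATION:-}======================================================
SSHEOF
# copy the new banner over /etc/issue (ESXi 5 reads its banner from there)
cp /etc/banner.new /etc/issue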
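# +---------------------------------------------------------------------------+
# | VM autostart rules (the supported mechanism; left disabled by the author)
# +---------------------------------------------------------------------------+
#vim-cmd hostsvc/autostartmanager/enable_autostart true
#vim-cmd hostsvc/autostartmanager/update_defaults 120 120 "GuestShutdown" true
# +---------------------------------------------------------------------------+
# | Auto-restart all VMs from /etc/rc.local at every boot.
# | This appends a loop that powers on every registered VM ten seconds
# | apart, ignoring the autostart settings above, running as root with no
# | error handling. The autostart manager is the cleaner choice. If this
# | hack is kept: it is appended only once (re-running it would duplicate
# | the loop), and later ESXi releases run /etc/rc.local.d/local.sh rather
# | than /etc/rc.local -- check the build before relying on it.
# +---------------------------------------------------------------------------+
RC_LOCAL="/etc/rc.local"

append_vm_autostart() {
  # $1 = rc.local path; appends the power-on loop as the file's last line
  sed -i '$ afor i in $(vim-cmd vmsvc/getallvms | cut -f1 -d" " | grep -v Vmid); do vim-cmd vmsvc/power.on $i; sleep 10; done' "$1"
}

if ! grep -q 'vmsvc/power.on' "${RC_LOCAL}" 2>/dev/null; then
  append_vm_autostart "${RC_LOCAL}"
fi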
# +---------------------------------------------------------------------------+
# | Update the ESXi host (left disabled). The depot is fetched over plain
# | HTTP, so the only integrity check is the VIB signature / acceptance-level
# | enforcement in esxcli; do not relax the acceptance level if this is used.
# +---------------------------------------------------------------------------+
#vim-cmd hostsvc/maintenance_mode_enter
#DS=`ls /vmfs/volumes/ | grep datastore`
#wget -P "/vmfs/volumes/${DS}/" http://10.10.55.5/ESXi500-201111001.zip
#esxcli software vib update --depot="/vmfs/volumes/${DS}/ESXi500-201111001.zip"
#vim-cmd hostsvc/maintenance_mode_exit
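# +---------------------------------------------------------------------------+
# | Create resource pools (SED=pool0, DPM=pool2, CCM=pool3)
# | The commented variants carry the values the author apparently started
# | from (cpu-max=4800, mem-max=2048, ...); the active lines use much smaller
# | numbers (480, 204, 163, 102). Whether those are deliberate or truncated
# | copies cannot be told from this page -- check the pool sizes on a
# | provisioned host. Two things that look wrong on the active lines:
# |  - DPM sets --cpu-min=566 above --cpu-max=240 (the commented line has
# |    5664 > 2400 too); a reservation above the limit is likely rejected;
# |  - the pool IDs (pool0 etc.) are assigned by hostd, not chosen here; the
# |    registervm step later hard-codes pool0 for SED, so verify the mapping.
# +---------------------------------------------------------------------------+
#vim-cmd /hostsvc/rsrc/create --cpu-max=4800 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=29 --mem-min-expandable=FALSE --mem-max=2048 --mem-shares=normal ha-root-pool SED
vim-cmd /hostsvc/rsrc/create --cpu-max=480 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=29 --mem-min-expandable=FALSE --mem-max=204 --mem-shares=normal ha-root-pool SED
#vim-cmd /hostsvc/rsrc/create --cpu-min=5664 --cpu-max=2400 --cpu-shares=high --cpu-min-expandable=FALSE --mem-min=16384 --mem-min-expandable=FALSE --mem-max=16384 --mem-shares=high ha-root-pool DPM
vim-cmd /hostsvc/rsrc/create --cpu-min=566 --cpu-max=240 --cpu-shares=high --cpu-min-expandable=FALSE --mem-min=163 --mem-min-expandable=FALSE --mem-max=163 --mem-shares=high ha-root-pool DPM
#vim-cmd /hostsvc/rsrc/create --cpu-min=2400 --cpu-max=2400 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=1024 --mem-min-expandable=FALSE --mem-max=1024 --mem-shares=normal ha-root-pool CCM
vim-cmd /hostsvc/rsrc/create --cpu-min=240 --cpu-max=240 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=102 --mem-min-expandable=FALSE --mem-max=102 --mem-shares=normal ha-root-pool CCM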
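# +---------------------------------------------------------------------------+
# | Import the SED appliance from the install DVD, unpack the .tgz and
# | register the VM.
# | Supply-chain caveat: the VM image is taken from whatever disc is in the
# | drive and unpacked as root with no integrity check. Compare the archive
# | against a known-good checksum kept with the build (not on the disc)
# | before extracting; this page gives no checksum to hard-code here.
# +---------------------------------------------------------------------------+
LOCAL_DS_PATH="/vmfs/volumes/$(hostname -s)-datastore1"
STAGING="${LOCAL_DS_PATH}/Staging_Folder"
SED_TGZ="${STAGING}/2012SED-A.TGZ"
SED_VMX="${LOCAL_DS_PATH}/2012alpha-SED-B/2012alpha-SED-B.vmx"
vmkload_mod iso9660
vsish -e set /vmkModules/iso9660/mount "$(esxcfg-mpath -b | grep "CD-ROM" | awk '{print $1}')"
#source_dir=/vmfs/volumes/VMWARE_ESXI5_CUSTOM/VM
#post_dir=${STAGING}
mkdir -p "${STAGING}"
#cp -r ${source_dir}/* ${post_dir}
cp -r /vmfs/volumes/VMWARE_ESXI5_CUSTOM/VM/* "${STAGING}"
sleep 5
if [ -f "${SED_TGZ}" ]; then
  # the archive is expected to unpack to 2012alpha-SED-B/ in the datastore root
  tar -zxvf "${SED_TGZ}" -C "${LOCAL_DS_PATH}"
else
  echo "SED archive ${SED_TGZ} not found; skipping VM import" >&2
fi
sleep 5
# +---------------------------------------------------------------------------+
# | Register the SED with ESXi inside the SED resource pool (pool0)
# | The pool ID is hard-coded. The commented lookup below derives it from
# | /etc/vmware/hostd/pools.xml and is the safer form, since hostd assigns
# | pool IDs and "pool0" is not guaranteed to be the SED pool.
# +---------------------------------------------------------------------------+
##### advanced option #### vim-cmd solo/registervm ${SED_VMX} `cat /etc/vmware/hostd/pools.xml | grep "SED" -A1 | grep "[objID]" | sed 's/<objID>//;s/<\/objID>//g' | sed -e 's/^[[:blank:]]*//;s/[[:blank:]]*$//'`
if [ -f "${SED_VMX}" ]; then
  vim-cmd solo/registervm "${SED_VMX}" 2012alpha-SED-B pool0
else
  echo "${SED_VMX} not found; VM not registered" >&2
fi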
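# +---------------------------------------------------------------------------+
# | Save the firewall configuration on the post? (left disabled)
# +---------------------------------------------------------------------------+
#cp /etc/vmware/firewall/service.xml /vmfs/volumes/$(hostname -s)-datastore1
# +---------------------------------------------------------------------------+
# | Back up the ESXi configuration so the changes persist across the reboot
# +---------------------------------------------------------------------------+
/sbin/auto-backup.sh
# +---------------------------------------------------------------------------+
# | Copy the %firstboot logs and esx.conf to the persistent datastore so the
# | provisioning run can be audited after the reboot (there is no set -e
# | above, so a failed step only shows up here). Treat the copies as
# | sensitive host configuration and remove them once reviewed.
# +---------------------------------------------------------------------------+
LOG_DEST="/vmfs/volumes/$(hostname -s)-datastore1"
cp /var/log/hostd.log "${LOG_DEST}/firstboot-hostd.log"
cp /var/log/esxi_install.log "${LOG_DEST}/firstboot-esxi_install.log"
cp /etc/vmware/esx.conf "${LOG_DEST}"
# +---------------------------------------------------------------------------+
# | Reboot
# +---------------------------------------------------------------------------+
reboot
##--------------------------------------------------------------------------
## End of kickstart script
##--------------------------------------------------------------------------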

More Related Content

Kickstat File_Draft_ESXI5.1_Template

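  # +---------------------------------------------------------------------------+
# | Kickstart file : esx-pri
# | ESXi 5.0.0 Update 1 (Build 623860) kickstart script (1-5-2012)
# +---------------------------------------------------------------------------+
# NOTE(review): this file carries secrets and site-specific values (the root
# password hash below, the root password in clear text in the %firstboot MOB
# helper, the license key, and "**n" VLAN placeholders). Treat it as
# sensitive, fill the placeholders, and regenerate the credentials per
# deployment rather than reusing the published ones.

# Uncomment to parse and test the kickstart without installing anything.
#dryrun

# Accept the end-user license agreement (mandatory directive).
vmaccepteula

# +---------------------------------------------------------------------------+
# | Disk partitioning: clear every partition on the first disk behind the
# | hpsa (HP Smart Array) controller and overwrite any VMFS volume on it.
# | This is destructive -- an existing datastore on that disk is lost.
# +---------------------------------------------------------------------------+
#clearpart --firstdisk --overwritevmfs
clearpart --firstdisk=hpsa --overwritevmfs

# Fresh installation on the same disk, overwriting an existing VMFS datastore.
#install --firstdisk --overwritevmfs
install --firstdisk=hpsa --overwritevmfs

# +---------------------------------------------------------------------------+
# | Root password, supplied pre-hashed so the plaintext is not in the
# | kickstart. The hash is MD5-crypt ("$1$"), which is weak by current
# | standards and, being published with this template, is effectively known:
# | generate a fresh hash for each deployment (use a SHA-512 "$6$" hash if
# | the target ESXi build accepts one -- confirm for this release).
# +---------------------------------------------------------------------------+
rootpw --iscrypted $1$hgxyTT/.$J7eWEYxhJsMgwFSWbkW0L.
#rootpw password
# +---------------------------------------------------------------------------+
# | Reboot after installation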
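  # +---------------------------------------------------------------------------+
# Reboot automatically once the installation completes.
reboot

# Pull in the network directive written by the %pre script below.
%include /tmp/networkconfig

# +---------------------------------------------------------------------------+
# | %pre: runs before the kickstart is evaluated. Writes a static "network"
# | directive for the management interface to /tmp/networkconfig.
# | --addvmportgroup=false suppresses the default "VM Network" guest
# | portgroup. (The original also computed an unused VMK_LINE via localcli;
# | it is dropped here.)
# +---------------------------------------------------------------------------+
%pre --interpreter=busybox
VMK_INT="vmk0"
IPADDR="192.168.5.100"
NETMASK="255.255.255.0"
GATEWAY="192.168.5.253"
DNS="192.168.5.30"
HOSTNAME="esx-pri"
# "**5" is a redacted placeholder in the published template: set the real
# management VLAN id before use.
vlanid="**5"
echo "network --bootproto=static --addvmportgroup=false --device=vmnic0 --ip=${IPADDR} --netmask=${NETMASK} --gateway=${GATEWAY} --nameserver=${DNS} --hostname=${HOSTNAME} --vlanid=${vlanid}" > /tmp/networkconfig

# +---------------------------------------------------------------------------+
# | %post: runs after ESXi is installed and before the first reboot.
# | Intentionally empty; --ignorefailure=true keeps a failure here from
# | aborting the installation.
# +---------------------------------------------------------------------------+
%post --interpreter=busybox --ignorefailure=true

# +---------------------------------------------------------------------------+
# | %firstboot: runs after the first reboot, once the full shell and esxcli
# | are available. Everything from here to the final reboot belongs to it.
# +---------------------------------------------------------------------------+
%firstboot --interpreter=busybox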
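  # +---------------------------------------------------------------------------+
# | Rename the local datastore to "<hostname>-datastore1" so later steps can
# | address it by a predictable name.
# +---------------------------------------------------------------------------+
vim-cmd hostsvc/datastore/rename datastore1 "$(hostname -s)-datastore1"

# +---------------------------------------------------------------------------+
# | Assign the VMware license. The key is a credential: it is partially
# | redacted ("*") in this published template and should be supplied at
# | deploy time rather than committed with the script. Quoted so the "*"
# | is never expanded as a glob by the shell.
# +---------------------------------------------------------------------------+
vim-cmd vimsvc/license --set "M5425-42244-48J48-0232H-*"

# +---------------------------------------------------------------------------+
# | vSwitch0 target configuration (applied by the sections that follow):
# |   uplinks        : active vmnic0,vmnic2 / standby vmnic1,vmnic3
# |   failback       : yes           failure detection : link
# |   load balancing : portid        notify switches   : yes
# |   shaping        : see SHAPING CONFIGURATION for the values actually set
# |   security       : forged transmits / MAC change / promiscuous all denied
# |   cdp            : both
# +---------------------------------------------------------------------------+

# Attach vmnic1..vmnic3 to vSwitch0 (vmnic0 is the device named in the %pre
# network directive and is already on vSwitch0).
for UPLINK in vmnic1 vmnic2 vmnic3; do
  esxcli network vswitch standard uplink add --uplink-name "${UPLINK}" --vswitch-name vSwitch0
done
# Additional uplinks, enabled per host as needed:
#esxcli network vswitch standard uplink add --uplink-name vmnic4 --vswitch-name vSwitch0
#esxcli network vswitch standard uplink add --uplink-name vmnic5 --vswitch-name vSwitch0
#esxcli network vswitch standard uplink add --uplink-name vmnic6 --vswitch-name vSwitch0
#esxcli network vswitch standard uplink add --uplink-name vmnic7 --vswitch-name vSwitch0

# +---------------------------------------------------------------------------+
# | Remove the default "VM Network" portgroup if required
# +---------------------------------------------------------------------------+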
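  # The %pre directive already passes --addvmportgroup=false, so this is a
# belt-and-braces cleanup; it fails harmlessly if the portgroup is absent.
esxcli network vswitch standard portgroup remove --portgroup-name="VM Network" --vswitch-name vSwitch0

# +---------------------------------------------------------------------------+
# | Portgroups on vSwitch0. The "**n" VLAN ids are placeholders left by the
# | published template and must be replaced with the real ids. SED-X and
# | SIP-X are untagged (vlan-id 0).
# +---------------------------------------------------------------------------+
# add_portgroup NAME VLAN_ID -- create the portgroup on vSwitch0 and tag it.
add_portgroup() {
  esxcli network vswitch standard portgroup add --portgroup-name "$1" --vswitch-name vSwitch0
  esxcli network vswitch standard portgroup set --portgroup-name "$1" --vlan-id "$2"
}
add_portgroup "SED-I-**1"   "**1"
add_portgroup "DPM-DPM-**2" "**2"
add_portgroup "ILO-**3"     "**3"
add_portgroup "CISCO-**4"   "**4"
#esxcli network vswitch standard portgroup add --portgroup-name Scon-**5 --vswitch-name vSwitch0
#esxcli network vswitch standard portgroup set --portgroup-name "Management Network" --vlan-id **5
add_portgroup "CCM-DPM-**7" "**7"
add_portgroup "SED-X"       "0"
add_portgroup "SIP-X"       "0"

# +---------------------------------------------------------------------------+
# | CDP: both advertise and listen on vSwitch0.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard set --cdp-status both --vswitch-name vSwitch0

# +---------------------------------------------------------------------------+
# | Active/standby uplinks and failover policy for vSwitch0. The two calls
# | could be merged into one; they are kept separate as in the original.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard policy failover set --active-uplinks vmnic0,vmnic2 --standby-uplinks vmnic1,vmnic3 --vswitch-name vSwitch0
esxcli network vswitch standard policy failover set --failback yes --failure-detection link --load-balancing portid --notify-switches yes --vswitch-name vSwitch0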
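  # +---------------------------------------------------------------------------+
# | Failover policy for the "Management Network" portgroup: the inverse of
# | the vSwitch setting (active vmnic1,vmnic3 / standby vmnic0,vmnic2) so
# | management traffic prefers the other pair of uplinks.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard portgroup policy failover set --active-uplinks vmnic1,vmnic3 --standby-uplinks vmnic0,vmnic2 --portgroup-name="Management Network"
esxcli network vswitch standard portgroup policy failover set --failback yes --failure-detection link --load-balancing portid --notify-switches yes --portgroup-name="Management Network"

# +---------------------------------------------------------------------------+
# | SECURITY CONFIGURATION: reject forged transmits, MAC address changes and
# | promiscuous mode on vSwitch0.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard policy security set --allow-forged-transmits no --allow-mac-change no --allow-promiscuous no --vswitch-name vSwitch0

# +---------------------------------------------------------------------------+
# | SHAPING CONFIGURATION. NOTE(review): the summary comment earlier lists
# | 1000000 Kbps average/peak; the values actually applied here are 100000
# | Kbps. Reconcile before deploying.
# +---------------------------------------------------------------------------+
esxcli network vswitch standard policy shaping set --enabled yes --avg-bandwidth 100000 --peak-bandwidth 100000 --burst-size 819200 --vswitch-name vSwitch0

# +---------------------------------------------------------------------------+
# | Mark vmk0 as a management vmknic in hostd's hostsvc.xml (the equivalent
# | of ticking "Management Traffic" on the portgroup). hostd must be stopped
# | while its configuration file is edited. The element name
# | "mangementVnics" is spelled as in the original script; it has to match
# | what hostd reads, so do not "correct" it without checking a live host.
# +---------------------------------------------------------------------------+
echo "Stopping the hostd"
/etc/init.d/hostd stop
sleep 5
echo "Enabling 'Management' on vmk0"
sed -i -e 's/<ConfigRoot>/<ConfigRoot>\n<mangementVnics>\n<nic id="0000">vmk0<\/nic>\n<\/mangementVnics>/' /etc/vmware/hostd/hostsvc.xml
echo "Starting the hostd"
/etc/init.d/hostd start

# +---------------------------------------------------------------------------+
# | Enable the management tag on vmk0 through the Managed Object Browser
# | (ha-vnic-mgr.selectVnic). This needs the root password, which therefore
# | appears in clear text here -- the hashed rootpw above does not protect
# | it. Keep this file restricted and rotate the password after
# | provisioning. On ESXi 5.1 and later the credential-free
# |   esxcli network ip interface tag add -i vmk0 -t Management
# | does the same job (confirm availability on the target build).
# | This step must run before the "/mob" proxy service is removed in the
# | hardening section further down.
# +---------------------------------------------------------------------------+
MOB_USER="root"
MOB_PASS="password"
cat > /tmp/enableVmkInterface.py <<__ENABLE_MGMT_INT__
import sys, re, os, urllib, urllib2

# connection info for the MOB
url = "https://localhost/mob/?moid=ha-vnic-mgr&method=selectVnic"
username = "${MOB_USER}"
password = "${MOB_PASS}"

# auth
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, url, username, password)
authhandler = urllib2.HTTPBasicAuthHandler(passman)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)

# Fetch the page once to obtain the session nonce (hidden form field) and the
# session cookie; both are required for the POST to pass the MOB's CSRF check.
req = urllib2.Request(url)
page = urllib2.urlopen(req)
page_content = page.read()

reg = re.compile('name="vmware-session-nonce" type="hidden" value="?([^\s^"]+)"')
match = reg.search(page_content)
if match is None:
    sys.stderr.write("vmware-session-nonce not found in MOB page; aborting\n")
    sys.exit(1)
nonce = match.group(1)

headers = page.info()
cookie = headers.get("Set-Cookie")

# execute the method
params = {'vmware-session-nonce': nonce, 'nicType': 'management', 'device': 'vmk0'}
e_params = urllib.urlencode(params)
req = urllib2.Request(url, e_params, headers={"Cookie": cookie})
page = urllib2.urlopen(req).read()
__ENABLE_MGMT_INT__
python /tmp/enableVmkInterface.py
# The helper embeds the root password; do not leave it behind in /tmp.
rm -f /tmp/enableVmkInterface.py

# +---------------------------------------------------------------------------+
# | SYSLOG CONFIGURATION: UDP and TLS targets on 192.168.9.238, 20 rotations.
# | NOTE(review): the ssl:// target only works once the loghost's certificate
# | chain is trusted by the host, and nothing here installs one -- confirm.
# | The firewall section later restricts the syslog ruleset to an allowed-ip
# | list; 192.168.9.238 must be on that list or outbound syslog is blocked.
# +---------------------------------------------------------------------------+
esxcli system syslog config set --default-rotate=20 --loghost=udp://192.168.9.238:514,ssl://192.168.9.238:1514
# +---------------------------------------------------------------------------+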
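  # | Per-logger rotation: keep 20 files; hostd and vmkernel capped at 2048 KB.
# +---------------------------------------------------------------------------+
esxcli system syslog config logger set --id=hostd --rotate=20 --size=2048
esxcli system syslog config logger set --id=vmkernel --rotate=20 --size=2048
esxcli system syslog config logger set --id=fdm --rotate=20
esxcli system syslog config logger set --id=vpxa --rotate=20

# +---------------------------------------------------------------------------+
# | NTP CONFIGURATION: single upstream 192.168.5.30. The default restriction
# | refuses modification, traps, queries and peering from everyone;
# | localhost is exempt. Quoted heredoc: nothing inside is expanded.
# +---------------------------------------------------------------------------+
cat > /etc/ntp.conf <<'__NTP_CONFIG__'
restrict default kod nomodify notrap noquery nopeer
restrict 127.0.0.1
server 192.168.5.30
__NTP_CONFIG__
/sbin/chkconfig --level 345 ntpd on

# +---------------------------------------------------------------------------+
# | FIREWALL CONFIGURATION: enable with a default-deny action, then open only
# | the rulesets this host needs (syslog out, NTP client, vSphere Client in).
# +---------------------------------------------------------------------------+
esxcli network firewall set --default-action false --enabled=yes

FIREWALL_SERVICES="syslog ntpClient vSphereClient"
for SERVICE in ${FIREWALL_SERVICES}; do
  esxcli network firewall ruleset set --ruleset-id "${SERVICE}" --enabled=yes
done

# Switch the same rulesets from "allow all IPs" to an explicit allowed-ip
# list (populated in the next section).
for SERVICE in ${FIREWALL_SERVICES}; do
  esxcli network firewall ruleset set --allowed-all=false --ruleset-id "${SERVICE}"
done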
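  # +---------------------------------------------------------------------------+
# | IPv4 allowed-ip lists for the rulesets opened above. 192.168.5.30 is the
# | DNS/NTP host from the %pre directive and the expected vSphere Client
# | source. The syslog ruleset additionally needs the remote loghost set
# | earlier (192.168.9.238); the original omitted it, which leaves outbound
# | syslog blocked once --allowed-all=false is in force.
# +---------------------------------------------------------------------------+
FIREWALL_IP_SERVICES="syslog ntpClient vSphereClient"
for SERVICE in ${FIREWALL_IP_SERVICES}; do
  esxcli network firewall ruleset allowedip add --ip-address=192.168.5.30 --ruleset-id "${SERVICE}"
done
esxcli network firewall ruleset allowedip add --ip-address=192.168.9.238 --ruleset-id syslog

# +---------------------------------------------------------------------------+
# | Close rulesets this host does not use.
# | NOTE(review): "dns" is the DNS client ruleset -- with it disabled the
# | nameserver configured in %pre (192.168.5.30) is unreachable and name
# | resolution fails. "vpxHeartbeats" off means vCenter cannot track this
# | host. Remove either from the list if that service is needed.
# +---------------------------------------------------------------------------+
FIREWALL_D_SERVICES="dns faultTolerance NFC HBR WOL webAccess netDump snmp vMotion dhcp CIMSLP CIMHttpServer CIMHttpsServer vpxHeartbeats"
for SERVICE in ${FIREWALL_D_SERVICES}; do
  esxcli network firewall ruleset set --ruleset-id "${SERVICE}" --enabled=no
done

# +---------------------------------------------------------------------------+
# | Enable and start the remote ESXi Shell (SSH). It stays on permanently,
# | and the local ESXShell and DCUI are switched off in the next section, so
# | SSH becomes the only console: restrict it with the sshServer ruleset's
# | allowed-ip list, or disable it after provisioning if policy requires.
# +---------------------------------------------------------------------------+
vim-cmd hostsvc/enable_ssh
vim-cmd hostsvc/start_ssh

# Refresh all firewall services (left disabled in the original).
#esxcli network firewall refresh

# Persisting the firewall configuration via the local datastore and rc.local
# (left disabled; presumably superseded by the auto-backup.sh calls below).
#cp /etc/vmware/firewall/service.xml /vmfs/volumes/$(hostname -s)-datastore1
#sed -i '$ a cp /vmfs/volumes/$(hostname -s)-datastore1/services.xml /etc/vmware/firewall' /etc/rc.local
#sed -i '$ a esxcli network firewall refresh' /etc/rc.local

# +---------------------------------------------------------------------------+
# | Shutdown the DCUI & vpxa & USB arbitrator (SSH left on)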
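  # +---------------------------------------------------------------------------+
# | Disable daemons not needed on this host: DCUI (local console UI), vpxa
# | (vCenter agent), usbarbitrator, ESXShell (local shell) and
# | sfcbd-watchdog (CIM). SSH is deliberately left enabled above.
# | NOTE(review): vpxa off (plus the vpxHeartbeats ruleset disabled earlier)
# | means this host cannot be managed by vCenter; keep both on if that is
# | not intended.
# +---------------------------------------------------------------------------+
DISABLED_DAEMONS="DCUI vpxa usbarbitrator ESXShell sfcbd-watchdog"
for DAEMON in ${DISABLED_DAEMONS}; do
  chkconfig "${DAEMON}" off
done

# Persist the configuration changes made so far.
/sbin/auto-backup.sh

# +---------------------------------------------------------------------------+
# | ESXi host security hardening: unregister the HTTP welcome page ("/") and
# | the Managed Object Browser ("/mob") from the reverse proxy. Removing /mob
# | must come after the enableVmkInterface.py step above, which needs it.
# +---------------------------------------------------------------------------+
vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"

# +---------------------------------------------------------------------------+
# | SSH login banner. Quoted heredoc: nothing inside is expanded (the
# | original prefixed every line with an always-empty ${INDENTATION:-}).
# +---------------------------------------------------------------------------+
/bin/cat > /etc/banner.new <<'SSHEOF'
======================================================
=                  Company.COM LTD                   =
======================================================

======================================================
=      WARNING: UNAUTHORIZED USE IS PROHIBITED       =
=      -----------------------------------------     =
=  Property of Company.com Ltd, and should only      =
=  be accessed by authorized Company employees.      =
=  Do not attempt to log in unless you are an        =
=  authorized user.                                  =
=                                                    =
=  Any authorized or unauthorized access and use,    =
=  will be monitored and anyone using this system    =
=  expressly consents to such monitoring. If such    =
=  monitoring reveals possible evidence of criminal  =
=  activity, such evidence will be provided to law   =
=  enforcement personnel and can result in criminal  =
=  or civil prosecution under applicable law of      =
=  the United Kingdom (UK).                          =
======================================================
SSHEOF
# Copy the new banner over /etc/issue (ESXi 5 stores its banner there).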
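  # Install the banner where ESXi 5 reads it.
cp /etc/banner.new /etc/issue

# +---------------------------------------------------------------------------+
# | VM autostart rules (disabled; the rc.local loop below is used instead).
# +---------------------------------------------------------------------------+
#vim-cmd hostsvc/autostartmanager/enable_autostart true
#vim-cmd hostsvc/autostartmanager/update_defaults 120 120 "GuestShutdown" true

# +---------------------------------------------------------------------------+
# | Auto-restart all VMs: append a loop to /etc/rc.local that powers on every
# | registered VM, 10 s apart. The single-quoted sed text is appended
# | literally; the $(...) is evaluated only when rc.local runs at boot.
# | NOTE(review): on ESXi 5.1+ /etc/rc.local is not user-editable; use
# | /etc/rc.local.d/local.sh there -- confirm for the target build.
# +---------------------------------------------------------------------------+
sed -i '$ a for i in $(vim-cmd vmsvc/getallvms | cut -f1 -d" " | grep -v Vmid); do vim-cmd vmsvc/power.on $i; sleep 10; done' /etc/rc.local

# +---------------------------------------------------------------------------+
# | Update ESXi host (disabled). NOTE(review): if enabled, the depot is
# | fetched over plain HTTP with no checksum or signature verification;
# | verify the bundle before installing it.
# +---------------------------------------------------------------------------+
#vim-cmd hostsvc/maintenance_mode_enter
#DS=`ls /vmfs/volumes/ | grep datastore`
#wget -P "/vmfs/volumes/${DS}/" http://10.10.55.5/ESXi500-201111001.zip
#esxcli software vib update --depot="/vmfs/volumes/${DS}/ESXi500-201111001.zip"
#vim-cmd hostsvc/maintenance_mode_exit

# +---------------------------------------------------------------------------+
# | Create resource pools (SED=pool0, DPM=pool2, CCM=pool3). The commented
# | variants are the full-size values; the active ones are scaled down.
# | NOTE(review): the DPM pool sets --cpu-min (566) larger than --cpu-max
# | (240); a reservation above the limit is invalid and the create will be
# | rejected. Same problem in the commented 5664/2400 variant.
# +---------------------------------------------------------------------------+
#vim-cmd /hostsvc/rsrc/create --cpu-max=4800 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=29 --mem-min-expandable=FALSE --mem-max=2048 --mem-shares=normal ha-root-pool SED
vim-cmd /hostsvc/rsrc/create --cpu-max=480 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=29 --mem-min-expandable=FALSE --mem-max=204 --mem-shares=normal ha-root-pool SED
#vim-cmd /hostsvc/rsrc/create --cpu-min=5664 --cpu-max=2400 --cpu-shares=high --cpu-min-expandable=FALSE --mem-min=16384 --mem-min-expandable=FALSE --mem-max=16384 --mem-shares=high ha-root-pool DPM
vim-cmd /hostsvc/rsrc/create --cpu-min=566 --cpu-max=240 --cpu-shares=high --cpu-min-expandable=FALSE --mem-min=163 --mem-min-expandable=FALSE --mem-max=163 --mem-shares=high ha-root-pool DPM
#vim-cmd /hostsvc/rsrc/create --cpu-min=2400 --cpu-max=2400 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=1024 --mem-min-expandable=FALSE --mem-max=1024 --mem-shares=normal ha-root-pool CCM
vim-cmd /hostsvc/rsrc/create --cpu-min=240 --cpu-max=240 --cpu-shares=normal --cpu-min-expandable=FALSE --mem-min=102 --mem-min-expandable=FALSE --mem-max=102 --mem-shares=normal ha-root-pool CCM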
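  # +---------------------------------------------------------------------------+
# | Import the SED appliance from the DVD-ROM: load the iso9660 driver, mount
# | the CD-ROM path, stage the archive on the local datastore and unpack it.
# +---------------------------------------------------------------------------+
DATASTORE="/vmfs/volumes/$(hostname -s)-datastore1"
STAGING="${DATASTORE}/Staging_Folder"
vmkload_mod iso9660
vsish -e set /vmkModules/iso9660/mount "$(esxcfg-mpath -b | grep "CD-ROM" | awk '{print $1}')"
mkdir -p "${STAGING}"
# Source is the VM folder on the custom install media (label VMWARE_ESXI5_CUSTOM).
cp -r /vmfs/volumes/VMWARE_ESXI5_CUSTOM/VM/* "${STAGING}"
sleep 5
# Extracted relative to the datastore root via -C. The archive comes from the
# install media and is trusted as such; there is no signature check here.
tar -zxvf "${STAGING}/2012SED-A.TGZ" -C "${DATASTORE}"
sleep 5

# +---------------------------------------------------------------------------+
# | Register the SED VM in resource pool "SED" (pool0). The commented
# | variant looked the pool's objID up in /etc/vmware/hostd/pools.xml
# | instead of hard-coding pool0.
# +---------------------------------------------------------------------------+
#vim-cmd solo/registervm "${DATASTORE}/2012alpha-SED-B/2012alpha-SED-B.vmx" $(grep "SED" -A1 /etc/vmware/hostd/pools.xml | grep "<objID>" | sed 's/<objID>//;s/<\/objID>//g' | sed -e 's/^[[:blank:]]*//;s/[[:blank:]]*$//')
vim-cmd solo/registervm "${DATASTORE}/2012alpha-SED-B/2012alpha-SED-B.vmx" 2012alpha-SED-B pool0

# Save the firewall configuration on the datastore (left disabled).
#cp /etc/vmware/firewall/service.xml "${DATASTORE}"

# Persist the configuration changes made in this section.
/sbin/auto-backup.sh

# +---------------------------------------------------------------------------+
# | Copy the %firstboot logs and esx.conf to the persistent datastore.
# | NOTE(review): esx.conf on a datastore is readable by anyone with
# | datastore-browse rights; keep it there only if that is acceptable.
# +---------------------------------------------------------------------------+
cp /var/log/hostd.log "${DATASTORE}/firstboot-hostd.log"
cp /var/log/esxi_install.log "${DATASTORE}/firstboot-esxi_install.log"
cp /etc/vmware/esx.conf "${DATASTORE}"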
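  # +---------------------------------------------------------------------------+
# | Final reboot so the %firstboot changes (disabled daemons, banner,
# | rc.local additions) take effect.
# +---------------------------------------------------------------------------+
reboot
##--------------------------------------------------------------------------
## End of kickstart script
##--------------------------------------------------------------------------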