Lets face it, repetition sucks. When provisioning ESX hosts, using such things as the EDA make life easier, but it only does so much for ESXi.
The install for ESXi is simple and straight forward, but when done, you have to go and set everything else (IP, hostname, DNS, local users, etc…). Doing this for 20 hosts could be a PITA (Pain In The A..), so I set out on writing a script that does all of this for you.
All you have to do is set the IP & root password, then verify you can ping the host by it’s hostname (set host/A record in DNS). Once that’s verified, here’s what the script does for you:
- Creates an Admins group and assigns it to the Administrator role
- Creates local users, sets their default password, and adds them to the Admins group
- Sets primary & secondary NTP & DNS servers
- Sets DNS search suffix
- Combines the provided hostname with DNS search suffix to populate the hostname FQDN
- Sets EnableNaviReg to 0, disabled (requested by my storage team)
- Disables iSCSI (disabled by default, but enabled in my sd image I created from previous post, thus the need to disable)
- Disabled Tech Support Mode, aka ‘unsupported’ console
This is a slightly more advanced script, and it’s not fully polished, but works.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
param([string[]]$vmhosts = $null, [string[]]$vmusers = $null) #add the snapin, just in case Add-PSSnapin VMware.VimAutomation.Core #instantiate script variable, needed in multiple functions set-variable -name pw1 -scope script function usage() { write-host -foregroundcolor green `n`t "This script configures NTP, local users & their password, disables NaviReg, iSCSI, & Tech Support Mode, then reboots" write-host -foregroundcolor green `n`t "-vmhosts and -vmusers are the available parameters, and the usage is below:" write-host -foregroundcolor yellow `n`t`t "Set-Config.ps1 -vmhosts (`"server1`",`"server2`") -vmusers (`"user1`",`"user2`")" write-host -foregroundcolor red `n`t "DO NOT fully qualify the host name, the script sets that based off the DNS Search Suffix." write-host -foregroundcolor green `n`t "For a single vmhost or vmuser, here's the usage:" write-host -foregroundcolor yellow `n`t`t "Set-Config.ps1 -vmhosts server -vmusers user" write-host -foregroundcolor green `n`t "This script sets the username and display name, or description, the same" write-host -foregroundcolor green `n`t "You may get an error if Admins and/or the user already exists" write-host -foregroundcolor green `n`t "If the user exists it is still added to the Admins group" `n } function getPassword() { $script:pw1 = read-host -assecurestring `n "Enter default password" $pw2 = read-host -assecurestring `n "Re-Enter default password" $String1 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($script:pw1) $String2 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw2) $script:pw1 = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($String1) $pw2 = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($String2) $match = $script:pw1.CompareTo($pw2) if ($match -ne 0) { write-host -foregroundcolor red `n "Passwords do not match!" `n getPassword } } function Confirm($strMessage) { write-host -foregroundcolor yellow `n $strMessage $answer = $host.ui.rawui.readkey("NoEcho,IncludeKeyUp") if ($answer.Character -ine "y") { write "" break } write "" } function config() { getPassword $ntp1 = (read-host `n "Enter the name of the first NTP server").tolower() $ntp2 = (read-host `n "Enter the name of the second NTP server").tolower() $dns1 = (read-host `n "Enter the primary DNS server").tolower() $dns2 = (read-host `n "Enter the alternate DNS server").tolower() write-host -foregroundcolor green `n`t "DNS Search Suffix is used to create the FQDN of the host" $dnsSearch = (read-host `n "Enter DNS search suffix, ie sub.domain.com").tolower() write-host -foregroundcolor yellow `n`t "Primary NTP:" $ntp1 write-host -foregroundcolor yellow `n`t "Secondary NTP:" $ntp2 write-host -foregroundcolor yellow `n`t "Primary DNS:" $dns1 write-host -foregroundcolor yellow `n`t "Secondary DNS:" $dns2 write-host -foregroundcolor yellow `n`t "DNS Search & FQDN Suffix:" $dnsSearch Confirm("Press 'Y' to continue, or any other key to exit...") $creds = get-credential foreach ($vmhost in $vmhosts) { $vmhostfqdn = $vmhost.ToString() + "." + $dnsSearch.ToString() write `n "Connecting to" $vmhostfqdn connect-viserver $vmhost -credential $creds write `n "Setting up NTP servers" add-vmhostntpserver -ntpserver $ntp1,$ntp2 write `n "Adding DNS, Hostname, & Search Order" $vmhostnetwork = get-vmhostnetwork -vmhost $vmhost set-vmhostnetwork -network $vmhostnetwork -dnsaddress $dns1,$dns2 -DomainName $dnsSearch -searchdomain $dnsSearch -HostName $vmhost write `n "Now adding users to admin group" New-VMHostAccount -group Admins foreach ($vmuser in $vmusers) { New-VMHostAccount -User -Id $vmuser -Password $script:pw1 -Description $vmuser set-vmhostaccount -user $vmuser -AssignGroups localadmin,users,Admins } #add Admins to admin role $AuthMgr = Get-View (Get-View ServiceInstance).Content.AuthorizationManager $Entity = Get-Folder ha-folder-root | Get-View $Perm = New-Object VMware.Vim.Permission $Perm.entity = $Entity.MoRef $Perm.group = $true $Perm.principal = "Admins" $Perm.propagate = $true $Perm.roleId = ($AuthMgr.RoleList | where {$_.Name -eq "Admin"}).RoleId $AuthMgr.SetEntityPermissions($Entity.MoRef,$Perm) #Set EnableNaviReg to 0 set-vmhostadvancedconfiguration -vmhost $vmhost -name Disk.EnableNaviReg -value 0 #disable iSCSI $hostView = Get-View -VIObject (Get-vmhost $vmhost) $storageSystem = Get-View $hostView.configManager.storageSystem $storageSystem.UpdateSoftwareInternetScsiEnabled($false) #disable 'unsupported' Tech Support Mode set-vmhostadvancedconfiguration -vmhost $vmhost -name VMkernel.Boot.techSupportMode -value False #restart for settings restart-vmhost $vmhost -runasync -confirm:$false -force Disconnect-VIServer -confirm:$false } } #garbage collection, just in case Function collectGarbage() { $creds = $null $script:pw1 = $null $pw2 = $null $string1 = $null $string2 = $null $ntp1 = $null $ntp2 = $null $dns1 = $null $dns2 = $null $dnsSearch = $null $vmhosts = $null $vmusers = $null } if (($vmhosts -eq $null) -or ($vmusers -eq $null)) { usage break } #Lets run the config now after setting up all the functions config collectGarbage |
To run this script, save it as Set-Config.ps1, and run:
.\Set-Config.ps1 -vmhosts ("host1","host2","host3") -vmusers ("user1","user2")
OR
.\Set-Config.ps1 -vmhosts host -vmusers user
Should you want to not disable EnableNaviReg, simply add at # in front of that line, same with Tech Support Mode or iSCSI.
Since Tech Support Mode is ‘unsupported’ by VMware, I disable it so we don’t rely on it. If something needs to be ‘fixed’, we need to find a supported way to get that done. So far, our biggest hurdle was lack of CNA drivers for our hosts that ONLY use the CNA’s to connect, but using a host connected through the LOM, we were able to inject the drivers just fine.
I also wanted to enable lockdown mode via this script, but it’s not currently available.
I imagine you could use this to config ESX as well, and add such things as adding users to sudoers, but our plan is to move to ESXi only, so I haven’t tested it with full ESX.
**UPDATED 03-26-2012**
I’ve test this with ESXi 5.0 and it works. Some of the commands are older and PowerCLI will bark at you for them, but they still work. I’ll update for 5.0 and repost when I have time.