** Be warned, this is totally unsupported. Only for educational purposes should this be used **
Today I was asked how to create a VIB file (.vib). Our documentation mentions that you can create a VIB file to add firewall rules to your ESXi host. As the .vib tool is not available yet to the general public I decided to dig into it. I want to stress that I tested this in my own lab; it is not supported at all, but it might give a nice insight into how these VIBs are constructed. Before you read how I created my own VIB file I suggest reading this excellent article on what a .vib file is and contains by my colleague Kyle Gleed.
First thing I did was download an existing VIB file. I downloaded a tiny LSI SCSI driver. I did a “more” of the .vib file and I noticed the following:
That was my first lead, it appears to be a debian-binary, which is a format that the Linux distribution Debian uses to package software / drivers etc. I knew it should be possible to check what was included in this package. So I did a quick search and stumbled on some procedures on how to do this using some standard commands provided by my Debian virtual machine. (Links at the bottom) So I did the following on the package I downloaded:
ar tv file.vib
This showed me that the .vib file contained three files:
descriptor.xml sig.pkcs7 scsi-meg
This seemed pretty obvious to me after reading Kyle’s article. The descriptor contained the metadata, the “sig*” file contained the signature and the “scsi-meg” was the actual driver. I decided to extract the VIB file to look at the content of these files:
ar vx file.vib
As the permissions on the files didn’t allow me to look at them I changed the permissions on those by using “chmod”. Now what? Well let’s look at the “scsi-meg” file first. What is it? I looked at what was in the file by using the following command:
tar -tzvf scsi-meg
It contained a list of files and that is it. I decided to extract it using “tar -xzvf” and as expected it was the folder structure and files part of this driver. I figured that it wouldn’t be too difficult to create a simple package. Why not try it… Here we go. First I deleted everything in the “sig.pkcs7” file, as Kyle mentioned in his article that community support packages can have an empty signature. I also deleted all the files and folders that were extracted from the “scsi-meg” package that I did not need. I then created a folder underneath the “/etc/vmware” structure as I wanted to create a firewall rule. (Added the folder “firewall”.)
I copied a firewall rule, which is created by HA, from my existing ESXi host to my Debian VM; the original file was “fdm.xml”. I edited it and renamed it to test.xml. I changed all ports to 7000 and changed the <id> of the service that would need to be added and saved the file in “etc/vmware/firewall”.
Now it was time to package it all up and see if it would work. I guessed that the steps required would simply be the reverse of what I did to extract it all.
tar -czvf test etc/
I then opened up the descriptor.xml file and changed some of the fields around, most don’t seem to matter much except for the following:
Change the following key from <acceptance-level>certified</acceptance-level> to <acceptance-level>community</acceptance-level>
Add your list of files: <file-list> <file>path-to-file</file> </file-list>
Change the name of your package and the size accordingly: <payload name="test" type="vgz" size="809">
I wasn’t sure if that would work, but I would find out eventually I guess (yes I also tried “communitysupport” as the acceptance-level but that doesn’t work!). I also removed the checksum details from the descriptor file just in case it would be used. This is what my full descriptor file looked like:
<vib version="5.0">
  <type>bootbank</type>
  <name>firewallrule</name>
  <version>1.0</version>
  <vendor>Duncan</vendor>
  <summary>Firewall rule</summary>
  <description>Firewall rule</description>
  <release-date>2011-06-01T22:16:31.062257+00:00</release-date>
  <urls/>
  <relationships>
    <depends>
    </depends>
    <conflicts/>
    <replaces/>
    <provides/>
    <compatibleWith/>
  </relationships>
  <software-tags>
    <tag>driver</tag>
    <tag>module</tag>
  </software-tags>
  <system-requires>
    <maintenance-mode>true</maintenance-mode>
  </system-requires>
  <file-list>
    <file>etc/vmware/firewall/test.xml</file>
  </file-list>
  <acceptance-level>community</acceptance-level>
  <live-install-allowed>false</live-install-allowed>
  <live-remove-allowed>false</live-remove-allowed>
  <cimom-restart>false</cimom-restart>
  <stateless-ready>false</stateless-ready>
  <overlay>false</overlay>
  <payloads>
    <payload name="test" type="vgz" size="809">
    </payload>
  </payloads>
</vib>
Next up would be making a single .vib file out of these three components again:
ar -r test.vib descriptor.xml sig.pkcs7 test
Now I need to ‘scp’ the file to my ESXi host and see if I can install it:
scp test.vib [email protected]:test.vib
esxcli software vib install -v /test.vib
I received an error that the ImageProfile acceptance level needed to be changed. That was my next step:
esxcli software acceptance set --level CommunitySupported
After repeating the “esxcli software vib install” command I received the following output:
~ # esxcli software vib install -v /test.vib
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: Duncan_bootbank_firewallrule_1.0
   VIBs Removed:
   VIBs Skipped:
~ #
I rebooted the host and here’s a screenshot of the ESXi firewall with the newly added custom service “Test”:
Once again, I want to point out that this is currently unsupported. Don’t use this in your production environment!
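The layout described above (an ar archive holding descriptor.xml, sig.pkcs7 and the payload, in that order) can be checked before a package is installed on a host. The following Python sketch is an added example, not code from this post or from VMware; the function names are hypothetical, it handles only short "/"-terminated ar member names, and it assumes the payload size attribute is the payload's byte length.

```python
import xml.etree.ElementTree as ET  # stdlib; prefer defusedxml for untrusted files

AR_MAGIC = b"!<arch>\n"

def ar_member(name, data):  # one member: 60-byte header, data, pad to even length
    hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name + "/", 0, 0, 0, "100644", len(data))
    return hdr.encode("ascii") + data + b"\n" * (len(data) & 1)

def ar_members(blob):  # returns [(name, data)] in stored order; short names only
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    out, pos = [], len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        out.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size & 1)  # skip the padding byte after odd sizes
    return out

def audit_vib(blob):
    """Return a list of findings for a VIB laid out as the post describes."""
    members = ar_members(blob)
    names = [n for n, _ in members]
    if len(names) < 3 or names[:2] != ["descriptor.xml", "sig.pkcs7"]:
        return ["unexpected member order: %s" % names]
    findings = []
    if not members[1][1].strip():
        findings.append("sig.pkcs7 is empty (unsigned package)")
    root = ET.fromstring(members[0][1])
    if (root.findtext("acceptance-level") or "").strip() == "community":
        findings.append("acceptance-level is community")
    sizes = {n: len(d) for n, d in members[2:]}
    for p in root.iter("payload"):  # assumption: size is the payload's byte length
        name, declared = p.get("name"), int(p.get("size", "-1"))
        if sizes.get(name) != declared:
            findings.append("payload %r: declared %d bytes, found %s"
                            % (name, declared, sizes.get(name)))
    return findings

# Constructed sample mirroring the post's test.vib (not a real package).
DESCRIPTOR = (b'<vib version="5.0"><acceptance-level>community</acceptance-level>'
              b'<payloads><payload name="test" type="vgz" size="809"/></payloads></vib>')
SAMPLE = (AR_MAGIC + ar_member("descriptor.xml", DESCRIPTOR)
          + ar_member("sig.pkcs7", b"") + ar_member("test", bytes(809)))

if __name__ == "__main__":
    print(audit_vib(SAMPLE))
```

For a file on disk, pass its bytes: audit_vib(open("test.vib", "rb").read()).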
The following articles helped me figure this out and produce this article:
Jason Boche says
A reboot to make a firewall rule change. I expect this will be the next feature Microsoft will copy for Hyper-V 🙂
Duncan Epping says
Nah, I think the reboot is due to the way my descriptor file was built. I will try slimming it down and remove the “reboot” requirements tomorrow 🙂
Duncan Epping says
I bet that if I change:
it will work without a reboot Jason 🙂
Andreas Peetz says
Good write-up, Duncan!
Let me add the following: Lately I have written a Windows script called TGZ2VIB5.cmd that is included with my ESXi-Customizer tool and is able to automate the process of creating VIB files from tgz (tar.gz) files.
The main purpose of this script is to enable developers of community supported ESXi 5 device drivers to publish their driver packages in VIB format (instead of oem.tgz format).
See http://esxi-customizer.v-front.de for more information.
You can set maintenance-mode to false, live-install-allowed to true, and probably live-remove-allowed to true.
I was playing around with vib files recently and found out it can make ESXi pretty extensible.
Too bad there are so many steps to package it.
tar -czvf etc/ test
tar -czvf test etc/
If you get something similar to the following,
Expected second member of Vib file to be sig.pkcs7, but found smtp instead.
filename = /smtp.vib
Note the order that you add files using “ar -r file.vib” is important!
Must be “descriptor.xml sig.pkcs7 package” where package is the .tgz file
Also to note, that AR appends file to archive by default…
Shahidul Alam says
Thanks for pointing me in the right direction on creating a vib file. I need to compile my R8168 driver which does not work in ESXi 5.1 but works in ESXi 5.0. Hopefully I can write my steps if it works successfully on my blog.