Yellow Bricks

by Duncan Epping

Scripting

VM Template best practices (Linux)

· ·

I was just reading up on my Google Reader. A lot of information been dropped over the last couple of days and more and more people are getting active on the VMware blogoshere. One of the articles that really caught my attention was the “VM Template best practices (Linux)” by Leo Raikhman.

Leo did a great job in explaining how to build up a decent Template. Leo even included a way to regularly zero out the Linux Filesystem for the purpose of VCB image level dumps with small footprints.

And although Leo’s article talks about Linux only this also applies for Windows. If you will be doing VCB then remember to zero-out your filesystem every once in a while. Linux doesn’t scrub the sectors where the files resided and neither does Windows. I wrote an article on how to do this from within Windows. Yes you can do it by hand via the “shrink disk” option in VMware Tools, but as Leo already pointed out there’s no way of scheduling that one, as far I have discovered.

So most of the stuff written about in Leo’s article applies to Windows, yeah also the partition alignment! DO IT! But the zero-out procedure won’t work, I’ve wrote one a while back and here it is:

Set WshShell = WScript.CreateObject("WScript.Shell")
Dim fso, d, dc
Set fso = CreateObject("Scripting.FileSystemObject")
Set dc = fso.Drives
WshShell.RegWrite "HKCU\Software\Sysinternals\", 0, "REG_SZ"
WshShell.RegWrite "HKCU\Software\Sysinternals\SDelete\", 0, "REG_SZ"
WshShell.RegWrite "HKCU\Software\Sysinternals\SDelete\EulaAccepted", 1, "REG_DWORD"
For Each d in dc
If d.DriveType = 2 Then
Return = WshShell.Run("defrag " & d & " -f", 1, TRUE)'
Return = WshShell.Run("sdelete -c " & d, 1, TRUE)
End If
Next
Set WshShell = Nothing

Be sure to download Sdelete before you start, and remember that this script also does a defrag. If you are running “thin” disks than doing a defrag might not be the smartest thing to do, if so just delete the following line from the vb script:

Return = WshShell.Run("defrag " & d & " -f", 1, TRUE)'

Scripted installs and nic teaming

· ·

As of ESX 3.5 it was impossible to add an additional NIC to a team as active without resorting to editing the esx.conf file:

# Active and standby setup and maxActive from 1 to 2
mv /etc/vmware/esx.conf /tmp/esx.conf.bak
/bin/sed -e ’s/net\/vswitch\/child\[0001\]\/teamPolicy\/maxActive = \”1\”/net\/vswitch\/child\[0001\]\/teamPolicy\/maxActive = \”2\”/g’ /tmp/esx.conf.bak >> /etc/vmware/esx.conf

So as you can see, a “sed” command changed the maxActive from 1 to 2. But I rather not use these kinds of solutions, editing the esx.conf that is. As of ESX 3.5 U3 that’s not necessary anymore, VMware fixed this issue:

Network adapters lose bonding during scripted installation
The esxcfg-vswitch -L command now works as expected and with the same functionality as in 3.0.x.

During a scripted installation, the following two commands did not result in a bonded pair of active network adapters on virtual switch VS_VM1. Instead, vmnic3 became the active adapter and vmnic4 became the standby adapter.
esxcfg-vswitch -L vmnic3 VS_VM1
esxcfg-vswitch -L vmnic4 VS_VM1

So just use esxcfg-vswitch again and don’t edit the esx.conf anymore!

Enable VMware tools timesync

· ·

Today I visited a customer that wanted to enable the VMware tools timesync during an automated install of a Windows VM. The customer didn’t want to use powershell / perl or anyother SDK enabled tool. So what’s left?

“C:\Program Files\VMware\VMware Tools\VMwareService.exe” –cmd “vmx.set_option synctime 0 1”

So this command ticks the checkbox for timesync via VMware Tools, which can come in handy when doing RIS alike installs.

Adding users + roles with powershell

· ·

So you can easily add users with useradd command we talked about. But there’s still a problem, you can’t add user-roles to the user you’re creating. You still need the VirtualCenter client to do that. My colleague Horst Mundt read my post and was so kind to email me a powershell script he created that can add roles to specific users or groups for you:

$VCimpl = Get-VIServer -Server 192.168.116.201 -User root -Password <...>
# Note: Server is an ESX host, not VC
# Force load
[Reflection.Assembly]::LoadWithPartialName("vmware.vim")

# Edit hostname below
$hostname = "esx302.hm.local" 

# The name of the role to be assigned
$roleLabel="Read-Only"
#$roleLabel="Administrator"

#The name of the principal (user or group) that the role is assigned to
$principal="GroupX"

# set to false if principal is a user , not a group
$principalIsGroup = $true

$propagateToSubEntities = $true

$svcRef = new-object VMware.Vim.ManagedObjectReference 
$svcRef.Type = "ServiceInstance" 
$svcRef.Value = "ServiceInstance" 
$serviceInstance = get-view $svcRef

$authMgr = Get-View $serviceInstance.Content.AuthorizationManager
$hahost = Get-View (Get-VMhost -Name $hostname).ID
$compResource = $hahost.Parent
$oldperms = $authMgr.retrieveEntityPermissions($hahost.MoRef, $true)
$roles = $authMgr.roleList
$roleid = 0
$found = $false
for ($i = 0 ; $i -lt $roles.Length ; $i++)
{
      $role=$roles[$i]
      if ($role.Info.Label -eq $roleLabel)
      {
            $roleid = $role.RoleId
            $found = $true
      }
}
if ( $found -eq $false )
{
      echo ("Role not found: " + $roleLabel )
      exit 1
}

$permission = New-Object Vmware.Vim.Permission
$permission.group = $principalIsGroup
$permission.principal = $principal
$permission.propagate = $propagateToSubEntities
$permission.roleID = $roleid
$authmgr.SetEntityPermissions($compResource, @($permission))

The script has been tested on ESX 3.0.2. I did not have the opportunity to test it myself by the way… So if anyone can test it against ESX 3.5 and let’s us know what the results are!

Additional user account in a scripted install

· ·

When doing a scripted install it might be useful to create additional user accounts. You can easily do this with the following command:

/usr/sbin/useradd -m -p ‘\$1$ZRo.R0\$1Lk8iA0AaqVFlojm.BTmr/’ -c administrator -g users -G users -d /home/administrator -s /bin/bash administrator

The “-p” value is the encrypted password. You can create them by using the tool “grub-md5-crypt” on a linux box. Just type “grub-md5-crypt” and type your password twice and it returns a md5 encrypted password which you can use in your scripted install. Keep in mind that there can be special characters in your password, if you do a scripted install this will be misinterpreted and you these characters need a preceding “\”.