Automating vSphere ESX4 host installations


Automating ESX 4 installations is a great way to save time and to provide a method of server recovery in the event of hardware or software failure. It creates consistent, high quality, repeatable installations that can be quickly modified to handle new and changing hardware. The process can also provide a detailed level of documentation for each VMware ESX server instance. This blog will discuss how the process works and how to create the required elements so you can implement your own automated process.

The vSphere ESX 4 install process uses an updated Linux boot loader commonly referred to as Syslinux. This Syslinux release (version 3.63) supports a variety of popular protocols to facilitate a remote central install repository: FTP, HTTP, NFS and gPXE are all available options for attaching to a remote install repository over the network.

From the Syslinux boot process vSphere launches its initrd.img kernel instance, a custom VMware/Linux kernel containing a multitude of VMware ESX 4 drivers and components. The custom drivers allow for a more closely integrated ESX 4 install process that targets an improved ESX 4 server configuration result.

The custom VMware kernel incorporates Linux kickstart scripting functionality to invoke automated installations. The script location is defined as part of the Syslinux functionality and is available as a menu at boot time; a control file located on the boot media provides these variable control elements. Depending on the media type, Syslinux uses a respective cfg file to implement this function. The Syslinux boot methods that I am aware of are USB, CD, DVD, PXE and gPXE. In this blog I will demonstrate an ISO CDROM method to perform the automated boot cycle; any of the boot methods mentioned will work, with varying levels of complexity.

The ISO CD and DVD based Syslinux configuration uses a config file named isolinux.cfg, USB boot images use syslinux.cfg, and gPXE based boot services can use either depending on the final gPXE target image.
Here is an example and description of the boot time menu functional elements for the isolinux.cfg ISO based file used in this demonstration.

default Default
gfxboot bootlogo
prompt 1
timeout 3000

label Default
menu default
kernel vmlinuz
append initrd=initrd.img mem=512M quiet ks=http://vc.laspina.ca:8088/esx/4.0/default.cfg

label vh0
kernel vmlinuz
append initrd=initrd.img mem=512M quiet ks=http://vc.laspina.ca:8088/esx/4.0/vh0.cfg

label vh1
kernel vmlinuz
append initrd=initrd.img mem=512M quiet ks=http://vc.laspina.ca:8088/esx/4.0/vh1.cfg

This cfg file provides three menu choices: Default, vh0 and vh1. It will invoke Default after 300 seconds (Syslinux counts the timeout in tenths of a second, so timeout 3000 is not a typo), or you can manually select one of the other menu items. The “ks=” append option can also be one of file://… cdrom://… ftp://… nfs://… usb and UUID:ID/… The initrd.img element is an ESX initial ram disk image and its version needs to match your repository for a successful install process.

This isolinux.cfg file relies on DHCP to provide IP services. If DHCP is not an option you can use static methods to provision the same by passing the IP specific info into the initial ram disk image.

Here is an example of static IP parameters within the isolinux.cfg file.

label vh1
kernel vmlinuz
append initrd=initrd.img mem=512M quiet ksdevice=eth0 ip=10.10.0.1 netmask=255.255.255.0 gateway=10.10.0.254 nameserver=10.10.0.253 ks=http://vc.laspina.ca:8088/esx/4.0/vh1.cfg

Static IP parameters can also be defined in the kickstart ks file but then the ks file would need to be locally available in order for it to work.

Let’s now look at how we can create a remote repository based, automated ESX 4 ISO CD installation boot image. My tool of choice for this process was MagicISO, which can make images of 300MB or less in size for free. Of course you can use others like PowerISO, which is also one of my favourites. The first step in the process is to open the vSphere installation ISO and delete all but the highlighted files shown in the graphic. While you could leave them intact, I prefer to remove elements that are not required, as this can serve as a template for USB or other boot images.

ISOMagic SS

The ISO boot method is quite simple: all we need to do is create a text isolinux.cfg file based on the example shown previously and drag it into the MagicISO window onto the isolinux folder. Once the file is replaced we can use Save As to write an ISO under the name of your choice, then burn it or mount it on your server’s ILOM interface. I plan on making a USB based image later, so stay tuned for that in another blog entry.

Be wary of using Windows based text editors, as they do not work well with Unix based text processing: they add invisible characters to the edited files that will cause some of the Unix processes to fail. I normally use UltraEdit to edit Unix targeted files since it has a function that allows you to convert and save in Unix file format.

How you provision an install repository is a matter of choice; you can use any of the many different hosts that can serve one of the supported protocols. If you’re going to use an HTTP repo you will need to take note of MIME types that may not be defined on the web service of your choice. In this blog example we are going to define an HTTP based repo on a Virtual Center Server (VC).

Create a base directory on the VC to host the install repo and extract the ESX 4 ISO to an appropriately named subfolder.
e.g. My base is D:\VMwareRepo and the subfolder is esx4.0

We need to setup an IIS service instance on the VC and create a WEB site on port 8088. Do not use the default port 80 as it will conflict with other VC services.

IIS Repo Config 1

We assign our base repo directory to this site and allow directory browsing.

IIS Repo Config 2

The addition of the pkl MIME type is required: right-click -> Properties on the IIS instance within your Computer Management MSC.

IIS MIME Type SS

That’s all you need for provisioning an http repo with IIS on your VC. Once you have a repo defined and running make sure you can browse it using your favourite browser.
As an added layer of security I only allow ESX console IP interfaces of a specific subnet on the repo site. Here is an example screen shot. Remember to check browsing availability before you enable any subnet restrictions.

IIS Restricted Range

The next step is the most involved and interesting part of the process. Let’s use an example script named vh1.cfg to examine and discuss one of my scripted processes. The script is normally stored in your repo, e.g. D:\VMwareRepo\esx4.0\vh1.cfg.

##########################################################
# ESX 4 Kickstart installation script
# © Mike La Spina – Ubiquitous Talk
# File name: vh1.cfg

##########################################################
# Install or Upgrade
install url http://vc.laspina.ca:8088/esx/4.0

“We first define a source for our ESX 4 install files; the possible methods are file://, ftp://, nfs:// and cdrom://. Take note that you can use a custom port like 8088.”

##########################################################
#Network install type
network --bootproto=static --ip=10.20.0.1 --gateway=10.20.0.254 --netmask=255.255.255.0 --hostname=vh1.laspina.ca --nameserver=10.20.0.200 --device=vmnic0 --addvmportgroup=0

“This defines our final static IP on the vswif0 management interface of vmnic0 (aka the Service Console) and addvmportgroup=0 disables the default VM network creation.”

##########################################################
# root Password
rootpw changeme

“Obviously this sets the root password. I do not recommend the encrypted password method, however, as it can be reversed with simple tools; it is better to just change the password to a secure one immediately after the install.”

##########################################################
# Authconfig
authconfig --enableshadow --enablemd5

“Enables a local password shadow file and stores the passwords as MD5 hashes.”

##########################################################
# Regional Settings
keyboard us
timezone America/Winnipeg

“Obvious”

##########################################################
# Firewall settings
firewall --allowOutgoing

“Obvious”

##########################################################
# Enable reboot after script
reboot

“Obvious”

##########################################################
# Boot Config
bootloader --location=mbr

“Installs a master boot record on the first disk by default”

##########################################################
# Disk Partitioning
clearpart --firstdisk --overwritevmfs
part /boot       --fstype=ext3    --size=250   --onfirstdisk  --asprimary
part vh1-local0  --fstype=vmfs3   --size=16384 --grow         --onfirstdisk
part None        --fstype=vmkcore --size=100   --onfirstdisk
# Create the vmdk on the cos vmfs partition.
virtualdisk cos --size=8192 --onvmfs=vh1-local0
# Partition the virtual disk.
part / --fstype=ext3 --size=4096 --grow --onvirtualdisk=cos
part swap --fstype=swap --size=256 --onvirtualdisk=cos

“Creates the ESX boot, core dump and VMFS partitions as we would expect. A new partition function is available: we can now create our Console Operating System on a vmdk. Here we are defining a virtual disk vmdk named cos on the VMFS volume vh1-local0. Very cool, the ESX kernel can now snapshot itself. Take note of the --overwritevmfs option: it can wipe out a perfectly healthy production VMFS volume. I recommend that you remove this option once your testing cycle is complete and only add it back when you intend to destroy a confirmed, existing target VMFS volume.”

##########################################################
# Accept the EULA
vmaccepteula

“Obvious”

##########################################################
#
%post --interpreter=bash

“In pre-ESX 4 releases it was not possible to directly configure most of the ESX config elements. ESX 4’s initrd.img contains almost everything you need to configure the host without creating any special first-time startup scripts for the system’s reboot cycle. Now if we could just use vimsh directly … it’s still very cool!”

##########################################################
# Allow hostd etc. some time to load
/usr/bin/sleep 90

“We need to create a delay to allow the VMware processes some time to load; this is required in order to run vim commands. We could have grepped the output of ps, but it still would not tell us it’s ready to accept work, so a simple delay will do. I am using 90 seconds here but some slower servers may require more.”
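
The fixed 90 second sleep can be replaced with a bounded readiness loop: poll until the service answers, and fail loudly if it never does, so a slow server does not silently run the rest of %post against a hostd that is not up yet. The following POSIX shell is an added example written for this post, not part of the original script. It assumes that a cheap vmware-vim-cmd call such as hostsvc/hostsummary only succeeds once hostd is accepting requests; that is an assumption about the tool, not something the post states.

```shell
#!/bin/sh
# wait_for: bounded readiness loop for the %post section.
# Added example for this post, not part of the original vh1.cfg.

# wait_for TIMEOUT INTERVAL CMD [ARGS...]
# Runs CMD every INTERVAL seconds until it exits 0 or TIMEOUT seconds
# have elapsed. Returns 0 when CMD succeeded, 1 on timeout.
wait_for() {
    timeout=$1; interval=$2; shift 2
    elapsed=0
    while ! "$@" >/dev/null 2>&1; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for: $*" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 0
}

# hostd_ready: readiness probe for the VMware host agent.
# Assumption (not from the post): hostsvc/hostsummary is a cheap vim command
# that only returns success once hostd answers requests.
hostd_ready() {
    /usr/bin/vmware-vim-cmd hostsvc/hostsummary >/dev/null 2>&1
}

# Usage in %post, replacing "/usr/bin/sleep 90":
#   wait_for 300 10 hostd_ready || { echo "hostd never came up" >&2; exit 1; }
```

With a 300 second ceiling and a 10 second poll, a fast host proceeds as soon as hostd answers instead of always waiting the full minute and a half, and a host that never gets there leaves a clear message in the install log rather than a string of failed esxcfg and vim commands.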

##########################################################
# Enable Kerberos Auth
/usr/sbin/esxcfg-auth --enablead --addomain=domain.local --addc=domain.local

“Sets up the Linux Pluggable Authentication Module (PAM) to authenticate users against a Windows Domain over Kerberos”

##########################################################
# Add Groups and Users
/usr/sbin/groupadd -g 5000 lg-esxsu
/usr/sbin/useradd -u 501 -G lg-esxsu super1
/usr/sbin/useradd -u 502 -G lg-esxsu super2
/usr/sbin/useradd -u 503 -G lg-esxsu super3

“Creates a local group whose members will have full admin rights to the ESX ha-folder-root and creates three user IDs that are members of the group. These user IDs will be authenticated against the domain.local Windows Domain”

##########################################################
# NTP time config
esxcfg-firewall -e ntpClient
echo restrict default kod nomodify notrap noquery nopeer > /etc/ntp.conf
echo restrict 127.0.0.1 >> /etc/ntp.conf
echo server 10.20.0.200 >> /etc/ntp.conf
echo driftfile /var/lib/ntp/drift >> /etc/ntp.conf
/sbin/chkconfig --level 345 ntpd on
/etc/init.d/ntpd start

“Enables outgoing NTP client port access and builds the ntp.conf file to use a Windows Domain time service, which is important for Kerberos authentication, then starts the NTP client daemon.”

# Create vSwitch0, VMMotion1 and the Service Console port group
/usr/sbin/esxcfg-vswitch -a vSwitch0:64
/usr/sbin/esxcfg-vswitch -A "Service Console" vSwitch0
/usr/sbin/esxcfg-vswitch -A Network-00 vSwitch0
/usr/sbin/esxcfg-vswitch -A VMMotion1 vSwitch0
/usr/sbin/esxcfg-vswitch -p VMMotion1 -v 600 vSwitch0
/usr/sbin/esxcfg-vswitch -p Network-00 -v 700 vSwitch0
/usr/sbin/esxcfg-vswitch -L vmnic1 vSwitch0
/usr/sbin/esxcfg-vswitch -L vmnic0 vSwitch0
/usr/sbin/esxcfg-vswitch -M vmnic0 vSwitch0 -p "Service Console"
/usr/sbin/esxcfg-vswitch -M vmnic0 vSwitch0 -p VMMotion1
/usr/sbin/esxcfg-vswitch -M vmnic1 vSwitch0 -p Network-00

“Defines vSwitch0 for the Service Console and the default gateway IP, vMotion on VLAN 600 with a vMotion IP, and creates a VM network named Network-00. This vSwitch will be further configured for a custom standby adapter during the initial reboot with a post config script”

# Create vSwitch1 for iSCSI traffic
/usr/sbin/esxcfg-vswitch -a vSwitch1:64
/usr/sbin/esxcfg-vswitch -A iSCSI_Initiator vSwitch1
/usr/sbin/esxcfg-vswitch -p iSCSI_Initiator -v 500 vSwitch1
/usr/sbin/esxcfg-vswitch -L vmnic3 vSwitch1
/usr/sbin/esxcfg-vswitch -L vmnic2 vSwitch1
/usr/sbin/esxcfg-vswitch -M vmnic3 vSwitch1 -p iSCSI_Initiator
/usr/sbin/esxcfg-vswitch -M vmnic2 vSwitch1 -p iSCSI_Initiator
/usr/sbin/esxcfg-vmknic -a -i 10.20.10.64 -n 255.255.255.0 iSCSI_Initiator

“Defines vSwitch1 for iSCSI on VLAN 500”

##########################################################
#
%post --interpreter=bash

# Create post config script
cat << EOF > /etc/rc3.d/S99postconf
#!/bin/bash

“Some configuration elements still require a post-reboot run; this statement sends the text that follows to the S99postconf file until the EOF marker is met.”

# Enable TCP outgoing kerberos, there are issues with udp and enable blockOutgoing
/usr/sbin/esxcfg-firewall --openport 88,tcp,out,KerberosClientTCP
/usr/sbin/esxcfg-firewall --blockOutgoing

“Seriously, this is important: UDP Kerberos port 88 is the default with ‘esxcfg-auth --enablead ..’, a bad default! Also the VMware Kerberos client default uses TCP first, and this needs to be fixed as it does not comply with RFC 4120. Even if this works, why would we risk dropping an auth packet, since any fragmented UDP packet would be dropped over VPNs etc. Also turn on the outgoing firewall rules that were disabled previously.”

# Enable VMotion on the VMKernel Interface
/usr/bin/vmware-vim-cmd hostsvc/vmotion/vnic_set vmk1

“Enables vMotion on the vmkernel interface vmk1”

# Define Active and Standby failover for shared vSwitch0
/usr/bin/vmware-vim-cmd hostsvc/net/portgroup_set vSwitch0 'Service Console' --nicorderpolicy-active vmnic0 --nicorderpolicy-standby vmnic1
/usr/bin/vmware-vim-cmd hostsvc/net/portgroup_set vSwitch0 VMMotion1 --nicorderpolicy-active vmnic0 --nicorderpolicy-standby vmnic1
/usr/bin/vmware-vim-cmd hostsvc/net/portgroup_set vSwitch0 Network-00 --nicorderpolicy-active vmnic1 --nicorderpolicy-standby vmnic0

“Here we are overriding our adapter team for vSwitch0 so that we can separate our active traffic on the two adapters while maintaining failover capability.”

# Grant the group named lg-esxsu admin permission to ha-folder-root
/usr/bin/vmware-vim-cmd vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root lg-esxsu true Admin true

“Grants any member of the local group lg-esxsu Administrator permissions on the VMware host”

# Reset system to normal boot mode
echo "Removing automated post script."
rm /etc/rc3.d/S99postconf
EOF
chmod +x /etc/rc3.d/S99postconf

“Obvious”

As you can see the process is quite involved; however, the benefits are outstanding. I can build or recover an ESX 4 host in 10 minutes or less, and I can reconfigure it to a different target with ease.

Hope you found the entry useful and interesting.
Regards,
Mike


Site Contents: © 2009  Mike La Spina

105 Comments

  • […] La Spina has written a nice post about automatic installation of ESX 4.0 hosts utilizing PXE, kickstart and a lot of scripts. Mike […]

  • […] Go here to read the rest: Automating vSphere ESX4 host installations […]

  • Don’t you also need a line to turn on webAccess – as per http://communities.vmware.com/thread/211378 ?

  • Hi Steve,

    VMware changed the default to disabled which is a best practice. If you require it then yes you could certainly add it. I don’t use it on production hosts at all and it is not required to manage a host using a VC or vSphere Client.

    Regards,

    Mike

  • […] Laspina – Automating vSphere ESX4 Host InstallationsThe custom VMware kernel incorporates Linux kickstart scripting functionality to invoke automated […]

  • LevT2 says:

    Hi Mike,
    thanks

    Can you imagine any way to create VMFS with 8M block size while setting up server? (at least) I need it so to rdm 2TB LUN…

    And/Or (at most) set the server up on top of existing partition layout preserving esxconsole VMFS volume
    http://communities.vmware.com/thread/217248?tstart=0 ?

  • Hi,

    The 8MB is not an issue, just define the maxsize parameter which should force the larger allocation unit.

    e.g.

    part storage1 --fstype=vmfs3 --size=8192 --maxsize=2047000 --grow --onfirstdisk

    Alignment is a function that would have to be initiated with fdisk if your storage system does not default to a 64. For the local and boot from SAN methods this would have to be done before the automated ESX run, and then simply do not clear the partitions but build on the existing ones.

    Regards,

    Mike

  • LevT2 says:

    Thanks again, Mike
    one thing remains uncatched by me

    Assume installing ESX on top of existing layout, how to reuse existing esxconsole vmdk or correctly clean up the vmfs partition before creating new one?

  • LevT2 says:

    And what about the %pre kickstart command?
    is it possible to run fdisk here?

    And is it possible to interrupt interactive installation at some such good point and perform partitioning with tty2?

  • I think it would be possible to intervene in the install process but I would personally avoid that hack method completely from a supportability perspective. I suspect you can use the %pre section to process your partition with fdisk but I have not checked myself. In theory the initrd.img should contain the fdisk executable since it is available during the %post install process.

  • You would clean all the partitions with the initial fdisk call and create the boot part with the correct alignment. Then proceed with the automated install and use the part command for any additional ones normally. You cannot save an existing vmfs partition on the same disk if you need to realign because it is part of the initial disk starting block. Hopefully the %pre statement will work which allows the full process to occur within an ESX 4 automated run.

  • LevT2 says:

    Hopefully… But this is overchallenge for me, as I am no more than casual scripter.

    Thank you for understanding the problem.

  • LevT2 says:

    trying in workstation…

    part 'Stor' --fstype=vmfs3 --size=4944 --maxsize=2047000 --grow --onfirstdisk

    this created a standard 1MB block size storage

  • What size of raw disk is the vmfs volume created on? That may restrict the maxsize element.
    There is also the option to create a smaller vmfs for the COS install e.g. 16G and then create a second vmfs volume on the %post install using the S99postconf script which will allow the use of vmkfstools.

  • LevT2 says:

    Thank you again for the directions. May you be more specific?

    What are the raw disk requirements for –maxsize?
    Is there any web example of creating a second vmfs partition on the boot device? (if I’ve caught the point)

  • If the raw disk is smaller than 2TB then the maxsize setting could not occur regardless of what is set at the kickstart command. So that may be why nothing changes. I suspect the best course of action is to use a smaller VMFS volume for the COS and then do the larger one in the S99postconf script so you can use vmkfstools.

  • LevT2 says:

    My personal goal here is to fit ESX in sole SATA drive with RDMs, no local guests are planned, but I definitely need to enable the maximum 2TB mapping size.

    As I’ve taught from past, it is impossible to have two vmfs partitions in one disk. Is this wrong now?

  • TW says:

    Nice stuff, have you thought about incorporating the ability of vSphere Host Profiles to handle most of the ESX configuration and making the KickStart script smaller and more focused on just building the physical ESX Host?

  • Hi,

    Yes .. thanks .. I did think about that method and as well using Power Shell to completely automate installs from a base ESX install. In this case I was trying to provide the ground work so others could get a quick start to some quick and easy automation methods.

    Regards,

    Mike

  • emawah says:

    i was trying to use your ks.cfg and it knocks me out by the network portion of it.
    #Network install type
    network –bootproto=static –ip=10.20.0.1 –gateway=10.20.0.254 –netmask=255.255.255.0 –hostname=vh1.laspina.ca –nameserver=10.20.0.200 –device=vmnic0 –addvmportgroup=0

    copy and pasted as is, i get bogus token found : nameserver= … , same with the rest of the fields
    then i get warnings “unknown arguments bootroto=static to command network”
    i must be missing something very important

  • emawaha says:

    has the “network” portion worked for you ?
    i can’t seem to get it to work

  • Hi, Yes it all works on my systems. The only things changed are the IPs and Names. What editor did you use? You most likely have embedded some html or other characters that Unix does not work with into the cfg file. Also can you try using – – in front of the token e.g. – -nameserver, looks like wp changed it to –

  • Vishy says:

    Hi, I’m having issues with isolinux.cfg when specifying

    label test
    kernel vmlinuz
    append initrd=initrd.img mem=512M quiet ksdevice=eth0 ip=10.0.0.1 netmask=255.255.0.0 gateway=10.0.0.2 dns=10.0.0.102 ks=http://10.0.0.4:8088/vmware/esx40/cfg/ks.cfg

    Problem shows there is a problem with the network device specified on the command line – it comes up with “No NIC found with the name eth0” within ESX. I have tried on VMware workstation and as well as dell server, same issue…any clue?

  • Hi,

    The device may be enumerated as another name like vmnic0, keep in mind that these parameters are passed to a vmware based installation image.

    Regards,

    Mike

  • Nice post. Couple of observations:

    You no longer need the 2nd COS connection for iSCSI. You did in ESX3, but not in ESX4.

    Someone asked how you could do the install interactively. If you use PXE boot via your ILO, but don’t specify a KS file, the installer loads across the network in graphical mode… pretty neat if you want to do a manual install with a DVD…

    Regards
    Mike

  • Thanks Mike,

    I will update the iSCSI network section with a better description, I imported the text from a 3.5 script.
    Nice tip on the manual method over pxe.

    Regards,

    Mike

  • Shilpa says:

    Will this method of scripted installation keep the VMFS intact? I have a lot of VMs on 4.0 and I want to reinstall my system keeping the VMFS as it is. I don’t get the option of Keep VMFS as I used to get for ESX 3.5.

  • Hi,

    Yes this method of scripted install can leave the current VMFS volumes intact. You can use the upgrade option instead of install. Install presumes you are running a clean setup and skips the examination of existing configuration elements.
    See page 46 of the installation guide http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esx_vc_installation_guide.pdf

    Regards,

    Mike

  • Mike says:

    Just a small fyi…. “vmaccepteula” is no longer supported in 4.0 installs – it is just “accepteula” now. (per 4.0 release notes under Installation.)

  • Hi Mike,

    Thanks for the note.

    Yes the vmaccepteula command is deprecated however it is still supported, both accepteula or vmaccepteula are valid and included in the installation documentation on page 48.

    Regards,

    Mike

  • Shilpa says:

    Hi Mike,
    I can’t upgrade my system as I am using beta builds and beta to beta upgrade is not supported, and secondly I want to fresh install my systems for testing and yet keep my VMFS intact. I will try this out..

    Thanks for your response the post is very helpful.

  • Brl says:

    Hi, cool stuff here. We also had problems switching over from automated installation of ESX 3.5 to ESX 4 with the beta. We finished it too. But we still have one little problem left, and also a workaround for it. Sometimes ESX identifies the network cards in a different way, so vmnic0 is not the expected adapter we need for the COS, and the installation fails. So we switched from device=vmnic0 to the MAC address of the adapter we need for the COS. Then the installation failed too, because we also have to change the device in the network section from device=vmnic0 to the MAC address. Now it seems to work, but does anybody know another way to specify the right adapter (identified by MAC) for the COS during installation? Or a way to rename vmnic8 to vmnic0 at the beginning of the installation?
    Regards Bernd

  • Hi,

    If you’re working with the same server hardware then the enumeration of NICs may be more consistent after clearing CMOS.
    This occurs on some systems since they try to keep previously connected hardware options on the same bus resources.

    Regards,

    Mike

  • Ian B says:

    In ESX 3.5 it was possible to use the kssendmac bootstrap command, so that the MAC addresses of all known NICs would be sent a long with the kickstart file request (as HTTP POST params, like “x-rhn-provisioning-mac-0: eth0 mac-address”). I can’t seem to find this functionality for 4.0… is there a different method to use?

    Thanks for your time, and great website!

  • Hi Ian,
    Thanks.
    That function is no longer applicable since the install process uses a custom vmkernel wrapper setup process.
    You can pass it to the vmkernel image but it will likely not parse it as a known parameter.
    What were you hoping to use it for?

    Regards,

    Mike

  • Andy says:

    Mike,

    Just like Ian, I’m interested in this. Since you can no longer interactively set IP information by leaving network info blank during a scripted install, I’d like to grab the IP information from the bootstrap command to apply to the service console during setup. We’d really like the ability to set the service console NIC information without having to go through the hassle of setting up a deployment appliance. Any ideas?

    Thanks!

  • Andy,

    You do not need to pass the bootstrap info into the syslinux image to assign an IP to the COS. This can be accomplished by using DHCP on the network you are using. For example, define the ks script to use vmnic0 and DHCP; the console will use its DHCP assigned address. You could alternately experiment with the IPAPPEND 2 statement to see if it passes the syslinux eth0 IP to the console. Normally that is used with a PXE boot function. I have not tried it with a USB boot but there is a possibility that it will work.

    The ks script would look like the following:

    network --bootproto=dhcp --device=vmnic0 --hostname=vh1.laspina.ca

  • Andy says:

    Yeah, I’m aware of the DHCP option. Unfortunately, no DHCP server in this environment. I’ll experiment with the IPAPPEND to see if it’ll work. As an alternative, I might have my http server hosting the cfg file dynamically create it based on the requesting IP address in the host header.

  • Mark says:

    Can you still use esxcfg-auth --maxfailedlogins=3 to set the maximum number of attempts? I’ve tried this on my systems (vSphere) and it states “unknown option”….??

  • Hi,

    Yep. Gone. Use the /etc/pam.d/system-auth-local settings to control login sessions or, if you’re using AD, spec the number of retries there.

    Regards,

    Mike

  • Mark says:

    What if I’m not using AD?? Same file..?

  • Hi,

    Ok, maybe a better explanation of how it works will help.

    The esxcfg-auth python script just makes it easy for admins to edit the COS security environment. The script encapsulates the functions for security admin within a VMware centric scope. The script makes changes to a variety of areas including the pluggable authentication module daemon files based on parsing its text input stream.

    In the case of ESX 3.x the maxfailedlogins parm is defined as the following call:

    Managers['PAM'].AddModule('/lib/security/pam_tally.so', 'account', 'required', 'deny=%i no_magic_root' % value, 0)

    This is applied to the /etc/pam.d/system-auth file and would appear as the following text entry.

    auth required /lib/security/pam_tally.so deny=% no_magic_root reset

    where % is the count value you enter.

    In the case of ESX 4 the script incorporates advanced security functions but omits the maxfailedlogins function and also splits out vpxuser (which is an agent application connection) from all other users. If you wish to control remote logins you would add the pam_tally module construct to the system-auth-generic file if you wish to control local login then add it to the system-auth-local file.

    Here is the ESX 4 user pam login mapping.

    cat /etc/pam.d/login.map
    vpxuser : system-auth-local
    * : system-auth-generic

    Active Directory auth uses the pam_krb5 module and does not handle the option locally, it will just receive a krb5 ticket based on the authentication the remote servers actions.

    Regards,

    Mike
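
The pam_tally construct from the reply above can be applied without hand-editing, and idempotently, so it can live in the S99postconf script and be re-run safely. The following POSIX shell is an added example written for this post, not code from the post or the comment: it inserts the lockout line ahead of the first auth entry so that pam_tally sees every failed attempt before pam_unix or pam_krb5 answers, refuses to add a second copy, and reads the configured count back for verification. The PAM file in the test is constructed; the real targets are the /etc/pam.d/system-auth-generic and system-auth-local files named in the reply.

```shell
#!/bin/sh
# pam_tally helper: add a failed-login lockout to a PAM stack file.
# Added example for this post, not part of the original script or comment.

# pam_add_tally FILE COUNT: insert the pam_tally line before the first "auth"
# entry so it runs ahead of pam_unix/pam_krb5 and counts every failure.
# Does nothing (exit 0) if FILE already references pam_tally.so.
pam_add_tally() {
    file=$1; count=$2
    case $count in
        ''|*[!0-9]*) echo "pam_add_tally: COUNT must be a positive integer" >&2; return 2 ;;
    esac
    if grep -q 'pam_tally\.so' "$file"; then
        echo "$file: pam_tally already configured, leaving as is" >&2
        return 0
    fi
    line="auth        required      /lib/security/pam_tally.so deny=$count no_magic_root reset"
    tmp=$(mktemp) || return 1
    awk -v l="$line" '
        !done && $1 == "auth" { print l; done = 1 }
        { print }
        END { if (!done) print l }      # no auth entries at all: append
    ' "$file" > "$tmp"
    # Overwrite in place so the original file keeps its ownership and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# pam_tally_deny FILE: print the deny= count currently configured, or nothing.
pam_tally_deny() {
    sed -n 's/.*pam_tally\.so.*deny=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Usage in S99postconf (remote, non-vpxuser logins per the login.map above):
#   pam_add_tally /etc/pam.d/system-auth-generic 3
```

Apply it to system-auth-generic first: per the login.map shown above, system-auth-local is the stack the vpxuser agent connection maps to, and a lockout there can take the Virtual Center agent down with it, so treat that file separately and test the effect on VC connectivity before rolling it out.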

  • Mark says:

    That was awesome. I’ve looked everywhere for this information and it clears up a lot! Where do you get your information? Rather, how do you find this type of detailed information??

    Thanks again!
    mark

  • Richard G says:

    Hi Mike,
    The nightmare I am having is with partitioning my HDDs. At present we have HP hardware Generation 4-5-6, HP DL580-G5, HP DL370-G6; the G5 works fine with clearpart --drives=mpx.vmhba0:C0:T0:L0,mpx.vmhba0:C0:T1:L0 and it does not work on the G6. So I am assuming mpx is the driver the install is using. I know this would be a lot easier if I just used one disk for everything, but our policy has been to use two: one for vmkcore and swap, one for the vmfs esxconsole. I guess my question is, is there a way to determine what kind of drive is being used? The rest of my script works like a charm, creating switches, nics, everything.
    Oh, here is another disk as well: where is ESX getting naa:465783b57392 from??
    Any help or info would be much appreciated.
    Thanks.

  • Hi Richard,

    I do have some info for you that should help resolve this issue.
    The install script partition command will accept any valid vml based disk identifier, in vmkernel terms this translates to a series of interchangeable values which you can find in this document KB1014953

    So in other words the vml.value:1 is treated the same as an mpx.value:1 and as well naa.value:1

    Hope that helps.

    Regards,

    Mike

  • Mike D says:

    This reference has great information, thanks so much. We have been out on the web, in the VMware communities, and seen other people with our same issue, but slightly different. We are booting from the original ESX media and using the USB KS as a reference to get our KS.cfg from an ftp repository (which is also where the install media is). The process works to pull the KS.cfg file, but we receive the error ‘no cos nics have been added by the user’. Everything we have found about this error points to either PXE and the use of IPAPPEND or that the error can be ignored and the install will continue. We are not using PXE and the install does not continue.

    We have tried the less is more approach and commented out the bulk of our config, feeling that the problem has to be in the config file somewhere. We have also disabled our 2nd onboard NIC in hopes of eliminating that as a potential issue. We’re not even sure what direction to take at this point, but if you can provide any help or info it would be much appreciated.

    Thanks,
    Mike

  • Hi Mike,

    The “no cos nics have been added by the user” message will not prevent you from running a remote ks script over ftp. The message is issued when there are no assigned cos nics, and it will continue by assigning one using an IP you statically set or obtained with DHCP for the network install ks statement’s parameter of --device=vmnic0.

    The issue is more likely access to the ftp instance or the source repository files. Can you connect to your ftp site with a browser or an ftp client?

    Regards,

    Mike

  • […] level of documentation on the subject.  This best beginning source of information for me was this blog….. and it is from here that the following excerpt was taken to help remind me of the basiss […]

