Hi All,
I have spent the better part of today scripting a kickstart file from the UDA app to completely build our ESX hosts with great consistency. Everything works great... but no patching...
Can anyone possibly advise how they've incorporated unattended patching into the Post section of the kickstart file?
Cheers,
Sam
The esx-autopatch perl script (http://www.vmprofessional.com/) works a treat for me.
This is my Post section.
It DLs Dominic's excellent Perl script to a Utils dir and runs it.
If you use IIS you will need to rename the Perl file to a different file type, because IIS will reformat it to Windows text if you don't. You can see where I rename it back in the script.
You will need to set up the http or ftp server as described in his documentation.
%post
# Your postinstall script goes here!
# Quoted delimiter (\EOF1) so $ and backticks are written literally into esxcfg.sh
cat > /tmp/esxcfg.sh <<\EOF1
#!/bin/sh
# DANGEROUS Allow ROOT access using SSH
echo "WARNING - COMPUTER MISUSE ACT 1990" > /etc/ssh/banner
echo " " >>/etc/ssh/banner
echo "You will commit a criminal offence blah blah." >> /etc/ssh/banner
echo " " >> /etc/ssh/banner
echo "The penalty is a FINE, IMPRISONMENT or DEATH.." >> /etc/ssh/banner
echo " " >> /etc/ssh/banner
echo "Or Being called a Moron blah blah" >> /etc/ssh/banner
echo " " >> /etc/ssh/banner
echo "If you are acting blah blah DO NOT PROCEED any further." >> /etc/ssh/banner
echo " " >> /etc/ssh/banner
echo "If you are acting within your authority please blah blah." >> /etc/ssh/banner
echo " " >> /etc/ssh/banner
echo "banner /etc/ssh/banner" >> /etc/ssh/sshd_config
esxcfg-auth --usecrack=3 8 0 0 0 0
sed -e 's/PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
mv -f /etc/ssh/sshd_config.new /etc/ssh/sshd_config
service sshd restart
sleep 20
# Configure ESX Server NICs and Portgroups
esxcfg-vswif -d vswif0
esxcfg-vswif -a vswif0 -p "Service Console" -i xxx.xxx.xxx.xxx -n xxx.xxx.xxx.xxx -b xxx.xxx.xxx.xxx
esxcfg-vswitch -v xxx -p "Service Console" vSwitch0
esxcfg-vswitch -A vmotion vSwitch0
esxcfg-vswitch -v xxx -p vmotion vSwitch0
esxcfg-vmknic -a vmotion -i xxx.xxx.xxx.xxx -n xxx.xxx.xxx.xxx
esxcfg-vswitch -a vSwitch1
esxcfg-vswitch -L vmnic1 vSwitch1
esxcfg-vswitch -A int-prd vSwitch1
esxcfg-vswitch -v xxx -p int-prd vSwitch1
esxcfg-vswitch -A int-dev vSwitch1
esxcfg-vswitch -v xxx -p int-dev vSwitch1
esxcfg-vswitch -A cboki vSwitch1
esxcfg-vswitch -v xxx -p cboki vSwitch1
esxcfg-vswitch -A clustering vSwitch1
esxcfg-vswitch -v xxx -p clustering vSwitch1
esxcfg-vswitch -A hrc vSwitch1
esxcfg-vswitch -v xxx -p hrc vSwitch1
esxcfg-vswitch -A mgmt vSwitch1
esxcfg-vswitch -v xxx -p mgmt vSwitch1
esxcfg-vswitch -A pxe vSwitch1
esxcfg-vswitch -v xxx -p pxe vSwitch1
#service network restart
vimsh -n -e "/internalsvc/refresh_network"
sleep 30
# Add Secondary & Tertiary DNS settings
echo nameserver xxx.xxx.xxx.xxx >> /etc/resolv.conf
echo nameserver xxx.xxx.xxx.xxx >> /etc/resolv.conf
# Enable vMotion
vimsh -n -e "/hostsvc/vmotion/vnic_set portgroup2"
# add dns entries for new server.
nsupdate << EOF4
server web-nrt-dc1.webservices.nrt
prereq nxdomain int-esx4b.webservices.nrt
zone webservices.nrt
update add int-esx4b.webservices.nrt 86400 A xxx.xxx.xxx.xxx
send
zone xxx.xxx.xxx.in-addr.arpa
update add xxx.xxx.xxx.xxx.in-addr.arpa 600 IN PTR int-esx4b.webservices.nrt.
send
EOF4
# Fetch esx-autopatch.pl (served as .test so IIS does not rewrite it) and rename it back
mkdir /Utils/
cd /Utils/
esxcfg-firewall --allowOutgoing
lwp-download http://xxx.xxx.xxx.xxx:8080/utils/esx-autopatch.test
esxcfg-firewall --blockOutgoing
mv -f ./esx-autopatch.test ./esx-autopatch.pl
EOF1
sleep 3
# Backup original rc.local file
cp /etc/rc.d/rc.local /etc/rc.d/rc.local.bak
# run esxcfg.sh and esx-autopatch.pl from rc.local and make rc.local reset itself
cat >> /etc/rc.d/rc.local <<\EOF2
# Make esxcfg.sh executable
chmod +x /tmp/esxcfg.sh
cd /tmp/
./esxcfg.sh
sleep 20
cd /Utils/
# make esx-autopatch.pl executable
chmod +x /Utils/esx-autopatch.pl
./esx-autopatch.pl --http --open-firewall --no-mm
# restore the original rc.local so this block only runs on the first boot
mv -f /etc/rc.d/rc.local.bak /etc/rc.d/rc.local
# shutdown -r
EOF2
cp -f /etc/rc.d/rc.local /tmp/rc.sh
Yes, thanks guys. The problem I'm running into now is that I don't have an NFS/HTTP/FTP share to copy over the config files that run my post. My shell scripts have no problem being created using:
echo 'script script script script' >> config.sh
but I cannot output esx-autopatch.pl the same way. Does anyone know how I could redirect the output of a Perl script to a file's contents? As I need to add the file to the rc.local.
Also tried this, but it seems to strip any var strings out, so $test would not be present in the file:
cat >> esxupdate.pl <<EOF1
Hello,
cat >> esxupdate.pl <<EOF1>
Should work as long as you drop the trailing >.
cat >> esxupdate.pl <<EOF1
... script
EOF1
Note that anything that could be shell expanded will need to be escaped... $ is a big one. You should be able to extract your %POST section and run it from the command line with no errors. If you have errors you need to fix them before using the script.
If it was me, I would create a small Linux VM to act as an HTTPD server so you can just download the stuff you need.
Best regards,
Edward
Well, I caved and just set up an IIS web server to host all the files. So everything in my build works wonderfully except executing the esx-autopatch.pl script.
When it's called in rc.local, what user credentials will it use? I'm assuming root is the only user able to make such changes, but does anyone know how to log in as root and then run the post??
Texiwill, thanks for your advice. So I've got it working, but what do you mean by:
"Note that anything that could be shell expanded will need to be escaped... $ is a big one."
Because any file I output using:
cat >> esxupdate.pl <<EOF1
end up fine, but NO variables are in there: e.g. $VMIP or $VMDNS will not show up. I haven't used shell scripting in about 8 years so I'm kinda rusty, but is the escape character not a slash \ ??
Cheers,
Sam
Use << \EOF1
This will save your $ variables.
Will this escape other characters too, such as command subs ` `?
Thanks,
Sam
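As an added example that is not from any post in this thread, the script below writes one heredoc body three ways, unquoted (`<<EOF1`), quoted (`<<\EOF1`) and unquoted with each `$` and backtick escaped by hand, then prints what actually reached the file; VMIP, VMDNS and the file names are constructed sample values. It goes slightly beyond the `$` case by covering the backtick command substitution asked about above: the quoted delimiter protects it in exactly the same way.

```shell
#!/bin/sh
# Added example, not from any post in this thread: the same heredoc body
# written three ways, to show what <<EOF1 vs <<\EOF1 does to $VARs and `cmd`.
# VMIP, VMDNS and the output file names are constructed sample values.

VMIP="10.0.0.5"      # stand-ins for the variables the thread says went
VMDNS="dns.example"  # missing from the generated file

# Unquoted delimiter: the shell expands $VAR and `cmd` and consumes
# backslashes before the text reaches the file.
write_unquoted() {
    cat > "$1" <<EOF1
ip=$VMIP dns=$VMDNS host=`echo HOSTX` lit=\$VMIP
EOF1
}

# Quoted delimiter (<<\EOF1 or <<'EOF1'): the body is copied verbatim, so
# $VMIP, $VMDNS, the backticks and the backslash all survive into the file.
write_quoted() {
    cat > "$1" <<\EOF1
ip=$VMIP dns=$VMDNS host=`echo HOSTX` lit=\$VMIP
EOF1
}

# Unquoted delimiter with each $ and ` escaped by hand: same result as the
# quoted form, but every special character must be found and escaped.
write_escaped() {
    cat > "$1" <<EOF1
ip=\$VMIP dns=\$VMDNS host=\`echo HOSTX\`
EOF1
}

# First line of a written file, so callers can compare the three results.
first_line() {
    head -n 1 "$1"
}

# Write all three variants and print what actually landed in each file.
show_heredoc_forms() {
    t=${TMPDIR:-/tmp}/heredoc_demo.$$
    for form in unquoted quoted escaped; do
        "write_$form" "$t.$form"
        printf '%-9s %s\n' "$form:" "$(first_line "$t.$form")"
        rm -f "$t.$form"
    done
}

show_heredoc_forms
```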
Now that everything's working... (and thank you all for the great help)
Is there any way that after the install you don't see the main boot-up screen and instead see the scripts running? So you have an idea of how far into the install it is?
Possibly send an email notification as a 2nd resort, but I just want to avoid sitting around for 2 hours waiting for the complete patching process to finish.
Cheers,
Sam