Go through the scripted installation via the VI web page on a host. It can encrypt your password for you in that ks.cfg file. Then you can take that string and paste it into your own ks.cfg files. There is definitely no reason to use plaintext.
Hi Thomas, I have already done all that and that is not my problem. I don't think I explained my problem/concern very well. I have used the wizard and have my ks.cfg file with the encrypted password and I am happy with all of that.
The problem is we could end up having any of over 30 people build ESX server depending on people's availability. The issue is ensuring that only the bare minimum of people have access to the root password, i.e. the core team responsible for the initial setup and day-to-day maintenance of the environment. What I was hoping to do was make an addition to the ks.cfg file that creates an additional "build" account that the person building the server could use so they would never need to know the root password.
So far I guess I am looking at using a script that is executed at the post section of the ks.cfg file. I was just hoping to make it all in one.
After I have the account then the only other thing I need to do is restrict what it can do.
Working in a security-conscious environment means we have to restrict rights and access wherever possible.
If what I am hoping to achieve is not possible then I was planning on building the server with a less secure password, then providing the engineer with a script to run following the first boot that creates the account with the correct limited rights and changes the root password.
I just thought, seeing the growing usage and community, I would not be the first or only person trying to achieve this, so I would see what anyone else has tried.
In the post section of the ks.cfg file, add the command useradd to add the users.
So I can just add commands there as if being run from the shell?
1 person found this helpful
That or you can use rc.local to run scripts or add commands. Just make sure you create a backup of rc.local first, so when the scripts or commands are done you can restore the original rc.local; otherwise those scripts or commands will run every time ESX boots.
1 person found this helpful
Yup, you can add users there. Additionally I create scripts for after the first reboot that add AD authentication in for those users I create.
Any chance of getting hold of that script, as that would be a massive help, although I did find the thread earlier that detailed what was needed.
Thank you both for your help
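The rc.local backup-and-restore approach suggested earlier in this thread, sketched as an added example that is not code from any of the posters: the hook is armed once from %post, and the first-boot script restores the original rc.local so nothing reruns on later boots. The default rc.local path and the first-boot script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one-shot first-boot hook through rc.local.
# RC_LOCAL's default path is an assumption; point it at a scratch copy to try this out.
RC_LOCAL="${RC_LOCAL:-/etc/rc.d/rc.local}"

# Run from %post: keep a pristine copy of rc.local, then append the hook.
# $1 = path of the first-boot script (hypothetical, e.g. /root/firstboot.sh)
arm_firstboot() {
    backup="${RC_LOCAL}.orig"
    # Arming twice would replace the pristine backup with the hooked file.
    if [ -e "$backup" ]; then
        echo "already armed: $backup exists" >&2
        return 1
    fi
    cp -p "$RC_LOCAL" "$backup" || return 1
    printf '\n# one-shot first-boot hook\n%s\n' "$1" >> "$RC_LOCAL"
}

# Put the original rc.local back so the hook cannot run on later boots.
disarm_firstboot() {
    backup="${RC_LOCAL}.orig"
    if [ ! -e "$backup" ]; then
        echo "no backup at $backup" >&2
        return 1
    fi
    # rename within one directory: rc.local is never left half-written
    mv -f "$backup" "$RC_LOCAL"
}

# Body of the first-boot script: run the given command, then always restore
# rc.local, and hand back the command's exit status for logging.
run_firstboot() {
    status=0
    "$@" || status=$?
    disarm_firstboot || return 1
    return "$status"
}
```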
Call me stupid, but I've searched high and low for a solution to enabling the scripted install feature via the web interface in ESX 3.0.1. When I click on the wizard link here is the message I get: Google reveals nothing on this error.
Scripted Install is disabled
Message: Your ESX Server is not configured to support scripted installations. To support scripted installations, please refer to the VMware Web Access Administrators Guide.
VMware Web Access
In 2.5.x I could run the scriptedinstall-setup.pl script to enable it. How is this done in 3.0? The Web Access Administrators Guide does not have anything in it about this that I can find.
Enabling Scripted Installation
Once you have installed ESX Server 3.0.1 on a system, you must enable the scripted installation feature before you can use Web Access to create an installation script.
To enable scripted installation
1 Log in to the ESX Server 3.0.1 service console as root.
2 Open the file /usr/lib/vmware/webAccess/tomcat/apache-tomcat-5.5.17/webapps/ui/WEB-INF/struts-config.xml in a text editor such as vi.
3 Locate the scripted section.
4 Comment out the line reading:
6 Save and close the file.
7 Type service vmware-webAccess restart.
Thanks! Where did you find this doc? It was likely on VMTN and I never found it.
Yeah, where did you find this??? I had the same problem and couldn't find it in any doc. Thanks for the steps!
How do you comment out? Having a blonde moment big style.
With most scripts, simply adding a # at the start of a line will comment out the line.