Archives For February 2012

More HP sauce on ESXi 5.0

February 24, 2012 — 3 Comments

On my first post about HP ESXi 5.0 customized image I discussed about the new esxcli namespaces added by HP. But those tools aren’t the only ones included.

If you list the software bundles and filter the output to display only the included by HP will notice an hponcfg package.

~ # esxcli software vib list |grep Hewlett
char-hpcru            5.0.0.8-1OEM.500.0.0.434156         Hewlett-Packard     PartnerSupported  2011-05-24 
char-hpilo            500.9.0.0.8-1OEM.500.0.0.434156     Hewlett-Packard     PartnerSupported  2011-05-24 
hp-smx-provider       500.02.10.13.44-434156              Hewlett-Packard     VMwareAccepted    2011-05-24 
hpbootcfg             01-00.10                            Hewlett-Packard     PartnerSupported  2011-05-24 
hponcfg               03-02.04                            Hewlett-Packard     PartnerSupported  2011-05-24 
~ #

Hponcfg, also included on ProLiant Support Pack for Linux, is a tool that enable a System Administrator to manage the iLO of a ProLiant server from the operative system.

~ # esxcli software vib get -n hponcfg
Hewlett-Packard_bootbank_hponcfg_03-02.04
   Name: hponcfg
   Version: 03-02.04
   Type: bootbank
   Vendor: Hewlett-Packard
   Acceptance Level: PartnerSupported
   Summary: HP ProLiant Lights-Out Configuration Utility for ESXi
   Description: HP ProLiant Lights-Out Configuration Utility for ESXi
   Release Date: 2011-08-09
   Depends:
   Conflicts:
   Replaces:
   Provides:
   Maintenance Mode Required: False
   Hardware Platforms Required: HP, Hewlett-Packard Company, Hewlett-Packard, hp
   Live Install Allowed: False
   Live Remove Allowed: False
   Stateless Ready: True
   Overlay: False
   Tags:
   Payloads: hponcfg
~ #

The tool is located at /opt/hp/tools.

/opt/hp/tools # ls
hpbootcfg         hpbootcfg_esxcli  hponcfg
/opt/hp/tools #

Launch the utility without arguments and you will get the usage and it will also display current firmware version of the iLO.

/opt/hp/tools # ./hponcfg
HP Lights-Out Online Configuration utility
Version 3.2-4 (c) Hewlett-Packard Company, 2011
Firmware Revision = 1.26 Device type = iLO 3 Driver name = hpilo
USAGE:
  hponcfg  -?
  hponcfg  -h
  hponcfg  -m minFw
  hponcfg  -r [-m minFw ]
  hponcfg  [-a] -w filename [-m minFw]
  hponcfg  -g [-m minFw]
  hponcfg  -f filename [-l filename] [-s namevaluepair] [-v] [-m minFw]
  hponcfg  -i [-l filename] [-s namevaluepair] [-v] [-m minFw]
  -h,  --help           Display this message
  -?                    Display this message
  -r,  --reset          Reset the Management Processor to factory defaults
  -f,  --file           Get/Set Management Processor configuration from "filename"
  -i,  --input          Get/Set Management Processor configuration from the XML input
                        received through the standard input stream.
  -w,  --writeconfig    Write the Management Processor configuration to "filename"
  -a,  --all            Capture complete Management Processor configuration to the file.
                        This should be used along with '-w' option
  -l,  --log            Log replies to "filename"
  -v,  --xmlverbose     Display all the responses from Management Processor
  -s,  --substitute     Substitute variables present in input config file
                        with values specified in "namevaluepairs"
  -g,  --get_hostinfo   Get the Host information
  -m,  --minfwlevel     Minimum firmware level
/opt/hp/tools #

As a non intrusive example you can use -g switch to get the server info.

/opt/hp/tools # ./hponcfg  -g
HP Lights-Out Online Configuration utility
Version 3.2-4 (c) Hewlett-Packard Company, 2011
Firmware Revision = 1.26 Device type = iLO 3 Driver name = hpilo
Host Information:
                        Server Name: esxi01.hp.local
                        Server Number:
/opt/hp/tools #

I’ll let you to investigate the rest of the options carefully.

Juanma.

Quietly released by HP less than a week ago, the HP iLO Mobile Application for iOS allows you to control your ProLiant server through their iLO console from your iOS device. It is compatible with iPhone 4/4S and iPad 1/2 and can be found on Apple AppStore.

The application is much more than a simple remote console to access the operating system running on the server. You can operate the power controls of the server, mount ISO images, access and interact with the iLO web interface and even launch iLO scripts from your mobile device.

Of course you can also store a list of the servers to manage and save the login the credentials for each of them.

The product page can be accessed here on the HP site. There is also a user guide with useful info and tips.

Following are a couple of screenshot from the app running on my iPad and another one taken from HP with the output generated by an iLO3 script.

Main screen

photo 1

Configure iLO screen

photo 2

iLO script output

iLO3-script

Juanma.

Last night during a patching job in a customer I found the following error for several VMs when I put a host in maintenance mode and DRS tried to evacuate the virtual machines to the other nodes of the cluster.

image

Very strange since as far as I could see the virtual machines were running without errors, I was logged into some of them through SSH, and they also appeared as powered on in vSphere Client.

I decided to go to Tech Support Mode on the ESXi and check the virtual machine power state.

image

Everything looked exactly as it should be, no error logs, nothing. At this point I decided to restart the ESXi management agents.

image

And it worked, after a few seconds I was able to perform a successful vMotion and the host could be evacuated.

Juanma.

suse_linux_logo1Getting SUSE Enterprise Linux integrated with Microsoft Active Directory is much easier than it sounds.

There are a few prerequisites to meet before:

  • Samba client must be installed.
  • Packages samba-winbind and krb5-client must be installed.
  • The primary DNS server must be the Domain Controller.

For this task we will use YaST2, the SUSE configuration tool.

YaST2 can be run either in graphical…

Screenshot-YaST2 Control Center-1

…or in text mode.

YaST2_text_mode

I decided to use the text mode since it will be by far the most common use case, anyway in both cases the procedure is exactly the same.

Go to Network Services section and later select Windows Domain Membership. The Windows Domain Membership configuration screen will appear.

In the Membership area enter the domain name and configure the options that best suit your environment, including the other sections of the screen.

YaST2_WinDom_config

I configure it to allow SSH single sign-on, more on this later, and to create a home directory for the user on his first login.

You should take into account the NTP configuration since it’s a critical component in Active Directory authentication.

Select OK to acknowledge your selection and a small pop-up will show up to inform that the host is not part of the domain and if you want to join it.

YaST2_domain_confirmation

Next you must enter the password of the domain Administrator.

YaST2_domain_admin_password

And YaST will finally confirm the success of the operation.

YaST2_domain_joined

At this point the basic configuration is done and the server should be integrated on the Windows Domain.

Under the hood this process has modified several configuration files in order the get the system ready to authenticate against Active Directory:

  • smb.conf
  • krb5.conf
  • nsswitch.conf

smb.conf

The first is the configuration file for the samba service. As you should know Samba is an open source implementation of the Windows SMB/CIFS protocol, it allows Unix systems to integrate almost transparently into a Windows Domain infrastructure and also provides file and print services for Windows clients.

The file resides in /etc/samba. Take a look at the contents of the file, the relevant part is the global section.

[global]
        workgroup = VJLAB
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = VJLAB.LOCAL
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes

krb5.conf

The krb5.conf is the Kerberos daemon configuration file which contains the necessary information for the Kerberos library.

jreypo@sles11-01:/etc> cat krb5.conf
[libdefaults]
        default_realm = VJLAB.LOCAL
        clockskew = 300
[realms]
        VJLAB.LOCAL = {
                kdc = dc.vjlab.local
                default_domain = vjlab.local
                admin_server = dc.vjlab.local
        }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .vjlab.local = VJLAB.LOCAL
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                minimum_uid = 1
        }
jreypo@sles11-01:/etc>

nsswitch.conf

The nsswitch.conf file as stated by its man page is the System Databases and Name Service Switch configuration file. Basically it includes the different databases of the system to look for authentication information when user tries to log into the server.

Have a quick look into the file and you will notice the two fields changed, passwd and group. In both the winbind option has been added in order to indicate the system to use Winbind, the Name Service Switch daemon used to resolve NT server names.

passwd: compat winbind
group:  compat winbind

SSH single sign-on

Finally we need to test the SSH connection to the host using a user account of the domain. When asked for the login credentials use the DOMAIN\USER formula for the user name.

SSH_auth

This kind of integration is very useful, specially for the bigger shops, because you don’t have to maintain the user list of your SLES servers individually, just only the root account since the other accounts can be centrally managed from the Windows Domain.

However there is one issue that must be taken into account, the SSH single sign-on authentication means that anyone with a domain account can log into your Linux servers and we don’t want that.

To prevent this potentially dangerous situation we are going to limit the access only to those groups of users that really need it. I’m going to use the Domain Admins to show you how.

First we need to look for the Domain Admins group ID within our Linux box. Log in as DOMAIN\Administrator and use the id command to get the user info.

VJLAB\administrator@sles11-01:~> id
uid=10000(VJLAB\administrator) gid=10000(VJLAB\domain users) groups=10000(VJLAB\domain users),10001(VJLAB\schema admins),10002(VJLAB\domain admins),10003(VJLAB\enterprise admins),10004(VJLAB\group policy creator owners)
VJLAB\administrator@sles11-01:~>

There are several group IDs, for our purposes we need the VJLAB\domain admins which is 10002.

You should be asking yourself, but the GID is not 10002 but 10000? Yes you are right and because of that we need to make some changes at Domain Controller level.

Fire up Server Manager and go to Roles –> Active Directory Domain Services –> Active Directory Users and Computers –> DOMAIN –> Users.

server_manager

On the right pane edit the properties of the account you want to be able to access the linux server via SSH. In my case I used my own account juanma. In the Member of tab select the Domain Admins group and click Set Primary Group.

member_of

Now we need to modify how the pam daemon manage the authentication. Go back to SLES and edit /etc/pam.d/sshd.

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session

Delete the account line and add the following two lines.

account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so gid = 10002

The sshd file should look like this:

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so gid = 10002
password include        common-password
session  required       pam_loginuid.so
session  include        common-session

What we did? First eliminated the ability to login via SSH for every user and later we allow the server local users and the Domain Admins to log into the server.

And we are done. Any comment would be welcome as always :-)

Juanma.