More HP sauce on ESXi 5.0
In my first post about the HP customized ESXi 5.0 image I discussed the new esxcli namespaces added by HP, but those tools aren't the only ones included.
If you list the installed software bundles (VIBs) and filter the output to show only those provided by HP, you will notice an hponcfg package.
~ # esxcli software vib list | grep Hewlett
char-hpcru        5.0.0.8-1OEM.500.0.0.434156      Hewlett-Packard  PartnerSupported  2011-05-24
char-hpilo        500.9.0.0.8-1OEM.500.0.0.434156  Hewlett-Packard  PartnerSupported  2011-05-24
hp-smx-provider   500.02.10.13.44-434156           Hewlett-Packard  VMwareAccepted    2011-05-24
hpbootcfg         01-00.10                         Hewlett-Packard  PartnerSupported  2011-05-24
hponcfg           03-02.04                         Hewlett-Packard  PartnerSupported  2011-05-24
~ #
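The acceptance level column is worth more than a glance: it records who signed each VIB. VMwareCertified and VMwareAccepted packages are signed by VMware, PartnerSupported ones (all the HP packages above except hp-smx-provider) by the partner, and CommunitySupported ones by nobody VMware vouches for. As an added example, my own code and not part of the original post or of anything HP or VMware ship, here is a small POSIX shell filter that reads esxcli software vib list output and reports every VIB ranked below a minimum level you choose. The listing embedded in the script is constructed from the output above, with the two header lines esxcli prints before the rows.

```sh
#!/bin/sh
# Added example, not from the original post: report VIBs whose acceptance level
# is below a chosen minimum. Rank order, highest first:
#   VMwareCertified > VMwareAccepted > PartnerSupported > CommunitySupported
# SAMPLE_VIB_LIST is constructed from the listing in the post, plus the two
# header lines that "esxcli software vib list" prints before the rows.
SAMPLE_VIB_LIST='Name             Version                          Vendor           Acceptance Level  Install Date
---------------  -------------------------------  ---------------  ----------------  ------------
char-hpcru       5.0.0.8-1OEM.500.0.0.434156      Hewlett-Packard  PartnerSupported  2011-05-24
char-hpilo       500.9.0.0.8-1OEM.500.0.0.434156  Hewlett-Packard  PartnerSupported  2011-05-24
hp-smx-provider  500.02.10.13.44-434156           Hewlett-Packard  VMwareAccepted    2011-05-24
hpbootcfg        01-00.10                         Hewlett-Packard  PartnerSupported  2011-05-24
hponcfg          03-02.04                         Hewlett-Packard  PartnerSupported  2011-05-24'

# vibs_below_level MIN_LEVEL < vib-list
# Prints "name acceptance-level" for each VIB ranked below MIN_LEVEL.
# The acceptance level is taken as the next-to-last field because the vendor
# column may contain spaces in real output; the install date is always last.
vibs_below_level() {
    awk -v minlevel="$1" '
        function rank(l) {
            if (l == "VMwareCertified")    return 4
            if (l == "VMwareAccepted")     return 3
            if (l == "PartnerSupported")   return 2
            if (l == "CommunitySupported") return 1
            return 0                       # unknown or garbled: treat as lowest
        }
        BEGIN { min = rank(minlevel) }
        $1 == "Name" || $1 ~ /^-+$/ || NF < 5 { next }   # header, separator, junk
        rank($(NF-1)) < min { print $1, $(NF-1) }
    '
}

# count_below_level MIN_LEVEL < vib-list : number of offending VIBs
count_below_level() {
    vibs_below_level "$1" | wc -l | tr -d ' '
}

# Demo on the constructed listing: everything VMware itself did not sign.
# On a real host: esxcli software vib list | vibs_below_level VMwareAccepted
printf '%s\n' "$SAMPLE_VIB_LIST" | vibs_below_level VMwareAccepted
```

Pair it with esxcli software acceptance get, which prints the level the host itself enforces: a host set to PartnerSupported installs every VIB in the listing above, while one set to VMwareAccepted would refuse the four PartnerSupported HP packages.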
Hponcfg, also included in the ProLiant Support Pack for Linux, is a tool that enables a system administrator to manage the iLO of a ProLiant server from the operating system.
~ # esxcli software vib get -n hponcfg
Hewlett-Packard_bootbank_hponcfg_03-02.04
   Name: hponcfg
   Version: 03-02.04
   Type: bootbank
   Vendor: Hewlett-Packard
   Acceptance Level: PartnerSupported
   Summary: HP ProLiant Lights-Out Configuration Utility for ESXi
   Description: HP ProLiant Lights-Out Configuration Utility for ESXi
   Release Date: 2011-08-09
   Depends:
   Conflicts:
   Replaces:
   Provides:
   Maintenance Mode Required: False
   Hardware Platforms Required: HP, Hewlett-Packard Company, Hewlett-Packard, hp
   Live Install Allowed: False
   Live Remove Allowed: False
   Stateless Ready: True
   Overlay: False
   Tags:
   Payloads: hponcfg
~ #
The tool is located in /opt/hp/tools.
/opt/hp/tools # ls
hpbootcfg         hpbootcfg_esxcli  hponcfg
/opt/hp/tools #
Launch the utility without arguments and it will print the usage together with the current firmware version of the iLO.
/opt/hp/tools # ./hponcfg
HP Lights-Out Online Configuration utility
Version 3.2-4 (c) Hewlett-Packard Company, 2011
Firmware Revision = 1.26 Device type = iLO 3 Driver name = hpilo
USAGE:
  hponcfg  -?
  hponcfg  -h
  hponcfg  -m minFw
  hponcfg  -r [-m minFw ]
  hponcfg  [-a] -w filename [-m minFw]
  hponcfg  -g [-m minFw]
  hponcfg  -f filename [-l filename] [-s namevaluepair] [-v] [-m minFw]
  hponcfg  -i [-l filename] [-s namevaluepair] [-v] [-m minFw]
  -h,  --help           Display this message
  -?                    Display this message
  -r,  --reset          Reset the Management Processor to factory defaults
  -f,  --file           Get/Set Management Processor configuration from "filename"
  -i,  --input          Get/Set Management Processor configuration from the XML input
                        received through the standard input stream.
  -w,  --writeconfig    Write the Management Processor configuration to "filename"
  -a,  --all            Capture complete Management Processor configuration to the file.
                        This should be used along with '-w' option
  -l,  --log            Log replies to "filename"
  -v,  --xmlverbose     Display all the responses from Management Processor
  -s,  --substitute     Substitute variables present in input config file with values
                        specified in "namevaluepairs"
  -g,  --get_hostinfo   Get the Host information
  -m,  --minfwlevel     Minimum firmware level
/opt/hp/tools #
As a non-intrusive example you can use the -g switch to get the host information.
/opt/hp/tools # ./hponcfg -g
HP Lights-Out Online Configuration utility
Version 3.2-4 (c) Hewlett-Packard Company, 2011
Firmware Revision = 1.26 Device type = iLO 3 Driver name = hpilo
Host Information:
                        Server Name: esxi01.hp.local
                        Server Number:
/opt/hp/tools #
I'll let you investigate the rest of the options carefully. Bear in mind that -r resets the management processor to factory defaults and that -f and -i push a new configuration into it, so whoever has root on the ESXi shell effectively has administrative control of the iLO; protect shell access to the host accordingly.
Juanma.
Introducing HP iLO app for iOS
Quietly released by HP less than a week ago, the HP iLO Mobile Application for iOS allows you to control your ProLiant servers through their iLO from your iOS device. It is compatible with iPhone 4/4S and iPad 1/2 and can be found in the Apple App Store.
The application is much more than a simple remote console to the operating system running on the server: you can operate the power controls of the server, mount ISO images, access and interact with the iLO web interface and even launch iLO scripts from your mobile device.
Of course you can also store a list of the servers to manage and save the login credentials for each of them; remember that these are iLO administrator credentials stored on a phone or tablet, so treat the device accordingly.
The product page can be accessed here on the HP site. There is also a user guide with useful info and tips.
Following are a couple of screenshots from the app running on my iPad and another one taken from HP showing the output generated by an iLO 3 script.
Main screen
Configure iLO screen
iLO script output
Juanma.
vMotion error, virtual machine refuses to be migrated.
Last night, during a patching job at a customer, I found the following error for several VMs when I put a host into maintenance mode and DRS tried to evacuate the virtual machines to the other nodes of the cluster.
Very strange, since as far as I could see the virtual machines were running without errors: I was logged into some of them through SSH, and they also appeared as powered on in the vSphere Client.
I decided to go to Tech Support Mode on the ESXi host and check the virtual machine power state.
Everything looked exactly as it should, no error logs, nothing. At this point I decided to restart the ESXi management agents.
And it worked: after a few seconds I was able to perform a successful vMotion and the host could be evacuated.
Juanma.
How to integrate SUSE Linux Enterprise 11 with Windows Active Directory
Getting SUSE Linux Enterprise integrated with Microsoft Active Directory is much easier than it sounds.
There are a few prerequisites to meet first:
- Samba client must be installed.
- Packages samba-winbind and krb5-client must be installed.
- The primary DNS server of the SLES host must be a Domain Controller, so that the Active Directory service records can be resolved.
For this task we will use YaST2, the SUSE configuration tool.
YaST2 can be run either in graphical or in text mode.
I decided to use the text mode since it will be by far the most common use case; in both cases the procedure is exactly the same.
Go to the Network Services section and then select Windows Domain Membership. The Windows Domain Membership configuration screen will appear.
In the Membership area enter the domain name and configure the options that best suit your environment, including those in the other sections of the screen.
I configured it to allow SSH single sign-on (more on this later) and to create a home directory for the user on first login.
Take the NTP configuration into account: Kerberos, and therefore Active Directory authentication, fails when the clocks of the client and the domain controller drift apart by more than the tolerated skew (clockskew = 300 seconds in the krb5.conf generated below), so the host should synchronize its time with the domain controllers.
Select OK to confirm your selection and a small pop-up will inform you that the host is not part of the domain and ask whether you want to join it.
Next you must enter the password of the domain Administrator.
YaST will finally confirm the success of the operation.
At this point the basic configuration is done and the server should be a member of the Windows domain.
Under the hood this process has modified several configuration files to get the system ready to authenticate against Active Directory:
- smb.conf
- krb5.conf
- nsswitch.conf
smb.conf
The first is the configuration file for the Samba service. Samba is an open source implementation of the Windows SMB/CIFS protocol; it allows Unix systems to integrate almost transparently into a Windows domain infrastructure and also provides file and print services for Windows clients.
The file resides in /etc/samba. Take a look at its contents; the relevant part is the [global] section, in particular security = ADS, the realm and the idmap ranges that winbind will use for domain users and groups.
[global]
        workgroup = VJLAB
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = VJLAB.LOCAL
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
krb5.conf
krb5.conf is the Kerberos configuration file read by the Kerberos libraries (and by any Kerberos daemons on the host); it holds the default realm, the KDCs for each realm and the mapping from DNS domains to realms.
jreypo@sles11-01:/etc> cat krb5.conf
[libdefaults]
default_realm = VJLAB.LOCAL
clockskew = 300
[realms]
VJLAB.LOCAL = {
kdc = dc.vjlab.local
default_domain = vjlab.local
admin_server = dc.vjlab.local
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.vjlab.local = VJLAB.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
jreypo@sles11-01:/etc>
nsswitch.conf
The nsswitch.conf file, as stated by its man page, is the System Databases and Name Service Switch configuration file. Basically it tells the system which sources to consult, and in which order, when it looks up users, groups and the other system databases, for example when a user tries to log into the server.
Have a quick look at the file and you will notice the two entries that changed, passwd and group. In both, winbind has been added to tell the system to also query Winbind, the Samba daemon that resolves domain users and groups and maps them to the UID and GID ranges configured in smb.conf.
passwd: compat winbind
group:  compat winbind
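Since the join touched three files that have to agree with each other, it is worth checking them together rather than eyeballing each one. The following is an added example, my own code and not part of the original post or of YaST: a POSIX shell script that reads the [global] section of smb.conf, the [libdefaults] and [realms] sections of krb5.conf and the passwd/group lines of nsswitch.conf, and verifies that security is ADS, that the Samba realm matches the Kerberos default realm, that a KDC is defined for it and that winbind is consulted for users and groups. The write_samples function creates constructed copies reproducing the values shown in this post; on a real host point check_ad_join at /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf instead.

```sh
#!/bin/sh
# Added example, not from the original post: cross-check the three files YaST
# edited for the domain join. write_samples writes constructed copies carrying
# the values from the post; check_ad_join reports every disagreement it finds.

# ini_value FILE SECTION KEY : value of "KEY = VALUE" inside [SECTION]
ini_value() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[^A-Za-z0-9_]/, "", s); insec = (s == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# krb5_kdc FILE REALM : first kdc listed inside the "REALM = { ... }" block
krb5_kdc() {
    awk -v realm="$2" '
        !inrealm && index($0, realm) && /\{/ { inrealm = 1; next }
        inrealm && /^[[:space:]]*\}/ { inrealm = 0 }
        inrealm && /^[[:space:]]*kdc[[:space:]]*=/ {
            v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# nss_has_source FILE DB SOURCE : true if the "DB:" line lists SOURCE
nss_has_source() {
    awk -v db="$2:" -v src="$3" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_ad_join SMB_CONF KRB5_CONF NSSWITCH_CONF : prints findings, returns their count
check_ad_join() {
    smb=$1 krb=$2 nss=$3 problems=0
    sec=$(ini_value "$smb" global security)
    [ "$sec" = "ADS" ] || { echo "FAIL: smb.conf security is '$sec', expected ADS"; problems=$((problems + 1)); }
    realm=$(ini_value "$smb" global realm)
    defrealm=$(ini_value "$krb" libdefaults default_realm)
    [ -n "$realm" ] && [ "$realm" = "$defrealm" ] || { echo "FAIL: smb.conf realm '$realm' does not match krb5.conf default_realm '$defrealm'"; problems=$((problems + 1)); }
    kdc=$(krb5_kdc "$krb" "$realm")
    [ -n "$kdc" ] || { echo "FAIL: no kdc defined for realm '$realm' in krb5.conf"; problems=$((problems + 1)); }
    for db in passwd group; do
        nss_has_source "$nss" "$db" winbind || { echo "FAIL: nsswitch.conf '$db' does not consult winbind"; problems=$((problems + 1)); }
    done
    return $problems
}

# write_samples DIR : constructed smb.conf, krb5.conf and nsswitch.conf with the post's values
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
        workgroup = VJLAB
        security = ADS
        realm = VJLAB.LOCAL
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = VJLAB.LOCAL
        clockskew = 300
[realms]
        VJLAB.LOCAL = {
                kdc = dc.vjlab.local
                admin_server = dc.vjlab.local
        }
[domain_realm]
        .vjlab.local = VJLAB.LOCAL
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: compat winbind
group:  compat winbind
hosts:  files dns
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_ad_join "$dir/smb.conf" "$dir/krb5.conf" "$dir/nsswitch.conf" && echo "OK: the three files agree"
# Break one thing to see a finding: drop winbind from the group database.
sed 's/^group:.*/group:  compat/' "$dir/nsswitch.conf" > "$dir/nsswitch.broken"
check_ad_join "$dir/smb.conf" "$dir/krb5.conf" "$dir/nsswitch.broken" || echo "problems found: $?"
rm -rf "$dir"
```

The krb5 "kdc =" line under [logging] is deliberately present in the sample: krb5_kdc only looks inside the realm's brace block, so it is not mistaken for a KDC address.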
SSH single sign-on
Finally we need to test the SSH connection to the host using a domain user account. When asked for the login credentials use the DOMAIN\USER form for the user name.
This kind of integration is very useful, especially for the bigger shops, because you don't have to maintain the user list of your SLES servers individually; only the root account stays local, since the other accounts can be centrally managed from the Windows domain.
However there is one issue that must be taken into account: as configured so far, anyone with a domain account can log into your Linux servers, and we don't want that.
To prevent this potentially dangerous situation we are going to limit access to those groups of users that really need it. I'm going to use Domain Admins to show you how.
First we need to find the GID that the Domain Admins group has been given on our Linux box. Log in as DOMAIN\Administrator and use the id command to get the user info.
VJLAB\administrator@sles11-01:~> id
uid=10000(VJLAB\administrator) gid=10000(VJLAB\domain users) groups=10000(VJLAB\domain users),10001(VJLAB\schema admins),10002(VJLAB\domain admins),10003(VJLAB\enterprise admins),10004(VJLAB\group policy creator owners)
VJLAB\administrator@sles11-01:~>
There are several group IDs; for our purposes we need VJLAB\domain admins, which is 10002.
You may be asking yourself: but the user's GID is 10000, not 10002? Yes, you are right. The primary group of a domain user is Domain Users, and since the PAM check we are going to add tests the primary GID, we need to make a change at the Domain Controller level.
Fire up Server Manager and go to Roles –> Active Directory Domain Services –> Active Directory Users and Computers –> DOMAIN –> Users.
In the right pane edit the properties of the account that should be able to access the Linux server via SSH; in my case I used my own account, juanma. In the Member Of tab select the Domain Admins group and click Set Primary Group.
Now we need to modify how PAM handles authentication for the SSH service. Go back to SLES and edit /etc/pam.d/sshd.
#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
Delete the account line and add the following two lines.
account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so gid = 10002
The sshd file should look like this:
#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so gid = 10002
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
What did we do? First we removed the generic account check that let every user, local or domain, through, and then we allowed only the server's local users (pam_localuser.so, which looks the user up in /etc/passwd) and the users whose primary group is Domain Admins (pam_succeed_if.so gid = 10002) to log in; if neither sufficient rule matches, the account phase fails and the login is denied. Two caveats: because the common-account include is gone, whatever account checks it performed (for example pam_unix's password expiry handling for local users) no longer run for sshd, and the restriction applies to sshd only, since the other PAM services on the host keep their own stacks.
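To make the primary-group gotcha above explicit, here is an added example, my own code and not part of the original post: a POSIX shell script that emulates the two-line account stack against id-style records and prints who gets in and why. pam_succeed_if gid = 10002 compares the user's primary GID, so the built-in Administrator (the id line copied from the post, primary group Domain Users, gid 10000) is denied despite being a Domain Admin, while a user whose primary group was switched to Domain Admins passes. The passwd entries and the other id lines are constructed for illustration. pam_succeed_if also offers a user ingroup GROUP test that looks at supplementary membership, which would avoid touching primary groups in AD; the script models the post's gid = rule only.

```sh
#!/bin/sh
# Added example, not from the original post: emulate the account stack the post
# installs in /etc/pam.d/sshd,
#     account sufficient pam_localuser.so
#     account sufficient pam_succeed_if.so gid = 10002
# against id(1)-style records. pam_localuser passes users present in
# /etc/passwd; pam_succeed_if "gid = N" compares the PRIMARY gid with N.
# Only ID_ADMINISTRATOR is real (copied from the post); LOCAL_PASSWD and the
# other id lines are constructed.

ALLOWED_GID=10002      # VJLAB\domain admins in the post

LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
jreypo:x:1000:100:Juanma:/home/jreypo:/bin/bash'

ID_ADMINISTRATOR='uid=10000(VJLAB\administrator) gid=10000(VJLAB\domain users) groups=10000(VJLAB\domain users),10001(VJLAB\schema admins),10002(VJLAB\domain admins),10003(VJLAB\enterprise admins),10004(VJLAB\group policy creator owners)'
# constructed: juanma after Set Primary Group was pointed at Domain Admins
ID_JUANMA='uid=10005(VJLAB\juanma) gid=10002(VJLAB\domain admins) groups=10002(VJLAB\domain admins),10000(VJLAB\domain users)'
# constructed: an ordinary domain user
ID_BOB='uid=10006(VJLAB\bob) gid=10000(VJLAB\domain users) groups=10000(VJLAB\domain users)'
ID_ROOT='uid=0(root) gid=0(root) groups=0(root)'

# id_user IDLINE : the name inside uid=NNN(NAME)
id_user()     { printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'; }
# primary_gid IDLINE : the number after " gid="
primary_gid() { printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9]*\)(.*/\1/p'; }
# all_gids IDLINE : space-separated numeric gids from the groups= list
all_gids()    { printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//' | tr '\n' ' '; }

# is_local_user NAME : what pam_localuser checks, against LOCAL_PASSWD instead of /etc/passwd
is_local_user() { printf '%s\n' "$LOCAL_PASSWD" | cut -d: -f1 | grep -qxF -- "$1"; }

# account_stack_allows IDLINE : 0 if one of the two sufficient rules passes, else 1.
# Prints the deciding rule. Both rules failing is a denial even though neither is "required".
account_stack_allows() {
    user=$(id_user "$1") gid=$(primary_gid "$1")
    if is_local_user "$user"; then
        echo "$user: allowed by pam_localuser (local account)"; return 0
    fi
    if [ "$gid" = "$ALLOWED_GID" ]; then
        echo "$user: allowed by pam_succeed_if gid = $ALLOWED_GID (primary group)"; return 0
    fi
    case " $(all_gids "$1") " in
        *" $ALLOWED_GID "*)
            echo "$user: DENIED, member of gid $ALLOWED_GID but primary gid is $gid; 'gid =' checks the primary group only" ;;
        *)
            echo "$user: DENIED, not a local user and primary gid is $gid" ;;
    esac
    return 1
}

for who in "$ID_ROOT" "$ID_ADMINISTRATOR" "$ID_JUANMA" "$ID_BOB"; do
    account_stack_allows "$who" || :
done
```

Run it as is to see the four verdicts; to predict the outcome for a real account, feed the output of id DOMAIN\\user into account_stack_allows before you lock yourself out of a box.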
And we are done. Any comment would be welcome, as always :-)
Juanma.