Using kickstart to automate ESX deployments:
Provisioning an ESX server with kickstart can cut deployment time from hours to just a few minutes. Deploying from CD, and not counting the time it takes to boot, my typical installation takes 6.5 minutes. In this article I will break down each section of the kickstart and provide an example of each option. At the end of the article I will provide a downloadable kickstart file that you can modify to fit your own specific needs. In Part II: Creating a custom boot CD, I'll show you how to take one or more kickstart files and slipstream them into a single CD.
General Kickstart Options
install

# Localization
lang en_US
keyboard us

# Mouse Configuration
mouse generic3ps/2 --device psaux

# Skip X configuration
skipx

# Text install
text

# Network information
network --device eth0 --bootproto static --ip 172.16.1.10 --netmask 255.255.255.0 \
  --gateway 172.16.1.1 --nameserver 172.16.1.2 --hostname esx01.yourdomain.com

# Root password (stored here in clear text; use "rootpw --iscrypted <hash>" to keep it out of the file)
rootpw imaweenie

# Disable the firewall
firewall --disabled

# Auth Configuration
authconfig --enableshadow --enablemd5

# Timezone
timezone America/Los_Angeles

# Bootloader config
bootloader --useLilo --location=mbr

# Reboot
reboot
VMware Licensing
There are two options that can be set here. First, "vmaccepteula" acknowledges that you have read and understand the EULA. Second, "vmserialnum" specifies the serial numbers for both ESX and vSMP.
# VMware Licensing
vmaccepteula
vmserialnum --esx=XXXXX-XXXXX-XXXXX-XXXXX --esxsmp=XXXXX-XXXXX-XXXXX-XXXXX
Console Memory
The option "vmservconmem" allocates memory to the service console: 192 for up to 8 virtual machines, 272 for up to 16, 384 for up to 32, 512 for more than 32, or 800 if you want to assign the maximum amount of memory to the console.
# Amount of memory to reserve for the console OS
vmservconmem --reserved=512
Partitioning
Here is an example of how I set up my partition table. If you use Compaq/HP hardware as I do, you will need the "cciss" driver and its non-standard disk naming convention (cciss/c0d0 below). If you don't use Compaq/HP hardware you will most likely just need "sda" or whatever disk it is you want to partition. I like to place the vmkcore partition at the end of the drive so that, in the unlikely event that a coredump writes beyond 100M, it will not "bleed" into any of my other partitions.
# Partitioning
# *Note: ESX 3.0 will require a 100M /boot partition for an upgrade.
clearpart --all --initlabel
part /boot --size 100 --ondisk cciss/c0d0 --fstype ext3 --asprimary
part / --size 10240 --ondisk cciss/c0d0 --fstype ext3 --asprimary
part swap --size 2048 --ondisk cciss/c0d0 --fstype swap --asprimary
part /vmimages --size 10240 --ondisk cciss/c0d0 --fstype ext3
part local --size 1 --ondisk cciss/c0d0 --fstype vmfs2 --grow
part vmkcore --size 100 --ondisk cciss/c0d0 --fstype vmkcore
VMKswap
Here an 8.0G VMkernel swap file is generated and placed on the partition labeled "local" in the step above. The swap file name can be changed, but SwapFile.vswp is the standard.
# VMKernel Swap
vmswap --volume="local" --size="8192" --name "SwapFile.vswp"
PCI Devices
For this step you will need to gather data from /etc/vmware/devnames.conf about the PCI devices in your system. My test system has 2 onboard GigE ports, an Intel 1000MT quad-port GigE card, and a single QLogic 2340 HBA. The first NIC and the local storage controller are set to "shared"; all other devices are assigned exclusively to the virtual machines.

Examining /etc/vmware/devnames.conf gave me the following PCI information, shown in bus:slot.function notation (the same bus/slot/function values that vmpcidivy takes below).
[root@esx01 vmware]# more devnames.conf
002:04.0 scsi vmhba0
003:06.0 nic vmnic0
003:06.1 nic vmnic1
006:04.0 nic vmnic2
006:04.1 nic vmnic3
006:06.0 nic vmnic4
006:06.1 nic vmnic5
007:09.0 fc vmhba1
# Assign all PCI devices
# ( All of these device IDs can be obtained by looking at /etc/vmware/hwconfig )
# 2/4/0 scsi = vmhba0 (shared) Onboard RAID controller
# 3/6/0 nic  = vmnic0 (shared) First onboard GigE NIC
# 3/6/1 nic  = vmnic1 (vm)     Second onboard GigE NIC
# 6/4/0 nic  = vmnic2 (vm)     Intel 1000MT NIC Port 1
# 6/4/1 nic  = vmnic3 (vm)     Intel 1000MT NIC Port 2
# 6/6/0 nic  = vmnic4 (vm)     Intel 1000MT NIC Port 3
# 6/6/1 nic  = vmnic5 (vm)     Intel 1000MT NIC Port 4
# 7/9/0 fc   = vmhba1 (vm)     Qlogic 2340 Fibre HBA
vmpcidivy --shared=2/4/0 --shared=3/6/0 --vms=3/6/1 --vms=6/4/0 --vms=6/4/1 \
  --vms=6/6/0 --vms=6/6/1 --vms=7/9/0
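Translating devnames.conf by hand is where typos creep in, and a device that silently lands on the wrong side of the console/VM split is hard to spot later. The script below is an added example, not part of the original article: it reads a constructed copy of the devnames.conf output shown above, converts each 002:04.0-style entry into the 2/4/0 form that vmpcidivy takes, and builds the vmpcidivy line from a list of the device names that should stay shared with the console OS.

```shell
#!/bin/sh
# Added example: generate the vmpcidivy line from /etc/vmware/devnames.conf.
# Devices named in the "shared" list stay with the service console; every
# other device is handed exclusively to the virtual machines.

# Constructed sample mirroring the article's devnames.conf (bus:slot.function type name).
DEVNAMES='002:04.0 scsi vmhba0
003:06.0 nic vmnic0
003:06.1 nic vmnic1
006:04.0 nic vmnic2
006:04.1 nic vmnic3
006:06.0 nic vmnic4
006:06.1 nic vmnic5
007:09.0 fc vmhba1'

# to_divy_id 002:04.0  ->  2/4/0   (drop leading zeros, swap the separators)
to_divy_id() {
    echo "$1" | awk -F'[:.]' '{ printf "%d/%d/%d\n", $1, $2, $3 }'
}

# build_vmpcidivy "<devnames text>" "<space-separated names to keep shared>"
# Prints one vmpcidivy line: --shared entries first, then --vms entries,
# each group in the order the devices appear in devnames.conf.
build_vmpcidivy() {
    devnames="$1"
    shared=" $2 "
    shared_args=""
    vm_args=""
    while read -r pci kind name; do
        [ -z "$pci" ] && continue
        id=$(to_divy_id "$pci")
        case "$shared" in
            *" $name "*) shared_args="$shared_args --shared=$id" ;;
            *)           vm_args="$vm_args --vms=$id" ;;
        esac
    done <<EOF
$devnames
EOF
    echo "vmpcidivy$shared_args$vm_args"
}

# Keep the first NIC and the local RAID controller with the console OS,
# exactly as the article's hand-written vmpcidivy line does.
build_vmpcidivy "$DEVNAMES" "vmhba0 vmnic0"
```

Compare the printed line against the one in your kickstart before burning the CD; any device that appears under --vms that you expected to be shared (or the reverse) shows up as a plain text difference.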
Virtual Switches
Below I have three virtual switches, "vmotion", "dmz1" and "dmz2", each with a single vmnic assigned. I have also created a bond named "internal" with two vmnics assigned, plus port groups for five separate VLANs. An internal-only vSwitch (vmxnet) named "private_network" has been created with no vmnics assigned to it.
# Set up virtual switches.
vmnetswitch --name="vmotion" --vmnic=vmnic0
vmnetswitch --name="internal" --vmnic=vmnic1 --vmnic=vmnic2
vmnetswitch --name="vlan_1" --vmnic="internal.1"
vmnetswitch --name="vlan_2" --vmnic="internal.2"
vmnetswitch --name="vlan_3" --vmnic="internal.3"
vmnetswitch --name="vlan_4" --vmnic="internal.4"
vmnetswitch --name="vlan_5" --vmnic="internal.5"
vmnetswitch --name="dmz1" --vmnic=vmnic4
vmnetswitch --name="dmz2" --vmnic=vmnic5
vmnetswitch --name="private_network"
%post configuration
You can do almost anything in the %post section of your kickstart, and most of it will be specific to your environment. One thing nearly everyone needs is to download and apply the latest patch to the installation, which can be done like so: (note: this section is still under development).

Another common modification is to set up /etc/resolv.conf with your secondary (or tertiary) nameservers and list any domains you want searched first for name resolution.
# Modify /etc/resolv.conf
cat > /etc/resolv.conf << EOF
search yourdomain.com
nameserver 172.16.1.2
nameserver 172.16.1.3
EOF
Configure NTP (replace 172.16.1.4 with the IP address or FQDN of your time server).
# NTP Configuration
chkconfig --level 345 ntpd on
# The search pattern must stay on one line: a backslash-newline inside single quotes would become part of the regex and never match.
perl -spi -e 's|# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery|restrict 172.16.1.4 mask 255.255.255.255 nomodify notrap noquery|' /etc/ntp.conf
perl -spi -e 's|# server mytrustedtimeserverip|server 172.16.1.4|' /etc/ntp.conf
cat > /etc/ntp/step-tickers << EOF
172.16.1.4
EOF
Install vmkusage
# Install vmkusage
/usr/bin/vmkusage -regroove
cat > /etc/cron.d/vmkusage-cron.sh << EOF
#!/bin/bash
*/1 * * * * root /usr/bin/vmkusage > /dev/null 2>&1
EOF
/bin/chmod +x /etc/cron.d/vmkusage-cron.sh
Throw up a banner to scare away hackers.
# Set up restriction banners
perl -spi -e 's|#Banner /some/path|Banner /etc/restricted_access|' /etc/ssh/sshd_config
cat > /etc/restricted_access << EOF
WARNING: U R NOT 3L33t, b3w4r3 of h4X0r!
EOF
Download
Download the sample ks.cfg here.