Tuesday 27 February 2018

Pure Storage PowerShell ESXi Connections

I have been using Pure Storage for a few months now and discovered that they have a PowerShell SDK to manage their storage system. My previous script for creating the iSCSI connection from my host to the storage is great, but it only creates the connection. The missing piece was ensuring that the storage system authorises the ESXi host to see the LUNs, for which you would usually need to pass the iSCSI IQN details to the storage admin. With the Pure Storage PowerShell SDK I have now automated this part as well, bringing me a step closer to Infrastructure as Code.

I will step through my script, explaining each part.

Under the variables section we store all the relevant details

We store the Pure Storage array management IP or FQDN
$PureArrayIP = "Pure Storage Management IP or FQDN"
In Pure Storage I group all the ESXi servers in “host groups”, so I store the host group that I would like the ESXi host to be placed in
$PureHostGroup = "Host Group Name"
Depending on how you define the display name for hosts in Pure Storage, you store the name in the matching format in this variable. We kept it simple and just used the short name of the ESXi server, which matches our vCenter server inventory
$ESXHost = "ESXi Host Display Name"
The iSCSI IQN that belongs to the host you are adding
$ESXHostIQN = "IQN String"

First we check whether the Pure Storage SDK is installed; if it is not, we exit the script
# -ListAvailable looks at installed modules, not only those already imported into the session
If (!(Get-Module -ListAvailable -Name "PureStoragePowerShellSDK"))
{Write-Host "You need to install the Pure Storage PowerShell SDK before carrying on"
Exit
}
Store the connection in the variable $PureArray. The command will prompt on screen for the credentials used to authenticate to the Pure Storage array. -IgnoreCertificateError turns off validation of the array's TLS certificate, which suits a self-signed lab certificate; omit it when the array has a certificate your workstation trusts
$PureArray = New-PfaArray -EndPoint $PureArrayIP -Credentials (Get-Credential) -IgnoreCertificateError
We now get the $ESXHost details from Pure Storage
$PureVMHost = Get-PfaHosts -Array $PureArray | Where {$_.name -eq $ESXHost}

The next section is where the actual work takes place. We first check if a value was returned for $PureVMHost
If (!$PureVMhost)
If no value was returned into that variable then it would mean that no such host information exists on the Pure Storage Array. So we issue a command to create a new host in Pure Storage and add the IQN details
New-PfaHost -Array $PureArray -Name $ESXHost -IqnList $ESXHostIQN  
We then add it to the host group within Pure Storage
Add-PfaHosts -Array $PureArray -Name $PureHostGroup -HostsToAdd $ESXHost
If the host already exists on the storage array then we just issue a set/update command to change the IQN
Set-PfaHostIqns -Array $PureArray -Name $PureVMHost.Name -IqnList $ESXHostIQN
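
The steps above assembled into one run, as an added example rather than the author's published script: it reads the IQN from the host through PowerCLI (the $hba.iscsiname idea mentioned at the end of this post), checks that it is a single well-formed IQN, and then applies the same create-or-update logic. The array address, host group, host name and IQN pattern are placeholder assumptions, and it assumes an existing Connect-VIServer session and an array certificate the workstation trusts.

```powershell
# Added example: the three values below are placeholders, not from the original script
$PureArrayIP   = 'flasharray.example.local'
$PureHostGroup = 'ESXi-Cluster01'
$VMHostName    = 'esx01.example.local'     # host name as shown in vCenter

Import-Module PureStoragePowerShellSDK -ErrorAction Stop

# Read the software iSCSI adapter's IQN from the host (needs a Connect-VIServer session)
$hba = Get-VMHost -Name $VMHostName | Get-VMHostHba -Type iScsi |
       Where-Object { $_.Model -eq 'iSCSI Software Adapter' }
$ESXHostIQN = $hba.IScsiName
$ESXHost    = $VMHostName.Split('.')[0]    # short name used as the Pure host display name

# Refuse to touch the array unless we hold exactly one well-formed IQN
# (the pattern is an assumption: iqn.YYYY-MM.reversed.domain[:identifier])
if (@($hba).Count -ne 1 -or
    $ESXHostIQN -notmatch '^iqn\.\d{4}-\d{2}\.[a-z0-9.-]+(:\S+)?$') {
    throw "Expected exactly one valid iSCSI IQN on $VMHostName, got: '$ESXHostIQN'"
}

# No -IgnoreCertificateError here: the array certificate is assumed to be trusted
$PureArray = New-PfaArray -EndPoint $PureArrayIP -Credentials (Get-Credential)
try {
    $PureVMHost = Get-PfaHosts -Array $PureArray | Where-Object { $_.name -eq $ESXHost }
    if (-not $PureVMHost) {
        # Host unknown to the array: create it with its IQN, then join the host group
        New-PfaHost -Array $PureArray -Name $ESXHost -IqnList $ESXHostIQN
        Add-PfaHosts -Array $PureArray -Name $PureHostGroup -HostsToAdd $ESXHost
    }
    else {
        # Host already exists: replace its IQN list with the one read from ESXi
        Set-PfaHostIqns -Array $PureArray -Name $PureVMHost.Name -IqnList $ESXHostIQN
    }
}
finally {
    # Always end the REST session, even if one of the calls above failed
    Disconnect-PfaArray -Array $PureArray
}
```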


So with this script you can easily configure Pure Storage for your ESXi hosts with a few lines of code. In my previous script I had a section that printed the host's iSCSI IQN name using "$hba.iscsiname". This could be your input source for the IQN name into Pure Storage. The full code for the above script is on GitHub. Pure Storage has good documentation on PowerShell here to get you started. Happy scripting!

Sunday 25 February 2018

CIS Benchmark - Configuration Guides

Recently I attended a cloud security course and was introduced to the Center for Internet Security (https://www.cisecurity.org/). They are a non-profit organisation providing guidance and best practices for securing IT systems against attacks. Their guides are called "benchmarks", and most of them are produced by subject matter experts, vendors and the community. The guides are very comprehensive: they explain what you can secure, why you would secure it, how you can audit that particular setting, how to remediate/secure the system and what impact applying the secure settings may cause. There are guides ranging from the traditional Windows/Linux OS/Cisco to cloud (Azure/AWS) to iOS/Android and the likes of Docker/Kubernetes.

Head over to https://www.cisecurity.org/cis-benchmarks/ to see if there are any guides that are useful for you. You will need to provide an email address to download these free guides. For VMware 6.0 onwards you will need to go to VMware's site to pick up their guide.


Monday 19 February 2018

Deploying VCSA 6.5 to Workstation

Previously, deploying VCSA to Workstation meant going through some painful steps to get it going. With 6.5 the process has become a lot easier. I will go through the steps I’ve taken to deploy a basic VCSA on Workstation 12 so that you can start playing with it.

My setup:
I used Workstation 12.5.7 build-5813279 running on Windows 10 and VCSA 6.5 ISO Build 7119157 (U1c). Make sure you have a working DNS server that the VCSA appliance can use and that resolves the VCSA appliance name.

I am using Windows 10 so I am using the default built-in tool to mount the VCSA ISO. Make a note of which drive letter it has been mounted on
Fire up VMware workstation and select “File > Open”
Browse to the drive where the ISO has been mounted to. Go in to folder "vcsa" and you should see the “ova” file with the name starting with “VMware-vCenter-Server-Appliance-“. Select the file and click "open"
Give the VM the name you want and the location of where you would like this VM to reside. Click “import”
A licence agreement will appear where you have to select "Accept" to continue
Once the VM has been deployed, check that the Network Adapter of the VM is in the correct network, where it can reach your DNS server and can be reached from the terminal where you will run the web browser to do the final configuration later. Power on the VM once you are happy
For the following section the installation time will vary with the type of hardware you are running Workstation on. For me the process took around ½ hour. If you watch the console screen you will see that the VM is booting up and going through the installation, and at some point you will see a login screen. DO NOT log in at this time as the machine is still installing
You will soon see the familiar console screen of a normal ESXi host; again, DO NOT log in as the machine is still installing
Once the screen changes to display the text “Root password is not set” then we can press “F2” to start to configure the appliance. You may notice that if you have a DHCP server in your network it may have picked up an IP address.
As soon as you press “F2” you will be asked to change the password; once completed press “Enter”. As far as I can see, no complex password is required at this stage, so you could have abc123 as the password
You will be taken to the familiar screen for configuring an ESXi host. Head to “Configure Management Network” and press “Enter”
Select “IP Configuration” and press “Enter”
Within the “IP configuration” screen, change to Static if you want to use a static address or leave it as DHCP if that is what you are using. If you are using DHCP then ensure you note down the IP address that it has been assigned. Press “Enter” to confirm any changes or “Esc” if you don’t need to make any
Back at the “Configure Management Network” menu screen go to “DNS Configuration” and press “Enter”
We are now configuring the DNS server that VCSA will use for name resolution and the name (IP address or FQDN) for VCSA. If you are using a name, be sure to have this entry in your DNS server so that it can be resolved. I have just used the IP address to keep it simple. Press “Enter” to make the changes
When you are back at the “Configure Management Network” screen, press “Esc” and you will be prompted to restart the management network. Press “Y” to have the management network restarted
Once the management agent has been restarted you should see the IP address and hostname you have assigned to VCSA. If all the settings are correct then press “Esc” to log out
At the VCSA console screen press “F12” to bring up the “shut down/restart” options. Enter the password for your root account. Once you have logged in press “F11” to restart the appliance
Once the appliance has rebooted back to the console screen we can now go to a web browser to finish off the appliance build. The URL to go to is https://vcsa_ip_or_fqdn_address:5480. Replace vcsa_ip_or_fqdn_address with your details. You will be presented with the getting started screen. Select “Set up vCenter Server Appliance” to continue
You will be prompted to log in to the appliance as the user root. Supply the password and select “log in”
The introduction screen will appear and you will see that we have completed stage 1 which is to deploy VCSA. We will be working on stage 2 where we are configuring the appliance. Click “next”
It will now pull back the information from the VCSA. As we have assigned a static IP address it will show the details. Change the “Time synchronization mode” to “synchronize time with the ESXi host” and then click “Next”. If you choose “Synchronize time with NTP servers” as the “Time synchronization mode” then you will need to type in the NTP servers
On the SSO configuration screen, type in the Single Sign-On domain name you would like to use. Best to leave default as “vsphere.local”. Type in the password you would like to give for the single sign-on password for the account administrator. Define the site name you would like to use and then select “Next”
Decide if you would like to join VMware’s Customer Experience Improvement Program (CEIP) and then select “Next”
You will now be at the review screen before you start the final installation. Review all the settings before you select “Finish”
You will receive a warning message indicating that once you click “OK” you cannot pause or stop the installation
The install will start and you will most likely see this error message appear “Failed to start setup. You can refresh this page, or restart again”. Wait about a minute and press “F5” to refresh the browser window
After the browser refresh you should see the appliance configuring itself. Wait until the appliance finishes deploying
Once you reach the completion screen, the appliance has finished setup and you will see a URL you can go to for appliance configuration. If you click “close” it will take you to the getting started web page where you can select which vSphere client to use. The URLs are https://vcsa_ip_or_fqdn_address/ui (HTML5 interface with limited functionality) or https://vcsa_ip_or_fqdn_address/vsphere-client (Flash interface)
At this point you can log in to the appliance to change the time zone, enable SSH or Bash shell, change the password expiry date and time etc. by going to https://vcsa_ip_or_fqdn_address:5480 and logging in with the root account.

Hopefully this will be a quick, easy start for people to try out the vSphere 6.5 appliance on their VMware Workstation. Previously it was quite a hard process to get the 6.0 appliance to work in Workstation. So far all the functions that I need to test are working OK, but if you do come across any errors please let me know.

New Azure KMS IP and domain Addresses for activation

For Windows virtual machines deployed into Azure using marketplace images you may have created rules in your NSG or firewalls to allow the s...