Build a hardened ESXi 6.5 image for HPE hardware

As part of the series on ESXi 6.5, this post should give you an idea of how to handle an ESXi image build in detail. No long introduction. Let’s start:

Preparation

  1. Get the latest ESXi 6.5 offline bundle from the
    VMware Patch Repository (MyVMware login required)

  2. Get the required drivers and agents from HPE. First check the recipe for the right firmware and driver combinations; this may require you to update the firmware on your boxes first.
    HPE ProLiant server and option firmware and driver support recipe

    Download the required drivers from the latest folder that contains the esxi-650-* hierarchy:
    http://vibsdepot.hpe.com/hpe/nov2016/
    (Alternatively you can add the online depot directly, but then you cannot build the image without a working internet connection.)

    The “esxi-650-devicedrivers” folder contains the offline bundles for the drivers. Pick the ones you need for your hardware. If you have no idea how to find out which drivers are required, play around a little with the “esxcfg-*” commands in the ESXi Shell: list the network and storage adapters on an existing ESXi host, ideally one installed with the vendor image, and note down which drivers are in use.

    The “esxi-650-bundles” folder contains all additional agents and tooling. Download the hpe-esxi6.5uX-bundle-* file, as it contains the hpe-smx-provider CIM provider integration you need for proper hardware monitoring. Some of the drivers are double zipped. Just extract the first layer so you have the offline bundle. The second zip file should not contain any further *.zip file, but *.vib files or a vib20 folder.

  3. Set up a PowerCLI 6.5 environment on a compatible Windows machine
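Before deciding what to strip, it helps to pull the driver inventory from a reference host with PowerCLI instead of reading esxcfg-* output by hand. The following script is an added example, not code from the original post. It assumes PowerCLI 6.5 with the VMware.VimAutomation.Core module, a reachable HPE host installed from the vendor image (the host name esxi-ref.example.org is a placeholder; credentials are prompted for), and the helper Test-DriverInUse with its name-matching rule is my own heuristic, not anything VMware or HPE ships.

```powershell
# Added example (not from the original post): list the drivers an existing HPE
# host actually loads for its NICs and storage adapters, then mark which of the
# installed driver VIBs are confirmed in use. Everything not marked needs a
# human decision; core VIBs such as esx-base obviously stay regardless.
Import-Module VMware.VimAutomation.Core

# Placeholder host; credentials are prompted rather than embedded in the script.
$server = Connect-VIServer -Server 'esxi-ref.example.org' -Credential (Get-Credential -Message 'ESXi root')
$vmhost = Get-VMHost -Server $server | Select-Object -First 1
$esxcli = Get-EsxCli -VMHost $vmhost -V2

# esxcli network nic list / esxcli storage core adapter list report the driver
# loaded for each adapter, the same information the esxcfg-* commands show.
$nicDrivers = $esxcli.network.nic.list.Invoke()          | ForEach-Object { $_.Driver }
$hbaDrivers = $esxcli.storage.core.adapter.list.Invoke() | ForEach-Object { $_.Driver }
$inUse = @($nicDrivers + $hbaDrivers) | Sort-Object -Unique

"Drivers in use on $($vmhost.Name):"
$inUse

# Heuristic (my assumption): a driver VIB is either named like its module
# (nhpsa) or carries a class prefix in front of it (net-bnx2x -> bnx2x).
function Test-DriverInUse {
    param([string]$VibName, [string[]]$Loaded)
    foreach ($d in $Loaded) {
        if ($VibName -eq $d -or $VibName -like "*-$d") { return $true }
    }
    return $false
}

# Every installed VIB with vendor and acceptance level (the signature class),
# plus whether it matches a driver that is actually loaded.
$esxcli.software.vib.list.Invoke() | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Vendor          = $_.Vendor
        AcceptanceLevel = $_.AcceptanceLevel
        InUse           = Test-DriverInUse -VibName $_.Name -Loaded $inUse
    }
} | Sort-Object InUse -Descending, Name | Format-Table -AutoSize

Disconnect-VIServer -Server $server -Confirm:$false
```

Run it against the box that is closest to your target hardware; the InUse column gives you the short list of driver VIBs that must survive the stripping in the Build section, and the AcceptanceLevel column shows up front which vendor VIBs are only PartnerSupported.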

Build

  1. Load the VMware ESXi vanilla image
    Add-EsxSoftwareDepot .\ESXi650-201703002.zip
  2. Clone it for further modification
    PS> Get-EsxImageProfile | Select Name
    
    Name
    ----
    ESXi-6.5.0-20170304101-standard
    ESXi-6.5.0-20170304101-no-tools
    Select the standard image. For other patch offline depots you might see four image profiles. Pick the standard one without an “s” after the number (the “s” profiles are the security-only rollups).
    New-EsxImageProfile -CloneProfile ESXi-6.5.0-20170304101-standard -Name "ESXi-650-custom-hpe-hardened"  -Vendor "schoen computing"
    The acceptance level is automatically inherited from the source image; you don’t need to specify the parameter explicitly.

  3. Remove packages
    Remove-EsxSoftwarePackage -ImageProfile ESXi-650-custom-hpe-hardened -SoftwarePackage xhci-xhci
    I removed these packages for my use case:
    sata-ata-piix
    net-usbnet
    sata-sata-sil
    lsi-msgpt2
    scsi-megaraid2
    scsi-mptspi
    ata-pata-hpt3x2n
    shim-libata-9-2-1-0
    net-forcedeth
    scsi-mpt2sas
    ata-pata-pdc2027x
    scsi-megaraid-mbox
    lsu-hp-hpsa-plugin
    ata-pata-cmd64x
    ata-pata-serverworks
    lsu-lsi-mpt2sas-plugin
    ata-pata-atiixp
    shim-iscsi-linux-9-2-2-0
    mtip32xx-native
    scsi-adp94xx
    nmlx4-en
    lsu-lsi-lsi-msgpt3-plugin
    misc-cnic-register
    scsi-bnx2i
    net-bnx2x
    net-fcoe
    scsi-aacraid
    scsi-qla4xxx
    scsi-megaraid-sas
    ata-pata-sil680
    scsi-iscsi-linux-92
    scsi-aic79xx
    net-nx-nic
    shim-libfc-9-2-1-0
    net-bnx2
    ata-pata-via
    lsu-lsi-megaraid-sas-plugin
    i40en
    net-cnic
    net-vmxnet3
    emulex-esx-elxnetcli
    shim-libfc-9-2-2-0
    nvme
    scsi-ips
    qfle3
    net-enic
    scsi-bnx2fc
    net-mlx4-en
    shim-libfcoe-9-2-2-0
    nvmxnet3
    sata-sata-nv
    vmware-esx-esxcli-nvme-plugin
    lsu-lsi-lsi-mr3-plugin
    net-cdc-ether
    usb-storage-usb-storage
    sata-sata-promise
    scsi-mptsas
    scsi-hpsa
    nmlx4-rdma
    ata-pata-amd
    pvscsi
    net-mlx4-core
    shim-libfcoe-9-2-1-0
    lsi-mr3
    nhpsa
    shim-vmklinux-9-2-1-0
    block-cciss
    scsi-fnic
    lsi-msgpt3
    nmlx4-core
    qlnativefc
    shim-libata-9-2-2-0
    lpfc
    nmlx5-core
    sata-sata-svw
    ima-qla4xxx
    nenic
    elxnet
    qedentv
    sata-sata-sil24
    shim-iscsi-linux-9-2-1-0
    This list also contains drivers that are removed here but added back later from the HPE depot in a newer version.

    Attention: Not all packages can be removed in the listed order, as there are dependencies between them. If the CLI does not allow you to remove a package because it is required by another package, remove the other one first and try again. And do check the list against your own hardware: if you drop the driver for the boot controller or the NICs, the installer will not see the disk or the network, so verify the image on one box before rolling it out.

  4. Export the stripped image
    Export-EsxImageProfile -ImageProfile ESXi-650-custom-hpe-hardened -ExportToBundle -FilePath .\ESXi-650-custom-hpe-hardened.zip
    This image now contains only the remaining packages. I prefer to close the PowerCLI session at this point and load the exported image in a new session, as in step 1, since the clone from step 2 and the profile inside the exported bundle carry the same name.

  5. Add HPE offline depots
    Add-EsxSoftwareDepot .\<hpe driver/bundle>.zip
    Add all downloaded and extracted zips this way.

  6. Add the HPE packages to the image
    Add-EsxSoftwarePackage -ImageProfile ESXi-650-custom-hpe-hardened -SoftwarePackage <package name>
    The package names can be taken from the offline depot zip files: these contain a folder per package name inside the vib20 folder. For my use case these packages were added:
    net-bnx2x
    hpe-esxi-fc-enablement
    net-bnx2
    misc-cnic-register
    qfle3
    scsi-mpt2sas
    lpfc
    hpe-smx-provider
    net-cnic
    nhpsa
    scsi-bnx2fc
  7. Export the final image
    Export-EsxImageProfile -ImageProfile ESXi-650-custom-hpe-hardened -ExportToBundle -FilePath .\ESXi-650-custom-hpe-hardened.zip
    
    Export-EsxImageProfile -ImageProfile ESXi-650-custom-hpe-hardened -ExportToIso -FilePath .\ESXi-650-custom-hpe-hardened.iso

     Keep the ZIP somewhere safe, as you can use it for updating and extending the image.
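The seven build steps above as one PowerCLI script, as an added example that is not part of the original post. It automates the point from step 3 that the removal order is dictated by package dependencies (it simply keeps passing over the list until nothing more comes off), keeps the two-session split from step 4 by putting each half in its own function, and adds a check I would want before exporting: that no unsigned (CommunitySupported) VIB made it into the profile. Depot, profile and package names are the ones from the post; the removal list is a short illustrative subset of the full list above, and the .\hpe\ folder for the HPE offline bundles is an assumed location.

```powershell
# Added example (not from the original post): scripted build of the hardened
# profile. Run Invoke-StripPhase in one PowerCLI session and Invoke-HpePhase in
# a fresh one, as the post recommends.
Import-Module VMware.ImageBuilder

$Name   = 'ESXi-650-custom-hpe-hardened'
$Source = 'ESXi-6.5.0-20170304101-standard'

# Phase 1: clone the vanilla profile and strip packages.
function Invoke-StripPhase {
    Add-EsxSoftwareDepot .\ESXi650-201703002.zip | Out-Null
    New-EsxImageProfile -CloneProfile $Source -Name $Name -Vendor 'schoen computing' | Out-Null

    # Illustrative subset of the post's list: USB host, storage and network
    # drivers, guest-only paravirtual drivers, and vendor drivers that come
    # back from the HPE depot in a newer version.
    $pending = [System.Collections.Generic.List[string]]@(
        'xhci-xhci', 'usb-storage-usb-storage', 'net-usbnet', 'net-cdc-ether',
        'net-vmxnet3', 'nvmxnet3', 'pvscsi',
        'scsi-hpsa', 'nhpsa', 'net-bnx2x', 'net-bnx2', 'net-cnic', 'misc-cnic-register',
        'scsi-bnx2fc', 'qfle3', 'scsi-mpt2sas', 'lpfc'
    )
    # Remove-EsxSoftwarePackage refuses a VIB that another VIB still requires,
    # so keep iterating over the list until a full pass removes nothing.
    do {
        $removed = 0
        foreach ($pkg in @($pending)) {
            try {
                Remove-EsxSoftwarePackage -ImageProfile $Name -SoftwarePackage $pkg -ErrorAction Stop | Out-Null
                [void]$pending.Remove($pkg)
                $removed++
            } catch {
                Write-Verbose "deferred $pkg : $($_.Exception.Message)"
            }
        }
    } while ($removed -gt 0 -and $pending.Count -gt 0)
    if ($pending.Count -gt 0) {
        throw "Could not remove (unresolved dependency or unknown name): $($pending -join ', ')"
    }
    Export-EsxImageProfile -ImageProfile $Name -ExportToBundle -FilePath ".\$Name-stripped.zip" -Force
}

# Phase 2: reload the stripped bundle, add the HPE depots and packages, verify, export.
function Invoke-HpePhase {
    Add-EsxSoftwareDepot ".\$Name-stripped.zip" | Out-Null
    # Assumed location for the extracted HPE offline bundles.
    Get-ChildItem .\hpe\*.zip | ForEach-Object { Add-EsxSoftwareDepot $_.FullName | Out-Null }

    $hpe = @('net-bnx2x', 'hpe-esxi-fc-enablement', 'net-bnx2', 'misc-cnic-register', 'qfle3',
             'scsi-mpt2sas', 'lpfc', 'hpe-smx-provider', 'net-cnic', 'nhpsa', 'scsi-bnx2fc')
    foreach ($pkg in $hpe) {
        Add-EsxSoftwarePackage -ImageProfile $Name -SoftwarePackage $pkg | Out-Null
    }

    $ip = Get-EsxImageProfile -Name $Name
    # Hardening check: the inherited acceptance level must not have dropped,
    # and no CommunitySupported (unsigned) VIB may have slipped in from a depot.
    if ($ip.AcceptanceLevel -eq 'CommunitySupported') {
        throw 'Profile acceptance level is CommunitySupported'
    }
    $unsigned = $ip.VibList | Where-Object { $_.AcceptanceLevel -eq 'CommunitySupported' }
    if ($unsigned) { throw "Unsigned VIBs in profile: $($unsigned.Name -join ', ')" }

    # Final package list for the change record.
    $ip.VibList | Sort-Object Name | Format-Table Name, Version, Vendor, AcceptanceLevel -AutoSize

    Export-EsxImageProfile -ImageProfile $Name -ExportToBundle -FilePath ".\$Name.zip" -Force
    Export-EsxImageProfile -ImageProfile $Name -ExportToIso    -FilePath ".\$Name.iso" -Force
}
```

The retry loop is deliberately dumb: it never forces a removal, so a package that genuinely cannot go (because something you want to keep depends on it) ends up in the error message instead of being torn out. Keep the printed VIB list together with the exported ZIP; it is the evidence of what is, and is not, on the hosts when you later have to answer for a driver-level vulnerability.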