VMware vRealize Automation makes it easy for us to provide our end users with the ability to request and manage their own virtual machines using a “self-service” portal. With very little configuration required, we can add vSphere virtual machine templates to a vRA service catalog for users to consume. vRA can then handle the request management for new virtual machines and when approved by the appropriate approvers, even provision the new VMs by cloning the template.
Out of the box, vRA is capable of calling the vSphere Guest Customization Specification to customize the OS. This takes care of SIDs, network settings, host names, etc. If we need to take this customization a little further, we can use the vRA guest agent and custom properties.
In this post, I’m going to demonstrate how to use custom properties with the guest agent to give the user the option of specifying an initial (note the word “initial”) root password when requesting a new Linux VM, based on CentOS 6.6, from the service catalog. When the user requests a new VM from the service catalog, a mandatory field named “InitialRootPassword” is displayed on the request form. The requester (user) must enter a value into this field before the request can be submitted, and it is that value that the root password will be set to once the VM is provisioned.
However, because the root password is passed to the guest agent in plain text, and is also written to the GuestAgent.log file in clear text, the script also expires it immediately: when the user logs into the new VM for the first time as the root user, they will be prompted to set a new root password.
This is not ground-breaking or overly complex, but it will provide an overview of the process required to carry out further guest customization when provisioning with vRA and the vRA guest agent.
Note: Setting up the template in vRA and getting the vRA guest agent installed and talking correctly to the vRA IaaS server is outside the scope of this post.
In order to be able to generate a new root password on the newly provisioned VM, we need to execute a bash script inside the VM during the customization process of the deployment. The execution of the script is triggered by the vRA guest agent, based on the custom properties that were provided in the blueprint / build profile. In this post, all custom properties are specified in a build profile that gets included in the blueprint.
The Password Reset Script
Inside the template VM, we need to create a new script that will be executed by the vRA Guest Agent when the VM is provisioned. I have created a new directory under /usr/share/gugent/ called scripts where I place all my custom scripts and I’ve placed a new script in this directory called newrootpasswd.sh:
Contents of /usr/share/gugent/scripts/newrootpasswd.sh
#!/bin/sh
# The following line sets the root account password to the value of the
# InitialRootPassword custom property from the vRealize Automation blueprint.
# $1 is the first argument passed by the guest agent; it is quoted so the
# password is passed through whole even if it contains spaces.
echo -e "$1" | passwd --stdin root
# Comment out the following (passwd -e) line if you do not want to force the root
# account to change its password on next login.
passwd -e root
The script is very simple. The first line (#!/bin/sh) is the shebang: it tells the kernel to run the script with /bin/sh, which on CentOS is bash.
The line echo -e "$1" | passwd --stdin root is the command that sets the new password for the root user account to the value passed in by the InitialRootPassword property. $1 represents the first parameter passed to the script, which is the value of {InitialRootPassword} as described in the build profile, which we will look at later on in this post.
The command echoes the contents of the $1 variable, which holds the first parameter passed to the script when it was called, in our case the value of {InitialRootPassword}. This is then piped (|) into the passwd command. The passwd command is used in Linux to change the password for a user account. The --stdin option tells passwd to read the new password from standard input; in our case that standard input is provided by the preceding echo -e "$1" command. The final part of the command is the name of the account whose password we are changing, in this case the root account.
The next line (passwd -e root) simply “expires” the password for the root account, and forces the user to specify a new password during the next login attempt.
Once the script is in place, we simply shut down the template VM and mark it as a template again in vCenter.
Creating a build profile in vRealize Automation Center
We need to create a new build profile that contains at least the following properties:
| Property Name | Value | Encrypted | Prompt User |
|---|---|---|---|
| InitialRootPassword | | No | Yes |
| VirtualMachine.Admin.UseGuestAgent | true | No | No |
| VirtualMachine.Customize.WaitComplete | true | No | No |
| VirtualMachine.Software0.Name | Generate new root password | No | No |
| VirtualMachine.Software0.ScriptPath | /usr/share/gugent/scripts/newrootpasswd.sh {InitialRootPassword} | No | No |
| VMware.VirtualCenter.OperatingSystem | rhel6_64Guest | No | No |
The InitialRootPassword property is the only property that will prompt the user for a value. The VirtualMachine.Software0.Name property is simply a name that we provide for the Software0 command that is specified by the VirtualMachine.Software0.ScriptPath.
Looking further into the VirtualMachine.Software0.ScriptPath property, notice that the value of the property points to the location of the script that we would like to execute inside the guest OS. More importantly, notice the {InitialRootPassword} that follows the script location. This passes the value of the InitialRootPassword custom property, as entered by the requester, to the script as a parameter so it can be used as the root password. Looking back at the contents of the script, this value is available as $1 inside the script because it is the first parameter passed to it.
Now it is simply a case of attaching the build profile to the blueprint and requesting a new VM from the catalog to test the configuration.
When requesting a new VM from the service catalog using the blueprint, we can now specify an initial root password:
Once provisioned, we can log into the new VM using the specified password. We are then prompted to enter a new password.
Also, when looking at the guest agent log file (located at /usr/share/gugent/GuestAgent.log), we can see what properties were passed through:
2015-03-30 15:48:12 Application: [Debug] Uninitializing subsystem: Logging Subsystem
2015-03-30 15:48:53 Application.MachineQuery: [Information] uuid = 422d3915-7455-c298-8ccc-2a7d871a2827
2015-03-30 15:48:53 Application: [Debug] Using the network enabled proxy ...
2015-03-30 15:48:53 Application: [Debug] The vCAC endpoint is https://vcaciaas.spiesr.com:443/VMPS2.
2015-03-30 15:48:53 Application: [Debug] The AXIS2C directory is axis2/.
2015-03-30 15:48:54 Application: [Debug] Requesting work for agent ID 15392d42-5574-98c2-8ccc-2a7d871a2827.
2015-03-30 15:48:54 Application: [Debug] Fetching a work item ...
2015-03-30 15:48:54 Application: [Debug] Fetched work item id=b4e70bc8-49a4-48d9-99c8-41265946917a
2015-03-30 15:48:54 Application: [Information] WorkItem: task=CustomizeOS, id=b4e70bc8-49a4-48d9-99c8-41265946917a
2015-03-30 15:48:54 Application: [Information] api.request.id -> 6fe2362a-e288-4e9c-9fb7-c5e00e5a1f0a
2015-03-30 15:48:54 Application: [Information] blueprintid -> 7e5361a1-6439-4bbd-9052-456eff294074
2015-03-30 15:48:54 Application: [Information] clonefrom -> Template_Centos65
2015-03-30 15:48:54 Application: [Information] clonefromid -> ef9ab79b-6976-42a8-bd81-afdda6d754e0
2015-03-30 15:48:54 Application: [Information] clonespec -> vCAC Linux - CentOS 6
2015-03-30 15:48:54 Application: [Information] infrastructure.admin.machineobjectou ->
2015-03-30 15:48:54 Application: [Information] infrastructure.resourcepool.name ->
2015-03-30 15:48:54 Application: [Information] initialrootpassword -> Password123
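As an added example (not the script from this post), here is a hardened variant of newrootpasswd.sh that covers the two weak spots above: it rejects a blank or too-short request value instead of setting an empty root password, passes the value through printf rather than echo -e so backslashes are not interpreted, and overwrites the clear-text initialrootpassword value the agent wrote to GuestAgent.log. The MIN_LEN policy, the GUGENT_LOG override and the redaction step are this example's own assumptions, and it is invoked by the same ScriptPath, newrootpasswd.sh {InitialRootPassword}.

```shell
#!/bin/sh
# Hardened variant of newrootpasswd.sh (added example, not the post's script).
# Invoked by the vRA guest agent as:  newrootpasswd.sh {InitialRootPassword}
# MIN_LEN, GUGENT_LOG and the redaction step are assumptions of this example.

MIN_LEN=8
GUGENT_LOG=${GUGENT_LOG:-/usr/share/gugent/GuestAgent.log}

# A blank request field must not produce an empty root password: reject
# values that are empty, whitespace-only, or shorter than MIN_LEN.
validate_password() {
    case "$1" in
        *[![:space:]]*) [ "${#1}" -ge "$MIN_LEN" ] ;;
        *) return 1 ;;
    esac
}

# Set the root password and expire it immediately, as the post's script does.
# printf '%s' replaces echo -e so backslashes in the value stay literal.
set_root_password() {
    printf '%s\n' "$1" | passwd --stdin root || return 1
    passwd -e root
}

# The agent logs the property in clear text as "initialrootpassword -> <value>";
# overwrite that value in place so the log no longer holds the password.
redact_log() {
    [ -f "$1" ] || return 0
    sed -i 's/\(initialrootpassword -> \).*/\1<redacted>/' "$1"
}

main() {
    if ! validate_password "$1"; then
        echo "newrootpasswd: rejected initial root password (empty or shorter than $MIN_LEN)" >&2
        return 1
    fi
    set_root_password "$1" || return 1
    redact_log "$GUGENT_LOG"
}

# Only act when the agent actually passed the password argument.
if [ $# -ge 1 ]; then
    main "$1"
    exit $?
fi
```

Because passwd and the log write need root, the validation and redaction functions can be exercised on a workstation while set_root_password only runs inside the provisioned VM.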