A while ago I posted a PowerCLI method for deploying vShield 5.0, which can be found here. As mentioned in the comments of that post, it did not work for vCNS 5.5, because the deployment process changed and actually became a lot neater than it was before. Previously we had to reach inside the guest OS and mess around with configuration files; in the 5.5 release the vCNS team made changes that make the appliance much easier to deploy automatically.
I actually wrote this a while ago and forgot about it until recently when I was asked if it could be done, this was a great reminder for me to post the code for others to use.
You will see in the code that a few variables need to be set at the start of the script, including the cluster to deploy vCNS to. The script then picks a random host in that cluster and a shared datastore with enough free space for the appliance. This placement logic is just an example and can be changed to suit your requirements; I was having some fun with a kind of automated placement.
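The placement logic described above, written out as an added example rather than the script from the original post. It assumes PowerCLI 5.8 R1 (a snap-in, not a module), and the vCenter name, cluster name, OVA path, 60 GB space requirement, port group and the OVF property paths (`Common.vsm_ip_0` and friends) are all assumptions to be checked against what `Get-OvfConfiguration` actually reports for your OVA:

```powershell
# Added example, not the script from the original post: deploy a vCNS 5.5
# appliance with PowerCLI 5.8 R1, picking the host and datastore automatically.
# Everything marked "assumption" is illustrative and must be adapted.
if (-not (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue)) {
    Add-PSSnapin VMware.VimAutomation.Core   # PowerCLI 5.8 R1 ships as a snap-in
}

$vcServer      = 'vcenter.lab.local'                               # assumption
$clusterName   = 'Cluster01'                                       # assumption
$ovaPath       = 'C:\Appliances\VMware-vShield-Manager-5.5.0.ova'  # assumption
$applianceName = 'vsm01'                                           # assumption
$requiredGB    = 60                                                # assumption: free space the appliance needs
$mgmtPortGroup = 'VM Network'                                      # assumption

Connect-VIServer -Server $vcServer -ErrorAction Stop | Out-Null

# 1. Random placement: any connected host in the cluster. ConnectionState reports
#    'Maintenance' for hosts in maintenance mode, so they are excluded here too.
$cluster = Get-Cluster -Name $clusterName -ErrorAction Stop
$vmhost  = Get-VMHost -Location $cluster |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Get-Random
if (-not $vmhost) { throw "No connected host found in cluster '$clusterName'" }

# 2. A datastore visible from that host that is shared (MultipleHostAccess in the
#    vSphere datastore summary) and has enough free space; take the emptiest one.
$datastore = Get-Datastore -RelatedObject $vmhost |
    Where-Object { $_.ExtensionData.Summary.MultipleHostAccess -and $_.FreeSpaceGB -ge $requiredGB } |
    Sort-Object -Property FreeSpaceGB -Descending |
    Select-Object -First 1
if (-not $datastore) { throw "No shared datastore with at least $requiredGB GB free on $($vmhost.Name)" }

# 3. OVF properties. Print what the OVA really exposes before trusting any property name.
$ovf = Get-OvfConfiguration -Ovf $ovaPath
$ovf.ToHashTable().Keys | Sort-Object | ForEach-Object { Write-Host "OVF property: $_" }

function Set-OvfValue {
    # Walk a dotted path such as 'Common.vsm_ip_0' through the OvfConfiguration object
    param($Configuration, [string]$Path, $Value)
    $node = $Configuration
    foreach ($part in $Path.Split('.')) { $node = $node.$part }
    if ($null -eq $node) { throw "OVF property '$Path' does not exist in this OVA" }
    $node.Value = $Value
}

# The property paths below are an assumption: verify them against the list printed above.
$cliPassword = Read-Host -Prompt 'Initial CLI password for the appliance'
$settings = @{
    'NetworkMapping.VSMgmt'   = $mgmtPortGroup
    'Common.vsm_cli_passwd_0' = $cliPassword
    'Common.vsm_ip_0'         = '192.168.10.50'    # assumption
    'Common.vsm_netmask_0'    = '255.255.255.0'    # assumption
    'Common.vsm_gateway_0'    = '192.168.10.1'     # assumption
}
foreach ($entry in $settings.GetEnumerator()) {
    Set-OvfValue -Configuration $ovf -Path $entry.Key -Value $entry.Value
}

# 4. Import and power on. OVF property values, the password included, are stored in
#    the VM's vApp options in vCenter, so rotate that password after first login.
$vm = Import-VApp -Source $ovaPath -OvfConfiguration $ovf -Name $applianceName `
        -VMHost $vmhost -Datastore $datastore -DiskStorageFormat Thin -ErrorAction Stop
Start-VM -VM $vm -ErrorAction Stop | Out-Null
Write-Host "Deployed $applianceName on $($vmhost.Name) / $($datastore.Name)"
```

The `MultipleHostAccess` test is what makes the datastore "shared" in this example; if you want to be stricter, check that every host in the cluster returns it from `Get-Datastore -RelatedObject` before choosing it.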
You will need PowerCLI 5.8 R1 for this. Don't forget that once vShield has been deployed you can easily take the configuration further with the vShield module I created here. For other examples of deployment scripts for VMware appliances, check out the repo here and contribute!
A while back I was asked if we could automate some areas of vShield, VMware's security suite of products. I was asked to do this for a demo to be used at VMworld; having never touched vShield before, I was thrown into the world of security at the deep end. The first thing I found on my quest was the vShield API: there is a great document by VMware which explains the vShield proprietary Web-RPC API (REST-based) and all the calls you would ever need to make to work with the vShield products.
Now that I had the API details, I knew I could easily write some PowerShell code in the form of an advanced function to work with the API. The first piece of code I wrote was a generic function which allowed me to GET, PUT, DELETE and POST to a proprietary Web-RPC based RESTful API. I know PowerShell v3 will include cmdlets for this, but I didn't want to wait or add a dependency on something which wasn't available yet.
Following on from my previous post in this series, where I showed how to deploy vShield Manager into our virtual infrastructure, I thought I would take it one step further and show how we can use the vShield APIs from PowerShell to make some nice PowerShell advanced functions which install the vShield services on our hosts.
Forgetting about the functions for a moment, this really does show the power of PowerShell and how we can simplify everything down into a couple of lines of code which can be used over and over. The last line of this code is all that is now needed to install the vShield services on not just one host but hundreds of hosts!
I have been learning a little about vShield lately, mainly for some work I had to complete for VMworld Las Vegas, but also because I started coming up with some cool stuff when using PowerShell to talk to the REST API of vShield. More on that will come in a following post, but I wanted to give a quick idea of what is possible.
Starting from the beginning, the first thing we need to do is install vShield 5 into the existing environment. This could be done by downloading the software and installing it manually, but why would we do that? Automation is king!
So the following PowerShell script will show you how to automate the following:
- Import the vShield OVA file into vSphere as a new VM
- Start the vShield VM
- Set the IP information
- Restart the vShield VM
- Use the vShield API to connect it to vCenter
Of course, once we have done this we will need to install the vShield agent VMs onto our hosts, but that's a great start, and we need to leave some things for me to write about in future blog posts!
I would like to point out at this point that I struggled with setting the IP address on the machine. I knew I could connect to the VM using the great Invoke-VMScript cmdlet, but tried several ways until I asked for help from the legend that is Mr William Lam; you can see from this post how he managed to do this. Thanks to William I was able to follow his method (but with less of that Perl stuff) and enable the last piece of the jigsaw.
A big thanks to Jeff Hicks, who also wrote a nice, easy-to-use function to test if a website is available. This came in useful when I was waiting for the management website to come up before I could hook into the API and connect vShield to vCenter.
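The two API-facing pieces mentioned on this page, the generic GET/PUT/POST/DELETE function from the API post above and the "wait for the management site, then connect vShield to vCenter" step of the deployment, as one added example. This is my own code, not the author's functions or Jeff Hicks's test function. It targets PowerShell 2.0 and System.Net.HttpWebRequest, since the posts predate Invoke-RestMethod. The appliance address, certificate thumbprint, vCenter address and account are assumptions, and so are the `/api/2.0/global/config` endpoint and the `vsmGlobalConfig`/`vcInfo` body: they are taken from my reading of the vShield API guide and must be verified against the guide for your version.

```powershell
# Added example, not code from the original posts. Assumed values are marked.

function Set-PinnedCertificate {
    # vShield Manager ships with a self-signed certificate. Rather than disabling
    # validation for everything with { $true }, accept only the expected thumbprint.
    # ServerCertificateValidationCallback is process-wide: every HTTPS call in this
    # PowerShell session is checked against this pin until it is reset.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $expected = $Thumbprint.Replace(':', '').Replace(' ', '').ToUpper()
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) { return $true }
        return ($certificate.GetCertHashString().ToUpper() -eq $expected)
    }.GetNewClosure()
}

function Invoke-vShieldRest {
    # Generic wrapper: one function for GET, PUT, POST and DELETE with an XML body.
    param(
        [Parameter(Mandatory=$true)][ValidateSet('GET','PUT','POST','DELETE')][string]$Method,
        [Parameter(Mandatory=$true)][string]$Uri,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
        [string]$Body
    )
    $request = [System.Net.HttpWebRequest]::Create($Uri)
    $request.Method      = $Method
    $request.Accept      = 'application/xml'
    $request.ContentType = 'application/xml'
    # vShield Manager uses HTTP Basic authentication, so only ever talk to it over HTTPS.
    $nc    = $Credential.GetNetworkCredential()
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($nc.UserName):$($nc.Password)"))
    $request.Headers.Add('Authorization', "Basic $token")
    if ($Body) {
        $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
        $request.ContentLength = $bytes.Length
        $stream = $request.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()
    }
    try   { $response = $request.GetResponse() }
    catch [System.Net.WebException] {
        # Non-2xx answers still carry a body (the vShield error XML); return it instead of throwing.
        if ($_.Exception.Response) { $response = $_.Exception.Response } else { throw }
    }
    $reader  = New-Object System.IO.StreamReader($response.GetResponseStream())
    $content = $reader.ReadToEnd()
    $reader.Close(); $response.Close()
    New-Object PSObject -Property @{ StatusCode = [int]$response.StatusCode; Body = $content }
}

function Wait-ManagementSite {
    # Poll until the web server answers at all (any HTTP status, 401 included).
    # A certificate that fails the pin is a hard failure, not something to wait out.
    param([string]$Uri, [int]$TimeoutSeconds = 900, [int]$IntervalSeconds = 15)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        try {
            $req = [System.Net.HttpWebRequest]::Create($Uri)
            $req.Timeout = 10000
            $req.GetResponse().Close()
            return $true
        } catch [System.Net.WebException] {
            if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) { throw }
            if ($_.Exception.Response) { return $true }
        }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

$vsmIp         = '192.168.10.50'                                # assumption
$vsmThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'     # assumption: read it from the appliance console, not from the first connection
$vsmCred       = Get-Credential -Credential 'admin'
$vcIp          = '192.168.10.10'                                # assumption
$vcCred        = Get-Credential -Credential 'svc-vshield@vsphere.local'   # assumption: a dedicated, least-privilege service account, not administrator

Set-PinnedCertificate -Thumbprint $vsmThumbprint
if (-not (Wait-ManagementSite -Uri "https://$vsmIp/")) { throw 'vShield Manager web UI did not come up in time' }

# Assumed endpoint and body (verify against the vShield API guide for your version).
# Escape the credentials: a password containing & or < would otherwise break the XML.
$vc   = $vcCred.GetNetworkCredential()
$body = @"
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <vcInfo>
    <ipAddress>$vcIp</ipAddress>
    <userName>$([System.Security.SecurityElement]::Escape($vc.UserName))</userName>
    <password>$([System.Security.SecurityElement]::Escape($vc.Password))</password>
  </vcInfo>
</vsmGlobalConfig>
"@
$result = Invoke-vShieldRest -Method PUT -Uri "https://$vsmIp/api/2.0/global/config" -Credential $vsmCred -Body $body
if ($result.StatusCode -ne 200) { throw "vCenter registration failed: HTTP $($result.StatusCode) $($result.Body)" }
(Invoke-vShieldRest -Method GET -Uri "https://$vsmIp/api/2.0/global/config" -Credential $vsmCred).Body
```

On PowerShell 3.0 and later the request plumbing can be replaced by Invoke-RestMethod, but the certificate pin is still worth keeping: the usual `{ $true }` validation callback turns every later HTTPS call in the session, including the one that carries the vCenter credentials, into something any host on the path can intercept.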