Friday, May 3, 2013

vShield 5.1.2 offline bundle for Auto Deploy ESXi hosts

Edit: Since this article was written VMware has come out with a new KB, http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2036701

The Problem

I use VMware Auto Deploy to manage my ESXi hosts. Despite the trouble setting it up, I find the major benefit, eliminating configuration and software version drift, to be invaluable. We've started experimenting with vShield Endpoint to deploy a certain antivirus vendor's beta product to replace the traditional antivirus agent on our VDI infrastructure. vShield Endpoint utilizes a management appliance that is used to install the vShield Endpoint software on the ESXi host.

If stateless Auto Deploy is used in an environment, the changes will be lost upon reboot of the host. One would have to use vShield Manager to reinstall the vShield Endpoint software on the host.

I found VMware KB2036701 that describes how to download the following bundles from the vShield Manager:
  • https://<vShield Manager IP>/bin/offline-bundles/VMware-vShield-fastpath-esx5x-5.1.0-766127.zip
  • https://<vShield Manager IP>/bin/offline-bundles/vShield-Endpoint-Mux.zip
We're running vShield Manager 5.1.2 and these URLs don't work.  I tried using the version number from our vShield Manager, 5.1.2-943471, but that didn't work.

Plan B - Search The vShield Manager Filesystem

Searching Google for VMware-vShield-fastpath-esx5x-5.1.2 turned up nothing. I needed the correct filenames for the offline bundles. vShield Manager is a locked-down Linux appliance, so there is no browsing the filesystem there. Trying to escape the bootloader and perform the init=/bin/sh trick didn't work. Guess we're booting from ISO and mounting the filesystem from there.

I turned on the vShield Manager VM and booted from a Linux ISO. Once at a shell prompt I was able to mount vShield Manager's filesystem and begin exploring.

The vShield Manager Filesystem

The vShield Manager filesystem looks like this:
I found what I needed on /dev/sda6.

At first I was just looking for the zip files. Using the find command I found the zip files in the directory /em/components. That path, /em/components, is the web server root directory, which makes any files in it accessible over HTTP.

After I found the .zip files I figured there might be a VIB depot also available, and searched for an index.xml file, which would indicate one. You can see two XML files were found, located in different paths: /em/components/zones and epsec.

I was able to add the vShield Endpoint MUX VIB to my image using the depot URL, http://<vShield Manager URL>/epsec/vibs/5.0/index.xml.
For vShield 5.1.2 and Auto Deploy you will want to retrieve the following two zip files and add them to your image:
  1. http://<vShield Manager URL>/offline-bundles/vShield-Endpoint-Mux.zip
  2. http://<vShield Manager URL>/offline-bundles/VMware-vShield-fastpath-esx5x-5.1.2-896234.zip
Alternatively you can add the following two URLs to your Software Depot:
  1. http://<vShield Manager URL>/epsec/vibs/5.0/index.xml
  2. http://<vShield Manager URL>/zones/vibs/5.0/index.xml
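Putting the two options above together into an Auto Deploy image, here is a PowerCLI Image Builder script. It is an added example, not code from the original post or from VMware; the vShield Manager hostname, the base image profile name, the local ESXi depot path, the deploy rule pattern and the SourceUrls-based package filter are assumptions, so list the packages first and adjust the names if your depot differs.

```powershell
# Added example (not from the original post). Builds an Auto Deploy image profile
# that carries the vShield Endpoint MUX and fastpath VIBs, using the depot
# index.xml URLs found under /em/components on the vShield Manager.
# Assumed values: $vsm, the base profile name, $esxiDepot and the rule pattern.

Add-PSSnapin VMware.ImageBuilder -ErrorAction SilentlyContinue      # PowerCLI 5.x snapins
Add-PSSnapin VMware.DeployAutomation -ErrorAction SilentlyContinue

$vsm       = 'vshield-manager.example.local'              # assumed hostname/IP of vShield Manager
$esxiDepot = 'C:\Depots\ESXi-5.1-offline-bundle.zip'      # assumed path of your ESXi base depot

# Depots served from the vShield Manager web root (paths from the post)
$vsmDepots = @(
    "http://$vsm/epsec/vibs/5.0/index.xml",
    "http://$vsm/zones/vibs/5.0/index.xml"
)
# The two offline bundles work the same way if you prefer downloading zip files:
#   "http://$vsm/offline-bundles/vShield-Endpoint-Mux.zip"
#   "http://$vsm/offline-bundles/VMware-vShield-fastpath-esx5x-5.1.2-896234.zip"

Add-EsxSoftwareDepot $esxiDepot | Out-Null
foreach ($url in $vsmDepots) { Add-EsxSoftwareDepot $url | Out-Null }

# Show what the vShield depots provide before adding anything to the image.
# Filtering on SourceUrls is an assumption; compare against the listing and
# name the packages explicitly if the filter does not match.
$vsmVibs = Get-EsxSoftwarePackage |
    Where-Object { $_.SourceUrls -match [regex]::Escape($vsm) }
$vsmVibs | Format-Table Name, Version, Vendor, AcceptanceLevel -AutoSize

# Clone the stock profile rather than editing it, so the base stays pristine.
$base    = Get-EsxImageProfile -Name 'ESXi-5.1.0-*-standard' | Select-Object -First 1   # assumed name
$profile = New-EsxImageProfile -CloneProfile $base -Name 'ESXi-5.1-vShield' -Vendor 'lab'

foreach ($vib in $vsmVibs) {
    # Image Builder validates VIB signatures against the profile's acceptance level;
    # if a VIB is rejected for a lower level, lower it deliberately with
    # Set-EsxImageProfile -AcceptanceLevel rather than skipping the check.
    Add-EsxSoftwarePackage -ImageProfile $profile -SoftwarePackage $vib | Out-Null
}

# Keep an offline copy of the exact image that Auto Deploy will serve.
Export-EsxImageProfile -ImageProfile $profile -ExportToBundle `
    -FilePath 'C:\Depots\ESXi-5.1-vShield.zip' -Force

# Point the Auto Deploy rule for the VDI hosts at the new profile (pattern assumed).
Connect-VIServer 'vcenter.example.local' | Out-Null
$rule = New-DeployRule -Name 'vdi-vshield-hosts' -Item $profile -Pattern 'vendor=Dell Inc.'
Add-DeployRule -DeployRule $rule

# Hosts already running the old profile will pick it up on their next reboot;
# report which ones are now out of compliance with the rule set.
Get-VMHost | Test-DeployRuleSetCompliance | Format-Table VMHost, ItemList -AutoSize
```

Because the MUX and fastpath VIBs are baked into the image profile, a stateless host comes back from a reboot with vShield Endpoint already installed, which is the drift problem the post set out to fix. Once the profile is in place, the vShield Manager no longer has to reinstall anything on reboot, though it is still needed to register the host with the endpoint appliance.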