Creating a Custom VIB

This paper shows how to use the vibauthor fling (http://labs.vmware.com/flings/vib-author) to create a VIB to add a custom firewall rule to your vSphere hosts.

Install the vibauthor Tool

Download the vibauthor tool and instructions from http://labs.vmware.com/flings/vib-author. Use RPM to install:

# rpm -ihv vmware-esx-vib-author-5.0.0-0.0.783903.i386.rpm

Preparing... ########################################### [100%]

1:vmware-esx-vib-author ########################################### [100%]

The vibauthor tool should run on pretty much any Linux distribution so long as the prerequisite packages are installed. I’m using CentOS 6.2. VMware recommends SLES 11 SP2. Note that there are a few package requirements so be sure to check the accompanying documentation for the prerequisites.

Once installed you are ready to go as there is no additional setup required. There are four basic steps to creating a custom VIB:

1) Create a payload directory

2) Add files to the payload directory

3) Create a VIB descriptor.xml file

4) Use vibauthor to create the VIB

Setup The Payload Directory

Create a staging directory where you will copy the files that will make up the payload of your VIB.

# mkdir /stagedir

Inside this directory create a subdirectory called “payloads”:

# cd /stagedir

# mkdir payloads

Inside the /stagedir/payloads directory create a directory with the name of the VIB. In this example I’m calling the VIB “MyRule”.

# cd /stagedir/payloads

# mkdir MyRule

Inside the /stagedir/payloads/MyRule directory create a directory structure that reflects the full path where the files are to be installed on the vSphere host. As firewall rules are stored in /etc/vmware/firewall I will create this same directory structure underneath the /stagedir/payloads/MyRule folder:

# cd /stagedir/payloads/MyRule

# mkdir -p etc/vmware/firewall

The final directory structure looks like this:

# /stagedir/payloads/MyRule/etc/vmware/firewall

Create The Custom Firewall Rule Definition

In the “/stagedir/payloads/MyRule/etc/vmware/firewall” directory create an XML file for the custom firewall rule definition. Here I’m using a slightly modified example from the vSphere Security guide.

This example creates a firewall rule, called “MyRule” that will allow inbound connections over port 7777.

# cd /stagedir/payloads/MyRule/etc/vmware/firewall

# vi MyRule.xml

<ConfigRoot>
  <service id='0000'>
    <id>MyRule</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>7777</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
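
A review of the rule definition above before it is packaged, as an added example that is not part of the original paper or of VMware's tooling. The function name review_firewall_xml and the sets of accepted values for direction, protocol and porttype are assumptions of this example, and only the single-port form used on this page is handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the MyRule.xml definition from this page.
MYRULE_XML = """<ConfigRoot>
  <service id='0000'>
    <id>MyRule</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>7777</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>"""

# Assumption of this example: the values accepted for each rule field.
ALLOWED = {"direction": {"inbound", "outbound"},
           "protocol": {"tcp", "udp"},
           "porttype": {"src", "dst"}}

def review_firewall_xml(xml_text):
    """Return (exposures, problems) for a firewall service definition."""
    exposures, problems = [], []
    root = ET.fromstring(xml_text)
    if root.tag != "ConfigRoot":
        problems.append("root element is <%s>, expected <ConfigRoot>" % root.tag)
    for svc in root.iter("service"):
        name = (svc.findtext("id") or "").strip()
        if not name:
            problems.append("service has no <id>")
        # True when the ruleset is marked as enabled by default.
        enabled = (svc.findtext("enabled") or "").strip().lower() == "true"
        for rule in svc.findall("rule"):
            fields = {k: (rule.findtext(k) or "").strip().lower() for k in ALLOWED}
            bad = ["%s: bad <%s> %r" % (name, k, v)
                   for k, v in fields.items() if v not in ALLOWED[k]]
            port = (rule.findtext("port") or "").strip()
            if not (port.isdecimal() and 1 <= int(port) <= 65535):
                bad.append("%s: bad <port> %r" % (name, port))
            if bad:
                problems.extend(bad)
                continue
            exposures.append((name, fields["direction"], fields["protocol"],
                              fields["porttype"], int(port), enabled))
    return exposures, problems
```

Each exposure tuple records the service name, direction, protocol, port type, port and whether the ruleset is enabled by default, which is the list to review before the VIB is built.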

Create the VIB Descriptor File

The next step is to create the VIB’s descriptor.xml file. The descriptor.xml file contains information about the payload (files included in the VIB) along with any dependencies, conflicts, or installation requirements. There is a sample descriptor file included with the vibauthor tool in the /opt/vmware/vibtools/sample directory that you can use as a template.

Tip: rather than create a new descriptor.xml from scratch you can extract the descriptor.xml from an existing VIB and edit it. To extract a VIB’s payload use the command: # vibauthor -e -v <vib> -o <output directory>

# cd /stagedir

# vi descriptor.xml

<vib version="5.0">
  <name>MyRule</name>
  <version>5.0.0-1.0</version>
  <vendor>None</vendor>
  <summary>Custom VIB Definition</summary>
  <description>Adds a Custom Firewall Rule</description>
  <urls/>
  <relationships>
    <depends>
    </depends>
    <conflicts/>
    <replaces/>
    <provides/>
    <compatibleWith/>
  </relationships>
  <software-tags>
    <tag>driver</tag>
    <tag>module</tag>
  </software-tags>
  <system-requires>
    <maintenance-mode>false</maintenance-mode>
  </system-requires>
  <file-list>
    <file>/etc/vmware/firewall/</file>
  </file-list>
  <acceptance-level>community</acceptance-level>
  <live-install-allowed>true</live-install-allowed>
  <live-remove-allowed>true</live-remove-allowed>
  <cimom-restart>false</cimom-restart>
  <stateless-ready>true</stateless-ready>
  <overlay>false</overlay>
  <payloads>
    <payload name="MyRule" type="vgz">
    </payload>
  </payloads>
</vib>
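
A pre-flight check of the staging directory built in the steps above, to run before vibauthor composes the VIB. This is an added example, not part of the original paper or of the vibauthor tool; the function names preflight and demo, the allowed_prefix parameter and the cut-down descriptor are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down descriptor.xml with the page's payload name.
DESCRIPTOR = """<vib version="5.0"><name>MyRule</name>
<acceptance-level>community</acceptance-level>
<payloads><payload name="MyRule" type="vgz"/></payloads></vib>"""

def preflight(stage_dir, allowed_prefix="/etc/vmware/firewall/"):
    """Return (files, problems) for a vibauthor staging directory."""
    files, problems = [], []
    desc = os.path.join(stage_dir, "descriptor.xml")
    if not os.path.isfile(desc):
        return files, ["missing descriptor.xml in %s" % stage_dir]
    vib = ET.parse(desc).getroot()
    for payload in vib.iter("payload"):
        name = payload.get("name", "")
        tree = os.path.join(stage_dir, "payloads", name)
        if not os.path.isdir(tree):
            problems.append("payload %r: no directory %s" % (name, tree))
            continue
        for dirpath, _dirs, names in os.walk(tree):
            for n in names:
                rel = os.path.relpath(os.path.join(dirpath, n), tree)
                files.append("/" + rel.replace(os.sep, "/"))
    # Every staged file becomes a file on the host; flag unexpected locations.
    for path in files:
        if not path.startswith(allowed_prefix):
            problems.append("unexpected install path: %s" % path)
    if not files and not problems:
        problems.append("no files staged; the VIB would be empty")
    return sorted(files), problems

def demo(payloads_dirname):
    """Build a throwaway staging tree and run the check against it."""
    with tempfile.TemporaryDirectory() as stage:
        fw = os.path.join(stage, payloads_dirname, "MyRule", "etc", "vmware", "firewall")
        os.makedirs(fw)
        for path, text in ((os.path.join(stage, "descriptor.xml"), DESCRIPTOR),
                           (os.path.join(fw, "MyRule.xml"), "<ConfigRoot/>")):
            with open(path, "w") as fh:
                fh.write(text)
        return preflight(stage)

if __name__ == "__main__":
    print(demo("payloads"))  # layout used on this page
    print(demo("payload"))   # misnamed directory: the payload is not found
```

The returned file list is the set of absolute paths the VIB would place on the host, so it doubles as the record to review before the package is installed anywhere.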

Create the VIB

Finally, use the vibauthor tool to create the VIB. The options used to create the VIB are:

-C = compose

-t = staging directory

-v = name of the VIB

-O = name of the depot

# cd /stagedir

# vibauthor -C -t /stagedir -v MyRule.vib -O MyRule.zip

Successfully created MyRule.vib.

Successfully created MyRule.zip.

The output of the above command will be two files:

MyRule.vib: This is the actual VIB. You can use this file to add the VIB to a running ESXi host using the “esxcli” command.

MyRule.zip: This file is a software depot that contains the VIB. You also can use this file to add the VIB to a running ESXi host with the “esxcli” command, but you can also use this file with the Image Builder CLI to add the VIB to an ESXi Image Profile.

Installing the VIB to a Running ESXi Host

To install the custom VIB to a running ESXi host follow these steps:

Copy the depot to the vSphere host:

# scp MyRule.zip root@esx01.company.local:/tmp

Set the host’s Acceptance Level to CommunitySupported

# esxcli -s esx01.company.local software acceptance \
  set --level=CommunitySupported

Install the VIB

# esxcli -s esx01.company.local software vib install \
  -d /tmp/MyRule.zip -n MyRule

Adding the Custom VIB to an Image Profile

Use the ESXi Image Builder CLI to add the custom VIB to a custom image profile. Copy the MyRule.zip depot to a host where you have PowerCLI installed.

Start PowerCLI and connect to the vCenter Server:

PowerCLI C:\> Connect-VIServer <ip>

Import the ESXi 5.0 software depot (from the ESXi 5.0 bundle):

PowerCLI C:\> Add-EsxSoftwareDepot C:\ESXi-Depot\VMware-ESXi5.0.0-469512-depot.zip

Import the MyRule.zip software depot:

PowerCLI C:\> Add-EsxSoftwareDepot C:\ESXi-Depot\MyRule.zip

Create a new image profile. In this example I am creating a new image profile by cloning one of the default image profiles included with the ESXi 5.0 offline depot. Note that because I’m adding a custom VIB I need to set the acceptance level to “CommunitySupported”.

PowerCLI C:\> New-EsxImageProfile -CloneProfile ESXi-5.0.0-469512-standard -Name MyCustomProfile -Vendor Custom -AcceptanceLevel "CommunitySupported"

Add the custom VIB:

PowerCLI C:\> Add-EsxSoftwarePackage -ImageProfile MyCustomProfile -SoftwarePackage MyRule

At this point the image profile is complete. You can now export the image as an offline depot (.zip) or as a bootable ISO (.iso).

.ZIP

PowerCLI C:\> Export-EsxImageProfile -ImageProfile MyCustomProfile -ExportToBundle -FilePath C:\ESXi-Depot\CustomImage.zip

.ISO

PowerCLI C:\> Export-EsxImageProfile -ImageProfile MyCustomProfile -ExportToISO -FilePath C:\ESXi-Depot\CustomImage.iso

You can now use the custom image profile to install your ESXi hosts. When the host is installed the “/etc/vmware/firewall/MyRule.xml” file will be installed on the host.

Verify the Custom Rule “MyRule”

You can verify that the VIB carrying the custom firewall rule has been added to a host using the esxcli command:

# esxcli -s esx01.company.local software vib list

In addition you can view the custom rule in vCenter by selecting the host and choosing “Configuration -> Security Profile”, then verifying in the Firewall section that the custom firewall rule named “MyRule” exists.