Cloud-Init for VMs in private and public Clouds

Initialize VMs in a vSphere private Cloud using Cloud-Init

Cloud-Init Datasource for VMware GuestInfo is deprecated

The Web is full of explanations of how to use „Cloud-Init Datasource for VMware GuestInfo“ (https://github.com/vmware-archive/cloud-init-vmware-guestinfo), but it is deprecated.

It is now integrated natively into Cloud-Init

Cloud-Init 21.3 (https://discourse.ubuntu.com/t/release-of-cloud-init-21-3/23857) has been released and integrates this software.

New name:

I’d expect it to be in the current Ubuntu 21.10 (Impish Indri) https://cloud-images.ubuntu.com/impish/current/ – the release notes for 21.10 don’t specify the exact version.

Ubuntu 20.04 (Focal Fossa) is still at cloud-init 20.1-10 according to https://wiki.ubuntu.com/FocalFossa/ReleaseNotes which is too old.

Prepare a VM-Template

Unfortunately Ubuntu provides the „cloud“-images in OVA-Format.

Create VM-Template from OVA

Deploy

  • impish-server-cloudimg-amd64.ova

as

  • VM
  • keep all settings set to default

Customize VM

  • disable (or remove) the „Serial“-port
  • disable vApp-Properties
    • those would break the cloud-init process later on
    • VM=>Configure
    • Settings=>vApp-Options
    • disable [ ] vApp-Properties

Convert to Template

  • VM-Template „ubuntu-impish-21.10-cloudimg“.

Clone a VM from this VM-Template

This shouldn’t be done manually; I’d suggest using Terraform.

Verify that Cloud-Init 21.3 is available and the „VMware“-Datasource is included

Cloud-Init Version

Release 21.3 is available:

ubuntu@ubuntu:~$ cloud-init --version
/usr/bin/cloud-init 21.3-1-g6803368d-0ubuntu3

Check the Cloud-Init Datasource

Datasource „vmware“ is included:

ubuntu@ubuntu:~$ cloud-id
vmware

Update Terraform and vSphere-Provider

Terraform is a single .EXE-File, so installation is about adding its folder to the $PATH-Variable, and upgrading is about replacing „terraform.exe“ with the current version.

Update Terraform

C:\RH\LAB\TERRAFORM\vSphere_N9K>terraform --version
Terraform v0.15.2
on windows_amd64

Your version of Terraform is out of date! The latest version
is 1.0.11. You can update by downloading from https://www.terraform.io/downloads.html

C:\>dir "c:\Program Files (exe)"\terraform*.*
 Volume in drive C is Windows
 Volume Serial Number is 583C-0C08

 Directory of c:\Program Files (exe)

05.05.2021  22:34        81.442.168 terraform.exe
               1 File(s)     81.442.168 bytes
               0 Dir(s)   8.344.129.536 bytes free

Download the current release („terraform_1.0.11_windows_amd64.zip“), unzip it and copy it to the correct destination:

C:\>dir "c:\Program Files (exe)"\terraform*.*
 Volume in drive C is Windows
 Volume Serial Number is 583C-0C08

 Directory of c:\Program Files (exe)

12.11.2021  17:41        60.838.776 terraform.exe
05.05.2021  22:34        81.442.168 terraform.bak

               2 File(s)    227.786.808 bytes
               0 Dir(s)   8.344.129.536 bytes free

C:\>terraform --version
Terraform v1.0.11
on windows_amd64
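
A check that fits between the download and the copy, as an added example that is not part of the original post: compare the archive's SHA-256 with its entry in the release's checksum file before replacing „terraform.exe“. The checksum file name „terraform_1.0.11_SHA256SUMS“ and the function name are assumptions; the demo at the end works on constructed files in a temp folder.

```powershell
# Added example (assumptions: function name, checksum file name).
function Test-ReleaseChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ArchivePath,  # e.g. terraform_1.0.11_windows_amd64.zip
        [Parameter(Mandatory)][string]$SumsPath      # e.g. terraform_1.0.11_SHA256SUMS
    )
    $name = Split-Path -Leaf $ArchivePath

    # Each line of the checksum file is "<64 hex digits>  <file name>".
    $expected = @(foreach ($line in Get-Content -LiteralPath $SumsPath) {
        if ($line -match '^(?<hash>[0-9a-fA-F]{64})\s+\*?(?<file>.+)$' -and $Matches.file -eq $name) {
            $Matches.hash
        }
    })

    # Refuse to decide on a missing or ambiguous entry.
    if ($expected.Count -ne 1) {
        throw "Expected exactly one checksum entry for '$name', found $($expected.Count)."
    }

    $actual = (Get-FileHash -LiteralPath $ArchivePath -Algorithm SHA256).Hash
    # String -eq is case-insensitive, so upper- and lower-case hex compare equal.
    return $actual -eq $expected[0]
}

# Constructed offline demo: a dummy archive and a matching checksum file.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$zip  = Join-Path $dir 'terraform_1.0.11_windows_amd64.zip'
$sums = Join-Path $dir 'terraform_1.0.11_SHA256SUMS'
Set-Content -LiteralPath $zip -Value 'constructed placeholder, not a real release' -NoNewline
$hash = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash.ToLower()
Set-Content -LiteralPath $sums -Value "$hash  terraform_1.0.11_windows_amd64.zip"

Test-ReleaseChecksum -ArchivePath $zip -SumsPath $sums   # archive as downloaded

Add-Content -LiteralPath $zip -Value 'modified'          # simulate a changed archive
Test-ReleaseChecksum -ArchivePath $zip -SumsPath $sums

Remove-Item -Recurse -Force $dir
```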

Update vSphere-Provider

Using this „.tf“-File referencing the „hashicorp/vsphere“-Provider:

terraform {
  required_version = ">= 0.13"
  required_providers {
    vsphere = {
      source  = "hashicorp/vsphere"
    }
  }
}

and initialize the project with current provider(s):

C:\>terraform init -upgrade

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/vsphere...
- Installing hashicorp/vsphere v2.0.2...
- Installed hashicorp/vsphere v2.0.2 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.


VMware ESXi: Generate Self-Signed Certificate for FQDN and retrieve SSL-Thumbprint

Background

VMware wants us to prepopulate an Excel-Sheet with SSH-Keys and SSL-Thumbprints of all ESXi-Hosts, which have been freshly deployed minutes before. This effectively protects against man-in-the-middle attacks – maybe a problem in US-datacenters.

Beginning with VMware Cloud Foundation Release VCF 4.2, the Cloud-Builder-App verifies the „CN“ of all ESXi-SSL-Certificates. In the default setup it is set to „localhost“ (to be overwritten when connecting to the vCenter, so this seemed to be no issue), which is not accepted: the CN has to be set to <server-fqdn>.

VCF PreCheck: SSL Certificate CN Error

Solution

plink.exe

„plink.exe“ from the Putty-Suite can be called from PowerShell in an automated fashion without an interactive Password-Prompt. (In May 2021 there seems to be no other choice for PowerShell Core 7.)

Algorithm

  1. generate „correct“ self-signed certificate with „CN“ set to „fqdn“ not for „localhost“
  2. read the new certificate SSL-sha256-thumbprint
  3. reboot the ESXi-Host to activate the new SSL-Server-Certificate

Result

Correct SSL Server-Certificate

Server SSL-Certificate with correct CN

Log for four ESXi-Hosts

Contains SSL-Thumbprints to get copied into the VCF-Excel-Sheet.

Variables

  • $VMPassword
  • $VMUsername

have to be prepopulated.

PS T:\vmware vcf4> .\esxi_ssl_ssh.ps1
Generate SSL Self-Signed Certificate [ham01-m01-esx01]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint
Generate SSL Self-Signed Certificate [ham01-m01-esx02]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint
Generate SSL Self-Signed Certificate [ham01-m01-esx03]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint
Generate SSL Self-Signed Certificate [ham01-m01-esx04]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint

*** Result ***
172.16.11.101 ham01-m01-esx01
SSL-Thumbprint: D2:6E:01:AD:36:82:3E:D2:AC:F3:66:6E:27:FC:A5:2C:26:99:57:8D:E6:D9:24:E3:42:61:F3:C3:52:65:8C:36
172.16.11.102 ham01-m01-esx02
SSL-Thumbprint: 21:67:3F:11:E4:FE:F3:D2:D9:C6:C2:66:85:7D:3D:3F:02:49:F2:FE:D6:74:86:E1:8E:BE:CC:A2:66:41:72:D2
172.16.11.103 ham01-m01-esx03
SSL-Thumbprint: F6:D3:12:BD:53:36:F0:E5:FD:C9:F9:3C:41:60:80:79:C8:C4:69:30:52:AF:6C:AF:24:C3:C6:DE:2A:75:80:14
172.16.11.104 ham01-m01-esx04
SSL-Thumbprint: AC:0B:D0:E3:6D:03:12:3F:7E:69:5F:0F:75:F0:F5:F2:E1:59:61:46:83:35:1F:AD:2C:15:9D:EB:C1:9D:EF:DE

PowerShell Sourcecode

# ESXi hostname => management (vmk0) IP address
$NestedESXiHosts = @{
    "ham01-m01-esx01"=@{"vmk0"="172.16.11.101"};
    "ham01-m01-esx02"=@{"vmk0"="172.16.11.102"};
    "ham01-m01-esx03"=@{"vmk0"="172.16.11.103"};
    "ham01-m01-esx04"=@{"vmk0"="172.16.11.104"};
}

$NestedESXiHosts.GetEnumerator() | Sort-Object -Property key | Foreach-Object {
    $VMName = $_.Key
    $VMIPAddress = $_.Value.vmk0

    write-host -ForegroundColor Green "Generate SSL Self-Signed Certificate [$VMName]"
    # "echo y" answers plink's host-key prompt, so the SSH host key is accepted unverified.
    # Remote commands: regenerate the certificate, print its SHA-256 fingerprint, reboot.
    $SSLThumbPrint = echo y | plink -ssh -pw $VMPassword $VMUsername@$VMIPAddress "/sbin/generate-certificates;openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha256 -noout;reboot;"

    write-host -ForegroundColor Green "Fetch SSL-Thumbprint"
    # openssl prints "<label>=AA:BB:..."; keep the part after "="
    $SSLThumbPrint = $SSLThumbPrint.split("=")[1]
    # Store the thumbprint next to the IP address for the report below
    $_.Value.SSL = $SSLThumbPrint
}

write-host
write-host -ForegroundColor Green "*** Result ***"

# Print IP, hostname and thumbprint per host, ready for the VCF-Excel-Sheet
$NestedESXiHosts.GetEnumerator() | Sort-Object -Property key | Foreach-Object {
    $VMName = $_.Key
    $VMIPAddress = $_.Value.vmk0
    $VMSSL = $_.Value.SSL
    write-host -ForegroundColor Green "$VMIPAddress $VMName"
    write-host "SSL-Thumbprint: $VMSSL"
}
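
To confirm after the reboot that each host really serves the regenerated certificate, the following added example (not part of the original script) reads the certificate from port 443 and compares its CN and SHA-256 thumbprint with the FQDN and the value recorded over SSH. It assumes PowerShell 7; the function names and the domain „lab.example“ are assumptions, and the demo certificate is constructed.

```powershell
# Added example. Summarise a certificate the way the log above prints it:
# subject CN plus colon-separated SHA-256 thumbprint.
function Get-CertificateSummary {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    [pscustomobject]@{
        CommonName = $Certificate.GetNameInfo($simple, $false)
        Thumbprint = ($Certificate.GetCertHash($sha256) | ForEach-Object { $_.ToString('X2') }) -join ':'
    }
}

# Fetch the certificate a host presents on its HTTPS port.
function Get-RemoteCertificate {
    param(
        [Parameter(Mandatory)][string]$Address,   # IP address to connect to (vmk0)
        [Parameter(Mandatory)][string]$Fqdn,      # name sent in the TLS handshake
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    try {
        # The callback accepts any certificate: a self-signed one cannot chain to a
        # trusted root, and the decision is made by Test-EsxiCertificate instead.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $tls.AuthenticateAsClient($Fqdn)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        } finally { $tls.Dispose() }
    } finally { $client.Dispose() }
}

# Compare a certificate with what the pre-check expects and what was recorded.
function Test-EsxiCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $summary = Get-CertificateSummary -Certificate $Certificate
    [pscustomobject]@{
        Fqdn              = $Fqdn
        CommonName        = $summary.CommonName
        CnMatchesFqdn     = $summary.CommonName -eq $Fqdn
        ThumbprintMatches = $summary.Thumbprint -eq $ExpectedThumbprint.Trim()
        Thumbprint        = $summary.Thumbprint
    }
}

# Constructed offline demo: a throw-away self-signed certificate with CN=localhost
# stands in for a host that still has its default certificate.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=localhost', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$demo = $request.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
$recorded = (Get-CertificateSummary -Certificate $demo).Thumbprint
Test-EsxiCertificate -Certificate $demo -Fqdn 'esx01.lab.example' -ExpectedThumbprint $recorded

# Against the hosts from the script above, once they are back up after the reboot
# ($Domain is a placeholder; the page does not state the DNS domain):
# $Domain = 'lab.example'
# $NestedESXiHosts.GetEnumerator() | Sort-Object -Property Key | ForEach-Object {
#     $fqdn = "$($_.Key).$Domain"
#     $cert = Get-RemoteCertificate -Address $_.Value.vmk0 -Fqdn $fqdn
#     Test-EsxiCertificate -Certificate $cert -Fqdn $fqdn -ExpectedThumbprint $_.Value.SSL
# }
```

A row with CnMatchesFqdn or ThumbprintMatches set to False means the host is not serving the certificate whose thumbprint went into the sheet.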

Azure CLI: Default-Values for config-Session

In most cases, at least some parameters for a set of CLI-Commands remain the same. Setting those as „default“ saves time and reduces human error.

For example, specify your location and resource group exactly one time and never repeat them:

ronald@Azure:~$ az configure --defaults group=RG-TEST location=westeurope

Disclaimer

Since I’m trying to get rid of Evernote, too annoying too often, I’ll start to document non-private stuff here.

RG_NAME=RG_TEST
LOCATION_NAME=westeurope
az group create --resource-group $RG_NAME --location $LOCATION_NAME

az configure --defaults group=$RG_NAME location=$LOCATION_NAME

vSphere vCenter – PowerShell: reliable Connection

From time to time the first try to connect to a vCenter-Server fails. Building a simple loop that allows a limited number of retries fixes this possible issue.

$vSphereServer = "vcsa.local"
$vSphereUser = "administrator@vsphere.local"
$vSpherePassword = "********"

$result = @{}

# Number of connection attempts before giving up
$retries = 6
$viConnection = $null
#
while ($null -eq $viConnection) {
    # My-Logger "Connecting to Management vCenter Server $vSphereServer ..."
    #
    # Reset $error so that a final failure message only reports the last attempt
    $error.clear()
    $viConnection = Connect-VIServer $vSphereServer -User $vSphereUser -Password $vSpherePassword -WarningAction SilentlyContinue
    #
    if ($null -eq $viConnection) {
        $retries = $retries - 1
        if ($retries -eq 0) {
            throw ("Connecting to vCenter ($vSphereServer) failed ($vSphereUser): $error")
        }
        # Wait 10 seconds before the next attempt
        Start-Sleep -s 10
    }
}
$result.viConnection = $viConnection


New Windows 2019 Jump-Host

Until everything in my lab runs on Terraform, PowerShell will be a valid solution for automation purposes.

Install PowerShell 7

https://docs.microsoft.com/de-de/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7.1

https://github.com/PowerShell/PowerShell/releases/tag/v7.0.4

Allow Execution of PowerShell-Scripts

Set-ExecutionPolicy Unrestricted

Install Power-CLI

Install-Module -Name VMware.PowerCLI

Allow Self-Signed Certs

[Lab Environment]

Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore


Terraform: Enable persistent Debugging

Setting the variable

  • TF_LOG

to an arbitrary value enables „TRACE“-level debugging to „STDOUT“

  • also available: DEBUG, INFO, WARN or ERROR

and setting

  • TF_LOG_PATH

writes the log to a file.

PS C:\RH\> $env:TF_LOG = "TRACE"
PS C:\RH\> $env:TF_LOG_PATH = "c:\temp\tf.log"

When running e.g. „terraform apply“, all debug messages get appended to the specified file.


OVF/OVA-Properties

When deploying Virtual-Machines from OVF/OVA-Files in an automated manner, e.g. using PowerShell or Terraform, it’s crucial to set all individual deployment parameters using the provisioning system.

Discover the available Properties using

  • PowerShell
  • OVF-Tool

Using PowerShell

Create a vCenter-Connection

PS C:\Program Files\PowerShell\7>

$VIServer = "vcenter.lab.local"
$VIUsername = "administrator@vsphere.local"
$VIPassword = "VMware!23"

$viConnection = Connect-VIServer $VIServer -User $VIUsername -Password $VIPassword

Retrieve the OVF-Config-Object

PS C:\Program Files\PowerShell\7>

$OVA = "T:\csr1000v-universalk9.16.09.01.ova"

$ovfconfig = Get-OvfConfiguration -Server $viConnection $OVA
$ovfconfigHashTable = $ovfconfig.ToHashTable()

Display all contained Properties („=Keys“)

PS C:\Program Files\PowerShell\7>

$ovfconfigHashTable.Keys | Sort-Object

com.cisco.csr1000v.domain-name.1
com.cisco.csr1000v.enable-scp-server.1
com.cisco.csr1000v.enable-ssh-server.1
com.cisco.csr1000v.hostname.1
com.cisco.csr1000v.license.1
com.cisco.csr1000v.login-password.1
com.cisco.csr1000v.login-username.1
com.cisco.csr1000v.mgmt-interface.1
com.cisco.csr1000v.mgmt-ipv4-addr.1
com.cisco.csr1000v.mgmt-ipv4-gateway.1
com.cisco.csr1000v.mgmt-ipv4-network.1
com.cisco.csr1000v.mgmt-vlan.1
com.cisco.csr1000v.pnsc-agent-local-port.1
com.cisco.csr1000v.pnsc-ipv4-addr.1
com.cisco.csr1000v.pnsc-shared-secret-key.1
com.cisco.csr1000v.privilege-password.1
com.cisco.csr1000v.remote-mgmt-ipv4-addr.1
com.cisco.csr1000v.resource-template.1
DeploymentOption
NetworkMapping.GigabitEthernet1
NetworkMapping.GigabitEthernet2
NetworkMapping.GigabitEthernet3

Deployment-Option?

PS C:\Program Files\PowerShell\7>

$ovfconfig.DeploymentOption

Key                : DeploymentOption
Value              :
DefaultValue       : 1CPU-4GB
OvfTypeDescription : string["1CPU-4GB", "2CPU-4GB", "4CPU-4GB", "4CPU-8GB"]
Description        : Small
                     Minimal hardware profile - 1 vCPU, 4 GB RAM

                     Medium
                     Medium hardware profile - 2 vCPUs, 4 GB RAM

                     Large
                     Large hardware profile - 4 vCPUs, 4 GB RAM

                     Large + DRAM Upgrade
                     Large hardware profile (requires purchase of DRAM upgrade SKU) - 4 vCPUs, 8 GB RAM

Using OVF-Tool

OVFTOOL.EXE, provided by VMware (Download OVFTOOL), can inspect existing OVA/OVF-Files, too.

T:\>"C:\Program Files\VMware\VMware OVF Tool\ovftool.exe" --verifyOnly csr1000v-universalk9.16.09.01.ova
OVF version:   1.0
VirtualApp:    false
Name:          Cisco CSR 1000V Cloud Services Router
Version:       16.09.01
Full Version:  Cisco IOS-XE Software, version 16.09.01
Vendor:        Cisco Systems, Inc.
Product URL:   http://www.cisco.com/en/US/products/ps12559/index.html
Vendor URL:    http://www.cisco.com

Download Size:  413.23 MB

Deployment Sizes:
  Flat disks:   8.40 GB
  Sparse disks: 692.60 MB

Networks:
  Name:        GigabitEthernet1
  Description: Data network 1

  Name:        GigabitEthernet2
  Description: Data network 2

  Name:        GigabitEthernet3
  Description: Data network 3

Virtual Machines:
  Name:               Cisco CSR 1000V Cloud Services Router
  Operating System:   other3xlinux64guest
  Virtual Hardware:
    Families:         vmx-10 vmx-11 vmx-13
    Number of CPUs:   1
    Cores per socket: 1
    Memory:           4.00 GB

    Disks:
      Index:          0
      Instance ID:    3001
      Capacity:       8.00 GB
      Disk Types:     SCSI-VirtualSCSI

    NICs:
      Adapter Type:   VMXNET3
      Connection:     GigabitEthernet1

      Adapter Type:   VMXNET3
      Connection:     GigabitEthernet2

      Adapter Type:   VMXNET3
      Connection:     GigabitEthernet3

Properties:
  ClassId:     com.cisco.csr1000v
  Key:         hostname
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Router Name
  Type:        string(..63)
  Description: Hostname of this router

  ClassId:     com.cisco.csr1000v
  Key:         login-username
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Login Username
  Type:        string(..64)
  Description: Username for remote login

  ClassId:     com.cisco.csr1000v
  Key:         login-password
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Login Password
  Type:        password(..25)
  Description: Password for remote login.
               WARNING: While this password will be stored securely within IOS,
               the plain-text password will be recoverable from the OVF
               descriptor file.

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-interface
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management Interface
  Type:        string
  Description: Management interface (such as "GigabitEthernet1" or
               "GigabitEthernet1.100")
  Value:       GigabitEthernet1

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-vlan
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management VLAN
  Type:        string(..5)
  Description: Management dot1Q VLAN (requires specifying a subinterface such
               as "GigabitEthernet1.100" for the Management Interface)

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-ipv4-addr
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management Interface IPv4 Address/Mask
  Type:        string(..33)
  Description: IPv4 address and mask for management interface (such as
               "192.0.2.100/24" or "192.0.2.100 255.255.255.0"), or "dhcp" to
               configure via DHCP

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-ipv4-gateway
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management IPv4 Gateway
  Type:        string(..16)
  Description: IPv4 gateway address (such as "192.0.2.1") for management
               interface, or "dhcp" to configure via DHCP

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-ipv4-network
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management IPv4 Network
  Type:        string(..33)
  Description: IPv4 Network (such as "192.168.2.0/24" or "192.168.2.0
               255.255.255.0") that the management gateway should route to.

  ClassId:     com.cisco.csr1000v
  Key:         pnsc-ipv4-addr
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       PNSC IPv4 Address
  Type:        string(..15)
  Description: IPv4 address without mask (such as "192.0.2.110") of PNSC
               service controller

  ClassId:     com.cisco.csr1000v
  Key:         pnsc-agent-local-port
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       PNSC Agent Local Port
  Type:        string(..5)
  Description: PNSC service agent SSL port (on local CSR) to receive policies
               from service manager.
               The port shall be in the range of [55001, 61000] if shared IP is
               used, i.e., Remote Management IPv4 Address is not configured.

  ClassId:     com.cisco.csr1000v
  Key:         pnsc-shared-secret-key
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       PNSC Shared Secret Key
  Type:        password(..64)
  Description: PNSC service controller shared secret key (8-64 characters) for
               PNSC agent to get SSL certificate from the controller.
               WARNING: While this password will be stored securely within IOS,
               the plain-text password will be recoverable from the OVF
               descriptor file.

  ClassId:     com.cisco.csr1000v
  Key:         remote-mgmt-ipv4-addr
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Remote Management IPv4 Address (optional, deprecated)
  Type:        string(..15)
  Description: Secondary IPv4 address without mask (such as "192.0.2.101") for
               access to remote management features (REST API, etc.). This
               should be in the same IP subnet as the Management Interface IPv4
               Address entered above.
               Warning: THIS IS A DEPRECATED OPTION IN THIS RELEASE.

  ClassId:     com.cisco.csr1000v
  Key:         enable-scp-server
  InstanceId   1
  Category:    2. Features
  Label:       Enable SCP Server
  Type:        boolean
  Description: Enable IOS SCP server feature
  Value:       False

  ClassId:     com.cisco.csr1000v
  Key:         enable-ssh-server
  InstanceId   1
  Category:    2. Features
  Label:       Enable SSH Login and Disable Telnet Login
  Type:        boolean
  Description: Enable remote login via SSH and disable remote login via telnet.
               Requires login-username and login-password to be set!
  Value:       False

  ClassId:     com.cisco.csr1000v
  Key:         privilege-password
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       Enable Password
  Type:        password(..25)
  Description: Password for privileged (enable) access.
               WARNING: While this password will be stored securely within IOS,
               the plain-text password will be recoverable from the OVF
               descriptor file.

  ClassId:     com.cisco.csr1000v
  Key:         domain-name
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       Domain Name
  Type:        string(..238)
  Description: Network domain name (such as "cisco.com")

  ClassId:     com.cisco.csr1000v
  Key:         license
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       License boot level
  Type:        string(..30)
  Description: Configure license boot level(such as ax, security, appx, ipbase,
               lite, vacs)
  Value:       ax

  ClassId:     com.cisco.csr1000v
  Key:         resource-template
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       Resource template
  Type:        string(..30)
  Description: Configure Resource template(service_plane_medium,
               service_plane_heavy or default)
  Value:       default

Deployment Options:
  Id:          1CPU-4GB  (default)
  Label:       Small
  Description: Minimal hardware profile - 1 vCPU, 4 GB RAM

  Id:          2CPU-4GB
  Label:       Medium
  Description: Medium hardware profile - 2 vCPUs, 4 GB RAM

  Id:          4CPU-4GB
  Label:       Large
  Description: Large hardware profile - 4 vCPUs, 4 GB RAM

  Id:          4CPU-8GB
  Label:       Large + DRAM Upgrade
  Description: Large hardware profile (requires purchase of DRAM upgrade SKU) -
               4 vCPUs, 8 GB RAM

References:
  File:  csr1000v_harddisk.vmdk
  File:  bdeo.sh
  File:  README-OVF.txt
  File:  README-BDEO.txt
  File:  cot.tgz
  File:  csr1000v-universalk9.16.09.01-vga.iso
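
The password-type properties above are the ones whose values, per the tool's own warning, stay recoverable from the OVF descriptor. As an added example (not from the original post), this PowerShell function lists them from a descriptor via the ovf:password attribute and reports whether a value is already stored in it; the XML is a constructed fragment and the function name is hypothetical.

```powershell
# Added example. $descriptor is a constructed OVF fragment, not the real
# CSR1000v descriptor; for a real file use: [xml](Get-Content .\file.ovf -Raw)
$descriptor = @'
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <VirtualSystem ovf:id="constructed-vm">
    <Info>Constructed sample</Info>
    <ProductSection ovf:class="com.cisco.csr1000v" ovf:instance="1">
      <Info>Constructed sample</Info>
      <Property ovf:key="hostname" ovf:type="string" ovf:userConfigurable="true"/>
      <Property ovf:key="login-password" ovf:type="string" ovf:password="true"
                ovf:userConfigurable="true" ovf:value="constructed-secret"/>
      <Property ovf:key="privilege-password" ovf:type="string" ovf:password="true"
                ovf:userConfigurable="true"/>
    </ProductSection>
  </VirtualSystem>
</Envelope>
'@

function Get-OvfPasswordProperty {
    param([Parameter(Mandatory)][xml]$Ovf)

    $uri = 'http://schemas.dmtf.org/ovf/envelope/1'
    $ns  = [System.Xml.XmlNamespaceManager]::new($Ovf.NameTable)
    $ns.AddNamespace('ovf', $uri)

    foreach ($section in $Ovf.SelectNodes('//ovf:ProductSection', $ns)) {
        $class    = $section.GetAttribute('class', $uri)
        $instance = $section.GetAttribute('instance', $uri)

        foreach ($property in $section.SelectNodes('ovf:Property', $ns)) {
            # ovf:password is an XML boolean, so "true" and "1" both mark a secret.
            if ($property.GetAttribute('password', $uri) -notin 'true', '1') { continue }

            $key = $property.GetAttribute('key', $uri)
            [pscustomobject]@{
                # Same "class.key.instance" form that Get-OvfConfiguration lists above
                Name              = (@($class, $key, $instance) | Where-Object { $_ }) -join '.'
                # True when the descriptor itself already carries a value in clear text
                ValueInDescriptor = $property.HasAttribute('value', $uri)
            }
        }
    }
}

Get-OvfPasswordProperty -Ovf $descriptor
```

The names it returns are the keys to fill from a secret store at deployment time rather than from literals in the provisioning script.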

OVF-Tool – Extra-Config?

Error: OVF Package is not supported by target:
 - Line -1: Unsupported value 'ethernet0.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'ethernet1.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'ethernet2.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'ethernet3.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.diskWiper.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.memSchedFakeSampleStats.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.diskShrink.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.vmxDnDVersionGet.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.unityActive.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.guestDnDVersionSet.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'snapshot.maxSnapshots' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'RemoteDisplay.maxConnections' for attribute 'key' on element 'ExtraConfig'.

The CLI-Switch „--allowExtraConfig“ enables the support for ExtraConfig-Key/Values:

T:\>"C:\Program Files\VMware\VMware OVF Tool\ovftool.exe" --verifyOnly --allowExtraConfig nsx-unified-appliance-3.1.3.5.0.19068437.ova
The provided certificate is in valid period
Source is signed and the certificate validates
Certificate information:
  CertIssuer:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
  CertSubject:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.


OVF version:   1.0
VirtualApp:    false
Name:          nsx-unified-appliance
Version:       3.1.3.5
Full Version:  3.1.3.5.0.19068437
Vendor:        VMware, Inc

Download Size:  8.37 GB

Deployment Sizes:
  Flat disks:   300.00 GB
  Sparse disks: 4.74 GB

Networks:
  Name:        Network 1
  Description: Network 1

Virtual Machines:
  Name:               nsx-unified-appliance
  Operating System:   ubuntu64guest
  Virtual Hardware:
    Families:         vmx-10 vmx-11 vmx-13
    Number of CPUs:   6
    Cores per socket: 1
    Memory:           24.00 GB

    Disks:
      Index:          0
      Instance ID:    5
      Capacity:       200.00 GB
      Disk Types:     SCSI-lsilogic

      Index:          1
      Instance ID:    6
      Capacity:       100.00 GB
      Disk Types:     SCSI-lsilogic

    NICs:
      Adapter Type:   VmxNet3
      Connection:     Network 1

Properties:
  Key:         nsx_passwd_0
  Category:    Application
  Label:       System Root User Password
  Type:        password(12..)
  Description: The password for root user for this VM.
               Please follow the password complexity rule as below:
                   - minimum of 12 characters in length
                   - >=1 uppercase character
                   - >=1 lowercase character
                   - >=1 numeric character
                   - >=1 special character
                   - >=5 unique characters
                   - default password complexity rules as enforced by the Linux
               PAM module
                   NOTE: Password strength validation will occur during VM
               boot.  If the password does not meet the above criteria then
               login as root user for the change password prompt to appear.


  Key:         nsx_cli_passwd_0
  Category:    Application
  Label:       CLI "admin" User Password
  Type:        password(12..)
  Description: The password for default CLI user for this VM.
               Please follow the password complexity rule as below:
                   - minimum of 12 characters in length
                   - >=1 uppercase character
                   - >=1 lowercase character
                   - >=1 numeric character
                   - >=1 special character
                   - >=5 unique characters
                   - default password complexity rules as enforced by the Linux
               PAM module
                   NOTE: Password strength validation will occur during VM
               boot.  If the password does not meet the above criteria then
               login as admin user for the change password prompt to appear.


  Key:         nsx_cli_audit_passwd_0
  Category:    Application
  Label:       CLI "audit" User Password
  Type:        password
  Description: The password for audit CLI user for this VM.
               Please follow the password complexity rule as below:
                   - minimum of 12 characters in length
                   - >=1 uppercase character
                   - >=1 lowercase character
                   - >=1 numeric character
                   - >=1 special character
                   - >=5 unique characters
                   - default password complexity rules as enforced by the Linux
               PAM module
                   NOTE: Password strength validation will occur during VM
               boot.  If the password does not meet the above criteria then
               login as admin user and use the NSX CLI command "set user audit"
               to change the audit user password.


  Key:         nsx_cli_username
  Category:    Application
  Label:       CLI "admin" username (default: admin)
  Type:        string
  Description: Username of administrator user.

  Key:         nsx_cli_audit_username
  Category:    Application
  Label:       CLI "audit" username (default: audit)
  Type:        string
  Description: Username of auditor user.

  Key:         extraPara
  Category:    Application
  Label:       Optional parameters
  Type:        password
  Description: For internal use only.


  Key:         nsx_hostname
  Category:    Network properties
  Label:       Hostname
  Type:        string(1..)
  Description: The hostname for this VM.
                   NOTE: Underscores in hostname are not allowed.  If hostname
               contains underscore, then the appliance gets deployed with
               'nsx-manager' as hostname.


  Key:         nsx_role
  Category:    Network properties
  Label:       Rolename
  Type:        string["NSX Manager","nsx-cloud-service-manager","NSX Global
               Manager"]
  Description: The role for this VM. Currently supports
               'nsx-cloud-service-manager', 'NSX Global Manager' OR 'NSX
               Manager' as rolename.

  Value:       NSX Manager

  Key:         nsx_ip_0
  Category:    Network properties
  Label:       Management Network IPv4 Address
  Type:        string(1..)
  Description: The IPv4 Address for the first interface.

  Key:         nsx_netmask_0
  Category:    Network properties
  Label:       Management Network Netmask
  Type:        string(1..)
  Description: The netmask for the first interface.

  Key:         nsx_gateway_0
  Category:    Network properties
  Label:       Default IPv4 Gateway
  Type:        string
  Description: The default gateway for this VM.

  Key:         nsx_dns1_0
  Category:    DNS
  Label:       DNS Server list
  Type:        string
  Description: The space separated DNS server list for this VM (valid only if
               an IPv4 address is specified for the first interface).
                   NOTE: At most three name servers can be configured (first 3
               name servers passed in list will be used and all other will be
               ignored)


  Key:         nsx_domain_0
  Category:    DNS
  Label:       Domain Search List
  Type:        string
  Description: The space separated domain search list for this VM (valid only
               if an IPv4 address is specified for the first interface).

  Key:         nsx_ntp_0
  Category:    Services Configuration
  Label:       NTP Server List
  Type:        string
  Description: The NTP server list(space separated) for this VM.

  Key:         nsx_isSSHEnabled
  Category:    Services Configuration
  Label:       Enable SSH
  Type:        boolean
  Description: Enabling SSH service is not recommended for security reasons.
  Value:       False

  Key:         nsx_allowSSHRootLogin
  Category:    Services Configuration
  Label:       Allow root SSH logins
  Type:        boolean
  Description: Allowing root SSH logins is not recommended for security
               reasons.
  Value:       False

  Key:         nsx_swIntegrityCheck
  Category:    Services Configuration
  Label:       Software Integrity Checker
  Type:        boolean
  Description: Software Integrity Checker is required only for NDcPP 2.2
  Value:       False

  Key:         mpIp
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager IP
  Type:        string
  Description: For internal use only. Do not set this parameter.


  Key:         mpToken
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager Token
  Type:        password
  Description: For internal use only. Do not set this parameter.


  Key:         mpThumbprint
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager Thumbprint
  Type:        string
  Description: For internal use only. Do not set this parameter.


  Key:         mpNodeId
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager Node ID
  Type:        string
  Description: For internal use only. Do not set this parameter.


  Key:         mpClusterId
  Category:    Internal Properties - Do not set these parameters.
  Label:       Cluster ID of First Manager Cluster
  Type:        string
  Description: For internal use only. Do not set this parameter.


Deployment Options:
  Id:          extra_small
  Label:       ExtraSmall
  Description:
               IMPORTANT: This configuration is only supported for the
               nsx-cloud-service-manager role.

               This configuration requires the following:
               * 2 vCPU
               * 8GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


  Id:          small
  Label:       Small
  Description:
               IMPORTANT: This configuration is supported for Global Manager
               Production deployment

               This configuration requires the following:
               * 4 vCPU
               * 16GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


  Id:          medium  (default)
  Label:       Medium
  Description:
               IMPORTANT: This configuration is supported for Local Manager
               Production deployment ('NSX Manager' role)
                          This is supported for Global Manager Production
               deployment (but not required)

               This configuration requires the following:
               * 6 vCPU
               * 24GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


  Id:          large
  Label:       Large
  Description:
               IMPORTANT: This configuration is supported for Local Manager
               Production deployment ('NSX Manager' role)
                          This is supported for Global Manager Production
               deployment (but not required)

               This configuration requires the following:
               * 12 vCPU
               * 48GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


References:
  File:  nsx-unified-appliance.vmdk
  File:  nsx-unified-appliance-secondary.vmdk


Azure – Pricing API

This is a really nice feature – the Azure Pricing REST-API:

https://docs.microsoft.com/en-us/rest/api/cost-management/retail-prices/azure-retail-prices

It pulls a structured JSON-Dataset for (not only) Virtual Machines out of the Azure-Webshop.

For example – the following filter:
https://prices.azure.com/api/retail/prices?$filter=serviceName eq 'Virtual Machines' and priceType eq 'Consumption' and endswith(armRegionName, 'europe') and (startswith(skuName, 'D') or startswith(skuName, 'E') or startswith(skuName, 'F') or startswith(skuName, 'M')) and endswith(skuName,' Spot')
displays the price for only

  • „VMs“

with specific properties:

  • no Reservation
  • in „.*europe“-Locations
  • with Types „D.*“ or „E.*“ or „F.*“ or „M.*“
  • Spot-Instances

But if you don’t want „Spot“ instances, you’d guess from https://docs.microsoft.com/en-us/azure/search/search-query-odata-logical-operators that the filter statement has to end with … and not endswith(skuName,' Spot'):

https://prices.azure.com/api/retail/prices?$filter=serviceName eq 'Virtual Machines' and priceType eq 'Consumption' and endswith(armRegionName, 'europe') and (startswith(skuName, 'D') or startswith(skuName, 'E') or startswith(skuName, 'F') or startswith(skuName, 'M')) and not endswith(skuName,' Spot')

But this breaks the call. The API returns:

{"Error":{"Code":"BadRequest","Message":"Invalid OData parameters supplied"}}
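
One way around the rejected filter, as an added example that is not part of the original post: build the $filter with plain ASCII single quotes, leave the Spot condition out of the request, and drop the „Spot“ SKUs on the client. The helper names and the sample pages are constructed for illustration; Items and NextPageLink are the fields of the API's JSON response.

```python
import json
from urllib.parse import quote
from urllib.request import urlopen

API = "https://prices.azure.com/api/retail/prices"

def odata_str(value):
    # OData string literal: ASCII single quotes, an embedded quote is doubled.
    return "'" + value.replace("'", "''") + "'"

def build_url(region_suffix, sku_prefixes, spot_only=False):
    prefixes = " or ".join(
        f"startswith(skuName, {odata_str(p)})" for p in sku_prefixes)
    flt = ("serviceName eq 'Virtual Machines' and priceType eq 'Consumption' "
           f"and endswith(armRegionName, {odata_str(region_suffix)}) "
           f"and ({prefixes})")
    if spot_only:
        flt += " and endswith(skuName, ' Spot')"
    # Percent-encode spaces; keep the characters OData needs readable.
    return API + "?$filter=" + quote(flt, safe="()',")

def http_get_json(url):
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)

def iter_items(url, fetch=http_get_json):
    # Results are paged: follow NextPageLink until it is empty.
    while url:
        page = fetch(url)
        yield from page.get("Items", [])
        url = page.get("NextPageLink")

def non_spot(items):
    # Client-side replacement for "not endswith(skuName, ' Spot')".
    return [i for i in items if not i["skuName"].endswith(" Spot")]

# Constructed sample pages (prices are made up) so the logic runs offline.
SAMPLE_PAGES = {
    "page1": {"Items": [
        {"skuName": "D2 v3", "armRegionName": "westeurope", "retailPrice": 0.10},
        {"skuName": "D2 v3 Spot", "armRegionName": "westeurope", "retailPrice": 0.02}],
        "NextPageLink": "page2"},
    "page2": {"Items": [
        {"skuName": "E4 v3 Spot", "armRegionName": "northeurope", "retailPrice": 0.05},
        {"skuName": "F2s v2", "armRegionName": "northeurope", "retailPrice": 0.09}],
        "NextPageLink": None},
}

if __name__ == "__main__":
    print(build_url("europe", ["D", "E", "F", "M"]))
    items = iter_items("page1", fetch=SAMPLE_PAGES.__getitem__)
    print([i["skuName"] for i in non_spot(items)])
```

Against the live API, call iter_items(build_url("europe", ["D", "E", "F", "M"])) without the fetch argument.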