Tag: Home Folder

Upgrade VCF to 9.0.1: Setting Up an Offline Depot on Ubuntu

Upgrade VMware VCF 9.0.1: Essential Setting Up an Offline Depot on Ubuntu Instructions

If you are planning to upgrade to latest release of VMware Cloud Foundation (VCF) 9.0.1 and you what to install/upgrade you need to have a offline depot.

I had some struggle with the VCF Fleet upgrades. I thought the VCF installer Offline Depot was sufficient. I seems not.

William Liam did a nice explaining about the options: VCF Software Depot Structure Deep Dive for Install & Upgrade. Which confirms my struggle.

Sow I build my own offline depot

Prerequisites

First, download the required bundle files from the Broadcom VMware portal. This includes:

  • vcf-9.0.1.0-offline-depot-metadata.zip (mandatory)
  • vcf-download-tool-9.0.1.0.24962179.tar.gz (mandatory)

On the Depot Server (Ubuntu)

Sizing for the disk is minimal 100GB I used 200GB thin Provisiond

I did a Ubuntu install on a 200GB disk (Partition without lvm)

Login

Login with the user account that you create

Sudo passwd root

Vim /etc/ssh/sshd_config

 if the following line exists, possibly commented out (with a # in front):

PermitRootLogin

Then change it to the following, uncommenting if needed (remove the # in front):

PermitRootLogin yes

sudo service ssh restart

now you can login als root

Install Apache and tools

Sudo update

sudo apt install apache2 openssl apache2-utils unzip

Create a certificate config file

nano ~/vcf-openssl.cnf

Paste the following:

[ req ]

default_bits = 2048

prompt = no

default_md = sha256

distinguished_name = dn

x509_extensions = v3_req

[ dn ]

C = US

ST = CA

L = LA

O = TS

OU = IT

CN = flt-depot.wardhomelab.nl

emailAddress = a@b.c

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[ alt_names ]

DNS.1 = flt-depot.wardhomelab.nl

IP.1 = 192.168.150.246

Replace the values with your organization’s details.

Generate the certificate

cd /etc/apache2
sudo mkdir ssl

sudo openssl req -x509 -nodes -days 365 \

-newkey rsa:2048 \

-keyout /etc/apache2/ssl/vcf.key \

-out /etc/apache2/ssl/vcf.crt \

-config ~/vcf-openssl.cnf

Create a basic auth user

Sudo htpasswd -c /etc/apache2/.htpasswd vcfadmin

Configure Apache

sudo nano /etc/apache2/sites-available/default-ssl.conf

Paste the following:

<VirtualHost *:443>

ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

SSLEngine on

SSLCertificateFile /etc/apache2/ssl/vcf.crt

SSLCertificateKeyFile /etc/apache2/ssl/vcf.key

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

RequestHeader unset Proxy early

<Directory /var/www/html>

Options Indexes FollowSymLinks

AllowOverride None

AuthType Basic

AuthName “VCF Depot”

AuthUserFile /etc/apache2/.htpasswd

Require valid-user

</Directory>

</VirtualHost>

Enable modules and restart Apache

sudo a2enmod ssl headers

sudo a2ensite default-ssl

sudo systemctl restart apache2

Extract the metadata ZIP

Sudo chmod 777 /home

Upload vcf-9.0.1.0-offline-depot-metadata.zip /home/ with Winscp

Sudo unzip vcf-9.0.1.0-offline-depot-metadata.zip -d /var/www/html

Make sure this file exists:

ls /var/www/html/PROD/metadata/productVersionCatalog/v1/productVersionCatalog.json

Remove Index.html

sudo rm -f /var/www/html/index.html

Create your Download token

Create your Download token in de Broadcom portal

Create a token file in /home folder

Upload the VCF download tool

Sudo mkdir /home/vcf-download-tool

Sudo chmod 777 /home/vcf-download-tool


cd /tmp/vcf-download-tool

Upload the tool in /tmp/vcf-download-tool folder

tar -xf vcf-download-tool-9.0.1.0.24962179.tar.gz

sudo reboot

Run the following

Cd /tmp/vcf-download-tool/bin

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –automated-install –type=INSTALL

Download all the appliances

sudo ./vcf-download-tool binaries list –depot-download-token-file=/home/token –vcf-version=9.0.1 –type=INSTALL –sku=VCF


Upgrade

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component SDDC_MANAGER_VCF

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VCENTER

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VRSLCM

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VROPS

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component NSX_T_MANAGER

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VCF_OPS_CLOUD_PROXY

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VRA

Additional

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VRNI

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VRLI

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component HCX

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VRO

sudo ./vcf-download-tool binaries download –depot-download-token-file=/home/token -d /var/www/html –vcf-version=9.0.1 –type UPGRADE –component VIDB

Afbeelding met tekst, schermopname, Lettertype, softwareDoor AI gegenereerde inhoud is mogelijk onjuist.

Upgrade Binaries will be visible

Afbeelding met tekst, schermopname, nummer, LettertypeDoor AI gegenereerde inhoud is mogelijk onjuist.

On de SDDC manager

Open de VM console

Login with the root user

Vim /etc/ssh/sshd_config

 if the following line exists, possibly commented out (with a # in front):

PermitRootLogin

Then change it to the following, uncommenting if needed (remove the # in front):

PermitRootLogin yes

systemctl restart sshd

Copy vcf.crt

scp root@ftt-depot.wardhomelab.nl:/etc/apache2/ssl/vcf.crt /tmp/vcf.crt

Import the certificate into the Java truststore

sudo keytool -import -trustcacerts -alias vcfDepotCert1 \

-file /tmp/vcf.crt \

-keystore /usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts \

-storepass changeit

Reboot

Now u should connect VCF to you offline depot

Afbeelding met tekst, schermopname, software, nummerDoor AI gegenereerde inhoud is mogelijk onjuist.

Afbeelding met tekst, schermopname, nummer, LettertypeDoor AI gegenereerde inhoud is mogelijk onjuist.

You want you upgrade to 9.0.1 ivm Edge Issue

Special thanks to vmtechnics for putting me in the right direction

Fixing User Home Folder rights with Powershell

When i visit a lot of company’s i see many times that the home folder directory have not the right rights. To fix this that’s al lot of work. Sow it time to write about it. I wrote a nice powershell script to fix it and save me and you a lot of time.

Three steps :

1.  Set Share Permissions for the Everyone group to Full Control.

2.  Use the following settings for NTFS Permissions (http://support.microsoft.com/kb/274443):

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
  • System – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone – Read Attributes (Apply onto: This Folder Only)
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only)

Pay attention when configuring the home directory or folder redirection policies.  If you enable the setting to give the user exclusive access to the folder, you will override the inherited permissions and need to reset the ACL Winking smile

3. Run the Following script Repair-HomeFolderPermissions.ps1

________________________________________________________________________

#########################################################################
# Script: Repair-HomeFolderPermissions.ps1
# Author: Ward Vissers    http://www.wardvissers.nl
# Date: 20/11/2014
# Keywords:
# Comments:
# Pre-Requisites: Full Control over destination folder.
#
# +————+—–+———————————————————+
# |       Date | Usr | Description                                             |
# +————+—–+———————————————————+
# | 20/11/2014 | WV  | Initial Script                                          |
# |            |     |                                                         |
# +————+—–+———————————————————+
#
#   1. http://support.microsoft.com/kb/274443
#
#   2. Set Share Permissions for the Everyone group to Full Control.
#  
#   3.  Use the following settings for NTFS Permissions:
#
#   CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
#   System – Full Control (Apply onto: This Folder, Subfolders and Files)
#   Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
#   Everyone – Create Folder/Append Data (Apply onto: This Folder Only)
#   Everyone – List Folder/Read Data (Apply onto: This Folder Only)
#   Everyone – Read Attributes (Apply onto: This Folder Only)
#   Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only)
#
#
# DISCLAIMER
# ==========
# THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
# RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
#############################################################################

$dirpath = “D:\Data\user”

# get list of all child directories, in the current directory
$directories = dir $dirpath | where {$_.PsIsContainer}

# iterate over the directories
foreach ($dir in $directories)
{
# echo out what the full directory is that we’re working on now
write-host Working on $dir.fullname using $dir.name

# setup the inheritance and propagation as we want it
$inheritance = [system.security.accesscontrol.InheritanceFlags]“ContainerInherit, ObjectInherit”
$propagation = [system.security.accesscontrol.PropagationFlags]“None”
$allowdeny=[System.Security.AccessControl.AccessControlType]::Allow

# get the existing ACLs for the directory
$acl = get-acl $dir.fullname

# add our user (with the same name as the directory) to have modify perms
$aclrule = new-object System.Security.AccessControl.FileSystemAccessRule($dir.name, “FullControl”, $inheritance, $propagation, “$allowdeny”)

# check if given user is Valid
$sid = $aclrule.IdentityReference.Translate([System.Security.Principal.securityidentifier])

# add the ACL to the ACL rules
$acl.AddAccessRule($aclrule)

# set the acls
set-acl -aclobject $acl -path $dir.fullname
}

__________________________________________________________________________

Translate »