ESXi Config Automation
Scenario
Virtual infrastructure administrators enforce security hardening rules in virtualized environments to reduce the risk exposure of the underlying infrastructure. Automating the ESXi baseline configuration establishes compliant IT services quickly and reduces the risk of configuration errors, giving efficient, consistent, and secure virtual environments. In this lab you will use Automation Config to automate ESXi security configuration settings.
Task A. Create Target - Salt Masters
- Click Targets in the side menu to open the Targets workspace and view your targets
- Click Create button
- Input the following details
  - Name = Salt Masters
  - Description = Salt Masters
  - All masters = (Checked)
  - Criteria
    - Target type (1) = Grain
    - Grain key (1) = id
    - Grain value (1) = saltmaster (the minion ID of the Salt Master in this lab)
- Click SAVE button
Task B. Create Pillar - vmware_config
- Click Configurations > Pillars from the side menu
- Click + CREATE button
- Input the following details for the new pillar
  - Pillar name = vmware_config
  - JSON Contents = (use the following JSON as a template and replace HOST_ADDR, USERNAME and PASSWORD with the address and credentials of the ESXi host; host can be an IP address or a hostname)
    {
      "vmware_config": {
        "host": "HOST_ADDR",
        "user": "USERNAME",
        "password": "PASSWORD"
      }
    }
- Click SAVE button
- Now that the ESXi credentials are saved, assign the pillar to the target that needs it
  - Click UPDATE TARGETS button
  - Select Salt Masters
  - Click SAVE button
- The Salt Masters target can now read this pillar data; the saltext.vmware functions used in the following tasks look up the connection details under the vmware_config key, so no host or credentials have to be passed on the command line
Pillars can store credentials, and Role-Based Access Control (RBAC) can restrict a pillar to permitted roles. If administrators must not be able to see the username and password in plaintext in the pillar, the values can additionally be GPG-encrypted; see the Salt documentation for salt.modules.gpg and salt.renderers.gpg.
Task C. Create Job - Install SDDC Modules
- Click Configurations > Jobs in the side menu
- Click Create Job button
- Input the following details for the new job and save the job
  - Name = Install SDDC Modules
  - Description = Install SDDC Modules
  - Command = salt
  - Targets = Salt Masters
  - Function = cmd.shell
  - Arguments =
    python3 -m pip install --upgrade pip && salt-call pip.install 'importlib_metadata==4.13.0' && salt-call pip.install saltext.vmware
  - Job Inputs = (Blank)
- Click SAVE button
- The job runs this shell command on the Salt Master's own minion: it upgrades pip, pins importlib_metadata, and installs the saltext.vmware extension (the SDDC modules) that provides the vmware_esxi functions used in the later tasks
Task D. Run Job - Install SDDC Modules
- Click Configurations > Jobs in the side menu
- Click the menu button beside Install SDDC Modules and select Run Now
- In the Run Job dialog box, keep the saved job settings and click RUN NOW button
- Click Activity > Completed in the side menu
- The job appears in the list once it is done; if it does not, refresh the page in your browser
- Confirm the job completed without error: Success should be 1 or higher and Failed should be 0
- If a later job reports that the vmware_esxi functions are not available, restart the salt-minion service on the Salt Master so that the newly installed extension is loaded
Task E. Create Job - Check ESXi Security Config
- Click Configurations > Jobs in the side menu
- Click Create Job button
- Input the following details for the new job and save the job
  - Name = Check ESXi Security Config
  - Description = Check ESXi Security Config
  - Command = salt
  - Targets = Salt Masters
  - Function = cmd.shell
  - Arguments =
    salt-call vmware_esxi.get_advanced_config config_name=Security
  - Job Inputs = (Blank)
- Click SAVE button
- The config_name argument filters the advanced options returned; with the value Security, the function returns only the Security.* settings of the host configured in the vmware_config pillar
Task F. Run Job - Check Current ESXi Security Config
- Click Configurations > Jobs in the side menu
- Click the menu button beside Check ESXi Security Config and select Run Now
- In the Run Job dialog box, keep the saved job settings and click RUN NOW button
- Click Activity > Completed in the side menu
- The job appears in the list once it is done; if it does not, refresh the page in your browser
- Confirm the job completed without error: Success should be 1 or higher and Failed should be 0
- Click the JID value of the completed job to show the job summary
- Click Raw tab to show the raw JSON results
- Locate return, scroll to the right and note the values of Security.PasswordMaxDays and Security.AccountUnlockTime. On an unmodified host these are the ESXi defaults: Security.PasswordMaxDays: 99999 and Security.AccountUnlockTime: 900

Task G. Baseline ESXi Security Config
- Click Configurations > File Server from the side menu
- Expand base folder in the file server folder tree
- Locate /POV/sddc-automation/esxi/esxi_security_settings.sls
- Click esxi_security_settings.sls and examine its SaltStack State File YAML:
  set_sec_config_max_days:
    module.run:
      - name: vmware_esxi.set_advanced_config
      - config_name: Security.PasswordMaxDays
      - config_value: 99998
  set_sec_config_unlock_time:
    module.run:
      - name: vmware_esxi.set_advanced_config
      - config_name: Security.AccountUnlockTime
      - config_value: 899
- Each state ID calls vmware_esxi.set_advanced_config through module.run, passing the setting name and the desired value. The values 99998 and 899 are demonstration values chosen one below the ESXi defaults so that the change is easy to verify; a production baseline would use the values from your own hardening standard
- Because module.run calls the function on every run rather than comparing against the current value first, the state reports a change each time it is applied; use the Check ESXi Security Config job to verify the resulting values
- Running this state file applies the baseline security settings to ESXi, but do NOT run it now. The next task creates a job to apply this baseline configuration
Task H. Create Job - Baseline ESXi Security Config
- Click Configurations > Jobs in the side menu
- Click Create Job button
- Input the following details for the new job and save the job
  - Name = Baseline ESXi Security Config
  - Description = Baseline ESXi Security Config
  - Command = salt
  - Targets = Salt Masters
  - Function = state.apply
  - Environments = base
  - States = POV.sddc-automation.esxi.esxi_security_settings
  - Arguments = (Blank)
  - Job Inputs = (Blank)
  - Pillar override = (Blank)
- Click SAVE button
Task I. Run Job - Baseline ESXi Security Config
- Click Configurations > Jobs in the side menu
- Click the menu button beside Baseline ESXi Security Config and select Run Now
- In the Run Job dialog box, keep the saved job settings and click RUN NOW button
- Click Activity > Completed in the side menu
- The job appears in the list once it is done; if it does not, refresh the page in your browser
- Confirm the job completed without error: Success should be 1 or higher and Failed should be 0
Task J. Run Job - Check Updated Security Config
- Click Configurations > Jobs in the side menu
- Click the menu button beside Check ESXi Security Config and select Run Now
- In the Run Job dialog box, keep the saved job settings and click RUN NOW button
- Click Activity > Completed in the side menu
- The job appears in the list once it is done; if it does not, refresh the page in your browser
- Confirm the job completed without error: Success should be 1 or higher and Failed should be 0
- Click the JID value of the completed job to show the job summary
- Click Raw tab to show the raw JSON results
- Locate return, scroll to the right and note the values of Security.PasswordMaxDays and Security.AccountUnlockTime to confirm that the new values have been applied, i.e. Security.PasswordMaxDays: 99998 and Security.AccountUnlockTime: 899
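Tasks F and J compare the job's raw JSON output against the expected values by eye. The following Python script automates that comparison for the baseline from Task G: it parses the JSON that the Check ESXi Security Config job returns, reports every Security.* setting that deviates from the baseline, and emits the salt-call command that would correct it. It is an added example written for this page, not code from the lab or from saltext.vmware, and it generalizes beyond the single-host lab to a return that lists several hosts. The return shape (a dict keyed by ESXi host name, wrapped under "local" when produced by salt-call --out=json), the host name esxi-01.lab.example and the sample values are assumptions constructed for the example.

```python
"""Drift check for ESXi advanced Security.* settings (added example, not from the lab)."""
import json

# Baseline values taken from the lab's esxi_security_settings.sls state file.
BASELINE = {
    "Security.PasswordMaxDays": 99998,
    "Security.AccountUnlockTime": 899,
}

# Constructed sample (assumption): salt-call --out=json output before the
# baseline job has run, showing the ESXi default values. Host name is fictitious.
SAMPLE_BEFORE = json.dumps({
    "local": {
        "esxi-01.lab.example": {
            "Security.AccountLockFailures": 5,
            "Security.AccountUnlockTime": 900,
            "Security.PasswordHistory": 0,
            "Security.PasswordMaxDays": 99999,
        }
    }
})

# Constructed sample (assumption): the same host after esxi_security_settings.sls
# was applied.
SAMPLE_AFTER = json.dumps({
    "local": {
        "esxi-01.lab.example": {
            "Security.AccountLockFailures": 5,
            "Security.AccountUnlockTime": 899,
            "Security.PasswordHistory": 0,
            "Security.PasswordMaxDays": 99998,
        }
    }
})


def parse_return(raw_json):
    """Return {host: {setting: value}} from either salt-call --out=json output
    (wrapped under the minion id "local") or the bare `return` dict shown in
    the job's Raw tab."""
    data = json.loads(raw_json)
    if isinstance(data, dict) and list(data) == ["local"]:
        data = data["local"]
    if not isinstance(data, dict):
        raise ValueError("unexpected return shape: expected a JSON object")
    return data


def find_drift(settings, baseline):
    """List (setting, current, expected) for every baseline key whose value on
    the host differs from the baseline or is absent. Values are compared as
    strings so that an option reported as "99998" matches the integer 99998."""
    drift = []
    for key, expected in baseline.items():
        current = settings.get(key)
        if current is None or str(current) != str(expected):
            drift.append((key, current, expected))
    return drift


def check_hosts(raw_json, baseline=None):
    """Return {host: drift list} for every host in the job return."""
    baseline = BASELINE if baseline is None else baseline
    return {host: find_drift(settings, baseline)
            for host, settings in parse_return(raw_json).items()}


def is_compliant(raw_json, baseline=None):
    """True when no host in the return has any drift."""
    return all(not drift for drift in check_hosts(raw_json, baseline).values())


def remediation_commands(drift):
    """One salt-call per drifted setting, using the same function the lab's
    state file calls (vmware_esxi.set_advanced_config)."""
    return [
        f"salt-call vmware_esxi.set_advanced_config config_name={key} config_value={expected}"
        for key, _current, expected in drift
    ]


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} baseline job ==")
        for host, drift in check_hosts(sample).items():
            if not drift:
                print(f"{host}: compliant")
            for key, current, expected in drift:
                print(f"{host}: {key} is {current!r}, expected {expected!r}")
            for cmd in remediation_commands(drift):
                print("  fix:", cmd)
```

To use it against a real run, paste the `return` object from the job's Raw tab (or the output of `salt-call --out=json vmware_esxi.get_advanced_config config_name=Security`) in place of the constructed samples; a host with an empty drift list is compliant with the baseline, and the printed salt-call lines are the minimal remediation for the others.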

Summary
Automation Config delivers consistent and compliant SDDC configuration through automation:
- Enhance virtualized environment security by automating hardening rules, particularly vSphere configuration
- Rapidly establish compliant IT services and reduce the risk of configuration errors through ESXi baseline automation
- This lab illustrated the approach with Security.PasswordMaxDays and Security.AccountUnlockTime; many other security settings can be automated the same way
- In addition to ESXi management, the SDDC modules support automation of vSphere clusters, data centers, networks, NSX-T Manager, policies, transport zones, and more