[Update] ESXi5 Community Packaging Tools 2.1

I just published updated versions of my ESXi5 Community Packaging Tools. What's new:
  • The TGZ2VIB5 tool now allows you to build the VIB payload file from a directory structure (rather than from a pre-packaged tgz file)
  • You can now change the Acceptance Level of the VIB package
It is important to understand the implications of changing the Acceptance Level of a VIB package. In the past TGZ2VIB5 would always build packages with an Acceptance Level of CommunitySupported. Such packages do not need to have a trusted electronic signature, but they can only modify a limited set of system directories. This information is taken from a technical note about the VMware VIB Author tool, which lists the following directories as modifiable by a CommunitySupported package:
  • etc/vmware/shutdown/shutdown/
  • etc/vmware/pciid/
  • etc/vmware/vm-support/
  • etc/vmware/firewall/
  • etc/vmware/service/
  • etc/cim/openwsman/
  • opt/
  • usr/lib/cim/
  • usr/lib/pycim/
  • usr/lib/hostprofiles/plugins/
  • usr/lib/vmware/
  • usr/lib/vmware-debug/
  • var/lib/sfcb/registration/
  • etc/vmware/driver.map.d
  • usr/share/hwdata/driver.pciids.d
(Note: you can create files and also sub-directory trees in these allowed directories)

This is enough to create packages with hardware device drivers and firewall rules. However, if you want to modify files in directories that are not listed above (e.g. to put an executable binary in /sbin), then you cannot do this with a CommunitySupported VIB package. You need to change the Acceptance Level to accepted (VMwareAccepted), and then you can modify any system directory.

VIB files with an Acceptance Level other than CommunitySupported are supposed to carry a valid electronic signature, but they can still be installed in one of the following ways:
  • With esxcli software vib install commands:
    • use the option --no-sig-check to skip the signature check
  • When using PowerCLI ImageBuilder:
    • use the -force option with the Add-ESXSoftwarePackage cmdlet to add such a package to an Image Profile
    • use the -NoSignatureCheck option when exporting the Image Profile into an Offline Bundle or ISO image with the Export-ESXImageProfile cmdlet
    • My ESXi-Customizer-PS script will use both these options if you call it with the -nsc switch
Unfortunately you will not be able to install such an Offline Bundle through Update Manager (you will be able to import the bundle, but remediation/installation will fail with an error message).
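Before installing a package with --no-sig-check or -force, it is worth checking what a VIB actually declares and where its payload writes. The following audit helper is an added example and not part of the ESXi5 Community Packaging Tools or the VIB Author Fling: it reads the acceptance level from descriptor.xml, compares the payload's file paths against the CommunitySupported directory list given above (resolving any ".." so a path is judged by where it really lands), and flags a raised acceptance level as one that should come with a real signature. The descriptor and payload tgz used here are constructed sample data; the descriptor element name and the "community"/"accepted" values are assumed to match what the VIB Author tool writes.

```python
# Added audit helper, not part of the ESXi5 Community Packaging Tools: reads the acceptance
# level from a VIB's descriptor.xml and lists payload files that fall outside the directories
# the post allows for CommunitySupported packages. All sample data below is constructed.
import io
import posixpath
import tarfile
import xml.etree.ElementTree as ET

# Allowed directories from the post (trailing slash added to the last two so every entry
# matches as a directory prefix); files and sub-directory trees underneath are allowed.
COMMUNITY_DIRS = (
    "etc/vmware/shutdown/shutdown/", "etc/vmware/pciid/", "etc/vmware/vm-support/",
    "etc/vmware/firewall/", "etc/vmware/service/", "etc/cim/openwsman/", "opt/",
    "usr/lib/cim/", "usr/lib/pycim/", "usr/lib/hostprofiles/plugins/",
    "usr/lib/vmware/", "usr/lib/vmware-debug/", "var/lib/sfcb/registration/",
    "etc/vmware/driver.map.d/", "usr/share/hwdata/driver.pciids.d/",
)

def normalize(path):
    """Anchor at / and resolve './' and '..' so an entry is judged by where it really
    lands: etc/vmware/firewall/../../../sbin/x is really sbin/x."""
    return posixpath.normpath("/" + path).lstrip("/")

def outside_community_dirs(paths):
    """Return the paths (as given) that lie outside every allowed directory."""
    return [p for p in paths
            if not any(normalize(p).startswith(d) for d in COMMUNITY_DIRS)]

def audit_vib(descriptor_xml, payload_tgz):
    """A level other than 'community' is what lets a package write anywhere, so such a
    VIB should carry a valid signature rather than be installed with --no-sig-check."""
    level = ET.fromstring(descriptor_xml).findtext("acceptance-level", "").strip()
    with tarfile.open(fileobj=io.BytesIO(payload_tgz), mode="r:gz") as tar:
        files = [m.name for m in tar.getmembers() if not m.isdir()]  # dir entries are harmless
    return {"level": level, "violations": outside_community_dirs(files),
            "needs_signature": level != "community"}

def build_sample_payload(paths):
    """Construct an in-memory payload tgz of empty entries (a directory when the path ends
    with '/'), standing in for the tgz that TGZ2VIB5 wraps into the VIB."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            info = tarfile.TarInfo(p)
            if p.endswith("/"):
                info.type = tarfile.DIRTYPE
            tar.addfile(info, None if info.isdir() else io.BytesIO(b""))
    return buf.getvalue()

SAMPLE_DESCRIPTOR = """<vib version="5.0"><type>bootbank</type><name>example-tool</name>
<version>1.0.0-1</version><acceptance-level>community</acceptance-level></vib>"""
```

To audit a real VIB, extract descriptor.xml and the payload tgz from the package first and pass their contents to audit_vib; a non-empty violations list for a "community" package means the install would fail on a stock host, and a raised level with an empty sig.pkcs7 is exactly the case the warning below is about.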

An important note and disclaimer to end with: Using my ESXi5 Community Packaging Tools or the VMware VIB Author Fling, literally everyone is able to build unsigned software packages that can make arbitrary changes to your ESXi hosts if you install them in one of the ways explained above. So this could also be used by malicious attackers to compromise your systems!
Please do this only with software packages from sources that you fully trust and on systems that are not used in critical production environments!

3 comments:

  1. Hi Andreas
    Thank you for valuable information regarding VIB creation.
    Do you know where I can find the exact descriptions of the acceptance levels and what different operations are allowed at what level.
    Do you know how you actually get a VIB signed by VMware?
    Thanks in advance!
    -Richard

    Replies
    1. Hi Richard,
      the acceptance levels only differentiate in the set of allowed directories. For that I only have the technical notes to the VIB Author tool that I referenced in the post.
      For getting a VIB signed you probably need to be a technology partner. See http://www.v-front.de/2013/04/how-to-build-device-drivers-for-esxi-5x.html for further information.

      - Andreas

    2. Andreas,
      thank you for a quick reply. I am a Technology Alliance Partner but can't seem to find any information on the TAP-pages either.
      Seems like I have to dig deeper...

      -Richard

