Creating a Custom VIB

<p>This paper shows how to use the vibauthor fling (http://labs.vmware.com/flings/vib-author) to create a VIB that adds a custom firewall rule to your vSphere hosts.</p>
<p>Install the vibauthor Tool</p>
<p>Download the vibauthor tool and instructions from http://labs.vmware.com/flings/vib-author. Use RPM to install:</p>
<p># rpm -ihv vmware-esx-vib-author-5.0.0-0.0.783903.i386.rpm
Preparing... ########################################### [100%]
1:vmware-esx-vib-author ########################################### [100%]</p>
<p>The vibauthor tool should run on pretty much any Linux distribution so long as the prerequisite packages are installed. I’m using CentOS 6.2. VMware recommends SLES 11 SP2. Note that there are a few package requirements, so be sure to check the accompanying documentation for the prerequisites.</p>
<p>Once installed you are ready to go, as there is no additional setup required. There are four basic steps to creating a custom VIB:</p>
<p>1) Create a payload directory
2) Add files to the payload directory
3) Create a VIB descriptor.xml file
4) Use vibauthor to create the VIB</p>
<p>Setup The Payload Directory</p>
<p>Create a staging directory where you will copy the files that will make up the payload of your VIB.</p>
<p># mkdir /stagedir</p>
<p>Inside this directory create a subdirectory called “payloads”:</p>
<p># cd /stagedir
# mkdir payloads</p>
<p>Inside the /stagedir/payloads directory create a directory with the name of the VIB. In this example I’m calling the VIB “MyRule”.</p>
<p># cd /stagedir/payloads
# mkdir MyRule</p>
<p>Inside the /stagedir/payloads/MyRule directory create a directory structure that reflects the full path where the files are to be installed on the vSphere host. 
As firewall rules are stored in /etc/vmware/firewall I will create this same directory structure underneath the /stagedir/payloads/MyRule folder:</p>
<p># cd /stagedir/payloads/MyRule
# mkdir -p etc/vmware/firewall</p>
<p>The final directory structure looks like this:</p>
<p># /stagedir/payloads/MyRule/etc/vmware/firewall</p>
<p>Create The Custom Firewall Rule Definition</p>
<p>In the “/stagedir/payloads/MyRule/etc/vmware/firewall” directory create an XML file for the custom firewall rule definition. Here I’m using a slightly modified example from the vSphere Security guide.</p>
<p>This example creates a firewall rule called “MyRule” that will allow inbound TCP connections to port 7777.</p>
<p># cd /stagedir/payloads/MyRule/etc/vmware/firewall
# vi MyRule.xml</p>
<p><ConfigRoot>
  <service id='0000'>
    <id>MyRule</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>7777</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot></p>
<p>Create the VIB Descriptor File</p>
<p>The next step is to create the VIB’s descriptor.xml file. The descriptor.xml file contains information about the payload (files included in the VIB) along with any dependencies, conflicts, or installation requirements. There is a sample descriptor file included with the vibauthor tool in the /opt/vmware/vibtools/sample directory that you can use as a template.</p>
<p>Tip: rather than create a new descriptor.xml from scratch you can extract the descriptor.xml from an existing VIB and edit it. 
To extract a VIB’s payload use the command: # vibauthor -e -v <vib> -o <output directory></p>
<p># cd /stagedir
# vi descriptor.xml</p>
<p><vib version="5.0">
  <name>MyRule</name>
  <version>5.0.0-1.0</version>
  <vendor>None</vendor>
  <summary>Custom VIB Definition</summary>
  <description>Adds a Custom Firewall Rule</description>
  <urls/>
  <relationships>
    <depends> </depends>
    <conflicts/>
    <replaces/>
    <provides/>
    <compatibleWith/>
  </relationships>
  <software-tags>
    <tag>driver</tag>
    <tag>module</tag>
  </software-tags>
  <system-requires>
    <maintenance-mode>false</maintenance-mode>
  </system-requires>
  <file-list>
    <file>/etc/vmware/firewall/</file>
  </file-list>
  <acceptance-level>community</acceptance-level>
  <live-install-allowed>true</live-install-allowed>
  <live-remove-allowed>true</live-remove-allowed>
  <cimom-restart>false</cimom-restart>
  <stateless-ready>true</stateless-ready>
  <overlay>false</overlay>
  <payloads>
    <payload name="MyRule" type="vgz"> </payload>
  </payloads>
</vib></p>
<p>Create the VIB</p>
<p>Finally, use the vibauthor tool to create the VIB. The options used to create the VIB are:</p>
<p>-C = compose
-t = staging directory
-v = name of the VIB
-O = name of the depot</p>
<p># cd /stagedir
# vibauthor -C -t /stagedir -v MyRule.vib -O MyRule.zip
Successfully created CustomVIB.vib.
Successfully created CustomVIB.zip.</p>
<p>The output of the above command will be two files:</p>
<p>MyRule.vib: This is the actual VIB. You can use this file to add the VIB to a running ESXi host using the “esxcli” command.</p>
<p>MyRule.zip: This file is a software depot that contains the VIB. 
You can use this file to add the VIB to a running ESXi host with the “esxcli” command, and you can also use it with the Image Builder CLI to add the VIB to an ESXi Image Profile.</p>
<p>Installing the VIB to a Running ESXi Host</p>
<p>To install the custom VIB to a running ESXi host follow these steps:</p>
<p>Copy the depot to the vSphere host:</p>
<p># scp MyRule.zip root@esx01.company.local:/tmp</p>
<p>Set the host’s Acceptance Level to CommunitySupported:</p>
<p># esxcli -s esx01.company.local software acceptance \
set --level=CommunitySupported</p>
<p>Install the VIB:</p>
<p># esxcli -s esx01.company.local software vib install \
-d /tmp/MyRule.zip -n MyRule</p>
<p>Adding the Custom VIB to an Image Profile</p>
<p>Use the ESXi Image Builder CLI to add the custom VIB to a custom image profile. Copy the MyRule.zip depot to a host where you have PowerCLI installed.</p>
<p>Start PowerCLI and connect to the vCenter Server:</p>
<p>PowerCLI C:\> Connect-VIServer <ip></p>
<p>Import the ESXi 5.0 software depot (from the ESXi 5.0 bundle):</p>
<p>PowerCLI C:\> Add-EsxSoftwareDepot C:\ESXi-Depot\VMware-ESXi5.0.0-469512-depot.zip</p>
<p>Import the MyRule.zip software depot:</p>
<p>PowerCLI C:\> Add-EsxSoftwareDepot C:\ESXi-Depot\MyRule.zip</p>
<p>Create a new image profile. In this example I am creating a new image profile by cloning one of the default image profiles included with the ESXi 5.0 offline depot. Note that because I’m adding a custom VIB I need to set the acceptance level to “CommunitySupported”.</p>
<p>PowerCLI C:\> New-EsxImageProfile -CloneProfile ESXi-5.0.0-469512-standard -Name MyCustomProfile -Vendor Custom -AcceptanceLevel CommunitySupported</p>
<p>Add the custom VIB:</p>
<p>PowerCLI C:\> Add-EsxSoftwarePackage -ImageProfile MyCustomProfile -SoftwarePackage MyRule</p>
<p>At this point the image profile is complete. You can now export the image as an offline depot (.zip) or as a bootable ISO (.iso). 
</p>
<p>.ZIP
PowerCLI C:\> Export-EsxImageProfile -ImageProfile MyCustomProfile -ExportToBundle -FilePath C:\ESXi-Depot\CustomImage.zip</p>
<p>.ISO
PowerCLI C:\> Export-EsxImageProfile -ImageProfile MyCustomProfile -ExportToISO -FilePath C:\ESXi-Depot\CustomImage.iso</p>
<p>You can now use the custom image profile to install your ESXi hosts. When the host is installed the “/etc/vmware/firewall/MyRule.xml” file will be installed on the host.</p>
<p>Verify the Custom Rule “MyRule”</p>
<p>You can verify the custom firewall rule has been added to a host using the esxcli command:</p>
<p># esxcli -s esx01.company.local software vib list</p>
<p>In addition you can view the custom rule in vCenter by selecting the host and choosing “Configuration -> Security Profile” and in the Firewall section verify the custom firewall rule named “MyRule” exists.</p>
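<p>A review step to run on the rule file before it is packaged with vibauthor, added here as an example and not part of the original paper or the vibauthor tool: it parses a rule definition shaped like MyRule.xml, rejects malformed fields, and reports every inbound rule that ships enabled. The function name review_rule_xml, the accepted value sets and the restriction to single-port rules are assumptions drawn from the sample rule above.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample: the MyRule.xml definition from the walkthrough.
RULE_XML = """<ConfigRoot>
  <service id='0000'>
    <id>MyRule</id>
    <rule id='0000'>
      <direction>inbound</direction> <protocol>tcp</protocol>
      <porttype>dst</porttype> <port>7777</port>
    </rule>
    <enabled>true</enabled> <required>false</required>
  </service>
</ConfigRoot>"""

# Assumption: value sets inferred from the sample rule, not a full schema.
ALLOWED = {"direction": {"inbound", "outbound"},
           "protocol": {"tcp", "udp"},
           "porttype": {"src", "dst"}}

def review_rule_xml(text):
    """Return (rules, findings) for one firewall rule definition file."""
    rules, findings = [], []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return rules, [f"not well-formed XML: {exc}"]
    for svc in root.iter("service"):
        name = (svc.findtext("id") or "").strip()
        if not name:
            findings.append("service has no <id>")
        enabled = (svc.findtext("enabled") or "").strip() == "true"
        for rule in svc.iter("rule"):
            rec = {"service": name, "enabled": enabled}
            for field, allowed in ALLOWED.items():
                rec[field] = (rule.findtext(field) or "").strip()
                if rec[field] not in allowed:
                    findings.append(f"{name}: bad <{field}> {rec[field]!r}")
            # Only the single-port form used on this page is handled.
            port = (rule.findtext("port") or "").strip()
            if port.isdecimal() and 1 <= int(port) <= 65535:
                rec["port"] = int(port)
            else:
                findings.append(f"{name}: bad <port> {port!r}")
            # Surface what the VIB exposes so a reviewer signs off on it.
            if enabled and rec["direction"] == "inbound":
                findings.append(
                    f"{name}: inbound {rec['protocol']}/{port} is enabled by default")
            rules.append(rec)
    return rules, findings
```

<p>Run it on /stagedir/payloads/MyRule/etc/vmware/firewall/MyRule.xml before the vibauthor -C step; an empty findings list means the file parsed cleanly and opens nothing inbound by default.</p>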
