30 Mar 2015

vRealize Automation 6.2 - Specifying a New Root Password Using Custom Properties

VMware vRealize Automation makes it easy for us to provide our end users with the ability to request and manage their own virtual machines using a “self-service” portal. With very little configuration required, we can add vSphere virtual machine templates to a vRA service catalog for users to consume. vRA can then handle the request management for new virtual machines and when approved by the appropriate approvers, even provision the new VMs by cloning the template.

Out of the box, vRA is capable of calling the vSphere Guest Customization Specification to customize the OS. This takes care of SIDs, network settings, host names, etc. If we need to take this customization a little further, we can use the vRA guest agent and custom properties.

In this post, I’m going to demonstrate how to use custom properties with the guest agent to give the user the option of specifying an initial (note the word “initial”) root password when requesting a new Linux VM, based on CentOS 6.6, from the service catalog. When the user requests a new VM from the service catalog, a mandatory field named “InitialRootPassword” is displayed on the request form. The requester (user) must enter a value into this field before the request can be submitted, and it is that value that the root password will be set to once the VM is provisioned.

However, the root password is passed to the guest agent in plain text: it arrives as a command-line argument to the script (so it is briefly visible in the process list while the script runs) and it is also written to the GuestAgent.log file in clear text. For that reason the script also expires the password, so when the user logs into the new VM for the first time as the root user, they are prompted for a new root password. Expiring the password limits the exposure, but it does not remove the original value from GuestAgent.log; that file still needs to be cleaned up or protected separately.

This is not ground breaking or overly complex, but it will provide an overview of the process required to carry out further guest customization when provisioning with vRA, using the vRA guest agent.

<Note> Setting up the template in vRA and getting the vRA guest agent installed and talking correctly to the vRA IaaS server is outside the scope of this post. </Note>

In order to set the root password on the newly provisioned VM, we need to execute a shell script inside the VM during the customization phase of the deployment. The execution of the script is triggered by the vRA guest agent, based on the custom properties that were provided in the blueprint / build profile. In this post, all custom properties are specified in a build profile that gets included in the blueprint.

The Password Reset Script

Inside the template VM, we need to create a new script that will be executed by the vRA guest agent when the VM is provisioned. I have created a new directory under /usr/share/gugent/ called scripts where I place all my custom scripts, and I’ve placed a new script in this directory called newrootpasswd.sh (it needs to be executable, e.g. chmod 755):

Contents of /usr/share/gugent/scripts/newrootpasswd.sh

#!/bin/sh

# The following line sets the root account password to the
# InitialRootPassword custom property in the vRealize Automation blueprint.
# The value is the first argument ($1). It is written with printf and quoted,
# so spaces, backslashes and shell metacharacters in the password are passed
# through to passwd unchanged.

printf '%s\n' "$1" | passwd --stdin root

# Comment out the following (passwd -e) line if you would not like to force
# the root account to change its password on next login.

passwd -e root

The script is very simple. The first line (#!/bin/sh) indicates that this is an executable script to be run by /bin/sh, which on CentOS 6 is bash running in POSIX mode.

The line printf '%s\n' "$1" | passwd --stdin root is the command that sets the new password for the root user account to the value passed in by the InitialRootPassword property. $1 represents the first parameter passed to the script, which is the value of {InitialRootPassword} as described in the build profile, which we will look at later on in this post.

printf writes the contents of $1 followed by a newline to standard output, and the pipe (|) feeds that to the passwd command, which is used in Linux to change the password for a user account. The --stdin option (supported by the passwd shipped with Red Hat and CentOS, but not by every distribution) tells passwd to read the new password from standard input instead of prompting for it. The final part of the command is the name of the account we are changing the password for, in this case root. Do not be tempted by the shorter echo -e $1: without the quotes $1 is word-split on spaces and glob-expanded, and -e turns sequences such as \t or \n into control characters, so root can end up with a different password from the one the requester typed.

The next line (passwd -e root) simply expires the password for the root account, which forces whoever logs in as root next to set a new password before they get a shell.

Once the script is in place, we simply shut down the template VM and mark it as a template again in vCenter.
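For readers who want the script to fail closed rather than silently set a mangled or empty password, the following is an added, hardened variant. It is example code written for this page, not the script from the original post and not part of the vRA guest agent. It assumes the same calling convention as above (the guest agent runs it as root with the requester's InitialRootPassword as the first argument) and the RHEL/CentOS passwd that supports --stdin and -e; the minimum length is a hypothetical policy value.

```shell
#!/bin/sh
# Added example, not the post's script: a hardened newrootpasswd.sh.
# Assumptions (same as the post): the vRA guest agent runs this as root with the
# requester's InitialRootPassword as the first argument, and passwd is the
# RHEL/CentOS shadow-utils build that supports --stdin and -e.

MIN_LEN=8   # hypothetical minimum length for the initial password

# A literal newline, built portably (command substitution strips trailing
# newlines, hence the trailing dot that is then removed).
NL=$(printf '\n.')
NL=${NL%.}

# check_initial_password VALUE
# Returns 0 when VALUE can safely be handed to "passwd --stdin", 1 otherwise.
# passwd --stdin reads a single line, so a value containing a newline would be
# truncated silently and root would end up with a different password than the
# one the requester typed.
check_initial_password() {
    pw=$1
    if [ -z "$pw" ]; then
        echo "newrootpasswd: empty initial password" >&2
        return 1
    fi
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "newrootpasswd: initial password shorter than $MIN_LEN characters" >&2
        return 1
    fi
    case $pw in
        *"$NL"*)
            echo "newrootpasswd: initial password contains a newline" >&2
            return 1
            ;;
    esac
    return 0
}

# emit_password VALUE
# Writes VALUE plus exactly one newline, byte for byte. Unlike "echo -e $1",
# it does not interpret backslash escapes (\t, \n), does not word-split on
# spaces and does not glob-expand characters such as '*' or '?'.
emit_password() {
    printf '%s\n' "$1"
}

# set_root_password VALUE
# Sets root's password from VALUE and expires it so the requester must choose
# a new one at first login. The value is never echoed to stdout or stderr, so
# this script adds nothing to what the agent itself already logs.
set_root_password() {
    check_initial_password "$1" || return 1
    emit_password "$1" | passwd --stdin root >/dev/null || return 1
    passwd -e root >/dev/null
}

# Only act when the agent supplies the argument; running the file without one
# (for instance to exercise the functions above) changes nothing on the host.
if [ "$#" -ge 1 ]; then
    set_root_password "$1" || exit 1
fi
```

Because the guest agent records the script's exit status, returning 1 from the validation step makes a bad request visible in vRA instead of leaving root with an unknown password. Drop the script in at the same path as before and the build profile below needs no change.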

Creating a build profile in vRealize Automation

We need to create a new build profile that contains at least the following properties:

Property Name                           Value                                                               Encrypted   Prompt User
InitialRootPassword                     (left empty; the requester supplies it)                             No          Yes
VirtualMachine.Admin.UseGuestAgent      true                                                                No          No
VirtualMachine.Customize.WaitComplete   true                                                                No          No
VirtualMachine.Software0.Name           Generate new root password                                          No          No
VirtualMachine.Software0.ScriptPath     /usr/share/gugent/scripts/newrootpasswd.sh {InitialRootPassword}    No          No
VMware.VirtualCenter.OperatingSystem    rhel6_64Guest                                                       No          No

The InitialRootPassword property is the only property that will prompt the user for a value. It must be left unencrypted: the guest agent cannot decrypt an encrypted property, so the script would receive the encrypted blob instead of the password (this is also why the value shows up in clear text in the guest agent log). The VirtualMachine.Software0.Name property is simply a name that we provide for the Software0 command that is specified by VirtualMachine.Software0.ScriptPath.

Looking further into the VirtualMachine.Software0.ScriptPath property, notice that the value points to the location of the script that we would like to execute inside the guest OS. More importantly, notice the {InitialRootPassword} that follows the script location. This passes the value of the InitialRootPassword custom property, as provided by the requester, to the script as its first parameter. Looking back at the contents of the script, this is what $1 refers to.

It is now simply a case of attaching the build profile to the blueprint and requesting a new VM from the catalog to test the configuration.

When requesting a new VM from the service catalog using the blueprint, we can now specify an initial root password:

Once provisioned, we can log into the new VM using the specified password. We are then prompted to enter a new password.



Also, when looking at the guest agent log file (located at /usr/share/gugent/GuestAgent.log), we can see which properties were passed through, including the requester’s initial root password in clear text on the last line:

2015-03-30 15:48:12 Application: [Debug] Uninitializing subsystem: Logging Subsystem
2015-03-30 15:48:53 Application.MachineQuery: [Information] uuid = 422d3915-7455-c298-8ccc-2a7d871a2827
2015-03-30 15:48:53 Application: [Debug] Using the network enabled proxy ...
2015-03-30 15:48:53 Application: [Debug] The vCAC endpoint is https://vcaciaas.spiesr.com:443/VMPS2.
2015-03-30 15:48:53 Application: [Debug] The AXIS2C directory is axis2/.
2015-03-30 15:48:54 Application: [Debug] Requesting work for agent ID 15392d42-5574-98c2-8ccc-2a7d871a2827.
2015-03-30 15:48:54 Application: [Debug] Fetching a work item ...
2015-03-30 15:48:54 Application: [Debug] Fetched work item id=b4e70bc8-49a4-48d9-99c8-41265946917a
2015-03-30 15:48:54 Application: [Information] WorkItem: task=CustomizeOS, id=b4e70bc8-49a4-48d9-99c8-41265946917a
2015-03-30 15:48:54 Application: [Information] api.request.id -> 6fe2362a-e288-4e9c-9fb7-c5e00e5a1f0a
2015-03-30 15:48:54 Application: [Information] blueprintid -> 7e5361a1-6439-4bbd-9052-456eff294074
2015-03-30 15:48:54 Application: [Information] clonefrom -> Template_Centos65
2015-03-30 15:48:54 Application: [Information] clonefromid -> ef9ab79b-6976-42a8-bd81-afdda6d754e0
2015-03-30 15:48:54 Application: [Information] clonespec -> vCAC Linux - CentOS 6
2015-03-30 15:48:54 Application: [Information] infrastructure.admin.machineobjectou ->
2015-03-30 15:48:54 Application: [Information] infrastructure.resourcepool.name ->
2015-03-30 15:48:54 Application: [Information] initialrootpassword -> Password123
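Since the value ends up in GuestAgent.log, it is worth checking provisioned VMs for it. The following shell snippet is an added example for this page, not part of the original post or of the vRA guest agent: it scans a log in the line shape shown above ([Information] property -> value) for property names that look like secrets and reports only the property name and the length of its value, never the value itself. The property-name pattern is a hypothetical policy and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post or the vRA guest agent: audit a guest agent
# log for custom properties that look like secrets and were logged in clear
# text. The only assumption about the log is the line shape visible in the
# post's excerpt:
#     <date> <time> Application: [Information] <property> -> <value>

# Property-name pattern treated as "probably a secret" (hypothetical policy;
# extend it to match your own custom property naming).
SECRET_NAME_RE='passw(or)?d|secret|token|privatekey|apikey'

# find_secret_properties [LOGFILE...]
# Reads the given log files (or stdin) and prints one line per hit in the form
# "<property>=<value length>". The value itself is never printed, so the audit
# output does not repeat the leak it is reporting. Exit status 0 if any hit was
# found, 1 otherwise.
find_secret_properties() {
    awk -v re="$SECRET_NAME_RE" '
        /\[Information\] [^ ]+ -> / {
            rest = $0
            sub(/^.*\[Information\] /, "", rest)     # "property -> value"
            name = rest;  sub(/ -> .*$/, "", name)
            value = rest; sub(/^[^ ]+ -> /, "", value)
            if (tolower(name) ~ re && value != "") {
                print name "=" length(value)
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$@"
}

# sample_log
# Constructed sample lines in the shape of the post's GuestAgent.log excerpt
# (not a real capture); the last one is the clear-text password property.
sample_log() {
    cat <<'EOF'
2015-03-30 15:48:54 Application: [Information] WorkItem: task=CustomizeOS, id=b4e70bc8-49a4-48d9-99c8-41265946917a
2015-03-30 15:48:54 Application: [Information] clonespec -> vCAC Linux - CentOS 6
2015-03-30 15:48:54 Application: [Information] infrastructure.admin.machineobjectou ->
2015-03-30 15:48:54 Application: [Information] initialrootpassword -> Password123
EOF
}

# Usage: run against the real log on a provisioned VM, e.g.
#   sh audit-guestagent-log.sh /usr/share/gugent/GuestAgent.log
# With no argument the script audits the constructed sample instead.
if [ "$#" -ge 1 ]; then
    find_secret_properties "$@"
else
    sample_log | find_secret_properties
fi
```

Run against the constructed sample it reports initialrootpassword=11 and exits 0; a log with no matching property produces no output and exits 1, which makes it easy to wire into a post-provisioning check that fails when a secret has been logged.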



Last modified on Thursday, 02 April 2015 12:21

Comments (5)

John

Did you modify the /usr/share/gugent/axis2/axis2.xml to get this to work?

Rynardt Spies (replying to John)

I do vaguely remember playing with axis2.xml, but for this implementation I don't believe I've made any changes to it, and I've certainly not made changes to it in the recent deployments.

Why are you asking? What problem are you having that axis2.xml is fixing?

Golf

When I select Encrypt on InitialRootPassword, the InitialRootPassword field on the vRA portal changes to an encrypted input. After I submit it for provisioning, the VM is not changed to the new password. How do I fix it?
Thank you

Rynardt Spies (replying to Golf)

You can't use encrypted fields to pass password to the guest agents with this method. The encrypted password will be passed to the guest agent which will be unable to decrypt the data.

Golf (replying to Rynardt Spies)

I have a solution to fix this issue.
First you need to define a property dictionary:
Name {InitialRootPassword}
Display Name {RootPassword}
Control Type {Password}
Required {Yes}
*Don't encrypt the root password in the build profile. The property dictionary will encrypt the password.

However, this solution cannot repeat the password on the vCAC portal; it has only one textbox for entering the password. I'll find a way to do it.
