© Copyright 8/6/13 BMC Software, Inc
Best Practices: BSA Provisioning
Sean Berry Customer Engineering
BSA Best Practices Webinar Provisioning
Agenda
- What’s the value? What’s it do?
- Platforms/Technologies
- How does it work?
- Let’s go!
  - Setup
  - Execution
- Where does it get interesting?
What’s the value? What’s it do?
Value!
- New servers in a fraction of the effort and time of a non-automated process.
- Full Stack Provisioning:
  - OS, Agents, Hardening
  - Applications & Patches
  - Compliance / Validation
- Let go of custom provisioning systems:
  - Let your very smart NIM/Jumpstart/AI/etc. experts focus on more valuable areas
- If already fairly automated, look for value in reducing maintenance overhead
What’s the dream?
- The server factory: hardware goes in; consistent, quickly built servers come out, like clockwork, with no embarrassments or apologies
What’s the reality?
- Like starting up any factory
  - There’s a process to it
  - In a perfect environment…
  - If you follow the directions exactly…
  - There’s always something… usually human error
Cut to the chase: I’m impatient!
- Upgrade to a Modern BSA version!
  - (at least in your lab!)
  - (8.2 SP4+/8.3 SP1+ preferred as of early August 2013)
- BSA PXE Provisioning White Paper
  - https://docs.bmc.com/docs/display/bsa83/How+to+use+BMC+Server+Automation+for+PXE-based+provisioning
- BSA Provisioning Doc (at one point, 25% of all doc)
  - https://docs.bmc.com/docs/display/public/bsa83/Provisioning+and+deployment
  - https://docs.bmc.com/docs/display/public/bsa83/Bare+metal+provisioning+tasks+and+stages
  - https://docs.bmc.com/docs/display/public/bsa83/Linux+Provisioning+Flowchart
- Use something easy to start, like RHEL 6
Sample docs Flowcharts: Provisioning Setup
Sample docs Flowcharts: Provisioning Execution
Platforms/Technologies/Buzzwords
Platforms
- What platforms are supported?
  - Basically every platform BSA runs on has provisioning support.
  - Windows (Unattended & WIM image)
  - Linux (RHEL: kickstart, SuSE: autoyast, even ESX)
  - AIX (NIM)
  - Solaris (Jumpstart & AI)
  - HPUX (Ignite)
Build-based provisioning vs. image based
- Build-based:
  - Windows "Unattended"
  - RHEL "kickstart"
  - SuSE "autoyast"
  - AIX “bosinst”
  - Solaris
  - HPUX
- Image-based:
  - Windows Image (WIM)
  - Solaris Flash Archive (FLAR)
  - AIX mksysb
How does this stuff generally work?
What do I start with, what do I need, what do I get?
- Bare metal hardware: server/blade or "bare" VM instance capable of booting from the network
- "miniroot" or intermediate "mini" operating system (WinPE, Linux/Solaris installer OS images)
  - RAID reconfiguration
  - Firmware updates
  - Complex disk partitioning (diskpart etc.)
- OS install media or OS image
What do I start with, what do I need, what do I get? (cont’d)
- RSCD Agent installation
- Post-install configuration
  - Agents / infrastructure
  - OS hardening
  - Middleware installs
  - Content installs
  - Patching
  - Policy/standards validation/audit
- Consistent, reliable builds, easy onboarding
How does PXE work under the hood?
- First Boot (No OS):
  - Starting up with just a MAC
    - Getting our first IP (DHCP)
    - Getting "mini root" location (PXE)
    - Acquiring the "mini root" and/or kernel (TFTP)
- “Mini OS”
  - Talking to the app server (mothership) and acquiring our OS
  - Windows: ("bmi" + SMB share)
  - Linux: ("bmi" + http share)
- Post OS install activities
  - RSCD Agent install (enables all following)
  - “bmiwin”/“bmilinux”: OS install was successful!
  - Post Provisioning Activities
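The DHCP step of the first boot above decides whether the client ever reaches its mini root, so it is the first thing to inspect when a PXE boot stalls. The sketch below is an added example, not BMC code or part of the original deck: it parses DHCP replies and flags an offer that carries no TFTP server/boot file, and a MAC that was answered by more than one DHCP server. The packets, IP addresses, MAC and the boot file name pxelinux.0 are constructed test data.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options

def parse_offer(pkt):
    """Pull out of one DHCP reply what a PXE client needs to find its mini root."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i + 1 < len(pkt) and pkt[i] != 255:    # 255 = end of options
        if pkt[i] == 0:                          # 0 = pad byte, no length field
            i += 1
            continue
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    text = lambda b: b.split(b"\0")[0].decode("ascii", "replace")
    siaddr = socket.inet_ntoa(pkt[20:24]) if any(pkt[20:24]) else ""
    return {
        "mac": pkt[28:28 + pkt[2]].hex(":"),
        "dhcp_server": socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else None,
        # Servers fill either the fixed siaddr/file fields or options 66/67.
        "tftp_server": text(opts[66]) if 66 in opts else siaddr,
        "bootfile": text(opts.get(67, pkt[108:236])),
    }

def diagnose(offers):
    """Flag two DHCP-stage faults: competing servers, and offers with no boot info."""
    findings, servers = [], {}
    for o in map(parse_offer, offers):
        servers.setdefault(o["mac"], set()).add(str(o["dhcp_server"]))
        if not (o["tftp_server"] and o["bootfile"]):
            findings.append(f"{o['dhcp_server']}: IP offered, no TFTP server/boot file")
    for mac, seen in servers.items():
        if len(seen) > 1:
            findings.append(f"{mac}: answered by {len(seen)} DHCP servers {sorted(seen)}")
    return findings

def sample_offer(server, tftp="0.0.0.0", bootfile=b""):
    """Constructed DHCPOFFER for one MAC (test data, not a capture)."""
    hdr = struct.pack("!4BI2H4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      socket.inet_aton("10.0.0.50"), socket.inet_aton(tftp), bytes(4),
                      bytes.fromhex("005056aabbcc"), b"", bootfile)
    return hdr + MAGIC + b"\x35\x01\x02\x36\x04" + socket.inet_aton(server) + b"\xff"

# Constructed scenario: the provisioning DHCP server plus a pre-existing one.
SAMPLE = [sample_offer("10.0.0.1", "10.0.0.10", b"pxelinux.0"), sample_offer("10.0.0.254")]
if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```

To use it on a real build network, pass the UDP payloads of captured DHCP replies in place of SAMPLE.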
Some notes about WinPE
- WinPE was released primarily to make Windows Vista deployment easier
- Although it is designed to detect and enable hardware with built-in drivers, if it cannot find them the drivers must be preconfigured/injected
- It runs in RAM/memory
- It is not a full-featured OS but a mini OS
- Instead of customizing commands or scripts during the DOS process, you customize the whole image (imagex /mountrw)
- Use the Windows Automated Installation Kit to work with it (set it all up once somewhere and re-use it!)
Where do I need drivers?
| OS Type | Drivers Needed? | Examples |
|---|---|---|
| BIOS/Firmware Boot | No: Most hardware that can boot to the network can do so natively. | |
| Mini OS | Yes: correspond to the Mini OS | WinPE, older Linux, (AIX?) |
| Full OS (installed) | Yes: "Plug and Play" or Slipstreamed | Windows 2003/2008 |
About WinPE vs Windows “Full OS” Drivers
- The drivers required for WinPE are often different than the drivers required for the full operating system!
  - WinPE based on specific OS versions: WinPE 3.1 -> Windows 7
  - http://technet.microsoft.com/en-us/library/dd349350(v=ws.10).aspx
- WinPE drivers: look for “RIS” or “WinPE” driver sets
  - https://www.google.com/search?q=HP+DL380+winpe+drivers
Let’s Go!
Setup
- Where should I set this up (the first time)?
  - A lab!
  - (not that kind of Lab!)
- Somewhere you:
  - have control or knowledge of the network,
  - know the environment, and
  - can quickly troubleshoot issues.
What do I need to do to set this up? (non-PXE UNIXes)
- For AIX, Solaris, HPUX:
  - An existing, functioning provisioning environment, and
  - Set up BSA integration to it (datastore etc.)
  - Easy to set up, well-supported by their vendors
  - Easy to test from the command line
Setup for PXE-based installs
- Set up DHCP (3 little options)
- Install BSA PXE/TFTP
- Build boot images if necessary
  - Windows: WinPE
  - Linux: RHEL "skip" or Gentoo (“skip” more common than Gentoo)
  - Include drivers! (#1 issue users hit)
STOP HERE
- Bill Robinson Wisdom:
  - “If you’re setting up pxe first make sure it can boot to the pxe image - don't bother w/ the system package and job setup yet - just get the pxe boot working - this is [the source of] 90% of the problems w/ [bare metal provisioning]. PXE is not BSA specific - lots of network troubleshooting here.”
Setup for PXE-based installs: Testing
- Once successfully booted into WinPE / Linux Miniroot:
  - Make sure you can see the network
    - Windows: “ipconfig /all”, “route print”
    - Linux: “ifconfig -a”, “netstat -rn”
  - Make sure you can see the disk/storage
    - Windows: “diskpart”
    - Linux: “fdisk” / “dmesg | grep hd” (or sd)
- If you can’t do any of these, you have a WinPE/miniroot driver problem!
  - Windows: Inject drivers
  - Linux: try a later OS’s miniroot, maybe inject drivers
- Connectivity
  - Make sure you can see the appserver
    - Look for messages about the appserver IP and port coming from DHCP
    - bmi <appserver ip> <appserver port>
Setup for PXE-based installs (cont.)
- Set up the datastore (HTTP/SMB share, username & password)
- Stock the datastore
  - Use stock OS media if possible (Avoid Ghost & other images)
  - Make sure the bmiwin.exe and bmilinux.tar are at the root of the datastore so they can end the provisioning job
  - Include drivers & config utilities (SAN, RAID)
  - Test it!
    - Windows: “net use x: \\servername\pxeshare”
    - Linux: curl/wget
    - Are the installables where you expect them to be?
- Configure the datastore in BSA (Property Dictionary)
  - Server name
  - Location on the server
  - “Virtual” location
  - Authentication (user/password, should be read-only in Prod!)
What do I need to do to use it once setup?
- Define at least one System Package
  - start with something simple
  - Boot, import or define at least one device
  - Step through a test provisioning to make sure all the plumbing's ready to go
- Then branch out into more interesting configurations
Post Provisioning (Batch Jobs)
- Requires a running RSCD agent!
  - (and successful silent install of the agent during provisioning)
  - (and open firewall ports)
- Requires successful bmiwin/bmilinux/bmisolaris callback (AIX is automatically detected)
- Greatest value comes from Post Provisioning: no matter how initially provisioned
- Patch boxes as part of the post-install or figure out how to slipstream the OS media
Software Installs
- Ideally use existing packages
- Start with a known working package, or test installs on already-built boxes
- Don't use automated provisioning to test software install commands until you know they work (potentially very long lead time & very frustrating)
  - Build one “fresh” instance of the machine and work on the install on that machine
- Don’t delete Software Deploy Jobs; change their payloads or targets instead (dependency trees)
Post Provisioning Compliance
- Best opportunity to validate the server was correctly built
- Build Compliance
  - Server built to our build spec
- Security Compliance
  - Server is secure when we release it
- Patch Compliance
  - Server is correctly patched to today’s standard (not 6 months ago)
- Use the same policies as in Production
Where does it get interesting?
General
- Using scripts to execute Provisioning from another system
- Using parameters in the system package (Device or local System Package) to simplify the build process
  - parameterize as much as possible in the system package, users choose property sets during job for server 'profiles'
- Don't delete software deploy jobs used in PPBJ; change the package instead (dependencies)
General 2
- Don't build many custom System Packages; instead do basic builds & add later where possible.
  - *think* about what you need to build and don't crap OS images and system packages all over
- Where to provision (build network vs. Prod) is a philosophical question
- When to build and when to clone
  - VM template provisioning
  - vs VM container + BM provisioning
Upgrades
- bmi, bmiwin.exe, and bmilinux.tar all need to be upgraded when BSA is upgraded; many fixes in these over the years.
- WinPEs should be upgraded/rebuilt with new provisioning files after an upgrade (common cause of issues)
- Create a driver repository to make it easier to upgrade the WinPEs in the future (avoid driver hunting)
Troubleshooting
- How to debug and fix PXE problems in a customer environment, particularly if they have existing DHCP or PXE servers
- How to manage build VLANs so that the IP address can be switched from Build to Production after provisioning.
- Managing the BMI callback and PXE->DB connections, particularly in a SOCKS port and/or Service Provider Environment
Known issues
- WinPE image creation issue for BSA 8.3 SP1.
  - After creating winpe image, we can't see it listed under “Configuration -> Provisioning Configurations” and the last tab – “Image Files”. The image gets created and we can browse it from btproot directory but it is not listed in Image files listing.
- Dependency deletion:
  - deleting a given software deploy job used in a PPB can potentially delete all the way back to system package. Be careful of “OK” buttons!
Networking
- Provisioning in DMZs / "No DHCP allowed here"
  - Option 1: Dedicated provisioning network w/ switchable VLANs
  - Option 2: iLO/iDRAC/UCS etc. boot images
- SOCKS-only networks
  - Neither PXE nor BMI (nor the OS transport protocols) transit SOCKS well. Some customers use dedicated provisioning infrastructure, others use dedicated VLANs for provisioning.
IP-helpers vs. DHCP & PXE servers
- Potential for: Regional PXE servers (requires access to BSA DB)
- Could -conceivably- reduce to one machine/subnet somewhere
- In practice, most customers with many networks end up having at least one per region
- Can be shared more broadly, and still use local data stores in each DC
- Consider HA/load balancing/DR/performance (How many new OS builds / hr? including testing?)
Windows
- Windows Provisioning usually only configures the first NIC, some RFEs open for integrating into System Packages
- Multi-NIC servers: not all boot consistently from the same interface
- SAN provisioning generally requires knowing the disk configuration so the correct diskpart commands can be applied.
- Issues with the execution of a post-provision batch job (agent not correctly configured, server not accessible): disable the firewall or configure it to allow RSCD traffic through.
- You can do hardware changes (bios update, raid config, etc) in winpe pretty easily, can be a little hacky w/ linux
Linux
- BSA Gentoo build image scripts may not work with the latest Gentoo ISO (examine build #s carefully!)
- Using the "skip Linux" boot image for faster Linux builds if Gentoo is not required
- Customizing the ks.cfg sometimes means you're responsible for the entire config
Solaris
- Can use an expect type script to connect to the console of a machine and initiate provisioning (boot net - install)
- Samples available in communities & others
For More Information
- BMC Communities – Server Automation: https://communities.bmc.com/community/bmcdn/bmc_service_automation/server_configuration_automation_bladelogic
Q&A
Learn more at www.bmc.com