Deploy VMware vCSA with CLI Installer

The whole point of a homelab is having an environment that’s detached from production and can be broken without consequence. Recently though, my homelab has become a bit more prod/DC/darling, why is the internet not working again?-ish. My solution was to build destructible, nested labs. A real game changer was the ability to script deployment of vCenter Server Appliances quickly and with minimal input, so I thought I’d run over the process of a vCSA CLI deployment.

CLI deployment starts at the same place as with a GUI install. Download the vCSA ISO of your choice from My VMware.

Mount the ISO and browse to the following folder

(Drive letter):\vcsa-cli-installer\templates\install

I’m going to take advantage of enhanced link mode on embedded appliances in 6.7, and copy the embedded_vCSA_on_VC.json template to my local file system. You can also deploy to an ESXi host with embedded_vCSA_on_ESXi.json or install PSCs and standalone vCSAs with other templates here, but more on that later.

The template should look as follows

{
    "__version": "2.13.0",
    "__comments": "Sample template to deploy a vCenter Server Appliance with an embedded Platform Services Controller on a vCenter Server instance.",
    "new_vcsa": {
        "vc": {
            "__comments": [
                "'datacenter' must end with a datacenter name, and only with a datacenter name. ",
                "'target' must end with an ESXi hostname, a cluster name, or a resource pool name. ",
                "The item 'Resources' must precede the resource pool name. ",
                "All names are case-sensitive. ",
                "For details and examples, refer to template help, i.e. vcsa-deploy {install|upgrade|migrate} --template-help"
            ],
            "hostname": "<FQDN or IP address of the vCenter Server instance>",
            "username": "<The user name of a user with administrative privileges or the Single Sign-On administrator on vCenter.>",
            "password": "<The password of a user with administrative privileges or the Single Sign-On administrator on vCenter. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>",
            "deployment_network": "VM Network",
            "datacenter": [
                "Folder 1 (parent of Folder 2)",
                "Folder 2 (parent of Your Datacenter)",
                "Your Datacenter"
            ],
            "datastore": "<A specific datastore accessible to the ESXi host or DRS cluster in the 'target' path.>",
            "target": [
                "Folder A (parent of Folder B)",
                "Folder B (parent of Your ESXi Host, or Cluster)",
                "Your ESXi Host, or Cluster"
            ]
        },
        "appliance": {
            "__comments": [
                "You must provide the 'deployment_option' key with a value, which will affect the VCSA's configuration parameters, such as the VCSA's number of vCPUs, the memory size, the storage size, and the maximum numbers of ESXi hosts and VMs which can be managed. For a list of acceptable values, run the supported deployment sizes help, i.e. vcsa-deploy --supported-deployment-sizes"
            ],
            "thin_disk_mode": true,
            "deployment_option": "small",
            "name": "Embedded-vCenter-Server-Appliance"
        },
        "network": {
            "ip_family": "ipv4",
            "mode": "static",
            "ip": "<Static IP address. Remove this if using dhcp.>",
            "dns_servers": [
                "<DNS Server IP Address. Remove this if using dhcp.>"
            ],
            "prefix": "<Network prefix length. Use only when the mode is 'static'. Remove if the mode is 'dhcp'. This is the number of bits set in the subnet mask; for instance, if the subnet mask is 255.255.255.0, there are 24 bits in the binary version of the subnet mask, so the prefix length is 24. If used, the values must be in the inclusive range of 0 to 32 for IPv4 and 0 to 128 for IPv6.>",
            "gateway": "<Gateway IP address. Remove this if using dhcp.>",
            "system_name": "<FQDN or IP address for the appliance. Remove this if using dhcp.>"
        },
        "os": {
            "password": "<Appliance root password; refer to --template-help for password policy. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>",
            "ntp_servers": "time.nist.gov",
            "ssh_enable": false
        },
        "sso": {
            "password": "<vCenter Single Sign-On administrator password; refer to --template-help for password policy. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>",
            "domain_name": "vsphere.local"
        }
    },
    "ceip": {
        "description": {
            "__comments": [
                "++++VMware Customer Experience Improvement Program (CEIP)++++",
                "VMware's Customer Experience Improvement Program (CEIP) ",
                "provides VMware with information that enables VMware to ",
                "improve its products and services, to fix problems, ",
                "and to advise you on how best to deploy and use our ",
                "products. As part of CEIP, VMware collects technical ",
                "information about your organization's use of VMware ",
                "products and services on a regular basis in association ",
                "with your organization's VMware license key(s). This ",
                "information does not personally identify any individual. ",
                "",
                "Additional information regarding the data collected ",
                "through CEIP and the purposes for which it is used by ",
                "VMware is set forth in the Trust & Assurance Center at ",
                "http://www.vmware.com/trustvmware/ceip.html . If you ",
                "prefer not to participate in VMware's CEIP for this ",
                "product, you should disable CEIP by setting ",
                "'ceip_enabled': false. You may join or leave VMware's ",
                "CEIP for this product at any time. Please confirm your ",
                "acknowledgement by passing in the parameter ",
                "--acknowledge-ceip in the command line.",
                "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
            ]
        },
        "settings": {
            "ceip_enabled": true
        }
    }
}

Most of this should be self explanatory, but there are a few gotchas. When specifying a resource pool as a target, the format should be “ClusterName”, “Resources”, “ResourcePoolName”. Resources should be entered as a literal string. The second issue I had was that datastore clusters cannot be entered as a target. If anyone finds a way around this, I’d love to know about it.

I chose to leave passwords blank in my configuration file, which translates to a not-quite-so-automated installation as shown below; but I’m not here to tell you about your security requirements.

You should end up with a configuration file that looks something like this

{
    "__version": "2.13.0",
    "new_vcsa": {
        "vc": {
            "hostname": "vcsa01.contoso.lab",
            "username": "Jonny@contoso.lab",
            "password": "",
            "deployment_network": "vxw-dvs-287-virtualwire-22-sid-5001-LS02-Nested-Lab",
            "datacenter": [
                "DC01"
            ],
            "datastore": "LUN01_D10_R10",
            "target": [
                "PROD01",
                "Resources",
                "Nested Lab"
            ],
            "vm_folder": [
            	"Nested-Lab",
            	"vc"
            ]
        },
        "appliance": {
            "__comments": [
                "You must provide the 'deployment_option' key with a value, which will affect the VCSA's configuration parameters, such as the VCSA's number of vCPUs, the memory size, the storage size, and the maximum numbers of ESXi hosts and VMs which can be managed. For a list of acceptable values, run the supported deployment sizes help, i.e. vcsa-deploy --supported-deployment-sizes"
            ],
            "thin_disk_mode": true,
            "deployment_option": "tiny",
            "name": "nest-vc01"
        },
        "network": {
            "ip_family": "ipv4",
            "mode": "static",
            "ip": "10.0.61.2",
            "dns_servers": [
                "10.0.61.1"
            ],
            "prefix": "24",
            "gateway": "10.0.61.254",
            "system_name": "10.0.61.2"
        },
        "os": {
            "password": "",
            "ntp_servers": "uk.pool.ntp.org",
            "ssh_enable": false
        },
        "sso": {
            "password": "",
            "domain_name": "vsphere.local"
        }
    },
    "ceip": {
        "description": {
            "__comments": [
                "++++VMware Customer Experience Improvement Program (CEIP)++++",
                "VMware's Customer Experience Improvement Program (CEIP) ",
                "provides VMware with information that enables VMware to ",
                "improve its products and services, to fix problems, ",
                "and to advise you on how best to deploy and use our ",
                "products. As part of CEIP, VMware collects technical ",
                "information about your organization's use of VMware ",
                "products and services on a regular basis in association ",
                "with your organization's VMware license key(s). This ",
                "information does not personally identify any individual. ",
                "",
                "Additional information regarding the data collected ",
                "through CEIP and the purposes for which it is used by ",
                "VMware is set forth in the Trust & Assurance Center at ",
                "http://www.vmware.com/trustvmware/ceip.html . If you ",
                "prefer not to participate in VMware's CEIP for this ",
                "product, you should disable CEIP by setting ",
                "'ceip_enabled': false. You may join or leave VMware's ",
                "CEIP for this product at any time. Please confirm your ",
                "acknowledgement by passing in the parameter ",
                "--acknowledge-ceip in the command line.",
                "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
            ]
        },
        "settings": {
            "ceip_enabled": true
        }
    }
}

I’m setting the –no-ssl-certificate-verification flag as I’m deploying to a target with a self signed SSL cert. Your mileage may vary.

We can verify our template is valid without installing like so

d:\vcsa-cli-installer\win32\vcsa-deploy.exe install --accept-eula --no-ssl-certificate-verification --verify-template-only c:\vcsa-cli\templates\embedded_vCSA_on_VC.json

Next up we need to run the installer which looks as follows

d:\vcsa-cli-installer\win32\vcsa-deploy.exe install --accept-eula --no-ssl-certificate-verification c:\vcsa-cli\templates\embedded_vCSA_on_VC.json

If you didn’t add passwords to the configuration.json file above, you’ll be prompted to enter them now

Some time later

If you run into problems you may also get help like so

d:\vcsa-cli-installer\win32\vcsa-deploy.exe install --template-help

Leave a Reply

Your email address will not be published. Required fields are marked *