Hacking Photon OS to Do Your Bidding

I’m really happy to hear that only a week after VMworld the PowerCLI team is all over trying to get us to market with a version of PowerCLI that can be consumed by the masses. As an Apple and Linux user, I’ve always been a second-class automation citizen in the VMware space… There are a few scripting tools out there, but none as big or as well maintained as PowerCLI.

I’m Tim, and I’m not a traditional Microsoft user…

Frankly, I grew up in the Linux world running distributed e-discovery systems that were a bear to troubleshoot and get performing. For that I’m thankful, because by being around such piles of awesome, I was able to pick up a lot of tidbits around networking/storage that make me the tech nerd that I am today… So this Linux tech nerd is very happy about the VMware push of PowerShell and eventually PowerCLI to Photon OS.

Today I’d like to talk (er, type) about how to make Photon OS an easier-to-use extension of your operating system. I envision Photon as a very lightweight way of getting PowerCLI functionality on your Mac/Linux host with VMware Fusion/Workstation, or as a small management VM in your local vSphere environment. To bring this vision to reality, we need to set a static IP and nameservers, enable root login, set up some SSH keys and install PowerCLI with the built-in package manager.

First and foremost, download Photon OS and deploy it to Workstation/Fusion or vSphere…

Boot it up and get to the console:

The initial login for the OS is root/changeme (go ahead and follow the prompts to get the root password changed and get moving). Now that we have logged in as root:

[screenshot: root shell prompt after the first login]

let’s move on to enabling SSH access to our Photon OS.

Enabling Root Login:

In my use cases I’d like to make sure that I can use Photon OS as an extension of my local OS, meaning that I’ll use Fusion to run Photon OS on boot and allow SSH access to that host directly from my local machine. I’d like to be able to just use Photon how I need to as a root user, and because it’s a local box, I really just want to make it easy for me to log in as root. To get that going, let’s allow the root user to SSH into the host:

First we’ll need to permit root SSH login by adding the following line to the /etc/ssh/sshd_config file (the server’s config; ssh_config only affects the ssh client):

PermitRootLogin yes

To accomplish this we’ll use a text editor, the directions here will get you started in vi (the one true text editor).

If you would like to use vi (and I do) at the command line simply type:

vi /etc/ssh/sshd_config

The sshd_config file will open in your vi window… use your arrow keys to move to the end of the file (if the file already has a PermitRootLogin line, change that one instead, because sshd uses the first value it finds for a keyword).

Press i to insert new text and type the following into a new line:

PermitRootLogin yes

Should look like this:

[screenshot: the PermitRootLogin yes line in sshd_config]

Press the ESC button

Type :wq! to write the changes to the file and exit (did you mess up? That’s okay, type :q! to quit without making any changes and start over).

Now restart the SSH service using systemctl:

systemctl restart sshd

You can also use the ip addr command to show your local ip address (which you’ll need to establish an SSH connection).

Test your SSH connection into Photon as root from your OS X box… Fire up a terminal and execute:

ssh root@photonsipaddress

[screenshot: SSH session to Photon from the Mac]

You’ll see that we’ve appropriately established an ssh connection as root.
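Here is an added example (my own script, not from the post and not VMware’s) that makes the PermitRootLogin edit without hand-editing and proves sshd accepts the result before restarting it. Two sshd_config rules matter here: sshd honours the first value it sees for a keyword, and anything after a Match line applies only to that block, so the directive has to land in the global section. It assumes a POSIX sh with awk, that it runs on the Photon host as root, and that sshd and systemctl are on the PATH; the file path argument lets you try the functions on a copy first.

```shell
#!/bin/sh
# Added example: set an sshd_config directive idempotently and validate the
# file before restarting. Assumes POSIX sh + awk; run on the Photon host.

# set_sshd_option FILE KEY VALUE
#   Replaces the first live or commented KEY line in the global section, or
#   inserts "KEY VALUE" before the first Match block, or appends it at the end.
#   (Keyword matching is case-sensitive here; sshd itself is not.)
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        # the global section ends at the first Match block: insert before it
        !done && $1 == "Match" { print k " " v; done = 1 }
        # replace the first occurrence, whether live, "#Key" or "# Key"
        !done && ($1 == k || $1 == "#" k || ($1 == "#" && $2 == k)) {
            print k " " v; done = 1; next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_sshd_option FILE KEY: the value sshd will actually use for KEY
# (first uncommented occurrence before any Match block)
get_sshd_option() {
    awk -v k="$2" '$1 == "Match" { exit } $1 == k { print $2; exit }' "$1"
}

# enable_root_login [FILE]: the step from the post, with a syntax check in
# front of the restart so a typo cannot lock you out of the box.
enable_root_login() {
    file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" PermitRootLogin yes || return 1
    sshd -t -f "$file" || { echo "sshd rejected $file, not restarting" >&2; return 1; }
    systemctl restart sshd
}

# On the Photon host:  enable_root_login
# Dry run on a copy:   cp /etc/ssh/sshd_config /tmp/sshd_config.test
#                      set_sshd_option /tmp/sshd_config.test PermitRootLogin yes
#                      get_sshd_option /tmp/sshd_config.test PermitRootLogin   # yes
```

The dry run on a copy is worth the ten seconds: `sshd -t -f` parses the candidate file with the real daemon, so you find out about a bad edit while your current session is still open.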

Adding some keys to make life a bit easier…

SSH keys can be used in lieu of passwords, so connections to your SSH host complete without a password prompt (saving you a bit of time). Here is how it works: first a key pair is generated on your local machine. You then place a copy of your public key into a file called authorized_keys on the host that you wish to connect to without a password.

To start, on your client machine (in this case my mac) fire up a terminal and move to your home directory by typing:

cd ~/

We then need to check whether a directory called .ssh already exists. Do this by executing the following and looking for .ssh in the listing:

ls -la

[screenshot: ls -la output showing an existing .ssh directory]

You can see in my case that I already have a directory called .ssh. If you DON’T, you’ll need to create it:

mkdir .ssh

You’ll need to ensure that the directory’s permissions are restrictive enough to hold SSH key files (readable by you alone). The following takes care of that:

chmod go-rwx .ssh

We’ll then need to change directories into .ssh:

cd .ssh

It’s now time to create our keys:

ssh-keygen -b 1024 -t rsa -f id_rsa -P ""

Some quick notes:

  • -f indicates the name of the file
  • -t indicates that we’re using RSA
  • -b 1024 sets the key length in bits (feel free to amp this up; ssh-keygen’s own default is 2048, and 1024-bit RSA is below current recommendations)
  • most importantly, -P "" indicates that the passphrase should be empty

[screenshot: ssh-keygen output]

NB: I’ve created my keys in a temp directory as I already have an existing pair of id_rsa keys…

You should now have a pair setup in your .ssh directory:

[screenshot: id_rsa and id_rsa.pub listed in .ssh]

Let’s go over this really quickly. The id_rsa file is your private key… Don’t ever give that bad boy out to anyone. Frankly, just leave it alone. The id_rsa.pub file is your public key, and the thing that we’re going to put on our remote hosts to make logging in a breeze.

Copy your key to the photon machine:

From your client machine (my mac in this case) run the following:

more id_rsa.pub

[screenshot: contents of id_rsa.pub]

Copy the text into your clipboard, omitting the command prompt that follows it.

SSH into your photon host as root:

ssh root@photonhostip

[screenshot: SSH session to the Photon host as root]

You’ll notice that we’re in root’s home directory, indicated by the “~”.

Change directories into .ssh on the photon host:

cd .ssh

List the contents of the .ssh directory on the photon host:

ls -la

[screenshot: contents of root’s .ssh directory]

We’re going to edit that authorized_keys file in the next step. Same vi stuff as before:

vim authorized_keys

Type dd to remove the first line, which says <ssh-key-here>.

Type i to put vi into insert mode and paste your key into this file.

Hit ESC.

Type :wq!

Test it out!

Log out of the Photon machine and from your local box type ssh root@photonmachineip

You shouldn’t have to enter a password this time to login:

[screenshot: SSH login to Photon with no password prompt]
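The clipboard dance above is exactly what ssh-copy-id automates. As an added example (my own script, not the post’s), here is the same operation done locally on the host, the way I’d want it to behave: the key goes in only once, even if you paste it again with a different comment, and the permissions that sshd’s StrictModes checks (700 on .ssh, 600 on authorized_keys) are set rather than assumed. It assumes a POSIX sh with awk and ls, that the .pub file has been copied to the Photon host (scp works fine), and the public key line in the usage comment is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys idempotently and
# with the permissions sshd requires. Assumes POSIX sh + awk + ls.

# perms PATH: mode string from ls, e.g. drwx------ (avoids non-portable stat flags)
perms() {
    ls -ld "$1" | cut -c1-10
}

# has_authorized_key FILE "TYPE BLOB": true if that key is already listed.
# A key is identified by type + base64 blob; the trailing comment is ignored.
has_authorized_key() {
    [ -f "$1" ] && awk -v id="$2" '($1 " " $2) == id { found = 1; exit } END { exit !found }' "$1"
}

# install_authorized_key SSHDIR PUBKEYFILE
install_authorized_key() {
    sshdir=$1 pubfile=$2
    keyid=$(awk 'NR == 1 { print $1, $2 }' "$pubfile")
    # refuse anything that is not "<type> <blob>", so a stray paste never lands in the file
    case $keyid in
        ssh-*" "?*|ecdsa-*" "?*|sk-*" "?*) ;;
        *) echo "$pubfile does not look like an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    auth=$sshdir/authorized_keys
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    if has_authorized_key "$auth" "$keyid"; then
        return 0    # already present; do not add a duplicate
    fi
    head -n 1 "$pubfile" >> "$auth"
}

# private_key_ok KEYFILE: ssh refuses to use a private key readable by others
private_key_ok() {
    [ "$(perms "$1")" = "-rw-------" ]
}

# Usage on the Photon host (id_rsa.pub copied over from the client first):
#   install_authorized_key /root/.ssh /tmp/id_rsa.pub
# On the client, before the first connection attempt:
#   private_key_ok ~/.ssh/id_rsa || chmod 600 ~/.ssh/id_rsa
# Constructed placeholder line of the format accepted (not a real key):
#   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBLOBxx tim@mac
```

If the passwordless login still prompts after this, `ssh -v` on the client and `journalctl -u sshd` on Photon will usually point at a permission problem on one side or the other, which is what the two permission checks here exist to catch.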

Setting a static IP

Setting a static IP for Photon OS is not as straightforward as it should be… Linux FTW (I admit it). First we need to tell the system that we won’t be using DHCP, and second we need to set the IP statically along with the search domain and name resolution settings. To do this we’ll need to edit a few key files. First, confirm that the Ethernet interface on your Photon host is eth0 by executing the following:

ip addr

[screenshot: ip addr output showing eth0]

Here you can see that eth0 is our DHCP-configured interface.

To set that as static, we’ll first move (rename) the networkd unit file:

mv /etc/systemd/network/10-dhcp-en.network /etc/systemd/network/10-static-eth0.network

Next, let’s use our vi skills to edit that file:

vi /etc/systemd/network/10-static-eth0.network

First let’s empty the file out:

Type dd several times until the file is empty.
Type i to insert text, then enter the following template and customize it for your network:

[Match]
Name=eth0

[Network]
Address=192.168.10.176/24
Gateway=192.168.10.1
DNS=192.168.10.50
Domains=timcarr.net

Next restart networking to pick up the new config:

systemctl restart systemd-networkd.service

You can verify that everything is working properly by executing:

ip addr

and verifying your ip address is what you’ve configured.
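As an added example (my own script, not from the post), here is the unit generation with a sanity check in front of it. Typos in this file are the one place in the whole post where you can lose the box: a bad address or a gateway outside your subnet leaves eth0 without a route, and with it your SSH session. It assumes a POSIX sh with awk, the author’s values from the template above, and that the resulting file is written on the Photon host as root.

```shell
#!/bin/sh
# Added example: write a systemd-networkd static-address unit after checking
# the values. Assumes POSIX sh + awk. Values below mirror the post's template.

# valid_ipv4 ADDR: four dotted octets, each 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# valid_cidr ADDR/PREFIX: valid address and a prefix length of 0..32
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    p=${1#*/}
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -le 32 ]
}

# same_subnet A B PREFIX: true when A and B share the network part
same_subnet() {
    printf '%s %s %s\n' "$1" "$2" "$3" | awk '
        function toint(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        { hostbits = 2 ^ (32 - $3)
          exit (int(toint($1) / hostbits) == int(toint($2) / hostbits)) ? 0 : 1 }'
}

# write_static_network FILE IFACE ADDR/PREFIX GATEWAY DNS DOMAIN
#   Refuses to write anything unless every value passes, so a half-baked unit
#   never reaches /etc/systemd/network.
write_static_network() {
    file=$1 iface=$2 cidr=$3 gw=$4 dns=$5 domain=$6
    valid_cidr "$cidr" || { echo "bad address: $cidr" >&2; return 1; }
    valid_ipv4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    valid_ipv4 "$dns"  || { echo "bad DNS server: $dns" >&2; return 1; }
    same_subnet "${cidr%/*}" "$gw" "${cidr#*/}" \
        || { echo "gateway $gw is not inside $cidr" >&2; return 1; }
    printf '[Match]\nName=%s\n\n[Network]\nAddress=%s\nGateway=%s\nDNS=%s\nDomains=%s\n' \
        "$iface" "$cidr" "$gw" "$dns" "$domain" > "$file"
}

# On the Photon host, the post's steps end to end:
#   mv /etc/systemd/network/10-dhcp-en.network /etc/systemd/network/10-static-eth0.network
#   write_static_network /etc/systemd/network/10-static-eth0.network eth0 \
#       192.168.10.176/24 192.168.10.1 192.168.10.50 timcarr.net
#   systemctl restart systemd-networkd.service && ip -4 addr show dev eth0
```

Do the restart from the VM console rather than over SSH the first time; if the new address is wrong you are still on the box and can `mv` the file back to its DHCP name.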

Get some PowerCLI in your life – COMING SOON!

I’m happy that VMware will be releasing PowerCLI for Photon… We just need to install it into our newly hacked-together lightweight management VM. That will ultimately be a very simple one-liner using the package manager named tdnf (Tiny Dandified Yum, what a name):

tdnf -y install powercli

With this post and the previous post on building and running PowerShell in a Docker container, we’re now just waiting on Microsoft and VMware to finish the rest of the legalese and coding to bring PowerCLI to the platform as part of a Fling. We’re really looking forward to that release!
