I recently published an article demonstrating how to inject OVF properties into the VCSA and other virtual appliances when deploying directly onto ESXi using an unreleased version of ovftool (4.0). A fellow reader by the name of VirtualJMills, as he is known on Twitter left an interesting comment using an alternate solution which I thought was actually pretty clever!

The solution that he had used prior to finding my article was to append the OVF XML payload which contains the OVF properties into an advanced VM Setting called "guestinfo.ovfEnv" which in turns makes the information available to the virtual appliance through the OVF runtime environment. Instead of manually editing the VMX file by hand (which is a big no-no in my opinion. Read more about it here) and painfully crafting the XML blob with the appropriate escape characters, one can easily automate this using the vSphere API! In fact, I had written an article about this very topic back in 2012 for accessing the advanced settings of a VM and I even provided vSphere SDK for Perl and PowerCLI samples scripts.

Disclaimer: Though this alternate method may work, it is still pretty manual and potentially error prone and it is still recommended to either deploy an OVF/OVA directly to vCenter Server OR by leveraging ovftool.

To demonstrate this functionality, I have created two sample scripts: setOvfEnv.pl (vSphere SDK for Perl) and setOvfEnv.ps1 (PowerCLI)

Before you can use these scripts, you will need to capture the OVF XML that is passed into the guestOS and add that to the script. To do so, you will need to manually deploy the virtual appliance against a vCenter Server for the first time to capture this information. Once the virtual appliance has been deployed, you will need to power it on and copy the OVF XML by click on Edit Settings->Options->OVF Settings->View.

alternate-method-injectovf-0
Here is an example of the VCSA OVF XML:

If you have more than one virtual appliance deployed in your environment using OVF properties, you will see additional entries. Depending on the solution, you can strip it further down by removing unnecessary entries like EthernetAdapterSection. Once you have the XML, you can then add that to one of the scripts. In this example, we will use the PowerCLI script to configure a vCenter Server Appliance and the script already contains the minimum entry for configuring the VCSA. If you plan on automating other virtual appliances, remember to escape the double-quotes by using tick mark `.

Before running the PowerCLI script, you will need to edit the $esxname and $vmname variable along with substituting the OVF values in $ovfvalue variable. Once the script has completed, we can easily confirm guestinfo.ovfEnv was added by checking the .VMX file.

alternate-method-injectovf-1
Once we have verified the guestinfo.ovfEnv advanced setting has been configured, we can power on the VCSA and the OVF properties can now be accessible from within the guestOS which we can confirm by watching the VM console of the VCSA.

alternate-method-injectovf-2
As you can see from the screenshot above, the OVF values that we had configured has now been passed into VCSA and this allows you to deploy a virtual appliance directly onto an ESXi host and have the virtual appliance be properly configured without the need of a vCenter Server (for the most part).

Similarly, we can also do the same using the vSphere SDK for Perl script by editing the $ovfValue variable. In that sample, I have decided to configure the latest Log Insight 2.0 release and here are a couple of screenshots following the same workflow as the VCSA.

alternate-method-injectovf-3

alternate-method-injectovf-4

alternate-method-injectovf-5
As mentioned earlier, even though this method works it is also very error prone due to all the manual steps. In addition, for virtual appliances that require a password, you are also exposing plaintext passwords in the guestinfo.ovfEnv and you would need to perform an additional step to null out the value after the virtual appliance has finished configuring. There are also other virtual appliances which have a reliance on vServices which is only exposed in vCenter Server and this method may not work with those type of solutions. Though this is a neat "hack" to get OVF properties working when deploying directly to ESXi, I would still highly recommend using ovftool to properly set these parameters.

10 thoughts on “An alternate way to inject OVF properties when deploying virtual appliances directly onto ESXi

  1. > Though this is a neat “hack” to get OVF properties working when deploying directly to ESXi
    >

    My sole goal was bootstrapping an unmanaged ESXi node to managed-by-self-hosted VCSA, so I needed something which could be accomplished without making many in-VM changes to VCSA.

    Using the guestinfo.ovfEnv injection technique gets the VCSA up and configured sufficiently network wise that I can scp-in the second-round script to the VCSA local filesystem, and kick it off.

  2. I am trying to automate the deployment of vCAC 6.0 SSO and VA appliances using the ovftool.exe command inside a PowerCLi script using the below command to import the appliance onto a standalone ESXi host. But for some reason the script does not do anything.

    $VA1 = “L3_VCAC-SSO”
    ovftool.exe -ds=Lun1 -dm=thin –net:Network 1=”HQ Site” –name=$VA1 “B:\vCAC6.01\VMware-Identity-Appliance-2.0.1.0-1545089_OVF10.ovf” vi://root:VMware1!@Host3.lab.local/vCloud | Out-Null

    I have used the above methods to deploy other types of appliances in the past but for some reason the vCAC VAs just wont play ball.

    Could you please shed some light on what am I doing wrong here?

    Thanks
    MP

  3. Thanks William, this was really helpful.

    I have one question that if I am having password as one of the property field in my ProductSection, and at the time of deployment of my virtual appliance I am providing a password. Then I am using vmware tools to get my environment values inside my VM and then setting them appropriatly. But I don’t want my password to be in plain text. Do you have any suggestions in this? What additional steps are you talking about?

    Thanks
    Prakash

  4. Hi Bill,
    I am working on vcenter server 5 standard. I am generating an OVA using vsphere client. Since OVA is a tar file, unauthorized user can get hold of the software. So i am looking at solutions to prevent this.

    I could protect the tar file by using gcrypt however it will involve additional step of decrypting before deploying in vcenter or workstation.

    Are there any other means to protect the OVA while still retaining the simplicity of deployment ?

    I see that vcenter is generating OVA using OVF version 1.0 however OVF version 2.0 does have defined something for package protection.

    There does not seem to be information available on web about VMWare product that can generate 2.0 OVF…

    Any clues regarding this?

    • Even ovftool 4.x does not have options to protect OVA (except signing which is to ensure integrity of OVA not to protect OVA)

  5. Hi William

    do you think this should also with the deploying Orchestrator 6.0.x?

    following you guide very close and i;m getting

    â?oguestinfo.ovfEnvâ?? : The term ‘â?oguestinfo.ovfEnvâ??’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    any ideas?

Thanks for the comment!