Automation and scripting are the most complicated and the most rewarding items to implement for enterprise administrator use. While there are many different processes that can be used to script firmware deployments, this scenario focuses on leveraging existing tools for this functionality. This scenario scripts the use of the BladeSystem Firmware Update Bundles through HP SUM to update the OA firmware, the VCSU to update the VC firmware, and the HP BladeSystem FDT to update all server blade firmware. Because the HP Firmware Maintenance CD does not have an automated option, it is not considered for this automation process.
Before beginning, we will review the HP-recommended installation order to understand the process.
80
If the VC Ethernet firmware is 1.34 or later, HP recommends the following steps to update the firmware in multiple enclosures.
1. Use the BladeSystem Firmware Update Bundles and the included HPSUM tool to update the OA firmware using the inputfile method.
2. Use the HP BladeSystem Firmware Deployment.
3. Use the VCSU to update the VC firmware Tool ISO image to update all server-specific firmware.
If the VC Ethernet firmware is earlier than 1.34, HP recommends these steps to update the firmware in multiple enclosures.
1. Use the VCSU to update the VC firmware.
2. Use the BladeSystem Firmware Update Bundles and the HPSUM tool to update the OA firmware by using the inputfile method.
3. Use the HP BladeSystem FDT ISO image to update all server-specific firmware.
Note:
The following instructions focus on the effort needed to update, assuming the VC firmware is at least at 1.34 or later. If the VC firmware is earlier than 1.34, the setup is still the same but in the installation sequence, the steps for the VC firmware update and the OA firmware update should be reversed.
Because there is not a single tool available for updating all firmware in the BladeSystem infrastructure at once, this must be handled as a multi-step process. A summary of the process involved follows.
1. Obtain all necessary files.
2. Set up either Microsoft IIS or Apache web servers.
3. Install OpenSSH (Windows only), and generate the SSH keys needed to automate the OA communications process without the constant need to re-enter passwords.
4. Populate the web server and script directory with all necessary files.
5. Validate the iLO Advanced License is installed on each blade.
6. Update the iLO license for multiple servers to the iLO Advanced License if needed.
7. Obtain the iLO firmware version to confirm iLO firmware is at least at 1.50 or later, which is necessary to support the automation process.
8. Script the deployment of the OA firmware update process by using the BladeSystem Firmware Update Bundles and HP SUM.
9. Script the deployment of the VC firmware update process by using the BladeSystem Firmware Update Bundles and VCSU.
10. Script the deployment of the HP FDT ISO image through the iLO Virtual Media support.
Obtaining all necessary files
The following files must be obtained to complete this scenario:
OpenSSH for Windows (The SSH RPM must be installed for Linux)
http://softlayer.dl.sourceforge.net/project/sshwindows/OpenSSH%20for%20Windows%20-%20Release/3.8p1-1%2020040709%20Build/setupssh381-20040709.zip
A web server
81
o Microsoft Windows Internet Information Server (obtained from Windows Server 2003/2008 installation CDs)
or
o Apache web server located at:
http://www.ecoficial.com/apachemirror/httpd/binaries/win32/apache_2.2.13-win32-x86-openssl-0.9.8k.msi
HP BladeSystem Firmware Update Bundles for Windows or Linux
o Windows located (choose highest numbered directory for the latest version) located at ftp://ftp.hp.com/pub/softlib2/software1/supportpack-windows/p1116845569\
o Linux located (choose highest numbered directory for the latest version) located at ftp://ftp.hp.com/pub/softlib2/software1/supportpack-linux/p1418640128
HP BladeSystem FDT ISO (choose highest numbered directory for the latest version) located at ftp://ftp.hp.com/pub/softlib2/software1/cd/p1255591055
Perl RPM for Linux only
For more information, see the Linux distribution CD/DVDs to obtain the Perl RPM. Perl is required for the Linux RIBCL scripts to work.
Perl-IO-Socket-SSL RPM for Linux only
See the Linux distribution CD/DVDs to obtain this RPM. The Perl SSL socket support is required for the Linux RIBCL scripts to work.
Perl-Net-SSLeay RPM for Linux only
See the Linux distribution CD/DVDs to obtain this RPM. The Perl network interface with SSL is required for the Linux RIBCL scripts to work.
Expect RPM for Linux only
See the Linux distribution CD/DVDs to obtain the expect RPM. Expect is required for HPSUM to be able to remotely deploy the OA and VC firmware in Linux
After the files have been obtained, you must set up a web server. The basics for installing and setting up a basic Microsoft IIS and Apache web server for Linux follow.
Setting up the Microsoft IIS web server
The web server should be a system that houses the files and serves them for the OA and other
devices, if configured. The web server setup is a one-time operation. After it has been set up, files can be added to the web server so that updates can be easily handled when new versions of the various deployment tools are released.
To install Microsoft IIS, follow these steps:
1. Use the Add or Remove Programs Option in Control Panel (Windows Server 2003) or add the role of web server (IIS) (Windows Server 2008) to install IIS.
2. Visit the Microsoft Update site to ensure all fixes are installed prior to enabling IIS to prevent possible security breaches.
3. Once the web server is setup, locate and click the Internet Information Services (IIS) Manager option in the Start menu to launch the web configuration manager.
4. Click Web Sites, click Default Web Sites, click Properties, and then click Home Directory to locate the web server root file system.
For IIS, this is typically c:\inetpub\wwwroot. Once the home directory is determined, ensure the Write option is not checked to prevent unauthorized writing to the web server.
5. Next, click the HTTP Headers tab, and then click MIME Types.
6. In the MIME Types dialog, add three new MIME types as shown if they do not already exist.
82
Extension MIME Type
.img application/octet-stream
.iso application/octet-stream
.bin application/octet-stream
7. Click OK, click Apply, and then click Exit to exit the IIS Manager.
8. Skip the next section about setting up an Apache server and continue with the Configuring the SSH keys for scripted installations section that follows.
Setting up the Apache web server in Linux
The web server should be a system that houses the files and serve them for the OA and other devices, if configured. The web server setup is a one-time operation. After it has been set up, files can be added to the web server so that updates are easily handled when new versions of the various deployment tools are released.
To install the Apache web server, follow these steps:
1. Download the Apache web server from the Apache mirror site or directly from the Apache HTTP Server website at http://httpd.apache.org/.
2. Extract the files by using the tar zxvf httpd-<version>.tar.gz command.
3. Change directory to the httpd-<version> directory.
4. Execute the configure command to configure Apache:
./configure --prefix=/usr/local/apache2
The --prefix directory becomes the web server root location. The default location for Apache is /usr/local/apache2 in Linux.
1. Once Apache is configured, run the make command to build the product.
2. After the make is complete, use the make install command to install Apache.
3. After Apache is installed, you have to modify the httpd.conf file located in the PREFIX/conf directory, when PREFIX is typically /usr/local/apache2. The changes that need to be made are as follows:
ServerAdmin you@example must be changed to your email address
ServerName must be set to Port 80 plus the DNS name or the IP address of this new web server. For example, a ServerName could be 10.7.78.144:80
DefaultTypetext/plain must be modified to DefaultType application/octet-stream.
Note:
This is a minimum set of changes to enable the basic web server functionality. It is recommended that the user see the Apache documentation for full details regarding server configuration.
83
4. Next, the Apache server needs to be started. The command to start the server is:
PREFIX/bin/apachectl -k start PREFIX/bin/apachectl -k stop
Note:
If updating an existing Apache server after changing the httpd.conf file, be sure to stop and restart the web server first.
5. Continue to the next section to configure the SSH keys needed for scripted installation.
Configuring the SSH keys for scripted installations
To script deployments by using the OA command-line interface and not have to enter the OA
administrator password when each script is executed, it is necessary to generate public key pairs and upload them to the location where the OA systems updates occur.
For Windows, download the OpenSSH software as shown in Obtaining necessary files. Once the OpenSSH zip file has been downloaded, unzip it, and install the setupssh executable on the web server that was previously prepared.
For Linux, ensure the SSH RPM is installed.
Once SSH support is installed, it is necessary to generate the SSH keys by using the ssh-keygen executable. To generate a key, use the following commands.
1. Windows:
C:\Program Files\OpenSSH\bin\ssh-keygen -t dsa -C Administrator -f id_dsa
Note:
If the Windows system is an x64-based version, the directory location will be C:\Program Files (x86)\OpenSSH\bin.
2. Linux:
ssh-keygen -t dsa -C Administrator
Note:
The parameter after the -C must be an OA administrator ID and is case-sensitive. If you are using an OA administrator ID other than Administrator, it must be substituted here.
Note:
An RSA-based key can be generated in place of the DSA-based key above by changing out the dsa parameter with rsa. Consult the ssh-keygen documentation for more details on which key is appropriate to the environment in which it is being deployed.
Note:
If prompted for a pass-phrase, the phrase must be left empty by pressing Enter. If any pass-phrase is entered, the automated script process fails as the pass-phrase is prompted for when the script is initiated.
84
The resulting keys are placed in the following file locations:
3. Windows:
Private key: C:\Program Files\OpenSSH\bin\id_dsa Public key: C:\Program Files\OpenSSH\bin\id_dsa.pub
Note:
If the Windows system is an x64-based version, the directory location will be C:\Program Files (x86)\OpenSSH\bin.
Note:
The files will default to the current directory or the directory indicated in the -f parameter.
4. Linux:
Private key: /root/.ssh/id_dsa Public Key: /root/.ssh/id_dsa.pub
Important:
To maintain security, the private key must be on the system where it was generated and protected. The public key can be sent to other computers and devices such as the OA without worry of compromising security.
Once the public key has been generated, it can be copied to the root directory of the web server (c:\inetpub\wwwroot for IIS and /usr/local/apache2/htdocs for Apache) so it can be pulled by the OAs that are configured to support the automated scripting.
Uploading the SSH keys to the OAs
The following describes how to upload the SSH key into the OA so scripts can be executed from the workstation where the SSH public keys were generated without the need to enter a password for each script. Figure 3 shows the OA screen where the SSH keys are uploaded.
85
Figure 3. OA screen where the SSH keys are uploaded
The steps to upload the SSH keys follow.
1. Browse to the OA web interface, and log in with administrator credentials.
2. Click Users/Administration under Systems and Devices on the left panel.
3. Click SSH Administrator to open the SSH administrator panel.
To upload the key, perform on the following options:
1. Open the id_dsa.pub file in Notepad, copy the entire key, and paste it into the Authorized SSH Keys panel at the top of the web page.
2. Provide the URL to the web server file (http://<web_server_ip_address/id_dsa.pub) if the file was copied into the root of the web server as discussed above.
3. Click the Apply button to upload the key from the web server or accept the pasting of the contents.
4. Once the SSH keys are uploaded, continue to the next section.
Populate the web servers and script directory with all necessary files
Once the web servers and SSH configuration is properly configured, it is now time to populate the web server and local script directories necessary to execute the scripts with all files needed to update the servers.
Populating the script directory
The script directory must be populated with all sample scripts you will use, plus HP SUM, VCSU, and the VC, and OA firmware components files from the HP BladeSystem Firmware Update Bundles. The following steps show how to put all of these files into a location on the workstation that you will use to
86
update the servers. The script directory in this scenario is named c:\scripts in Windows and /scripts in Linux.
1. Download the HP BladeSystem Firmware Update Bundles from http://hp.com.
Links to the latest versions are posted on the BladeSystem Compatibility Chart web pages and can be accessed at http://www.hp.com/go/bladesystemupdates. The files are named hpblade_fw_bndl-<version>.w2k3.i386.exe for Windows and
hp_blade_fw_bundle-<version>.linux.tar.gz for Linux.
2. To extract the Windows bundles, execute the downloaded file and select the c:\scripts directory location to place the extracted files.
In Linux, copy the file to the /scripts directory and untar/unzip the downloaded file as follows:
tar zxvf hp_blade_fw_bundle-<version>.linux.tar.gz.
3. Find the bp00xxxx.txt file that is extracted from the bundle, and determine the component numbers for the VC firmware components.
Record these values for use later in the scripts.
4. Download the HP BladeSystem FDT from http://hp.com.
Links to the latest versions are posted on the BladeSystem Compatibility Chart web pages located at http://www.hp.com/go/bladesystemupdates.
5. Extract the FDT file from the downloaded zip file.
There are a number of files to unzip/unpack, including the default scripts that are provided with the FDT. HP will modify these scripts later to ensure they are unzipped/unpacked into the c:\scripts or /scripts directory.
Populating the web server directory
1. Once all of the files have been positioned correctly in the c:\scripts or /scripts directories, you must copy the FDT ISO file to the c:\inetpub\wwwroot or
/usr/local/apache2/htdocs directories so the web server can serve this file. The name of the FDT ISO is of the format BB<version>.<Year>.<Date>.<Build_Number>.iso. In the previous example the file name to copy is BB160.2009_0726.26.iso.
2. Once the FDT ISO is copied, you must verify that the web server is set up correctly.
Do this by creating a simple HTML file in the root of the web server (for IIS, this is normally c:\inetpub\wwwroot) to use to test out the web server. The following example can be used to create this default file. The file is normally named index.html.
<html>
<head>
<title>Firmware Deployment Tool Download Page</title>
</head>
<body>
<a name="top"></a>
<h1>Firmware Deployment Tool</h1>
<h2>Contents</h2>
<p>
<a href="BB160.2009_0726.26.iso">FDT 1.60</a>
<p>
</body>
</html>
87
3. Go to another workstation, open a browser, and try to load the web page that was just created on the web server, (for example, http://<workstation_IP_address/index.html). Once the page is loading, verify the download of the binary file to the workstation works. This is important as this is simulating the same type of interface the OA uses to pull the file from the newly created web server.
Now that the file system has been populated and the web server verified, write a few RIBCL XML files and SSH scripts. The following sections show the RIBCL XML files and an SSH script to obtain all the iLO addresses based off just the OA IP address and userid. All SSH commands are based on having the SSH key support as previously noted.
Important:
All RIBCL scripts require a LOGIN element. However, the data placed in this field, as long as it is not invalid XML data, is not used for the installation. These elements are overridden by the external scripts that HP writes around these functions.
Installing necessary RPMs in Linux
At this point, it is necessary to install the perl perl-IO-Socket-SSL, perl-Net-SSLeay, and expect RPMs from the distribution CDs for the version of Linux being used on the workstation. Without these RPMs installed, the RIBCL commands used by the UpdateBladeFirmware.sh script and the HP SUM commands to update OA and VC firmware will fail.
Obtaining a list of all iLO IP addresses by querying the OA for them
The first command we will look at is the SSH command to return a list of iLO IP addresses in a given enclosure with just the IP address for the OA and the OA Administrator ID used when we created the SSH keys previously. The show server list command takes a single SSH command and returns data allowing us to confirm the OA firmware version, OA role, and a list of all blades and their iLO IP addresses. This command can be executed against a number of enclosures to obtain all the iLO IP addresses, aggregate these addresses and allow different operations to be performed in batch mode.
The command is:
ssh -l Administrator 16.89.1.3 show server list A sample of the output from this command follows:
88
Validating the iLO Advanced License is installed on each blade
Now that we have a way to obtain a list of iLO IP addresses as shown above, we need to write several RIBCL XML files that is used later to build our scripts. The XML files contain the same format and data regardless of whether or not we plan to execute the m from a Windows or Linux system.
Note:
The login name and password within the RIBCL XML file is not used. It is there because iLO requires an entry in this field. Set the Password field to DoesNotMatter to show it doesn’t matter what you put in these fields, as long as it is valid XML data.
The XML file below is named Get_ILO_Firmware_Version.xml in the scripts created later. It is the
The XML file below is named Get_ILO_Firmware_Version.xml in the scripts created later. It is the