HP Insight Control Server Provisioning 7.
© Copyright 2012-2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 Insight Control server provisioning overview
Components of Insight Control server provisioning
HP Insight Control server provisioning concepts
2 Managing the appliance
Activating Insight Control server provisioning
Adding a server via its iLO
PXE booting a server into maintenance mode
Adding servers that are already running an operating system
Provisioning servers
Securing the appliance
Best practices for maintaining a secure appliance
Hypervisor and virtual machine security considerations
Creating a login session
Troubleshoot adding and booting servers
Unable to add a server via iLO
Target servers cannot PXE boot into the appliance
Error: Cannot add user. The login/user name already exists
Cannot add server for a directory service
Cannot add directory group
Directory service not available
Status messages
1 Insight Control server provisioning overview

What is Insight Control server provisioning?

Insight Control server provisioning is a virtual appliance used to install and configure HP ProLiant servers. Insight Control server provisioning uses resources such as OS Build Plans and scripts to run deployment jobs.
Table 1 Where can I find information? (continued)
Topic | Where to find the information
 | See the Insight Control server provisioning section of the HP Insight Control Release Notes available at http://www.hp.com/go/insightcontrol/docs.
 | See the Insight Control server provisioning section of the HP Insight Management Support Matrix available at http://www.hp.com/go/insightcontrol/docs.
User interface | In the general How do I ...? section of the online help see the topic: Navigate the user interface.
appliance database. These resources and how they work together are described below. Expanded information can be found by browsing the online help table of contents, which is organized by resource.

TIP: Each Insight Control server provisioning resource has its own entry in the main menu.

Insight Control server provisioning resources
• Servers – Servers in IC server provisioning generally refer to target servers that need to be or have been discovered and are available to be managed.
2 Managing the appliance Activating Insight Control server provisioning Licensed customers must register Insight Control server provisioning by retrieving a key via an HP web address and entering the key via the Insight Control server provisioning UI. Until you activate Insight Control server provisioning, a link is displayed in the Recommended actions list, available from the Help menu in the banner.
• Create self-signed certificate
• Create certificate signing request
• Import certificate
• View end-user license agreement
• Authorized support access
• Create backup
• Download backup
• Restore from backup
• Restart
• Shutdown

You can find detailed information on each of these actions in the online help.
3 Managing your Media Server The Media Server holds deployment software and is separate from the Insight Control server provisioning appliance. OS Build Plans use the software on the Media Server to provision managed servers. Software (media) on the Media Server can include vendor-supplied OS distribution files, HP-provided OS distribution files, captured images, and firmware and driver updates such as HP Service Packs for ProLiant (HP SPP).
The HP recommended Media Server layout includes the following:
• Top-level directory, shared by the SMB (Windows File Share) protocol, that contains all Media Server files. This directory can have any name.
• Second-level sub-directories named Media and Images, under the top-level directory.
• Images stores all captured images.
• Media, the base directory for HTTP, stores all operating system distribution files as well as SPPs sub-directories for each distribution served by the Media Server.
parameter, a URL representing the location of the media to be used in that OS Build Plan.
Table 3 Media Server custom attributes (continued)
Custom Attribute Name | Media Server Setting | Format
__OPSW-Media-WinPath | IP address and sharename for Windows deployments | @x.x.x.x/sharename
__OPSW-Media-LinURI | Media Server Linux URI for Linux and ESXi deployments | http://x.x.x.x/mnt/sharename/media

These custom attributes are built into the appliance as a convenience. OS Build Plans can be edited and those custom attributes can be replaced by hard-coded values or user-defined custom attributes.
Provisioning Installation Guide for requirements and details on the Media Server Setup Utility. However, you can also set up a Windows-based Media Server without the utility, as described in this section.

IC server provisioning requires two types of access to the Media Server:
• Windows file share access to read operating system distribution files and HP SPP, and to store the Windows images created using the provided Windows OS Build Plans.
4. Set the Permission Level to Read/Write and click Share.
   NOTE: If the user is not given write access then all Image capture Build Plans will fail while trying to store the captured image to this share.
5. Enable use of NTLMv2 authentication for access validation on the file share. Create/update the following registry entry with value 1 (DWORD):
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\AllowLegacySrvCall
5. Add required exceptions into IIS to allow serving files without extension, unknown extensions or files with special characters. By default IIS 7 does not serve these files. Since some of the Linux distribution files fall into this category, it is necessary to add required exceptions into IIS to allow serving these files over HTTP. For more information refer to the following articles:
   • http://support.microsoft.com/kb/326965
   • http://blogs.iis.
will need to replace all instances of /usr/MediaServer in these examples with the directory name you used.
2. Under this top level directory, create two subdirectories: Images and Media. For example, /usr/MediaServer/Images and /usr/MediaServer/Media.
3. For each operating system distribution, create a subdirectory under Media and copy the appropriate operating system distributions, including hidden or system files using the directory names in Table 2 (page 14).
5. Execute the command smbpasswd -a username and enter the new Samba password. The password cannot be (null), cannot contain leading or trailing spaces, and cannot contain " (double quotes).
6. Make sure Samba runs after reboot with this command:
   chkconfig smb on
7. Make note of the share name, username and password as you will need these when setting up your appliance Media Server settings.
\ (backslash) | (vertical bar or pipe) ? (question mark) * (asterisk) [ (open square bracket) ] (close square bracket) ; (semicolon) = (equal sign) , (comma) + (plus) & (ampersand) ~ (tilde) ? (Question mark) (null) and No leading or trailing space.
2. Start the httpd service.
   service httpd start
Use a browser to confirm the web server is properly configured. You should be able to browse to: http:///Deploy and see any files you have in /usr/MediaServer/Media.
8. To test the share was created successfully, access the file share from another Linux client and do the following:
   a. Create a mount point.
   b. Mount the NFS export to that mount point.
   c. Once mounted, the remote file system should be accessible.

Modify the operating system installation OS Build Plans for NFS
To use the HP-provided Linux and ESXi OS Build Plans with a Linux File Share, the OS Build Plans require modification.
/mnt/media is the location where the directory will be mounted.

NOTE: If you receive an error from the OS Build Plans about “mount.nfs: requested NFS version or transport protocol is not supported”, add NFS version to the Set Media Source step parameter field. For example:
nfs://IP_of_LinuxMediaServer/usr/MediaServer#/mnt/media?vers=4
where vers=4 is the NFS version.
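An added example, not part of the HP guide or its scripts: a Python check for the Set Media Source NFS parameter, run before the value is pasted into a Build Plan step. It assumes the parameter has the shape of the example above written without spaces (nfs://server/export#mount-point, optionally followed by ?vers=n); the function names, the accepted version list and the 192.0.2.10 sample address are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# NFS versions this checker lets through: a site-policy assumption, not from the guide.
ALLOWED_NFS_VERSIONS = {"3", "4"}

# Host name made of dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


@dataclass(frozen=True)
class NfsMediaSource:
    server: str                 # Linux Media Server address
    export: str                 # exported directory, e.g. /usr/MediaServer
    mount_point: str            # where the directory is mounted, e.g. /mnt/media
    nfs_version: Optional[str]  # value of ?vers=, or None when omitted


def _check_host(host: str) -> None:
    try:
        ipaddress.ip_address(host)
        return
    except ValueError:
        pass
    # Also catches an unreplaced placeholder such as IP_of_LinuxMediaServer.
    if len(host) > 253 or not _HOSTNAME.match(host):
        raise ValueError(f"server is not an IP address or host name: {host!r}")


def _check_abs_path(path: str, label: str) -> None:
    if not path.startswith("/"):
        raise ValueError(f"{label} must be an absolute path, got {path!r}")
    if ".." in path.split("/"):
        raise ValueError(f"{label} must not contain '..' segments: {path!r}")


def parse_nfs_media_source(value: str) -> NfsMediaSource:
    """Parse and validate the parameter; raise ValueError with the reason."""
    # A pasted line break or stray space is the most common copy error.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise ValueError("parameter contains whitespace or control characters")

    parts = urlsplit(value)
    if parts.scheme != "nfs":
        raise ValueError(f"scheme must be nfs, got {parts.scheme!r}")
    if "@" in parts.netloc or parts.port is not None or not parts.hostname:
        raise ValueError("expected nfs://<server>/... without user info or port")
    _check_host(parts.hostname)

    # The parameter puts '?vers=' AFTER '#<mount point>', the reverse of generic
    # URL order, so urlsplit() leaves the option inside the fragment.
    if parts.query:
        raise ValueError("options must follow the mount point: ...#/mnt/media?vers=4")
    mount_point, _, options = parts.fragment.partition("?")
    if not mount_point:
        raise ValueError("missing '#<mount point>' part")
    _check_abs_path(parts.path, "exported directory")
    _check_abs_path(mount_point, "mount point")

    version = None
    if options:
        key, sep, version = options.partition("=")
        if key != "vers" or not sep:
            raise ValueError(f"only the vers=<n> option is understood, got {options!r}")
        if version not in ALLOWED_NFS_VERSIONS:
            raise ValueError(f"NFS version {version!r} is not in {sorted(ALLOWED_NFS_VERSIONS)}")
    return NfsMediaSource(parts.hostname, parts.path, mount_point, version)


def explain(value: str) -> str:
    """Return 'ok: ...' or 'rejected: <reason>' for one parameter value."""
    try:
        return f"ok: {parse_nfs_media_source(value)}"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample values (192.0.2.10 is a documentation address).
SAMPLES = [
    "nfs://192.0.2.10/usr/MediaServer#/mnt/media?vers=4",
    "nfs://192.0.2.10/usr/MediaServer#/mnt/media",
    "nfs://IP_of_LinuxMediaServer /usr/MediaServer#/mnt/media?vers=4",
    "nfs://192.0.2.10/usr/MediaServer?vers=4#/mnt/media",
    "nfs://192.0.2.10/usr/MediaServer#/mnt/../etc",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample}\n  -> {explain(sample)}")
```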
4 Managing user accounts User login accounts on the Insight Control server provisioning appliance must be assigned a role. The role determines what the user account has permission to view and do. For instance, a Server administrator cannot edit an OS Build Plan. See “Specifying user accounts and roles” (page 63) for a description of the different user roles in Insight Control server provisioning. User refers to a regular IC server provisioning user.
5 Special OS and hardware considerations There are several special cases in Insight Control server provisioning that need to be treated individually if you have particular kinds of servers or specific OS releases. If you have one of these special-case servers or OS releases, you will need to do something tailored for your situation to make your build plan run. In addition, there are limitations you need to know about if you have specific kinds of network hardware.
Legacy BIOS boot mode, some OS Build Plans can be run in either boot mode, and some OS Build Plans may support UEFI boot mode, but only if optimized is disabled. See the Insight Management Support Matrix for details on what operating system versions support UEFI and any other limitations.

NOTE: By default, UEFI secure boot is not enabled. To enable it, you must manually set it in the RBSU.

NOTE: You cannot install an OS in UEFI mode if secure boot has been enabled.
   b. PCA ALOM 10GbE 2-port Intel 82599
2. For HP ProLiant BL servers only:
   a. HP Ethernet 10Gb 2-port 560FLR SFP+ Adapter and
   b. PCA Mezz 10GbE 2-port Intel 82599
3. Deployment of RHEL 5.9, SLES 11.2, or ESXi 5.x is not supported with:
   a. Qlogic SN1000Q 16Gb 1P FC HBA
4. Deployment of Windows and ESXi is not supported with:
   a. HP InfiniBand FDR/EN 10/40Gb Dual Port 544FLR-QSFP Adapter
   b. HP InfiniBand FDR/EN 10/40Gb Dual Port 544M Adapter
5.
6 Managing and provisioning servers

Server life cycle
The following diagram illustrates the typical life cycle for a target server managed by Insight Control server provisioning.

Figure 1 Insight Control server provisioning target server life cycle
[Flowchart: Target Server Life Cycle. Start: Target server is running default service OS and is waiting for a Build Plan to be run.]
Target server requirements
Before you discover servers, be sure the servers are set up properly and meet the following requirements:
• Be sure it's a supported server as specified in the Insight Control server provisioning section of the HP Insight Management Support Matrix available at http://www.hp.com/go/insightcontrol/docs.
Figure 2 Insight Control server provisioning discovery
[Flowchart: Target Server Discovery. Boxes: Start; Are you using PXE as your discovery method? (Yes/No); Add target server via iLO using appliance UI; Gen8 or newer target server? (Yes/No); Power on target server manually; Server is automatically PXE booted to default service OS; Server is automatically booted to default HP Intelligent Provisioning service OS; Discovery is complete. Legend: Indicates a target server state.]
• The Build Plan you want to run requires the default service OS, so this will save time later.
• You want to see the server listed by its default DNS name.

Reasons to not boot to maintenance mode when using iLO
• You want to run a Build Plan immediately and do not want to wait for the server to boot.
• You want to leave the server powered off until you are ready to install it.
• All your servers are of the same type so you do not need the full properties information.
Adding servers that are already running an operating system Servers currently running a production operating system can be added to IC server provisioning without rebooting by adding the HP Server Automation (SA) agent to the target server, and then registering the server’s iLO. To add the HP Server Automation Agent to a managed server: 1. Determine the SA agent filename from http://xxx.xxx.xxx.xxx:8081 where xxx.xxx.xxx.
Provisioning servers
Servers are provisioned by running OS Build Plans on them. A Build Plan running on a server is called a job. For information on OS Build Plans see “Using OS Build Plans” (page 35) and the OS Build Plans section of the online help.

Adding servers to a device group
Device Groups are user defined groups of servers used for organizing servers in ways that are meaningful to you and acting on them together.
7 Using OS Build Plans

Insight Control server provisioning provides OS Build Plans, scripts, packages, and configuration files you can use to create custom Build Plans to deploy operating systems, configure hardware, and update firmware.

IMPORTANT: See the Insight Control server provisioning All About OS Build Plans and Steps white paper found at http://www.hp.com/go/insightcontrol/docs for detailed descriptions of HP supplied OS Build Plans, scripts, packages and configuration files.
• “Capture configuration files step” (page 36)

Run script step
The run script step is the key component of the product, and represents the vast majority of steps used in Build Plans. This step type causes a script to be executed, either on the target server or on the appliance. IC server provisioning comes with an extensive library of scripts that perform many of the most common tasks you will need when creating Build Plans.
configuration can be applied to other servers. Use caution with this step as you can easily create a large number of configuration files if you run a Build Plan against many servers. Working with OS Build Plans All of the HP-provided Build Plans and Build Plan steps are read only to ensure a consistent and reliable source for working samples. Although most of the HP-provided Build Plans will work without modification, it is highly unlikely the HP-provided Build Plans will exactly meet your requirements.
HP-provided sample configuration file with a customized configuration file. See the online help section on Configuration Files for details on configuration files and how to use the UI to create, edit and delete configuration files. Adding scripts Another common modification is to perform additional tasks on the target server after it has been installed. You can do this by creating scripts, and then adding those scripts to the end of the Build Plan after the operating system installation is complete.
8 Using custom attributes About custom attributes A custom attribute is a simple name/value pair you define, that is used as a form of variable substitution in scripts, configuration files, parameters, and other appliance functions. When referenced, the custom attribute name is replaced by the value of that custom attribute. Custom attributes do not stand alone; they are always associated with an object in the management database, such as servers, device groups, facility, or OS Build Plans.
• The value can contain special characters and spaces, and you may also leave it blank. Special characters might require double quotes if the value will be executed, for example “echo hello > temp.txt”.
• A custom attribute value can be multiple lines.
• Since it is used as a delimiter, the @ sign cannot be used in the default value you specify in a custom attribute.
• You may not use a custom attribute within a custom attribute value.
Name Description Example values to the ProLiant Intelligent Provisioning flash drives. During reprovisioning, this value might be left over from a previous installation and cause the installation to fail. If this happens, simply delete the custom attribute before running the Build Plan. NOTE: During a Windows OS installation, boot files are always placed on drive 0. Drive 0 must be partitioned and formatted for the Windows installer to access it. ComputerName Network name of the installed target server.
Name Description hpsa_netconfig, netconfig Special custom attributes used to pass static network configuration information. hpsa_netconfig is read by the Inject personalization settings step to configure static networking as part of an OS installation. netconfig is used when running a configure network job after the server is installed. These custom attributes are set automatically by the static networking configuration (see the online help topic on Run as OS Build Plan).
9 How IC server provisioning works with Matrix OE and HP OneView Insight Control server provisioning works with both HP Matrix Operating Environment and HP OneView appliances.
NOTE: See the HP OneView Appliances section of the online help for more information. IC server provisioning Build Plans use the plan Type field to identify what services they manage. This Type field is used when integrating with HP OneView to identify where the services managed by a Build Plan may overlap services of HP OneView appliances.
10 Backing up and restoring your appliance

Overview
Insight Control server provisioning provides services to back up and restore an appliance. If an appliance is lost or corrupted, it might be necessary to restore the appliance from a backup. A backup contains configuration settings and management data and is stored in a file of proprietary format. You can use the IC server provisioning UI to do backup and restore operations from the Settings menu (see the online help for details).
resources, or other tasks. Only the Infrastructure administrator or the Backup administrator can create a backup file, either through the UI or REST APIs.
NOTE: You can also use the Insight Control server provisioning UI to create and download a backup file. From the Settings screen, select Actions→Create Backup (see the online help for details).

The backup REST API provides REST calls to the following:
• request a backup
• check the backup status
• download the completed backup
• cancel a backup.

These calls are summarized in the following table.
Sample backup script An example PowerShell script is provided for creating and downloading a backup. The sample script is available on the Insight Control server provisioning media and in the product download zip file. This script uses PowerShell version 3.0. It makes REST calls to create and download a backup and can be scheduled to run automatically on a regular basis.
Sample backup script main processing and functions
The sample script does the following to create and download a backup:
1. Calls queryfor-credentials() to get the appliance host name, user name, and password by either prompting the user or reading the values from a file.
2. Calls login-appliance() to issue a REST request to obtain a session ID used to authorize backup REST calls.
3. Calls backup-appliance() to issue a REST request to start a backup.
4.
Function | Description | Parameters | Output
'authValue': The authorized session ID. 'hostname': The appliance to send the request to.

Troubleshooting tips
The following table contains REST API error codes and resolutions.

HTTP error | Response Body Error Code | Description | Resolution
401 Unauthorized | AUTHORIZATION | An incorrect user name or password was specified. | Specify the correct user name and password.
404 Not Found | RESOURCE_NOT_FOUND | The incorrect URI was specified. | Specify the correct URI.
operation cannot be canceled or undone after it has started. The appliance blocks login requests while a restore operation is in progress. IMPORTANT: A restore operation is required to recover from catastrophic failures, not to fix minor problems that can be resolved in other ways. You can restore an appliance from a backup file that was created on the same appliance or, if an appliance fails and cannot be repaired, from a backup file from a different appliance.
Best Practice Description 5. Make the backup file accessible to the appliance from which you plan to issue the upload request. If you are using an enterprise backup product to archive backup files, follow any steps required by your backup product to prepare for the restore operation. Inform users • Make sure that all users logged in to the appliance log out. Users who are logged in when the restore operation begins are automatically logged out, losing whatever work was in progress.
5. Issue the REST request to start the restore.
6. Check the response to the restore request to make sure the restore started successfully. The restore will fail if the backup version is incompatible with the firmware running on the appliance or if the backup is corrupted. If the backup is incompatible with the firmware on the appliance, update the firmware and then retry the restore or upload a different backup. If the backup is corrupt, upload a different backup.
REST call Request headers Request body Response headers Response body form-data, accept-language: locale, accept-content: application/json, X-API-Version: 1 POST auth: session ID, https://{appl}/rest/restores accept-language: locale, accept-content: application/json, X-API-Version: 1 GET https://{appl}/{uri} Description status, an id for restoring the the backup, and other appliance. information about the backup. A json object that N.A. contains 2 elements.
Example output
Example output from running the script to upload and restore a backup:

    PS C:\Users\Joe> C:\Users\Joe\Documents\restore.ps1
    Restoring from backup is a destructive process, continue anyway? y
    Enter directory backup is located in (ie: C:\users\joe\) C:\users\Joe\Documents
    Enter name of backup (ie: appliance_vm1_backup_2012-07-07_555555.bkp joe_vm_backup_2012-07-07_777777.bkp
    Enter appliance IP address (ie: https://10.10.10.10) https://10.10.10.
Function | Description | Parameters | Output
 | | password: the password obtained from query-user function. hostname: the address of the appliance to send the login request to. |
uploadTo-appliance | Uploads the designated backup file to the remote appliance. | filePath: The absolute file path to the backup file. authInfo: The session ID from the login response. | uploadResponse: the response body for the upload request, which contains the backup ID to be restored.
HTTP error | Response body error code | Description | Resolution
_backup_ YYYY-MM-dd_HHmmss
401 Unauthorized | AUTHORIZATION | An incorrect user name or password was specified. | Specify the correct user name and password.
404 Not Found | RESOURCE_NOT_FOUND | The incorrect URI was specified. | Specify the correct URI. You may need to wait for the appliance software to start. You can find out the correct URI using this guide. It may help to issue the REST request to get the last backup resource.
11 Security considerations Insight Control server provisioning is delivered as a security-hardened virtual appliance. The number of open ports and the protocols supported on them have been limited to the minimum necessary for the operation of Insight Control server provisioning.
Insight Control server provisioning lands an agent in the production operating system and this agent must be able to communicate back to the appliance. The assumption is that the deployment NIC will be active in the production OS or that there will be a route back to the deployment network for this communication. Securing the appliance CATA (Comprehensive Applications Threat Analysis) is a powerful HP security quality assessment tool designed to substantially reduce the number of latent security defects.
Best practices for maintaining a secure appliance Most security policies and practices used in a traditional environment apply in a virtualized environment. However, in a virtualized environment, these policies might require modifications and additions.
The following table comprises a partial list of security best practices that HP recommends in both physical and virtual environments. Differing security policies and implementation practices make it difficult to provide a complete and definitive list.

Topic | Best Practice
Accounts | • Limit the number of local accounts. Integrate the appliance with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP.
Topic | Best Practice
 | ◦ Lowercase alphabetic character ◦ Uppercase alphabetic character ◦ Special character
Roles | • Clearly define and use administrative roles and responsibilities; for example, the Infrastructure administrator performs most administrative tasks.
Service Management | • Consider using the practices and procedures, such as those defined by the Information Technology Infrastructure Library (ITIL). For more information, see the following website: http://www.itil-officialsite.
saver/system lock mechanism of the operating system will provide some protection but the UI should not be left open and unprotected. If the browser UI is closed without logging out, the session token will remain valid for 24 hours before it times out due to inactivity. The browser session is stored in a session cookie stored in memory and will not be retained after the browser closes. It is a best practice to always log off before closing the browser.
as an enterprise directory) with the appliance, the directory service enforces password strength and expiration. The matrixuser account is not a local user account that can access the UI. It is used through a different channel to drive the underlying SA Foundation from the Matrix Operating Environment. The password is set through the UI and is never displayed. It can be re-entered as often as needed in case the value is lost. This password is not stored in clear text and is not retrievable.
Token | Description
 | • DELETE • DISABLE • START • LOGOUT • ACCESS • SAVE • DONE • DOWNLOAD_START • RUN • SETUP • KILLED
Severity | A description of the severity of the event, which can be one of the following values, listed in descending order of importance: • INFO • NOTICE • WARNING • ERROR • ALERT • CRITICAL
Resource URI/name | The resource URI/name associated with the task
Message | The output message that appears in the audit log

Example 1 Sample audit entries: user login and logout
2013-09-16 14
Managing certificates from a browser

Overview
A certificate authenticates the appliance over SSL. The certificate contains a public key, and the appliance maintains the corresponding private key, which is uniquely tied to the public key.

NOTE: This section discusses certificate management from the perspective of the browser. For information on how a non-browser client (such as cURL) uses the certificate, see the documentation for that client.
In a secure environment, it is never appropriate to download and import a self-signed certificate, unless you have validated the certificate and know and trust the specific appliance. In a lower security environment, it might be acceptable to download and import the appliance certificate if you know and trust the certificate originator. However, HP does not recommend this practice. Microsoft Internet Explorer and Google Chrome share a common certificate store.
• Always log out before closing the browser. In the browser, a memory-based cookie stores the authenticated user’s session ID. Memory-based cookies are deleted when you close the browser. When you log out, the session on the appliance is invalidated.
• Avoid clicking links outside the appliance UI. While logged in to the appliance, avoid clicking links in email or instant messages. The links might be malicious and take advantage of your login session.
Target server iLO NIC
Port | Description | Direction | Communicating with
80 (tcp) | http | inbound | Appliance NIC or Web browser
443 (tcp) | https (A user configurable port. If the user changes the port, it needs to be changed in the firewall and during iLO discovery.) | inbound | Appliance NIC or Web browser
Port | Description | Direction | Communicating with
2049 (tcp, udp) | NFS | both | appliance, possibly Linux Media Server
139 (tcp) | Windows ("net use") | both | Media Server
123 (udp) | ntp | both | appliance
445 (tcp) | Samba | both | Media Server, appliance

Using the virtual appliance console
The virtual appliance console has a restricted browser interface that supports the following:
• Appliance networking configuration in non-DHCP environments
• Password reset requests for the Administrator account
• Advan
• Enabling service access by an on-site authorized support representative.

The virtual appliance console is displayed in a graphical console; password reset and HP Services access use a non-graphical console.

Switching from one console to another (VMware vSphere and Microsoft Hyper-V)
1. Open the virtual appliance console.
2. Press and hold Ctrl+Alt.
3. Press and release the space bar.
4. Press and release F1 to select the non-graphical console or F2 to select the graphical console.
NOTE: For VMware vSphere users, Ctrl+Alt is used for another function. To send the command to the console, you must press Ctrl+Alt+Spacebar then press Ctrl+Alt+F1.
2. Log in with the user name pwreset. The appliance displays a challenge key. For example:
   login: pwreset
   Challenge = xyaay42a3a
   Password:
3. Telephone your authorized support representative and read the challenge key to them. They will provide you with a short-lived, one-time password based on the challenge key.
Table 5 Supported SSL cipher suites (continued)
SSL cipher suite | SSL version | Kx | Au | Enc | Mac
DHE-RSA-AES128-SHA | SSL v3 | DH | RSA | AES (128) | SHA1
AES128-SHA | SSL v3 | RSA | RSA | AES (128) | SHA1

Files you can download from the appliance
You can download the following data files from the appliance:
• Support dump
  By default, all data in the support dump is encrypted and accessible by an authorized support representative only. The support dump file is located at /ci/etc/support-dumps.
12 Troubleshooting The following sections contain troubleshooting information and recommendations for solving issues found when using Insight Control server provisioning. If you encounter an issue that is not addressed in this chapter, contact your authorized support representative.
◦ If using an external DHCP server, make sure it is properly configured as described in the Insight Control Server Provisioning Installation Guide and has all the non-standard parameters defined.
◦ If your build plan requires WinPE, be sure you have built and uploaded the correct version of WinPE for your needs. Beginning in version 7.3.1, there are two versions of WinPE available, WinPE 4.0 and WinPE 3.1. Make sure you build and upload the proper version for your needs.
Troubleshoot general usage issues
GUI has display problems
Symptom: GUI displays incorrectly or text is not rendered properly.
Possible cause and resolution: Certain combinations of screen resolution and screen content can cause the display to render incorrectly.
WinPE generation or upload fails
Symptom: WinPE generation or upload fails
Possible cause and resolution: A new WinPE must be generated and uploaded to your appliance every time your appliance is updated. If you try to upload a WinPE generated from a previous version, the upload will fail. Also, the requirements for building WinPE are very specific and are different if you are building WinPE 3.1 or WinPE 4.0.
Error occurs when booting the appliance
Symptom: When booting the appliance, the boot process fails with an “UNEXPECTED INCONSISTENCY” error and requests an fsck be run.
Possible cause and resolution: This happens when the date and time on the VM host is incorrect and is set to a date earlier than the date the appliance was created or last booted.
• Change the date and time on the VM host to the correct time and reboot the appliance.
The appliance displays the progress bar near completion
1.
Job status shows running never shows complete
Symptom: A job status shows running, even if it is complete or the server it is running on is deleted.
Possible cause and resolution: Occurrences of this are extremely rare and are typically related to deleting a server while a job is running on it. When this happens, wait until all other jobs are complete and then reboot the appliance. All job status is reset on appliance startup.
• Import certificate
Symptom: Unable to create or import a certificate
Possible cause and recommendation: Appliance lost connection with web server
Minimum required privileges: Infrastructure administrator
1. When creating a certificate signing request or importing a certificate, verify that the networking is working properly.
2. Wait for the web server to restart, then try the action again.
Symptom Possible cause and resolution
5. Insufficient iLO permissions
• The iLO account specified on the Add server screen requires all permissions except “admin”.
6. Target system is at the BIOS screen or powering on
• If the target server is at the RBSU screen or if the server is running its power on self test, the proper boot parameters cannot be set automatically by the appliance. Exit RBSU, power off the target server, and try again.
7.
Error: Mid and crypto not found
Symptom: Error: Mid and crypto not found
Possible cause and resolution: This error is often seen when a server that was previously installed and managed is booted into a service OS that cannot access the server identification information stored on the server’s hard drive.
Troubleshoot OS Build Plan and build plan step failures
• “Access the command prompt on your target server while in the service OS”
• “General failures”
• “Windows Build Plan failures”
• “ESXi Build Plan failures”
• “Linux Build plan failures”
• “Image capture and deploy failures”
• “Boot step failures”
• “Wait for HP SA Agent failures”
• “Set Media Source step and Media Server troubleshooting”
• “Cr
Symptom Possible cause and resolution
1. Verify the OS being deployed is supported on the target servers.
2. Verify the server has at least one disk that’s been properly configured.
3. Verify the VID (Virtual Install Disk) is DISABLED in the BIOS. (This is the default setting, but it might have been updated manually.)
a. During the boot, select F9 to access the ROM-Based Setup Utility.
b. Select Advanced Options→Advanced System ROM options.
c. Select Virtual Install Disk and set it to Disabled.
d.
Symptom Possible cause and resolution
– Any VM guest installations on ESXi 5.0
• WinPE 3.1 (From PXE or Intelligent Provisioning 1.50 or earlier)
◦ Supported:
– Windows 2008 SP2, 2008 R2 SP1, 2012, and 2012 R2
– Legacy BIOS boot mode installations
◦ Not supported:
– UEFI boot mode installations
Windows setup.exe reports “no images available”
Symptom Possible cause and resolution
Windows setup.
Windows Build Plan error: Please provide a value for custom attribute 'ProductKey_' to proceed with installation
Symptom: Windows Build Plan error: Please provide a value for custom attribute 'ProductKey_' to proceed with installation
Possible cause and resolution: Your Windows product key was not entered. On the Settings screen, select Edit Product Keys. Select Create product key and enter your Windows product key.
Symptom Possible cause and resolution
Disable all disks except the installation disk on System RBSU or explicitly state in the ESXi answer file the disk number to install to.
Linux Build plan failures
RHEL6.3 OS deployment fails on server with iSCSI or FCoE
Symptom: RHEL6.3 OS deployment fails.
Possible cause and resolution: Target servers with iSCSI or FCoE require advanced configuration of the kickstart file; the default files will not install to these systems.
Red Hat Build Plan fails on last wait for agent step
Symptom: The Build Plan fails on the last "wait for agent" step.
Possible cause and resolution: Server is installed and if user logs in through the remote console and does "ifconfig" the eth* adapter is present, but does not have an IP address. Running dhclient on the adapter connected to the network will establish a network connection.
Example: This was first seen on a ML350 configured with a 10GB option card. The server would successfully install RH5.
Server is in WinPE after capture image
Symptom: The target server is left in the WinPE service OS after the capture image Build Plan is run.
Possible cause and resolution: This is the expected behavior. You will need to deploy the image you just captured back to the reference server.
Windows image capture and install limitations
Symptom: Windows image deploy fails.
Possible cause and resolution: The target server must have similar hardware to the reference server from which the image was captured.
Linux or ESXi Build Plan fails with a copy boot error
Symptom: A Linux or ESXi Build Plan may fail with error message:
The OS distribution is not present in the Insight Control server provisioning Media Server. Copy Boot Media failed with exit code 3
Possible cause and resolution: Run the Insight Control server provisioning Media Server Setup utility on the Media Server to copy the OS distribution to the correct folder. Or manually copy the distribution to the correct folder location.
Symptom Possible cause and resolution
5. The target server red screens
A red screen may occur on the target server during deployment if a USB port is in use or there are issues with firmware or BIOS. If a red screen is seen on the target server during deployment, try the following:
• Check to ensure none of the USB ports are connected to a drive.
• Check the target server firmware is supported by IC server provisioning.
• Clear the BIOS and reset boot record in RBSU.
• a.
appliance. If you do not have this connectivity, repair your Media Server network and try again.
◦ If you can ping the Media Server from a different server, verify that the target server is properly connected to the deployment network and that all switches are properly configured.
◦ From a server running Linux or the Linux service OS enter the following:
mkdir /mnt/ms
mount -t cifs -o username=,sec=ntlmv2,noserverino /// /mnt/ms
You can skip the mkdir command if /mnt/ms already exists. The mount command prompts for a password. Enter the Media Server password and see whether the file share is mounted. If it is successful you should be able to go to the /mnt/ms folder and see the file share contents (Images, Media and so on).
Symptom: If a Linux OS Build Plan fails during a PXE-less deployment on the Create stub partition step with the following error then review the possible causes and resolution:
Possible cause and resolution:
2. There is a previously installed Windows OS on the boot disk and SAN.
• The boot disk on the target server is connected to a SAN with a multi-path configuration and contains a previously installed Windows operating system.
exist, which correspond to Intelligent Provisioning versions 1.50 and 1.60, the 1.60 version will be automatically selected, because 1.60 is larger than 1.50.
• Verify that PXE is configured in your environment, since the Build Plan is dependent on the target server’s ability to PXE boot.
• Using the iLO Remote Console, which is accessible via a web browser connection to your server’s iLO, verify that the server is PXE booting into the Linux Service OS.
Symptom Possible cause and resolution
you create your unattend file you need to make sure you don’t overwrite the C: partition.
Solution: To avoid overwriting the C: partition, you should not do your partitioning using the Create Windows System Drive script. For details see the Insight Control Server Provisioning Build Plans Reference Guide.
Troubleshoot directory services
Cannot add directory service
Symptom: Connectivity
Possible cause and recommendation: Lost connection with directory service host
1.
Symptom Possible cause and recommendation
4. Verify that the credentials of the authentication directory service administrator are correct.
Cannot add directory group
Symptom: Cannot log in
Possible cause and recommendation: Lost connection with directory service host
1. Verify that the settings for the directory service host are accurate.
2. Verify that the correct port is used for the directory service.
3. Verify that the port you are using for communication is not blocked by any firewalls.
4.
Initially, a rotating in-progress icon is displayed, eventually followed by a progress bar. As web applications for the appliance become active, a progress bar advances. On completion, the login screen displays.
Oops
The appliance encountered a serious error and could not recover from it. Restarting the appliance might resolve the error. The error message might advise you to contact your authorized support representative.
Restoring
The appliance is currently being restored from a backup file.
13 Advanced topics
REST calls for logging in and logging out
All REST (Representational State Transfer) calls require that you first log in and get a token, perform your intended REST call, and then log out. The log in and log out REST calls are shown here. You will be directed to this topic for logging in and logging out information from all the other REST call topics in this chapter.
If the request fails, error diagnostics are returned. Common errors are HTTP error 404 not found, if the URL is not correct, or an exception if the user/password is not correct.
REST call to logout of the user session
The REST call to log out of the user session requires you to pass the user-authorization-token as shown in the following table.
See “REST call to create the user session and get the authentication token” (page 99) for details on making the first REST call to create the user session. The second REST call adds a server via iLO. In this REST call you will need to provide the you received from the login REST call, and you will need to pass the IP address of the iLO as well as the iLO administrator user/password.
-d {\"type\":\"OSDIlo\",\"username\":\"\", \"password\":\"\", \"port\":443,\"ipAddress\":\"\"}
Response on success:
HTTP/1.1 202 Accepted
Date: Wed, 20 Feb 2013 17:33:30 GMT
Content-Type: application/json
Via: 1.1 cic.dns.hp
cache-control: no-cache
Transfer-Encoding: chunked
This response is accompanied by the returned job URI. Below is an example script that logs into the appliance, adds the server via iLO, and logs out. This script uses cURL.
accomplish this programmatically. This alternate approach is valuable if the appliance user interface is unresponsive and you need to retrieve a support dump for diagnosing a problem. Programmatically, one needs to make two REST calls to the Insight Control server provisioning appliance. The first call creates the support dump and leaves it on the appliance, while the second call downloads it. Remember also that you need to first set up by making a REST call to log in and get a token.
A list of the components of the REST call to download the support dump is shown below: REST component Description URL: https:///rest/appliance/support-dumps/ where you supply and is obtained by the previous call to create the support dump.
A list of the components of the REST call is shown in the following table:
REST component Description
URL: https:///rest/appliance/settings/enableServiceAccess where you supply
Message Type: PUT
HTTP Headers:
accept: application/json
content-type: application/json
accept-language: en-us (optional)
auth: where you supply
Request Body: “” specifying whether you want support
https:///rest/appliance/settings/enableServiceAccess -d ""
# logout
curl -k -i -X DELETE -H "auth:${AUTH}" https:///rest/login-sessions?action=logout
REST call to export customer content
Currently there is no GUI available to export OS Build Plans. You can use REST calls to the IC server provisioning appliance to export OS Build Plans. You can only export/import Build Plans that you created. You can't export the HP-provided Build Plans. Exported OS Build Plans are presented as a compressed package in .zip format. The archive will contain only customer’s content.
REST component Description
HTTP Headers:
Content-Type: multipart/form-data
auth: where you supply
Request Parameter where you supply the full path to the file you exported.
Request Body:
Response Body: Text showing output of import content.
REST component Description
Request Body: none
Response Body:
{"type":"OsdPaginatedCollection",
 "members":[
  { "status":"error",
    "jobUserName":"administrator",
    "nameOfJobType":"ProLiant OS - Windows 2008 R2 SP1 Standard x64 Scripted Install",
    "running":"false",
    "jobProgress":null,
    "jobResult":[{
      "jobServerUri":"/rest/os-deployment-servers/70001",
      "jobResultCompletedSteps":1,
      "jobResultTotalSteps":16,
      "jobResultLogDetails":"Running OS Build Plan ProLiant OS - Windows 2008 R2 SP1 Standard x64 Scripted Inst
HTTP/1.1 200 OK
Date: Mon, 26 Aug 2013 19:52:13 GMT
Content-Type: application/json;charset=UTF-8
Via: 1.
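The job status response body above marks a failed job with "status":"error" and reports "running" as the string "false" rather than a boolean. As an added example (not HP's code), the following Python parses a response of that shape and lists the stopped, failed jobs with their step progress; the log text, the second member, and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of the job-status response shown above.
# Field names and the first member's values are from the page; the log text
# and the whole second member (including its "status" value) are made up.
SAMPLE_RESPONSE = r'''
{"type": "OsdPaginatedCollection",
 "members": [
  {"status": "error", "jobUserName": "administrator",
   "nameOfJobType": "ProLiant OS - Windows 2008 R2 SP1 Standard x64 Scripted Install",
   "running": "false", "jobProgress": null,
   "jobResult": [{"jobServerUri": "/rest/os-deployment-servers/70001",
                  "jobResultCompletedSteps": 1, "jobResultTotalSteps": 16,
                  "jobResultLogDetails": "constructed log line 1\nconstructed: step 2 failed"}]},
  {"status": "constructed-in-progress", "jobUserName": "administrator",
   "nameOfJobType": "Constructed example Build Plan",
   "running": "true", "jobProgress": null, "jobResult": []}
 ]}
'''


def as_bool(value):
    """Normalise the string flags ("true"/"false") used in the response.

    bool("false") is True in Python, so testing job["running"] directly
    would treat every job as still running.
    """
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def summarize_jobs(body):
    """Return one row per job result (or one row for a job with no results yet)."""
    doc = json.loads(body)
    if doc.get("type") != "OsdPaginatedCollection":
        raise ValueError("unexpected response type: %r" % doc.get("type"))
    rows = []
    for job in doc.get("members") or []:
        for result in job.get("jobResult") or [{}]:
            log = (result.get("jobResultLogDetails") or "").strip()
            total = result.get("jobResultTotalSteps")
            rows.append({
                "job": job.get("nameOfJobType"),
                "user": job.get("jobUserName"),
                "status": job.get("status"),
                "running": as_bool(job.get("running")),
                "server": result.get("jobServerUri"),
                "steps": "%s/%s" % (result.get("jobResultCompletedSteps"), total) if total else None,
                "last_log_line": log.splitlines()[-1] if log else None,
            })
    return rows


def failed_jobs(body):
    """Jobs that have stopped and ended in the "error" status shown on the page."""
    return [r for r in summarize_jobs(body) if r["status"] == "error" and not r["running"]]


if __name__ == "__main__":
    for row in failed_jobs(SAMPLE_RESPONSE):
        print("%(job)s on %(server)s: %(steps)s steps, last log: %(last_log_line)s" % row)
```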
#########################################################################################
# exit if an error occurs during login POST
if( !$loginresponse) { Write-Host "*** ERROR *** Login Failed"; exit; }
#########################################################################################
# extract token from response
$bodytokens = $loginresponse.
if( !$loginresponse) { Write-Host "*** ERROR *** Login Failed"; exit; }
#########################################################################################
# make all subsequent requests with the auth token
$webclient.Headers.add('auth', $loginresponse.
REST component Description
content-type: multipart/form-data
accept-language: en-us (optional)
auth:
Request Body: None, but use the -F option to supply form data with the absolute path of the IC-server-provisioning-7.3.1-update.bin update file to upload, depending on your system type as follows, for example:
-F file="@c:/IC-server-provisioning-7.3.1-update.bin" (Windows)
-F file="@/home/user/IC-server-provisioning-7.3.1-update.
14 Support and other resources
Contacting HP
HP is dedicated to the highest quality customer service and provides help in a wide variety of ways to accommodate our customers' needs. Use the information in the following sections to help resolve any questions you may have.
All appliance configuration information, including:
• Revision of the appliance software
• Network configuration
• DNS servers
• NTP servers
Information about the running appliance, including:
• All processes
• Memory
• Disk space
• Network statistics
• Routing
• Hardware information.
Log data, including:
• All standard Linux operating system logs
• All appliance logs
• Logs from all jobs run in the past three days
• Installation logs
• The system audit log.
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/country/us/en/contact_us.html. After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.
Related information
Documents
The following documents are available at http://www.hp.com/go/insightcontrol/docs.
15 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
Glossary
agent: Software on managed servers used to make changes to the servers. Functions supported include software installation and removal, software and hardware configuration, and server status reporting.
answer file: See configuration file.
appliance: See virtual appliance.
AutoYaST file: The specific term to use when referring to a SUSE Linux Enterprise Server (SLES) configuration file.
bare metal: Describes a server that does not have a production operating system installed.
HP Scripting Toolkit (STK): A server deployment product for unattended server provisioning.
HPSUM: HP Smart Update Manager, a common tool for firmware and driver updates.
iLO: See Integrated Lights-Out (iLO).
iLO Virtual Media: An HP Integrated Lights-Out (iLO) feature that allows you to attach a removable storage device or image file from a client machine to the server, and have that appear to the server as a local device.
OS distribution files: The files that make up an operating system before that operating system is installed on a server. These files are provided to consumers via ISO images or physical CD/DVDs from OS companies such as Microsoft, Red Hat, VMware, and Novell.
OS personalization: The process of giving a running server the characteristics that make it unique, including IP configuration, host name, and domain. A server can be personalized during the initial OS deployment or after the OS is already installed.
Table 6 Server statuses (continued)
The server is unreachable. This means HP Insight Control server provisioning is not able to communicate with the server.
Server status is unknown to Insight Control server provisioning.
See also maintenance mode, provisioned, and unreachable.
service OS: A special purpose operating system that runs entirely in system memory and is used to perform various maintenance functions on a server, including preparing a system for operating system installation.