Is this possible?

 
BradV
Trusted Contributor

Is this possible?

I have a few hundred DL 380 and 560 servers.  I'm trying to see if I can use OpenView to:

  1. Change the admin password in each iLO?
  2. Change the ldap setup in iLO?
  3. Install new firmware (iLO, system, etc)?

I've been searching through the user guide and searching on the Internet, but have not found any answer yet.

MeFromil
Frequent Advisor

Re: Is this possible?

Hi,

If you are talking about OneView:

1. When you add a server to OneView, it uses SSO to open the iLO. In OV 4.20 there is some option; I don't know 100%.

2. You can configure OneView to use LDAP/AD.

3. Yes, you can update the firmware of managed servers if you add the servers to OneView to be managed.

 

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

Any of the features you are asking about require an HPE OneView Advanced license. We added LDAP and local Administrator account management in OneView 4.20. To update firmware on a server, including iLO, you would assign a server profile with a firmware bundle/baseline associated.

All of these are documented in the appliance online help.


BradV
Trusted Contributor

Re: Is this possible?

I do have a OneView Advanced license.  I have not set up server profiles.  So, I'll have to work on that.  I guess I should have been a little more clear.  All of those updates I mentioned were relative to each iLO and not to OpenView.  That is, I want to see if I can use OpenView to change the iLO administrator password in each iLO?  I want to see if I can set up each to connect to an LDAP directory server and set up the allowed groups and permissions without having to visit each iLO.  I know I can do the LDAP setup through hponcfg.  So, if I can't do it from OpenView, I can run the hponcfg commands from our salt master and hit all of the iLOs that way.  Thanks for the feedback!  I'll have to work on the server profiles next.

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

As I stated above what you are asking for is available in OneView 4.20, and only with a server profile, or associated server profile template.


BradV
Trusted Contributor

Re: Is this possible?

Hi Chris,

Yes, we are using vs 4.20.  I see in the API reference an example for setting the iLO admin password, iLO LDAP integration and directory group setup.  I'm working on that.  We have three hardware URIs.  None involve any enclosures.  In my post for creating the server profile templates, should I include: 

"enclosureGroupUri": null

or just leave enclosureGroupUri out entirely? 

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

The enclosureGroupUri is only needed for BladeSystem or HPE Synergy.  You can include that property in your JSON POST and leave it null if you are designing for any other supported platform.



BradV
Trusted Contributor

Re: Is this possible?

Hi Chris,

Thanks!  Is there some place to get the whole API for server-profile-templates?  When making the connection to AD, I need to use my admin credentials to do that.  I don't see that in the example provided.  Is that what 'iloObjectDistinguishedName' is?  I guess in the example they are using a service account?  Plus, I need a little bit better definition of the directoryUserContext.

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

Both on appliance, and on the HPE OneView Enterprise Information Library.  You want to search (Ctrl+F) for API Reference.  The current version is here.



BradV
Trusted Contributor

Re: Is this possible?

That seems to be the exact same thing as one gets from the help page which doesn't seem to list all possible values, just gives you several very good examples. I'm going to try and see if I can find how the ansible interface does this.  Might be a little more clear. 

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

The Ansible library has not been updated to support the newer 4.20 API calls.  It does support a 4.20 appliance, but using the older API version a 4.20 appliance supports.

As for iloObjectDistinguishedName, it is the DN value of a service account that is needed for Common Access Cards (CAC) or smartcard authentication by the iLO.  If you are simply needing to configure LDAP/AD authentication, you would leave that property empty, along with the password property.



BradV
Trusted Contributor

Re: Is this possible?

Thanks.  I'll keep working on it. 

BradV
Trusted Contributor

Re: Is this possible?

I'm working towards defining the server profile template definitions.  How specific do I need to get?  I have four different server hardware type URIs with systems in multiple locations.  The different locations have different domain controllers (local to the site).  So, I know I will need a hardware type/site.  Some of the systems have GPUs (not all).  Most have dual SSDs for the OS and either dual fusion i/o or nvme cards for data.  The RAID controllers are the same within a group of like hardware, but not all are exactly the same.  Most systems are running RHEL/CentOS 7, but several are running ESXi.  How detailed do I need to make the server profile templates?

BradV
Trusted Contributor

Re: Is this possible?

I might be trying to get too specific?  The API reports 4 different server hardware type URIs.  I guess I really don't need to worry about which one has a 556 NIC vs a 557 NIC vs a 408i-a RAID card?  I think I just need to worry about a given hardware type within a given data center (each data center has different domain controllers).  I created a server hardware template through the GUI just so that I could extract it via the API and get a better look at what it should look like.  I'm using that as my point of reference.

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

The serverHardwareTypeUri is required.  You need to be specific, as the hardware in that location will map to a specific Server Hardware Type.  If you have different servers in different locations that are the same base model, but have different adapters, that will create more than 1 Server Hardware Type.  You can take the Server Hardware Type's URI, and build a filter for server hardware:

GET /rest/server-hardware?filter=serverHardwareTypeUri={URI1}&filter=serverProfileUri=null

This is how the Get-HPOVServer PowerShell Cmdlet works when a Server Hardware Type is provided, and caller wants all that are available without an assigned Server Profile resource.



BradV
Trusted Contributor

Re: Is this possible?

Thanks Chris.  I'll work on that.  Making some progress with python oneview, but still nowhere close.

BradV
Trusted Contributor

Re: Is this possible?

Hi Chris,

When I try that search, I get back errors.  If I just try 

curl --insecure \
     --header "auth: ${sessionID}" \
     --header "X-API-Version: ${currentVersion}" \
     --request GET ${OneView}/rest/server-hardware?filter=serverHardwareTypeUri={/rest/server-hardware-types/1058352E-0FFB-4F8B-80A3-4A7C037D0195F} | \jq -r '.'

I get back: 

"message": "Listing resouces failed.\nFilters [serverHardwareTypeUri=/rest/server-hardware-types/1058352E-0FFB-4F8B-80A3-4A7C037D0195F, hidden=false] failed to parse.  Invalid character: /."

 Not sure what it is complaining about?  I tried without the '/rest/server-hardware-types/' and just leaving the id, but that gives back: 

"message": "Listing resouces failed.\nFilters [serverHardwareTypeUri=1058352E-0FFB-4F8B-80A3-4A7C037D0195F, hidden=false] failed to parse.  No viable input after: 1058352E-0FFB-4F8B-80A3-4A7C037D0195F."

So, I'm obviously not understanding the filter logic. 

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

The URI you are trying to use is slightly incorrect.  It should be:

curl --insecure \
     --header "auth: ${sessionID}" \
     --header "X-API-Version: ${currentVersion}" \
     --request GET ${OneView}/rest/server-hardware?filter=serverHardwareTypeUri=/rest/server-hardware-types/1058352E-0FFB-4F8B-80A3-4A7C037D0195F | \jq -r '.'


The only reason why I put {} around URI1 in my example was it would be a token replacement, not the proper syntax.  Whenever you attempt to provide an associated resource URI value, like for the serverHardwareTypeUri property, you need to provide the relative URI, not the GUID.  GUIDs are globally unique and are not indexed themselves, so you cannot just search or provide the GUID of an object to find or reference it. 



BradV
Trusted Contributor

Re: Is this possible?

Got a little closer to creating a server profile template using the API, but getting: "parse error: Invalid numeric literal at line 1, column 9."   This is how I got to that: 

# Follow instructions in: OneView-API_Get_Session_Credentials.txt
#
# You need a list of the current hardware.  In order to get that, run:
# Create a variable pointing to a file to hold the hardware output:
HARDW=hardw
# Get the list of current server hardware:
curl --insecure \
     --header "auth: ${sessionID}" \
     --header "X-API-Version: ${currentVersion}" \
     --output ${HARDW} \
     --request GET "${OneView}/rest/server-hardware?start=0&count=-1"
#
# That only pulls down 32 devices.  Need to look for nextPageUri:
i=1
NEXT=$(/bin/sed -e 's|^.*nextPageUri":"\(/rest/server-hardware.*\)","prevPageUri.*|\1|' ${HARDW})
while [[ ${NEXT} != *"null"* ]]; do
   curl --insecure \
     --header "auth: ${sessionID}" \
     --header "X-API-Version: ${currentVersion}" \
     --output ${HARDW}${i} \
     --request GET ${OneView}${NEXT}
   NEXT=$(/bin/sed -e 's|^.*nextPageUri":"\(/rest/server-hardware.*\)","prevPageUri.*|\1|' ${HARDW}${i})
   if [[ ${#NEXT} -gt 50 ]]; then
      NEXT=$(/bin/sed -e 's|^.*nextPageUri":\(.*\)","prevPageUri.*|\1|' ${HARDW}${i})
   fi
   ((i++))
done
cat ${HARDW} ${HARDW}1 ${HARDW}2 ${HARDW}3 ${HARDW}4 ${HARDW}5 > hardw-all-raw
cat hardw-all-raw | jq -r '.' > hardw-all
#
# For the task of creating a server profile template, we need serverHardwareTypeUri's.
# To get a list of server hardware type uri's:
RAW_DATA=$(grep -E 'serverHardwareTypeUri|model' hardw-all | sed -e 's|^\s\(.*\)$|\1' | sed -e '{$!{ N;s|","model|}}' | sed -e 's|": "|":"|g' | tr ' ' '_' | sort -u)
i=0
declare -A HWR
for f in $(echo ${RAW_DATA}); do
   echo "f = ${f}"
   HWR[${i},0]=$(echo ${f} | cut -d ':' -f2 | cut -d ',' -f1 | sed -e 's|^"||' -e 's|"$||')
   HWR[${i},1]=$(echo ${f} | cut -d ':' -f3 | tr '_' ' ' | sed -e 's|",$||' -e 's|^"||')
   ((i++))
done
j=${i}
i=0
while [[ ${i} -lt ${j} ]]; do
   echo "HWR[${i},0] = ${HWR[${i},0]}"
   echo "HWR[${i},1] = ${HWR[${i},1]}"
   ((i++))
done
#
# Need the uri pointing to the SPP image uploaded to OneView.  So, download
# a listing of the firmware in OneView with:
curl --insecure \
     --header "auth: ${sessionID}" \
     --header "X-API-Version: ${currentVersion}" \
     --output firmware \
     --request GET ${OneView}/rest/firmware-drivers
#
# That puts the results in local file, firmware.  Then to find the SPP URI, use:
SPPURI=$(cat firmware | jq -r '.[] | .[] | (.uri)' 2>/dev/null)
#
# Need a list of domain controllers.  Pick the one associated with the data center location.
/usr/bin/dig SRV _ldap._tcp.my.org +noall +answer | awk '{ print $8 }' \
  | sed -e '/^$/d' | grep -v 'noall' | sort -t \- -k 2,2  -k 1,1
#
DIRSRV=<controller from above>
#
# Now, need the server certificate from the domain controller:
retrieve-cert() {
   REMHOST=${1:-my.domain}
   REMPORT=${2:-443}
   echo | \
   openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 | \
   /bin/sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
#
# Need the certificate on one line:
CHQ=$(retrieve-cert ${DIRSRV} 636 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' | sed -e 's|\(.*\)\\n$|\1|')
#
ADUSER='mysid'
ADPASS='mypass'
PASSW='ilo-pass'
DESCRIPT="DL380 in Location with 2SSDs, 2NVMEs, and a P408i-a controller."
#
i=1
# The following will put all of the data into a variable on one line:
DATA=$(echo '{
  "connectionSettings": {
    "complianceControl": "Unchecked",
    "manageConnections": false,
    "connections": []
  },
  "firmware": {
    "complianceControl": "Checked",
    "manageFirmware": true,
    "firmwareInstallType": "FirmwareAndOSDrivers",
    "forceInstallFirmware": false,
    "firmwareBaselineUri": "'${SPPURI}'",
    "firmwareActivationType": "Scheduled"
  },
  "osDeploymentSettings": null,
  "iscsiInitiatorNameType": "AutoGenerated",
  "serialNumberType": "Physical",
  "wwnType": "Physical",
  "macType": "Physical",
  "hideUnusedFlexNics": null,
  "type": "ServerProfileTemplateV6",
  "uri": "'${HWR[${i},0]}'",
  "name": "'${HWR[${i},1]}'",
  "description": "'${DESCRIPT}'",
  "sanStorage": {
    "complianceControl": "Unchecked",
    "manageSanStorage": false,
    "sanSystemCredentials": [],
    "volumeAttachments": []
  },
  "category": "server-profile-templates",
  "localStorage": {
    "complianceControl": "Unchecked",
    "sasLogicalJBODs": [],
    "controllers": []
  },
  "managementProcessor": {
    "complianceControl": "Checked",
    "manageMP": true,
    "mpSettings": [
      {
        "settingType": "AdministratorAccount",
        "args": {
          "deleteAdministatorAccount": false,
          "password": "'${PASSW}'"
        }
      },
      {
        "settingType": "DirectoryGroups",
        "args": {
          "directoryGroupAccounts": [
            {
              "groupDN": "admin_OneView",
              "groupSID": "S-1-5-21-1346723-2839128191-28188919111-431291",
              "UserConfigPriv": true,
              "remoteConsolePriv": true,
              "virtualMediaPriv": true,
              "virtualPowerAndResetPriv": true,
              "iLOConfigPriv": true
            },
            {
              "groupDN": "user_OneView",
              "groupSID": "S-1-5-22-1446723-2843128191-2818919111-431291",
              "UserConfigPriv": false,
              "remoteConsolePriv": true,
              "virtualMediaPriv": true,
              "virtualPowerAndResetPriv": true,
              "iLOConfigPriv": false
            }
          ]
        }
      }
    ]
  },
  "bios": {
    "complianceControl": "Checked",
    "manageBios": true,
    "overriddenSettings": [
      {
        "id": "UncoreFreqScaling",
        "value": "Maximum"
      },
      {
        "id": "MinProcIdlePower",
        "value": "NoCStates"
      },
      {
        "id": "PowerRegulator",
        "value": "StaticHighPerf"
      },
      {
        "id": "IntelUpiPowerManagement",
        "value": "Disabled"
      },
      {
        "id": "CustomPostMessage",
        "value": "Welcome to our Project!"
      },
      {
        "id": "EnergyEfficientTurbo",
        "value": "Disabled"
      },
      {
        "id": "EnergyPerfBias",
        "value": "MaxPerf"
      },
      {
        "id": "AdminName",
        "value": "Server Team"
      },
      {
        "id": "CollabPowerControl",
        "value": "Disabled"
      },
      {
        "id": "NumaGroupSizeOpt",
        "value": "Clustered"
      },
      {
        "id": "AsrTimeoutMinutes",
        "value": "Timeout30"
      },
      {
        "id": "ServerPrimaryOS",
        "value": "RHEL 7"
      },
      {
        "id": "EmbeddedSata",
        "value": "Raid"
      },
      {
        "id": "WakeOnLan",
        "value": "Disabled"
      },
      {
        "id": "AdminEmail",
        "value": "server_team@our.com"
      },
      {
        "id": "SubNumaClustering",
        "value": "Enabled"
      },
      {
        "id": "HttpSupport",
        "value": "Disabled"
      },
      {
        "id": "DynamicPowerCapping",
        "value": "Auto"
      },
      {
        "id": "MinProcIdlePkgState",
        "value": "NoState"
      },
      {
        "id": "WorkloadProfile",
        "value": "Virtualization-MaxPerformance"
      }
    ]
  },
  "boot": {
    "complianceControl": "Unchecked",
    "manageBoot": false,
    "order": []
  },
  "bootMode": {
    "complianceControl": "Checked",
    "manageMode": true,
    "mode": "UEFI",
    "pxeBootPolicy": "IPv4",
    "secureBoot": "Disabled"
  },
  "affinity": null,
  "enclosureGroupUri": null,
  "serverHardwareTypeUri": "'${HWR[${i},0]}'"
}' | jq -c '.')
#
# Create a server profile template:
TaskURI=$(curl --insecure \
     --header "content-type: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data "${DATA}" \
     --request POST ${OneView}/rest/server-profile-templates | jq -r '.')

I saw the error when I add '--include' to the curl command.  I assume the error is referencing the data section?
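
The parse error quoted in the post above is consistent with a JSON parser being handed the output of `curl --include`, where curl writes the HTTP status line and headers ahead of the body (`HTTP/1.1` is eight characters long). As an added example (Python, not code from this thread; the sample response and function names are constructed), this separates the header blocks from the body before parsing:

```python
import json

# Constructed sample of `curl --include` output: an interim 100 Continue block,
# then the final response. The status and body are invented for this example.
RAW = (
    "HTTP/1.1 100 Continue\r\n\r\n"
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"message": "constructed error body"}'
)

def split_include_output(raw):
    """Return (status_code, headers, body) from `curl --include` output."""
    text = raw.replace("\r\n", "\n")
    status, headers = None, {}
    # curl prints one header block per response, so keep consuming blocks
    # while the remaining text still starts with an HTTP status line.
    while text.startswith("HTTP/"):
        head, _, text = text.partition("\n\n")
        lines = head.split("\n")
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers, text

def parse_response(raw):
    """Parse only the body as JSON; report the HTTP status if it is not JSON."""
    status, headers, body = split_include_output(raw)
    try:
        doc = json.loads(body) if body.strip() else None
    except json.JSONDecodeError as exc:
        raise ValueError(f"HTTP {status}: body is not JSON ({exc.msg})") from exc
    return status, headers, doc

def parses_as_json(text):
    """True only if the whole text is a single JSON document."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

if __name__ == "__main__":
    print(parses_as_json(RAW))   # headers in front of the body are not JSON
    print(parse_response(RAW))
```
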

ChrisLynchHPE
Neighborhood Moderator

Re: Is this possible?

I would generate the desired JSON test string before submitting to the API, then use a JSON parser utility, like this online JSON viewer, to see if the format is compliant.



BradV
Trusted Contributor

Re: Is this possible?

Hi Chris,

That was my main reason for putting the data in a variable.  I did 

echo "${DATA}" | jq -r '.'

and it came out with no errors.
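
A local version of the pre-submission check discussed above, added here as an example (Python, not code from this thread; the function names and sample passwords are constructed). It keeps the payload, which carries the iLO password, on the local machine, and it also tests something a syntax check alone cannot: that a value spliced into the JSON text decodes to the string that was intended.

```python
import json

def spliced(password):
    """Quote-splicing, as the DATA variable does: the value is pasted in raw."""
    return ('{"settingType": "AdministratorAccount", '
            '"args": {"password": "' + password + '"}}')

def serialized(password):
    """Same fragment built as data; json.dumps escapes quotes and backslashes."""
    return json.dumps({"settingType": "AdministratorAccount",
                       "args": {"password": password}})

def check(text):
    """Parse locally; return (document, None) or (None, error with position)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"

def password_survives(text, intended):
    """Valid JSON is not enough: the decoded value must equal what was intended."""
    doc, err = check(text)
    return err is None and doc["args"]["password"] == intended

def redact(node):
    """Copy with every 'password' value masked, so the payload can be logged."""
    if isinstance(node, dict):
        return {k: "***" if k == "password" else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

# Constructed sample passwords, not values from the thread.
SAMPLES = ["ilo-pass", 'p"ss', "ab\\tcd"]

if __name__ == "__main__":
    for pw in SAMPLES:
        _, err = check(spliced(pw))
        print(repr(pw), "| spliced parses:", err is None,
              "| spliced keeps value:", password_survives(spliced(pw), pw),
              "| serialized keeps value:", password_survives(serialized(pw), pw))
    print(redact(json.loads(serialized(SAMPLES[1]))))
```

The third sample is the case a syntax check misses: the spliced text parses cleanly, but the backslash sequence is decoded as a tab, so the password that would be set differs from the one intended.
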