In this recipe, we will enable Orchestrator to execute PowerShell scripts on a Windows host and deal with the results.
We need a Windows host where the PowerShell scripts are stored and can be executed from. This can be any Windows host; however, a Windows 2008 R2 (or better) server contains all the programs required to allow Orchestrator to connect to the Windows host.
To configure the Windows host, we need to use Windows Remote Management (WinRM), which is already installed and integrated into Windows.
Installing the VMware PowerCLI add-on to PowerShell on the Windows host is optional.
You may also add a Linux PowerShell host to vRO. Check this: http://kaloferov.com/blog/how-to-add-a-linux-machine-as-powershell-host-in-vro-skkb1030/
This recipe is split into preparation, adding the host, executing a PowerShell script, and generating a workflow.
In this part, we will configure WinRM with basic authentication, HTTP, and unencrypted transfer. To configure WinRM for HTTPS, please refer to the PowerShell plugin documentation:
winrm quickconfig
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}
TCP 5985 is accessible from Orchestrator to the PowerShell host.
This is a fast and easy configuration that leaves security wanting; however, it enables you to connect Orchestrator to a PowerShell host and run PowerShell scripts without facing any obstacles. If this connection works, you might want to shift to the more secure Kerberos connections (discussed later).
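To confirm later that a host is no longer left in this quick-setup state, the text printed by winrm get winrm/config/service can be checked for the two settings enabled above. The following is an added example, not code from the original recipe or the PowerShell plugin; the sample listing is constructed and the function names are hypothetical.

```javascript
// Constructed sample of `winrm get winrm/config/service` output (not from a real host).
var SAMPLE = [
  "Service",
  "    MaxConcurrentOperationsPerUser = 1500",
  "    AllowUnencrypted = true",
  "    Auth",
  "        Basic = true",
  "        Kerberos = true",
  "        Negotiate = true",
  "    DefaultPorts",
  "        HTTP = 5985",
  "        HTTPS = 5986"
].join("\n");

// Flatten the indented "Key = Value" listing into
// { "Service/Auth/Basic": "true", ... } using indentation for nesting.
function parseWinrmConfig(text) {
  var settings = {}, stack = [];
  text.split(/\r?\n/).forEach(function (raw) {
    var line = raw.trim();
    if (!line) return;
    var indent = raw.search(/\S/);
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    var kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (!kv) { stack.push({ indent: indent, name: line }); return; }
    var path = stack.map(function (s) { return s.name; }).concat(kv[1]);
    settings[path.join("/")] = kv[2];
  });
  return settings;
}

// Report the settings that matter for the basic-versus-Kerberos choice.
function auditWinrmService(text) {
  var cfg = parseWinrmConfig(text), findings = [];
  function isTrue(key) { return String(cfg[key]).toLowerCase() === "true"; }
  if (isTrue("Service/AllowUnencrypted"))
    findings.push("AllowUnencrypted = true: the service accepts unencrypted traffic");
  if (isTrue("Service/Auth/Basic"))
    findings.push("Basic = true: basic authentication is accepted");
  if (!isTrue("Service/Auth/Kerberos"))
    findings.push("Kerberos is not enabled");
  return findings;
}

console.log(auditWinrmService(SAMPLE).join("\n"));
```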
Now that we have configured the Windows host, we need to connect Orchestrator to the Windows host. As this is a one-off operation, we will use the existing workflow to do this:
5985
HTTP:5985, HTTPS:5986) as the transport protocol and Basic for the authentication.
In this section, we are configuring Orchestrator to connect to the PowerShell host using Kerberos authentication:
winrm set winrm/config/service/auth @{Kerberos="true"}
Administrator group.
Add a PowerShell host workflow but, this time, use Kerberos as the authentication type.
This should work in most cases; however, Windows can be a bit tricky. If you experience problems, take a look at Spas Kaloferov's awesome article (see the See also section of this recipe for the link).
Now that we have added a PowerShell host, we can run a script. There are two workflows that can be used for this by navigating to Library | PowerShell; they are discussed in upcoming sections.
For this to work, you need a PowerShell script on the PowerShell host, preferably one that requires some arguments, such as get-PSDrive -name c:
-Argument1 value1 -Argument2 value2
Get-PSDrive -name c.
The PowerShell plugin brings with it the ability to automatically create an action and a workflow from a PowerShell script. This allows you to integrate PowerShell permanently into your automation:
{#ParamName#} placeholder. Here's an example:
Original |
|
Enter |
|
Invoke Script [Action Name]:
{#Parameter#} has been changed into an in-parameter in the action you created:
Adding PowerShell to Orchestrator will give you a far greater perspective on what Orchestrator can be used for. In the last few years, PowerShell has become a broadly used tool to write automation scripts. Microsoft uses PowerShell for a lot of management functions, such as System Center Configuration Manager (SCCM), System Center Virtual Machine Manager (SCVMM), and System Center Operations Manager (SCOM).
Using PowerShell with Orchestrator, we are basically able to execute PowerShell scripts with a right-click in the vSphere Web Client and even transport VMware objects to PowerShell scripts.
A workflow or action that has been generated by Orchestrator will require some TLC (tender loving care), for instance, changing a password entry from string to SecureString, reworking the naming structure, rearranging the variables in the workflow call, and so on.
Another typical and vital task is escaping variables. When you run a command that requires entering a string that contains special characters such as spaces, backslashes or quotation marks ", you need to escape them using an additional or use single quotation marks '. In the following example, we will show you both methods:
Original |
Output:
|
Using |
Output:
|
Escaping |
Output:
|
The difference between " and ' is that PowerShell will look inside " " for $ and assumes that what follows is a variable, whereas it will take all content between the ' as it is.
Entry |
|
|
Output |
|
|
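Because PowerShell takes everything between ' ' as it is, wrapping workflow inputs in single quotes is the safer way to place them into a script such as one built from {#ParamName#} placeholders. The following is an added example, not code from the original recipe or from the plugin; the helper names are hypothetical and the substitution is modelled here rather than taken from the plugin's implementation.

```javascript
// Hypothetical helpers for illustration; they are not part of the PowerShell plugin.

// Wrap a value as a PowerShell single-quoted literal. Between ' ' PowerShell
// expands nothing, and a quote inside the value is written by doubling it.
// PowerShell also reads the typographic quotes U+2018, U+2019, U+201A and
// U+201B as single quotes, so they are doubled too.
function psSingleQuote(value) {
  return "'" + String(value).replace(/['\u2018\u2019\u201A\u201B]/g, "$&$&") + "'";
}

// Fill {#Name#} placeholders in a script template with quoted values.
// Fails closed when a placeholder has no value instead of emitting it unchanged.
function fillPlaceholders(template, params) {
  return template.replace(/\{#(\w+)#\}/g, function (match, name) {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error("no value supplied for placeholder " + match);
    }
    return psSingleQuote(params[name]);
  });
}

// Constructed input containing every character the passage warns about:
// spaces, backslashes, both kinds of quotation marks and a $.
var label = 'C:\\Temp\\O\'Brien "Q3" $HOME';
var command = fillPlaceholders("Write-Output {#Label#}", { Label: label });
console.log(command);
```

The value reaches PowerShell as one literal argument, so $HOME is not expanded and the embedded quotation marks cannot end the string early.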
In this recipe, we used the basic connection to connect Orchestrator to the PowerShell host. As mentioned, this is the easiest way to build the connection, and therefore it is good for a beginner. As a professional, you want to use Kerberos as the authentication; however, you should first try to connect via the basic method to make sure that you don't have any firewall or other basic connection problems before going for the secure connection.
One of the differences between basic and Kerberos authentication is that basic authentication can only use local users, whereas Kerberos uses AD users. Secondly, Kerberos uses encryption when communicating, whereas basic doesn't. This is quite a big difference, especially in a business environment where local users should really not be used and encryption is a must.
As already mentioned, if you use Orchestrator with SSO, you can only use Shared Session, as Orchestrator is not able to forward the session. You can use Session per User only with an LDAP-connected Orchestrator.
To convert the PowerShell output into XML, run the following lines:
psXML = PowerShellOutput.getXml();
The XML output of PowerShell can be quite messy. The first thing that one needs to realize is that the PowerShell XML output adds a large amount of spaces between tags. To clean this up, run the following regular expression:
xmlClean = psXML.replace(/>\s+</g, "><");
The following is an example of the Get-Culture PowerShell command. You can clearly see how the diminished command-line output (the blue PowerShell window) looks in PowerShell XML:
As you can see, PowerShell creates tag names along with the variable names (Obj=Object, S=String, and I32=32-bit Integer) and sets the name of the output as an attribute with the N key. It's not easy to parse these constructs; however, it's doable.
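One way to read these constructs is to walk the tags in order and collect each S and I32 value under its N name, nesting whenever an Obj carries an N of its own. The following is an added example, not code from the original recipe; the sample XML is constructed in the shape described above, the function names are hypothetical, and only the Obj, S and I32 tags named in the text are handled.

```javascript
// Constructed sample in the Obj/S/I32 shape described above (not real Get-Culture output).
var SAMPLE_XML = [
  '<Objs Version="1.1.0.1">',
  '  <Obj RefId="0">',
  '    <Props>',
  '      <I32 N="LCID">1033</I32>',
  '      <S N="Name">en-US</S>',
  '      <S N="Comment">R&amp;D &lt;lab&gt;</S>',
  '      <Obj N="Parent" RefId="1">',
  '        <Props><I32 N="LCID">9</I32><S N="Name">en</S></Props>',
  '      </Obj>',
  '    </Props>',
  '  </Obj>',
  '</Objs>'
].join("\n");

// The whitespace cleanup from the text above.
function cleanPsXml(xml) {
  return xml.replace(/>\s+</g, "><");
}

function decodeEntities(text) {
  var map = { lt: "<", gt: ">", quot: '"', apos: "'", amp: "&" };
  return text.replace(/&(lt|gt|quot|apos|amp);/g, function (m, e) { return map[e]; });
}

// Walk the tags in order; a stack holds the <Obj> elements currently open.
// Returns one plain object per top-level <Obj>, keyed by each N attribute.
function readPsObjects(xml) {
  var tagRe = /<(\/?)(\w+)([^>]*)>([^<]*)/g;
  var clean = cleanPsXml(xml), results = [], stack = [], m;
  while ((m = tagRe.exec(clean)) !== null) {
    var closing = m[1] === "/", tag = m[2], text = m[4];
    var n = /\bN="([^"]*)"/.exec(m[3]);
    var top = stack[stack.length - 1];
    if (tag === "Obj" && closing) { stack.pop(); continue; }
    if (closing) continue;
    if (tag === "Obj") {
      var child = {};
      if (n && top) top[n[1]] = child; else results.push(child);
      stack.push(child);
    } else if (n && top && tag === "S") {
      top[n[1]] = decodeEntities(text);
    } else if (n && top && tag === "I32") {
      top[n[1]] = parseInt(text, 10);
    }
  }
  return results;
}
```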
http://blogs.vmware.com/orchestrator/2012/06/vco-powershell-plugin-how-to-set-up-and-use-kerberos-authentication.html
10.04.1 Invoke Script psExample and the psExample action in the com.packtpub.Orchestrator-Cookbook module
10.04.2 Cleanup PS XML