How to use Ansible to automate VMware OVAs

If you build software and ship it as a virtual machine, chances are that building VMware-compatible OVAs for customers is a top priority.  Storage Made Easy is sharing tricks and tips for creating vCenter-compatible OVAs with Ansible…

At Storage Made Easy, automation is key to our agile development process.  Continuing our Ansible series of posts, this guide goes over tips and tricks we use in our build process.

The Ansible module for exporting VMs from vCenter or ESXi is vmware_export_ovf.  It’s fairly well documented, but is deficient in two areas for our build of the Enterprise File Fabric:

    1. It creates OVFs and most customers would prefer an OVA
    2. It fails far too often for our automated builds with “read timeouts”

Both of the points above are addressed by the Open Virtualization Format Tool (ovftool) from VMware.  At the time of this writing, the current edition is 4.3.0 U2.  The ovftool is available for Mac, Windows, and Linux and works well with Ansible when called from the shell module.

Here is the playbook code which will power off and download a VM (or template) and package an OVA in one step.

 - name: Create OVA
   shell: | 
       /bin/ovftool \
       --powerOffSource \
       --shaAlgorithm=SHA1 \
       --targetType=ova \
       --privateKey=/my/cert/certAndKey.pem \
       'vi://{{ vcenter_username }}:{{ vcenter_password }}@{{vcenter FQDN or IP}}:443/{{Datacenter}}/vm/{{Folder}}/{{ vm name }}' \
       /my/build/vm.ova
   delegate_to: localhost

Let’s break down the code:

/bin/ovftool
The location of the ovftool binary on CentOS Linux

--powerOffSource
This ensures the VM is powered off

--shaAlgorithm=SHA1
Why SHA1 vs the default SHA256?  Well, some of our customers are still using the vCenter 5.5 Desktop Client, which doesn’t support SHA256.  The web clients (HTML5 and Flash) both support SHA1 and SHA256, so we opt for the most compatible images.

--targetType=ova
Exports a single file (OVA) vs OVF

--privateKey=/my/cert/certAndKey.pem
Signs the image with a certificate.  It is best to use a valid public certificate with at least a year left before expiration rather than a self-signed certificate.  It looks better for customers and is a best practice.

'vi://{{ vcenter_username }}:{{ vcenter_password }}@{{vcenter FQDN or IP}}:443/{{Datacenter}}/vm/{{Folder}}/{{ vm name }}'
This long string is the source of the image.  It requires a vCenter username and password as well as the FQDN or IP address of the vCenter/ESXi server.  Lastly, it needs the Datacenter, Folder location and Name of the virtual machine or template.

/my/build/vm.ova
Location to save the OVA

delegate_to: localhost
This tells Ansible to run ovftool on the localhost, but it can be set to whichever host has ovftool installed.

Problem solved!  Well… not so fast.  Exporting in one step from vCenter to OVA is nice, but it has one compatibility issue: ovftool 4.3 exports an extra configuration entry for nvram, which produces an annoying warning when importing into vCenter 6.5 and below.

How does Storage Made Easy work around this issue?

    • We export the VM as an OVF
    • Remove the XML lines which result in a compatibility warning
    • Delete the manifest file with the existing checksums
    • Package the OVA
    • Delete the OVF

Below is the full example of our process:

- name: Create OVF
  shell: | 
      /bin/ovftool \
      --powerOffSource \
      'vi://{{ vcenter_username }}:{{ vcenter_password }}@{{vcenter FQDN or IP}}:443/{{Datacenter}}/vm/{{Folder}}/{{ vm name }}' \
      /my/builds/
  delegate_to: localhost

- name: Remove nvram lines in ovf for backwards compatibility
  lineinfile:
    path: /my/builds/{{ vm name }}/{{ vm name }}.ovf
    state: absent
    regexp: 'nvram'
  delegate_to: localhost

- name: Manifest no longer valid with removal of nvram
  file:
    path: /my/builds/{{ vm name }}/{{ vm name }}.mf
    state: absent 
  delegate_to: localhost

- name: Create OVA
  shell: | 
      /bin/ovftool \
      --shaAlgorithm=SHA1 \
      --targetType=ova \
      --privateKey=/my/cert/certAndKey.pem \
      '/my/builds/{{ vm name }}/{{ vm name }}.ovf' \
      /my/builds/vm.ova
  delegate_to: localhost

- name: Cleanup OVF files used in the build
  file:
    path: /my/builds/{{ vm name }}/
    state: absent 
  delegate_to: localhost
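
Why the old manifest has to be deleted before repackaging, shown as an added Python example that is not part of the original post or of the Storage Made Easy build: it mimics the `lineinfile` removal on a constructed OVF and checks `.mf` digests written in the `SHA1(file)= digest` form. The file names, sample contents and helper functions are assumptions made for illustration.

```python
import hashlib
import re

# Manifest (.mf) line format: "SHA1(vm.ovf)= <hex digest>"
MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)=\s*([0-9a-fA-F]+)$")

def make_manifest(files, algo="SHA1"):
    """Build manifest text for a {filename: bytes} mapping."""
    return "".join(
        f"{algo}({name})= {hashlib.new(algo.lower(), data).hexdigest()}\n"
        for name, data in sorted(files.items())
    )

def verify_manifest(manifest, files):
    """Return the names listed in the manifest that are missing or mismatched."""
    bad = []
    for line in manifest.splitlines():
        m = MF_LINE.match(line.strip())
        if not m:
            continue
        algo, name, digest = m.groups()
        data = files.get(name)
        if data is None or hashlib.new(algo.lower(), data).hexdigest() != digest.lower():
            bad.append(name)
    return bad

def strip_nvram(ovf_text):
    """Drop every line containing 'nvram', like lineinfile state=absent regexp='nvram'."""
    return "".join(l for l in ovf_text.splitlines(keepends=True) if "nvram" not in l)

# Constructed sample files (hypothetical, not real ovftool output)
OVF = (
    '<Envelope>\n'
    '  <References>\n'
    '    <File ovf:href="vm-disk1.vmdk" ovf:id="file1"/>\n'
    '    <File ovf:href="vm.nvram" ovf:id="file2"/>\n'
    '  </References>\n'
    '  <vmw:ExtraConfig vmw:key="nvram" vmw:value="ovf:/file/file2"/>\n'
    '</Envelope>\n'
)
exported = {"vm.ovf": OVF.encode(), "vm-disk1.vmdk": b"constructed disk bytes"}
old_mf = make_manifest(exported)  # manifest as written at export time
edited = dict(exported, **{"vm.ovf": strip_nvram(OVF).encode()})

if __name__ == "__main__":
    print("stale manifest mismatches:", verify_manifest(old_mf, edited))
    print("regenerated manifest mismatches:", verify_manifest(make_manifest(edited), edited))
```

The stale manifest reports `vm.ovf` as mismatched after the edit, while a manifest regenerated from the edited files verifies cleanly.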

Happy Building!!!

Douglas Soltesz

Director Product Solutions at Storage Made Easy
Doug's focus is in Object and Cloud Storage APIs, Data Governance, Virtualization, and Containerization.