|
|
| Line 1: |
Line 1: |
|
| |
| My stuff
| |
| Gems
| |
| Chats
| |
| OVF Deployment Error: Unsupported ExtraConfig
| |
| Importing OVA Files via OVF Tool
| |
| Python Script For Session Extension
| |
| Agentic AI Services STIG Status
| |
| RBAC vs ABAC: Access Control Explained
| |
| Understanding GraphQL: Concepts and Comparison
| |
| Ubuntu NTP Time Synchronization Guide
| |
| Professionalizing Security Input Validation
| |
| Linux Folder Search Commands
| |
| Offline Python Dependency Installation Guide
| |
| Fix Python 3.12 Dependency Errors
| |
| Write some powershell that can run this command after prompting the user in a GUI for the ip address and username: ssh -F /dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username@ipaddress -D 9999
| |
| Pip3 Proxy Configuration Methods
| |
| Fixing `bash\r`: No Such File Error
| |
|
| |
| Settings & help
| |
| Conversation with Gemini
| |
| Got this problem again trying to deploy a OVF to vSphere:
| |
|
| |
|
| |
|
| |
| ./ovftool --noSSLVerify --name="SSPI" \
| |
|
| |
| --datastore="nfs" \
| |
|
| |
| --network=" pg-01" \
| |
|
| |
| /root/Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova \
| |
|
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/esx-2.test/cluster-01'
| |
|
| |
| Opening OVA source: /root/Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova
| |
|
| |
| The manifest validates
| |
|
| |
| Source is signed but could not verify certificate (possibly self-signed)
| |
|
| |
| Certificate information:
| |
|
| |
| CertIssuer:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
| |
|
| |
| CertSubject:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
| |
|
| |
| -----BEGIN CERTIFICATE-----
| |
|
| |
| MIIDyzCCArOgAwIBAgIJAIR/y018RgMXMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
| |
|
| |
| BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8x
| |
|
| |
| FTATBgNVBAoMDFZNd2FyZSwgSW5jLjAeFw0xNjA5MDgwMTE3MjFaFw0yOTEyMzEw
| |
|
| |
| MTE3MjFaME0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYD
| |
|
| |
| VQQHDAlQYWxvIEFsdG8xFTATBgNVBAoMDFZNd2FyZSwgSW5jLjCCASAwDQYJKoZI
| |
|
| |
| hvcNAQEBBQADggENADCCAQgCggEBALU9NUtC39fqG7yo2XAswUmtli9uA+31uAMw
| |
|
| |
| 9FFHAEv/it8pzBQZ/4r+2bN+GnXOWhuDd1K4ApKMRvoO4LwQfZxrkx4pXrsu0gdb
| |
|
| |
| 4OunHw0D8MrdzSoob8Js/uq+IJ+8Bhsc6b7RzTUt9HeDWzHasAJVgMsjehGt23ay
| |
|
| |
| 9FKOT6dVD6D/Xi3qJnB/4t/XNS6L63dC3ea4guzKDyLaXIP5bf/m56jvVImFjhhT
| |
|
| |
| W2ASbnEUlZIVrEuyVcdG7e3FvZufE553JmHL0YG/0m5bIHXKRzBRx0D3HHOAzOKw
| |
|
| |
| kkOnxJHSTN4Hz8hSYCWvzUAjSYL3Q8qiTd7GHJ2ynsRnu3KlzKUCAQOjga8wgaww
| |
|
| |
| HQYDVR0OBBYEFHg8KQJdm8NPQDmYP41uEgKG+VNwMH0GA1UdIwR2MHSAFHg8KQJd
| |
|
| |
| m8NPQDmYP41uEgKG+VNwoVGkTzBNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
| |
|
| |
| aWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMRUwEwYDVQQKDAxWTXdhcmUsIElu
| |
|
| |
| Yy6CCQCEf8tNfEYDFzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAD
| |
|
| |
| K9uUhsXzpuUcWJq83Vh2HHSxZ/DdR6h+FNYHfEX8h8DOIwhRHhIHoqXkwwnpbjip
| |
|
| |
| FBtSzNKzTmzMQBwB7GwzGSsBO2TU8alX2ssnDg2AqwgIeLzclfaQlYoid678Krew
| |
|
| |
| nFryr9PYMntr7uyU1duesmey12GS2z5UIhA4BaOnrPJcLCP22nXVlPEsa46ob7XH
| |
|
| |
| j4ngZ0ck/qE58Z90GaAuxaa2R3OlHQ+AhXc3q5IixqMDa0MLPd41Qv2kC5iZ+tCf
| |
|
| |
| XVdlf4/RqQBNHR8FFVxcjpaROId9Y9/yHdsMt55nN7pf7vRf5vSk1bHvLmlOYgiR
| |
|
| |
| tAj6rdPq0c+/C+fct1cM
| |
|
| |
| -----END CERTIFICATE-----
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| Error: OVF Package is not supported by target:
| |
|
| |
| - Line -1: Unsupported value 'ethernet0.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'ethernet1.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'ethernet2.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'ethernet3.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.diskWiper.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.memSchedFakeSampleStats.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.diskShrink.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.vmxDnDVersionGet.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.unityActive.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.guestDnDVersionSet.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'snapshot.maxSnapshots' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'RemoteDisplay.maxConnections' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| Completed with errors
| |
|
| |
| root@vc [ ~/ovftool ]#
| |
|
| |
| This error is a classic case of vCenter strictness. The OVA you are trying to deploy contains ExtraConfig parameters (advanced VMX settings) that your target vCenter or ESXi host doesn't recognize or doesn't allow via the OVF import process.
| |
|
| |
| The "Line -1" error is often a red herring; it just means the ovftool parser hit these unsupported keys within the XML structure of the .ovf file inside your .ova package.
| |
|
| |
| Here is how to fix this:
| |
|
| |
| Option 1: Use the --allowExtraConfig Flag
| |
| The easiest way to bypass this without modifying the file is to tell ovftool to ignore the fact that it doesn't recognize these specific configuration keys.
| |
|
| |
| Add --allowExtraConfig to your command:
| |
|
| |
| Bash
| |
| ./ovftool --noSSLVerify --allowExtraConfig --name="SSPI" \
| |
| --datastore="nfs" \
| |
| --network=" pg-01" \
| |
| /root/Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova \
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/esx-2.test/cluster-01'
| |
| Option 2: Extract and Manually Edit the OVF
| |
| If the flag doesn't work (which happens if the target ESXi version strictly forbids those specific hardware keys), you’ll need to strip them out manually.
| |
|
| |
| Unpack the OVA:
| |
| The OVA is just a tar archive.
| |
|
| |
| Bash
| |
| tar -xvf Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova
| |
| Edit the .ovf file:
| |
| Open the resulting .ovf file in a text editor (like vi or nano). Search for the ExtraConfig section. It will look something like this:
| |
|
| |
| XML
| |
| <vmw:ExtraConfig vmw:key="ethernet0.rxDataRingEnabled" vmw:value="false"/>
| |
| Delete all the lines corresponding to the errors you received (e.g., rxDataRingEnabled, isolation.tools.*, etc.).
| |
|
| |
| Handle the Manifest (.mf):
| |
| Because you edited the .ovf file, the checksum in the .mf file will no longer match. You have two choices:
| |
|
| |
| Delete the .mf file entirely.
| |
|
| |
| Deploy the .ovf directly using ovftool (pointing to the .ovf file instead of the .ova) and add the --skipManifestCheck flag.
| |
|
| |
| Why is this happening?
| |
| Version Mismatch: The OVA was likely built on a newer version of Workstation or ESXi than the one you are deploying to.
| |
|
| |
| Security Hardening: The isolation.tools settings are hardening parameters. Some vCenter versions treat these as "restricted" and won't let an OVF import inject them into the VMX file for security reasons.
| |
|
| |
| Pro-tip: If you find yourself doing this often for vDefend or NSX-related appliances, Option 1 is almost always the winner. It allows the tool to pass the "extra" info to the host and let the host decide whether to use it or ignore it, rather than failing the whole deployment.
| |
|
| |
| /ovftool --noSSLVerify --allowExtraConfig --name="SSPI" \
| |
|
| |
| --datastore="nfs" \
| |
|
| |
| --network=" pg-01" \
| |
|
| |
| /root/Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova \
| |
|
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/esx-2.test/cluster-01'
| |
|
| |
| Opening OVA source: /root/Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova
| |
|
| |
| The manifest validates
| |
|
| |
| Source is signed but could not verify certificate (possibly self-signed)
| |
|
| |
| Certificate information:
| |
|
| |
| CertIssuer:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
| |
|
| |
| CertSubject:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
| |
|
| |
| -----BEGIN CERTIFICATE-----
| |
|
| |
| MIIDyzCCArOgAwIBAgIJAIR/y018RgMXMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
| |
|
| |
| BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8x
| |
|
| |
| FTATBgNVBAoMDFZNd2FyZSwgSW5jLjAeFw0xNjA5MDgwMTE3MjFaFw0yOTEyMzEw
| |
|
| |
| MTE3MjFaME0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYD
| |
|
| |
| VQQHDAlQYWxvIEFsdG8xFTATBgNVBAoMDFZNd2FyZSwgSW5jLjCCASAwDQYJKoZI
| |
|
| |
| hvcNAQEBBQADggENADCCAQgCggEBALU9NUtC39fqG7yo2XAswUmtli9uA+31uAMw
| |
|
| |
| 9FFHAEv/it8pzBQZ/4r+2bN+GnXOWhuDd1K4ApKMRvoO4LwQfZxrkx4pXrsu0gdb
| |
|
| |
| 4OunHw0D8MrdzSoob8Js/uq+IJ+8Bhsc6b7RzTUt9HeDWzHasAJVgMsjehGt23ay
| |
|
| |
| 9FKOT6dVD6D/Xi3qJnB/4t/XNS6L63dC3ea4guzKDyLaXIP5bf/m56jvVImFjhhT
| |
|
| |
| W2ASbnEUlZIVrEuyVcdG7e3FvZufE553JmHL0YG/0m5bIHXKRzBRx0D3HHOAzOKw
| |
|
| |
| kkOnxJHSTN4Hz8hSYCWvzUAjSYL3Q8qiTd7GHJ2ynsRnu3KlzKUCAQOjga8wgaww
| |
|
| |
| HQYDVR0OBBYEFHg8KQJdm8NPQDmYP41uEgKG+VNwMH0GA1UdIwR2MHSAFHg8KQJd
| |
|
| |
| m8NPQDmYP41uEgKG+VNwoVGkTzBNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
| |
|
| |
| aWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMRUwEwYDVQQKDAxWTXdhcmUsIElu
| |
|
| |
| Yy6CCQCEf8tNfEYDFzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAD
| |
|
| |
| K9uUhsXzpuUcWJq83Vh2HHSxZ/DdR6h+FNYHfEX8h8DOIwhRHhIHoqXkwwnpbjip
| |
|
| |
| FBtSzNKzTmzMQBwB7GwzGSsBO2TU8alX2ssnDg2AqwgIeLzclfaQlYoid678Krew
| |
|
| |
| nFryr9PYMntr7uyU1duesmey12GS2z5UIhA4BaOnrPJcLCP22nXVlPEsa46ob7XH
| |
|
| |
| j4ngZ0ck/qE58Z90GaAuxaa2R3OlHQ+AhXc3q5IixqMDa0MLPd41Qv2kC5iZ+tCf
| |
|
| |
| XVdlf4/RqQBNHR8FFVxcjpaROId9Y9/yHdsMt55nN7pf7vRf5vSk1bHvLmlOYgiR
| |
|
| |
| tAj6rdPq0c+/C+fct1cM
| |
|
| |
| -----END CERTIFICATE-----
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| Error: Locator does not refer to an object: vi://administrator%40vsphere.local@vc.test:443/dc-01/esx-2.test/cluster-01
| |
|
| |
| Completed with errors
| |
|
| |
| It looks like you've moved past the OVF parsing error and hit a pathing/locator error. Even though your syntax looks mostly correct, ovftool is very picky about the hierarchical path when you are targeting a cluster.
| |
|
| |
| The error Locator does not refer to an object means ovftool can't find a valid ESXi host or Cluster object at the end of that string.
| |
|
| |
| The Fix: Check your VI Path
| |
| Usually, this happens because the path structure in your environment doesn't match the command. In vSphere, a Cluster is logically "inside" a Host Folder or directly under the Datacenter, but an ESXi host is usually "inside" the cluster.
| |
|
| |
| Try these three variations based on how your vCenter is actually organized:
| |
|
| |
| 1. The "Standard Cluster" Path (Most Likely)
| |
| If cluster-01 is the name of your cluster, you usually don't include the ESXi host name in the path if you want vCenter to decide which host to put it on.
| |
|
| |
| Bash
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/host/cluster-01'
| |
| Note the addition of /host/ — vCenter internally maps clusters under a hidden or visible "host" managed object folder.
| |
|
| |
| 2. The "Resource Pool" Path
| |
| If you are deploying into a cluster, it technically has a "Resources" root.
| |
|
| |
| Bash
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/host/cluster-01/Resources'
| |
| 3. Targeting the Specific Host Directly
| |
| If you really want it on esx-2.test and that host is not in a cluster:
| |
|
| |
| Bash
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/host/esx-2.test'
| |
| How to verify the exact path
| |
| If the above don't work, you can "browse" your vCenter using ovftool to see exactly what names it expects. Run this command (it will just list the objects):
| |
|
| |
| Bash
| |
| ./ovftool 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/'
| |
| This will output the contents of dc-01. You might see a folder named host or vm. Keep appending the names you see to your URL until you reach your intended destination.
| |
|
| |
| One small syntax check
| |
| In your previous command, you had:
| |
| --network=" pg-01"
| |
|
| |
| Check if that leading space inside the quotes was intentional. If your port group is actually named "pg-01" (no space), remove that extra space, as it can occasionally cause the deployment to fail later in the process.
| |
|
| |
| Which folder structure did you see when you ran the "browse" command?
| |
|
| |
| root@vc [ ~/ovftool ]# ./ovftool --noSSLVerify --name="SSPI" \
| |
|
| |
| --datastore="nfs" \
| |
|
| |
| --network="pg-01" \
| |
|
| |
| /root/Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova \
| |
|
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/host/cluster-01'
| |
|
| |
| Opening OVA source: /root/Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova
| |
|
| |
| The manifest validates
| |
|
| |
| Source is signed but could not verify certificate (possibly self-signed)
| |
|
| |
| Certificate information:
| |
|
| |
| CertIssuer:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
| |
|
| |
| CertSubject:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
| |
|
| |
| -----BEGIN CERTIFICATE-----
| |
|
| |
| MIIDyzCCArOgAwIBAgIJAIR/y018RgMXMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
| |
|
| |
| BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8x
| |
|
| |
| FTATBgNVBAoMDFZNd2FyZSwgSW5jLjAeFw0xNjA5MDgwMTE3MjFaFw0yOTEyMzEw
| |
|
| |
| MTE3MjFaME0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYD
| |
|
| |
| VQQHDAlQYWxvIEFsdG8xFTATBgNVBAoMDFZNd2FyZSwgSW5jLjCCASAwDQYJKoZI
| |
|
| |
| hvcNAQEBBQADggENADCCAQgCggEBALU9NUtC39fqG7yo2XAswUmtli9uA+31uAMw
| |
|
| |
| 9FFHAEv/it8pzBQZ/4r+2bN+GnXOWhuDd1K4ApKMRvoO4LwQfZxrkx4pXrsu0gdb
| |
|
| |
| 4OunHw0D8MrdzSoob8Js/uq+IJ+8Bhsc6b7RzTUt9HeDWzHasAJVgMsjehGt23ay
| |
|
| |
| 9FKOT6dVD6D/Xi3qJnB/4t/XNS6L63dC3ea4guzKDyLaXIP5bf/m56jvVImFjhhT
| |
|
| |
| W2ASbnEUlZIVrEuyVcdG7e3FvZufE553JmHL0YG/0m5bIHXKRzBRx0D3HHOAzOKw
| |
|
| |
| kkOnxJHSTN4Hz8hSYCWvzUAjSYL3Q8qiTd7GHJ2ynsRnu3KlzKUCAQOjga8wgaww
| |
|
| |
| HQYDVR0OBBYEFHg8KQJdm8NPQDmYP41uEgKG+VNwMH0GA1UdIwR2MHSAFHg8KQJd
| |
|
| |
| m8NPQDmYP41uEgKG+VNwoVGkTzBNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
| |
|
| |
| aWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMRUwEwYDVQQKDAxWTXdhcmUsIElu
| |
|
| |
| Yy6CCQCEf8tNfEYDFzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAD
| |
|
| |
| K9uUhsXzpuUcWJq83Vh2HHSxZ/DdR6h+FNYHfEX8h8DOIwhRHhIHoqXkwwnpbjip
| |
|
| |
| FBtSzNKzTmzMQBwB7GwzGSsBO2TU8alX2ssnDg2AqwgIeLzclfaQlYoid678Krew
| |
|
| |
| nFryr9PYMntr7uyU1duesmey12GS2z5UIhA4BaOnrPJcLCP22nXVlPEsa46ob7XH
| |
|
| |
| j4ngZ0ck/qE58Z90GaAuxaa2R3OlHQ+AhXc3q5IixqMDa0MLPd41Qv2kC5iZ+tCf
| |
|
| |
| XVdlf4/RqQBNHR8FFVxcjpaROId9Y9/yHdsMt55nN7pf7vRf5vSk1bHvLmlOYgiR
| |
|
| |
| tAj6rdPq0c+/C+fct1cM
| |
|
| |
| -----END CERTIFICATE-----
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| Error: OVF Package is not supported by target:
| |
|
| |
| - Line -1: Unsupported value 'ethernet0.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'ethernet1.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'ethernet2.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'ethernet3.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.diskWiper.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.memSchedFakeSampleStats.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.diskShrink.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.vmxDnDVersionGet.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.unityActive.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'isolation.tools.guestDnDVersionSet.disable' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'snapshot.maxSnapshots' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| - Line -1: Unsupported value 'RemoteDisplay.maxConnections' for attribute 'key' on element 'ExtraConfig'.
| |
|
| |
| Completed with errors
| |
|
| |
| root@vc [ ~/ovftool ]#
| |
|
| |
| It looks like the --allowExtraConfig flag isn't behaving as expected here. While that flag usually allows unknown keys to pass through, some versions of ovftool and vCenter are still remarkably stubborn if they perceive those specific "ExtraConfig" keys as a security risk or a hardware incompatibility.
| |
|
| |
| Since the "soft" bypass (the flag) failed, we have to go with the "surgical" approach: stripping these requirements out of the OVF manually.
| |
|
| |
| Step 1: Unpack the OVA
| |
| The .ova file is just a tarball. Extract it so you can get to the XML descriptor.
| |
|
| |
| Bash
| |
| tar -xvf Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ova
| |
| You will now see a .ovf, a .mf (manifest), and one or more .vmdk files.
| |
|
| |
| Step 2: Strip the "ExtraConfig" lines
| |
| Open the .ovf file with vi or sed. We want to remove every line that contains ExtraConfig.
| |
|
| |
| The Quick Way (using sed):
| |
| This command creates a new file called cleaned.ovf with those lines removed.
| |
|
| |
| Bash
| |
| sed '/ExtraConfig/d' *.ovf > cleaned.ovf
| |
| The Manual Way (using vi):
| |
|
| |
| vi Security-Services-Platform-Installer-for-vDefend-5.2.0.0.0.25400625.ovf
| |
|
| |
| Search for ExtraConfig.
| |
|
| |
| Delete every line that looks like: <vmw:ExtraConfig vmw:key="..." vmw:value="..."/>.
| |
|
| |
| Save and exit (:wq).
| |
|
| |
| Step 3: Deploy using the OVF (Skipping Manifest)
| |
| Because you modified the .ovf file, the checksum stored in the .mf file is now "invalid." Instead of trying to recalculate the SHA hash, we will just tell ovftool to ignore the manifest check.
| |
|
| |
| Run this command:
| |
| (Note: We point to the .ovf file now, not the .ova, and we use --skipManifestCheck)
| |
|
| |
| Bash
| |
| ./ovftool --noSSLVerify --skipManifestCheck --name="SSPI" \
| |
| --datastore="nfs" \
| |
| --network="pg-01" \
| |
| cleaned.ovf \
| |
| 'vi://administrator%40vsphere.local:VMware1VMware!@vc.test/dc-01/host/cluster-01'
| |
| Why this is the "Nuclear Option"
| |
| By removing these lines, you are essentially telling vCenter: "Ignore the hardware optimizations (rxDataRing) and security hardening (isolation.tools) the developer requested; just give me a standard VM." For an installer/appliance like vDefend, this is perfectly fine for getting it booted. Once it's running, the appliance's internal logic usually takes over anyway.
| |
|
| |
| One final check: Ensure that pg-01 exists exactly as written (no spaces) on that cluster, as ovftool will error out immediately if the network mapping fails after the OVF is parsed.
| |
|
| |
| Does the cleaned.ovf get you past the "Unsupported value" errors?
| |
|
| |
| Thank works, can you turn it into a smple one-pager, seems to happen a lot
| |
|
| |
| Your PDF troubleshooting guide is ready.
| |
| PDF icon
| |
| ovftool_de...oyment_fix
| |
| PDF
| |
|
| |
| This one-pager covers the three-step "Surgical Fix" (Extract, Sed, and Deploy) and includes the correct syntax for the vCenter locator path, which was the second hurdle you encountered. Keep this on hand for future vDefend or NSX appliance deployments, as they frequently include these non-standard VMX parameters.
| |
|
| |
| Please turn it into mediawiki format
| |
|
| |
| Your MediaWiki formatted guide is ready.
| |
| TXT icon
| |
| ovftool_fi..._mediawiki
| |
| TXT
| |
|
| |
| MediaWiki Source Code
| |
| You can also copy and paste the source directly from here:
| |
|
| |
| Code snippet
| |
| == Troubleshooting: vSphere ovftool Deployment Errors == | | == Troubleshooting: vSphere ovftool Deployment Errors == |
|
| |
|
| Line 496: |
Line 36: |
| cleaned.ovf \ | | cleaned.ovf \ |
| 'vi://administrator%40vsphere.local:PASSWORD@vcenter-fqdn/DATACENTER/host/CLUSTER_NAME' | | 'vi://administrator%40vsphere.local:PASSWORD@vcenter-fqdn/DATACENTER/host/CLUSTER_NAME' |
| </source>
| |
|
| |
| === 3. Common Pathing (Locator) Fixes ===
| |
| If you receive the error <tt>Locator does not refer to an object</tt>, the path in your <tt>vi://</tt> URL is likely incorrect. vCenter requires a specific hierarchy:
| |
|
| |
| * '''Targeting a Cluster:''' <tt>vi://.../DATACENTER/host/CLUSTER_NAME</tt>
| |
| * '''Targeting a Resource Pool:''' <tt>vi://.../DATACENTER/host/CLUSTER_NAME/Resources/POOL_NAME</tt>
| |
| * '''Targeting a Specific Host:''' <tt>vi://.../DATACENTER/host/ESXI_HOSTNAME</tt>
| |
|
| |
| === 4. Notes ===
| |
| * '''ExtraConfig:''' Removing these lines deletes hardware optimizations and security hardening. For most appliances, this is non-critical for initial deployment and boot.
| |
| * '''Special Characters:''' Ensure the username (e.g., <tt>administrator@vsphere.local</tt>) is URL encoded (<tt>administrator%40vsphere.local</tt>).
| |
|
| |
|
| |
|
| |
|
| |
| Your Broadcom Inc. chats aren’t used to improve our models. Gemini is AI and can make mistakes. Your privacy & GeminiOpens in a new window
| |
|
| |
| == Troubleshooting: vSphere ovftool Deployment Errors ==
| |
|
| |
| This guide addresses common "Unsupported value" errors during OVF/OVA deployment to vCenter, typically caused by <tt>ExtraConfig</tt> parameters that are incompatible with the target host or security policies.
| |
|
| |
| === 1. The Common Error ===
| |
| Typically occurs when the OVA contains advanced VMX settings (like <tt>rxDataRingEnabled</tt> or <tt>isolation.tools</tt>) that the target vCenter/ESXi version does not recognize.
| |
|
| |
| <pre>
| |
| Error: OVF Package is not supported by target:
| |
| - Line -1: Unsupported value 'ethernet0.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
| |
| - Line -1: Unsupported value 'isolation.tools.*' ...
| |
| </pre>
| |
|
| |
| === 2. Solution: The Extraction & Clean Method ===
| |
| If the <tt>--allowExtraConfig</tt> flag fails, follow these steps to manually strip the problematic keys from the OVF descriptor.
| |
|
| |
| ==== Step 1: Unpack the OVA ====
| |
| The OVA file is a tar archive. Extract it to access the XML (.ovf) file.
| |
| <source lang="bash">
| |
| tar -xvf your-appliance.ova
| |
| </source>
| |
|
| |
| ==== Step 2: Strip ExtraConfig Lines ====
| |
| Use <tt>sed</tt> to remove all lines containing "ExtraConfig".
| |
| <source lang="bash">
| |
| sed '/ExtraConfig/d' *.ovf > cleaned.ovf
| |
| </source>
| |
|
| |
| ==== Step 3: Deploy via Cleaned OVF ====
| |
| Point ovftool to the new <tt>cleaned.ovf</tt> file. You '''must''' use the <tt>--skipManifestCheck</tt> flag because the OVF checksum has changed.
| |
| <source lang="bash">
| |
| ./ovftool --noSSLVerify --skipManifestCheck --name="MY_VM_NAME" --datastore="MY_DATASTORE" --network="MY_NETWORK" cleaned.ovf 'vi://administrator%40vsphere.local:PASSWORD@vcenter-fqdn/DATACENTER/host/CLUSTER_NAME'
| |
| </source> | | </source> |
|
| |
|
