Mass Removal of VIB (in this case, Nexus 1kv)

I have a customer that is migrating off the Nexus 1000v onto the (much preferred IMHO) VMware Distributed Virtual Switch.  The last step of clean-up after migrating ESXi hosts off the Nexus DVS calls for removal of the Cisco VEM installed on each ESXi host by way of a VIB.

To simplify removal of this across multiple hosts, safely and with respect to production environment change requirements (host must be in maintenance mode when making changes), I wrote this short PowerCLI script that leverages Get-EsxCli to avoid using SSH on each host.

Using the script: I placed several ESXi hosts into maintenance mode, ran the script to remove the VIBs on those hosts, and then repeated the process with a new group of hosts until the VIB had been removed from all hosts in the environment.

This can be modified to remove any VIB in a similar manner, by changing the last parameter of the .remove() method call.

The definition for this method:

vim.EsxCLI.software.vib.remove.InstallationResult remove(boolean dryrun, boolean force, boolean maintenancemode, boolean noliveinstall, string[] vibname)

  • dryrun – set to $true for a test, I set to $false since I want the VIB removed
  • force – I set to $false as I want to throw an error if the VIB can’t be removed normally
  • maintenancemode – I set to $true as that was a requirement when using esxcli to remove the VIB manually
  • noliveinstall – This apparently optionally excludes the running ESXi image from the removal, and only targets the boot image for removal.  I assume this would be useful if you wanted to wait until the next reboot to enforce your changes.  I set to $false to allow the live image to be modified
  • vibname – string array containing a list of VIBs to remove, in this case just a single VIB.

Sample output:

Worked like a charm.  Since Get-EsxCli object methods follow the same command space as esxcli, you also have .get(), .install(), .list(), and .update() at your disposal.  Have fun!
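A sketch of the removal loop described above, as an added example and not the script from the original post. It assumes an existing Connect-VIServer session and the five-argument .remove() signature quoted above (the Get-EsxCli interface without -V2); the VIB name is a placeholder to be replaced with the name reported by .list() on one of your hosts.

```powershell
# Added example, not the original author's script.
# Assumes Connect-VIServer has already been run in this session.
# Placeholder: replace with the exact VIB name shown by $esxcli.software.vib.list().
$VibName = '<vib-name-placeholder>'

# Change-control guard: only act on hosts that are already in maintenance mode.
$targets = Get-VMHost | Where-Object { $_.ConnectionState -eq 'Maintenance' }

foreach ($vmhost in $targets) {
    $esxcli = Get-EsxCli -VMHost $vmhost

    # Skip hosts where the VIB is not present, so re-runs are harmless.
    $installed = $esxcli.software.vib.list() | Where-Object { $_.Name -eq $VibName }
    if (-not $installed) {
        Write-Host "$($vmhost.Name): $VibName not installed, skipping"
        continue
    }

    try {
        # Argument order: dryrun, force, maintenancemode, noliveinstall, vibname.
        # First pass is a dry run; it throws if the removal would fail.
        $null = $esxcli.software.vib.remove($true, $false, $true, $false, $VibName)

        # Second pass performs the removal, still without force.
        $result = $esxcli.software.vib.remove($false, $false, $true, $false, $VibName)

        # Emit one record per host for the change ticket.
        [pscustomobject]@{
            Host           = $vmhost.Name
            Message        = $result.Message
            RebootRequired = $result.RebootRequired
            VIBsRemoved    = $result.VIBsRemoved -join ', '
        }
    }
    catch {
        # Leave the host untouched and report the failure instead of forcing it.
        Write-Warning "$($vmhost.Name): removal of $VibName failed: $($_.Exception.Message)"
    }
}
```

Piping the output to Export-Csv gives a per-host record of what was removed and which hosts still need a reboot.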

 

Windows Certificate Authority and VMware NSX Manager

Using a Windows Server 2012 R2 Certificate Authority to issue a new cert to NSX Manager, I followed the KB below to add a new certificate template to my Windows CA.

After opening the NSX Manager web interface, I generated a new certificate request and submitted the CSR to my AD Certificate Authority using the web enrollment feature.

And then downloaded the new certificate and chain in base64 format:

Then I opened the certificate chain file (.p7b) and exported the CA cert into its own .CER file:

And saved this as chain.cer, which I then combined using Notepad++ with certnew.cer downloaded from the Windows CA in a previous step.

I then uploaded this new combined .cer file back to the NSX Manager:

Success!

As you can see, both the CA certificate and new NSX Manager certificate loaded successfully.  If this were a more complex PKI deployment, with intermediate CAs, those would have been added to the combined .cer file and would also show up in the NSX Manager SSL Certificates list here.