HowTo Install Dell OpenManage 5.3 on Citrix XenServer 4.1 and have it listed in a central OpenManage Management System

Update 10/3/2008: I have successfully followed these directions to install OpenManage 5.4 under XenServer 5.0.

A few months ago I posted an article on how to install Dell OpenManage on a Citrix XenServer. Since then I've been wanting to have the Xen servers appear in our central OpenManage Management System so we can get central alerting of hardware issues. I've discovered a few gotcha's along the way, and figured it'd be a good idea to post one consolidated how-to for anyone interested.

This article pulls heavily on vendor documentation, but let me stress that as of the posting of this how-to, neither Citrix nor Dell officially support running OpenManage on a XenServer.

For reference, here are the documents I've used:

• Citrix's KnowledgeBase article on how to get IT Assistant, the client-side component also called "OpenManage Managed Node", also called "OpenManage Server Administrator", also known as "Dell OpenManage Server Administrator Managed Node". Seriously, different names names all depending on the readme, package file, or Dell's support site.
• Dell's page from the 5.3 manual on configuring SNMP under Linux

And the software you'll need is:

• Citrix XenServer 4.1
• Dell OpenManage Management Station installed on a Windows server somewhere and properly configured/working, with your SNMP traps/destinations/communities configured for the IP range the XEN server is on.
  
• Dell OpenManage Managed Node 5.3 for RedHat Enterprise
  

Okay, now lets begin. I suggest doing all of these changes on a test system first. At the end, I'd suggest consolidating all of the changed files and make a new .tar.gz file to deploy to your other servers.

Step 1: Modify the OpenManage installation package
Remember, this isn't an officially supported solution, so if you try to run the Server Administrator Managed Node installation right away, you'll get an error that it doesn't recognize Xen's linux distribution (CentOS, fyi).

1. Copy the tar.gz file to your Xen host. I use WinSCP for this.
   
2. Extract the tar.gz you downloaded to a temporary folder:
   tar -xzf OM_5.3.0_ManNode_A00.tar.gz
   
3. Edit the file "setup.sh":
   vi setup.sh
   
4. Change the lines 2972 and 2973 as follows:
   2972: GBL_OS_TYPE=${GBL_OS_TYPE_UKNOWN}
   2973: GBL_OS_TYPE_STRING="UKNOWN"
   Become:
   2972: GBL_OS_TYPE=${GBL_OS_TYPE_RHEL5}
   2973: GBL_OS_TYPE_STRING="RHEL5"
5. Save the file

Step 2: Aquire "lockfile"
I noticed originally when running the "setup.sh" script, that as it tried to start the services the inventory service would fail with an error

Warning: The lockfile utility is not found in PATH or /usr/bin.
This utility prevents concurrent executions of setup.sh
which can lead to unexpected or invalid installation results.

Or with:

no lockfile in (/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin)
invcol Error: Cannot find utilities on the system to execute Inventory
Collector.
Make sure the following utilities are in the path: tar gzip tail rm mkdir
chmod ls basename wc lockfile stat

I figured the easiest way to get this file would be to run YUM, the CentOS repository system which Xen helpfully left in. This, of course, had its own set of issues. From my previous article on YUM under Xen, you may need to do the following. I'd suggest first testing if "lockfile" exists by typing "which lockfile". If you don't have "lockfile" installed, then proceed:

Xen is using CentOS for their host OS, but they disable the CentOS repository and enable what appears to be a non-existent/functional Xen repository. Whenever you try to use Yum, it throws an error that the repository checksum is invalid:

http://updates.xensource.com/XenServer/4.0.96/domain0/repodata/primary.xml.gz: [Errno -1] Metadata file does not match checksum
Trying other mirror.
Error: failure: repodata/primary.xml.gz from xensource: [Errno 256] No more mirrors to try.

To resolve this temporarily, and only on my test system, I edited /etc/yum.repos.d/XenSource.repo and changed the following line:

enabled=1

to:

enabled=0

I then edited /etc/yum/repos.d/CentOS-Base.repo and changed the following line under the top "[base]" section

enabled=0

to:

enabled=1

"yum whatprovides lockfile" now returned a bunch of results. It seems "lockfile" is part of the postfix package. To get this file I:

1. ran "yum install postfix"
2. copied "/usr/bin/lockfile" to a temporary location
3. ran "yum remove postfix"
4. copied "lockfile" back to "/usr/bin/lockfile"

Now starting the services ("/opt/dell/srvadmin/omil/supportscripts/srvadmin-services.sh restart") no longer shows an error and I can see the inventory in the GUI

Step 3: Configure SNMP
This can actually be fairly complex depending on your SNMP setup in your environment. I'm going to assume you're doing a simple configuration here, where you have two communities set up in your OpenManage Management System for this IP range: "MY_READ" and "MY_WRITE" configured for read and write access, respectively. In this case, just copy in what I have below, after making a backup of the original.

If you want an explanation of the options and conventions used below, try "man snmpd.conf", Google "snmpd.conf", or read Dell's page from the 5.3 manual on configuring SNMP under Linux. If you get stuck, feel free to leave a comment here and I'll help you as best I can.

1. Rename the original snmpd.conf file:
   mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig
2. Copy the following into a new /etc/snmp/snmpd.conf file, changing the "MY" strings to your own:

# Map users to community strings
# sec.name source community
com2sec U_ReadOnly default MY_READ
com2sec U_ReadWrite default MY_WRITE

# Map users to groups
# groupName securityModel securityName
group G_ReadOnly any U_ReadOnly
group G_ReadWrite any U_ReadWrite

# create view
# name incl/excl subtree mask(optional)
view all included .1

# grant rights to the above views
# group context sec.model sec.level prefix read write notif
access G_ReadOnly "" any noauth exact all none none
access G_ReadWrite "" any noauth exact all all none

# Set trap destination
trapsink my.openmanage.server MY_MANAGEMENT

# Allow localhost access
rocommunity MY_READ 127.0.0.1
rwcommunity MY_WRITE 127.0.0.1

# Allow remote hosts access
rocommunity MY_READ my.openmanage.server
rwcommunity MY_WRITE my.openmanage.server


# Below has been left in from the default snmpd.conf file:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)

# Added for support of bcm5820 cards.
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat

# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX
smuxpeer .1.3.6.1.4.1.674.10892.1

Now, restart SNMP by typing:
service snmpd restart

Step 4: Modify IPTABLES
XenServer contains a firewall that needs to be modified before OpenManage can see this node.

Below are my modifications to the iptables file. You only really need the lines for UDP 161 and UDP 162. The TCP 1311 is if you choose to install the "Web Administration Console", which I don't because it takes up 100M of RAM.

1. Make a backup copy of the current iptables file, just in case:
   cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
2. Edit the file as below, adding in the BOLD lines in the same place. This is important as the order of the file determines what is allowed. If you simply append these lines to the end, traffic will be blocked:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 162 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1311 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now, restart iptables by typing:
service iptables restart

Step 5: Install OpenManage
Finally :)

1. Change to the directory where you extracted "setup.sh"
2. Execute the setup script:
   ./setup.sh
3. You'll be prompted with a screen asking you which options to select. I generally only install 1,3,4,5. Option 2, "Server Administrator Web Server" will consume at least 100M of the XenServer RAM so I usually leave it off. After you selected your options, press "i" to install
4. Follow the prompts checking for errors. I usually take all the defaults from here
5. When prompted, go ahead and start the services. Watch for errors

Thats it!

Now go to your OpenManage Management System console and initiate a "Discovery and Inventory" of the IP range for this XenServer. It should show up.

For reference, you can stop/start the OpenManage services by running:
/opt/dell/srvadmin/omil/supportscripts/srvadmin-services.sh stop
/opt/dell/srvadmin/omil/supportscripts/srvadmin-services.sh start

And you can uninstall it by running:
/opt/dell/srvadmin/omil/supportscripts/srvadmin-uninstall.sh

Step 6 (optional): Repackage all of this as a new tar.gz
I did the following to ease deployment, as this is a lot of steps.

1. I copied the snmpd.conf, iptables, and lockfile to my extracted "openmanage" folder:
   cp /etc/snmp/snmpd.conf /root/openmanage/
   cp /etc/sysconfig/iptables /root/openmanage/
   cp /usr/bin/lockfile /root/openmanage/
2. I wrote a wrapper for setup.sh to make the above changes for me prior to running setup.sh. The contents of the wrapper script are below.
3. After creating the wrapper script, I made sure it was executable:
   chmod +x /root/openmanage/setup_wrapper.sh
4. I made a new tarball of all of this:
   cd /root
   tar -czf modified_om_5.3_mannode.tar.gz openmanage/

Pay attention, there's a space between "gz" and "openmanage/"

My wrapper script:

#!/bin/sh
# version 8.5.20 Aaron Dodd
# back up existing config files
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

#copy in new config files
cp iptables /etc/sysconfig/iptables
cp snmpd.conf /etc/snmp/snmpd.conf

cp lockfile /usr/bin/lockfile

# restart affected daemons
service snmpd restart
service iptables restart

./setup.sh