Skip to main content

Illumio Core 22.2 Install, Configure, Upgrade

Prepare Scripts

The prepare script is used for creating golden images to activate the VEN the first time the image is booted.

Prepare Golden Image for Workload Installation

Many organizations use “golden images” for faster deployment. When using a golden image to install a VEN, you have two options for pairing with the PCE:

  • Option 1: Use a modified version of the Illumio Core pairing script called prepare to ensure these golden images have the VEN pre-installed.

  • Option 2: Use the illumio-ven-ctl control script.

Important

  • Avoid activating the VEN prematurely: If you will enable your images with the prepare script, make sure to do so as the last step in your process for building the image. The prepare script takes effect at the next system boot, which means the VEN might be activated prematurely on the image itself. If you have other software to install on the image and the image requires reboot, the VEN is activated at once, which is not desirable.

  • Specify the correct activation code type: There are two types of activation codes in the pairing profile available in the PCE web console: one-time use and unlimited use. Be sure to specify the correct type for your needs. For more information, see Configure Pairing Key Usage and Lifespan.

Option 1: Prepare the workload using the Pairing Profile/Pairing script

This option relies on a modified version of the Illumio Core pairing script called prepare to ensure these golden images have the VEN pre-installed.

  1. In the PCE web console, create a pairing profile or select an existing pairing profile. For information, see Pairing Profiles and Scripts.

  2. Copy the pairing script.

  3. In the copy of the script, change all occurrences of pair to prepare.

  4. Execute the modified script on the image.

The prepare script installs the VEN on the image. When the prepare script finishes, the VEN is stopped. The script configures the VEN to start the next time the workload is booted.

Option 2: Prepare the workload with illumio-ven-ctl

Use illumio-ven-ctl to place the image in prepare mode.

From a command line, execute illumio-ven-ctl, making sure to include the prepare argument and the management-server and activation-code information shown in the following examples.

Windows: use single dashes (-)

<VEN Installation Directory>\illumio-ven-ctl prepare -management-server <pce_fqdn:port> -activation-code <activation_key>

Linux: use double dashes (--)

<VEN Installation Directory>/illumio-ven-ctl prepare -–management-server <pce_fqdn:port> --activation-code <activation_key>
Auto Scaling Linux Workloads

To enable auto scaling for Linux workloads, perform the following steps:

  1. Select an existing VM instance that you want to create a new instance for.

  2. Inside the PCE web console, create a pairing profile (or select an existing pairing profile).

  3. Copy the Linux pairing script and paste it into a text editor.

    rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl --tlsv1 "https://pce.example.com:8443/api/v18/software/ven/image?pair_script=pair.sh&profile_id=1" -o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server pce.example.com:8443 --activation-code 11a12969c511197eb7ae1e175b9b49382fe1bc011b2a2228c8a184cc6c9f75663325146e5d5ac7c5d

  4. Find all occurrences in the script where pair.sh is used and replace them with prepare.sh so that the script looks like this:

    rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl --tlsv1 "https://pce.example.com:8443/api/v18/software/ven/image?pair_script=prepare.sh&profile_id=1" -o /opt/illumio_ven_data/tmp/prepare.sh && chmod +x /opt/illumio_ven_data/tmp/prepare.sh && /opt/illumio_ven_data/tmp/prepare.sh --management-server pce.example.com:8443 --activation-code 11a12969c511197eb7ae1e175b9b49382fe1bc011b2a2228c8a184cc6c9f75663325146e5d5ac7c5d

    The prepare.sh script installs the VEN on the new workload and configures it so the VEN starts running as soon as the new workload is instantiated.

  5. Run the modified script on the Linux instance.

  6. Configure your auto scaling policy to use an image that contains the prepare script.

The prepare.sh script installs the VEN on the new workload and configures it so the VEN starts running as soon as the new workload is instantiated.

Auto Scaling for Windows Workloads

To enable auto scaling for Windows workloads, perform the following steps:

  1. Select an existing VM instance that you want to create a new instance for.

  2. In the PCE web console, create a pairing profile (or use an existing pairing profile).

  3. Copy the Windows pairing script and paste it into a text editor.

    PowerShell -Command "& {Set-ExecutionPolicy -Scope process remotesigned -Force; Start-Sleep -s 3; Set-Variable -Name ErrorActionPreference -Value SilentlyContinue; [System.Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([System.Net.SecurityProtocolType], 3072); Set-Variable -Name ErrorActionPreference -Value Continue; (New-Object System.Net.WebClient).DownloadFile('https://pce.example.com:8443/api/v18/software/ven/image?pair_script=pair.ps1&profile_id=1', (echo $env:windir\temp\pair.ps1)); & $env:windir\temp\pair.ps1 -management-server pce.example.com:8443 -activation-code 11a12969c511197eb7ae1e175b9b49382fe1bc011b2a2228c8a184cc6c9f75663325146e5d5ac7c5d;}"

  4. Find all occurrences in the script where pair.ps1 is used and replace them with prepare.ps1. so that the script looks like this:

    PowerShell -Command "& {Set-ExecutionPolicy -Scope process remotesigned -Force; Start-Sleep -s 3; Set-Variable -Name ErrorActionPreference -Value SilentlyContinue; [System.Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([System.Net.SecurityProtocolType], 3072); Set-Variable -Name ErrorActionPreference -Value Continue; (New-Object System.Net.WebClient).DownloadFile('https://pce.example.com:8443/api/v18/software/ven/image?pair_script=prepare.ps1&profile_id=1', (echo $env:windir\temp\prepare.ps1)); & $env:windir\temp\prepare.ps1 -management-server pce.example.com:8443 -activation-code 11a12969c511197eb7ae1e175b9b49382fe1bc011b2a2228c8a184cc6c9f75663325146e5d5ac7c5d;}"

  5. Run the modified script on the Windows instance.

  6. Configure your auto scaling policy to use the prepared image.

The prepare.ps1 script installs the VEN and configures it such that the VEN starts running as soon as the new workload is instantiated.

See also: