Monday, March 25, 2019

Securely Adding Powershell Core and PowerCLI (VMware CLI for Powershell) to a Mac without Using Homebrew

Powershell Core is a fork from Microsoft's Powershell that is supported by Microsoft for use on Linux, Mac, and Linux ARM systems.  That's really useful for us that wanted a way to run scripted commands for changes in AD directly from a Mac (or Linux).

PowerCLI is VMware's contribution to scripting VMware

This wasn't a difficult task, but most of the sites really push Homebrew.  I'm in a spot where Homebrew is not used.  Loading VMware's CLI for Powershell called PowerCLI involved two steps of loading the Powershell Core 6.1.3 source tarball, then using the installed Powershell to install the VMware CLI.  There were some associated tasks for Powershell Core such as loading Openssl and Xcode Command Line tools that Powershell Core will use for remote scripting.  I followed the directions from the Microsoft Installing Powershell Core on MacOS page, but I did run into a few unexpected gotchas.

Here's how I did it:

Right now, the latest release is Powershell 6.1.3.  That will change over time.  You can grab the source from Microsoft's Git site for Powershell Core.  I used the powershell-6.1.3-osx-x64.tar.gz version for my download.

Once downloaded, be aware that the tarball is not a polite tarball.  If you open it in a common folder, it will spray about 267 items into that folder.  Microsoft wants you to create a directory under /usr/local for the contents of the tarball.  Microsoft suggests creating:

/usr/local/microsoft/powershell/6.1.3

to match the version downloaded.  Once you create the directory, move the tarball to that directory and unpack it with:

# gunzip powershell-6.1.3-osx-x64.tar.gz | tar -xvf powershell-6.1.3-osx-x64.tar

Once the tarball has been unpacked, Powershell's command, "pwsh" is in that directory but not in an executable state.  The Microsoft directions encourage you to just add executable bits to the file in the broadest way of "chmod +x pwsh".

Don't do that.  You'll create an admin owned, world-writable file.  Utterly dangerous and Microsoft's directions show that the writer really didn't know much about Unix permissions or how to exploit them.

Instead, use the following command:

# chmod 755 pwsh

Once you've made the file executable, you may want to tighten up the permissions on all of the rest of the files in that /usr/local/microsoft/powershell/6.1.3 directory because most of them are 766:
rwxrw-rw-  which means that any user or group on the system can write into those files and they're going to be owned by your Administrator account.  This is the definition of Dangerous on a Linux or Mac system.  Fix it with (because there are directories to descend into):

# find . -exec chmod g-w,o-w * {} \;

That command will strip write privileges from both group and other (plain users) from all of the files and directories.

Microsoft then asks you to link the "pwsh" executable file into /usr/local/bin which is on most users executable path.  Do this with:

#ln -s  /usr/local/bin/pwsh  /usr/local/microsoft/powershell/6.1.3/pwsh

Now you've got Powershell Core working for everyone.  Before celebrating, add the two dependencies that allow for remote scripting:  X-code Command Line Tools and OpenSSL

X-code Command Line Tools can be installed with this command:

# xcode-select --install

OpenSSL does not come installed on a Mac but Powershell Core obviously needs it.  Mac is using the Common Crypto package that Apple supports.  Our shop has installed LibreSSL and linked the openssl command to it.  This is going to require another full document to discuss how to install OpenSSL on a Mac without Homebrew.  I'll link the document Here when I finish it.

Powershell Core is now installed.  You can start celebrating.

Once you've finished the Powershell Core install, you can set up the PowerCLI install through Powershell like so:

# pwsh

PowerShell 6.1.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type 'help' to get help.

PS /usr/local/microsoft/powershell/6.1.3>

At the PS prompt, enter the command:

Install-Module -Name VMware.PowerCLI -Scope CurrentUser

And there....you've installed the PowerCLI API for Powershell Core.

Reference Docs for PowerCLI API:
https://www.vmware.com/support/developer/PowerCLI/PowerCLI651/html/

Commands to try:
Get-Module “VMware.PowerCLI” -ListAvailable | FT -Autosize

Connect-VIserver -server servername















No comments:

Post a Comment