Added Error Handling and Pre-Checks
@@ -16,16 +16,20 @@ function Set-VMHostSecureNTP {
|
|||||||
|
|
||||||
function SetSecure ($MyHost) {
|
function SetSecure ($MyHost) {
|
||||||
## Get NTP Service
|
## Get NTP Service
|
||||||
|
"Get NTP Service from VMHost ..."
|
||||||
$NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"}
|
$NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"}
|
||||||
## Stop NTP Service if running
|
## Stop NTP Service if running
|
||||||
|
"Stop NTP Service if running ..."
|
||||||
if($NTPService.Running -eq $True){
|
if($NTPService.Running -eq $True){
|
||||||
Stop-VMHostService -HostService $NTPService -Confirm:$false | Out-Null
|
Stop-VMHostService -HostService $NTPService -Confirm:$false | Out-Null
|
||||||
}
|
}
|
||||||
## Enable NTP Service
|
## Enable NTP Service
|
||||||
|
"Enable NTP Service if disabled..."
|
||||||
if($NTPService.Policy -ne "on"){
|
if($NTPService.Policy -ne "on"){
|
||||||
Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null
|
Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null
|
||||||
}
|
}
|
||||||
## Remove all existiing NTP Servers
|
## Remove all existiing NTP Servers
|
||||||
|
"Remove all existiing NTP Servers ..."
|
||||||
try {
|
try {
|
||||||
foreach ($OldNtpServer in ($MyHost | Get-VMHostNtpServer)) {
|
foreach ($OldNtpServer in ($MyHost | Get-VMHostNtpServer)) {
|
||||||
$MyHost | Remove-VMHostNtpServer -NtpServer $OldNtpServer -Confirm:$false
|
$MyHost | Remove-VMHostNtpServer -NtpServer $OldNtpServer -Confirm:$false
|
||||||
@@ -35,28 +39,79 @@ function Set-VMHostSecureNTP {
|
|||||||
Write-Warning "Error during removing existing NTP Servers on Host '$($MyHost.Name)'."
|
Write-Warning "Error during removing existing NTP Servers on Host '$($MyHost.Name)'."
|
||||||
}
|
}
|
||||||
## Set New NTP Servers
|
## Set New NTP Servers
|
||||||
|
"Set New NTP Servers ..."
|
||||||
foreach ($myNTP in $NTP) {
|
foreach ($myNTP in $NTP) {
|
||||||
$MyHost | Add-VMHostNtpServer -ntpserver $myNTP -confirm:$False | Out-Null
|
$MyHost | Add-VMHostNtpServer -ntpserver $myNTP -confirm:$False | Out-Null
|
||||||
}
|
}
|
||||||
## Set Current time on Host
|
## Set Current time on Host
|
||||||
|
"Set Current time on VMHost ..."
|
||||||
$HostTimeSystem = Get-View $MyHost.ExtensionData.ConfigManager.DateTimeSystem
|
$HostTimeSystem = Get-View $MyHost.ExtensionData.ConfigManager.DateTimeSystem
|
||||||
$HostTimeSystem.UpdateDateTime([DateTime]::UtcNow)
|
$HostTimeSystem.UpdateDateTime([DateTime]::UtcNow)
|
||||||
## Start NTP Service
|
## Start NTP Service
|
||||||
|
"Start NTP Service ..."
|
||||||
Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null
|
Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null
|
||||||
## Get NTP CLient Forewall Rule
|
## Get ESXCLI -V2
|
||||||
$esxcli = Get-ESXCLI -VMHost $MyHost -v2
|
$esxcli = Get-ESXCLI -VMHost $MyHost -v2
|
||||||
$esxcliargs = $esxcli.network.firewall.ruleset.rule.list.CreateArgs()
|
## Get NTP Client Firewall
|
||||||
$esxcliargs.rulesetid = "ntpClient"
|
"Get NTP Client Firewall ..."
|
||||||
try {
|
try {
|
||||||
$esxcli.network.firewall.ruleset.rule.list.Invoke($esxcliargs)
|
$FirewallGet = $esxcli.network.firewall.get.Invoke()
|
||||||
}
|
}
|
||||||
catch [System.Exception] {
|
catch [System.Exception] {
|
||||||
Write-Warning "Error during Rule List. See latest errors..."
|
Write-Warning "Error during Rule List. See latest errors..."
|
||||||
}
|
}
|
||||||
|
"`tLoded: $($FirewallGet.Loaded)"
|
||||||
|
"`tEnabled: $($FirewallGet.Enabled)"
|
||||||
|
"`tDefaultAction: $($FirewallGet.DefaultAction)"
|
||||||
|
## Get NTP Client Firewall Rule
|
||||||
|
"Get NTP Client Firewall RuleSet ..."
|
||||||
|
$esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs()
|
||||||
|
$esxcliargs.rulesetid = "ntpClient"
|
||||||
|
try {
|
||||||
|
$FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs)
|
||||||
|
}
|
||||||
|
catch [System.Exception] {
|
||||||
|
Write-Warning "Error during Rule List. See latest errors..."
|
||||||
|
}
|
||||||
|
"`tEnabled: $($FirewallRuleList.Enabled)"
|
||||||
|
"Get NTP Client Firewall Rule AllowedIP ..."
|
||||||
|
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs()
|
||||||
|
$esxcliargs.rulesetid = "ntpClient"
|
||||||
|
try {
|
||||||
|
$FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs)
|
||||||
|
}
|
||||||
|
catch [System.Exception] {
|
||||||
|
Write-Warning "Error during Rule List. See latest errors..."
|
||||||
|
}
|
||||||
|
"`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses)"
|
||||||
|
## Remove Existing IP from firewall rule
|
||||||
|
## BUG: If AllowedIP was enabled and is disabled now, old IPs will not be removed
|
||||||
|
"Remove Existing IP from firewall rule ..."
|
||||||
|
if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") {
|
||||||
|
foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) {
|
||||||
|
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs()
|
||||||
|
$esxcliargs.rulesetid = "ntpClient"
|
||||||
|
$esxcliargs.ipaddress = $IP
|
||||||
|
try {
|
||||||
|
$esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs)
|
||||||
|
}
|
||||||
|
catch [System.Exception] {
|
||||||
|
Write-Warning "Error during AllowedIP remove. See latest errors..."
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
## Set NTP Client Firewall Rule
|
## Set NTP Client Firewall Rule
|
||||||
|
"Set NTP Client Firewall Rule ..."
|
||||||
|
if ($FirewallRuleList.Enabled -ne $True -or $FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") {
|
||||||
$esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs()
|
$esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs()
|
||||||
|
if ($FirewallRuleList.Enabled -ne $True) {
|
||||||
$esxcliargs.enabled = "true"
|
$esxcliargs.enabled = "true"
|
||||||
|
}
|
||||||
|
if ($FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") {
|
||||||
$esxcliargs.allowedall = "false"
|
$esxcliargs.allowedall = "false"
|
||||||
|
}
|
||||||
$esxcliargs.rulesetid = "ntpClient"
|
$esxcliargs.rulesetid = "ntpClient"
|
||||||
try {
|
try {
|
||||||
$esxcli.network.firewall.ruleset.set.Invoke($esxcliargs)
|
$esxcli.network.firewall.ruleset.set.Invoke($esxcliargs)
|
||||||
@@ -64,7 +119,10 @@ function Set-VMHostSecureNTP {
|
|||||||
catch [System.Exception] {
|
catch [System.Exception] {
|
||||||
Write-Warning "Error during Rule Set. See latest errors..."
|
Write-Warning "Error during Rule Set. See latest errors..."
|
||||||
}
|
}
|
||||||
|
}
|
||||||
## Set NTP Client Firewall Rule AllowedIP
|
## Set NTP Client Firewall Rule AllowedIP
|
||||||
|
## BUG: If AllowedIP was enabled and is disabled now, a duplicate Ip Cannot be added
|
||||||
|
"Set NTP Client Firewall Rule AllowedIP ..."
|
||||||
foreach ($myNTP in $NTP) {
|
foreach ($myNTP in $NTP) {
|
||||||
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
|
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
|
||||||
$esxcliargs.ipaddress = $myNTP
|
$esxcliargs.ipaddress = $myNTP
|
||||||
@@ -73,7 +131,7 @@ function Set-VMHostSecureNTP {
|
|||||||
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs)
|
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs)
|
||||||
}
|
}
|
||||||
catch [System.Exception] {
|
catch [System.Exception] {
|
||||||
Write-Warning "Error during Rule Update. See latest errors..."
|
Write-Warning "Error during Rule AllowedIP Update. See latest errors..."
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
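Review bot: The stale-IP situation the two new `## BUG:` comments acknowledge is an ordering defect that the commit leaves in place: `allowedip.list` is read and pruned before the `ruleset.set` block turns `allowedall` off, so on a host currently set to "All" the list apparently reports only "All" (which is what the `-ne "All"` guard assumes), the previously configured addresses are never removed, and once `allowedall = "false"` is applied they become active again while the later `allowedip.add` fails on duplicates — the host ends up allowing NTP traffic to addresses the caller did not request. Running the `ruleset.set` block first (enable the ruleset and set `allowedall` to "false" when needed), then listing and removing every address returned by `allowedip.list`, then adding `$NTP`, resolves both BUG comments without new code. The pre-check prints `$FirewallGet.Enabled` and `.DefaultAction` but never acts on them, and a failed `allowedip.list` leaves `$FirewallRuleAllowedIPList` null so the removal loop is silently skipped; a `Write-Warning` when `$FirewallGet.Enabled -ne $True` or when any of the three list calls threw would make it visible that the restriction is not in effect. The three catch messages read identically (`"Error during Rule List. See latest errors..."`) and should name the call that failed, and the new status line has a typo: `"`tLoaded: $($FirewallGet.Loaded)"`. SetSecure is fully inside this section, but the enclosing Set-VMHostSecureNTP continues outside it.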