Updating HPE iLO Firmware using PowerShell
Introduction
On the Scottish VMUG Slack the other day James Cruickshank alerted us about a vulnerability on HPE iLO 4’s running firmware prior to v2.53.
I was already covered as I was running 2.55 but I thought I would detail how I use the HPE iLO PowerShell cmdlets to mass update my iLOs.
v2.00 of the HPE iLO Cmdlets
I previously wrote about HP iLO Cmdlets in the post HPE ProLiant iLO Configuration using PowerShell back in February 2017. Back then the Cmdlets were snap-ins that needed to be installed via a downloaded installer.
I’m glad to say HPE have released them now as a module in the PowerShell Gallery. If you have the previous version installed uninstall the program. You can then go to a PowerShell session (ran as an Administrator) and install from the gallery:
Install-Module -Name HPEiLOCmdlets
Get-InstalledModule -Name HPEiLOCmdlets
Version Name Repository Description
------- ---- ---------- -----------
2.0.0.0 HPEiLOCmdlets PSGallery Scripting Tools for Windows PowerShell : iLO Cmdlets...
Defining the variables
Lets setup some required variables first:
# Variables
$iLOs = "10.10.1.100-120"
$iLOType = "Integrated Lights-Out 4 (iLO 4)"
$firmwareVersion = "2.60"
$firmwareFile = "C:\Temp\ilo4_260.bin"
$username = "Administrator"
$password = ConvertTo-SecureString -String "Password1" -AsPlainText -Force
$credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $username,$password
Let’s look at what we did. First of all we set an IP range we scan for iLOs to respond on. I keep my iLOs on a defined range of addresses such as 10.10.1.100-120
. Next we are only interested in iLO 4’s so we define the type in $iLOType
. Valid entries are:
- Integrated Lights-Out 3 (iLO 3)
- Integrated Lights-Out 4 (iLO 4)
- Integrated Lights-Out 5 (iLO 5)
Next we define the iLO version we want to upgrade to (2.60 is the latest available) and where we are storing the downloaded firmware file.
Finally we store some credentials. Username is a plain text but we need to store the password as a secure string. Next we combine the username and password to create a credential object. This will be used later to connect to the iLOs.
Find the iLOs to Update
Next up is to find the servers we need to update and put them into a variable:
# Find all iLO's that don't match the required version
$foundServers = Find-HPEiLO -Range $iLOs | Where-Object -Property PN -EQ $iLOType | Where-Object -Property FWRI -NE $FirmwareVersion
I’m going to break that down. First of all we are going to put the list of iLOs to update into a variable called $foundServers
. We use the cmdlet Find-HPEiLO
to do this. We pass it the -Range
of IP’s we want to scan, which we defined as the variable $iLOs
. From all the servers that respond in the list we only want to select the ones requiring a firmware update.
First we only find iLO 4’s so we use Where-Object -Property PN -EQ $iLOType
. We are saying to only choose iLOs where the iLO Property Part Number, PN
is equal -EQ
to the variable $iLOType
. Next we refine this list even further. We check the firmware version property FWRI
and find where that is not equal NE
to the firmware version defined in the variable $firmwareVersion
.
If you want to check which servers it found, just type in $foundServers
and it will list all the servers identified.
Connecting to the iLOs
Now we have a list of the servers in the variable $foundServers
we need to connect to them. We use the cmdlet Connect-HPEiLO
:
# Connect the iLOs that need updated
$connection = $foundServers | Connect-HPEiLO -Credential $credential
We are creating another variable $connection
and passing to it the connected iLOs. We use pipe the list of iLOs, $foundServers
to Connect-HPEiLO
. We send the credential object we created earlier for authentication. Note if you don’t have the iLOs signed by a valid certificate you will need to add the parameter -DisableCertificateAuthentication
.
So we now have a connection setup to all the iLOs that need an update.
Updating the Firmware
This is very simple:
Update-HPEiLOFirmware -Connection $connection -Location $firmwareFile -Confirm:$false
We pass the $connection
created with the Location of the firmware file on the local drive. If you want to skip the confirmation use -Confirm:$false
. The firmware is pushed to the iLOs.
Verification of the Update
So we sound check the firmware was applied. We use the cmdlet Get-HPEiLOFirmwareVersion
passing the $connection
again:
Get-HPEiLOFirmwareVersion -Connection $connection
Disconnecting from the iLOs
Finally we close the connection to the iLOs:
Disconnect-HPEiLO -Connection $connection
Sample Run
Here is an output of a sample run of the the cmdlets:
PS C:\> $iLOs = "10.10.1.100-120"
$iLOType = "Integrated Lights-Out 4 (iLO 4)"
$firmwareVersion = "2.60"
$firmwareFile = "C:\Temp\ilo4_260.bin"
$username = "Administrator"
$password = ConvertTo-SecureString -String "Password1" -AsPlainText -Force
$credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $username,$password
PS C:\> $foundServers = Find-HPEiLO $iLOs | Where-Object -Property PN -EQ $iLOType | Where-Object -Property FWRI -NE $FirmwareVersion
WARNING: It might take a while to search for all the iLOs if the input is a very large range.Use Verbose for more information
.
PS C:\> $foundServers
IP : 10.10.1.100
Hostname : esxi-01-ilo.corp.contoso.com
SPN : ProLiant DL360p Gen8
FWRI : 2.55
PN : Integrated Lights-Out 4 (iLO 4)
SerialNumber : XXXXXXXXXX
cUUID : 39363436-3130-5A43-1234-333730433351
IP : 10.10.1.101
Hostname : esxi-02-ilo.corp.contoso.com
SPN : ProLiant DL360 Gen9
FWRI : 2.55
PN : Integrated Lights-Out 4 (iLO 4)
SerialNumber : XXXXXXXXXX
cUUID : 32353537-3236-584D-1234-323030364C44
IP : 10.10.1.107
Hostname : ma-01-ilo.corp.contoso.com
SPN : ProLiant DL380p Gen8
FWRI : 2.55
PN : Integrated Lights-Out 4 (iLO 4)
SerialNumber : XXXXXXXXXX
cUUID : 35343037-3935-5A43-1234-3432324B3138
PS C:\> $Connection = $foundServers | Connect-HPEiLO -Credential $credential
PS C:\> Update-HPEiLOFirmware -Connection $connection -Location $firmwareFile -Confirm:$false
WARNING: Update is in progress, this might take several minutes.
IP Hostname Status StatusInfo
-- -------- ------ ----------
10.10.1.100 esxi-01-ilo.corp.contoso.com WARNING HPE.iLO.Response.StatusInfo
10.10.1.101 esxi-02-ilo.corp.contoso.com WARNING HPE.iLO.Response.StatusInfo
10.10.1.107 ma-01-ilo.corp.contoso.com WARNING HPE.iLO.Response.StatusInfo
PS C:\> Get-HPEiLOFirmwareVersion -Connection $connection
FirmwareDate : May 23 2018
FirmwareVersion : 2.60
ManagerType : iLO 4
IP : 10.10.1.100
Hostname : esxi-01-ilo.corp.contoso.com
Status : OK
StatusInfo :
FirmwareDate : May 23 2018
FirmwareVersion : 2.60
ManagerType : iLO 4
IP : 10.10.1.101
Hostname : esxi-02-ilo.corp.contoso.com
Status : OK
StatusInfo :
FirmwareDate : May 23 2018
FirmwareVersion : 2.60
ManagerType : iLO 4
IP : 10.10.1.107
Hostname : ma-01-ilo.corp.contoso.com
Status : OK
StatusInfo :
PS C:\> Disconnect-HPEiLO -Connection $Connection
Conclusion
As you can see with a few simple commands you can automate the installation across many iLOs at the same time. Why waste time manually logging into each iLO web console and pushing the firmware. Automate all the things.
There are lots of other iLO cmdlets available as part of the module:
PS C:> Get-Command -Name *HPE* | measure
Count : 214
Go investigate!