2013 has been an amazing year for me – I was awarded the vExpert title, I’ve taken and passed my VCP5-DCV, VCAP5-DCA and VCAP5-DCD and spoken at the London and UK national VMUGs. I’ve attended my first VMworld and spent countless hours in the lab and on study, generating about 30 blog posts. All I can say is that it’s been a truly blessed year.
After two and a half years working as a Senior Infrastructure Analyst for a global insurance company, the time has come for a change! For a while now I’ve felt that I’ve outgrown my current role and that perhaps it was time for a change. I have worked with some really excellent people on my team while here, and I’ll definitely be sad to say goodbye to some of them! I’ve had the opportunity to work on some huge-scale environments and highly complex systems – all of which allowed me to learn and grow in ways not possible in a “normal” size environment.
I’ve had the opportunity to get to know a lot of really good guys through Twitter, VMUGs and VMworld – including several of my colleagues-to-be at Xtravirt. Gregg Robertson, Daren Woollard and the rest of the Xtravirt guys are a real testament to the company and so when Gregg asked if I’d be interested, I jumped at the chance to interview for a role there – despite being quite far along the process for 2 other roles and having an offer on the table.
In the end, I chose to join Xtravirt because I believe they are market leaders for virtualisation and specifically cloud consulting, and they continue to learn and strive for excellence as a matter of course, which fits closely with how I approach my work. I am really excited to be joining and for the chance to be part of a company that I feel I can make a difference for, as well as developing and learning myself. While it may sound cheesy (or even a little obsequious) Xtravirt has a bit of a family feel to it, and that too makes it a very attractive place to work.
So there it is – I will be starting in January as a Senior Consultant for Xtravirt and I am really excited to get my teeth into the role!
Finally, I have to thank my amazing wife Ruth for supporting, encouraging and believing in me, and for her patience and understanding while I went through the process that ended here.
In my post yesterday (vexpert.me/hS) I talked about how to recover from an expired default SSO administrator password – this prompted a discussion on Twitter with Anthony Spiteri (@anthonyspiteri) and Grant Orchard (@grantorchard) about the defaults for expiration and how to mitigate the risk.
The first solution is to modify the password expiration policy for SSO. I’m not necessarily advocating this – I think that expiring passwords ensures that you change them regularly and increases the overall security of your SSO solution. However, I can envisage situations (similar to mine) where the SSO administrator account is not used for a long time and the password expires – and that causes headaches.
To modify the SSO password policy, log onto the vSphere Web Client as the SSO admin (admin@system-domain for 5.1 or administrator@vsphere.local for 5.5) and select Administration, then Sign-On and Discovery > Configuration. Select the Policies tab – you should see the default config:
Click Edit and set the password policy as required. This only applies to SSO users (i.e. those in the System-Domain or vSphere.local domains). To set passwords to never expire, set the Maximum Lifetime to 0. If you choose to do that, I’d beef up the complexity of your password policy to include upper, lower, numeric and special characters and increase the minimum length from 8 to 13.
Similarly, you can edit the lockout policy, which by default locks the account after 3 failed attempts within 24 days. The lockout lasts for 15 minutes. Setting the lockout time to 0 forces a manual unlock by an SSO admin.
The second option seems preferable to me (and to Anthony and Grant) – that is to add some AD users or groups to the SSO administrators group. To do this, again log in as an SSO admin and select Administration, then Access > SSO Users and Groups, then the Groups tab. Select “__Administrators__” and click the Add Principals button below. Select your AD domain in the Identity Source field and search for the required user or group. Add them and click OK. Now those users, or group members, have the ability to log on and reset or unlock the SSO admin account. AD accounts are obviously subject to your AD password policy, but they can be reset independently of SSO and therefore don’t require you to use some command-line kung-fu to unlock.
vCenter Single Sign-On account (SSO) passwords expire after 365 days, including the password for admin@system-domain.
In vSphere 5.5 it gets even better – the password expires every 90 days by default! (See the vSphere 5.5 SSO documentation)
By default, vCenter Single Sign-On passwords, including the password for administrator@vsphere.local, expire after 90 days.
There are different schools of thought as to whether you should have SSH enabled on your hosts. VMware recommend it is disabled. With SSH disabled there is no possibility of attack via SSH, so that’s the “most secure” option. Of course in the real world there’s a balance between “most secure” and “usability” (e.g. the most secure host is powered off and physically isolated from the network, but you can’t run any workloads). My preferred route is to have it enabled but locked down.
Note: VMware use the term “ESXi Shell”, most of us would term it “SSH” – the two are used interchangeably in this article although there is a slight difference. You can have the ESXi Shell enabled but SSH disabled – this means you can access the shell via the DCUI. For the sake of this article assume ESXi Shell and SSH are the same.
Today was always going to be a bit of a funny day as I scheduled the VCAP5-DCD exam for 10am this morning. I am happy to say that I passed! I’m a bit light on VMworld to report today, so forgive my DCD experience to pad it out!
I have to confess my prep for this exam was light – I literally only watched the TrainSignal course by Scott Lowe (@scott_lowe) and just about finished that last night in the hotel! I don’t spend much time focussing on design during my day job, so I approached this exam as a bit of a learning experience rather than a serious bid to pass. I decided to book the exam here at VMworld just because you can get 75% off – if you’re funding yourself it’s not a discount to be dismissed easily!
Taking the exam
As with the DCA exam the DCD is a gruelling 4 hours, with 100 questions of which normally around 6 are Visio style designs. Again, same as the DCA, time management is massively important – I was actually so concerned with the time after running out in the DCA that I went probably too quickly and finished with 45 minutes to spare.
It’s also a very wordy exam – you have to read a lot of text and pull out the relevant info. On the one hand you need to read it very carefully to ensure you pick up the right requirements etc, and on the other you really need to read as fast as possible to keep on track time-wise. The technique I used was to find out what they were asking me for first, and then scan back through the text for the relevant information.
The Visio style questions are a bit clunky, and I’d definitely recommend using the demo of the interface that VMware provide to make sure you’re familiar with how it works – you don’t want to do a “Gregg” (ahem @GreggRobertson5, I am looking at you) and delete your whole diagram by accident.
There are absolutely loads of exam experiences out there to read up on – just Google “VCAP5-DCD exam experience” (though, probably, that’s how you ended up here). I used http://thesaffageek.co.uk/vsphere-5-study-resources/vcap5-dca-dcd/
TrainSignal (now PluralSight) – I am really lucky to have access to TrainSignal’s library via the vExpert program, but it’s such a good resource I’d definitely pay for it if I didn’t. The course I used was Designing VMware Infrastructure.
I have also read Scott Lowe’s Mastering VMware vSphere 5, which is a fantastic book, even if you’re not going to do the exam. If you plan on buying it you could always use the links in my booklist page.
The rest of the day
After the exam I was pretty wrung out and needed a bit of time to recover – I’m still feeling the effects of the concentration now 3 hours later.
Hands On Labs
I spent some time doing hands on labs (HOL) this afternoon, specifically doing the vCAC v6 labs. I’ve been involved with the beta for “project nee” which is what the HOL were based on. The HOL infrastructure is huge here, with a full suite of desktops and a BYOD version. It’s pretty slick – at the time of writing there are over 28,000 VMs created in over 3,100 labs.
I braved the Solutions Exchange again after yesterday’s car crash of a visit, determined this time that I would not let my badge get scanned by any pushy sales person. It was more tolerable this time; I got to the stands I was aiming for and was relatively unharassed.
I was happy to hand over my info to PernixData for a copy of the vSphere Design Pocketbook, especially as it’s got a contribution from DefinIT’s Simon Eady in it!
It’s impossible to explain how good it is to be able to talk to so many really awesome people who I am honoured to call peers. It’s great to chat with people who have similar goals and find out how and why they’re doing the things they are. For me that’s been one of the best parts of VMworld and I have learned at least as much through conversations with people as I have from the sessions.
Tonight is the VMworld Party, I am torn between going to that, and going to bed! Whatever I decide, tomorrow is a new day and I will be aiming to go to a few more sessions as well as keep on with the networking.
I flew from Gatwick to Barcelona last night to my very first VMworld!
I'm staying in a hotel that is actually quite far from the conference, it's a metro, train and bus journey away from the conference center and it takes about 40 minutes to get here. On the plus side I was only 5 minutes away from the VMUG party last night so I went over there for an hour or so. Note for future years - stay a little closer to the conference!
The keynote session was a very slick presentation (think lasers and smoke) from VMware's CEO Pat Gelsinger with various guests laying out VMware's vision for the future of the Software-Defined Data Center (SDDC). You can watch the general session here, if you're interested.
If I was to pick one word to describe how I feel after a couple of hours at my very first VMworld, it would have to be "overwhelmed". This place is massive and there are 8500 people here. I definitely felt a bit lost and isolated, but fortunately I found some familiar faces in the Bloggers area. Great chats with @dawoo, @greggrobertson5, @vmfcraig, @egrigson and @gurusimran. Massive relief to finally find some people I know (at least from Twitter and LonVMUG). It was good to have some discussions around VCAP exams and also the VCDX process - it's all very topical and relevant for me as I look towards taking the DCD and moving on to the VCDX process.
#net5716 - Advanced VMware NSX Architecture with Bruce Davie
NSX is an area I am very interested in learning about, and this session provided an overview of NSX and how it's designed for scalability, how the nuts and bolts of that works (e.g. distributed services) and also how it interacts with physical VTEPs. I found the presenter engaging and the content was really good. The session was absolutely packed and there was plenty of interaction.
#vsvc4811 - Extreme Performance Series: Monster Virtual Machines with Peter Boone and Seongbeom Kim
This session kicked off with a good overview of various memory and processor management techniques. Overall I found this session quite dry with a lot of info and detail, but there's not much to spice it up. Very good understanding of NUMA/vNUMA and how they affect performance of huge 64 vCPU machines - and also some good info regarding the vSocket/vCore discussion I had with @vmfcraig and @simoneady earlier this year.
I spent some time wandering round the Solutions Exchange, which had some very in-your-face methods of attracting your attention and trying to get your badge scanned. It struck me as pretty shoddy to still be using pretty young girls to attract the primarily male geeks to a stand, but it's effective - it's much harder to be rude to one! I attempted to sit in on a couple of talks with vendors but found the hall too noisy to hear properly, with vendors seeming to compete with each other with loud and over-enthusiastic pitches! There's a huge range of technology and solutions on offer, if you can get past the sales patter.
#vBrownbag Unsupported with William Lam
It was great to listen to @lamw doing his unsupported session with some really useful tips on how to evaluate vSphere 5.5. He demoed vmtools for nested ESXi which is awesome, as well as some vCenter Simulator features in the VCSA. Definitely some things to try out in the DefinIT lab, the session should be available on the #vBrownbag feed soon.
Tonight is the vExpert reception which should be a great networking opportunity so I'm looking forward to that. I am hoping to get a relatively early night as today has been packed and tomorrow promises to be just as, if not more gruelling. Promise I'll try and get some pictures taken tomorrow!
Recently I had the privilege of being asked to attend a Google Hangout with Joe Baguley (VMware CTO EMEA), Paul Saffo (Technology Forecaster) and several other well-known guys from the VMUG community.
It was a first for me but a really enjoyable experience.
Losing a root password isn’t something that happens often, but when it does it’s normally a really irritating time. I have to rotate the root password of all hosts once a month for compliance, but sometimes a host drops out of the loop and the root password gets lost. Fortunately, as the vpxuser is still valid I can still manage the host via vCenter - this lends itself to this little recovery process:
- Join the host to the domain (I’ve got a handy post for that here)
- Create the “ESX Admins” group in your AD and ensure that you are a member. The AD group will be given full administrator rights on the host automatically.
- Wait for replication, and the host to pick up the group and membership – it took about 15 minutes for me.
- You can now connect directly to the host using the vSphere Client – head on to the “Local Users & Groups” page and edit “root”:
- You should now be able to connect to the host using your new root password.
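The five steps above, automated with PowerCLI as an added example (this is not code from the original post). The vCenter, host and domain names are placeholders; it assumes the “ESX Admins” group already exists in AD and that the credential you supply is a member of it.

```powershell
# Added example, not from the original post. Placeholder names throughout.
$vCenter  = 'vcenter.example.local'
$EsxHost  = 'esx01.example.local'
$AdDomain = 'corp.example.local'
# Assumed: "ESX Admins" exists in AD and $AdCred is a member of it. The same
# account is used for the domain join and for the direct host login later.
$AdCred   = Get-Credential -Message "AD account that is a member of 'ESX Admins'"
$RootCred = Get-Credential -UserName 'root' -Message 'Enter the NEW root password'

if (-not (Get-Command Connect-VIServer -ErrorAction SilentlyContinue)) {
    Add-PSSnapin VMware.VimAutomation.Core   # PowerCLI 5.x ships as a snap-in
}

# Steps 1-2: join the host to the domain through vCenter. vpxuser still works,
# so this does not need the lost root password.
$vc   = Connect-VIServer -Server $vCenter -Credential $AdCred
$auth = Get-VMHostAuthentication -VMHost (Get-VMHost -Name $EsxHost -Server $vc)
if ($auth.Domain -ne $AdDomain) {
    Set-VMHostAuthentication -VMHostAuthentication $auth -Domain $AdDomain `
        -JoinDomain -Credential $AdCred -Confirm:$false | Out-Null
}

# Step 3: wait for AD replication and for the host to see the domain (the post
# saw about 15 minutes); give up after 30 so a broken join is not ignored.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $status = (Get-VMHostAuthentication -VMHost (Get-VMHost -Name $EsxHost -Server $vc)).DomainMembershipStatus
} until ($status -eq 'Ok' -or (Get-Date) -gt $deadline)
Disconnect-VIServer -Server $vc -Confirm:$false
if ($status -ne 'Ok') { throw "Domain membership status is '$status'; not resetting root." }

# Step 4: connect directly to the host with the AD account (full administrator
# rights come from "ESX Admins") and set a new root password.
$esx = Connect-VIServer -Server $EsxHost -Credential $AdCred
Set-VMHostAccount -UserAccount (Get-VMHostAccount -User -Id root) `
    -Password $RootCred.GetNetworkCredential().Password | Out-Null
Disconnect-VIServer -Server $esx -Confirm:$false

# Step 5: prove the new root password works before relying on it.
$check = Connect-VIServer -Server $EsxHost -Credential $RootCred
Disconnect-VIServer -Server $check -Confirm:$false
Write-Host "root password on $EsxHost reset and verified"
```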
This is the second article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant. The first article in this series was vSphere Security: Understanding ESXi 5.x Lockdown Mode.
Why would you want to join an ESXi host to an Active Directory domain? Well, you’re not going to get Group Policies applying; what you’re really doing is adding another authentication provider directly to the ESXi host. You will see a computer object created in AD, but you will still need to create a DNS entry (or configure DHCP to do it for you). What you do get is a way to audit root access to your hosts, a single sign-on for administrators managing all aspects of your virtual environment, and more options in your administrative arsenal – for example, if you’re using an AD group to manage host root access, you don’t have to log onto however many ESXi hosts you have to remove a user’s permissions; simply remove them from the group. You can keep your root passwords in a sealed envelope for emergencies!
This is the first article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant.
I think lockdown mode is a feature that is rarely understood, and even more rarely used. Researching this article I’ve already encountered several different definitions that weren’t quite right. As far as I can see there are no differences between lockdown mode in 5.5 and 5.1.
The vSphere Security guide says (emphasis mine):
To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server. Only the vpxuser user has authentication permissions, no other users can perform operations against the host directly.
In short, lockdown mode means you can ONLY manage the host via vCenter. The only exception is via the DCUI.
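An added PowerCLI check (not code from the original article) that serves both this passage and the SSH article above: it reports, per host, whether lockdown mode is on and whether the ESXi Shell (service key TSM) and SSH (TSM-SSH) services are running or set to start with the host, so you can see which hosts match the “enabled but locked down” stance and which do not. The function name is mine; the vCenter name is a placeholder.

```powershell
# Added example, not from the original article. Reports the direct-access
# posture of each ESXi 5.x host: lockdown mode plus the ESXi Shell / SSH
# service state. Usage: Connect-VIServer first, then pipe hosts into it.
function Get-EsxiAccessPosture {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $VMHost
    )
    process {
        foreach ($h in $VMHost) {
            # HostConfigInfo.adminDisabled is the lockdown mode flag on ESXi 5.x
            $lockdown = [bool]$h.ExtensionData.Config.AdminDisabled
            $services = Get-VMHostService -VMHost $h
            $shell    = $services | Where-Object { $_.Key -eq 'TSM' }
            $ssh      = $services | Where-Object { $_.Key -eq 'TSM-SSH' }
            [pscustomobject]@{
                Host         = $h.Name
                Lockdown     = $lockdown
                ShellRunning = [bool]$shell.Running
                SSHRunning   = [bool]$ssh.Running
                # Policy 'on' means the service starts with the host,
                # 'off' means it must be started by hand each time
                SSHPolicy    = $ssh.Policy
            }
        }
    }
}

# Example run (placeholder vCenter name): list only hosts that allow direct
# access, i.e. not in lockdown mode or with SSH currently running.
# Connect-VIServer -Server 'vcenter.example.local'
# Get-VMHost | Get-EsxiAccessPosture |
#     Where-Object { -not $_.Lockdown -or $_.SSHRunning } |
#     Format-Table -AutoSize
```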