Sam McGeown


Sam has been working in the IT industry for nearly 20 years now, and is currently working for VMware as a Senior Technical Marketing Manager in the Cloud Management Business Unit (CMBU) focussed on Automation. Previously, he has worked as a consultant for VMware PSO, specializing in cloud automation and network virtualization. His technical experience includes design, development and implementation of cloud solutions, network function virtualisation and the software defined datacentre. Sam specialises in automation of network virtualisation for cloud infrastructure, enabling public cloud solutions for service providers and private or hybrid cloud solutions for the enterprise.

Sam holds multiple high-level industry certifications, including the VMware Certified Design Expert (VCDX) for Cloud Management and Automation. He is also a proud member of the vExpert community, holding the vExpert accolade from 2013-present, as well as being selected for the vExpert NSX, vExpert VSAN and vExpert Cloud sub-programs.


All posts by Sam McGeown

Written by Sam McGeown on 6/11/2013
Published under VMware, vSphere

In my post yesterday (vexpert.me/hS) I talked about how to recover from an expired default SSO administrator password – this prompted a discussion on Twitter with Anthony Spiteri (@anthonyspiteri) and Grant Orchard (@grantorchard) about the defaults for expiration and how to mitigate the risk.

The first solution is to modify the password expiration policy for SSO. I’m not advocating this necessarily – I think that expiring passwords ensure that you change them regularly and increase the overall security of your SSO solution. However, I can envisage situations (similar to mine) when the SSO administrator account is not used for a long time and has expired – that causes headaches.

Written by Sam McGeown on 5/11/2013
Published under VMware, vSphere

Today I found out that in vSphere 5.1 the SSO administrator account (admin@system-domain) has a password that expires after 365 days. See KB2035864:

vCenter Single Sign-On account (SSO) passwords expire after 365 days, including the password for admin@system-domain.

Awesome.

In vSphere 5.5 it gets even better – the password expires every 90 days by default! (See the vSphere 5.5 SSO documentation)

Written by Sam McGeown on 22/10/2013
Published under Networking, VMware

There are different schools of thought as to whether you should have SSH enabled on your hosts. VMware recommend it is disabled. With SSH disabled there is no possibility of attack, so that’s the “most secure” option. Of course in the real world there’s a balance between “most secure” and “usability” (e.g. the most secure host is powered off and physically isolated from the network, but you can’t run any workloads). My preferred route is to have it enabled but locked down.

Written by Sam McGeown on 17/10/2013
Published under

Last night was the VMworld party which was loads of fun, I took some pictures so I won’t write loads! Highlights include watching people fall over on the roller disco, losing to @shogan85 at Street Fighter (he has some skills showing a misspent youth) and a rather amusing game of spot the difference.

#vcm5477 Cloud Service Automation with NSX and vCloud Automation Center with Cargi Keeling and Phil Fleischer

This was one of the most technically cool sessions I’ve been in this week, seeing how vCAC and NSX come together to deploy multi-tiered applications with the networks provisioned on demand, including firewalls and routing. There’s no doubt this is a very exciting hook up, I wonder how many network teams will be happy to see it deployed. That’s going to be an uphill battle.

Written by Sam McGeown on 16/10/2013
Published under VMware

Today was always going to be a bit of a funny day as I scheduled the VCAP5-DCD exam for 10am this morning. I am happy to say that I passed! I’m a bit light on VMworld to report today, so forgive my DCD experience to pad it out!

Preparation

I have to confess my prep for this exam was light – I literally only watched the TrainSignal course by Scott Lowe (@scott_lowe) and just about finished that last night in the hotel! I don’t spend much time focussing on design during my day job, so I approached this exam as a bit of a learning experience rather than a serious bid to pass. I decided to book the exam here at VMworld just because you can get 75% off – if you’re funding yourself it’s not a discount to be dismissed easily!

Written by Sam McGeown on 15/10/2013
Published under VMware

I flew from Gatwick to Barcelona last night to my very first VMworld!

I’m staying in a hotel that is actually quite far from the conference, it’s a metro, train and bus journey away from the conference center and it takes about 40 minutes to get here. On the plus side I was only 5 minutes away from the VMUG party last night so I went over there for an hour or so. Note for future years - stay a little closer to the conference!

Written by Sam McGeown on 7/10/2013
Published under VMware, vSphere

Losing a root password isn’t something that happens often, but when it does it’s normally a really irritating time. I have to rotate the password of all hosts once a month for compliance, but sometimes a host drops out of the loop and the root password gets lost. Fortunately, as the vpxuser is still valid I can manage the host via vCenter - this lends itself to this little recovery process:

Written by Sam McGeown on 4/10/2013
Published under VMware

This is the second article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant. The first article in this series was vSphere Security: Understanding ESXi 5.x Lockdown Mode.

Why would you want to join an ESXi host to an Active Directory domain? Well you’re not going to get Group Policies applying, what you’re really doing is adding another authentication provider directly to the ESXi host. You will see a computer object created in AD, but you will still need to create a DNS entry (or configure DHCP to do it for you). What you will get is a way to audit root access to your hosts, to give administrators a single sign on for managing all aspects of your virtual environment and more options in your administrative arsenal – for example, if you’re using an AD group to manage host root access, you don’t have to log onto however many ESXi hosts you have to remove a user’s permissions, simply remove them from the group. You can keep your root passwords in a sealed envelope for emergencies! 😉

Written by Sam McGeown on 26/9/2013
Published under VMware, vSphere

This is the first article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant.

I think lockdown mode is a feature that is rarely understood, and even more rarely used. Researching this article I’ve already encountered several different definitions that weren’t quite right. As far as I can see there are no differences between lockdown mode in 5.5 and 5.1.

Written by Sam McGeown on 20/9/2013
Published under VMware

John Troyer (@jtroyer) asked a question on Twitter last night about a CloudCred prize of $1000-2000:

 

That got me thinking – was it possible to create an entire 2 host lab with storage on a $2000 budget? My first step was to convert it into a proper currency:

I figured that I’d stick to the Intel NUC route that I’ve gone down for my lab at home – I love the NUC for its tiny form factor, silent operation and really low power consumption. There are downsides – it can only take 16GB RAM, only one mSATA disk and only has one gigabit NIC. I don’t think any of those are too big a deal for a personal lab though – certainly I’ve not had any problems building and testing VMware products on my single NUC. I’d drop in an 8GB stick of RAM and an Intel 60GB mSATA SSD per NUC – you could always go 16GB later by adding another 8GB stick in the 2nd slot. I picked the Intel mSATA disk for its controller and throughput figures – there are larger and cheaper ones but not with the same write performance. Since the use of SSD is massively in focus with vFlash, PernixData FVP and several other technologies, you wouldn’t want to miss out. I’ve also added an 8GB USB3 flash drive per NUC to boot ESXi from.