vSphere Security: Advanced SSH Configurations
There are different schools of thought as to whether you should have SSH enabled on your hosts. VMware recommend that it is disabled. With SSH disabled there is no possibility of attack via SSH, so that’s the “most secure” option. Of course, in the real world there’s a balance between “most secure” and “usability” (e.g. the most secure host is powered off and physically isolated from the network, but then you can’t run any workloads on it). My preferred route is to have it enabled but locked down.
Note: VMware use the term “ESXi Shell”; most of us would term it “SSH”. The two are used interchangeably in this article, although there is a slight difference: you can have the ESXi Shell enabled but SSH disabled, which means you can access the shell only via the DCUI. For the sake of this article, assume ESXi Shell and SSH are the same.
VMworld Europe 2013 – Day 1
I flew from Gatwick to Barcelona last night to my very first VMworld!
I’m staying in a hotel that is actually quite far from the conference, it’s a metro, train and bus journey away from the conference center and it takes about 40 minutes to get here. On the plus side I was only 5 minutes away from the VMUG party last night so I went over there for an hour or so. Note for future years – stay a little closer to the conference!
The keynote session was a very slick presentation (think lasers and smoke) from VMware’s CEO Pat Gelsinger, with various guests laying out VMware’s vision for the future of the Software-Defined Data Center (SDDC). You can watch the general session here, if you’re interested.
If I were to pick one word to describe how I feel after a couple of hours at my very first VMworld, it would have to be “overwhelmed”. This place is massive and there are 8500 people here. I definitely felt a bit lost and isolated, but fortunately I found some familiar faces in the Bloggers area. Great chats with @dawoo, @greggrobertson5, @vmfcraig, @egrigson and @gurusimran. Massive relief to finally find some people I know (at least from Twitter and LonVMUG). It was good to have some discussions around VCAP exams and also the VCDX process – it’s all very topical and relevant for me as I look towards taking the DCD and moving on to the VCDX process.
#net5716 – Advanced VMware NSX Architecture with Bruce Davie
NSX is an area I am very interested in learning about, and this session provided an overview of NSX and how it’s designed for scalability, how the nuts and bolts of that works (e.g. distributed services) and also how it interacts with physical VTEPs. I found the presenter engaging and the content was really good. The session was absolutely packed and there was plenty of interaction.
#vsvc4811 – Extreme Performance Series: Monster Virtual Machines with Peter Boone and Seongbeom Kim
This session kicked off with a good overview of various memory and processor management techniques. Overall I found this session quite dry, with a lot of info and detail, but there’s not much to spice it up. It gave a very good understanding of NUMA/vNUMA and how they affect the performance of huge 64 vCPU machines, and also some good info regarding the vSocket/vCore discussion I had with @vmfcraig and @simoneady earlier this year.
I spent some time wandering round the Solutions Exchange, which had some very in-your-face methods of attracting your attention and trying to get your badge scanned. It struck me as pretty shoddy to still be using pretty young girls to attract the primarily male geeks to a stand, but it’s effective – it’s much harder to be rude to one! I attempted to sit in on a couple of talks with vendors but found the hall too noisy to hear properly, with vendors seeming to compete with each other with loud and over-enthusiastic pitches! There’s a huge range of technology and solutions on offer, if you can get past the sales patter.
#vBrownbag Unsupported with William Lam
It was great to listen to @lamw doing his unsupported session with some really useful tips on how to evaluate vSphere 5.5. He demoed vmtools for nested ESXi which is awesome, as well as some vCenter Simulator features in the VCSA. Definitely some things to try out in the DefinIT lab, the session should be available on the #vBrownbag feed soon.
Tonight is the vExpert reception, which should be a great networking opportunity, so I’m looking forward to that. I am hoping to get a relatively early night as today has been packed and tomorrow promises to be just as gruelling, if not more so. I promise I’ll try and get some pictures taken tomorrow!
Recover ESXi Root Password using AD Authentication
Losing a root password isn’t something that happens often, but when it does it’s normally a really irritating time. I have to rotate the password of all hosts once a month for compliance, but sometimes a host drops out of the loop and the root password gets lost. Fortunately, as the vpxuser is still valid I can manage the host via vCenter, which lends itself to this little recovery process:
- Join the host to the domain (I’ve got a handy post for that here)
- Create the “ESX Admins” group in your AD and ensure that you are a member. The AD group will be given full administrator rights on the host automatically.
- Wait for replication, and the host to pick up the group and membership – it took about 15 minutes for me.
- You can now connect directly to the host using the vSphere Client with your AD credentials – head on to the “Local Users & Groups” page and edit the “root” account to set a new password.
- You should now be able to connect to the host using your new root password.
vSphere Security: Active Directory Authentication
This is the second article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant. The first article in this series was vSphere Security: Understanding ESXi 5.x Lockdown Mode.
Why would you want to join an ESXi host to an Active Directory domain? Well, you’re not going to get Group Policies applied; what you’re really doing is adding another authentication provider directly to the ESXi host. You will see a computer object created in AD, but you will still need to create a DNS entry (or configure DHCP to do it for you). What you will get is a way to audit root access to your hosts, to give administrators a single sign-on for managing all aspects of your virtual environment, and more options in your administrative arsenal – for example, if you’re using an AD group to manage host root access, you don’t have to log on to however many ESXi hosts you have to remove a user’s permissions; simply remove them from the group. You can keep your root passwords in a sealed envelope for emergencies! 😉
vSphere Security: Understanding ESXi 5.x Lockdown Mode
This is the first article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant.
I think lockdown mode is a feature that is rarely understood, and even more rarely used. Researching this article I’ve already encountered several different definitions that weren’t quite right. As far as I can see there are no differences between lockdown mode in 5.5 and 5.1.
The vSphere Security guide says (emphasis mine):
“To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server. Only the vpxuser user has authentication permissions, no other users can perform operations against the host directly.”
In short, lockdown mode means you can ONLY manage the host via vCenter. The only exception is via the DCUI.
vSphere 5.5 – what I like from what’s new
With vSphere 5.5 being announced at VMworld San Francisco, I was very eager to see what was new. After devouring all of the great blog posts out there from the guys in attendance, I wanted to summarize in my own way the aspects I think are great!
- VMDK 2TB limitation removed! (also virtual mode RDMs)
This has to be one of the best pieces of news, as it has been a pain in the rear trying to accommodate really large VMs (the changes affect both VMFS and NFS).
IMPORTANT – You need to be running ESXi 5.5.
You cannot grow the VMDK “hot”; the VMDK must be offline. Also, you must use the web client to make the changes beyond 2TB (you will get a funky error message if you try with the .NET client).
- vSphere Flash Read Cache
I have been keeping an eye on this (where possible) since I heard it announced way back as vFlash by Cormac Hogan at a VMUG meeting last year, so I was chuffed to bits to see it made the cut in 5.5. (From what I have read so far, though, it is not as straightforward to deploy and use as PernixData’s excellent product, which I have had the pleasure of looking at and testing.)
- vSphere maximums
While the days of needing to know the maximums for the exams have pretty much gone, VMware are still eager to impress, and with Hyper-V hot on its tail VMware have certainly upped the ante.
- VSAN
Apparently it’s not a re-branding of VSA (which was not particularly popular). VSAN is a new way to make use of host-mounted storage, whether it be SSDs or HDDs, and create a datastore across 8 hosts (8 hosts being the present maximum).
This solution is quite appealing for some of what I do on a day-to-day basis, but I have yet to see how VMware will license it or which suite (if any) it will fall into.
If you want a really great overview of all the new features and changes I would recommend reading the following blog post at WahlNetwork
Also VMware have the following PDF
vSphere Basics: Correctly decommissioning a vSphere Datastore
You’d be surprised how many times I see a datastore that’s just been un-presented from hosts rather than decommissioned correctly – in one notable case I saw a distributed switch crippled for a whole cluster because the datastore in question was being used to store the VDS configuration.
This is the process that I follow to ensure datastores are decommissioned without any issues. Before a datastore is removed, it needs to comply with these requirements:
- No virtual machine resides on the datastore
- The datastore is not part of a Datastore Cluster
- The datastore is not managed by storage DRS
- Storage I/O control is disabled for this datastore
- The datastore is not used for vSphere HA heartbeat
Installing VMware vSphere Update Manager Download Service and publishing via IIS
The vSphere UMDS provides a way to download patches for VMware servers that are air-gapped, or for some reason aren’t allowed to go out to the internet themselves – in my case a security policy prevented a DMZ vCenter Server from connecting to the internet directly. The solution is to use UMDS to download the updates to a second server hosted in the DMZ and then update the vCenter Server from there. It can also save on bandwidth if you’re running multiple vCenter Servers, which again was the case (though bandwidth isn’t really a constraint).
Changing ESXi root passwords the smart way (via PowerCLI)
If you work in a company with strict password compliance rules, for example under SOX, you might well have to change administrator passwords every month. Doing this on any more than a few hosts is tedious work – even on two hosts it seems like a waste of time logging on to the host via SSH (or even enabling it first) before changing the password. Then we also need to audit the change; there’s no point making it for compliance reasons if we can’t then prove we did it!