ESXi 4.0 Security

I’ve been wanting to put up a post on ESXi security for some time now, and 2 recent posts have kicked me into action – this one from Scott Lowe about setting the root password on ESX and this announcement about the vSphere blogging contest :D . So have your caffeinated beverages and pizzas at the ready, we might be here a while!

Strangely, and disappointingly might I add, there is no vSphere 4 Security Hardening Guide available currently (UPDATE: A draft version has now been published – I’d like to think the release had something to do with this post, but in reality I’m sure it is merely a coincidence!) – the only published security guidance we have from VMware is the old one for VI 3.5 and the Security section in the ESXi Configuration Guide. While this situation sends a negative message to security types who may wonder if this lack of documentation is indicative of VMware’s approach to security (vSphere has been out for nearly 9 months now), when it comes to ESXi 4 not a lot has changed so most of the ESXi parts in the old 3.5 document apply equally to ESXi 4 and are covered in the ESXi Config Guide anyway. Before anyone flames me about that comment, I don’t believe VMware has a weak stance with regards to security and I am NOT one of the aforementioned security types – I have had to deal with them however, so I am speaking from experience.

Posted in Uncategorized | Comments closed

Useful Linux VM Tweaks, Part 1

I’ve called this Part 1 because as I mess around more with Linux VMs I have no doubt there will be more posts like this one. Don’t expect anything earth-shattering in them either… this is all easily obtainable info, and it wouldn’t surprise me if I get comments suggesting better ways to do what I have done (I encourage such comments so I can learn!).

For this first installment, I’m going to cover a very small customisation I make to the startup scripts on my Linux template machine, which is currently based on Ubuntu 8.04.3 JeOS edition.

At this point in time, I basically only make 2 small changes. First, to save me from having to log in and run ifconfig to find out what IP address the VM has, I modify /etc/issue to display the IP address above the login prompt. The other thing that really bothers me is the PC speaker beep. Yes, I know you can disable this by adding an option to the .vmx file, but I would rather do it within the VM so I (or other people) can deploy via OVF and get a consistent result without needing to modify .vmx files. So I remove the module that is responsible for enabling the PC speaker.

So here is what I add just above the exit 0 line of /etc/rc.local:

# Clear screen
clear


# Build /etc/issue
HEADER="Ubuntu 8.04.3 LTS \l"
KERNEL=`uname -sr`
IP=`ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`
echo "$HEADER :: $KERNEL :: $IP" > /etc/issue
echo >> /etc/issue


# kill pc speaker
rmmod pcspkr

Which produces the following nice-looking screen, ready for me to SSH into the box.
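A more defensive variant of the rc.local snippet above, as an added example that is not from the original post. It assumes the same eth0 interface and Ubuntu 8.04.3 header as the template, parses ifconfig-style output so the case where DHCP has not yet handed out an address at boot (which leaves $IP empty and the banner ending in a dangling “ :: ”) is handled, and only runs rmmod when pcspkr is actually loaded.

```shell
# Added example (not from the original post): a more defensive version of the
# /etc/issue builder in the rc.local snippet. Interface name, header text and
# the /etc/issue target are assumptions matching the template in the post.

# Constructed sample of 2.6-era ifconfig output, used only for offline testing.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Read ifconfig output on stdin and print the first "inet addr:" IPv4 value.
# Prints "unassigned" when there is none, so the banner never ends in " :: ".
extract_ip() {
    addr=$(sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$addr" ]; then
        printf '%s\n' "$addr"
    else
        printf '%s\n' "unassigned"
    fi
}

# Compose the banner line. "\l" is a getty escape (expands to the tty name at
# login time), so it must reach /etc/issue literally; %s never interprets it.
build_issue() {
    printf '%s :: %s :: %s\n' "$1" "$2" "$3"
}

# Write the banner plus the trailing blank line to the target file.
# Usage in rc.local (just above "exit 0"): write_issue /etc/issue eth0
write_issue() {
    target=${1:-/etc/issue}
    iface=${2:-eth0}
    addr=$(ifconfig "$iface" 2>/dev/null | extract_ip)
    build_issue 'Ubuntu 8.04.3 LTS \l' "$(uname -sr)" "$addr" > "$target"
    echo >> "$target"
}

# Unload the PC speaker driver only when it is present; a bare "rmmod pcspkr"
# on a template without the module prints an error on every boot.
silence_pcspkr() {
    if grep -q '^pcspkr ' /proc/modules 2>/dev/null; then
        rmmod pcspkr
    fi
}
```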

If you have any similar favourite small tweaks for Linux VMs, please share them in the comments!


Get Only ESXi 4 Updates in VUM 4

One of the (many) things that bugs me about VMware Update Manager is the fact that I can’t specify to only pull down ESXi updates. I doubt there are many large enterprises that will run both fat and thin ESX in production for any length of time, I know I wouldn’t. And sure it’s “only” metadata if I never actually scan an ESX host, but it pollutes the VUM interface with millions of entries for fat ESX that I will never care about. So maybe I’m a little bit OCD about stuff like that, but there you go. Luckily I can do something about it though, via the use of a custom patch source and a little XML hacking.


First Patches of 2010 Released – VC 4 U1 / ESXi Bug Slain!

I don’t normally post about patch releases, but this one is important because it fixes the issue described in my post Why You Shouldn’t Update vCenter If Using ESXi… Yet!.

This means that after applying the patch to ESXi 4, you can go right ahead with upgrading to vCenter 4.0 Update 1 without fear of disconnected hosts – go grab it now!


2010 – Time For Some Action!

Another year has flown by, and all in all it’s been a pretty good year for me. I’ve co-authored a book, become one of the inaugural 300 vExperts, turned some acquaintances in the community into friends, met some cool people, done some pretty interesting stuff at work and travelled to some nice places (Australia, Belgium, France, Germany, Hungary, Japan, Singapore, USA – and here I was thinking I didn’t do much travel in 2009!).

But when I look back at 2009 one thing stands out to me – talking. A _lot_ of talking. But not much action. Which is fine, but if 2010 continues in this way then it will be a very frustrating year indeed.

We’ve talked the whole Cloud thing to death, we now need to bring it to life by actually implementing it. Sure it’s not 100% ready for every conceivable use case, but <insert your favourite analogy along the lines of “the journey of 1000 miles begins with the first step” here>. We’ve had a lot of innovative thoughts and conversations, but what’s the fucking point of innovation without implementation? That’s right, there is no point. Innovation without implementation is not innovation at all.

So in keeping with my classification of 2009 as being a year of thinking and talking, and calling out 2010 as a year for doing, I’m going to get a head start and leave it at that for this post.

I hope you’ve enjoyed reading my blog in 2009 as much as I’ve enjoyed writing it, and thank you for doing so and especially for all the emails and comments – if not for that it wouldn’t be worthwhile.

Have a safe and happy New Year celebration (for those who celebrate New Year’s Eve on December 31st), see you on the other side (errrr, of the decade that is!).


Why You Shouldn’t Update vCenter If Using ESXi… Yet!

UPDATE: A patch that resolves this issue has now been released – read more about it here.

Although I did enjoy a brief moment of smugness when the HP-related ESX 4 Update 1 problems arose, it was cut short by another issue affecting vCenter 4.0 Update 1 and ESXi.

VMware haven’t provided much information about the cause of the problem thus far; there is simply a disclaimer on the Support & Downloads page saying not to apply vCenter 4.0 Update 1 if ESXi hosts are being managed, and pointing to a KB article that doesn’t go into much depth. So allow me to elaborate on the cause of the problem, so we can all be a little more enlightened.

The problem boils down to the way updates are performed on ESXi, and is a side effect of its non-reliance upon a local disk-based filesystem. Basically, any time a piece of non-OS software is updated on ESXi, it is done via a 64MB ramdisk. Such updates could be for the VC agent, the HA agent, or even 3rd party modules such as PowerPath or the Nexus 1000V.


Offline for a few weeks…

Yes, I know, it’s been a while since my last post anyway :P .

In a few days I’ll be heading back to my hometown of Sydney (via Tokyo – I love Japan) for a few weeks, so the internets will be a little less ranty for a little while. And unfortunately, I’ll be missing the next London VMUG which is on November 24th :(

I’m looking forward to catching up with a bunch of people, including me ol’ china Jeff of Cloud Pimps. If I can convince him to get some green on his site, who knows what may happen to vinternals in the new year…

See y’all in a few weeks!
