August 2010


This is a liveblog of VMworld 2010 session DV7706, titled “View Composer Technical Deep Dive and Best Practices,” in Moscone West 2004. The presenter(s) are Jeff Whitman and Jim Yanik, both with VMware.

We start out the session with a quick review of some limitations. View Composer has a limit of eight ESX/ESXi hosts in a cluster. This is a VMFS limit involving the number of hosts that are accessing a read-only file at the same time. I wonder if VAAI hardware-assisted locking will affect this limit. As for the total number of VMs, you are limited by the usual suspects—HA failover time, vMotion time to put a host in maintenance mode, HA limits, etc.

View Composer is installed as a service on the vCenter Server computer. You can connect View Manager to the View Composer service inside the View Manager configuration dialog box. The presenters do recommend using the fully qualified domain name (FQDN) when configuring the connection between the View Manager and the View Composer service on a vCenter Server instance.

The start of every linked clone is the parent VM. Follow the usual best practices for building the parent VM as included in the documentation from VMware. I couldn’t record any of their recommendations because they didn’t leave them on the screen long enough.

The parent VM needs a snapshot before you can create linked clones. Be sure to shut down the VM so that memory state isn’t included. View 4.5 has a new checkbox that allows you to show incompatible images; this was added as a way to help administrators troubleshoot potential problems with incorrectly-taken snapshots. (As an example, a snapshot taken while the VM is running would be incompatible.)

Linked clones can be stored on local or shared storage. You can have multiple linked clones per storage pool, and replica and linked clones can be on the same datastore or different datastores. This is new to View 4.5 and it allows you to store the replica on SSD/EFD for maximum performance but place the linked clone on slower-performing storage. Be aware that this is a potential single point of failure.

View terminology appears to be changing again; what was once the user data disk is now called the persistent disk. In my opinion, VMware needs to settle into some consistent terminology.

Some datastore recommendations include using similarly-sized datastores so that View can load balance the linked clones across the datastores (using round robin) fairly evenly. The number of VMs per datastore is really driven by IOPS; best practices run around “50-64 or maybe 128” (exact verbiage from the presentation).

Quick definition: A replica consists of a clone of the parent VM plus the selected snapshot. Replicas are thin provisioned. Persistent disks (aka user data disks) are also thin provisioned. View 4.5 also introduces a “disposable” or temporary disk that allows View 4.5 to destroy the temporary disk and reclaim that space on a regular basis. The presenters think that the temporary disk is destroyed every time the user logs off. How does it handle the Windows swapfile then? Finally, View 4.5 also stores the Windows machine password in a separate “internal disk” that simplifies the process of refreshing linked clones when they are members of an Active Directory domain.

The presenter next walks through a comparison of storage utilization both without and with linked clones. It’s a comparison that most people have seen multiple times, nothing terribly new or surprising here.

QuickPrep is included with View Composer, and 4.5 also includes Sysprep. You should use Sysprep only in those instances where you specifically need a new SID; in most cases, having a unique SID isn’t as big of a deal as many people suspect that it is. Sysprep is a lot slower than QuickPrep, so be aware. The selection of QuickPrep/Sysprep on a pool is permanent for the life of that pool; you can’t switch it later.

VDMAdmin.exe is a tool provided with View Manager; it was necessary with previous versions of View to attach/detach user data disks. Persistent disks (the equivalent in View 4.5) can be managed directly inside the View Manager GUI. You can also script the interaction with the persistent disks for greater automation.

The speakers just confirmed, as I already knew, that centralized profile management is not included in VMware View 4.5.

Some troubleshooting tips:

  • All machines have same name and hang on customization – typically caused by a missing agent.
  • If customization fails, check the QuickPrep domain setup in View Manager. Also be sure the user has permissions to add and remove computers in Active Directory.
  • DNS, DNS, DNS—name resolution is critical!
  • Be sure that you have adequate host resources for large refresh or recompose operations.
  • Use View Manager to manipulate View desktops, not vCenter!
  • Don’t use static IP addressing in the parent VM.
  • Use SVIConfig to help troubleshoot View database issues.

You can’t use Storage vMotion with linked clones; it’s not supported.

What’s the best way to handle Patch Tuesday? You can manually apply the patches, test, snapshot, and then recompose. You can also use automatic updates, test, power down and snapshot, and then recompose. Finally, if you are using a third-party agent, remove the agent before snapshotting and recomposing (you don’t want the agent included in the linked clones).

What about antivirus? The traditional method was to install the A/V engine and update definitions only; you would use a recompose to roll out a new engine. You could also not use A/V. Because linked clones are disposable, the impact of not using A/V isn’t as great as you might initially think. With vSphere 4.1 you could use vShield Endpoint, which is an extension of the VMsafe APIs that allow the A/V vendors to completely pull their agents out of the guest VMs.

When planning for business continuity, don’t forget to plan for the View Manager database. For DR, be sure to replicate the View Server and install View Composer on the DR vCenter Server.

That’s it!


I’m going to try to liveblog the VMworld 2010 keynote this morning. Hopefully I’ll be able to keep up with the pace, and hopefully the site won’t melt down from additional traffic. Check back regularly and I’ll update this post as the keynote progresses.

As usual, the general session is opening with a video. This time, it’s a mock documentary discussing “What is the cloud?” The video compares “cloud computing” to pizza. The next reference is to The Matrix, where the narrator of the documentary goes to visit the Oracle and is told his mind is a dumb terminal. Pretty funny!

After the video concludes, VMware Chief Marketing Officer Rick Jackson takes the stage. He shares a few interesting statistics: VMworld 2004 was the first conference, with about 1400 guests. Last year, there were about 12,500 guests. This year, the conference’s seventh, there are approximately 17,000 attendees, with about 85 countries represented. Wow—this is a huge increase over last year! Of those, 4,000 are new attendees (first time at the VMworld conference). Fifty-five people have attended every single conference; they are the Alumni Elite.

Rick next discussed the hybrid cloud architecture used to power VMworld 2010. The conference uses two data centers on the East Coast along with a private cloud infrastructure here on site.

Next Rick transitions into a discussion of the phases of virtualization. First there’s IT Production, and that gives customers cost savings. Next comes business production, where “applications run better virtualized”. Rick says that most VMware customers are currently in the business production phase. The third phase is business agility, driven by IT agility and enabled by operational savings and efficiency. This is IT as a Service (ITaaS). Rick stresses the “open” nature of VMware’s solutions and harps on VMware’s broad hardware support. He announces that OVF (Open Virtualization Format) is now an ANSI standard. He also reminds the attendees that VMware is working on standardizing the vCloud API as an open standard.

Rick next introduces Paul Maritz, who comes out on stage to take over the presentation. Paul spends a few minutes discussing the breadth of VMware’s adoption across industries and across geographies. He then transitions into a discussion of the role of the virtualization layer, its central role in innovation (and being the focus of innovation), its impact on operations, resource allocation, and the consumption of infrastructure. As he moves into the discussion of virtual data centers, it’s pretty clear (to me, at least) where he’s headed—he’s laying some foundations and defining some terms for a product announcement, and wants to be sure that the audience is at the same place he is in their thought processes.

After a lengthy discussion of the three layers that need innovation—new infrastructure, new application platform, and new end user access—he now moves out of the theoretical into the practical by inviting Steve Herrod, VMware’s CTO, out onto the stage.

Steve starts out with a discussion of vSphere and the vSphere 4.1 release. He reviews a few maximums and covers some basic functionality like vMotion, and reminds the audience of increases in the performance of technologies like vMotion (faster individual vMotion migrations and more concurrent vMotion migrations). Steve also discusses the solution to the “noisy neighbor” problem where individual VMs take up too many resources; the fix, of course, is Storage I/O Control and Network I/O Control. He also discusses the vStorage APIs for Array Integration (VAAI). As most readers of this site probably already know, VAAI allows the hypervisor to offload storage operations onto the storage arrays themselves.

Steve Herrod announces the acquisition of Integrien by VMware for their proactive analytics functionality. The product looks quite interesting, but I’m unclear how Integrien will integrate with existing products like AppSense.

Steve moves through a discussion of producers, consumers, their different needs, SLAs, service catalogs (App Stores), “pay as you go” models, and virtual data centers. The focus is on the gap between producers who provision hardware and consumers who request services. And finally, after all the build-up, Herrod announces VMware vCloud Director (aka Project Redwood). VMware sees vCD as the enabling technology that helps address the disconnect between producers and consumers, and enables companies to create virtual data centers.

To help address security in the virtual data center, VMware announces VMware vShield Endpoint, VMware vShield App, and VMware vShield Edge. These products provide offloaded virus protection, hypervisor-level firewalling, and a “traditional” stateful firewall, respectively. It will be interesting to see how these products play with VMware’s security partners. Competitor or partner now?

Unfortunately, I have to now leave the General Session to prepare for my 11AM session on EMC Virtual Storage with VMware vSphere. If you’re attending, please feel free to tweet (use the hashtag #TA8101) or blog during the session. See you there!


A flurry of virtualization-related product announcements flew into my Inbox today, thoroughly disrupting the empty Inbox I’d cultivated before the show. Anyway, I thought readers might be interested in some of the announcements, so here they are:

  • Akorri announced they’ve achieved VMware Ready status with their BalancePoint product. If you’re at VMworld and want to talk to Akorri, stop by booth 1331.
  • Similarly, Avere Systems has also been awarded VMware Ready status for its FXT 2700 appliance. Avere is also at VMworld in San Francisco, but I don’t have their booth number available to me.
  • Start-up company DeskStream has launched a product called Dynamic Virtual Desktop (yes, the acronym is DVD). It’s a “Desktop as a Service” product, according to their information. No word on whether DeskStream is at the VMworld conference. Follow this link for the full launch announcement.
  • Yet another company, CompuWare, has gotten VMware Ready status for CompuWare Vantage. As with DeskStream, I don’t have any indication as to whether CompuWare is at the VMworld conference.
  • I continue to be impressed by security startup HyTrust. Their latest announcement, HyTrust Cloud Control, brings strong authentication, role-based access control, and integration between HyTrust Appliance and VMware vCloud Director.
  • BLADE has announced VMready 3.0 with Virtual Vision, which allows physical networks to “see” virtual machines as they migrate (or are migrated) around the data center. At first glance, it kind of sounds like Arista’s VM Tracer, but I have a meeting with BLADE later this week and intend to find out more about the product. I’ll post more after that meeting.
  • EMC’s RSA division is also announcing the RSA Solution for Cloud Security and Compliance. This solution integrates technologies from Archer into a solution that is intended to help customers have greater confidence that their environments are properly secured and audited according to standards and policies. The full press release is also available here.

I think that’s about it for now. More VMworld 2010 coverage to come, so stay tuned!


I managed to score a seat in the vApps/OVF/Advanced VM Templates session. Unfortunately, I arrived late, so I don’t know the presenters’ names (apparently the location of the session was changed from the time I put it on my calendar to today).

The OVF XML descriptor file contains package meta-data and has 10 core sections for describing virtual hardware, EULA, product information, upgrade instructions, etc. The actual software in an OVF is installed in one or more virtual disks, and any publicly specified virtual disk format is supported. OVF also supports signing, compression, and internationalization.

The presenters showed a quick demonstration of deploying an OVF template using the vSphere Client. (They showed off deploying the SugarCRM vApp.) In particular, they pointed out the product information, version, size, description, etc., stored in the OVF XML meta-data, and mentioned that this can help users avoid downloading the wrong virtual appliance. The presenters also showed deployment options in the OVF XML; this allows the vendor to show recommended configurations for evaluation, production, enterprise, etc.; this is all driven by the vendors and is all stored in the OVF XML package descriptor.

The presenters showed IP address allocation parameters using data stored in the OVF. This functionality simplifies the configuration of the virtual appliance or vApp.
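The descriptor metadata and signing support described above can be checked before an appliance is deployed. This added example (not from the session or from VMware) reads the product, deployment-option and property entries from a constructed OVF descriptor and checks the package manifest digests; the file names, the `ip` property key and the sample bytes are made up for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
NS = {"ovf": OVF_NS}
# Manifest (.mf) lines look like: SHA1(example.ovf)= <hex digest>
MF_LINE = re.compile(r"(?P<alg>SHA1|SHA256)\((?P<name>[^)]+)\)=\s*(?P<hex>[0-9a-fA-F]+)")

# Constructed sample package contents (not a real appliance).
SAMPLE_DISK = b"constructed disk bytes"
SAMPLE_OVF = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
    xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <References>
    <File ovf:id="file1" ovf:href="example-disk1.vmdk" ovf:size="22"/>
  </References>
  <DeploymentOptionSection>
    <Info>Vendor-recommended configurations</Info>
    <Configuration ovf:id="evaluation"><Label>Evaluation</Label></Configuration>
    <Configuration ovf:id="production"><Label>Production</Label></Configuration>
  </DeploymentOptionSection>
  <VirtualSystem ovf:id="vm1">
    <Info>Constructed example system</Info>
    <ProductSection>
      <Info>Product information</Info>
      <Product>Example Appliance</Product>
      <Vendor>Example Vendor</Vendor>
      <Version>1.0</Version>
      <Property ovf:key="ip" ovf:type="string" ovf:userConfigurable="true"/>
    </ProductSection>
  </VirtualSystem>
</Envelope>"""


def attr(elem, name):
    """OVF attributes are namespace-qualified (ovf:id, ovf:href, ovf:key)."""
    return elem.get("{%s}%s" % (OVF_NS, name))


def summarize_descriptor(xml_text):
    """Pull out the metadata a reviewer checks before deploying an appliance."""
    if "<!DOCTYPE" in xml_text:
        # A descriptor has no need for a DTD; refuse entity-expansion tricks.
        raise ValueError("descriptor contains a DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_text)
    product = root.find(".//ovf:ProductSection", NS)

    def field(tag):
        return None if product is None else product.findtext("ovf:" + tag, namespaces=NS)

    return {
        "product": field("Product"),
        "vendor": field("Vendor"),
        "version": field("Version"),
        "configurations": [attr(c, "id") for c in root.iterfind(".//ovf:Configuration", NS)],
        "properties": [attr(p, "key") for p in root.iterfind(".//ovf:Property", NS)],
        "files": [attr(f, "href") for f in root.iterfind("ovf:References/ovf:File", NS)],
    }


def build_manifest(files):
    """Create manifest text for the constructed sample (a vendor ships this file)."""
    return "".join("SHA1(%s)= %s\n" % (n, hashlib.sha1(d).hexdigest()) for n, d in files.items())


def verify_manifest(manifest_text, files, referenced):
    """Return a list of problems; an empty list means every digest matched.

    Matching digests only show the files agree with the manifest. Authenticity
    rests on the signature over the manifest in the package's .cert file,
    which this example does not verify.
    """
    problems, listed = [], {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        m = MF_LINE.fullmatch(line.strip())
        if m is None:
            problems.append("unparseable manifest line: %r" % line)
            continue
        listed[m["name"]] = (m["alg"].lower(), m["hex"].lower())
    for name in referenced:
        if name not in listed:
            problems.append("%s: referenced by descriptor but not in manifest" % name)
    for name, (alg, want) in listed.items():
        if name not in files:
            problems.append("%s: listed in manifest but missing" % name)
        elif hashlib.new(alg, files[name]).hexdigest() != want:
            problems.append("%s: %s digest mismatch" % (name, alg.upper()))
    return problems


if __name__ == "__main__":
    package = {"example.ovf": SAMPLE_OVF.encode(), "example-disk1.vmdk": SAMPLE_DISK}
    summary = summarize_descriptor(SAMPLE_OVF)
    print(summary)
    print(verify_manifest(build_manifest(package), package, summary["files"]))
```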

vApps have power commands just like VMs, but they contain multiple VMs. Even though vApps contain multiple VMs, when deploying a vApp via OVF, it doesn’t ask you questions about multiple VMs or such. In general, this is handled by the author of the OVF XML package descriptor for the vApp. In the Inventory view, a vApp can be expanded to show the individual VMs contained within the vApp.

Next the presenters discussed creating a vApp from scratch. To create a new vApp, you just right-click on a host and select Create New vApp. Then you just drag existing VMs into/onto the new vApp. Once the new vApp is created, you can populate additional information like product name, product version, VM startup order, timing sequences, and shutdown actions. The presenter showed shutting down a vApp so that we could see how the shutdown order was enforced.

You can also export a vApp as an OVF template. This is a simple command from within the vSphere Client, and it exports the VMDKs and creates the XML descriptor file.

We also saw how to add vApp information to existing VMs without creating a vApp.

The presenters now moved into a discussion of VM templates and how VM templates can be enhanced and extended with vApp properties. There are two primary roles when it comes to templates: the author, who creates it once, validates it, and certifies it, but this occurs rarely. The user, on the other hand, uses these templates frequently to deploy new VMs.

Behind the scenes during a “normal” VM template deployment, it first makes a clone of the existing template. Then it powers it on and installs an agent into the guest OS. The agent is responsible for modifying the guest OS according to the customization specification settings selected during the deployment process. At the end, the new VM is powered off and the deployment is done.

To avoid some of the common limitations of the “normal” way of deploying VM templates, we can incorporate vApp functionality. In the vApp style of deployment, the author is responsible for creating and providing the agent that will customize the guest OS. This might be a shell script or a PowerCLI script. This agent or tool then responds based on parameters passed to it based on information supplied by the user during the deployment process. (Refer back to the description of vApp deployment.) This makes the authoring process harder (but this occurs rarely) and makes the deployment process easier (this occurs more often).
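Because the author-supplied agent acts on values the deployer types in, it should validate them before changing the guest. The following is an added example, not the presenters' code, of the parsing and validation half of such an agent; the property keys `hostname`, `ip` and `netmask` and the sample OVF environment document are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespace of the OVF environment document handed to the guest at deployment.
OE_NS = "http://schemas.dmtf.org/ovf/environment/1"
DNS_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample environment (hypothetical property keys and values).
SAMPLE_ENV = """<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1"
    xmlns:oe="http://schemas.dmtf.org/ovf/environment/1" oe:id="vm1">
  <PropertySection>
    <Property oe:key="hostname" oe:value="web01"/>
    <Property oe:key="ip" oe:value="192.0.2.10"/>
    <Property oe:key="netmask" oe:value="255.255.255.0"/>
    <Property oe:key="unused_option" oe:value="x"/>
  </PropertySection>
</Environment>"""
# Same document with a hostname carrying a shell metacharacter.
SAMPLE_BAD_ENV = SAMPLE_ENV.replace('oe:value="web01"', 'oe:value="web01;id"')


def read_properties(env_xml):
    """Return {key: value} for every Property element in the environment."""
    if "<!DOCTYPE" in env_xml:
        raise ValueError("environment contains a DOCTYPE; refusing to parse")
    root = ET.fromstring(env_xml)
    props = {}
    for prop in root.iter("{%s}Property" % OE_NS):
        key = prop.get("{%s}key" % OE_NS)
        if key is not None:
            props[key] = prop.get("{%s}value" % OE_NS, "")
    return props


def check_hostname(value):
    if DNS_LABEL.fullmatch(value) is None:
        raise ValueError("not a single DNS label")
    return value.lower()


def check_ip(value):
    # AddressValueError is a ValueError subclass, so callers catch one type.
    return str(ipaddress.IPv4Address(value))


def check_netmask(value):
    net = ipaddress.IPv4Network("0.0.0.0/" + value)  # rejects non-contiguous masks
    if str(net.netmask) != value:
        raise ValueError("not a dotted-decimal netmask")  # e.g. a prefix or hostmask
    return value


# Allow-list: only these keys are ever acted on, each with its own validator.
VALIDATORS = {"hostname": check_hostname, "ip": check_ip, "netmask": check_netmask}


def build_plan(env_xml):
    """Validate the deployer-supplied properties; return (settings, ignored keys).

    Raises ValueError naming every missing or rejected property, so the agent
    stops before touching the guest. When applying the settings, pass them as
    separate arguments to the configuration tools, never inside a shell string.
    """
    props = read_properties(env_xml)
    plan, errors = {}, []
    for key, check in VALIDATORS.items():
        if key not in props:
            errors.append("%s: missing" % key)
            continue
        try:
            plan[key] = check(props[key])
        except ValueError as exc:
            errors.append("%s: rejected (%s)" % (key, exc))
    if errors:
        raise ValueError("; ".join(errors))
    return plan, sorted(set(props) - set(VALIDATORS))


if __name__ == "__main__":
    print(build_plan(SAMPLE_ENV))
    try:
        build_plan(SAMPLE_BAD_ENV)
    except ValueError as exc:
        print("refused:", exc)
```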

The presenters next moved into a demonstration of using vApp properties and OVF to enhance standard VM template deployment.

The VMware OVF Tool 2.0 is available with Fusion 3.1 and Workstation 7.1 or can be downloaded from http://www.vmware.com/go/ovf. OVF Tool can convert OVF to OVA and perform a variety of other tasks. Another tool is called vAppRun, which integrates with OVFTool and lets you work with vApps and OVF Properties while using Fusion and Workstation. It can be downloaded from http://labs.vmware.com/flings/vapprun. The presenters showed a demo of using OVF Tool to deploy OVF templates. They also showed using OVF Tool to deploy from Workstation to vSphere, and finally they demonstrated a more complex deployment like SugarCRM. This showed how to deploy complex vApps from the command line using OVF Tool. (Pretty cool, in my opinion, even if it did include a very long and very complex command line instruction.)

VMware Studio 2.1 is a free application that can help in the creation of virtual appliances/vApps and offers full OVF 1.1 support and integration. It’s available from http://www.vmware.com/go/studio.

After this the session wrapped up and went into a question-and-answer session.

SUMMARY: I like the continued development of OVF and vApps, but I’m not so sure just how useful the idea of using vApp/OVF technologies for VM template deployment will actually be. The primary roadblock is the fact that the author would have to create the customization agent. Otherwise, OVF Tool looks quite handy and is very likely something I will be exploring in more detail.


Welcome to Technology Short Take #2, a collection of links, thoughts, ideas, and items pertaining to data center technologies—virtualization, networking, storage, and security. I hope you find something useful or interesting!

  • The release of FLARE 30 and DART 6 by EMC (formally announced last week) introduces some new concepts and new functionality. Matt Hensley recently did a write-up on some of the new functionality in this post on virtual provisioning, storage pools, and FLARE 30. It’s worth a read if you aren’t already familiar with these technologies and need a primer.
  • If you are looking for the definitive guide on connectivity between various VMware vSphere components and the TCP/UDP ports required, you need only look here. Great information!
  • Here’s a great guide from Cisco on deployment options when deploying 10 Gigabit Ethernet on VMware vSphere 4.0 with the Nexus 1000V or the VMware vNetwork Distributed Switch. I’ve read through it, but I’ve added it to my list of documents to go back and study more carefully; there’s lots of useful information in here.
  • Way back in March Dave Convery posted this article on limitations with VMware vShield Zones. While re-reading that article today, I noted in the comments that the Nexus 1000V has a feature called Virtual Service Domains that helps address some of the limitations of vShield Zones (at that time). As pointed out in the comments, this makes vShield Zones usable in two NIC scenarios such as with Cisco UCS. If anyone has any additional links on Virtual Service Domains, please share them in the comments. This is a topic that I think needs some additional attention.
  • This article is a good breakdown of the differences in storage identifiers between ESX 3.x and ESX 4.1.
  • Jeff Woolsey at Microsoft finally wraps up his series of articles on Hyper-V Dynamic Memory with Part 6. I’ve been reading this series pretty faithfully as Jeff systematically lays out the various ways in which memory is handled in a virtualization scenario, and I’ve been consistently struck by the impression that Jeff was working really hard to distinguish what Microsoft was doing with Hyper-V from what VMware does with ESX/ESXi. In the end, though, I can’t help but see all the similarities between the two. Dynamic Memory allocates additional memory to a VM as it needs it (much the same way ESX/ESXi does by allocating memory only as requested by the VM) and reclaims free pages from the VMs (just like ESX/ESXi reclaims idle pages via idle page reclamation). When under memory pressure, Hyper-V might force the guests to page out to disk; ESX/ESXi’s memory balloon driver achieves the same effect. What’s missing, obviously, is that with Hyper-V the hypervisor itself won’t swap pages out to disk (ESX/ESXi will do this under extreme circumstances). Am I missing something, or is Microsoft’s Dynamic Memory a lot more like VMware’s memory management technologies than Microsoft wants to admit? Feel free to enlighten me (courteously and with full disclosure) in the comments if I’m missing something.
  • Via Geert Verbist’s site, I found this article on application consistent quiescing via VMware’s VSS integration in VMware Tools. (For more information on VSS support within VMware Tools, check out my liveblog from Partner Exchange earlier this year.) This is good to hear, but what’s still not clear is whether the application consistent snapshots will truncate transaction logs. If anyone has more information, speak up in the comments.
  • I think I pointed this out a week or two ago on Twitter, but I thought I’d mention it here as well. If you ever need to help decode which WWPNs map to which ports on an EMC CLARiiON array, this article is quite helpful. Anyone have matching articles for EMC Symmetrix, NetApp, HP, HDS, or other arrays?
  • With the formal announcement by VMware that vSphere 4.1 will be the last major release that includes ESX, ESXi is naturally getting much more attention. With that, there’s been a flurry of ESXi-related articles:
    Using vMA As Your ESXi Syslog Server
    The Migration From ESX to ESXi is Happening: Moving Configurations, Part 1
    The Migration from ESX to ESXi is Happening: Moving Configurations, Part II
    My VMware ESXi Installation Checklist
    Virtually Ghetto: ESXi 4.1 – Major Security Issue (also documented here in the VMware KB)
    ESXi 4.1 – Major Security Issue – The Sequel and the Workaround
    ESXi 4.1 Active Directory Integration
  • If you’re into Cisco UCS but like Hyper-V instead of VMware vSphere, Cisco has a white paper on Cisco UCS with Hyper-V for delivery of virtualized Exchange 2010.
  • I’m a command-line junkie, so I liked this article on how to put an ESX host into maintenance mode from the CLI.
  • For those seeking to get up to speed on the Nexus 7000 switches, “Fryguy” posted some training documents on his site. I haven’t read them (yet), but they’re on my list of documents to read (a list that grows ever longer…)

I guess that will do it for this time around. I hope that you’ve found something useful and, as always, feel free to add more useful links or tidbits in the comments. Thanks for reading!


I posted a tweet earlier today that asked this question:

If I shouldn’t use “ip default-network” because it’s classful, then should I redistribute a static default route?

What prompted this question was some work I was doing earlier today in preparation for my CCNA exam. I had a five-site hub-and-spoke network in GNS3 running EIGRP, with lightweight OpenBSD VMs attached behind each router so that I could test end-to-end connectivity (i.e., ping a host behind one router from a host behind another router). This configuration is working fine.

Then I decided I’d take this setup and hide it behind a Vyatta VM performing NAT and see if I could connect it to the rest of my home network. The Vyatta stuff works fine, but now I’m faced with the prospect of configuring this self-contained little environment with a default route that points to the Vyatta. The Vyatta, in turn, points to the physical firewall protecting the home network from the nasty Internet. This configuration doesn’t seem at all too far-fetched from a realistic deployment where an enterprise network would need a default route out to the Internet, presumably through a firewall performing network address translation.

So what’s the best way to do it? I’ve read a couple of articles (older ones, since that’s all that seems to be available) saying that the ip default-network shouldn’t be used because it’s classful. To be honest, I’m not sure I fully understand the behavior of that command anyway, but if I’m not supposed to use that then do I just set a static route and redistribute that into EIGRP for distribution to the rest of the routers?

Sorry, I’m still learning here…


Over the last couple months I’ve been working on a revision to Mastering VMware vSphere 4 that incorporated new content for the VMware vSphere 4.1 release. Unfortunately, due to production timelines and some other constraints, Sybex has decided not to proceed with this revision. Bummer! I understand the publisher’s reasons for not proceeding with the project, but it is a shame nevertheless.

I like to try to stay positive, though, so here are some upsides:

  • I have more time to spend with my family. That’s always a good thing!
  • I have more time to work on my professional certifications, which had taken a back seat to the writing.
  • I have more time to blog, which (hopefully) you agree is a good thing too!

However, with the closing of that door, who knows what other doors might open?


There were several new product announcements that hit the wire today. I don’t have time to go in-depth on any of these, but I did want to point them out very briefly. If time permits, I’ll try to provide a bit more detail in the near future.

  • VKernel today announced their new Capacity Management Suite 2.0, which is a bundling of existing VKernel products along with new integration points between the products. CMS rolls together VKernel’s capacity analysis, inventory, VM optimization, and chargeback tools into a single product, and more tightly integrates them. I had the opportunity (thank you VKernel!) to get a preview of CMS 2.0 last week, and it’s pretty nice. There are lots of little touches here and there to help make it easier to find the specific information you need to see. For more information, see VKernel’s web site.
  • Arista Networks today announced Arista VM Tracer (read the full press release). Doug Gourlay of Arista has been showing me previews of some of the functionality of VM Tracer. It’s a different approach than Cisco has taken to providing a greater level of integration between virtualization and networking. No less valid, but certainly different. VM Tracer provides visibility into the virtualization environment from the physical network, making it easier to see which VMs are on which ESX/ESXi host, where these hosts are connected, what the current status of the VM is (i.e., is it in the middle of a vMotion event, or is it protected by Fault Tolerance). It will be interesting to see how Arista moves forward from here.
  • EMC also announced Unified Storage today (read the full press release). Many of the technologies that are included in this announcement were discussed at EMC World earlier this year, including Sub-LUN FAST, FAST Cache, Block Data Compression, full support for VMware’s vStorage APIs for Array Integration (VAAI), and Unisphere, the single management interface for the Unified Storage line. However, also in this announcement today were a few new items: native FCoE support for the Unified storage systems; new, less expensive 100GB and 200GB Enterprise Flash Drives (EFDs); and new models of Celerra gateways, the VG2 and VG8, which boast significantly improved performance over earlier models. All in all, there’s quite a bit of stuff in today’s announcement.
  • FalconStor announced Network Storage Server (NSS) SAN Accelerator for VMware View this morning. This one just popped in my inbox this morning, so I haven’t even had time to dive into and understand what exactly they’re announcing. It appears to be a solution intended to leverage high-performance flash with low-cost SATA drives and geared specifically for virtual desktop infrastructure (VDI) deployments. The product page for this product doesn’t offer too much more information.

That’s all I have for now. If anyone has additional information they’d like to share about these announcements, please speak up in the comments. As always, if you are a vendor, you must provide full disclosure. This is not to discount your comments—everyone’s comments are valuable—but simply to provide the readers with some context of why you’re saying what you’re saying. Thanks!


On the recommendation of a number of Twitter users, I decided to install Microsoft Security Essentials (MSE) on a couple of laptops running 64-bit Windows 7. These laptops are used by my kids for their school work (they are home-schooled), and I just wanted to make sure that the laptops don’t get infected with some nasty bug. More than a few Twitter users recommended MSE, so I figured it couldn’t be all bad, right?

The install was quick and painless. And that’s where the fun started. MSE wanted to do an update immediately; OK, that’s fine. The problem is, it won’t connect. I use a Squid proxy server to control outbound web access, so I figured that somewhere was a setting that told MSE to use a proxy server. There’s nothing within MSE itself. Could it be that I had forgotten to configure Internet Explorer? I did make Firefox the default browser, after all. Nope, a quick check shows that the Internet Explorer settings are configured for the right outbound proxy as well. Both Internet Explorer and Firefox are working fine, so I know it’s not the network, the proxy, or the firewall. It must be MSE itself.

Google turns up the first part of the puzzle; even though your proxy support might be configured correctly for Internet Explorer (and thus most of the rest of Windows), MSE won’t take those settings. Instead, you have to use netsh, like this:

netsh winhttp import proxy source=ie

Unfortunately, in its efforts to be “helpful,” Windows 7 won’t allow you to run that command without elevated privileges. All you get when you try is a nondescript error message that vaguely implies that you don’t have permission. However, instead of being able to elevate that one command (a la sudo in the UNIX/Linux/BSD world), you have to run the entire command prompt with administrative privileges, as explained here (and probably countless other places on the ‘Net).

Once you get a command prompt running with administrative credentials, then you can run the netsh command and it will successfully import the IE proxy configuration. Once the IE proxy configuration is successfully imported, then MSE will fetch updates from the Internet and function properly. Wasn’t that fun?

This little episode brings up a couple questions/thoughts:

  1. Why in the world wouldn’t MSE use IE’s proxy configuration? Most of the rest of Windows does.
  2. Even if Microsoft wanted MSE to have its own proxy settings, why force users down a rathole of command prompts and administrative privileges? Why not put it in the GUI?
  3. Windows 7 has made great strides in making Windows more secure, but does this enhanced security posture come at the price of decreased flexibility for the power user?
  4. If so, does Microsoft even care? After all, the default settings are probably fine for most users.

Anyway, there you have it. If you use a proxy server on your network and you also want to use MSE, you’ll need to use netsh (with administrative privileges) to configure your proxy settings properly.


This is one article in a series of articles focused toward new users. Some other New User’s Guide articles include:

This particular article is a follow-up of sorts to the first article listed above. While that article focused on virtual networking with VMware ESX, this article focuses on virtual networking with VMware ESXi. Given that VMware’s stated focus is on VMware ESXi moving forward, I thought this article would be helpful and timely.

For new users who are seeking a thorough explanation of how VMware ESX/ESXi networking functions, I’ll recommend a series of articles by Ken Cline titled The Great vSwitch Debate. Ken goes into a great level of detail. Go read that, then you can come back here.

All of the commands presented in this article were tested using VMware vSphere 4.1. The environment consisted of hosts running VMware ESXi 4.1 being managed by VMware vCenter Server 4.1. For CLI access, I used the vSphere Management Assistant (vMA) virtual appliance, deployed via OVF.

The majority of all the networking configuration you will need to perform on VMware ESXi boils down to just a few commands:

  • vicfg-vswitch: You will use this command to manipulate virtual switches (vSwitches) and port groups.
  • vicfg-vmknic: You will use this command to create, modify, or delete VMkernel NICs on the VMware ESXi hosts.
  • vicfg-nics: You will use this command to view (and potentially manipulate) the physical network interface cards (NICs) in a VMware ESXi host.

The tasks that you’ll actually perform using these commands are pretty straightforward:

  1. Creating, configuring, and deleting vSwitches
  2. Creating, configuring, and deleting port groups
  3. Creating, configuring, and deleting VMkernel NICs

I’ll start with a few prerequisites that are necessary due to the fact that you are using a remote CLI to access the VMware ESXi hosts.

As you can see from the list above, all the commands you’re going to use are the vicfg-* commands. All of these commands have some standard parameters they require in addition to the task-specific parameters. To make things a bit simpler for you, I’ll recommend that you set persistent values (persistent for the current vMA session, at least) to simplify the commands later. Here are the values I recommend you establish:

  • First, set the value of the VI_SERVER variable to be the fully qualified domain name of the vCenter Server computer. Use the bash export command to set this variable, like this:
     
    export VI_SERVER=vcenter-server.domain.com
     
    Setting this variable now means that none of the vicfg-* commands will need to have this parameter specified. Since it’s likely that you’ll consistently work with one specific instance of vCenter Server, then this is a pretty safe variable to set.
  • In the absence of using Active Directory integration (which is a far cleaner choice, but one which we’ll reserve for a future article), set the VI_USERNAME variable to the name of the user account you’ll use to authenticate against vCenter Server. Again, use the export command as outlined in the previous bullet.

Now that you have some basics established, I’ll move on to creating, configuring, and deleting vSwitches.

Creating, Configuring, and Deleting vSwitches

You’ll use the vicfg-vswitch command for the majority of these tasks. Unless I specifically indicate otherwise, all the commands, parameters, and arguments are case-sensitive. For all these vicfg-* commands, you will get prompted for the password to the user account you defined when you set the value of the VI_USERNAME variable.

To create a vSwitch, use this command:

vicfg-vswitch -h <ESXi hostname> -a <vSwitch Name>

To link a physical NIC to a vSwitch—which is necessary in order for the vSwitch to pass traffic onto the physical network or to receive traffic from the physical network—use this command:

vicfg-vswitch -h <ESXi hostname> -L <Physical NIC> <vSwitch Name>

In the event you don’t have information on the physical NICs, you can use this command to list the physical NICs:

vicfg-nics -h <ESXi hostname> -l (lowercase L)

Conversely, if you need to unlink (remove) a physical NIC from a vSwitch, use this command:

vicfg-vswitch -h <ESXi hostname> -U <Physical NIC> <vSwitch Name>

To change the Maximum Transmission Unit (MTU) size on a vSwitch, use this command:

vicfg-vswitch -h <ESXi hostname> -m <MTU size> <vSwitch Name>

To delete a vSwitch, use this command:

vicfg-vswitch -h <ESXi hostname> -d <vSwitch Name>

Creating, Configuring, and Deleting Port Groups

As with virtual switches, the vicfg-vswitch is the command you will use to work with port groups. Once again, unless I specifically indicate otherwise, all the commands, parameters, and arguments are case-sensitive.

To create a port group, use this command:

vicfg-vswitch -h <ESXi hostname> -A <Port Group Name> <vSwitch Name>

To set the VLAN ID for a port group, use this command:

vicfg-vswitch -h <ESXi hostname> -v <VLAN ID> -p <Port Group Name> <vSwitch Name>

To delete a port group, use this command:

vicfg-vswitch -h <ESXi hostname> -D <Port Group Name> <vSwitch Name>

To view the current list of vSwitches, port groups, and uplinks, use this command:

vicfg-vswitch -h <ESXi hostname> -l (lowercase L)

Creating, Configuring, and Deleting VMkernel NICs

To work with ESXi’s VMkernel NICs, you’ll primarily use the vicfg-vmknic command. As in the previous sections, all commands are case-sensitive unless I specifically indicate otherwise, and all commands assume you’ve defined the VI_SERVER and VI_USERNAME variables.

To create a new VMkernel NIC, use this command:

vicfg-vmknic -h <ESXi hostname> -a -i <VMkernel NIC IP address> -n <Subnet mask> <Port group>

To delete a VMkernel NIC, use this command:

vicfg-vmknic -h <ESXi hostname> -d <Port group>

To enable vMotion on an already-created VMkernel NIC:

vicfg-vmknic -h <ESXi hostname> -E <Port group>
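
The three procedures above chained into one vMA script, as an added example (not part of the original article or VMware's tooling): it validates the VLAN ID and addresses before touching the host, then prints the commands by default. The function names, the DRY_RUN switch, the sample host and addressing, and the 0-4095 VLAN check (the 12-bit 802.1Q range) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate inputs, then print (or run) the article's commands in order.
# Assumes VI_SERVER and VI_USERNAME are already exported as described above.
# DRY_RUN=1 (default) only prints; set DRY_RUN=0 on the vMA to execute.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True when $1 is an unsigned integer between $2 and $3 inclusive.
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# True when $1 is a dotted quad with every octet in 0-255 (format check only).
valid_ipv4() (
    case $1 in *.*.*.*.*|*..*|.*|*.) exit 1 ;; *.*.*.*) ;; *) exit 1 ;; esac
    IFS=.
    for octet in $1; do in_range "$octet" 0 255 || exit 1; done
)

# Args: host vswitch uplink portgroup vlan ip netmask
build_vmk_network() (
    [ $# -eq 7 ] || { echo "expected 7 arguments, got $#" >&2; exit 2; }
    host=$1 vsw=$2 nic=$3 pg=$4 vlan=$5 ip=$6 mask=$7
    # Check everything first so a typo cannot leave a half-built vSwitch behind.
    in_range "$vlan" 0 4095 || { echo "bad VLAN ID: $vlan" >&2; exit 1; }
    valid_ipv4 "$ip" || { echo "bad IP address: $ip" >&2; exit 1; }
    valid_ipv4 "$mask" || { echo "bad subnet mask: $mask" >&2; exit 1; }
    # Chained with && so a failed step stops the sequence when DRY_RUN=0.
    run vicfg-vswitch -h "$host" -a "$vsw" &&
    run vicfg-vswitch -h "$host" -L "$nic" "$vsw" &&
    run vicfg-vswitch -h "$host" -A "$pg" "$vsw" &&
    run vicfg-vswitch -h "$host" -v "$vlan" -p "$pg" "$vsw" &&
    run vicfg-vmknic -h "$host" -a -i "$ip" -n "$mask" "$pg" &&
    run vicfg-vmknic -h "$host" -E "$pg" &&
    run vicfg-vswitch -h "$host" -l
)

# Constructed sample values; replace with your own host and addressing.
build_vmk_network esxi01.example.com vSwitch1 vmnic1 vMotion 20 192.168.20.11 255.255.255.0
```

The dry-run output is meant for review before a live run; names containing spaces are printed without quoting.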

There are more networking-related tasks that you can perform from the CLI, but for a new user these commands should handle the lion’s share of all the networking configuration. Good luck with your ESXi environment!
