Virtualization Security Roundtable

Would like to help spread the word about the Virtualization Security Roundtable. It will take place this Thursday, January 15, at 2:30 EST.
Security topics are outlined in the linked article. I would have to say this is a topic that I really want to master.
We consult with many financial institutions, and being quicker on this subject would help me answer some of the objections to VMware: not only to have the right answer but also to be able to solve common problems.

Like always, I will not be available for the call this week, but I will put it on my calendar so I can go ahead and listen to it every other week.

Education and Virtualization – Oh, the Possibilities

Saw this article the other day. Really good to see the Alma Mater take a plunge into virtualization. I spent four and a half years starting my IT career at USC, working while I was studying.
I think amazing things could be done in education with virtualization. That isn’t just virtual desktops for computer labs, although that is a good one. Imagine being able to learn programming in a Windows environment you could build up, tear down, and build up again in an hour.
I remember getting warnings from root for leaving a process running (by accident) on the Unix system for a couple of days. Separate virtual machines running Linux would be awesome for this.
It has been almost 10 years since I finished at the University. I wonder what ways virtualization is making learning easier. I bet students are coming out now knowing almost all of what it took me the last few years to acquire on the job.

Possibilities:
1. Virtual Desktops
2. Dedicated VM’s to learn server OS
3. Research into Malware/Spyware and other Security issues
4. Computer Engineering
5. Application Development and Testing
6. Ease deployment of Apps for teaching.

I am not a huge visionary; I bet there are tons of other ways… Any thoughts?

Fibre or Ethernet Saturation – Which comes First?

I was thinking about how far I can scale a VI3 environment yesterday. I started to think, and that can be dangerous.
What will saturate first? The Fibre network or the Ethernet network?
So in my envisioned setup it would have dual quad-core processors, so if I can still do math that is 8 cores. If I might fit 4 x 1 vCPU virtuals per core, I could theorize 32 VMs per host. Now let's say I bought 2 of those quad-port NICs for each host, so to be simple there are 8 network ports per host. Finally, let's say I have 2 single-port HBAs connecting to the fibre and I am lucky enough for it to be 4 Gb all the way to the SAN.
We have 2 Cisco 48-port 3560 GigE switches for the ESX hosts to access and 2 24-port Brocade Fibre switches. So I scale my ESX hosts to fill the Cisco switches and it tops out at 11. I will use 11 ports on each Brocade; the Storage Processors use 4 more ports.
So what fills up first?
– Fibre
– Ethernet
– Disk IO

Practically, my bet would be on memory, but let's say memory can go as high as we need.

Another snag is CPU resources: to generate enough network traffic to saturate that many GigE NICs, I would think the CPUs would pin out first.

I really wish I had a good lab with lots of vendor equipment I could test and try to break. That would be fun for me.

ESX Commands – esxcfg-configcheck

The ESX Quick reference has information on this command.

I didn’t find any posts in the VMware Communities or the Knowledge Base with any reference to this command. From what I can decipher, it checks the settings of the /etc/vmware/esx.conf file. I wonder if it does any more or less.

http://screencast.com/t/flViWgGth3

So really, does anyone know the insides of this command?

Review the Year – 2008

Recap of what happened in 2008 to a virtualization consultant/engineer guy.

  • Started the year as a Senior Network Engineer, by the end of January finished a 2.5.x upgrade to 3.0.1. Later found out the client upgraded to 3.5 a little while after I finished.
  • Beginning of March I was transferred/promoted to Senior Technical Advisor. At some point I was renamed a Senior Technical Engineer, but it was the same job: doing internal infrastructure support, running our hosted Virtual Machine environment, and doing VMware pre-sales and implementation.
  • Due to shake-ups in our company, I was then made a Senior Technical Consultant, which included more SE work for the general operation of our company (SMB tech support). So one day I can be designing a Virtual Infrastructure and the next quoting a 1GB memory upgrade for an HP desktop.
  • As a consultant I was able to run some Capacity Assessments. Maybe it will lead to some projects for 2009.

So professionally this year I had four different jobs and/or titles and at least five different bosses.

The blog started as a joke between me and a co-worker. I thought of a name for a sweet 2-man VMware shop, and Two VCPs and a Truck was born. During the fall I posted small comments and helps that I came across, maybe once or twice a week (sometimes less). I have had fun trying out new software, researching esxcfg- commands, and making comments on cool things other bloggers have posted.

GNS3- Graphical Network Simulator – New Release

GNS3 is an excellent tool that uses dynamips to simulate routers running real Cisco IOS. You must have rights on your CCO account to download the IOS. It also includes the PIX emulator so you can check out your PIX/ASA configs.

The only piece missing is the switch simulators. You can combine GNS3 with VMware Workstation to build entire lab environments. I have one friend who has most of his voice lab for CCIE built using VMware and GNS3. Good stuff.
Runs on Windows/Linux/OS X.

Veeam Monitor Free

I love Free Stuff

I thought I would at least make a mention of this newly free product from Veeam. I use FastSCP all the time, and recommend it to people whenever I can. So this will hopefully be just as awesome.
At first the download was super slow. Now I am getting 1.11 MB/s. Much better.

Update:
Thanks to VeeamMeUp for recognizing the blog. Always happy to share software I like or might like.

Central Syslog Host for ESX – Syslog-ng

Someone may have already written all this, but oh well.

1. Install something free like Ubuntu Server.

2. I use Ubuntu because I like Debian and apt-get. So run:

#apt-get install syslog-ng

Running Syslog-ng gives you more than the standard syslog daemon.

3. Configure syslog-ng to receive UDP logs.

root@hoth:/# cd /etc/syslog-ng/
root@hoth:/etc/syslog-ng# vi syslog-ng.conf

side note: learn VI

Add this after the main source section:

source s_remote {
    udp();
};

After the destinations:

destination df_remote { file("/var/log/remote.$HOST"); };

The $HOST will sort the logs by IP of the server.

And finally add this to the end of the syslog-ng.conf file:

log {
    source(s_remote);
    destination(df_remote);
};

Now restart the syslog-ng service:

root@hoth:/etc/syslog-ng# service syslog-ng restart

4. Make changes to the ESX syslog config. Thanks to Tooms.dk I have been using syslog-ng so much I needed to find the commands for standard syslog.

1. In the /etc/syslog.conf file add this line: "*.* @172.16.0.202" (without the quotes), and change the IP to your syslog server's IP.

2. Restart the syslog service with the command "service syslog restart".

3. Open the ESX server firewall with this command to allow syslog outgoing traffic: "esxcfg-firewall -o 514,udp,out,syslog".

4. Tell the ESX firewall to reload the config with this command: "esxcfg-firewall -l".

Now you can tail -r /var/log/remote.10.10.10.2 (or whatever your IP is).
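Once the logs land on the central host, the useful part is doing something with them. As an added example (not from the original post, and not part of syslog-ng or ESX), here is a small Python script that parses the per-host remote.<ip> files the setup above produces and counts repeated failed SSH logins against each ESX host. It assumes syslog-ng's default file template ("$DATE $HOST $MSGHDR$MSG"), and every log line below is constructed for the example, not captured from a real host.

```python
import re
from collections import Counter

# Constructed sample content of two per-host files written by the
# df_remote destination, keyed by the source IP in the file name
# (/var/log/remote.10.10.10.2 and /var/log/remote.10.10.10.3).
# The lines are made up for this example, not real ESX output.
SAMPLE_LOGS = {
    "10.10.10.2": (
        "Jan 15 14:30:01 esxlab2 sshd[1234]: Accepted password for root from 10.10.10.5 port 41230 ssh2\n"
        "Jan 15 14:31:10 esxlab2 sshd[1240]: Failed password for root from 10.10.10.77 port 41231 ssh2\n"
        "Jan 15 14:31:12 esxlab2 sshd[1240]: Failed password for root from 10.10.10.77 port 41231 ssh2\n"
        "Jan 15 14:31:15 esxlab2 sshd[1240]: Failed password for root from 10.10.10.77 port 41231 ssh2\n"
        "Jan 15 14:40:00 esxlab2 esxcfg-firewall: sample firewall message (constructed)\n"
        "this line is deliberately malformed\n"
    ),
    "10.10.10.3": (
        "Jan 15 14:32:00 esxlab3 vmkernel: sample vmkernel message (constructed)\n"
        "Jan 15 14:35:00 esxlab3 sshd[900]: Failed password for invalid user admin from 10.10.10.77 port 5000 ssh2\n"
    ),
}

# BSD-style syslog line as written by the default file template:
# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# OpenSSH failure message; "invalid user X" is covered by the lazy user group.
FAILED_RE = re.compile(
    r"Failed password for (?P<user>.+?) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return the fields of one syslog line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_remote_file(text):
    """Parse every line of one remote.<ip> file; returns (records, unparsed_count)."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep going; one bad line must not hide the rest
        else:
            records.append(rec)
    return records, unparsed


def count_failed_logins(logs):
    """Count sshd 'Failed password' events per (ESX source IP, client IP)."""
    counts = Counter()
    for esx_ip, text in logs.items():
        records, _ = parse_remote_file(text)
        for rec in records:
            if rec["prog"] != "sshd":
                continue
            m = FAILED_RE.search(rec["msg"])
            if m:
                counts[(esx_ip, m.group("src"))] += 1
    return counts


def audit(logs, threshold=3):
    """Return sorted alerts [(esx_ip, client_ip, count)] at or above the threshold."""
    return sorted(
        (esx_ip, src, n)
        for (esx_ip, src), n in count_failed_logins(logs).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for esx_ip, src, n in audit(SAMPLE_LOGS):
        print(f"{esx_ip}: {n} failed SSH logins from {src}")
```

In a real deployment the dictionary would be filled by reading each /var/log/remote.* file and keying it by the suffix of the file name; the threshold is whatever your team agrees is worth a look.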

ESX Commands – esxcfg-boot

What in the world does this command do?

esxcfg-boot
esxcfg-boot
-h --help
-q --query boot|vmkmod
-p --update-pci
-b --update-boot
-d --rootdev UUID=
-a --kernelappend
-r --refresh-initrd
-g --regenerate-grub
Queries cannot be combined with each other or other options. Passing -p or -d enables -b even if it is not passed explicitly. -b implies -g plus a new initrd creation. -b and -r are incompatible, but -g and -r can be combined.


Here is some output from my lab:
[root@esxlab2 root]# esxcfg-boot -q boot
272 0:*; UUID=96c048d7-ee1d-4455-b6a5-801bfbaabbdc /vmlinuz-2.4.21-7.ELvmnix /initrd-2.4.21-57.ELvmnix.img

[root@esxlab2 root]# esxcfg-boot -q vmkmod
vmklinux
mptscsi_2xx.o
e1000.o
lvmdriver
vmfs3
etherswitch
shaper
tcpip
cosShadow.o
migration
nfsclient
deltadisk
vmfs2

I am picturing these commands to be much like the kernel options, modprobe, and bootloader settings you would set up when you compile your kernel in Linux. Most hardcore Linux guys would let you know you are a real man when you recompile your own kernel. In VMware, I would be hesitant to mess with any of this unless I broke something. Then again, with all of my VMs on the SAN, if I bombed out an ESX host this badly, it would take me 20 minutes to rebuild it.

Then I noticed from the B2V Guide that I would make use of this when I changed the queue depth on my HBAs, which I have done before. I followed this note on the forums.

What other device driver options besides the HBA will you ever change?
Here are some things I found:
More HBA problems
And even more queue depth fun
And this list could be longer, just searching VMware Community.
I would guess that the reason we don’t jack with the drivers with ESX and the hardware is because of the very good compatibility list. You don’t just run ESX 3.5 on anything (at least not for production).

ESX Commands – esxcfg-auth

Following my alphabetical method of learning.

esxcfg-auth
usage: esxcfg-auth [options]

options:
--enablemd5 Enable MD5 password storage
--disablemd5 Disable MD5 password storage
--enableshadow Enable Shadow password storage
--disableshadow Disable Shadow password storage
--enablenis Enable NIS Authentication
--disablenis Disable NIS Authentication
--nisdomain=domain Set the NIS domain
--nisserver=server Set the NIS server
--enableldap Enable LDAP User Management
--disableldap Disable LDAP User Management
--enableldapauth Enable LDAP Authentication
--disableldapauth Disable LDAP Authentication
--ldapserver=server Set the LDAP Server
--ldapbasedn=basedn Set the base DN for the LDAP server
--enableldaptls Enable TLS connections for LDAP
--disableldaptls Disable TLS connections for LDAP
--enablekrb5 Enable Kererbos Authentication
--disablekrb5 Disable Kererbos Authentication
--krb5realm=domain Set the Kerberos Realm
--krb5kdc=server Set the Kebreros Key Distribution Center
--krb5adminserver=server
    Set the Kerberos Admin Server
--enablead Enable Active Directory Authentication
--disablead Disable Active Directory Authentication
--addomain=domain Set the Active Directory Domain
--addc=server Set the Active Directory Domain Controller
--usepamqc=values Enable the pam_passwdqc module
--usecrack=values Enable the pam_cracklib module
--enablecache Enables caching of login credentials
--disablecache Disables caching of login credentials
--passmaxdays=days Set the maximum number of days a password remains valid.
--passmindays=days Set the minimum number of days a password remains valid.
--passwarnage=days Set the number of days a warning is given before a
    password expires.
--maxfailedlogins=count
    Sets the maximum number of login failures before the
    account is locked out, setting to 0 will disable this
-p, --probe Print the settings to the console
-v, --verbose Enable verbose logging
-h, --help show this help message and exit

For more actual usage I would defer to one of the most useful VM blogs around, from Scott Lowe. The common usage for most of us daily users would be to enable Active Directory authentication on the ESX host, so your team of admins can get in and do work in certain situations. Now, when your team is one (still looking for that other VCP; hopefully he passes the test this week) or two, this is not a huge requirement.
Additional authentication requirements can be set here depending on your environment's requirements. I would generally let clients know this is available, but I have not had anyone demand to have maxfailedlogins set to 5 or something.