How to create custom firewall rules on ESXi 5.0

While studying for the VCAP5-DCD I was working on Objective 7.2, which covers the built-in firewall for ESXi 5.0. I needed to be comfortable with creating custom rules on the host firewall. At first I figured there must be an ESXCLI command I could use to add and remove these rules, much like other tasks. There certainly is an ESXCLI firewall command, but it does not go as far as letting you create and remove rules from the firewall. The command is more about turning already defined rules on and off and refreshing the rule set.

The rule list is kept in an XML file located here – /etc/vmware/firewall/service.xml

The first thing you should do is create a backup copy of this file to protect yourself from any mistakes. Then you will need to change the permissions on the file so that you can edit it. You can do this with chmod, or with WinSCP if that is easier for you.

Once you have changed the permissions, edit the file with a plain text editor; use whatever is available and you are comfortable with. The most common options for me are usually vi or, again, WinSCP. I tend to lean towards the second one because it's easier for me. Once you open the service.xml file you will see a rule list something like the one listed below. The two services at the end (suhr1 and suhr2) are examples that I put in for my practice.

<ConfigRoot>
  <service id='0000'>
    <id>serviceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>80</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>
        <begin>1020</begin>
        <end>1050</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

  <service id='0050'>
    <id>suhr1</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>2100</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
  <service id='0051'>
    <id>suhr2</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2000</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Simply create your new rule(s) by following the same format that is shown above or in the file. Once completed save the file and then you will need to enable the new rule set.

To refresh the rules and make them take effect you need to use the following command. Now is the time for the ESXCLI command line fun that you have been waiting for.

# esxcli network firewall refresh

Now that you have refreshed the rules you should have a look and make sure they are showing up and there are a couple of ways to accomplish this.

The first way to check is to fire up the vSphere client and select the host that you modified the rules on. Go to the configuration tab and then security profile option under the software section. You can see from the image below that I created two different rules one incoming and one outgoing rule.

The second way to verify that your new rules are showing up is to use the command line and ESXCLI. You need to use the command listed below to display the rule set.

# esxcli network firewall ruleset list

One thing that I came across while researching different ways to add rules was that there was a lot of discussion on how to make the rules persist after a host reboot. If you use this method you should do some testing, but in my home lab the rules did persist across host reboots using this method. I used the method listed in the following VMware KB.
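The whole procedure above (back up service.xml, make it writable, append a service block before the closing ConfigRoot tag, refresh, verify), as an added shell example that is not from the original post. It assumes the service.xml layout shown above; the 644 file mode and the 0050-style service ids are assumptions rather than values the post gives. The field validation and the duplicate id/name checks are the part a practitioner wants before reloading a host firewall, since a malformed or clashing service block is what breaks the refresh.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripted version of the
# manual procedure: back up /etc/vmware/firewall/service.xml, make it
# writable, append one <service> block with a single rule before
# </ConfigRoot>, and refuse bad input before touching the file.
# The 644 mode and the service id scheme are assumptions.

# add_fw_service FILE SERVICE_ID NAME DIRECTION PROTOCOL PORTTYPE PORT
add_fw_service() {
    file=$1 sid=$2 name=$3 direction=$4 proto=$5 ptype=$6 port=$7

    # Validate every field first; an invalid block would break the refresh.
    case $direction in
        inbound|outbound) ;;
        *) echo "bad direction: $direction" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case $ptype in
        src|dst) ;;
        *) echo "bad porttype: $ptype" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # A duplicate service id or name clashes with an existing entry.
    if grep -q "<service id=['\"]$sid['\"]>" "$file"; then
        echo "service id $sid already defined" >&2; return 1
    fi
    if grep -q "<id>$name</id>" "$file"; then
        echo "service name $name already defined" >&2; return 1
    fi
    grep -q '</ConfigRoot>' "$file" || { echo "no </ConfigRoot> in $file" >&2; return 1; }

    # Timestamped copy so the edit can be reverted.
    cp "$file" "$file.$(date +%Y%m%d%H%M%S).bak" || return 1
    # The file ships read-only; 644 lets root edit it (assumed mode).
    chmod 644 "$file" || return 1

    # Rewrite the file: everything except the closing tag, the new block,
    # then the closing tag again.
    tmp="$file.tmp.$$"
    {
        grep -v '</ConfigRoot>' "$file"
        printf "  <service id='%s'>\n" "$sid"
        printf "    <id>%s</id>\n" "$name"
        printf "    <rule id='0000'>\n"
        printf "      <direction>%s</direction>\n" "$direction"
        printf "      <protocol>%s</protocol>\n" "$proto"
        printf "      <porttype>%s</porttype>\n" "$ptype"
        printf "      <port>%s</port>\n" "$port"
        printf "    </rule>\n"
        printf "    <enabled>true</enabled>\n"
        printf "    <required>false</required>\n"
        printf "  </service>\n"
        printf "</ConfigRoot>\n"
    } > "$tmp" && mv "$tmp" "$file"
}

# count_services FILE: number of <service> blocks, for a before/after check.
count_services() {
    grep -c '<service id=' "$1"
}

# On the host itself: reload the rule set and list it, as in the post.
refresh_and_verify() {
    esxcli network firewall refresh &&
    esxcli network firewall ruleset list
}

# Usage on an ESXi host (the two services from the post):
#   add_fw_service /etc/vmware/firewall/service.xml 0050 suhr1 outbound tcp src 2100
#   add_fw_service /etc/vmware/firewall/service.xml 0051 suhr2 inbound  tcp dst 2000
#   refresh_and_verify
```

The edit and the refresh are kept in separate functions so you can inspect the new block (and the timestamped .bak beside it) before the host reloads its rule set; count_services gives a quick before/after sanity check that exactly one service was added.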

About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design


How to upgrade to VMFS 5 on VMware and VMFS 5 facts

I wrote this last year but never published, working on clearing out some old posts. Along with the long list of other features added to vSphere 5, VMware has included a new version of VMFS. The upgrade in VMFS brings us to version 5 of the file system.

The main focus of VMware while creating VMFS-5 seems to have been making it easier to manage storage in virtual environments. In VMFS-5 the number of storage related objects that need to be managed by a VMware administrator is far smaller. For example, you can now use larger and fewer datastores, because the scaling limits of VMFS-5 have been increased.

VMFS-5 New Features

  • Unified 1MB File Block Size. Past versions of VMFS used 1,2,4 or 8MB file blocks. The larger block sizes would allow you to create files larger than 256GB. There is now just one block size in VMFS-5 allowing you to create up to 2TB VMDK files using the 1MB file blocks.
  • Larger Datastores. In previous versions of VMFS, the largest datastore size without extents was 2TB-512 bytes. With VMFS-5 this limit has been increased to 64TB.
  • Smaller Sub-Block. VMFS-5 introduces a smaller sub-block. The new size is now 8KB rather than the old 64KB size from previous versions. Now a small file less than 8KB but larger than 1KB in size will only consume 8KB rather than 64KB. This will reduce the disk space being consumed by these small files.
  • Small File Support. Support for files less than or equal to 1KB, now use the file descriptor location in the metadata for storage rather than file blocks. If they grow above 1KB, these files will then start to use the new 8KB sub blocks. The net result is a reduction in space consumed by small files.
  • Increased File Count. VMFS-5 now allows support for more than 100,000 files. In VMFS-3 the limit was 30,000 files.
  • ATS Enhancement. ATS is now used all through VMFS-5 for file locking. ATS (Atomic Test & Set) is a Hardware Acceleration primitive, and is part of the VAAI (vSphere Storage APIs for Array Integration). This improves the file locking performance over previous versions of VMFS.


How to backup ESX and ESXi host configurations

When it comes to protecting your virtual environment there are many things to consider. You need to have backups of your virtual machines and don’t forget about your host configurations.

How to back up your ESXi configuration

There are many reasons that you would want to back up your ESXi configuration, of which the two main ones would be before upgrading to a new version or for DR reasons.

If you are going to be upgrading an existing ESXi host to ESXi 5 you should backup your host configuration before proceeding. With vSphere 5 upgrades there is no option to roll back like there was with vSphere 4 upgrades. This means that a failed upgrade would require you to install ESXi 4.x and restore the configuration.

To backup an ESXi host you will need the vCLI installed on a server or you can also use the vMA.

# vicfg-cfgbackup --server ESXi_host_ip --username username --password password -s backup_filename

How to restore your ESXi configuration

Another really nice thing about ESXi is that it's just as easy to restore your backed up configuration as it was to grab the backup. Simply install a clean version of ESXi matching the version that the backup was taken from. Connect to the host using vCLI or your vMA appliance and issue the restore command shown below.

# vicfg-cfgbackup --server ESXi_host_ip --username username --password password -l backup_filename

How to back up your ESX configuration

Unfortunately there is not one command to back up an ESX host's configuration.

To accomplish this you will need to back up the following items in a manual fashion.

  • Back up the local VMFS file system – templates, VMs and .iso files
  • Back up any custom scripts
  • Back up your .vmx files
  • Back up the /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow files. The /etc/shadow and /etc/gshadow files might not be present on all installations.

How to restore your ESX configuration

If you need to roll back from a failed upgrade or recover from a disaster and need to restore your host, follow this short process. First you will need to install ESX 4.x at the version level that you were running at the time you backed up your files.

Once you have ESX 4.x installed and running at its previous level you can restore the files you backed up earlier. This can be done many ways, but a couple of simple ways would be to use WinSCP or Veeam FastSCP; both are free and easy to use.


vSphere ESXi 5 upgrade or install how to steps

This is something that I wrote last year during the vSphere 5.0 beta and I had intended on using it with another project. After holding it for a long time I finally decided to publish it here. There will be some other related content coming soon.

With the release of vSphere 5, VMware has entered the era of ESXi only hypervisors. This has been promised by VMware for the last couple of years, so it should be of no surprise to anyone. The ESXi platform has undergone a big coming-of-age journey since its first release. With each new version and update the ESXi platform has narrowed the feature gap that had previously existed with its brother ESX classic.

With this release VMware’s type 1 hypervisor has entered its fifth generation and in this book we are going to assume that you have a base level of experience. We will not be holding your hand showing each step of a base installation. We will be talking about topics that concern admins on important projects, daily tasks and showing you how to accomplish some of the new features in vSphere 5.

Upgrade considerations and dependencies

With any VMware related upgrade there are numerous items that should be considered when planning to move to the next release, whether you're going to be upgrading using existing hardware or purchasing new servers. You need to spend the time to examine the parts of your servers and validate that they are supported by the release of vSphere that you plan on using. This can be done by using the VMware HCG or Hardware Compatibility Guide, also commonly referred to as the HCL.

The release of vSphere 5 offers most of the same paths for upgrading, but also offers some not possible in the past. To make this easy to digest we have created Figure 1.0 that covers the upgrade paths and if they are possible with ESXi 5. Each of these methods will be expanded upon within the sections of this chapter.


Walk through of new vSphere 5 web client interface


In this post I will cover the new Web Interface that is available in vCenter 5, which was announced this past Tuesday. This is something that should be welcomed by non-Windows users. With a growing number of admins using Apple computers these days, they have long been waiting for a way to manage their vSphere environment without also having a Windows VM running. The vCenter Web Interface is a Flex based console that is not fully featured yet but does offer many of the things you would need on a daily basis.

You definitely will not be using it to setup hosts and networks and that type of setup & configuration work. But you can create VMs and other daily functions as well as look at performance charts.

To get started, point your browser to your vCenter server using a link similar to the one below. If you point straight to the vCenter without the port and trailing string you will get a page similar to what you're used to seeing in the past. It will allow you to download the regular vSphere Client and will also have a link to the web client.

Below you can see the login screen for the Web Client, nothing earth shattering from this view. The only thing to point out is that at the bottom of the screen there is a download link for the Client Integration Plug-in. This is necessary to view the console of a VM through the web client, so download and install it to get all of the functions opened up to you.

Manage a Virtual Machine with Web Client

The image below shows the summary view of a virtual machine. It's got pretty much all of the same details we're used to seeing in the thick client. You get power status and details about VM hardware and storage. From this view you can control the power of the VM and edit its settings like in the past. At the end of this section I have included images of all the options located in the menu for a VM.

From the next image we can see that the Monitor section includes sections for Tasks, Events, Performance and Alarms. These are all things you should be used to seeing and they are easily accessible in the Web Client as well. I was pretty impressed with the performance chart options that are available, with this being the first attempt by VMware. They have had practice using the Flex client model for View Manager and vCloud Director now.

The last section of the VM menu is resource management. You can have a look at the familiar looking CPU and Memory bar charts that we use in the regular client.

The group of images below show the menu options that are available to you when managing a virtual machine. You have the normal power options. Under configuration you can edit settings and upgrade Tools and virtual hardware. The Inventory menu allows you to Migrate or Clone. And the Snapshot menu gives you the normal options you would expect.

Migrate a Virtual Machine with Web Client

This is a really nice feature to have available in the web client. This is something that in the past you would have had to fire up the full vSphere client to do. All the normal options seem to be available for this process.

Edit VM properties in Web Client

This section is pretty straightforward and you can see from the two images below that all of the normal options are available to you in the Web Client. You can edit and add virtual hardware to your VMs.

This second image shows the normal VM Options that you can edit also.

Creating a Virtual Machine with Web Client

I'm not sure how much I will use this to start, but it's pretty awesome that this feature is there at the beginning. You can create a VM from the Web Client, using all the same choices that you would normally.

A simple screen that allows you to name your virtual machine and select the folder location in the datacenter.

The next image shows you the ability to select the resources that it will run on. For example you can choose a host or cluster to place the VM on to start.

The next screen shows you available storage options. The Web Client provides you with plenty of detail to make educated decisions.

This section allows you to choose from available Virtual Machine hardware versions. It also explains the options for both so people can make educated decisions.

Next up in the process is to choose the guest operating system.

The last screen before the review allows you to adjust any of the virtual hardware that you want in your VM. There are plenty of options here and at first look I don’t see anything missing from the regular client.

ESXi 5 Host management from Web Client

From the image below you can see the summary screen that shows information about an ESXi host. All the normal details appear to be here and are presented in an easy to consume manner. From the right side of the screen you can see recent tasks and running tasks to keep an eye on what is happening in your environment.

The image below shows the monitoring screen so that you can view Tasks, Events, Alarms and Performance data on the vSphere host. This is also really nice to have in the Web Client so that you can see what is going on.

Cluster views from vSphere Web Client

The next image is the Cluster Summary view from the Web Client. These are not much different from the host views; they just present you with higher level details.

This image shows you cluster services, so you can view DRS information within the cluster. You can see History, Faults and Recommendations from this area.

The last screen that I have shown here gives you Resource management details for the cluster. You can view what's happening cluster wide on CPU, Memory, Storage and utilization details.


Facts about VMware vSphere 5 License changes

In case you were sleeping today, VMware announced vSphere 5 and all of its 150 plus glorious new features. I've been lucky enough to be using it for some time in the Beta program and it's really a big step forward. There are tons of new features that people have been waiting for.

But with all of the new stuff, it seems a licensing change has kind of put a cloud over the shiny new features. Along with the new version VMware has changed the licensing model that vSphere 5 will use, moving towards a vRAM pooled model that I will attempt to explain further. For some organizations this will be great and for others it will add additional cost.

There has been a lot of banter on Twitter today about the license changes, and in the VMware forums. I am holding back making a decision until I can digest this further. But from what it looks like, building a scaled-up design model would be more expensive with the new licensing model.

Here are some highlights from the vSphere 5 license white paper that VMware released. You can download the full paper here.

vSphere 5.0 will be licensed on a per-processor basis with a vRAM entitlement. Each vSphere 5.0 CPU license will entitle the purchaser to a specific amount of vRAM, or memory configured to virtual machines. The vRAM entitlement can be pooled across a vSphere environment to enable a true cloud or utility based IT consumption model. Just like VMware technology offers customers an evolutionary path from the traditional datacenter to cloud infrastructure, the vSphere 5.0 licensing model allows customers to evolve to a cloud-like “pay for consumption” model without disrupting established purchasing, deployment and license management practices and processes.

You will still be buying your licenses based on sockets but there is now the vRAM amount to factor in.

Licensing Unit: Per Processor (CPU)
vSphere 5.0 is still licensed on a per-processor basis, allowing customers to continue leveraging established purchasing, deployment and license-management processes.

So what is a vRAM Entitlement
We have introduced vRAM, a transferable, virtualization-based entitlement to offer customers the greatest flexibility for vSphere configuration and usage. vRAM is defined as the virtual memory configured to virtual machines. When a virtual machine is created, it is configured with a certain amount of virtual memory (vRAM) available to the virtual machine. Depending on the edition, each vSphere 5.0-CPU license provides a certain vRAM capacity entitlement. When the virtual machine is powered on, the vRAM configured for that virtual machine counts against the total vRAM entitled to the user. There are no restrictions on how vRAM capacity can be distributed among virtual machines: a customer can configure many small virtual machines or one large virtual machine. The entitled vRAM is a fungible resource configured to meet customer workload requirements.

What is Pooled vRAM Capacity in vSphere 5?
An important feature of the new licensing model is the concept of pooling the vRAM capacity entitlements for all processor licenses (see Figure 1). The vRAM entitlements of vSphere CPU licenses are pooled—that is, aggregated—across all CPU licenses managed by a VMware vCenter instance (or multiple linked VMware vCenter instances) to form a total available vRAM capacity (pooled vRAM capacity). If workloads on one server are not using their full vRAM entitlement, the excess capacity can be used by other virtual machines within the VMware vCenter instance. At any given point in time, the vRAM capacity consumed by all powered-on virtual machines within a pool must be equal or lower than the pooled vRAM capacity.

How would I monitor the Pooled vRAM Capacity
Available and consumed vRAM capacity can be monitored and managed using the licensing-management module of VMware vCenter Server. Customers can create reports and set up alerts to obtain automated notification of when the level of vRAM consumption surpasses a specified level of the available pooled capacity.

So if I run out of Pool vRAM how would I increase the Pooled vRAM Capacity
If necessary, the easiest way to expand pooled vRAM capacity is to add more vSphere CPU licenses of the same edition to the vRAM pool. Alternatively, customers can upgrade all CPU licenses in the vRAM pool to a vSphere edition with a higher base vRAM entitlement.

Some Licensing Examples

vSphere 5 License pricing
