Posted by Brian on Sep 8, 2010 in Tools, Troubleshooting, VMware, vSphere
This is something that we get on a regular basis from the security team. When they do their regular security scans for compliance and vulnerabilities, I always get a long list of ESX hosts. The scans normally come back and complain about an OpenSSH X11 vulnerability or an OpenSSH memory and buffer overflow.
These seem to be false positives from the tool being used to scan the hosts. We always make sure that we have installed the necessary updates related to OpenSSH as VMware releases them, but the tool always comes back with these issues. It seems to stem from the fact that the tool looks at OpenSSH in generic terms and assumes that all vendors implement it in the same way. In the documents linked below, VMware indicates that since ESX 3.x it no longer includes the X11 packages with its products. I would recommend that you make sure you are up to date on your patches, and if the scans still come back dirty, discuss these results with the application vendor that created the scanning tool. You might find out that this is common and they are just false positives.
Links:
VMware ESX Server and Security Issues in OpenSSH
Security Response: SSH Version Installed with ESX Server May Be Vulnerable
Posted by Brian on Aug 31, 2010 in Cloud, VMware, VMworld, vCloud, vShield, vSphere
Today at VMworld 2010 VMware announced the new family of vShield products. The new products in this family are vShield Endpoint, vShield App and vShield Edge. Each product has been designed for a few core functions that help to facilitate and secure the IT as a Service model that VMware is promoting with its new vCloud Director solution. These security related products are going to secure the environment, make management easier and help move down the path to a cloud infrastructure.
I will try to provide some more details about each product below, gathering any details that are available as of today. In the image below are some of the concerns that VMware is addressing based on what enterprises have been telling them.

vShield Endpoint – vShield Endpoint provides on-host antivirus and malware protection that reduces performance latency and eliminates the need to maintain individual security agents in each and every virtual machine, helping to simplify security administration while minimizing the risk of malware infections. Datasheet
vShield App – VMware vShield App protects applications in the virtual datacenter from network-based threats. vShield App gives organizations the ability to create and manage business-relevant policies that adapt to dynamic cloud environments. It also provides deep visibility into network communications between virtual machines and granular enforcement through security groups. Datasheet
vShield Edge – vShield Edge is a network gateway solution that protects the edges of the virtual datacenter with DHCP, network address translation (NAT), firewalling, load balancing, site-to-site VPN, port group isolation and other capabilities that help organizations maintain proper segmentation between different organizational units. Datasheet
vShield Manager – Included with all vShield products, vShield Manager provides a central point of control for managing, deploying, reporting, logging and integrating third-party security services. Working in conjunction with vCenter Server, vShield Manager also enables role-based access control and administrative delegation as part of a unified framework for managing virtualization security.
vShield Zones – VMware vShield Zones, included with vSphere, provides basic protection from network-based threats in virtual datacenters, with application firewalling and policy management based on administrator-defined zones, using basic traffic information such as the source IP address, the destination port, and so on.
Here is a quote from a VMware product release.
Enterprise Partner Extranets – vShield lets enterprises extend their networks and application resources to branch offices, home offices and business partner sites through site-to-site VPN services that offer simplified provisioning, streamline administrative tasks and improve scalability. All traffic between sites is encrypted using IPsec to maintain the confidentiality and integrity of all site-to-site communications.
vShield Product Family Brochure
Posted by Brian on Aug 3, 2010 in VMware, vCenter Server, vSphere
I will start this post off with the standard snapshot warning. Just a reminder that snapshots are not backups; they are only a change log of the original virtual disk. You should not count on them as a backup. There are a number of different reasons that you might use a snapshot. One of my most common uses is a software upgrade: I take a snapshot to allow an easy rollback to the machine state prior to the upgrade. If you have some other reasons, leave a comment to share with others.
- The maximum supported amount in a chain is 32. However, VMware recommends that you use only 2-3 snapshots in a chain.
- Use no single snapshot for more than 24-72 hours.
  - This prevents snapshots from growing so large as to cause issues when deleting/committing them to the original virtual machine disks. Take the snapshot, make the changes to the virtual machine, and delete/commit the snapshot as soon as you have verified the proper working state of the virtual machine.
- Be especially diligent with snapshot use on high-transaction virtual machines such as email and database servers. These snapshots can very quickly grow in size, filling datastore space. Commit snapshots on these virtual machines as soon as you have verified the proper working state of the process you are testing.
- If using a third party product that takes advantage of snapshots (such as virtual machine backup software), regularly monitor systems configured for backups to ensure that no snapshots remain active for extensive periods of time.
  - Snapshots should only be present for the duration of the backup process.
  - Snapshots taken by third party software (called via API) may not show up in the vCenter Snapshot Manager. Routinely check for snapshots via the command-line.
- An excessive number of snapshots in a chain or snapshots large in size may cause decreased virtual machine and host performance.
You can find some more details from VMware on troubleshooting snapshots here.
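The guidelines above (chain depth, snapshot age, backup snapshots that linger) can be turned into a routine check. The following is an added example, not code from the post or from VMware: it audits a constructed snapshot inventory against those thresholds; the inventory layout, the "backup-" naming convention and the 8 hour backup window are assumptions, and in practice the inventory would come from the command-line listing the post recommends checking.

```python
from datetime import datetime, timedelta

# Thresholds from the guidelines in the post above.
MAX_CHAIN_DEPTH = 3            # VMware recommends only 2-3 snapshots in a chain
MAX_AGE = timedelta(hours=72)  # upper bound of the 24-72 hour guideline
# Assumed convention: backup software names its snapshots with this prefix, and
# such a snapshot should be gone shortly after the backup window closes.
BACKUP_PREFIX = "backup-"
BACKUP_MAX_AGE = timedelta(hours=8)

# Constructed inventory: (vm, snapshot, parent snapshot or None, created).
INVENTORY = [
    ("mail01", "pre-upgrade", None, datetime(2010, 7, 30, 9, 0)),
    ("mail01", "hotfix-test", "pre-upgrade", datetime(2010, 8, 1, 14, 0)),
    ("db01", "backup-20100803", None, datetime(2010, 8, 3, 2, 0)),
    ("web01", "s1", None, datetime(2010, 8, 3, 10, 0)),
    ("web01", "s2", "s1", datetime(2010, 8, 3, 11, 0)),
    ("web01", "s3", "s2", datetime(2010, 8, 3, 12, 0)),
    ("web01", "s4", "s3", datetime(2010, 8, 3, 13, 0)),
]
NOW = datetime(2010, 8, 3, 15, 0)  # fixed "current time" for the constructed data

def chain_depth(vm, name, inventory):
    """Number of snapshots from the named one back to the base disk, inclusive."""
    parents = {(v, n): p for v, n, p, _ in inventory}
    depth = 0
    while name is not None:
        depth += 1
        name = parents[(vm, name)]
    return depth

def audit_snapshots(inventory, now):
    """Return (vm, snapshot, reason) tuples for every guideline violation."""
    findings = []
    for vm, name, _, created in inventory:
        age = now - created
        hours = age.total_seconds() / 3600
        if age > MAX_AGE:
            findings.append((vm, name, f"{hours:.0f}h old, exceeds {MAX_AGE}"))
        elif name.startswith(BACKUP_PREFIX) and age > BACKUP_MAX_AGE:
            findings.append((vm, name, f"backup snapshot still present after {hours:.0f}h"))
        depth = chain_depth(vm, name, inventory)
        if depth > MAX_CHAIN_DEPTH:
            findings.append((vm, name, f"chain depth {depth} exceeds {MAX_CHAIN_DEPTH}"))
    return findings

if __name__ == "__main__":
    for vm, snap, reason in audit_snapshots(INVENTORY, NOW):
        print(f"{vm}/{snap}: {reason}")
```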
Posted by Brian on Jul 29, 2010 in VMware, vSphere
Sure, this is nothing earth shattering, but it's just something simple that can make your life easier. With a web browser and the links that I will provide below you can view some of the vSphere configuration files and messages from logs. This is probably the fastest way to get a view into your host without having to SSH into the server or use another method. This method works for both vSphere 4.0 and 4.1 hosts, and it works on both ESX and ESXi hosts.
You can view the VMware vSphere configuration files from a browser using a link formatted like the following: https://hostname/host. From that link you will need to authenticate to your host, and then you will be able to view a list of files from the host. The list of files presented will include configuration files and some logs.

There is another page viewable with a web browser that will show you log messages from your ESX or ESXi host. Use the following syntax for the link. https://hostname/host/messages
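The same https://hostname/host/messages page can be pulled by a script rather than a browser and filtered for the entries you care about. This is an added example, not code from the post or from VMware: it assumes the host prompts for HTTP basic authentication as a browser does, takes the host's certificate file so the TLS connection is verified rather than blindly trusted, and parses a constructed syslog-style sample in place of a live download.

```python
import re
import ssl
import urllib.request
from base64 import b64encode

def host_file_url(hostname, name="messages"):
    """URL form the post describes: https://hostname/host and https://hostname/host/messages."""
    return f"https://{hostname}/host/{name}"

def fetch_host_file(hostname, username, password, name="messages", cafile=None):
    """Fetch one file from the host's /host listing.
    Assumption: the host prompts for HTTP basic authentication, as a browser does.
    cafile is the host's certificate (or the CA that issued it); with None the
    system trust store is used, so a self-signed host cert is rejected rather than
    silently trusted."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(host_file_url(hostname, name))
    token = b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample in the syslog layout of /var/log/messages (not real host output).
SAMPLE_MESSAGES = """\
Jul 29 08:12:01 esx01 vmkernel: 0:00:01:02.345 cpu0:4096)Init: vmkernel loaded
Jul 29 08:15:44 esx01 sshd[2201]: Accepted password for root from 192.0.2.10 port 51022 ssh2
Jul 29 08:16:03 esx01 hostd: Task Created : haTask-vim.VirtualMachine.createSnapshot-12
Jul 29 08:20:17 esx01 sshd[2240]: Failed password for root from 192.0.2.77 port 40122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)

def grep_messages(text, pattern):
    """Parse syslog-style lines and return (timestamp, process, message) for
    those whose process or message matches the regular expression."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and re.search(pattern, m["proc"] + ": " + m["msg"]):
            hits.append((m["ts"], m["proc"], m["msg"]))
    return hits

if __name__ == "__main__":
    # Live use: text = fetch_host_file("esx01.example.com", "root", "***", cafile="esx01.pem")
    for ts, proc, msg in grep_messages(SAMPLE_MESSAGES, r"sshd.*Failed password"):
        print(ts, proc, msg)
```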

Posted by Brian on Jul 28, 2010 in VMUG
I would like to say a Big Thanks to everyone that attended today and a special thanks to our sponsor Compellent. Compellent gave a nice presentation about their technology and what they have accomplished in their 5 years since they released the first product. I will give a short break down of the different presentations today and if we are able to get the slide decks from the presenters we will publish them over on the Chicago VMUG blog.
In our first presentation of the day Chris Fox of VMware was in and gave an overview of the new features of vSphere 4.1. SIOC (Storage IO Control), NIOC (Network IO Control) and VAAI (the APIs for array integration) were some of the most talked about features. It was also discussed that VMware ESX 4.1 classic will be the last release of the ESX flavor of hypervisor. Sometime in 2011 the next major release of vSphere is expected, and it will only be available in the ESXi flavor.
In the second session of the day Russ Taddiken of Compellent talked to us about their storage virtualization technology. Russ gave a presentation that explained many of the features that make Compellent a strong competitor in the storage market. He spoke about Storage Auto Tiering, which has been a feature in their product for about 5 years. Some of the other points that stood out to me were CoPilot, their support organization, and the Portable Volume feature. Portable Volume allows the initial data replication to be placed on an encrypted USB disk that can be shipped to a remote site that might have a slow link. You will then only have to replicate the changes rather than the entire amount. Russ also mentioned that Compellent will be in the 2nd round of vendors that will be supporting the VMware VAAI API for storage functions.
In the last session of the day Mark from VMware spent time talking about migrating your ESX infrastructure to ESXi. He covered the different ways to convert your hosts over to VMware ESXi. There was discussion around some of the reasons for VMware's decision to move in the ESXi direction. An estimated 80% of patches that VMware released for the ESX classic version were related to the console (COS) due to the Linux base that it was built on. With ESXi the COS was removed and the amount of patching required is greatly reduced. VMware is also working in the direction of building the ability to have a stateless hypervisor. Mark spent some time showing some of the commands that are the vCLI versions of the console commands that many are used to using.
We had a pretty nice showing for this meeting and hope that our community continues to grow. We had a couple of higher profile members from the VMware community show up to the meeting. David Davis from Train Signal was in attendance at the meeting. David has created a large number of training videos for Train Signal as well as for his blog VMwareVideos.com. Thanks again to David and the Train Signal team for providing several copies of their VMware vSphere training videos that we were able to give away to our members. Also in attendance today was Justin Lauer of EMC, a vSpecialist from Chad Sakac's vArmy team. I've known Justin for a bit now and it's always great to chat with him; his involvement in our VMUG community will help many.
Update: We have posted a few of the slide decks from the presentations today here.
Took a couple of quick photos with an iPhone today as I forgot my camera but will do a better job in the future.

