Gabriel Maciel's Blog

17 Posts tagged with the security tag
"The Veeam Monitor Free Edition is an easy-to-use VMware monitoring solution designed to meet the day-to-day needs of VMware administrators who need real-time performance monitoring and alerting. Built from the ground up specifically for the virtual world, Veeam Monitor provides a bird’s-eye view of key performance metrics across your virtual ESXi infrastructure.

With Veeam Monitor, you can view real-time resource usage data for any virtual infrastructure object or collection of objects, as well as known infrastructure events, all on a single screen. This allows you to finally see your virtual infrastructure as a unified entity, not just a collection of isolated hosts and guests."

You can download your free copy here.

Posted by Gabriel Maciel


VM Monitor

Get X-Ray Insight into Your ESX Servers:

• Quickly check the health of your VMware ESX Server

• View detailed virtual machine health statistics

• Get visual alerts when performance degradation occurs

FREE Real-time NetFlow Analyzer

This free desktop tool captures and analyzes NetFlow data so that you can:

• Quickly answer "why's the network so slow?"

• Identify network top talkers

• Analyze traffic spikes and bandwidth consumption

Exchange Monitor

Continuously monitor Microsoft® Exchange health, including:

• Exchange services

• Mail queues

• Host server health

Award Winning TFTP Server

The most robust, widely trusted and easy-to-use TFTP server which enables you to:

• Concurrently upload and download images from multiple devices

• Upload and download configurations to devices

• Transfer files larger than 32MB

Advanced Subnet Calculator

Compute addresses for IP subnets with ease and perform other tasks with:

• Forward and reverse DNS resolution

• CIDR calculator

• Ability to generate a list of addresses for any subnet

Posted by Gabriel Maciel


This problem applies to all ESX 3.5 U2 hosts but should not affect your running VMs. Suggested workarounds:


For the Virtual Machines:

  • Set DRS to manual

  • Do not VMotion

  • Do not power off or suspend your VMs

  • If you have important VMs you need to turn on again:

    a. Create a quarantine host

    b. Set time on this host back

    c. Cold migrate the VM to the quarantine host

    d. Verify that your VM does not synchronize its time with that ESX host: Power the VM on, log into it and set the time manually

  • You could also temporarily disconnect the VM you are about to power on from the Virtual Switch; this way you are certain that the VM will not be able to communicate with a DC while it is out of time sync

Note: Please take into account that if you change the time on the affected ESX host and VMware Tools is configured to synchronize the guest with it, you may adversely affect your running services.


For the ESX Host:

  • Log in as root on the target host

  • Issue the following commands:

    a. service ntpd stop

    b. date -s 08/01/2008

Note: This can also be done using the VI Client (Configuration, Software, Time Configuration, Properties).


Further reading and sources for this article:


Posted by Gabriel Maciel


Kim Blomgren from Tripwire kindly sent me an e-mail with information about the updated version of Tripwire ConfigCheck. Last month I wrote a post about this free tool / utility and now it is very nice to see how in such a short period of time Tripwire has improved it again. Here is the new information:


Tripwire, a leader in configuration assessment and change auditing for virtual environments, today announced the availability of Tripwire ConfigCheck™ for VMware ESX 3.0.  Tripwire ConfigCheck is a free utility that quickly assesses configuration settings for VMware ESX 3.0 and 3.5 hypervisors, determines potential configuration risks, and provides prescriptive remediation advice so that administrators can ensure greater security.


Tripwire ConfigCheck provides an immediate assessment of the configurations of a VMware ESX hypervisor, comparing them against VMware hardening security guidelines, which are best practice recommendations for optimal security in virtual environments, and provides remediation instructions if any are needed. With Tripwire ConfigCheck, customers gain immediate visibility into risks that might exist in their virtual environment due to misconfiguration and are advised of recommended fixes to any configuration settings that could present future risk.


With tens of thousands of visitors and downloads in the past month, Tripwire has been lauded for offering a free solution to a growing industry concern. “The massive popularity of Tripwire ConfigCheck speaks loudly to the market need for solutions that address the knowledge and skills gap in managing virtual infrastructure.  With this latest release, we leverage the best practices of VMware’s hardening security guidelines for 3.5 and 3.0.x environments increasing the overall value of the utility,” said Mark Gaydos, Tripwire VP of Marketing. 


In addition to offering immediate insight into unintentional vulnerabilities in virtual environments, Tripwire also provides a remediation guide containing the necessary steps to return both VMware ESX 3.0 and 3.5 hosts to a known, secure state.  Tripwire ConfigCheck and the Tripwire Remediation Guide are available for free and can be downloaded at www.tripwire.com/configcheck


Find more about ConfigCheck here.


Also, this is the link to the VMware Communities roundtable podcast where ConfigCheck was discussed.


Posted by Gabriel Maciel


This is an interesting post Leo Raikhman wrote about the ESX / VC installation best practices:

I get asked this all the time: what is best practice installation procedure?

I don’t know that there is such a thing - every environment is slightly different but here’s my general outline for ESX 3.5 + VirtualCenter 2.5 attached to Fibre SANs.

Installing VirtualCenter 2.5:

  • Install SQL 2005 + SQL Native Client
  • Patch SQL 2005 to SP2 + associated updates
  • Enable SQL clustering if relevant.
  • Create SQL DB with SQL-authenticated user as db_owner for the msdb and newly created databases (for VMware VirtualCenter and VMware Update Manager)
  • Create an ODBC connection with above information on targeted VC server
  • Install VirtualCenter
  • Add VirtualCenter server IP to Exchange Relay Access rulesets
  • Configure VirtualCenter SMTP settings, alarm definitions and Message of the Day
  • Copy/install sysprep/deployment tools files
  • Create required customizations
  • Create a datacenter object
  • Create a cluster object
  • Configure HA + advanced HA with VM HA monitoring
  • Configure DRS + separation rules
  • Install Update Manager - sync ESX host updates with VMware downstream servers
  • Configure VirtualCenter certificates as per this article from the excellent VM/ETC

Read the full post here.

Posted by Gabriel Maciel


"As virtualization of network DMZs becomes more common, demand is increasing for information to help network security professionals understand and mitigate the risks associated with this practice. This paper provides detailed descriptions of three different virtualized DMZ configurations and identifies best practice approaches that enable secure deployment."

Read the full article here: DMZ Virtualization with VMware Infrastructure.

Posted by Gabriel Maciel


Here you have the best links and articles for the past week:

  1. ESX Server Security Technical Implementation Guide via US Department of Defense
  2. Why Virtualization Amplifies The Disconnect Between Security and IT Operations, And What You Can Do About It via Virtualization Security
  3. Upgrading your Active Directory to Windows Server 2008 via Sander Berkouwer's Blog
  4. Well, that's interesting news - now what? via Virtual Geek
  5. Optimize My IT via VMware
Enjoy!

Posted by Gabriel Maciel


And the winners for this week are:

  1. Top 5 things to know about Hyper-V via Windows Virtualization Team Blog
  2. Deploying Windows Server 2008 with slipstreamed Hyper-V RTM (Part 2) via John Howard's Blog
  3. If A Virtualization Misconfiguration Or Security Vulnerability Exists Within An “ESX Appliance,” Does It Really Exist? via Virtualization Security
  4. Virtualising (Domain Controller) Servers via Mark Empson's Blog
  5. Virtualization's Impact on IT Operations - Part Two via Virtual Strategy Magazine
Enjoy!

Posted by Gabriel Maciel


Back in February I wrote a post about the VMware Tools and Utilities I use to administer our VMware environment. Now, via vmware-land.com we get the following list:

  1. Putty - Telnet and SSH client for remotely connecting to the ESX service console
  2. WinSCP and Veeam FastSCP - SCP clients for browsing ESX server file systems and transferring files to/from ESX hosts
  3. VI3 SnapHunter and SnapAlert - Utilities that can report all running snapshots on ESX hosts including name, size and date. Can also automatically email reports and optionally commit snapshots
  4. VI Scripted Backup Utility - A backup utility that is run from the Service Console that provides VMDK level backups of any VM on storage accessible by the host
  5. MCS StorageView - A utility that displays all the logical partitions, operating system, capacity, free space and percent free of all virtual machines on ESX 3.x or Virtual Center 2.x
  6. SSH Plug-in - A VI client plug-in that integrates an SSH console directly into the client
  7. Storage VMotion Plug-in - A VI client plug-in that extends the client’s functionality by providing an integrated, graphical tool that can be used to invoke storage VMotion (SVMotion) operations
  8. VMotion Info - A program that will collect Vendor, Model, CPU Types and the CPU feature bits from all hosts to check for VMotion compatibility
  9. VMCdConnected - Scans all Virtual Machines and shows if they have a CD connected to it. After scanning the VM’s you can disconnect all the CD’s with a click of a button
  10. VMware Converter - Performs hot and cold conversions of physical and virtual servers to virtual machines. Also converts image formats

Enjoy!

Posted by Gabriel Maciel


Virtualization + Security were the news headlines this past week. More specifically, Tripwire announced ConfigCheck as a free utility capable of providing recommendations for hardening your VMware environment. Here is the official announcement:

Tripwire ConfigCheck™ is a free utility that rapidly assesses the security of VMware ESX 3.5 hypervisor configurations compared to the VMware Infrastructure 3 Security Hardening guidelines. Developed by Tripwire in cooperation with VMware, Tripwire ConfigCheck ensures ESX environments are properly configured—offering immediate insight into unintentional vulnerabilities in virtual environments—and provides the necessary steps towards full remediation when they are not.

  1. Ensure recommended ESX configurations
  2. Discover possible vulnerabilities
  3. Deploy virtualization safely and securely
  4. Increase security posture of the entire enterprise
  5. Easily implement security and compliance best practices
  6. Reduce configuration drift
You can download ConfigCheck for VMware here

Posted by Gabriel Maciel


There is a new web interface for the Patch and Update Releases for VMware that simplifies the selection and download of the patches. So far, it applies to the following products: ESX Server 2.0.2 to 3.5, ESX Server 3i and Virtual Center.

This is the link to the new page!

Posted by Gabriel Maciel


I have been using mRemote for two months now and I mainly like it because:

1) It supports rdp, vnc, ssh, telnet, rlogin, raw, http/s and ica, so you can check your web sites, connect to the ESX Server / Unix farm and manage your Microsoft Infrastructure through RDP using only one window

http://bp3.blogger.com/_aQ4lu_8WP_o/R9hDXNQ526I/AAAAAAAAAXo/ZzV5ahq1ZuE/s200/mRemote.2.JPG

http://bp2.blogger.com/_aQ4lu_8WP_o/R9hEJ9Q527I/AAAAAAAAAXw/yleA2b1k9ys/s200/mRemote.5.JPG

2) It will recognize your Putty sessions

3) mRemote can call external applications and tell them what to do with the use of parameters and variables of the currently selected connection

Give it a try and hopefully you will like it too!

Download mRemote at Sourceforge (1)

(1) Be sure to have the .Net Framework installed in advance

Posted by Gabriel Maciel


Here you have some of the links I came across recently and wanted to share in the Blog:

Veeam Backup
A groundbreaking disaster recovery solution for VMware Infrastructure 3 that combines backup and replication in one product.

Virtual Center 2.5 Passthrough Authentication via www.vinternals.com
"At last! VMware have finally added passthrough auth support in VC 2.5, although it is currently classed as experimental. This is something I have been waiting / asking about for quite some time. And even better, it's on by default! To use it, simply add -passthroughAuth -s vchostname to the end of the shortcut used to launch the VI 2.5 client."

Add multiple SCSI controllers to your VM to improve performance via www.yellow-bricks.com
"A couple of months ago at the Dutch VMug meeting Bouke-Jumé gave some good storage tips. This is one of them:
The LSI Bus Logic Controller / Driver has a standard queue depth of 256. Although it isn't possible to set this higher it is possible to add a second controller and when you make sure the SCSI ID of your disk corresponds to the SCSI card you will have another queue of 256. This can lead to improved performance for Database Servers, File Servers and other I/O intensive VM's."

Dominic Rivera's Esx-AutoPatch.pl now supports ESX 3.5.0
"I've had a number of visitors write in to inquire about esx-autopatch.pl, and when I would update the script to support ESX 3.5.0. To be honest I didn't really plan to update the script since VMware's Update Manager seems to be doing an adequate job of filling that need. But if you need to get the patches installed at build time, or don't have Virtual Center at your disposal I still believe esx-autopatch.pl is the best answer out there."

Posted By Gabriel Maciel


VMware is now offering email patch notifications for all of its products. It seems that the service has been running since last December but the VMTN Blog just mentioned this a couple of weeks ago.

"With this service, you will immediately be sent an email alert as soon as a patch or maintenance release becomes available on the VMware products you've purchased. How does this work? You can initiate this activity by selecting the Receive Patch/Maintenance Alerts link from our Support home page, providing your email address, and then, after verifying that we've got the right contact, you can select the product/s you would like notification on by selecting "Confirm Subscription" from within the email confirmation we will send you."

Posted By Gabriel Maciel


Here are some best practices published by the VMware Security Blog for keeping your VMotion traffic secure:

"1. The most important VMotion best practice is to isolate your VMotion activity from all production network traffic. The current design of VMotion assumes that the VMotion network is secure within a data center, certainly within a rack or set of adjacent racks. In a typical situation, servers in one or more co-located racks would each have one or two network cards dedicated for VMotion; these would be connected to a switch or VLAN that has no other endpoints connected.
Isolating VMotion takes away that most common of staging points for man-in-the-middle: some unpatched box anywhere on the production network that has already been taken over by malware. Indeed why any non-ESX box, compromised or not, would be on this network at all would be immediately in question. The researcher's assumption is that long-haul VMotion over wide area networks might become popular in the future. However, most companies today already use encrypted links for inter-datacenter traffic.

2. Tightly restrict access to VI administrative accounts and roles. With VMotion isolated, a virtual rogue presence is more plausible than a physical one, but even a compromised guest VM does not have a virtual NIC on the VMotion network, only on the production network. Therefore the rogue VM must be configured in VI to have a vNIC on the VMotion network.

3. Don't enable promiscuous mode on vswitches. Unlike a physical network card, someone who has taken over a guest VM cannot configure a vNIC to be promiscuous. Another VI admin setting, promiscuous mode (off by default) is configured on the virtual switch port separately from a VM. Also, to manipulate rather than snoop, the proof-of-concept technique requires traffic actually route through the rogue VM, which would not occur naturally on the vswitch."

More best practices for hardening your VMware Infrastructure environment can be found here.

More information about this article here.

Posted By Gabriel Maciel
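
The three VMotion practices quoted above can be checked mechanically once the network layout is exported. The following is an added example, not code from the post or from VMware: the inventory layout, the names in it and the rule that "same vSwitch plus same VLAN ID" means a shared segment are all assumptions made for illustration.

```python
# Added example: audit a constructed inventory against the three VMotion
# practices. The inventory layout is hypothetical, not a VMware export format.
INVENTORY = {  # constructed sample data
    "vswitches": {"vSwitch0": {"promiscuous": False},
                  "vSwitch1": {"promiscuous": False}},
    "portgroups": [
        # promiscuous=None means "inherit the vSwitch setting"
        {"name": "Production", "vswitch": "vSwitch0", "vlan": 10,
         "role": "vm", "promiscuous": None},
        {"name": "VMotion", "vswitch": "vSwitch1", "vlan": 20,
         "role": "vmotion", "promiscuous": None},
        {"name": "Test", "vswitch": "vSwitch1", "vlan": 20,
         "role": "vm", "promiscuous": True},
    ],
    "vms": [{"name": "web01", "nics": ["Production"]},
            {"name": "tools01", "nics": ["Production", "VMotion"]}],
}

def effective_promiscuous(pg, vswitches):
    """A port group setting overrides the vSwitch default when it is set."""
    if pg["promiscuous"] is not None:
        return pg["promiscuous"]
    return vswitches[pg["vswitch"]]["promiscuous"]

def audit(inv):
    """Return (finding, object name) tuples, one per violated practice."""
    findings = []
    pgs = inv["portgroups"]
    vmotion = [pg for pg in pgs if pg["role"] == "vmotion"]
    vmotion_names = {pg["name"] for pg in vmotion}
    # Practice 1: the VMotion segment must have no other endpoints on it.
    for vmo in vmotion:
        segment = (vmo["vswitch"], vmo["vlan"])
        for pg in pgs:
            if pg["role"] != "vmotion" and (pg["vswitch"], pg["vlan"]) == segment:
                findings.append(("shared-segment", pg["name"]))
    # Practice 2: a guest only reaches VMotion if an admin gave it a vNIC there.
    for vm in inv["vms"]:
        if vmotion_names.intersection(vm["nics"]):
            findings.append(("vm-on-vmotion", vm["name"]))
    # Practice 3: promiscuous mode should stay off, including inherited values.
    for pg in pgs:
        if effective_promiscuous(pg, inv["vswitches"]):
            findings.append(("promiscuous", pg["name"]))
    return findings

if __name__ == "__main__":
    for kind, name in audit(INVENTORY):
        print(f"{kind}: {name}")
```

A `vm-on-vmotion` finding is also a prompt to review which VI accounts and roles were able to make that change.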
