From the Editor's Virtual Desk

Security is something we all care about but may take for granted when it comes to our virtual infrastructure. While the security team may have secured the physical environment and the network perimeter, the lack of integration and visibility into the virtual environment often means that this part carries on as normal without any additional controls. Defence in depth is generally accepted as the right way to minimize the attack surface for internal or external breaches, and the virtual environment is an excellent place to apply it and add real depth to the security of your environment.

 

In keeping with our weekly trend of looking at a particular technology that can assist you with your virtual infrastructure, this week our featured product is the vShield family of technologies. Rather than replacing your existing solutions, vShield works alongside them and adds capabilities that make your virtual infrastructure more secure and easier to manage than your physical infrastructure.

 

In addition, from this week onwards we are also featuring a section on standardising on ESXi and how we can assist you with that process. ESXi is the future of the VMware hypervisor and provides many benefits over the traditional ESX hypervisor, including a much smaller footprint: a code base that requires fewer patches, which means less downtime and greater reliability.

 

I hope that you find this information useful; we try to provide as much of it as we can each week.

 

Take care until next time

 

Neil Isserow (Newsletter Editor), Paul James

Queensland TAM

 

Featured Product

VMware vShield

Secure your Cloud with Virtualization-aware Security

 

Strengthen your application and data security, improve visibility and control and accelerate IT compliance efforts across the entire organization with virtualization-aware protection for virtual datacenters and cloud environments from the VMware vShield family of security solutions.

Learn more about vShield Security:

VMware vShield App: Application protection against network-based threats

VMware vShield Edge: Network security for the perimeter

VMware vShield Endpoint: Offloaded and streamlined anti-virus

VMware vShield Zones: Basic protection from network-based threats

VMware vShield Manager: Complete security management

 

Secure the Cloud with VMware vShield

Achieve Better-than-Physical Security: Adaptive security travels with virtual machines as they migrate from host to host providing secure support for virtual machines in dynamic cloud environments. Applications run efficiently while maintaining trust and network segmentation of users and sensitive data.

Improve and Simplify Security Management in a Single Framework: A single comprehensive framework secures virtual datacenters and cloud environments at all levels—host, network, application, data and endpoint, in a management framework that integrates with VMware vCenter™ Server.

Reduce Complexity and Eliminate Bottlenecks: Reduce the complexity of endpoint, application and edge network security by consolidating your security infrastructure and eliminating the "sprawl" associated with software agents, security policies, dedicated security appliances and "air gapped" solutions with VMware vShield.

Improve Visibility and Accelerate Compliance: Leverage the unique introspection capabilities of VMware vShield and the VMware vSphere platform to identify hard-to-detect problems precisely and efficiently, and to support file integrity monitoring, rootkit protection and data leak prevention.

Leverage Existing Security Solutions: vShield works seamlessly with existing enterprise IT security measures through REST APIs. Get customized integration of vShield capabilities into third-party security solutions, including existing antivirus and anti-malware solutions.

 

 

ESXi Convergence

It is Time to migrate from ESX to ESXi
VMware vSphere 4.1 is the last release to support both the ESX and ESXi hypervisor architectures. Future vSphere releases will only support the ESXi architecture. VMware recommends that:

  1. New deployments of vSphere 4.x are done on ESXi
  2. Existing ESX deployments of vSphere 4.x or older are migrated to the ESXi

ESXi is VMware's next-generation bare-metal hypervisor that delivers industry-leading performance and scalability while setting a new bar for reliability, security and management efficiency.
Like its predecessor ESX, ESXi is a “bare-metal” hypervisor, meaning it installs directly on top of the physical server and partitions it into multiple virtual machines that can run simultaneously, sharing the physical resources of the underlying server. VMware introduced ESXi in 2007 to continue delivering the industry-leading performance and scalability of ESX while setting a new bar for reliability, security and hypervisor management efficiency. ESXi is available with any edition of VMware vSphere and supports all vSphere features and use cases. ESXi is VMware’s recommended deployment option for installations of vSphere 4.x.

VMware ESXi is the thinnest, most advanced hypervisor architecture. It is the only hypervisor purpose-built for virtualization that runs independently of a general-purpose operating system such as Linux or Windows.
With the ESXi hypervisor architecture VMware eliminated the Service Console, a management partition based on a Linux OS that is part of ESX and is used to perform local management tasks such as executing scripts or installing third-party agents. This means that the ESXi architecture is reduced to just the core virtualization kernel, the VMkernel, making its code base extremely compact (less than 100MB on disk, versus about 2GB for ESX). The ESXi hypervisor is installed or upgraded as an image, like a BIOS or firmware, giving administrators a thoroughly tested bundle that can be rolled back to a previous version if necessary. All the management functionality that required the Service Console on ESX can still be implemented on ESXi, in a more efficient way, through built-in services, APIs and remote management tools.

By migrating existing ESX deployments to ESXi, customers will drastically improve the reliability, security and efficiency of their virtual environments while continuing to take advantage of the full power of vSphere
Thanks to its ultra-thin architecture, with a code base of less than 100MB on disk, ESXi delivers the industry-leading performance and scalability of ESX with several additional benefits:

Improved Reliability and Security – with fewer lines of code and no dependence on a general-purpose OS, ESXi presents a much smaller attack surface, reducing exposure to bugs and security vulnerabilities and making the hypervisor layer easier to secure. A smaller footprint does not remove the need to patch and harden the host, it just makes both jobs smaller.

Streamlined Deployment and Configuration - ESXi has far fewer configuration items than ESX, greatly simplifying deployment and configuration and making it easier to maintain consistency.

Higher Management Efficiency - The API-based partner integration model of ESXi eliminates the need to install and manage third party management agents. You can automate routine tasks by leveraging remote command line scripting environments such as vCLI or PowerCLI.

Simplified Hypervisor Patching and Updating - Due to its smaller size and fewer components, ESXi requires far fewer patches than ESX, shortening service windows and reducing security vulnerabilities.

Complete set of management capabilities – With vSphere 4.1, VMware added significant enhancements to ESXi and the core tools used to manage it. Most notably: Active Directory integration, support for scripted and PXE installations, support for boot from SAN, Tech Support Mode for host troubleshooting and diagnostics, and many others. These features make ESXi an even more complete, robust and powerful foundation for virtual environments and cloud computing.

 

Latest news and reviews

VMware Support Insider: New Mind Map - Troubleshooting vSphere Network Issues

Today the Support Insider brings you another new Mind Map we expect to be popular: vSphere Troubleshooting Network Issues!

These new, Flash-embedded PDFs are clickable so that you can expand sections and drill down to the problem you may be experiencing. We're also trying to make them a little easier on the eyes. Let us know what you think of the new look.

If you recall, a Resolution Path is a collection of KB articles sequenced in a specific order to resolve a specific issue. Since many steps are repeated for different problems, we create separate articles for those steps and reuse them as needed.

Today’s Mind Map details our Resolution Paths for vSphere Network issues.

 

Business Critical Applications: Yes, Oracle is supported on VMware

Oracle is supported on VMware: apps and databases, both single instance and RAC. And plenty of customers have been virtualizing their Oracle workloads on VMware with confidence. In case you've heard confusing opinions, let's just review some facts.

From Oracle
Oracle’s support policy toward virtualization with VMware is accessible to subscribers of MyOracleSupport - Document ID #249212.1 which you can access here if you have a login. You can also read the actual Oracle support policy reproduced in Chad’s blog. In Nov 2010, Oracle added support for RAC on VMware which demonstrates Oracle’s continued commitment to provide customers with increasing flexibility and choice.


From VMware
In the past, some customers were concerned about a couple of apparent limitations in the Oracle support policy. Specifically:
1.    Oracle has not certified any of its products on VMware.
2.    Support is provided only when the problem "can be demonstrated to not be as a result of running on VMware", and Oracle reserves the right to require reproduction of the problem on a physical environment.
However, Oracle does not certify down to the infrastructure level (such as your Cisco switch or your Dell blade) so if you are running a certified OS on VMware, the situation is no different than running a certified OS on a blade server.  In the physical world, if Oracle support suspects that an issue is caused by your underlying hardware then you can be requested to reproduce on another host. And that is no different from the stance on virtualization with VMware.

While most customers understand these nuances, even those who had lingering concerns have been reassured by the new VMware policy for Oracle support. With this policy, VMware is providing an absolute commitment to support customers virtualizing Oracle on VMware vSphere. If required, VMware will take ownership of the support request and ensure rapid resolution, in collaboration with the Oracle support organization as needed. Since VMware's customers virtualize all types of Tier 1 applications, there is no question that providing a seamless support experience is an area of expertise for VMware.

 

The Console: VMware Welcomes Team Mozy

Today it is my pleasure to announce that VMware has hired the team and acquired assets behind EMC’s Mozy cloud-based data protection service.  VMware will operate the Mozy service on behalf of EMC without interruption.  However, the strategic relevance of today’s news is what this group brings to VMware.  Over the past 5 years, Mozy has built one of the best examples of a globally distributed, large-scale cloud offering. We believe that, by being directly engaged with the delivery of such a service, VMware will further ramp our own cloud-related learning and accelerate new IP, scale, and capabilities into the products that we provide to our customers and public cloud partners.

 

VMwareTV: VMware vCenter Operations -- Video Tutorial

Kit Colbert, lead engineer on vCenter Operations, gives an in-depth overview of the vCenter Operations Standard edition.

 

VMware Security Blog: vSphere 4.1 Security Hardening Guide released

VMware would like to announce the availability of the final release of the vSphere 4.1 Security Hardening Guide.  The Introduction section describes the scope, structure, recommendation levels, and other aspects of the guide in more detail.  Please read this section first before diving into the rest of the guide, as it provides important context.

Although this version of the guide can be considered as "final" and appropriate for use in production environments, we recognize that there is always room for improvement.  We will continue to welcome comments and corrections on this guide, and we will publish updated versions of the guide from time to time as feedback is accumulated.  This feedback of course will also be incorporated into the hardening guide for future releases of vSphere.

The vSphere 4.1 Security Hardening Guide has been posted to the VMware Communities in the "Security and Compliance” area, in the Documents tab.  Please provide feedback in the Comments area.

 

ESXi Chronicles: Is your environment secure?

My friends over at the VMware Security Blog posted an article yesterday that the Security Hardening Guide for vSphere 4.1 has been released. Coincidentally, Richard Garsthagen posted an article about all the ESX/ESXi hosts he found directly attached to the internet; I guess you could say that goes against every best practice out there. But that is not entirely the reason for this article. I wanted to point out an excellent script by William Lam that assesses your environment based on the recommendations made in the Security Hardening Guide and produces a nice report with a scoring card.
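Two passages in this issue come together here: the ESXi convergence section above notes that routine host administration moves from Service Console scripts to remote tools such as vCLI and PowerCLI, and this post points at a script that scores hosts against the vSphere 4.1 Security Hardening Guide. The following is an added example, not code from this page and not William Lam's script, that shows the shape of such a check in PowerCLI 4.1: it spot-checks a handful of guide items (lockdown mode, local and remote Tech Support Mode, remote syslog, NTP) on every ESXi host a vCenter Server manages and prints a simple score card. The vCenter name, the syslog host and the NTP servers are assumptions to be edited before running; the full guide covers far more than these five items.

```powershell
# Added example, not the page's code and not William Lam's script: a PowerCLI 4.1
# spot-check of a handful of vSphere 4.1 Security Hardening Guide items across
# every ESXi host managed by a vCenter Server, reported as a simple score card.
# The vCenter name, syslog host and NTP servers are assumptions; edit them first.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
Connect-VIServer -Server vcenter.provmware.local          # assumed vCenter name

$expectedSyslog = "syslog.provmware.local"                # assumed central log host
$expectedNtp    = @("ntp1.provmware.local", "ntp2.provmware.local")   # assumed

# ESXi only: ProductLineId is "esx" for classic ESX and "embeddedEsx" for ESXi
$esxiHosts = Get-VMHost |
             Where-Object { $_.ExtensionData.Config.Product.ProductLineId -eq "embeddedEsx" }

$report = foreach ($h in $esxiHosts) {
    $svc = Get-VMHostService -VMHost $h
    $tsm = $svc | Where-Object { $_.Key -eq "TSM" }       # local Tech Support Mode
    $ssh = $svc | Where-Object { $_.Key -eq "TSM-SSH" }   # remote TSM over SSH
    # ESXi 4.x advanced setting name for the remote syslog target
    $sys = Get-VMHostAdvancedConfiguration -VMHost $h -Name "Syslog.Remote.Hostname"
    $ntp = @(Get-VMHostNtpServer -VMHost $h)

    # One boolean per check; the guide itself carries the recommendation levels.
    $checks = @{
        "Lockdown mode enabled"       = [bool]$h.ExtensionData.Config.AdminDisabled
        "Local Tech Support Mode off" = -not $tsm.Running
        "Remote TSM (SSH) off"        = -not $ssh.Running
        "Remote syslog configured"    = ($sys["Syslog.Remote.Hostname"] -eq $expectedSyslog)
        "NTP servers as expected"     = ((($ntp | Sort-Object) -join ",") -eq
                                         (($expectedNtp | Sort-Object) -join ","))
    }
    $failed = $checks.Keys | Where-Object { -not $checks[$_] }

    New-Object PSObject -Property @{
        Host   = $h.Name
        Score  = "$($checks.Count - @($failed).Count)/$($checks.Count)"
        Failed = ($failed -join "; ")
    }
}

$report | Sort-Object Host | Format-Table Host, Score, Failed -AutoSize
Disconnect-VIServer -Confirm:$false
```

A host that shows SSH running outside a troubleshooting window, no remote syslog target, or lockdown mode off is exactly the kind of host that turns up in Richard's internet-facing list, so run something like this on a schedule rather than once.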

 

das.failuredetection time and the isolation response

I had a discussion on the VMTN forums about this last week, and the question basically was: what should my das.failuredetectiontime be set to when the isolation response is set to "Shut down"?

Let's first explain what das.failuredetectiontime is. I described it in our book as follows:

 

Mythbusters: ESX/ESXi caching I/O?

We had a discussion internally about ESX/ESXi caching I/Os. In particular this discussion was around caching of writes, as a customer was concerned about the consistency of their data. I fully understand that they are concerned, and I know in the past some vendors were doing write caching; however, VMware does not do this, for obvious reasons. Although performance is important, it is worthless when your data is corrupt or inconsistent. Of course I looked around for data to back this claim up and bust this myth once and for all. I found a KB article that acknowledges this and has a quote from one of our VMFS engineers.

 

vSphere + VNX = Integrated. HOWTO.

The posts that are done with integrated demonstrations are quite popular – these are useful for customers, EMC partners, and EMCers themselves.

The vSpecialist and VNX teams (big shout out to vSpecialist Joel Sprouse) worked together to create a tight, 15 minute demonstration that shows the highlights of the current VMware/EMC integration capabilities in the VNX platform which are all provided at no additional cost.  It covers:

 

OpSource Cloud Experience — Introduction

OpSource Cloud is an enterprise-class Infrastructure-as-a-Service cloud backed by the reliability and performance of VMware vSphere.  It’s a bulletproof environment that is suitable for virtually any workload, offering a 100% uptime SLA and guaranteed sub-millisecond network latency.  This infrastructure cloud runs on the latest release of vSphere and also offers the ability to import and export ESX virtual machines in OVF format for easy transfer of workloads from your own VMware private cloud.

 

OpSource Cloud Experience — Connecting

In the previous post, you saw an overview of the OpSource Cloud, a VMware vSphere-backed public IaaS cloud.  Today we take a look at connecting to virtual machine instances for managing and consuming services.

OpSource networking is based on Cisco switches and security; cloud users have various options for configuring access for management or public services.  When new virtual machines are instantiated, they are assigned private IP addresses and cannot be accessed from the Internet directly.  This is a good thing for security, but how does an administrator manage workloads in the cloud?

 

OpSource Cloud Experience — Networking

So far in this series on the OpSource Cloud, you’ve seen how to get started and how to manage workloads securely over the Internet.  Now let’s look at connectivity and performance between the cloud virtual machines.

Layer 2 Networking

If you are a vSphere administrator, it may come as a surprise to find out that some public clouds do not permit layer 2 connectivity between virtual machines.  Actually, you may be even more surprised to learn that it is very typical for your VMs to be instantiated on completely different subnets.  That means that all data must flow through another device on the network — an Ethernet bridge or IP router, filtering traffic — even if two virtual machines are on the same IP subnet.

 

The SRM 4.0 Book is Free

It's the end of my financial year, and in the last couple of months I've started writing a new version of the SRM book. So it's with great pleasure that I can now announce that the PDF version of the SRM 4.0 book will be free to download from this date. You can still order a hard copy of the book from LULU at cost price if you so wish. Of course you are welcome to make your own donation to UNICEF should you wish.

I will start totting up how much money I raised in total for UNICEF, and will make a donation within the next couple of days.

 

 

Using DSquery to Find LDAP Paths – vCO

When you are configuring vCO, one of the requisite steps is to configure LDAP. While vCO has some pretty nifty search buttons, you can still get this info and more using DSquery.

Here are a few examples:

Find a Specific Group

PS C:\> DSquery OU -name "ProVMware Users"
"OU=ProVMware Users,DC=provmware,DC=local"
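The OU lookup above is one of several distinguished names the vCO LDAP page asks for. As an added example, not from the original post, here are the other dsquery and dsget calls that typically fill in the rest of that page: the base DN and LDAP hosts, the user and group lookup roots, the bind (lookup) account, and the group that will be mapped to the vCO admin role. The domain provmware.local and the "ProVMware Users" OU come from the post; the "ProVMware Groups" OU, the svc-vco account and the "vCO Admins" group are assumed names. Run it from a domain-joined Windows box with the AD DS command-line tools installed.

```powershell
# Added example, not from the original post. Domain provmware.local and the
# "ProVMware Users" OU are from the post; svc-vco, "ProVMware Groups" and
# "vCO Admins" are assumed names. Requires the AD DS tools (dsquery/dsget).

# Base DN (vCO "Root") and the domain controllers you can point vCO at
dsquery * "DC=provmware,DC=local" -scope base -attr distinguishedName
dsquery server -o rdn

# User lookup base and the bind account, looked up by sAMAccountName.
# Use a dedicated, read-only account for the bind: vCO stores its password.
dsquery ou -name "ProVMware Users"
dsquery user -samid svc-vco

# Group lookup base and the group that will carry the vCO admin role
dsquery ou -name "ProVMware Groups"
dsquery group -name "vCO Admins"

# Check who is actually in the admin group before trusting it with vCO
dsget group "CN=vCO Admins,OU=ProVMware Groups,DC=provmware,DC=local" -members -expand

# Raw LDAP filter form, handy when you need more than the DN (for example to
# confirm the bind account is enabled and has no odd userAccountControl flags)
dsquery * -filter "(&(objectCategory=person)(sAMAccountName=svc-vco))" -attr distinguishedName userPrincipalName userAccountControl
```

Paste the returned DNs into vCO exactly as printed; a single wrong RDN in the user or group lookup base silently returns no matches rather than an error.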

 

Virtualisation 101 – VMware Update Manager (VUM)

Update Manager is VMware's patching product, used to update ESX/ESXi hosts, virtual appliances and guest machines. It is a companion product to vCenter and is installed via the vCenter Installer. In smaller deployments VUM is installed on the vCenter server; in larger environments it can run on a dedicated server.

The application can run scheduled downloads of patches from VMware and Shavlik (for Microsoft updates) and store them in a local repository. Patches can also be imported from ZIP files, or via an intermediary machine running the Update Manager Download Service (UMDS), which is how patches reach a VUM server that has no Internet access.
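The same attach, scan and remediate workflow can be driven from PowerCLI with the Update Manager snap-in, which is how you would schedule it instead of clicking through the vSphere Client. The following is an added example, not code from the original page or from VMware's documentation. It assumes the VUM PowerCLI snap-in is installed alongside PowerCLI 4.1; the vCenter, cluster and baseline names are assumptions ("Critical Host Patches (Predefined)" is the name of the predefined host baseline as we recall it, so check it with Get-Baseline first).

```powershell
# Added example, not VMware's own code: attach a patch baseline to a cluster,
# scan, report compliance per host and remediate only the non-compliant hosts.
# Assumes the Update Manager PowerCLI snap-in (VMware.VumAutomation) is
# installed; vCenter, cluster and baseline names are assumptions.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
Add-PSSnapin VMware.VumAutomation -ErrorAction SilentlyContinue
Connect-VIServer -Server vcenter.provmware.local       # assumed vCenter name

$cluster  = Get-Cluster -Name "Prod-Cluster01"         # assumed cluster name
$baseline = Get-Baseline -Name "Critical Host Patches (Predefined)"   # assumed name

# Attach at cluster level so hosts added later inherit the baseline, then scan.
Attach-Baseline -Entity $cluster -Baseline $baseline
Scan-Inventory -Entity $cluster -UpdateType HostPatch

# Per-host compliance; Status is Compliant, NotCompliant, Incompatible or Unknown.
$compliance = Get-Compliance -Entity ($cluster | Get-VMHost) -Baseline $baseline
$compliance | Select-Object Entity, Baseline, Status | Format-Table -AutoSize

# Remediate one host at a time. VUM places the host in maintenance mode (DRS
# evacuates the VMs in a DRS cluster) and reboots it if a patch requires it.
$needsWork = $compliance | Where-Object { $_.Status -eq "NotCompliant" } |
             ForEach-Object { $_.Entity }
foreach ($vmhost in $needsWork) {
    Remediate-Inventory -Entity $vmhost -Baseline $baseline -Confirm:$false
}

Disconnect-VIServer -Confirm:$false
```

Scan first and read the report before remediating: a host that comes back Incompatible (for example because a patch conflicts with a third-party bundle) should be dealt with by hand, and the Unknown state usually means the scan itself did not complete.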

 

VMware vSphere 4.1 HA and DRS Technical Deepdive - Available for the Kindle Now

The VMware vSphere 4.1 HA and DRS Technical Deepdive is available as an eBook for the Kindle now. So if you buy it once, you can read it everywhere. The price of the Kindle version is even lower (only $7.50) than the paperback, which was already a good bargain. In fact it's the cheapest and most cool vSphere book on the market. So hop over to Amazon.com and get your Kindle version of the VMware vSphere 4.1 HA and DRS Technical Deepdive written by the famous authors Frank Denneman and Duncan Epping.

 

Automatic VLAN change in VMware View

Some of my colleagues over at VMware US, Scott Jobe (Desktop Specialist) and Josh Spencer (Sr. Systems Engineer), teamed up to address the need to automatically assign VMs to a particular VLAN in VMware View during refresh or recompose cycles.

When the Parent VM is configured, administrators need to assign a VLAN or Port Group. This VLAN will follow the cloned (full-clone or linked-clone) virtual desktops whenever they are created, refreshed or recomposed.

Administrators are able to manually move the desktops to various VLANs. It is also possible to automate a VLAN change through PowerShell scripting after the desktop is created. However, none of these methods allow the newly assigned VLAN to survive a refresh or recompose operation.

 

HDS and VAAI Integration

On day 1 of Hitachi Data Systems Geek Day 2.0, we met with Michael Heffernan, Global Product Manager – Virtualization. You might know him as @virtualheff on Twitter. I was pleased to listen to Heff as he discussed HDS integration with the VMware vSphere vStorage API for Array Integration (VAAI for short, most easily pronounced "vee·double-ehh·eye"). For those who aren't aware, VMware introduced VAAI with the GA release of vSphere 4.1 on July 13th of last year. In short, VAAI allows the burden of certain storage-related tasks to be offloaded from the ESX/ESXi hypervisor to the storage array. Generally speaking, the advantages touted are performance improvement of intrinsic tasks and increased scalability of the storage array. HDS is one of a few storage vendors who supported VAAI integration on the July launch date, and in February of this year they announced VAAI support with their VSP (see also Hu Yoshida's writing on the announcement).

 

 

VMware Knowledge Base Weekly Digest: New Articles Published for week ending 4/1/11

VMware Capacity Planner
The Capacity Planner 2.8 dashboard does not display the Logical Drive information (1036304)
VMware ESX
Changes to columns displayed in the vSphere Client do not persist after restarting the client (1030614)
Troubleshooting mode boots into the older version after upgrading and shows the error: Signature mismatch between vmkctl & VMkernel (1033276)
Virtual machine fails to power on after migrating to ESX/ESXi 3.5 (1035794)
Using the partedUtil command line utility on ESX and ESXi (1036609)
Reloading a vmx file without removing the Virtual machine from inventory (1026043)
Intel 82578DM Gigabit Ethernet device is not compatible with ESX/ESXi hosts (1035726)
VMware ESXi
Installing ESXi fails with the error: Disk error 51, AX=4280, Drive 9F (1026588)
Installing ESXi 4.1 fails with the error: Total number of sectors not a multiple of sectors per track! (1029670)
Disabling hostd and vpxa output to /var/log/messages in ESXi (1030672)
Installing or upgrading VMware Tools in ESXi 4.1 fails with the error: Call "VirtualMachine.MountToolsInstaller" for object "<vm name>" failed on vCenter Server "<vc name> (1036131)
Unable to add permissions to an Active Directory user on an ESXi 4.1 host joined to an Active Directory domain (1036554)
Identify a PCI device in ESX/ESXi 4.x and compare it with the VMware HCL list (1031534)
Reverting to a previous version of ESXi after a failed upgrade (1033604)
Refreshing port state information for a vNetwork Distributed Virtual Switch (1034326)
Increasing the width of the device field in esxtop to show the complete NAA ID (1035989)
Scanning ESX/ESXi hosts using Agent Pre-Upgrade Checker fails with the error: Connection Failed (1036848)
VMware Service Manager
Last updated date is incorrect on a CI that was updated by a Update CMDB task in a request workflow (1035946)
You are unable to make the Action Time field on a task screen as a required field (1036091)
Cannot delete reports from the recycle bin in report designer (1036461)
After upgrading to VMware Service Manager 9.x, the customized reports with Joins fail to run (1036737)
When changing language of the system through the server console, you receive the error: Error Copying Titles (1036917)
VMware vCenter Configuration Manager
Unable to discover vCenter properties from vCenter Configuration Manager running remote PowerShell command as a vCenter Configuration Manager job (1036281)
Compliance rule does not save or execute in vCenter Configuration Manager (1036283)
VMware vCenter Converter Standalone
V2V conversion fails when using Paravirtual SCSI Controller (1036719)
Enabling Logging in to Helper Virtual Machine During Conversion of Powered-On Linux Sources with Converter Standalone 4.3.x (1036746)
VMware vCenter Lab Manager
Deploying a configuration in vCenter Lab Manager times out while gathering the requirements for virtual machines (1025673)
When deploying Lab Manager Live Link, you see the error: Deploy time network fenced mode selection must be on either none or on all physical networks (1030722)
Adding a physical network object in Lab Manager fails with the error: Physical network already exists (network name) Use unique name. (1032483)
Lab Manager hosts disconnect from ESX but not from vCenter Server (1035418)
VMware vCenter Operations Standard
Collecting diagnostic information for VMware vCenter Operations Standard (1036655)
VMware vCenter Server
vpxd logs are not generated in the vCenter Server logs folder (1032606)
vCenter Server reports an incorrect console memory for a host that was upgraded from ESX/ESXi 4.0 to 4.1 (1036750)
Sysprep does not starting the customization for Windows 7 or 2008 virtual machine with error: A fatal error occurred while trying to Sysprep the machine (1026639)
Setting user privileges to allow users to create virtual machines in vCenter Server 4.x (1027743)
Migration options for a virtual machine are greyed out though vMotion is licensed (1029926)
vSphere Client stops responding when trying to view custom performance charts (1030983)
vCenter Server search, plug-ins, and performance charts do not work (1031849)
Licensing vCenter Server 4.x fails with the error: Cannot complete the license assignment operation (1035951)
VMware vCenter Site Recovery Manager
Running the vCenter Site Recovery Manager dns_update script fails with the error: \VMware\VMware was unexpected at this time." (1036097)
Running the Site Recovery Manager dns_update script fails with the error: Can't spawn c:\windows\system32\cmd.exe ... Bad file descriptor (1036140)
Using Windows remote server administration tools to run dns_update from the Site Recover Manager server (1036141)
VMware vCloud Connector
Collecting diagnostic information for vCloud Connector 1.0.x (1036378)
VMware vCloud Director
When customizing using vCloud Director, the RHEL guest operating system does not honor the DHCP_HOSTNAME entry (1034933)
Accessing the vCloud Director user interface fails with the error: Cannot open connection - Too many open files (1036219)
VMware View Manager
Single Sign On does not work over PCoIP when connecting to a Vista Desktop (1019466)
Information on Disk Partition alignment on VMware View 4.5 desktops (1031462)
Overview of VMware View USB redirection (1036200)
VMware VirtualCenter
vCenter Server 4.x and VirtualCenter 2.5 show active paths in Stand By state (1032761)
VMware vShield Endpoint
Preparing ESXi Embedded host with vShield Endpoint and Trend Micro Deep Security you receive error: DVFilter: 3516: DVFilter is not enabled due to missing license (1033252)
VMware Workstation
Updated version of vmrun for VMware Workstation 6.5.x addresses security issue CVE-2011-1126 (1035509)