TheVMinator's Posts

OK thanks again - much appreciated.
OK thanks again.
OK thanks again.
great input - thanks again.
Unfortunately don't have permissions to try it - can anyone else verify if this works?
It's been a while, but if I remember correctly, in the case of an environment with Fibre Channel LUNs and/or NFS volumes I think I do remember some cases where the datastore filled up and the LUN/volume went offline as a result. Not sure if that was the fault of ESXi or of the array itself, and I can't give you a 100% accurate description of the exact conditions, but I think I've seen it.
Edward, Thanks again. Helpful clarification. The article you wrote was very helpful in describing the architecture of ESXi and why gaining control underneath the VM would be near impossible. And it seems, not being a security expert (you can correct me here), that in the case of flip feng shui the caveat is that you don't actually need to escape the VM. A successful flip feng shui attack seems to be making certain types of physical servers with the right kind of physical RAM and running a hypervisor cough up memory contents outside of what is supposed to be dedicated to the VM, and allow that VM to read memory contents potentially belonging to another VM. Obviously this creates some problems - such as that without gaining control of the neighboring VM, the odds that I'm going to by chance force physical RAM contents that actually have something valuable (a username / password, sensitive data) in a format that is usable would be extremely small. At the same time someone could argue that the confidentiality of data running in a VM had been compromised, even though no one actually "escaped" and took programmatic control of the ESXi hypervisor or of a vmm process on another VM. So would you consider flip feng shui actually to be classified as a "VM Escape" or as another kind of attack? It does seem to follow a different method than the process you referred to, but if successful could still represent a compromise in security of an adjacent VM. Would you say the same, that there are no published accounts of a successful flip feng shui on ESXi?
Edward, Thanks for the links. Great input as always. Great article on vmescape.com - also your article was great here as well. Totally agree that this is the wrong issue to worry about. However, for those of us helping FUD-bound colleagues.... Although Mike's article was very good on this - if it has never happened on ESXi even internally at VMware, I wish he would come out and say "VM escape has never happened on ESXi" and make it clear. He says "Is there a risk? Of course". Also - the VMware security advisory says this: VMSA-2017-0006 "ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host." For those of us trying to help FUD-bound colleagues - if a FUD-bound CISO looking for a problem with VMware read the security advisory, it would give ammunition to the argument that ESXi is vulnerable to VM escape. It would have been more helpful for Mike to clarify like this: "Even though VMware says that this critical vulnerability may allow a guest to execute code on the host [including ESXi], this has only been done on Workstation and no one has ever done it on ESXi, even within VMware's internal labs / testing." Is there a reason he isn't saying it that emphatically? Also, it seems the most recent successful VM escape on Workstation was flip feng shui (correct me if wrong) https://www.vusec.net/projects/flip-feng-shui/ and it would be helpful to explain in more specific technical detail why, even though this exploit was done on Workstation and a critical patch released by VMware for ESXi, it could not and has not ever been executed on ESXi. Thoughts?
I guess my question is - in Windows you don't have to add a new virtual disk to increase the size of an existing partition. You just expand the virtual disk in VMware, then expand the partition in Windows. Is it possible to do anything like this in Oracle Linux? Or do you have to add another virtual disk if you are going to expand a partition?
I'm out of free space on my Oracle Linux 6 VM with only one hard disk. Is it possible to obtain more space in Oracle Linux by expanding the size of the existing virtual disk? Or do I need to add an additional virtual disk, then extend the existing partition on to the newly added virtual disk?
I've read of a successful VM Escape on VMware Workstation - and that ESXi had a patch released in response to it: https://threatpost.com/vm-escape-earns-hackers-105k-at-pwn2own/124397/ However, are there any documented successful VM Escape attacks on ESXi as opposed to Workstation? There is a patch against it - but has anyone ever actually done it on ESXi?
Nick_Andreev That's well said - thanks. So the risk management here is really balancing the risk of running out of space at the array level vs. running out of space at the volume level. Running out of space at the volume level is still a risk of course - since that datastore could go offline, VMs could be corrupted, etc. However, running out of space at the array level is a risk with much greater impact and severity if it eventuates. So what you are saying is accept the risk of an individual volume running out of space and don't accept the risk of the whole array running out of space. In this environment capacity planning related to tracking growth of volumes is rather immature, so it would be just a matter of ramping up our trending/forecasting/monitoring of volume/datastore growth as much as possible.
I'm using VMware on NetApp NFS All Flash FAS, where there is an option to autogrow volumes instead of creating a new volume and VMware datastore when I run out of space. Traditionally I've been using a standard 4TB datastore size. Is it better to keep a standard datastore size of 4TB and create new volumes when I run out of space, or should I use Autogrow and let volumes become different sizes as autogrow grows them?
Does anyone have experience vetting vRA vs. HP's CMP "Cloud Service Automation"? How do they compare and what is your experience? Thanks!
What are the things I need to have in place in the virtualization layer of my environment in order to deploy the latest version of vRA?
- Do I need to have all distributed switches, or can I use standard switches?
- Do I need to be using datastore clusters, or can I use individual datastores not in clusters?
- Are there any other specific things that need to be in place in vSphere for vRA to work?
Thanks!
OK thanks - it's erroring out though:

Get-View : Cannot bind parameter 'Id'. Cannot convert the "VMware.Vim.DatastoreHostMount" value of type "VMware.Vim.DatastoreHostMount" to type "VMware.Vim.ManagedObjectReference".
At C:\scripts\vmware_remove_datastores.ps1:22 char:25
+     $esx = Get-View -Id $_.ExtensionData.host[0]
+                         ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-View], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.DotNetInterop.GetVIView

Any ideas? I'm sure it is getting the datastore OK and passing it down the pipe, but it looks like $_.ExtensionData.host[0] isn't returning a result...
NFS
Is there a way to import a list of datastores and then for each datastore, find all host profiles that specify that this datastore should be mounted, and automatically update the host profile to NOT require that datastore to be mounted to the hosts it is applied to?
Is there a way to import a list of datastores that need to be unmounted from all hosts that have them mounted, then find each host that has that datastore mounted and unmount the datastore from all hosts?
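A PowerCLI script for the unmount loop asked about here, which also shows why the later post's `Get-View -Id $_.ExtensionData.host[0]` call fails to bind. This is an added example, not code from this thread or from VMware. It assumes PowerCLI is loaded, `Connect-VIServer` has already been run against the vCenter that owns the hosts, the datastores are NFS (as the thread says), and a hypothetical input file `C:\scripts\datastores.txt` with one datastore name per line.

```powershell
# Added example, not code from this thread. Assumes PowerCLI is loaded and
# Connect-VIServer has already been run. C:\scripts\datastores.txt is a
# hypothetical input file with one datastore name per line.
$inputFile = 'C:\scripts\datastores.txt'
$names = Get-Content -Path $inputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($name in $names) {
    $ds = Get-Datastore -Name $name -ErrorAction SilentlyContinue
    if (-not $ds) {
        Write-Warning "Datastore '$name' not found, skipping"
        continue
    }

    # Safety check: never unmount a datastore that still has VMs or templates
    # registered on it, or those VMs end up orphaned/inaccessible in inventory.
    $vmCount = @($ds.ExtensionData.Vm).Count
    if ($vmCount -gt 0) {
        Write-Warning "Datastore '$name' still has $vmCount VM(s)/template(s) registered, skipping"
        continue
    }

    # Datastore.Host is an array of DatastoreHostMount objects, not host
    # references, which is why Get-View -Id $_.ExtensionData.host[0] cannot
    # bind. The host's ManagedObjectReference is the mount's Key property.
    foreach ($mount in $ds.ExtensionData.Host) {
        if (-not $mount.MountInfo.Mounted) { continue }   # already unmounted here
        $esxView = Get-View -Id $mount.Key -Property Name
        $esx = Get-VMHost -Name $esxView.Name
        Write-Host "Unmounting '$name' from $($esx.Name)"
        # For an NFS datastore, Remove-Datastore with -VMHost unmounts it from
        # that one host only; the export on the NetApp side is untouched.
        Remove-Datastore -Datastore $ds -VMHost $esx -Confirm:$false
    }
}
```

Run it once with `-WhatIf` added to `Remove-Datastore` to see which host/datastore pairs it would touch before letting it make changes. The `Vm` check matters because vCenter will happily unmount an NFS datastore that still backs registered VMs. VMFS datastores are a different case: unmounting a VMFS volume from a host is done through the host's StorageSystem (`UnmountVmfsVolume`), not with this cmdlet.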
thanks all much appreciated!