Category Archives: VMware

HOWTO Secure iSCSI Luns Between VMware ESXi 5.1 and NetApp Storage with Bidirectional CHAP

29 Friday Nov 2013

Posted by in iSCSI, Security, VMware

Leave a comment

Tags

, ,

This document demonstrates how to configure iSCSI bidirectional CHAP between ESXi 5.1 Update 1 and NetApp storage. There were to many screen captures for a regular post so I created the pdf below.

Versions in use for this document:
1) VMware vSphere vCenter 5.1 Update 1c Web Client
2) VMware ESXi 5.1 Update 1
a. Note: The ESXi software iSCSI initiator will be used for this document
3) NetApp Data ONTAP 7.3.7P3 (this also works with Data ONTAP version 8x)

The HOWTO is here: Bidirectional CHAP with vSphere 5.1u1c.pdf

When a VMware Tools Upgrade Goes Bad – Fixing NICs

27 Wednesday Nov 2013

Posted by in VMware, Windows

Leave a comment

Tags

,

Scenario: you upgrade VMware tools on one of your VMs and your IP address will not maintain a static configuration. It reverts back to a Microsoft APIPA address (169.254.0.1 – 169.254.255.254). It’s Sunday at 9:00 PM, the outage window is closing and now you are angry.

Solution: you have to clean out all references to current and previous NICs in the registry. This post tells you how to do this for Windows 2008R2 x64. Make sure you have a local administrator account and know the password before you start. You don’t want to lock yourself out of the VM should something go haywire.

Note: Make sure your VM hardware is set to a version compatible with your version of vSphere. For this post, I’m set to version 9 (for 5.1 U1c). You can run into issues related to buggy hardware mismatches.

1) Remove the NIC and reboot the VM.
a) Right-click the VM > Edit Settings > select the NIC and click Remove > OK.

2) Delete the Interfaces and Adapters from the Registry.
a) Click Start > Run and enter regedt32 and press enter.
b) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces
c) Expand Interfaces and delete all entries (delete folders from the left pane).
d) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Adapters
e) Expand Adapters and delete all entries (delete folders from the left pane).
f) Close the registry editor and reboot the VM.

3) Add the VMXNET3 NIC back to the VM.
a) Right-click the VM > Edit Settings > click Add > select Ethernet Adapter and click Next.
b) On the Network Connection page, select the VMXNET3 adapter type, select the network you want to connect to and most importantly, DESELECT connect at power on, and then click Next > Finish > OK.
c) Reboot the VM. Don’t skip this reboot.

4) Configure your IP address.
a) Login to the VM. Click Start > Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Setting.
b) Right-click the NIC > Properties > select IPv4 and click Properties.
c) Enter your IP, mask, gateway, dns and click OK > OK.
d) Right-click the VM > Edit Settings > select the NIC and in the upper right, click both Connect at power on and Connected, then click OK.
e) The NIC will connect and you should have a clean network configuration.
f) Open a cmd prompt and enter ipconfig -all to verify. Ping other hosts to test.

Display the iSCSI Initiator Node Name or IQN from the command line.

01 Sunday Sep 2013

Posted by in HP, iSCSI, Linux, NetApp, NetBSD, Solaris, VMware, Windows

1 Comment

Tags

At some point you will be asked by a Storage Engineer for your system’s iSCSI Initiator Node Name or your iqn. This list shows you how to get your local iSCSI initiator name or iqn from the command line. This assumes the iSCSI service is installed, enabled and running. If you have a different way or want to add an OS or platform to this list simply leave a comment and I’ll add it.

AIX:
> smitty iscsi
select > iSCSI Protocol Device
select > Change / Show Characteristics of an iSCSI Protocol Device

FreeBSD (v10 and newer. Thanks to Edward Tomasz Napierala for this update):
> iscsictl -v  (only after you have established a session with your array)

HP-UX:
> iscsiutil -l

Linux:
> cat /etc/iscsi/initiatorname.iscsi

NetApp Data ONTAP: (this is a target iqn not a host iqn)
7-Mode:
> iscsi nodename

Cluster Mode from the clustershell:
> vserver iscsi show

NetBSD: (please make this easier NetBSD developers! How about an iscsictl list_initiators command?)
> iscsictl add_send_target -a <hostname or IP of your target/storage)
Added Send Target 1
> iscsictl refresh_targets
OK
> iscsictl list_targets
1: iqn.1992-08.com.netapp:sn.84167939
2: 10.1.0.25:3260,1000
> iscsictl login -P 2
Created Session 2, Connection 1
> iscsictl list_sessions
Session 2: Target iqn.1992-08.com.netapp:sn.84167939

On the NetApp filer find the initiator:
netapp01> iscsi initiator show
Initiators connected:
TSIH  TPGroup  Initiator/ISID/IGroup
4    1000   nbsd611.lab.slice2.com (iqn.1994-04.org.netbsd:iscsi.nbsd611.lab.slice2.com:0 / 40:00:01:37:00:00 / )

Solaris 11:
> iscsiadm list initiator-node

VMware ESXi 5.1:
ESXi console:
Get the devices first:
> esxcfg-scsidevs -a | grep iSCSI
Then get the iqn (in this case vmhba33 is the iSCSI device)
> vmkiscsi-tool -I -l vmhba33

esxcli:
> esxcli -s <esxihostname or ip> -u root iscsi adapter get -A vmhba33

Windows:
c:\iscsicli.exe

Free VMware Class – Security Principles in Virtualized Data Centers

09 Thursday May 2013

Posted by in Security, VMware

Leave a comment

Tags

,

Overview:
In this free eLearning course you will review security requirements and learn how to secure the virtualized datacenter environment as well as explain cloud security features and concepts.
Outline:

•  In the first module, Security in a Virtualized Data Center, we will describe security principles and identify unique security considerations in virtualized data center environments.
•  In the Platform Hardening module we will describe VMware vSphere® security and present some vSphere hardening examples.
•  In the Security Compliance and Governance module we will describe compliance, common standards, common compliance controls, VMware compliance example with PCI, and examine VMware compliance solutions.
•  In the Security Use Cases in Virtualized Data Centers module we will explain how to protect business-critical applications in virtualized environments and how to secure VMware View virtual desktop infrastructure deployments.
•  In the Private Cloud Security module we will define cloud computing, examine private cloud architecture, and examine security considerations in private clouds.
•  In the last module, the Ecosystem Enablement and APIs, we will describe the vCloud Ecosystem Framework, introduce the relevant APIs, along with the VMware Ready program that Technology Alliance Partners use to access the APIs. Finally, we will show some examples of partner integrations.

Register here:
http://mylearn.vmware.com/mgrReg/courses.cfm?ui=www_edu&a=det&id_course=172855

Adding a new local disk to ESXi and formatting with VMFS

20 Wednesday Mar 2013

Posted by in ESXi, VMware

1 Comment

Tags

,

Need to add a disk to an ESXi 5x server and format as VMFS? Here is how you do it from the ESXi CLI. Enable ssh on the ESXi host in vCenter and login as root via xterm or putty. This was done on an HP DL360.

1) Find your disks.

> ls /vmfs/devices/disks/
-or
> esxcfg-scsidevs -c

The new disk is: mpx.vmhba1:C0:T1:L0

2) Create a partition.

> fdisk /vmfs/devices/disks/mpx.vmhba1:C0:T1:L0
Select: m
Select: l
Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
Select: p
Partition number (1-4): 1
First cylinder (1-8920, default 1): Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-8920, default 8920): Using default value 8920

Command (m for help): p

Disk /vmfs/devices/disks/mpx.vmhba1:C0:T1:L0: 73.3 GB, 73372631040 bytes
255 heads, 63 sectors/track, 8920 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks  Id System
/vmfs/devices/disks/mpx.vmhba1:C0:T1:L0p1             1      8920  71649868+  83  Linux

Command (m for help): w
The partition table has been altered!

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): l

0 Empty                             1c Hidden W95 FAT32 (LBA)     a5 FreeBSD
1 FAT12                              1e Hidden W95 FAT16 (LBA)     a6 OpenBSD
4 FAT16 <32M                 3c Part.Magic recovery                 a8 Darwin UFS
5 Extended                        41 PPC PReP Boot                         a9 NetBSD
6 FAT16                              42 SFS                                             ab Darwin boot
7 HPFS/NTFS                   63 GNU HURD or SysV               b7 BSDI fs
a OS/2 Boot Manager      80 Old Minix                                 b8 BSDI swap
b Win95 FAT32                 81 Minix / old Linux                    be Solaris boot
c Win95 FAT32 (LBA)      82 Linux swap                              eb BeOS fs
e Win95 FAT16 (LBA)      83 Linux                                         ee EFI GPT
f Win95 Ext’d (LBA)         84 OS/2 hidden C: drive             ef EFI (FAT-12/16/32)
11 Hidden FAT12                85 Linux extended                        f0 Linux/PA-RISC boot
12 Compaq diagnostics      86 NTFS volume set                    f2 DOS secondary
14 Hidden FAT16 <32M    87 NTFS volume set                    fd Linux raid autodetect
16 Hidden FAT16                8e Linux LVM                               fb VMFS
17 Hidden HPFS/NTFS     9f BSD/OS                                     fc VMKcore
1b Hidden Win95 FAT32   a0 Thinkpad hibernation

Hex code (type L to list codes): fb
Changed system type of partition 1 to fb (VMFS)

Command (m for help): w
The partition table has been altered!

3) Create the filesystem.

> vmkfstools -C vmfs5 -b 1m -S <new datastore name here> /vmfs/devices/disks/mpx.vmhba1:C0:T1:L0:1

VMFS5 file system creation is deprecated on a BIOS/MBR partition on device ‘mpx.vmhba1:C0:T1:L0:1’
Checking if remote hosts are using this device as a valid file system. This may take a few seconds…
Creating vmfs5 file system on “mpx.vmhba1:C0:T1:L0:1” with blockSize 1048576 and volume label “Datastore name”.
Successfully created new volume: 512bee4b-d5bd5128-568e-0015174b0172

4) Done.

Using Virtual Ethernet Adapters in Promiscuous Mode on Linux

20 Wednesday Mar 2013

Posted by in Linux, Security, VMware

Leave a comment

Tags

, ,

VMware does not allow the virtual Ethernet adapter to go into promiscuous mode unless the user has permission to make that setting change. This follows the standard Linux practice that only root can put a network interface into promiscuous mode. See this VMware KB for details.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=287