Adjusting Console OS RAM via rCLI

In order to facilitate my ability to configure all aspects of an ESX host automatically, I wanted to adjust the amount of memory that is assigned to the COS without having to use VI Client. The perl below is the result of that effort.

As always, I am not responsible for any damage caused to your infrastructure, I recommend you put your host in maintenance mode and move all VMs off of it before attempting any significant action upon it (there should be little risk involved with this script though…). The change will not take effect until you reboot the host (which can be accomplished with the hostops.pl sample script provided as a part of the Perl Toolkit).

Read moreAdjusting Console OS RAM via rCLI

vSwitch security policies

Update 2009-2-22: Yet again, I updated the script, this time just to simplify and shorten the code using the “normal” method of updating values in objects retrieved from the SDK (rather than creating a whole new object and copying values, the script now updates the object retrieved, then uses that to update).

Update 2009-01-02: I have updated the script again, this time using the standard “vihost” so that you can connect to vCenter and change a host’s switches, as opposed to just connecting to the ESX host directly. I have also started using the _default_ parameter, which means that it is no longer necessary to specify the “–vswitch” option, but rather it is the last option on the line (just like all the other VMware provided scripts).

Update 2008-12-30: I have updated the script so that it defaults to turning all options off without having to specify them. This makes it easier to use (thanks to Glenn for this idea…).

I haven’t posted in a while, but it’s not because I haven’t been busy. The bulk of my recent work has been in automating the droll configuration items for an ESX server. With the exception of hardening the COS, pretty much everything can be setup/configured remotely via the SDK or rCLI. If you can change or set something via the Virtual Infrastructure Client, then you can set it via the SDK.

I am no POSH coder (just ask Glenn…), but I do know some perl, so using the VI Perl Toolkit, I’ve been able to script most of the configuration items that I need to do for an ESX server. This post is the first in what I hope will be a line that will hopefully contain scripts on configuring most aspects of an ESX host remotely.

I set all of our vSwitches to have Promiscuous Mode, Forged Transmits and MAC changes disabled, and so far there are no port groups that override this setting, thus giving me at least a little sense of security for certain aspects of my virtual networking.

Read morevSwitch security policies

VMworld 2008

Sunday, Andrew and I depart for five days of geekin it up goodness.  We will try and post updates through the conference.  I figure we’re going to take notes anyways what’s the difference?  If you want to follow us on twitter we’re http://twitter.com/glnsize, and http://twitter.com/acsulli.

I plan on spending most of my time talking to fellow admins.  I need to gauge what we’re doing in respect to the industry… After the small talk, you’ll probably find me in anything that has the words; PowerShell, Tech Preview, NetApp, Cisco, Exchange, or Active Directory… oh and Beer!

My schedule:

Tuesday:

10:00 -11:00 — EA2372   —  Virtualizing Big Applications” – Performance Considerations” 
11:00 -12:00 — KN Cisco —  Designing the Next Generation Data Center – Cisco and VMware
13:00 -14:00 — AD2764  — Managing VMware with PowerShell
14:30 -15:30 — TA1402   —  Introduction to Storage VMotion
16:00 -17:00 — TA2421  —  DRS Technical Overview and Best Practices

Wednesday:

09:30 -11:30 — Lab05    —  VMware Infrastructure  – Security Hardening & Best Practices(VMware VirtualCenter ” VMware ESX & VMware ESXi”)
11:30 -12:30 — PO1861  — VMTN Community Experts
13:00 -14:00 — TA1405  — VMotion Technical Deep Dive
15:00 -16:00 — TA2275  — Tech Preview:  VMware Infrastructure Virtual Networking Future Directions
16:00 -17:00 — TA2377  — Performance Roundtable hosted by the Chief Performance Architect

Thursday:

09:30 -11:30 — Lab09    —  Scripting VMware Infrastructure: Automating, Integrating, and Extending VI
13:00 -14:00 — TA2213 — VMware Infrastructure 3 Storage:  iSCSI Implementation and Best Practices
14:00 -15:00 — VD2345 — Going Deep on Capturing Applications using ThinApp

Provisioning server for VM’s

Andrew and I recently reorganized our VI at work.  One of the key changes was the concept of datacenters via function… Without getting to far into it. One of the functions we identified, a stand alone resource pool to deploy all VM’s from.   We’re referring to it as our provisioning cluster.  Basically whenever we get a request for a new VM.  The VM is deployed there and then VMotioned to it’s appropriate resource pool only after everything is verified, and documented.

Well done with the theory.  I started to organize all our templates through VIC, but quickly relied we have a ton of them!  Win2k, Win2k3, Win2k8, RELH4, Solaris 10… all or which have x86/x64 variants for each of our licensed options… Standard, Enterprise, Datacenter… etc.  Did I mention all I did for a month was build templates.  Anyways they where everywhere, and I was not looking forward to this.  Then I read this post From Hal’s blog, and quickly realized that with was something worth scripting.  The version I used at work looked like

Get-Template | get-view | % {$_.MarkAsVirtualMachine((get-cluster "pool1" | Get-ResourcePool | get-view).MoRef, (get-VMHost "ESX1.localdomain.local" | get-view).MoRef); $_.MarkAsTemplate()}

but that kids is not what I would call production ready.  That’s what I love about PowerShell I had a one time task… boom one line!  Took 15 min to find/move all of the templates we had in our env.   As I was added this script to our internal Wiki it occured to me someone could probably build on this the same way I built on Hal’s post.  So here is a slightly more polished version.

~Glenn

Where in !@#%* does the text on tty11 come from?

You know the text I’m talking about…when you walk up to an ESX host and it has the hostname and IP address along with instructions to “press ALT-F1 to open the ESX Server Console, press ALT-F11 to return to this screen”.

Yeah, that text. Where does it come from? It’s not a typical tty…it has a screen saver (if you let it be for a while it’ll go blank). I can’t figure out for the life of me where it’s started, or where it get’s it’s data from…well I found some things…but not where the obviously non-dynamic (text other than ip address, hostname) data comes from.

The point of my looking for how it get’s that data is because we recently changed the IP addresses of all our ESX hosts. The console (and consequentially webAccess) were on a public LAN. For security reasons, we didn’t want this, so we put them on a private LAN. Nothing difficult…took care of the entire process from VI Client (add new console interface, set as primary, remove old console interface). I even went to the trouble (ok, I might have OCD) of physically standing in front of the box and moving the new vswif1 so that it’s named vswif0, just because it was irritating me.

Read moreWhere in !@#%* does the text on tty11 come from?

Simplify Get-VIServer

BSonPOSH took almost all the pain out of logging into Virtual Infrastructure with his get-credentials script.  That was still too much typing for me.  Every time I turned around I had timeout of my VC session.  My solution a small function added to my profile.

################### Start VMWARE ##################################

# Load Admin credentials
# Modified from http://bsonposh.com/archives/338

$creds = New-Object System.Management.Automation.PsCredential(“DomainUser-adm”, `
(Get-Content “$env:homesharescriptsmycreds.txt” | ConvertTo-SecureString)

# Load Vmware

IF (!(Get-PSSnapin | ?{$_.name -eq “VMware.VimAutomation.Core”}
{
Add-PSSnapin VMware.VimAutomation.Core
}

# Add VMware Community Extentions
# Requires Powershell V2
Add-Module “$env:homesharescriptsVMWareExtenstions.psm1”

Function Get-VC([string]$VCServer = “DefaultVCServer”)
{
Get-VIServer -Server $VCServer -Credentials $creds | Out-Null
}

Set-Alias GVC Get-VC

################### End VMWARE ####################################

Now when I want to connect to my primary VC Server I type.

PS > . GVC
that’s dot space GCV…

NOTE:  As far as how secure is this solution?  Well, my password is stored in a file.  That file cannot be interpreted by anyone other then me (similar to EFS).  Additionally I know some would mock globally loading $creds. However, I work on an isolated network, and my execution policy is set to ALLSigned.  I acknowledge that there is still a risk, but it’s one I can live with.

~Glenn

UPDATE:  VMware has changed the get-viserver cmdlet to connect-viserver more to come…

Command Line Licensing

I discovered that if you set the license server incorrectly, or if it can’t contact the license server, then ESX/VirtualCenter won’t let you change it. ESX seems to want to contact the old server before it will let you change to a new one.

Anyway, by modifying the /etc/vmware/license.cfg file, you can change the license server to what it should be (or just set it to an empty string and use VI Client). After modification, restart the management service:

Remediate this host…

You’re going to update my what?

With the release of ESX 3.5 and VirtualCenter Server 2.5, VMware also released Update Manager. Update Manager is a neat concept…download Windows, windows programs (e.g. firefox, adobe reader, etc), RHEL, and ESX (3.5 only) updates to the update host, then let VirtualCenter Server apply the updates. I can see where the ESX updates would be valuable, however I think any IT department big enough to support a large number of Windows VMs is already going to have a method of deploying updates (i.e., SMS, or whatever you windows admins use). Same for linux shops. So those updates, in my opinion, aren’t as valuable to the enterprise. I do see where small-to-medium businesses, especially those with a very small IT department, would want the advantage of having updates deployed to all VMs via a product they’ve already purchased (ESX) rather than having to buy another MS product (SMS, etc).

ESX is different however. Previously, there was no VMware product (to my knowledge) that allowed for automated update of the ESX hosts. There were some fantastic utilities that were published by the community, but there was no VMware product.

Well, that has changed. Once the Update Manager is installed, you simply tell it to update it’s database and download the updates.

Or is it so simple… What if you are not connected to the internet? What if you are on an isolated network? Well, VMware has what’s called the Update Manager Download Service.

Read moreRemediate this host…