Managing required Snapins

I’m often hesitant to rely on snap-ins in my production scripts.  My fear is that a Jr Sysad will grab the script and attempt to run it.   Without the required snap-ins the script will fail, and that failure will be “my fault”.  I solved this little problem by adding the following to any script that requires snap-ins.

Write-Host "Loading required PSSnapins..."
# Load the PSCX snap-in if it is not already loaded...
if (!(Get-PSSnapin | ?{$_.name -eq "pscx"})){Add-PSSnapin pscx -ErrorAction Stop}

Now when the script fails I can at least point at the error, and say “what do you mean you don’t know why it’s not working, it’s right there!”

Thank you aleksandar !
Talk about doing it the hard way, all I had to do was add the “#requires” header to the first line of my scripts.

#requires -pssnapin pscx

Gotta love PowerShell: every time you think you solved a problem, someone points out a feature of the parser that handles it natively!

~Glenn

Simplify Get-VIServer

BSonPOSH took almost all the pain out of logging into Virtual Infrastructure with his get-credentials script.  That was still too much typing for me.  Every time I turned around, my VC session had timed out.  My solution: a small function added to my profile.

################### Start VMWARE ##################################

# Load Admin credentials
# Modified from http://bsonposh.com/archives/338

$creds = New-Object System.Management.Automation.PSCredential("Domain\User-adm", `
(Get-Content "$env:homeshare\scripts\mycreds.txt" | ConvertTo-SecureString))

# Load VMware

if (!(Get-PSSnapin | ?{$_.name -eq "VMware.VimAutomation.Core"}))
{
Add-PSSnapin VMware.VimAutomation.Core
}

# Add VMware Community Extensions
# Requires PowerShell V2 (Add-Module in the V2 CTP became Import-Module in the release)
Import-Module "$env:homeshare\scripts\VMWareExtenstions.psm1"

Function Get-VC([string]$VCServer = "DefaultVCServer")
{
Get-VIServer -Server $VCServer -Credential $creds | Out-Null
}
}

Set-Alias GVC Get-VC

################### End VMWARE ####################################

Now when I want to connect to my primary VC Server I type:

PS > . GVC
that’s dot space GVC…

NOTE:  As far as how secure is this solution?  Well, my password is stored in a file.  That file cannot be interpreted by anyone other than me (similar to EFS).  Additionally I know some would mock globally loading $creds. However, I work on an isolated network, and my execution policy is set to AllSigned.  I acknowledge that there is still a risk, but it’s one I can live with.

~Glenn

UPDATE:  VMware has changed the Get-VIServer cmdlet to Connect-VIServer; more to come…
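
The profile snippet above reads mycreds.txt but does not show how the file is written. One way to create and load it, as an added example that is not the author's code: Save-AdminCredential and Get-AdminCredential are hypothetical helper names, the account and path are the ones from the snippet, and Connect-VIServer is used as the UPDATE describes.

```powershell
# Added example; the helper names are hypothetical, not from the original post.
function Save-AdminCredential {
    param([string]$UserName, [string]$Path)
    # Prompt without echo; the password never appears as plain text in the script.
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    # With no -Key, ConvertFrom-SecureString uses DPAPI: the text it emits can
    # only be decrypted by the same Windows user on the same computer.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path

    # Defence in depth: strip inherited ACEs and leave only the current user.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl  = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AdminCredential {
    param([string]$UserName, [string]$Path)
    try {
        $secure = Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was written by another user or on another machine.
        throw "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME : $_"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

function Get-VC {
    param([string]$VCServer = 'DefaultVCServer')
    # Build the credential inside the function so no global $creds is left behind.
    $cred = Get-AdminCredential -UserName 'Domain\User-adm' `
        -Path "$env:HOMESHARE\scripts\mycreds.txt"
    Connect-VIServer -Server $VCServer -Credential $cred | Out-Null
}
```

Run Save-AdminCredential once per user and machine; copying the file elsewhere makes Get-AdminCredential fail rather than expose the password.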

Command Line Licensing

I discovered that if you set the license server incorrectly, or if it can’t contact the license server, then ESX/VirtualCenter won’t let you change it. ESX seems to want to contact the old server before it will let you change to a new one.

Anyway, by modifying the /etc/vmware/license.cfg file, you can change the license server to what it should be (or just set it to an empty string and use VI Client). After modification, restart the management service:

Podcast Junky

Hi, my name is Glenn and I am a Podcast junky.  My addiction reached the point that my wife gave me an iPod Shuffle specifically for my podcasts.  I consume between 15 – 20 hours of content a week!  Sounds like a lot I know, but here’s my secret…

I have kids whom I love dearly, but the little buggers took all my study time.  About a year ago I found a couple of techcasts and started subscribing… I listen to them whenever I’m in my car, or doing chores around the house.  That, my friend, is how I stay up to date.  Today I got the latest scoop on ThinApp while I did the dishes.  If you haven’t discovered these little gems, check them out; who knows, you might learn something.

Some of my current subscriptions: 
http://www.cstechcast.com/
http://www.mindofroot.com/
http://powerscripting.net
http://www.runasradio.com/
http://www.grc.com/securitynow.htm

And this little gem I just found TODAY!
http://blogs.vmware.com/vmtn/podcasts/index.html

~Glenn

Remediate this host…

You’re going to update my what?

With the release of ESX 3.5 and VirtualCenter Server 2.5, VMware also released Update Manager. Update Manager is a neat concept…download Windows, Windows programs (e.g. Firefox, Adobe Reader, etc), RHEL, and ESX (3.5 only) updates to the update host, then let VirtualCenter Server apply the updates. I can see where the ESX updates would be valuable, however I think any IT department big enough to support a large number of Windows VMs is already going to have a method of deploying updates (i.e., SMS, or whatever you Windows admins use). Same for Linux shops. So those updates, in my opinion, aren’t as valuable to the enterprise. I do see where small-to-medium businesses, especially those with a very small IT department, would want the advantage of having updates deployed to all VMs via a product they’ve already purchased (ESX) rather than having to buy another MS product (SMS, etc).

ESX is different however. Previously, there was no VMware product (to my knowledge) that allowed for automated update of the ESX hosts. There were some fantastic utilities that were published by the community, but there was no VMware product.

Well, that has changed. Once the Update Manager is installed, you simply tell it to update its database and download the updates.

Or is it so simple… What if you are not connected to the internet? What if you are on an isolated network? Well, VMware has what’s called the Update Manager Download Service.


No wireless networks detected…

I use VMware server on my computers at home. Both of my current systems run Fedora 8, kernel 2.6.25.6-27. I say this because on my laptop I couldn’t configure a VM to use bridged network mode when wlan0 was the only active interface.

After a lot of googling, I came across this post. The post is almost entirely in German, however there is an abbreviated version somewhere in the middle in English.

Normally, I wouldn’t go any further than posting a link, however while I was reviewing some links on my del.icio.us account, I clicked the above, and discovered that the site has a tremendous number of errors. This is bad. It usually means that the site is not well maintained and not long for the internet.

Additionally, the patch that’s posted is slightly out of date. So, I’ve created an updated patch, and I’m going to post some instructions in English here.


sudo, let me log you doing something stupid

Allow me to step on my security soap box for a moment. I’ve seen in many places around the internet where bloggers will recommend, and explain how, to enable root to login to the console via ssh. I can not tell you enough how bad this is. An attacker no longer needs to guess two passwords to gain root access to the system, but, rather, only one. It is much, much more secure to disallow root access.

Access to the console operating system of ESX should be limited to the absolute minimum. Only users who absolutely need it, and know what they’re doing, should be able to login. From the console, the user has access to all of the configuration and datafiles for virtual machines. With the built-in tools provided by VMware, administrators can mount vmdk files and gain read/write access to a virtual machine’s hard drive. Additionally, because nearly all aspects of the virtual networking configuration can be changed from the console operating system, anyone with access can gain the ability to see all network traffic traveling to and from virtual machines.

Ok, less words, more action…


Ugh, Active Directory…oh, and ESX integration

I am, by no stretch of the imagination, a Windows administrator.  However, I do know a good thing when I see it.  I don’t care for a good number of things Microsoft does (Internet Explorer….), however AD is one of the best things they’ve done, well, ever.

Not only can I utilize AD logins for web apps (of any language…php, python, perl, etc), but ESX’s console operating system plays quite nicely with AD as well.

VMware has published a document about how to get it working here.  However, it’s quite easy:


-whatif, I don’t use it…

Thank you PowerShell team, thank you quest!!! 

Long story short, I tapped the up arrow one too many times.  Had I not tacked on a last second -whatif, I would have reset the password on 20,000+ user accounts.   OUCH!

Tack it on early and often!  No matter how comfortable you may be.  The truth is PowerShell is so damn powerful it must be treated with great respect, and a small amount of fear.  Mistakes here can REALLY mess stuff up.  The PowerShell team gave us the tools to cover our butts, use them!

~Glenn
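
The same safety net can be built into your own bulk functions. This is an added example, not code from the post: Reset-AccountPassword, its -MaxTargets limit and the sample account names are hypothetical, and the actual directory call is left as a placeholder. It needs PowerShell V2 for CmdletBinding.

```powershell
# Added example; function name, threshold and sample accounts are hypothetical.
function Reset-AccountPassword {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$SamAccountName,
        [int]$MaxTargets = 25,
        [switch]$Force
    )
    begin   { $targets = @() }
    process { $targets += $SamAccountName }   # collect first, act only in end{}
    end {
        # Blast-radius guard: a filter that matched far more than intended stops here.
        if ($targets.Count -gt $MaxTargets -and -not $Force) {
            throw "Refusing to change $($targets.Count) accounts (limit $MaxTargets). Use -Force if intended."
        }
        foreach ($name in $targets) {
            # Under -WhatIf, ShouldProcess prints the pending action and returns $false.
            if ($PSCmdlet.ShouldProcess($name, 'Reset password')) {
                # Placeholder for the real directory call.
                Write-Output "reset $name"
            }
        }
    }
}

# Constructed sample input
$few  = 'jdoe', 'asmith'
$many = 1..20000 | ForEach-Object { "user$_" }

# Dry run: reports two "What if:" lines and changes nothing.
$few | Reset-AccountPassword -WhatIf

# A recalled command that matches too much is stopped before any change.
try   { $many | Reset-AccountPassword -WhatIf }
catch { Write-Warning $_.Exception.Message }
```

Because ConfirmImpact is High, a run without -WhatIf prompts before each change; the count guard covers the case where the prompt is suppressed with -Confirm:$false.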