I won’t attempt to provide a feature rundown or tell you why vSphere 4.1 is the greatest thing since sliced bread. It appears to be a solid release, but I’ll leave that analysis to the experts…Instead I want to talk about the vSphere hypervisor (previously ESXi).
Why the name change? Simple what was previously mis-branded as a separate technology is really the hypervisors core. Previously in ESX3.5, ESXi was a separate technology, but as of vSphere 4 they have had a unified core. In-fact the product we like to think about as vSphere 4.0/4.1 is really just a vSphere hypervisor with a special management VM! This is important, the only difference is the console which is nothing more than a VM!
So why the distinction, Why now? VMware is playing it’s hand this round because that special VM is going bye, bye. The Next release of vSphere will not have a service console.. PAINIC…. RUN IN CIRCLES THE ZOMBIES ARE COMMING!!!
Don’t Panic, Personally I applaud the move. Over the past year and a half I’ve heard every argument against the console less hypervisor, but honestly I chalk it all up to people fear change. There are a couple thousand admins who have invested a lot of time mastering vSphere, and VMware is about to change the whole game on them. These guys/gals bring up several arguments against the console less hypervisor, I’ll attempt to offer my counter argument to these points.
Q. No 3rd Party agents.
A. It has been public knowledge that the console was going away, and as of vSphere 4.0 VMware shipped a new management appliance vMA. One of the intended uses of this appliance was to install 3rd party agents. So you see we do still have 3rd Party agents they just need to be rewritten. In most cases this will result in a better product. Unfortunately, the vast majority of 3rd party software, could better be described as a really complex perl script running over ssh!
Q. Hardware monitors/plug-in
A. Part of the original ESXi 3.5 release was the introduction of a rudimentary CIM provider. This provider has been fully expanded , and made extensible. While it is a change from the traditional agent based monitors CIM does fill in this gap.
Q. Automating common tasks.
A. As of vSphere 4.1 Tech Support Mode supports SSH, but you should really be using either PowerCLI or the vCLI! While it is true that are still a couple of things that can only be done via the console. I’m confident VMware will fix those gaps before putting the console out to pasture.
A. So this is the big one, and my personal pet peeve. I’ve heard security experts bash the vSphere hypervisor claiming it was insecure. I just don’t understand this stance, admittedly I’m no security expert. I only work with the federal government in some of the most secure data centers in the world, but what do I know…
Let’s break this down shall we… The only difference is a VM. Admittedly this VM has special connections into the vmkernal, but it’s still just a VM. How exactly does the inclusion of a VM make the hypervisor more secure? In my opinion the exclusion of this VM instantly increased the security posture of most organizations. The reason for this simple, it was hard to properly harden the console. Alternatively it was all too easy to open a critical security hole, and expose ones infrastructure with the console.
Yes you still have to do several things to really lock down the console less hypervisor, but it’s not nearly the feat the console once was. In fact it’s simple;
1. Modify the Proxy.xml (turning off all unneeded web services, and make everything use https).
2. Enable Lockdown mode.
3. Physical security.
That’s it folks, that’s all it takes to secure the hypervisor. There are a couple hundred other little things necessary to design a secure infrastructure, but as you can see the hypervisor is easy! In fact I’m so confident in this I’m willing to hold a Bobby Flay style throw down. If you have the means to provide a pair of internet facing vSphere hosts. I’ll secure the console less hypervisor, we’ll get TexiWill to harden the legacy console based hypervisor, and then we’ll release the IP’s to the world. Have at it, folks I bet the console less hypervisor holds up at least as long as the legacy hypervisor!
Why so brash? Well it will take an exploit to get in to the console less hypervisor, and any exploit will also be present in the legacy hypervisor. The console less vSphere hypervisor without access to the physical host or vCenter there is simply no other way in. Remember this isn’t Linux or BSD or UNIX… it’s vSphere it’s practicality firmware, and the whole point was to remove all that crap that weaken the security , and stability to begin with!
I really want to put this to bed! Let’s develop the to do list for VMware. The 10-20 things they need to fix before they can finally kill the console. Then let’s collectively shut up about it. It’s going to happen, and complaining with arbitrary little gripes… or demanding NDA meetings with engineers isn’t going to stop any of it. The Task at hand is simple, weed out the crap, and focus on what needs to be fixed in vSphere v.Next.
If we missed something let us know in the comments.