Friday, January 15, 2016

Name That Cluster Time Again

The poll randomizes the order and tries, without too much effort, to block repeat votes. Obvious ballot stuffing will be disqualified, but that doesn't mean you can't convince all of your coworkers to vote for your favorite. And you can vote for as many as you want, not just one!

Tuesday, August 18, 2015

vMA 6.0 esxcli thumbprint

By now everyone should be upgraded to vMA 6.0 and you've got your ESXi hosts linked in through vifastpass. But now you get those stupid thumbprint error messages à la KB2108416.

Do not fear, the fix is simple-ish.
  • Gather your ESXi thumbprints. There's probably a one-liner that could do this; I found this 2012 virtuallyghetto link that hooks it together: lamw saves the day again
  • ~> cd /usr/lib/vmware-vcli/apps/general
  • ~> ./credstore_admin.pl add --server <server name in vifp> --thumbprint <thumbprint>
Now, something interesting happened after the first time I ran this command. The default credstore is /home/vi-admin/.vmware/credstore/vmacredentials.xml and I thought that there would be a new line in that xml with the thumbprint, but there wasn't: a new file is created in that directory called vicredentials.xml (version 1.1 vs version 1.0 in vmacredentials.xml) and it holds the host you just ran credstore_admin against in a <thumbprintEntry>.

So your next step can be to run credstore_admin.pl against all the ESXi hosts you have OR you can manually edit the vicredentials.xml file with all the info. Your choice. Use William's option 3 to gather the thumbprints and just add the credstore command to the for loop. Easy peasy.

If I were really smart I'd update /opt/vmware/vma/samples/perl/bulkAddServers.pl to get the thumbprint. Looks like it doesn't enter it...
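Here is the loop I'd actually run on the vMA, as an added example (not the post's commands nor William's script): pull each registered host's certificate thumbprint with openssl and feed it straight to credstore_admin.pl. It assumes openssl is present on the vMA, that credstore_admin.pl lives at the path shown above, and that `vifp listservers` prints the host name in its first column; the thumbprint-normalizing helper is the only part that runs without network access.

```shell
#!/bin/sh
# Added example, not code from the post or from virtuallyghetto.
# For every host registered in vifp, fetch the SHA-1 thumbprint of the
# certificate it serves on 443 and register it in the vMA credstore so
# vifastpass stops throwing the KB2108416 thumbprint error.
# Assumptions: openssl on the vMA, credstore_admin.pl at CREDSTORE_ADMIN,
# and `vifp listservers` printing the host name in column 1.
CREDSTORE_ADMIN=/usr/lib/vmware-vcli/apps/general/credstore_admin.pl

# Turn openssl's "SHA1 Fingerprint=ab:cd:..." line into the bare upper-case
# colon-separated form credstore_admin.pl expects. Pure shell, no network.
fmt_thumbprint() {
    printf '%s\n' "$1" | sed 's/^.*[Ff]ingerprint=//' | tr 'a-f' 'A-F'
}

# Thumbprint of the certificate a host presents on 443 (needs network).
get_thumbprint() {
    fp=$(echo | openssl s_client -connect "$1:443" 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha1) || return 1
    fmt_thumbprint "$fp"
}

# Walk the vifp server list and add a thumbprint entry for each host.
add_all() {
    vifp listservers | awk '{print $1}' | while read -r h; do
        [ -n "$h" ] || continue
        if tp=$(get_thumbprint "$h"); then
            echo "$h -> $tp"
            "$CREDSTORE_ADMIN" add --server "$h" --thumbprint "$tp"
        else
            echo "skip $h: could not read certificate" >&2
        fi
    done
}

# usage: sh addthumbs.sh run
case "${1:-}" in
    run) add_all ;;
esac
```

If a host fails the openssl step, check that 443 is reachable from the vMA and that the name in vifp matches the one in the certificate; credstore_admin.pl will happily store a thumbprint for the wrong name and you'll be back to the same error.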

Wednesday, September 17, 2014

VRTX R1-2401 ssh & https

If you are in the VRTX CMC web UI (https) and hit the "Launch I/O Module GUI" button for the internal switch, you are handed off to an http login page. HTTP. Not secure.

As my workaround, I ssh'ed to the CMC and "connect switch-1" to link into the VRTX switch.

From there, configuring secure settings for the switch is pretty easy, although I didn't see the commands all in one place, so here they are. The // parts are my comments, so do not copy-paste this directly.

# show crypto key  // show default ssh keys
# configure // config mode
(config)# crypto key generate rsa  // regenerate ssh key
(config)# crypto key generate dsa  // regenerate ssh key
(config)# ip ssh server // enables ssh server service
(config)# crypto certificate 1 generate key-generate // generate https key
(config)# ip https certificate 1 // associate key with https
(config)# ip http secure-server // enables https server service
(config)# no ip telnet server // turn off telnet service
(config)# no ip http server // turn off http access
(config)# exit
# copy running-config startup-config // ALWAYS

Also best link for VRTX manuals from Dell Support guy here: Drink me

The "Launch I/O Module GUI" button isn't smart enough to hand off to https, and since we've turned off http it'll just die. But you'll have the switch's IP from that attempt and can point your browser at https on it from there.

Wednesday, June 4, 2014

VRTX R1-2401 Loading data from the device

Setting up a Dell VRTX, I've got (hopefully) the right scoop on the ESXi side and on setting up the SPERC8. What baffled me for a few minutes was the internal switch GUI (R1-2401). All I saw after logging in was "Loading data from the device".
OK, I'll wait.
...
?

Whatever my Safari settings are, they triggered the same message as IE6 did for this guy on another Dell PowerSwitch. -> Ye Old Dell Switch Question

Switched to Firefox and into the UI without issue. Next step will be turning that shit off (after changing default password...sheesh).

Tuesday, June 3, 2014

Port changes between ESXi 5.1u2 and 5.5u1

The following firewall rulesets have been added and default to open to all networks in ESXi 5.5u1 (unsure about 5.5 GA):
  • DHCPv6 (self explanatory)[tcp/udp 546 in 547 out]
  • cmmds (VSAN) [udp 12345,23451 in/out]*
  • rdt (VSAN) [tcp 2233 in/out]
  • ipfam (NSX) [udp 6999 in/out]
  • vsanvp (VSAN) [tcp 8080 in/out]
  • rabbitmqproxy (vFabric) [tcp 5671 out]
I was not able to turn off vsanvp (Cannot change the host configuration. Call "HostFirewallSystem.DisableRuleset" for object "firewallSystem-152" on vCenter Server "X" failed.) but I could restrict it to the local management subnet. Close enough.

While it's nice of VMware to have the one button "enable VSAN" in the webUI -- Keep the ports locked until I check that box. If ever.

* Hey! That's the combination to my luggage!
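Since the point is "keep these closed until the feature is in use", here is the esxcli audit and lockdown I'd run on each host, as an added example (not commands from the post). It assumes the stock two-column `esxcli network firewall ruleset list` output (Name, Enabled) and a management subnet of your own in MGMT_NET; the parsing runs on a constructed sample so you can see the logic without a host.

```shell
#!/bin/sh
# Added example, not from the post. Audit the rulesets listed above and,
# for any that is enabled, disable it; if esxcli refuses (the post hit
# this with vsanvp via vCenter), restrict it to the management subnet.
# Run in the ESXi shell or over SSH.
# Assumptions: `esxcli network firewall ruleset list` prints "Name  Enabled"
# columns after a two-line header, and MGMT_NET is your management subnet.
MGMT_NET=${MGMT_NET:-192.168.10.0/24}   # assumption: set to your own subnet
WATCH="DHCPv6 cmmds rdt ipfam vsanvp rabbitmqproxy"

# Constructed sample of the esxcli table, used only for the demo below.
SAMPLE='Name           Enabled
-------------  -------
sshServer      true
cmmds          true
rdt            false
vsanvp         true
DHCPv6         false'

# From esxcli-style output on stdin, print "name state" for watched rulesets.
watched_state() {
    awk -v list="$WATCH" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        NR > 2 && ($1 in want) { print $1, $2 }'
}

# Space-separated names of watched rulesets that are currently enabled.
enabled_watched() {
    watched_state | awk '$2 == "true" { printf "%s ", $1 }' | sed 's/ *$//'
}

# What enabled_watched reports on the constructed sample (cmmds and vsanvp).
demo() { printf '%s\n' "$SAMPLE" | enabled_watched; }

# Live run: disable each enabled watched ruleset, or restrict it if refused.
lockdown() {
    for rs in $(esxcli network firewall ruleset list | enabled_watched); do
        if esxcli network firewall ruleset set --ruleset-id="$rs" --enabled=false; then
            echo "disabled $rs"
        else
            esxcli network firewall ruleset set --ruleset-id="$rs" --allowed-all=false
            esxcli network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$MGMT_NET"
            echo "restricted $rs to $MGMT_NET"
        fi
    done
}

case "${1:-}" in
    demo) demo ;;
    run)  lockdown ;;
esac
```

After a run, `esxcli network firewall ruleset allowedip list --ruleset-id=vsanvp` should show only your management subnet; check that before you trust the "close enough" state, and remember vCenter will flip these back when you tick the VSAN box.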


Wednesday, October 30, 2013

Top 6 features of Hyper-V 2012 R2...

...that the vSphere Admin thought were already there.

I'm not getting into a feature debate. Too much marketing on either side. Yes, VMware's licensing is complicated. AGREED.
What I'm talking about here is when I go through the "New Features" articles of Hyper-V 2012 R2 and see things that I ASSUMED WERE THERE FROM DAY ONE. Day one being ~2008. ESXi 3.5 came out in ~2007.
However, day one from Hyper-V didn't have "live migration" just "quick <cough power off cough> migration" so maybe I was expecting too much from VMware's competition out the gate.
Anyway, here's my list:

6) PXE Boot. Your Hyper-V hypervisor is now going to get out of the way of your virtual network adapter. Move out of the way. Available in ESX since probably the beginning or close to it as the generic virtual ethernet is Intel e1000 in ESX(i) and the VM traffic stack is separated from the management stack. Restricted to Gen2 VMs.

5) Online virtual HDD resizing. This feature in ESX(i) has been saving my butt since ESX(i) 3.5 (or 4.0, but I'm pretty sure 3.5). Windows Server introduced live resizing of the boot partition in Server 2008; in 2003 you could only live resize non-boot partitions (shutdown, gparted, start). This was a function the Windows Server team got right. Awesome feature. Because Hyper-V Gen1 VMs are IDE, you couldn't use this OS feature. Unbelievable. Oh, the fine print on the Hyper-V shrink HDD is that it has to be unpartitioned. That's reasonable. Restricted to Gen2 VMs.

5b) Clarification in that Gen1 VM boot partitions were restricted to being IDE. Other added disks could be SCSI (although I'm not sure if live resizing was available. Looks like no).

4) Live Migrate from Hyper-V 2012 server to 2012 R2. AKA, non-disruptive vMotion onto latest version. This is one-way onto 2012 R2, no clusters of different versions for any period of time. This has been available since at least ESX 3.5 circa 2007, probably before.

3) Clone a running VM. Available since at least ESX 3.5 with VMware. Again.

2) Virtual SCSI HDD boot disk. What? You mean Hyper-V guests have been running on virtual IDE? Yuck. Restricted to Gen2 VMs.

1) "VM Direct Connect" aka Virtual Console! You know that thing that happens when you screw up the network mask or IP and lock yourself out. Or maybe you had a security breach and want to keep the machine running without it being on the network. Well now you can! Introduced in the first version of VMware's hypervisor circa 2001 now coming to Hyper-V 2012 R2.

0) Restricted to Gen2 VMs. This is Windows Server 2012 and Windows 8 only. ONLY. Though if you're using the Hyper-V equivalent of vCenter (VMM) it can't see Gen2 VMs. Doh!

Other bits:

- Dynamic memory for Linux. If you set this too low you will break your Linux VM (see FYI).
- SMB over RDMA (RoCE). Shared memory between physical servers. Like HPC infiniband solutions. While a very cool idea, I think most Hyper-V deployments won't be shucking out the dollars for this architecture.
- NVGRE is cool. At least Ivan thinks so.

vCSA 5.1u1b Login Timeouts

Had an interesting thing happen in an environment. Not sure which knob I tweaked actually did the fix, so I thought I would point out the problem and all three modifications.
  • vCSA pointing directly to a Windows 2008 R2 AD DC/GC.
  • SysAdmins add a Windows 2012 AD DC/GC into the domain.
  • Timeouts on vSphere logins suddenly start: "The command has timed out as the remote server is taking too long to respond."
Frequently with the C# client but also with the web client. There are so many chatty logs that damned if I wasn't going to be able to figure out what was going on by log checking. Trial and error was the quickest way to a solution.

Fix 1) We have a main *.domain.com and a *.ad.domain.com. Turns out that while my primary DNS servers and the VM's hostname at hostname.domain.com were all well and good, some part of ldap (/var/log/ldapmessages) was trying to contact hostname.ad.domain.com, which did not have an A record. A record created in the subdomain.

Fix 2) Swapped URL from port 636 (LDAPS) to 3269 (Secure Global Catalog). Same 2008 AD DC.

Fix 3) Bumped client timeout from default 30 seconds to 60 seconds.

Now, if you look at the readme for 5.1u1b it states pretty close to the top of the page that they've fixed timeout issues. Har. It was probably the LDAPS to SGC port change that fixed the issue, so if you are reading this I would start there.
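Before guessing at knobs next time, the three things above can be checked from the vCSA shell in one go. This is an added example, not part of the post: it confirms that every DC name the appliance might use (including the ad.domain.com form seen in /var/log/ldapmessages) resolves, that LDAPS 636 and secure global catalog 3269 both answer well inside the 30 second client timeout, and it prints the certificate the DC serves so you can see whether it matches the name you're connecting to. The host names in DCS are placeholders (assumption); bash's /dev/tcp is used so nothing extra is needed on the appliance.

```shell
#!/bin/sh
# Added example, not from the post. Run on the vCSA (or any box with the
# same DNS view) before changing the identity source.
# Assumption: DCS lists the DC names in both DNS forms you use.
DCS=${DCS:-"dc1.domain.com dc1.ad.domain.com"}

# Does the name resolve through the appliance's resolver?
dns_ok() { getent hosts "$1" >/dev/null 2>&1; }

# TCP connect with a 3 s budget (the client waits 30 s; a DC that needs
# more than a few seconds to accept is already your problem).
port_ok() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Subject, issuer and validity of the cert a DC serves on 636 or 3269.
show_cert() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Check DNS plus LDAPS (636) and secure GC (3269) for one DC; nonzero if
# anything failed so the loop below can be used in a script.
check_dc() {
    h=$1; rc=0
    if dns_ok "$h"; then echo "DNS      ok   $h"
    else echo "DNS      FAIL $h (add an A record in that zone)"; rc=1; fi
    for p in 636 3269; do
        if port_ok "$h" "$p"; then echo "tcp/$p ok   $h"
        else echo "tcp/$p FAIL $h"; rc=1; fi
    done
    return $rc
}

case "${1:-}" in
    run)  for d in $DCS; do check_dc "$d"; done ;;
    cert) show_cert "$2" "${3:-3269}" ;;
esac
```

If 636 answers and 3269 doesn't, the DC you're pointing at isn't a global catalog, and pointing the vCSA at 3269 (Fix 2) will make things worse rather than better; if the ad.domain.com name fails DNS, Fix 1 alone is probably what you need.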

Also, while you're looking through the readme files, look at 5.1u1c. How many items are fixed? 1.
How many known issues are there? 99. How many of those known issues are listed as new? 2/99.  Make your own choice if you want to update to 5.1u1c or just wait for an upgrade that actually does something.