Tag Archives: esxi

VCAP-DCA Study notes – 6.1 vSphere Log Files

Knowledge

  • Identify vCenter Server log file names and locations
  • Identify ESX/ESXi log files names and locations
  • Identify tools used to view vSphere log files

Skills and Abilities

  • Generate vCenter Server and ESX/ESXi log bundles
  • Use vicfg-syslog to configure centralized logging on ESX/ESXi Hosts
  • Test centralized logging configuration
  • Configure the vMA appliance as a log host
  • Use vilogger to enable/disable log collection on the vMA appliance
  • Use vilogger to configure log rotation and retention
  • Analyze log entries to obtain configuration information
  • Analyze log entries to identify and resolve issues

Tools & learning resources

I’m covering the troubleshooting objectives last while preparing for the VCAP-DCA – it seems like the logical thing to do. Learn all the material, then play with it, break it, fix it, recreate it etc. Practice makes perfect! I’ve been using TrainSignal’s Troubleshooting for vSphere course, but the official VMware Troubleshooting course has been getting good feedback.

vCenter log files

Located in;

  • %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter\Logs (W2k3)
  • C:\ProgramData\VMware\VMware VirtualCenter\Logs (W2k8)

Available logs;

  • sms.log – Storage Management Service
  • vpxd-xxxx.log – vCenter logs
    • vpxd-xxxx.log.gz files are archived logs; you have to unzip them to see the contents.

You can change the logging level (which defaults to ‘normal’) by going to vCenter Server Settings -> Logging Options. This VMwareKB describes how to enable trivia logging in vCenter (even if vCenter isn’t running), although this may have a performance impact and should only be used temporarily while diagnosing issues.

There are numerous ways to do this;

VCAP-DCA Study notes 7.1 – Secure ESX/ESXi hosts

Security is a large topic and one you could spend a lifetime mastering. The blueprint isn’t too helpful in clarifying what level of detail you’re expected to know for this, as the ESX/ESXi configuration guides cover issues not in the ‘skills and abilities’ section. More in-depth still is the vSphere Hardening Guide. I guess the main thing is to focus on practical issues as the VCAP-DCA is a practical exam – knowing that the VMkernel uses memory hardening is no use in an exam if it can’t be configured or tweaked! Some of this section seems to have been added for the sake of it – how often will an admin need to modify the SSL timeouts? I could only find one KB article about it!

Knowledge

  • Identify configuration files related to network security
  • Identify virtual switch security characteristics

Skills and Abilities

  • Add/Edit/Remove users/groups on an ESX Host
  • Customize SSH settings for increased security
  • Enable/Disable certificate checking
  • Generate ESX Host certificates
  • Enable ESXi lockdown mode
  • Replace default certificate with CA-signed certificate
  • Configure SSL timeouts
  • Secure ESX Web Proxy
  • Enable strong passwords and configure password policies
  • Identify methods for hardening virtual machines
  • Analyze logs for security-related messages

Virtual switch security characteristics

vSwitch security (layer 2) settings (can be overridden at portgroup level);

  • Promiscuous mode – needed for packet sniffing, vShield Zones (and virtual ESX hosts). Disabled by default.
  • MAC address changes – affects inbound traffic. May need to be enabled if you’re using MS load balancing in Unicast mode, or the iSCSI software initiator with certain storage arrays. Enabled by default.
  • Forged transmits – affects outbound traffic. Enabled by default.

Other network security measures (IPSec, VLANs, PVLANs etc) are dealt with in section 2, Networking.
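As an added example (not part of the original notes), the PowerCLI audit below reports those three settings for every standard vSwitch on a host and flags any portgroup that overrides the switch-level policy, since that is where a weaker setting tends to hide. It assumes a recent PowerCLI with an existing vCenter session; the host name is a placeholder.

```powershell
# Added audit example, not from the original post. Assumes PowerCLI is
# loaded and Connect-VIServer has already been run; 'esx01.lab.local'
# is a placeholder host name.
$vmhost = Get-VMHost -Name 'esx01.lab.local'

# Switch-level policy. Hardened state is all three $false (Reject);
# the vSphere defaults are Promiscuous=Reject, MacChanges=Accept,
# ForgedTransmits=Accept, as listed in the notes above.
Get-VirtualSwitch -VMHost $vmhost -Standard | ForEach-Object {
    $pol = $_ | Get-SecurityPolicy
    [pscustomobject]@{
        Object           = "vSwitch $($_.Name)"
        AllowPromiscuous = $pol.AllowPromiscuous
        MacChanges       = $pol.MacChanges
        ForgedTransmits  = $pol.ForgedTransmits
    }
}

# Portgroup overrides. The *Inherited properties tell you whether the
# portgroup follows its vSwitch or carries its own setting; anything
# not inherited is worth a second look.
Get-VirtualPortGroup -VMHost $vmhost -Standard | ForEach-Object {
    $pol = $_ | Get-SecurityPolicy
    $inheritsAll = $pol.AllowPromiscuousInherited -and
                   $pol.MacChangesInherited -and
                   $pol.ForgedTransmitsInherited
    if (-not $inheritsAll) {
        [pscustomobject]@{
            Object           = "Portgroup $($_.Name) (overrides vSwitch)"
            AllowPromiscuous = $pol.AllowPromiscuous
            MacChanges       = $pol.MacChanges
            ForgedTransmits  = $pol.ForgedTransmits
        }
    }
}

# Remediation, left commented out: reject all three at switch level, then
# re-enable MacChanges/ForgedTransmits only on the specific portgroups
# that carry unicast NLB or iSCSI software-initiator traffic (see above).
# Get-VirtualSwitch -VMHost $vmhost -Standard | Get-SecurityPolicy |
#     Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
```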

Host security

Customise SSH settings (ESX only)
  • Edit /etc/ssh/sshd_config and set ‘PermitRootLogin’ to YES (default is NO). See VMwareKB for a list of other settings you can adjust (including the available ciphers).
  • You can use PKI to authenticate using SSH without being prompted for a password. This is a standard Linux procedure – for step-by-step instructions see VMwareKB1002866.
  • By default only the SSH server is enabled. Go to Configuration -> Security Profile to enable SSHClient, or use ‘esxcfg-firewall -e SSHClient’.


VCAP-DCA Study notes – 9.2 Plan and execute scripted ESX builds

The blueprint for this section seems to refer mainly to ESX, but I’ve described both ESX and ESXi on the assumption that the lab environment used for the exams will move to v4.1 sooner rather than later.

NOTE: Weasel is VMware’s scripted installer. It’s similar to Kickstart as used with Linux, but not identical.

A summary for a scripted install;

  • Decide on the bootloader source
  • Configure a media repository to hold your source files and scripts
  • Create an install script (either from scratch or from a previously built host)
  • Perform the scripted install

Use cases for scripted installations

Reasons to use a scripted install;

  • Reduce deployment time
  • Ensure consistency, reduce human error
  • Remove the need for local media (when using PXE boot; very useful for blade and remote environments)
  • Delegate installations to junior staff who don’t know how to configure ESX

Along with knowing why you might use a scripted install in the first place, you should consider the various types of scripted install and when to use each one. Factors to consider;

  • Maintainability. Over time you’ll want to update your install for new releases of ESX, patches, post-install steps etc. While a custom CD has the fewest dependencies, it’s harder to maintain compared to a network media repository.
  • Dependencies. I created an NFS-based install only to find that most of the time the host’s physical networking hasn’t been completed when we want to build the OS, rendering this method useless. I had to convert it to a custom CD instead, which was mounted via iLO (it was a blade environment). Another example is USB flash – it’s easier than CD to amend/update but may not be as useful for remote installs.