Linux
Mass upgrade of VMware Tools in Linux guests
Jan 7th
Installing and/or upgrading VMware tools has always been a bit more complicated for Linux guests than for Windows guests. After the installation of the package binaries, the vmware-config-tools.pl script must be run to configure the tools for your environment. This script has to be run from the console, which is a pain when you’ve got more then just one or two Linux VMs. And may the good Lord help you if the modules aren’t suitable for your running kernel and you don’t have a compiler (or the C header files for your running kernel) already installed.
When VMware added the Automatic Tools Upgrade …
The situation certainly improved, but it is by no means a fool proof solution. In my experience, it doesn’t work 100% of the time for Linux guests (though this *could* be due to the heavy modification I’ve done in my distro). And furthermore, what if you want to automatically upgrade 100’s of Linux guests, not just one? Or what if you’ve already got a deployment tool that you’d like to use to push the tools out? (Kind of tough when the script needs to be run directly in the console)
So, I looked to see if there was a way to improve the situation. First, I needed to find a way to run vmware-config-tools.pl remotely in an automated fashion. And by the way, it’s not that you can’t run this script remotely via SSH because you can. The problem is that when you do so, you immediately get following question …
It looks like you are trying to run this program in a remote session. This program will temporarily shut down your network connection, so you should only run it from a local console session. Are you SURE you want to continue?
Unfortunately, to run vmware-config-tools.pl remotely, we need to include the –d flag so that the script will automatically select the default answers to all of the questions for us. And the problem is, the default answer to this question is “no.”
So I looked through the vmware-config-tools.pl and I found that it’s really only checking to see if the SSH_CONNECTION environment variable is set. Well, that’s easy … simply executing vmware-config-tools.pl in a different shell allows us to side step this.
Next I just created a simple bash script that gets pushed out to the /tmp directory along with the vmware tools installation package (also pushed to the /tmp directory) and gets executed remotely by my deployment tools (which for me are are just more bash scripts, but this should work with any enterprise deployment tool). Here’s the simple script I used for my guests …
#!/bin/bash
RPM=`ls /tmp | grep VMwareTools`
rpm -e VMwareTools
echo "Old VMwareTools removed" > /tmp/vmware_tools_upgrade.logrpm -i /tmp/$RPM
echo "$RPM installed" > /tmp/vmware_tools_upgrade.logsh -l root -c /usr/bin/vmware-config-tools.pl -d
echo "vmware-config-tools.pl -d executed" >> /tmp/vmware_tools_upgrade.logservice vmware-tools restart
echo "vmware-tools restarted" >> /tmp/vmware_tools_upgrade.logservice network restart
echo "network restarted" >> /tmp/vmware_tools_upgrade.logexit
This is obviously a very basic script and could easily be enhanced with better logging and error handling. Also, for Debian distros, such as Ubuntu, you’d need to modify this script to handle the tar.gz installation package … unless, of course, you’ve modified your distro to handle RPMs (as I have).
The good news is that, at least for my environment:
- This works 100% of the time and a restart of the VMs is not necessary.
- I no longer have to upgrade many guests by hand.
However keep in mind, there is still a network outage during the upgrade (usually just about a minute or two), so be sure to continue using a maintenance window for your upgrades.
The E.T.D.F. Series – Setting up the Network and Dedicated Remote Access (Part 3)
Jun 8th
- OK, we are *almost* done getting our network set up properly for VDI, but we’ve got a few more things to do. Specifically, we need to address:
- Handling our external, Internet facing, dynamic IP address.
- DHCP and DNS
- External VPN access
Dynamic External IP
Most ISP’s (not all) provide a single, dynamic IP address for consumer grade service (i.e. home use). But when we’re trying to connect to our virtual desktops from somewhere out on the public Internet, how do we know which IP address to connect to?
Generally speaking, connecting to an IP address is bad practice because it’s inflexible. Instead, we should connect to a Fully Qualified Domain Name (FQDN). OK fine, so we’ll set up a DNS entry and use a FQDN to connect to our desktops. But what happens when our dynamic IP address changes and the DNS entry is still mapped to the old IP address?
What we need is an external Dynamic DNS (aka DDNS) service which will allow us to programmatically update our IP address whenever it changes. There are a number of both free and paid-for DNS providers out there that can deliver DDNS services. Personally, I use EditDNS (www.editdns.net). They have a ton of functionality and they’ve been rock solid for the past few years I’ve been using their services, so I’m quite happy with them.
Now, many home use routers these days have the capability to update a DDNS provider. But in my experience, the functionality is somewhat limited. What if, for example, I want aaron.sweemer.com and desktop.sweemer.com to be dynamic entries and www.sweemer.com to be a static entry, pointing to my blog server hosted somewhere else? In reality, I’ve got about 20 FQDN’s that I need to be dynamically updated and about 100 that I want static. So instead, I created a script that will:
- Query my external IP address (check this out, a free tool from Whatismyip.com)
- Compare the result of the query with the IP obtained from the previous query
- If the IP is the same, or contains something other than an IP (e.g. HTTP error), the scirpt exits.
- If the IP is different, the script updates my DDNS entries via the EditDNS API, then updates a log file documenting the change, and finally adds the new IP to the last line of a file called previous_ips.
If you’d like to use the script I wrote, you’ll first need to do the following:
- If don’t already have one, set up an account with EditDNS and make sure you have properly configured the domain name(s) you own.
- Verify your linux distro has lynx (a command line, text only, www client)
- Verify your linux distro has curl (a tool to transfer data using HTTP)
- Create a directory (anywhere you have rwx access is fine) for the script and its files to live
- In this directory, create a text file called editdns.sh. Paste the content (below) into it.
- Replace XXXXXXXX with your EditDNS password.
- Make editdns.sh executable (chmod +x /path/to/editdns/editdns.sh)
- Create another text file called records and, one per line, enter the FQDN’s of the DDNS entries you wanted updated (e.g. mydesktop.mydomain.com)
- Add the editdns.sh script to your crontab to run at regular intervals (e.g. mine runs every five minutes and the entry in cron looks like this: */5 * * * * cd /usr/local/editdns; ./editdns.sh)
And here’s a copy of the actual script …
#!/bin/bash
EDITDNSPASS=”XXXXXXXX”
LYNX=`which lynx`
TIME=`date`
CIP=`curl -s http://www.whatismyip.com/automation/n09230945.asp | awk –re-interval ‘$1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/ {print}’`
PIP=`tail -1 ./previous_ips`if [ "$CIP" != "$PIP" && –n "$CIP" ]; then
cat ./records | while read FQDN; do
$LYNX -source “http://DynDNS.EditDNS.net/api/dynLinux.php?p=$EDITDNSPASS&r=$FQDN”
done
echo “IP Change! New IP is $CIP. Editdns.net was updated at $TIME.” >> ./editdns.log
echo $CIP >> ./previous_ips
else
exit 0
fi
If you have any issues or questions, feel free to email me. Also, keep in mind, this a quick and dirty script that accomplishes what I want it to accomplish. Feel free to make it more robust (e.g. error handling or better logging) to suit your needs.
DNS and DHCP
It’s quite possible you’ll want to skip this section and opt for setting up DHCP and DNS via Microsoft’s built in DHCP and DNS services that come out of the box with their server products. To properly set up VMware View, we’ll need to set up Active Directory anyway, and quite frankly, it’s far easier to set up a Microsoft server with DHCP and DNS than it is to set up a Linux server. So feel free to skip this section and leverage Microsoft for these services. If, however, you’re a gluten for punishment then by all means, read on.
Let’s first start with DNS. Here too we need Dynamic DNS because as we’re handing out IP addresses via DHCP, we want our DNS server to properly reflect current information as IP addresses change. So, if you don’t already have bind9 (the DNS server), go ahead and install it (sudo apt-get install bind9 should work on Ubuntu / Debian distros).
The default configuration for bind9 is to act as a caching server, so the first thing we need to do is configure our DNS to forward all unknown DNS requests to another DNS server. These should be provided to you from your ISP. Edit the forwarders {} section of your named.conf.options file (usually located in /etc/bind/) to look like this …
asweemer@cincylab-rtr1:/etc/bind$ more named.conf.options
options {
directory “/var/cache/bind”;forwarders {
1.2.3.4;
5.6.7.8;
};auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Obviously, you’ll need to change 1.2.3.4 and 5.6.7.8 to the IP addresses given to you by your ISP.
Next, we need to modify our master named.conf to allow dynamic updates to DNS. Add the following entry to the bottom of your named.conf file.
controls {
inet 127.0.0.1 allow {127.0.0.1; 192.168.9.25; 10.10.7.1; 10.10.7.2; } keys {“rndc-key”;};
};
This tells the DNS server to allow updates from the IP address located between the {}. Notice the first three IP addresses are local IP addresses. The fourth IP address is a slave DNS server, which I have yet to set up. The rndc-key is the default key generated during installation of bind9 and it’s used to authorize the updating of DNS records. If you’re using Ubuntu, then you’ll likely find the key in the file /etc/bind/rndc.key …
asweemer@cincylab-rtr1:/etc/bind$ sudo cat rndc.key
key “rndc-key” {
algorithm hmac-md5;
secret “QZ5jOmcr/OW3nzksR5q0Hw==”;
};
asweemer@cincylab-rtr1:/etc/bind$
Note the file is a text file named rndc.key, and the actual key is called rndc-key located within the text file.
OK, next we need to define our zones in the named.conf.local file. For each domain you’re using (probably just one), you’ll need two entries: one for the domain and one for the reverse lookup of the domain. I have two domains I’ll be updating, so my named.conf.local file looks like this …
asweemer@cincylab-rtr1:/etc/bind$ cat named.conf.local
//
// Do any local configuration here
//include “/etc/bind/rndc.key”;
zone “mydomain.com” {
type master;
file “/etc/bind/zones/mydomain.com.db”;
allow-update { key “rndc-key”; };
allow-transfer {10.10.7/24; };
};zone “7.10.10.in-addr.arpa” {
type master;
file “/etc/bind/zones/rev.7.10.10.in-addr.arpa”;
allow-update { key “rndc-key”; };
allow-transfer {10.10.7/24; };
};zone “dmz.mydomain.com” {
type master;
file “/etc/bind/zones/dmz.mydomain.com.db”;
allow-update { key “rndc-key”; };
allow-transfer {192.168.9/24; };
};zone “9.168.192.in-addr.arpa” {
type master;
file “/etc/bind/zones/rev.9.168.192.in-addr.arpa”;
allow-update { key “rndc-key”; };
allow-transfer {192.168.9/24; };
};
A couple points to note here:
- I created a subdirectory called “zones” under /etc/bind/ where I put all my zone files. This isn’t the default location, and in addition, this isn’t necessary as the zone files can be located anywhere you’d like. But be aware the configuration file above reflects the location of my files.
- Notice the include “/etc/bind/rndc.key” on the first line and the all-update directive within each zone definition? This should be self explanatory at this point.
- The allow-transfer directive within each zone definition explicitly limits zone transfers (copy) to the IP(s) defined. This is an important security feature since, by default, DNS allows transfers to anyone, and the info contained within a DNS zone file can really give hackers visibility into your network.
Now we need to create the zone files we just defined above, which will contain our actual DNS records. Here is the zone file for our dmz.mydomain.com …
asweemer@cincylab-rtr1:/etc/bind/zones$ cat dmz.mydomain.com.db
$TTL 3600 ; 1 hour
dmz.mydomain.com IN SOA master.dmz.mydomain.com. root.master.dmz.mydomain.com. (
2009060514 ; serial
86400 ; refresh (1 day)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
3600 ; minimum (1 hour)
)
NS master.dmz.mydomain.com.
NS slave.dmz.mydomain.com.
A 192.168.9.25
MX 10 mail.dmz.mydomain.com.
MX 20 mail-spool.dmz.mydomain.com.
computer-1 A 192.168.9.247
TXT “317bf41a2c5b70fd9ca4e283d364dcddd5″
computer-2 A 192.168.9.250
TXT “00cf6242f693ebbf1d545159548e44ab81″
computer-3 A 192.168.9.243
TXT “31a0cb7e096a96c63dc998d2db3be6e450″
mail A 192.168.9.25
mail-spool A 192.168.9.26
master A 192.168.9.25
www CNAME master
A couple important things to point out here:
- The entries for computer-1, 2 and 3 are dynamic entries there were generated by the DHCP server. The TXT record that follows these entries is a unique identifier which is also generated by the DHCP server and is used to ensure it won’t overwrite existing DNS records that were generated by another process/server.
- You’ll obviously need to change the domain names and IP addresses to match your environment.
- If you haven’t worked with bind9 before, this file probably looks pretty cryptic to you. If so, I would recommend taking a look at http://www.zytrax.com/books/dns/ch8/soa.html, which gives a pretty good overview of the SOA (defined in the first part of the file). The balance of the file (i.e. the record definitions) is pretty straight forward.
The reverse zone should look like this …
asweemer@cincylab-rtr1:/etc/bind/zones$ more rev.9.168.192.in-addr.arpa
$ORIGIN 9.168.192.IN-ADDR.ARPA.
$TTL 1h;
IN SOA master.dmz.mydomain.com. root.master.dmz.mydomain.com. (
2009060501 ;
1d ;
1d ;
4w ;
1h ;
)
IN NS master.dmz.mydomain.com.
IN NS slave.dmz.mydomain.com.
25 IN PTR master.dmz.mydomain.com.
26 IN PTR slave.dmz.mydomain.com.
I mixed it up just a bit in this file to point out a few different ways to configure a zone file. In this file, notice the following differences:
- The $ORIGIN directive sets the domain name to be appended to any unqualified records. If the $ORIGIN directive doesn’t exist (as it doesn’t in the first config file), then it is implicitly defined by the zone name.
- The time variables can be defined with d (day), w (week), h (hour), etc.
That’s about it for DNS. Once you’ve got your bind9 server configured, restart your bind9 server (sudo /etc/init.d/bind9 restart). And of course, be sure to test your configurations by using the standard DNS tools (e.g. dig, nslookup). If you get errors, pay careful attention to your local syslog file (probably located at /var/log/syslog) as that’s where DNS and DHCP errors typically write their error messages.
OK, next up is configuring our DHCP server. And once again, this post is starting to get way to long, so it looks like I’ll need a fourth and (hopefully) final post to this section.
The E.T.D.F. Series — Setting up the Network and Dedicated Remote Access (Part 2)
Jun 2nd
I got up early to get some work done before driving down to KY to work with a customer on their VDI pilot. As I was preparing for the meeting, I thought to myself, “wow with my studies for the VCDX admin exam, and the recently launch of vSphere, I haven’t done a whole lot of VDI recently.” And then BAM! It hit me like a ton of bricks. I haven’t completed the E.T.D.F series I started almost 6 months ago! If this blog has done anything for me, it has made me painfully aware of my numerous character flaws. <sniffle><tear><sniffle>
Anyway, not that anyone is following along anymore, and purely in the interest of self improvement, I’m determined to finish what I’ve started (both for this series and my VCDX study notes series). So without further delay, here is the second part of the networking section (here is part one). And for your convenience, here again is the Visio diagram of my lab.
Router / Firewall (cincylab-rtr1)
In my environment, the vast majority of all relevant network configurations are on cincylab-rtr1, which is really an old Gateway PC that I had lying around with a single 2.2GHz processor and 1Gig of RAM and a single 100Mbps NIC. I installed Ubuntu server 8.04.1 (kernel 2.6.24-19-server) on it and made it the gateway between my lab and the DMZ (aka, my home network).
The first thing I needed to do was get the basic networking on the server set up. I have three networks in my house …
- An external DMZ, VLAN 192 (aka, my home network)
- An internal “production” network, VLAN 10. I put the word production in bunny ears because nothing is *really* production … it’s all just a lab. But I try to protect this network a little more than the next.
- An internal “lab” network. This is where I can really have fun!
Configuring the Interface(s)
The server only has one NIC and I was too lazy (and cheap) to go buy a new one. But it’s a 1GigE card, which is plenty for my environment. And it’s a snap to configure …
root@cincylab-rtr1:/etc/network# more interfaces
auto lo
iface lo inet loopback
auto vlan10
auto vlan192
auto vlan10:1iface vlan192 inet static
address 192.168.9.25
netmask 255.255.255.0
gateway 192.168.9.1
mtu 1500
vlan_raw_device eth1iface vlan10 inet static
address 10.10.7.1
netmask 255.255.255.0
broadcast 10.10.7.255
network 10.10.7.0
mtu 1500
vlan_raw_device eth1iface vlan10:1 inet static
address 10.0.1.1
netmask 255.255.255.0
broadcast 10.0.1.255
network 10.0.1.0
mtu 1500
vlan_raw_device eth1
root@cincylab-rtr1:/etc/network#
Turn on Routing
Now that the interfaces are configured, we need to turn on routing. In Linux, this can be accomplished a couple different ways. The easies, IMHO, is to simply edit the /etc/sysctl.conf file and set net.ipv4.ip_forward=1. You could also add echo 1 > /proc/sys/net/ipv4/ip_forward to your /etc/rc.local file. Either way should turn on IPv4 routing on your server.
Configure NAT and PAT (Port Address Translation)
Once routing is turned on, we need to set up Network Address translation and Port Address Translation. This needs to be done for two reasons.
- My lab networks need outside access to the Internet and they have private IP addresses.
- My server has a single IP address in the DMZ, which needs to serve as the gateway IP for multiple internal IP’s and TCP/UDP ports. As an example, I want all traffic arriving on 192.168.9.25, TCP port 8080 to be forwarded to the internal IP 10.10.8.51 port 80. And more specifically, here’s what I want available to the outside world …
- 192.168.9.25:8080 –> 10.10.7.51:80
- 192.168.9.25:8181 –> 10.10.7.51:443
- 192.168.9.25:8282 –> 10.10.7.50:80
- 192.168.9.25:8383 –> 10.10.7.50:443
OK, so how do we do this? We need configure iptables. An iptables tutorial is out of scope for this post, but if you’d like to learn more about Linux IP tables, I personally like this one: http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html.
To set up iptables, I’ve created a file called fw_rules in /usr/local/bin and made it executable (chmod +x /usr/local/bin/fw_rules). Here is what the file looks like.
root@cincylab-rtr1:/usr/local/bin# cat fw_rules
#!/bin/bash
iptables -t nat -F
iptables -t filter -Fiptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8080 -j DNAT –to 10.10.7.51:80
iptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8181 -j DNAT –to 10.10.7.51:443
iptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8282 -j DNAT –to 10.10.7.50:80
iptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8383 -j DNAT –to 10.10.7.50:443
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPTroot@cincylab-rtr1:/usr/local/bin#
To make these changes persistent across reboots, you’ll need to add /usr/local/bin/fw_rules to your /etc/rc.local file.
Now, for all you linux experts out there looking at this file, you’re probably saying “uh, that’s a pretty insecure firewall you got there!.” And you’d be right 
Remember, this is merely an internal firewall/router which is protected by a much more secure, Internet facing, Cisco ASA (thanks again to the local Cisco team!!). It’s also this Cisco that forwards outside connections on specific ports (not 8080, 8181, and 8282, for additional security) to IP 192.168.9.25. And because of this, my goal for this server isn’t to protect, but to separate my lab networks from my home network, and proxy the connections between them.
What’s Next?
We’ve configured our networks, turned on routing and configured NAT / PAT on our server. What next? Three things:
- Because my external IP is dynamic, we need to set up a script that will periodically check to see if our external IP has changed and, if so, update our dynamic DNS service.
- Configure DHCP and DNS.
- Set up external VPN access.
Step three is actually optional because when we’re done, we’ll be able to tunnel via SSL to our desktop. And from our desktop, we’ll have full access to the local LAN. But sometimes full remote access via VPN is nice without being forced to first “hop” to another desktop. So, I’ll include my VPN configuration as well.
But for now, it looks like I’m going to need have a part three of this “setting up the network and dedicated remote access” section, because I need to get on the road down to KY. But if you’re interested, look for part three later today. I’m almost done with it and will try to finish it during my lunch break.
The Virtualization Capability of Your Processor is Already in Use.
Jun 1st
I haven’t had much exposure to KVM yet, so over the weekend I decided to check it out on my laptop. After playing around with it a bit, I needed to power on an instance of VMware Workstation, and the following error popped up on my screen …
The virtualization capability of your processor is already in use. Disable any other running hypervisors before running VMware Workstation.
Well that makes sense. So I uninstalled KVM and the issue was resolved … or so I thought. This morning as I powered on another instance of VMware Workstation, I got the same error again. Hmmmm. That was a bit more confusing because, to my knowledge, KVM was completely removed from my system. Again, so I thought. But a quick look at the currently loaded kernel modules revealed both the kvm_intel and the kvm modules.
As it turns out, when you remove KVM via apt-get (meaning, this *could* be a debian / ubuntu issue, not sure if other package managers do the same thing), it doesn’t actually completely remove itself. The kvm and kvm_intel modules not only remain, but they continue to get loaded upon startup. When I removed the modules, my VMware Workstation powered on without issue.
So then, that voice inside of my head — the one I should NEVER listen to — said “I wonder what happens when you load the KVM modules after you’ve powered on your VM?” I *knew* it could only lead to bad things, but I couldn’t help myself. Guess what? Not only did VMware Workstation completely freeze, but now I can’t power on my VM, no matter what I try. Grrrr. I swear, someday I’ll be a news headline that reads … An eyewitness confirms his last words were, “I wonder what this button does?”
Anyway, if you get this error, simply check for the kvm modules (lsmod | grep kvm should do the trick). Simply removing the modules will fix the issue.
Scripted ESX Installation: Reconfiguring COS Networking with Kickstart
May 27th
Frequently customers have specific NICs (like onboard NICs) that they’d like assigned to the COS, leaving the other NICs for VM traffic. This is difficult, however, when using our automated kickstart deployment scripts as there is no way to explicitly define the vmnic assigned to the COS. And to make matters worse, the VMkernel is not yet available to us during the %post section of the kickstart script, which makes COS networking configuration difficult! Recently I had a customer who was getting frustrated because …
- They would “rack and stack” a physical server and wire up their NICs accordingly (i.e. onboard NICs on the management VLAN, remaining NICs on production VLANs)
- PXE boot the server
- When kickstart completed, they’d lose connection to the COS.
This happens because during installation, ESX just assigns vmnic0 to the lowest PCI number, and then assigns vmnic0 to the COS. And this is often not the NIC the admin wants used for their COS. Of course, they could go back after the fact and reconfigure the COS networking, but this kind of defeats the purpose of a completely hands-free, automated deployment.
Here is one possible solution to the problem. Below is a script I wrote to append to the %post section of a kickstart file. Obviously, you’ll need to make modifications for your environment.
|
## This script should be appended to the %post section of an ESX kickstart file. %post
cat > /tmp/esx_post_install.sh << EOF ## If your kickstart file has vmportgroup=1, you *might* want to uncomment the /usr/sbin/esxcfg-vswitch -A “VMkernel” vSwitch0 ## You’ll need to find which physical NICs you want assigned to your COS. From
/usr/sbin/esxcfg-nics -l | awk ‘\$0 ~ /search term/ {print \$1}’ | xargs –n 1 /usr/sbin/esxcfg-vswitch vSwitch0 –L ## Note: if you want to test the line above from the command-line, you’ll need ## Replace the x.x.x.x after -i with the IP address and after -n with the ## Replace the x.x.x.x after -i with the IP address and after -n with the subnet ## Replace x.x.x.x with the default gateway for the COS in both of the next two lines. mv /etc/rc.d/rc.local.save /etc/rc.d/rc.local
chmod +x /tmp/esx_post_install.sh cat >> /etc/rc.d/rc.local << EOF |
As an example, in my environment I have server with 4 NICs and by default, ESX assigns vmnic0, which is mapped to PCI 02:00.00, to the service console. However, what is actually physically wired to my management network is vmnic3, which is mapped to PCI 02:03.00. In the script above, I simply searched for the number 3 (i.e. replaced search term with 3) and now my scripted ESX installation works properly.
Below is the configuration of my server before I redeployed with kickstart. The line in red is the NIC I want assigned to the COS. The lines in black are what ESX assigns the COS by default.
|
BEFORE (without %post section)
PortGroup Name VLAN ID Used Ports Uplinks |
Now, here is the same output after I redeployed the server with my modifications to the %post section of the kickstart file. The scripted deployment of ESX now properly assigns vmnic3 to my service console.
|
AFTER (with %post section)
[root@vesx7 root]# esxcfg-nics -l
[root@vesx7 root]# esxcfg-vswitch -l
PortGroup Name VLAN ID Used Ports Uplinks |
I hope this was helpful. Let me know if you have any questions.
Well, I’d better sign off and start packing because I leave for Omaha, NE in a few hours.
The E.T.D.F. Series — Setting up the Network and Dedicated Remote Access (Part 1)
Mar 17th
Wow! I can’t believe it’s been almost two months since my last post! Sorry for my extended absence. I’ve been super busy with VMware events, customer presentations and meetings … oh yeah, and there was a nice ski trip to Vail too. Time flies when you’re having fun
Over the past few weeks, with the little spare time I had, I actually completed my conversion to a virtual desktop. So now, my corporate VMware desktop is 100% in a VM, always on and "lives" on the virtual infrastructure in my home lab. And with my shiny new AT&T 3G wireless laptop card, I can access it anytime, anywhere (though admittedly, this is a last resort).
You might have guessed by the title, for this post I’ll focus on my network setup. I stress the word “my” because when I first started to write this section almost a month ago, I had a lot of trouble trying to address all possible network configurations (or at least, a good majority of them). Finally I gave up, realizing this was an impossible task. There are just way too many options. So, I’m simply going to document my network. If you have VDI network configuration questions that aren’t answered in this section, email me directly (aaron at sweemer dot com) and I’ll be happy to help out.
I think the best place to start would be showing you a high level diagram of my network (click the graphic to see the full image).
As you’re reviewing the diagram, here are a couple things to keep in mind:
- All IP addresses have been changed and domain names have been removed for security purposes. Hostnames, however, remain unchanged.
- You do not need to have a similar setup. In fact, you can have as little as a single physical server with local storage. You might not be able to get the full benefits that a fully loaded virtual infrastructure can provide (e.g. VMotion, DRS, HA). But if you’re just looking to test out virtual desktops with VMware View, you can certainly go with a slimmed down environment.
- The configuration of the physical servers (cincylab-esx1, 2 and 3) as well as the iSCSI SAN (cincylab-ts1) will be addressed in the next section.
- The ISP router is a fairly unintelligent device which I’ve configured to simply forward all network traffic to cincylab-rtr1. As such, I won’t address the configuration here.
I love Visio diagrams, they make everything look so pretty and shiny! What does this actually look like? Here’s a photo of my lab …
Notice the PC on the right (cincylab-rtr1)? That’s an old Gateway I had lying around, which has a single 2.2GHz processor, 1Gig of RAM and a single 100Mbps NIC. I installed Ubuntu server 8.04.1 (kernel 2.6.24-19-server) on it and made it the gateway between my lab and the DMZ (aka, my home network). It’s on this PC that I route between VLANs, terminate external VPN connections and run my DHCP server. Additionally, it’s where I run scripts that continually scan for changes to my public IP address and when necessary, automatically updates my dynamic DNS provider.
Since this post is getting long, I decided to break this section into two parts. In part two, I’ll walk through the all the configurations of cincylab-rtr1 and cincylab-sw1. And before you say anything … no, it won’t be another two months before I post part two
VMware Infrastructure Client on Ubuntu … an Update
Feb 2nd
I finally got the VMware Infrastructure Client running directly on my Ubuntu Linux. I use the word running, because I’m not prepared to use the word working just yet. Though the application seems fairly stable and most feature / functionality I’ve tested thus has worked, I’ve already found two bugs, one of which will hang your entire terminal. And believe me, I’ve only just begun to test, so who knows how many more bugs I’ll find?
But until today, I couldn’t even get the client to launch and I haven’t been able to find anyone else that has been able to do so either. So I’m going to consider this a minor success and a step in the right direction. But just to be clear, I would NOT advise you start managing your environment with the VIC on wine just yet!
OK, here’s the proceedure I used get this running.
- My environment (I haven’t yet tried this proceedure on any other combination of Linux and Wine):
- ubuntu 8.10 (kernel 2.6.27-11)
- wine-1.1.14
- Download and install the latest version of winetricks.
- Run winetricks and select ONLY the following options: dotnet20, ie6 and winxp. Now, for future reference, I believe the bugs I’ve already found can be cured with a few more options. But, one step at a time. I also know that a couple options will crash the application.
- Download and install the VMware Infrastructure Client. You can get this by going to http://<ip of your vCenter server>.
- Here’s the critical part, you need to modify your vCenter (or ESX) server to accept both HTTP and HTTPS. By defult, vCenter and ESX will accept HTTP requests, but they are immediately redirected to HTTPS. And currently, this will break the VIC on wine. Do NOT do this on a production vCenter server!! To modify your vCenter server, do the following:
- On your vCenter server, go to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter
- Copy proxy.xml to proxy.xml.bak
- Open proxy.xml with a text editor
- Find the lines with httpsWithRedirect and replace with httpAndHttps
- Restart the “VMware VirtualCenter Server” Service
- Back on your linux workstation, go to ~/.wine/drive_c/Program Files/VMware/Infrastructure/Virtual Infrastructure Client/Launcher/
- Execute wine VpxClient.exe and you should see the following:
- Make sure you put an http:// in front of the IP or DNS name of your vCenter server. Otherwise, it will try to connect via HTTPS and again, this is currently problematic.
- That should do it.
OK, here are the bugs that I’ve found so far (other than SSL, which I’ve already mentioned):
- Using the right click menu will freeze your screen about 50% of the time. When it freezes, you’ll have to connect to another TTY, find the process and kill it. But the alternative menus seem to work. For example, if you right click on a host and click “New Virtual Machine … ” your screen will likely freeze. However, if instead you click the “New Virtual Machine” link on the Summary tab, the New Virtual Machine Wizard will properly launch.
- The New Virtual Machine Wizard will not advance past the Virtual Disk Capacity step. It produces the error “The disk capacity entered was not a properly formatted number or was out of range …” It gives this same error no matter what value I enter. Actually, simply clicking Cancel will produce the error. Weird.
- The Getting Started tab correctly renders the proper HTML, but the viewing area is about 100 x 100 pixels and not adjustable. (This is nothing more than an annoyance).
- You can create a folder in a datastore, but you can’t delete one. Deleting files on a datastore seems to work fine.
Most of the navigation (other than the right click menu I mentioned above), seems to work well. VMotion worked fine. Configuring HA and DRS worked fine. Performance stats rendered fine. But I’ve got a lot more to test and I’ll update again with my test results as I progress.
Thanks to Dan Kegel (www.kegel.com) and Jeff Warnica (don’t know his website/blog) for your help and pointing me in the right direction!
Here are a few more screenshots of the client in action. Click on each image for the full scale picture.
Performance stats, and completed VMotion (in Recent Tasks at bottom)
Datastore browser
The PSOD (Penguin Screen of Death)
Jan 11th
It’s no secret that I’m a big Linux fan. And us Linux weenies frequently like to point and snicker whenever we see the infamous BSOD or any other Microsoft flaw we stumble across. But in the spirit of fairness, I thought I’d share this picture I took on a recent flight …
Evidently, the entertainment systems on Delta airlines are powered by Linux (very cool). BUT, on this particular flight, my screen — and only my screen — was in a never ending reboot!! That made for a fun 4 hour flight and I can tell you was NOT happy with the Penguin at the and of that trip. Of course, I think it’s funny now, so I thought I’d share.