Virtualization Adapted: Adapting Business Processes for Virtual Infrastructure (and vice-versa)

2011/08/11

ESX vSwitch L2 Security

Filed under: it,security,virtualization — iben @ 11:58

VMware vSphere ESX Host Virtual Switch Layer 2 Security Features

The virtual switch has the ability to enforce security policies to prevent virtual machines from impersonating other nodes on the network. There are three components to this feature. These should all be set to “REJECT” to enable the security feature.

• Promiscuous mode is disabled by default for all virtual machines. This prevents them from seeing unicast traffic to other nodes on the network.

• MAC address change lockdown prevents virtual machines from changing their own unicast addresses. This also prevents them from seeing unicast traffic to other nodes on the network, blocking a potential security vulnerability that is similar to but narrower than promiscuous mode.

• Forged transmit blocking, when you enable it, prevents virtual machines from sending traffic that appears to come from nodes on the network other than themselves.
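As an added example (not part of the original post and not VMware's own tooling), the following Python audit checks the three settings above the way a compliance script would, reporting every place the effective policy is Accept instead of Reject. The inventory format is an assumption: one plain dictionary per host with its vSwitches and port groups, where True means Accept and False means Reject, and a port group may override the switch-level value (port groups inherit the vSwitch security policy unless they override it).

```python
# Added example, not from the original post. Audits vSphere standard vSwitch
# Layer 2 security settings for the three controls the post describes.
# Input format is an assumption: one dict per host, with vSwitches and their
# port groups. True means "Accept", False means "Reject"; every key should be False.

SECURITY_KEYS = ("AllowPromiscuous", "MacChanges", "ForgedTransmits")


def effective_policy(switch_policy, override=None):
    """A port group inherits the vSwitch policy for any key it does not override."""
    policy = dict(switch_policy)
    if override:
        policy.update({k: v for k, v in override.items() if k in SECURITY_KEYS})
    return policy


def accepted_settings(policy):
    """Keys whose effective value is Accept. A missing key is treated as Accept,
    so an incomplete export fails closed instead of hiding a gap."""
    return [k for k in SECURITY_KEYS if policy.get(k, True)]


def audit_vswitches(inventory):
    """Return (host, vswitch, portgroup_or_None, setting) for every Accept found,
    checking the switch-level policy first and then each port group's effective policy."""
    findings = []
    for host in inventory:
        for vs in host["vswitches"]:
            for key in accepted_settings(vs["policy"]):
                findings.append((host["name"], vs["name"], None, key))
            for pg in vs.get("portgroups", []):
                eff = effective_policy(vs["policy"], pg.get("override"))
                for key in accepted_settings(eff):
                    findings.append((host["name"], vs["name"], pg["name"], key))
    return findings


# Constructed sample inventory (hypothetical host and switch names).
SAMPLE_INVENTORY = [
    {
        "name": "esx01.example.test",
        "vswitches": [
            {
                "name": "vSwitch0",
                "policy": {"AllowPromiscuous": False, "MacChanges": False, "ForgedTransmits": False},
                "portgroups": [
                    {"name": "VM Network"},
                    # An IDS sensor port group that overrides the switch and allows promiscuous mode
                    {"name": "IDS-SPAN", "override": {"AllowPromiscuous": True}},
                ],
            },
            {
                "name": "vSwitch1",
                # Switch-level policy still accepts MAC changes; "Legacy" inherits that.
                "policy": {"AllowPromiscuous": False, "MacChanges": True, "ForgedTransmits": False},
                "portgroups": [{"name": "Legacy"}],
            },
        ],
    }
]


def main():
    for host, vs, pg, key in audit_vswitches(SAMPLE_INVENTORY):
        where = f"{host} {vs}" + (f" port group '{pg}'" if pg else " (switch policy)")
        print(f"NON-COMPLIANT: {where}: {key} is Accept, should be Reject")


if __name__ == "__main__":
    main()
```

Running it on the constructed inventory flags the IDS-SPAN override (a deliberate exception that should be documented, not silently inherited) and both the switch-level and the inherited MacChanges Accept on vSwitch1.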

Cisco Nexus 1000v Switch Layer 2 Security

MAC ACLs

MAC ACLs are ACLs that filter traffic using information in the Layer 2 header of each packet.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/security_9mac_acls.html

Port Security

Port security lets you configure Layer 2 interfaces permitting inbound traffic from a restricted set of MAC addresses called secure MAC addresses. In addition, traffic from these MAC addresses is not allowed on another interface within the same VLAN. The number of MAC addresses that can be secured is configurable per interface.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/security_10port.html#wp1210839

DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers by doing the following:

• Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.

• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

• Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_12dhcpsnoop.html#wp1272686

Dynamic Address Resolution Protocol (ARP) Inspection (DAI)

DAI is used to validate ARP requests and responses as follows:

• Intercepts all ARP requests and responses on untrusted ports.

• Verifies that a packet has a valid IP-to-MAC address binding before updating the ARP cache or forwarding the packet.

• Drops invalid ARP packets.

DAI can determine the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a Dynamic Host Configuration Protocol (DHCP) snooping binding database. This database is built by DHCP snooping when it is enabled on the VLANs and on the device. It may also contain static entries that you have created.

If an ARP packet is received on a trusted interface, the device forwards the packet without any checks. On untrusted interfaces, the device forwards the packet only if it is valid.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_13arpinspect.html#wp1329252

IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches the IP and MAC address bindings of dynamic or static IP source entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.

You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:

• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.

• IP traffic from static IP source entries that you have configured in the Cisco Nexus 1000V.

The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.

The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_14sourceguard.html#wp1096775
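The three Nexus 1000V features above (DHCP snooping, DAI and IP Source Guard) all hang off one binding database. The following Python model, added here as an illustration and not Cisco's implementation, shows that relationship end to end: DHCP snooping only accepts server replies on trusted ports and learns bindings from ACKs, DAI checks ARP sender IP/MAC pairs against those bindings on untrusted ports, and IP Source Guard additionally requires the ingress port to match. Packets are plain dicts, the port names and MAC/IP values are constructed, and real switches track more state than this (lease expiry, per-VLAN enablement, rate limiting).

```python
# Added example, not from the original post or from Cisco's code: a simplified
# model of how DHCP snooping, Dynamic ARP Inspection and IP Source Guard share
# one binding database. Packets are plain dicts and port names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class BindingTable:
    """DHCP snooping binding database keyed by (vlan, ip) -> (mac, port).
    Static entries are added by the operator; dynamic entries come from DHCP ACKs."""
    entries: dict = field(default_factory=dict)

    def add(self, vlan, ip, mac, port):
        self.entries[(vlan, ip)] = (mac.lower(), port)

    def lookup(self, vlan, ip):
        return self.entries.get((vlan, ip))


@dataclass
class L2Switch:
    bindings: BindingTable
    trusted_ports: set                            # uplinks toward the real DHCP server
    pending: dict = field(default_factory=dict)   # (vlan, client mac) -> client port

    def dhcp_snoop(self, pkt):
        """Server->client messages are only accepted from trusted ports; a client
        message from an untrusted port must carry its own MAC in chaddr. ACKs
        seen on trusted ports create dynamic bindings for the requesting client."""
        vlan, mac = pkt["vlan"], pkt["chaddr"].lower()
        if pkt["op"] in ("OFFER", "ACK"):
            if pkt["port"] not in self.trusted_ports:
                return "drop"                     # rogue DHCP server on an access port
            if pkt["op"] == "ACK":
                client_port = self.pending.get((vlan, mac))
                if client_port is not None:
                    self.bindings.add(vlan, pkt["yiaddr"], mac, client_port)
            return "forward"
        # DISCOVER / REQUEST from a client
        if pkt["port"] not in self.trusted_ports and pkt["src_mac"].lower() != mac:
            return "drop"                         # chaddr does not match the frame source
        self.pending[(vlan, mac)] = pkt["port"]
        return "forward"

    def arp_inspect(self, pkt):
        """DAI: trusted ports are not checked; on untrusted ports the sender
        IP/MAC pair must match a binding."""
        if pkt["port"] in self.trusted_ports:
            return "forward"
        binding = self.bindings.lookup(pkt["vlan"], pkt["sender_ip"])
        if binding and binding[0] == pkt["sender_mac"].lower():
            return "forward"
        return "drop"

    def ip_source_guard(self, pkt):
        """IPSG: IP traffic on an untrusted port passes only when source IP,
        source MAC and ingress port all match a binding (DHCP itself is handled
        by dhcp_snoop, so it is never filtered here)."""
        if pkt["port"] in self.trusted_ports:
            return "forward"
        binding = self.bindings.lookup(pkt["vlan"], pkt["src_ip"])
        if binding and binding == (pkt["src_mac"].lower(), pkt["port"]):
            return "forward"
        return "drop"


def run_scenario():
    """Constructed traffic: a legitimate lease on Eth1/1, then invalid frames
    from Eth1/2. Returns a dict of verdicts per step."""
    sw = L2Switch(BindingTable(), trusted_ports={"Eth1/48"})
    good, bad = "00:50:56:aa:aa:aa", "00:50:56:bb:bb:bb"
    v = {}
    v["discover"] = sw.dhcp_snoop({"op": "DISCOVER", "vlan": 10, "port": "Eth1/1", "src_mac": good, "chaddr": good})
    v["ack"] = sw.dhcp_snoop({"op": "ACK", "vlan": 10, "port": "Eth1/48", "chaddr": good, "yiaddr": "10.0.0.5"})
    v["rogue_offer"] = sw.dhcp_snoop({"op": "OFFER", "vlan": 10, "port": "Eth1/2", "chaddr": good, "yiaddr": "10.0.0.9"})
    v["arp_ok"] = sw.arp_inspect({"vlan": 10, "port": "Eth1/1", "sender_ip": "10.0.0.5", "sender_mac": good})
    v["arp_spoof"] = sw.arp_inspect({"vlan": 10, "port": "Eth1/2", "sender_ip": "10.0.0.5", "sender_mac": bad})
    v["ip_ok"] = sw.ip_source_guard({"vlan": 10, "port": "Eth1/1", "src_ip": "10.0.0.5", "src_mac": good})
    v["ip_wrong_port"] = sw.ip_source_guard({"vlan": 10, "port": "Eth1/2", "src_ip": "10.0.0.5", "src_mac": good})
    v["ip_unleased"] = sw.ip_source_guard({"vlan": 10, "port": "Eth1/2", "src_ip": "10.0.0.77", "src_mac": bad})
    return v


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:14s} {verdict}")
```

The ordering matters in practice exactly as it does in the model: until the ACK on the trusted uplink has populated the binding table, DAI and IP Source Guard have nothing to validate against, which is why the Cisco guide describes hosts with static addresses needing static binding entries.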

Reference Links

http://www.vmware.com/files/pdf/dmz-vsphere-nexus-wp.pdf

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/VMware.html#wp696333


2011/01/05

Review of VMware View Optimization Guide Windows 7 pdf

Filed under: virtualization — iben @ 11:44

Just reviewed this guide and wanted to share.

Very helpful scripts are included with the Adobe Acrobat PDF, which allow rapid customization and optimization of Windows 7 desktops for VMware View.

A few tips:

  • Open the PDF with the Adobe Acrobat Reader app.
  • You will find 2 embedded files included: commands.txt and ts.xml – save them to a shared folder.
  • Access the shared folder from the Windows 7 template machine being configured.
  • Tweak your current user environment as you wish – it will be copied and set for use as the default user profile.
  • Change the folder options view to disable “Hide extensions for known file types” and click “Apply to Folders”.
  • Rename the commands.txt file to commands.bat (see notes below).
  • Run the included commands.bat script from an “admin” (elevated) command prompt or it won’t work right.
  • Take advantage of the new registry keys to denote the current image version and author info.
  • Run ipconfig /release, then shut down the Windows 7 template machine being configured.
  • Take a snapshot of the Windows 7 template machine being configured.

Customizing Linked-Clone Desktops with QuickPrep

Link to doc

http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf

commands.bat listing

The contents of the commands.bat (aka commands.txt) file are listed here for your review. Review them and edit as needed for your environment.

rem  Setting Default HKCU values by loading and modifying the default user registry hive
reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"
reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v SCRNSAVE.EXE /d "%windir%\system32\scrnsave.scr" /f
reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /d "600" /f
reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaverIsSecure /d "1" /f
reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /d " " /f
reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /t REG_DWORD /d 0x0 /f
reg ADD "hku\temp\Software\Microsoft\Feeds" /v SyncStatus /t REG_DWORD /d 0x0 /f
reg ADD "hku\temp\Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 0x1 /f
reg unload "hku\temp"
rem Making modifications to the HKLM hive
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 0x1 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x1 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0x1 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk" /v TimeOutValue /t REG_DWORD /d 200 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Revision /t REG_SZ /d 1.0 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Virtual /t REG_SZ /d Yes /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x100000 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x100000 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x100000 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 0x1 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0x0 /f
reg Add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow" /v Disabled /t REG_DWORD /d 0x1 /f
rem Using Powershell to perform Windows Services modifications
Powershell Set-Service 'BDESVC' -startuptype "disabled"
Powershell Set-Service 'wbengine' -startuptype "disabled"
Powershell Set-Service 'DPS' -startuptype "disabled"
Powershell Set-Service 'UxSms' -startuptype "disabled"
Powershell Set-Service 'Defragsvc' -startuptype "disabled"
Powershell Set-Service 'HomeGroupListener' -startuptype "disabled"
Powershell Set-Service 'HomeGroupProvider' -startuptype "disabled"
Powershell Set-Service 'iphlpsvc' -startuptype "disabled"
Powershell Set-Service 'MSiSCSI' -startuptype "disabled"
Powershell Set-Service 'swprv' -startuptype "disabled"
Powershell Set-Service 'CscService' -startuptype "disabled"
Powershell Set-Service 'SstpSvc' -startuptype "disabled"
Powershell Set-Service 'wscsvc' -startuptype "disabled"
Powershell Set-Service 'SSDPSRV' -startuptype "disabled"
Powershell Set-Service 'SysMain' -startuptype "disabled"
Powershell Set-Service 'TabletInputService' -startuptype "disabled"
Powershell Set-Service 'Themes' -startuptype "disabled"
Powershell Set-Service 'upnphost' -startuptype "disabled"
Powershell Set-Service 'VSS' -startuptype "disabled"
Powershell Set-Service 'SDRSVC' -startuptype "disabled"
Powershell Set-Service 'WinDefend' -startuptype "disabled"
Powershell Set-Service 'WerSvc' -startuptype "disabled"
Powershell Set-Service 'MpsSvc' -startuptype "disabled"
Powershell Set-Service 'ehRecvr' -startuptype "disabled"
Powershell Set-Service 'ehSched' -startuptype "disabled"
Powershell Set-Service 'WSearch' -startuptype "disabled"
Powershell Set-Service 'wuauserv' -startuptype "disabled"
Powershell Set-Service 'Wlansvc' -startuptype "disabled"
Powershell Set-Service 'WwanSvc' -startuptype "disabled"
rem Making miscellaneous modifications
bcdedit /set BOOTUX disabled
vssadmin delete shadows /All /Quiet
Powershell disable-computerrestore -drive c:\
netsh advfirewall set allprofiles state off
powercfg -H OFF
net stop "sysmain"
fsutil behavior set DisableLastAccess 1
rem Making modifications to Scheduled Tasks
schtasks /change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
schtasks /change /TN "\Microsoft\Windows\SystemRestore\SR" /Disable
schtasks /change /TN "\Microsoft\Windows\Registry\RegIdleBackup" /Disable
schtasks /change /TN "\Microsoft\Windows Defender\MPIdleTask" /Disable
schtasks /change /TN "\Microsoft\Windows Defender\MP Scheduled Scan" /Disable
schtasks /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /Disable

2010/11/13

VMware VAAI Certification Test Summary

Filed under: virtualization — iben @ 17:47

VMware VAAI Certification Test Summary

Based on the VMware VAAI Certification Guide Revision date: 20101011

This guide is intended for VMware partners who want to certify VAAI storage with ESX to claim compatibility in the VMware HCLs.

The vStorage API calls offload certain storage operations to the storage array and optimize them. They are new application programming interfaces in the VMkernel. Using a small set of primitives, or fundamental operations, that can be issued to an array supporting these interfaces, ESX can improve the performance of certain storage operations such as cloning, snapshotting, mirroring, zeroing blocks, and replication.

You certify these offload operations with your storage arrays and use this certification to obtain a listing in the VMware compatibility guide:

  • Atomic Test and Set (ATS) also known as Hardware Assisted Locking: a mechanism to modify a disk sector to improve the performance of ESX updating metadata.
  • Full Copy: given a source range of LBAs, copies them into the given destination range of LBAs.
  • Block Zeroing or Write Same: zeroes out the given range of LBAs.

VAAI Certification Test Process List

  1. BlockZeroDiskTest
    1. This test verifies that when ESX uses the VAAI BlockZero primitive, an eager‐zeroed‐thick vmdk volume is created faster.
    2. The operation compares execution time with and without enabling the VAAI BlockZero primitive. The test passes only if the execution time with VAAI enabled is less than with VAAI disabled.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. IMPORTANT Do not run any extraneous workloads on the storage array under test during the first 30 minutes of this test to avoid the possibility of non‐constant workloads skewing the test times and causing a test failure.
    5. Estimated test time: 30 minutes
  2. BlockZeroRDMTests
    1. This test verifies that zeroing a vmdk volume on an RDM disk is performed correctly when ESX uses the VAAI BlockZero primitive. The test is run on both a non‐pass‐through RDM as well as a pass‐through RDM disk.
    2. The operation is conducted with and without enabling the VAAI BlockZero primitive. The test logs note the execution times with and without the VAAI BlockZero primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 5 minutes to 3 hours
  3. BlockZeroMultiOffloadTests
    1. This test verifies that simultaneous creation of virtual disks on a shared datastore from two ESX hosts with VAAI BlockZero primitive enabled functions properly.
    2. The operation is conducted with and without enabling the VAAI BlockZero primitive. The test logs note the execution times with and without the VAAI BlockZero primitive, but the time does not determine test passing or failing.
    3. This test is conducted with no I/O to the array under test.
    4. Estimated test time: 10‐20 minutes
  4. FullCopyDiskTest
    1. This test verifies that when ESX uses the VAAI FullCopy primitive, a vmdk volume clones faster.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times with and without the VAAI FullCopy primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 36 hours, with a majority of the time spent verifying cloned volume contents.
  5. FullCopyRDMTests
    1. This test verifies that cloning a vmdk volume to an RDM disk is done correctly when ESX host uses the VAAI FullCopy primitive. The test is run with both a non‐pass‐through RDM as well as a pass‐through RDM disk as the destination disk.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times with and without the VAAI FullCopy primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 18 hours, with a majority of the time spent verifying cloned volume contents.
  6. FullCopyCloneVMTests
    1. This test verifies that virtual machine cloning operations function properly with the VAAI FullCopy primitive enabled.
    2. The test clones a virtual machine to both the same datastore as the source virtual machine as well as to a different datastore.
    3. The operation compares execution time with and without enabling the VAAI FullCopy primitive. The test passes only if the execution time with VAAI enabled is less than with VAAI disabled.
    4. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    5. IMPORTANT Do not run any extraneous workloads on the storage array under test during the first 30 minutes of this test to avoid the possibility of non‐constant workloads skewing the test times and causing a test failure.
    6. Estimated test time: 1 hour
  7. FullCopyCloneVMRDMTests
    1. This test verifies that virtual machine cloning operation from a non‐pass‐through RDM LUN to a pass‐through RDM LUN functions properly with the VAAI FullCopy primitive enabled.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times with and without the VAAI FullCopy primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 32 minutes
  8. FullCopyMultiOffloadTests
    1. This test verifies that the VAAI feature improves concurrent Full Copy from two ESX hosts.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times, but the time does not determine test passing or failing.
    3. This test is conducted with no I/O to the array under test.
    4. Estimated test time: 20 minutes
  9. ATSFileOpTests
    1. This test verifies that when ESX enables the VAAI ATS primitive, the file create, delete, read and write operations perform faster with simultaneous access to the LUN from two ESX hosts.
    2. The operation compares execution time with and without enabling the VAAI ATS primitive. The test passes only if the execution time with VAAI enabled is less than with VAAI disabled.
    3. This test is conducted with no I/O to the array under test.
    4. IMPORTANT Do not run any extraneous workloads on the storage array under test during the first 30 minutes of this test to avoid the possibility of non‐constant workloads skewing the test times and causing a test failure.
    5. Estimated test time: 12‐20 minutes
  10. ATSMultiLengthFileTests
    1. This test verifies that when ESX hosts use the VAAI ATS primitive, simultaneous file modifications from two ESX hosts function properly.
    2. The operation is conducted with and without enabling the VAAI ATS primitive. The test logs note the execution times, but the time does not determine test passing or failing.
    3. This test is conducted with no I/O to the array under test.
    4. Estimated test time: 3‐10 minutes
  11. ATSReserveTests
    1. This test verifies that when ESX hosts use the VAAI ATS primitive, file locking and unlocking modifications from two ESX hosts function properly.
    2. This test is conducted with no I/O to the array under test.
    3. Estimated test time: 3‐5 minutes

2010/10/28

VAAI – Netapp

Filed under: virtualization — iben @ 15:21

New NetApp Virtual Storage Console 2.0 (VSC) integrates with VMware vSphere vStorage APIs for Array Integration (VAAI). VAAI provides additional interfaces to enable advanced capabilities developed by VMware vSphere workflows to integrate advanced storage capabilities from NetApp and other vendors.

http://media.netapp.com/documents/wp-7106.pdf

VSC consists of three distinct capabilities:

  • Storage Console is the foundation capability, providing storage discovery, health monitoring, capacity management, and storage configuration according to best practices.
  • Provisioning and Cloning (formerly NetApp Rapid Cloning Utility) provides end-to-end datastore management (provisioning, resizing, and deletion) and rapid, space-efficient VM server and desktop cloning, patching, and updating utilizing NetApp FlexClone technology.
  • Backup and Recovery (formerly NetApp SnapManager for Virtual Infrastructure) automates data protection processes by enabling VMware admins to centrally manage backup and recovery of datastores and VMs without impacting guest performance, and to rapidly recover from backups at any level of granularity (datastore, VM, VMDK, or guest file).

Provisioning and Cloning

The provisioning and cloning capability of VSC 2.0 includes all the capabilities of previous versions of RCU, including the ability to efficiently clone new virtual machines from a baseline using NetApp FlexClone technology, manage and secure storage paths, configure deduplication and thin provisioning for storage efficiency, and resize datastores.

Another significant feature is the ability to redeploy existing virtual machines to bring them up to date with the latest patches and so on. Working from a baseline virtual machine that contains the same OS and applications as your deployed virtual machines plus the desired updates, this feature allows you to quickly reconstruct your existing VMDK files while keeping the unique configuration files for each VM intact. You can also choose to maintain current customization settings or apply new settings.

Figure – Redeploying your existing virtual machines from an updated baseline.

HyTrust Appliance 2.1 Available

Filed under: virtualization — iben @ 14:36

HyTrust recently celebrated its 3-year birthday.  HyTrust was founded in October 2007 to bring secure access control and policy to virtual infrastructure, enabling wider adoption of virtualization throughout the enterprise — exactly the same focus that we have today.

It’s amazing to see what we have achieved in the last three years: great enterprise customers; solid partnerships with the major players in virtualization (VMware, Cisco, RSA, Intel and Symantec); numerous accolades, including Best of Show at VMworld; and, of course, several significant releases of HyTrust Appliance…

So we’re excited to let you know that HyTrust Appliance 2.1 is now generally available. It is chock-full of exciting new enterprise features, including protection for the control of Cisco Nexus 1000V, application-level high availability, and smart card support.  As always, we have also made 2.1 available in the Community Edition form, which can be downloaded for free here: 
http://info.hytrust.com/appliance.html

New HyTrust Appliance Capabilities At a Glance

  • Support for VMware vSphere 4.1
  • Integrated access control, policy and audit logging for Cisco Nexus 1000V CLI management (NX-OS command set)
  • Support for complex, multi-domain Active Directory environments
  • Single sign-on via Windows pass-through authentication with smart card integration
  • New ESX hardening templates including VMware Hardening Guide 4.0 and (Sarbanes Oxley) SOX hardening template
  • Application-level high availability (in addition to VMware HA/FT and federation)

If you would like to take a look at the new functionality, we have recorded demos of the new version available for your viewing pleasure.
http://info.hytrust.com/recorded_product_demo.html

For those of you currently evaluating HyTrust Appliance, we’d like to extend an added incentive to make your purchase in Q4: for a limited time, HyTrust is offering a free “jump-start” professional services package to help you get up and running quickly. Contact sales (sales@hytrust.com) for more information.

2010/09/09

VMworld 2010 Fun Facts

Filed under: Uncategorized — iben @ 20:46

  • VMworld.com set an all time high with 21,000 unique visitors on August 30
  • Over 29,000 tweets on VMworld over 5 days
  • 5,670 attendees came through registration during the first 3 hours of the show on Monday August 30
  • 21,643 pieces of candy consumed at the VMworld Roadside Stop (How many M&Ms in a bag?)
  • 101,470 sodas and 4,852 coffees consumed over 4 days (How many beers?)
  • In 1 day 4,954 granola bars, 3,500 bags trail mix consumed!
  • 718 people who enjoyed the Bungee and Hamster Ball activities at the VMworld Party (I missed this fun.)
  • Just under 11 miles of CAT 5 cable used for the Labs
  • 13,188 attendees used the WiFi (does this mean unique MAC addresses?)
  • 160 VMware spokespeople trained on ITaaS story  (What are the qualifications of a “Spokesperson”?)
  • Announced six products, services and two acquisitions globally (Integrien and TriCipher)
  • LabCloud delivered 15,344 labs compared to 4,500 labs in 2009
  • Delivered Over 21,000 lab hours
  • Deployed a total of 145,097 VMs
  • Every hour LabCloud was creating and destroying approximately 4,000 Virtual Machines

2010/03/30

Using Cryptographic Hashes to verify file download integrity

Filed under: virtualization — iben @ 10:58

The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm.

Vendors provide a SHA-1 hash for software downloads. This enables you to verify that your downloaded files are unaltered from the original.

To confirm file integrity, use a SHA-1 utility on your computer to calculate your own hash for files downloaded from the VMware web site.

If your calculated hash matches the message digest the vendor provides, you are assured that the file was downloaded intact.

SHA-1 utilities are available for Windows, Linux and Mac. Most UNIX installations provide a sha1sum command for SHA-1 hashes. You may need a newer Linux kernel to calculate the checksums for larger files.

The File Checksum Integrity Verifier (FCIV) can be used on Windows based products to verify SHA-1 values. Please see http://support.microsoft.com/kb/841290 for details on FCIV.

Mac OS X: How to Verify a SHA-1 Digest http://support.apple.com/kb/HT1652

Instructions on checking a SHA-1 checksum on a Mac:
In Finder, browse to /Applications/Utilities.
Double-click on the Terminal icon. A Terminal window will appear.
In the Terminal window, type: “openssl sha1 ” (sha1 followed by a space).
Drag the downloaded file from the Finder into the Terminal window.
Click in the Terminal window, press the Return key, and compare the checksum displayed to the screen to the one on the vendor’s download page.

From TechNet

Windows Server 2008 R2 Standard, Enterprise, Datacenter, and Web (x64) – DVD (English)
File Name: en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
Size: 2,858 (MB)
Date Published (UTC): 8/31/2009 10:22:24 AM
Last Updated (UTC): 1/11/2010 4:31:40 PM
SHA1: A548D6743129F2A02C907D2758773A1F6BB1BCD7
ISO/CRC: 8F94460B
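
The manual check above, scripted (an added example, not from this post or from VMware): hash the file in chunks so a large ISO never has to fit in memory, then compare the result against the digest the vendor published. The sample file, the function names and the expected digests are constructed here; the digests are the standard test vectors for the input "abc", not the ISO listed above.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="sha1", chunk_size=1024 * 1024):
    """Hash a file in 1 MiB chunks, so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_digest, algorithm="sha1"):
    """True only if the file's digest equals the digest the vendor published.

    Vendors print hex in either case (TechNet upper, VMware lower), so normalise
    before comparing; compare_digest avoids leaking the match position via timing.
    The published value must come from the vendor's page, not from beside the download.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, published_digest.strip().lower())

def write_sample(content, name):
    """Constructed stand-in for a downloaded file, written to the temp directory."""
    path = os.path.join(tempfile.gettempdir(), name)
    with open(path, "wb") as f:
        f.write(content)
    return path

# Standard test vectors for the input b"abc", standing in for a vendor's published digests.
SHA1_ABC = "A9993E364706816ABA3E25717850C26C9CD0D89D"
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    good = write_sample(b"abc", "sample_download.bin")
    print(verify_download(good, SHA1_ABC))              # True
    print(verify_download(good, SHA256_ABC, "sha256"))  # True: a SHA-2 digest is checked the same way
    tampered = write_sample(b"abd", "sample_tampered.bin")
    print(verify_download(tampered, SHA1_ABC))          # False
```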

About MD5

MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found also to be vulnerable). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable; specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity.

US-CERT says MD5 “should be considered cryptographically broken and unsuitable for further use,” and most U.S. government applications now require the SHA-2 family of hash functions.

VMware Data Recovery

Filed under: virtualization — Tags: , , , , , , — iben @ 10:49

VMware Data Recovery (CD ISO)
Released 11/19/09 | Version 1.1 | Size 418 MB | Binary (.iso)
Deploy VMware Data Recovery virtual appliance plus management components.
SHA1SUM 44dc0cd0c3e774d4912412b51dabeadf28d959b9

2010/03/26

Host Profiles N1KV VDS

Filed under: virtualization — Tags: , , , , , , , , , , , — iben @ 06:21

Background to Using Host Profiles

The vDS UI also allows a phased migration of vmnics from vSS to vDS without disruption to an operational environment. VMs can be migrated from a vSS to a vDS on the fly so long as the vDS and vSS have connectivity to the same network at the same time and the origin Port Group on the vSS and destination DV Port Group on the vDS are configured to the same VLAN.

Host Profiles provide a way to migrate multiple hosts at one time. Host Profiles use a golden profile from a migrated host to propagate a configuration to a number of other hosts.

When applying a Host Profile to a host, the host must be in Maintenance Mode. This requires VMs to be either powered down or migrated to another host.

Host Profiles are most appropriate for new installations of similarly configured hosts (i.e. same number of vmnics, same vmnic to physical switch configuration, no active VMs).

The table below summarizes the deployment situations and suggested methods for migration from vSS to vDS. Note: These are suggestions only; both methods will work within the guidelines mentioned above.

Summary of Migration Methods

Table 1 – Summary of vSS to vDS Migration Methods

Deployment Situation                                   | Suggested Method | Details
-------------------------------------------------------|------------------|--------------------------------------------------------------
New servers, same vmnic config, no active VMs          | vDS UI + HP      | Migrate first host with vDS UI. Take host profile and apply to remaining hosts.
<5 existing servers, no active VMs                     | vDS UI           | Small number of servers. Can use Host Profiles, but possibly easier to continue with vDS UI.
>5 existing servers, same vmnic configs, no active VMs | vDS UI + HP      | Larger number of servers with similar vmnic configuration. No active VMs, so can enter Maintenance Mode and use Host Profiles.
Existing servers, active/operational VMs               | vDS UI           | Cannot use Maintenance Mode as VMs are active. Phased vmnic migration suggested to ensure continuity of VM communications.
Existing servers, dissimilar vmnic configurations      | vDS UI           | Enables per-host tailoring of vmnic to dvUplink PortGroup mapping.
Ongoing compliance checking                            | HP               | Non-disruptively check that network settings are compliant with the approved “golden” configuration.

Note: vDS UI = Use vDS UI; HP = use Host Profiles; vDS + HP = use vDS UI to deploy first host and Host Profiles for remaining hosts.

Applying NIC Teaming Policies to DV Port Groups

With a vSS, NIC teaming policies are defined on the virtual switch with an optional override on each Port Group definition. With vDS, NIC teaming policies are only defined on the DV Port Groups and apply to dvUplinks, not vmnics. The vmnics are mapped to the dvUplinks on a per host basis. This enables each host to have a different vmnic to physical host configuration and yet use the same NIC teaming policy over all hosts spanned by the vDS.

Monitoring Hash vmnic Selection in NIC Teams

The esxtop command from the ESX console can reveal the physical NIC (vmnic) used by a virtual port or VM within a NIC team.

Use esxtop to see the following information:

  • PORT-ID represents an internal port number on the virtual switch
  • USED-BY column shows what that port number is used by (e.g. VMkernel, VM, etc.)
  • TEAM-PNIC column shows what physical NIC (vmnic) is being used for traffic from that virtual port (the result of the hash within the NIC team)
  • The remaining columns indicate the Receive and Transmit traffic rates on those ports.

To use esxtop, type esxtop from the ESX console and then type n.

A list of commands for the ESX command line interface is published in Chapter 6 of the ESX 4.0 Configuration Guide (available at http://www.vmware.com/support/pubs/). To view console output one page at a time, add the | more suffix to a command. For example:
esxcfg-vswitch -l | more

Reference: http://vmware.com/files/pdf/vsphere-vnetwork-ds-migration-configuration-wp.pdf

(See page 8)

2010/03/18

How to create a virtual appliance (OVF/OVA)

Filed under: virtualization — Tags: , , , , , , , , — iben @ 16:08

How to create a virtual appliance 

Background:

The Open Virtualization Format (OVF) specification is a standard being developed within the Distributed Management Task Force (DMTF) association to promote an open, secure, portable, efficient, and extensible format for the packaging and distribution of software to be run in virtual machines.

For use within an organization, Level 1 or Level 2 compatibility may be good enough, since the OVF package is distributed within a controlled environment where specific purchasing decisions of hardware or virtualization platforms can ensure consistency of the underlying feature set for the OVF.

Level 1. Only runs on a particular virtualization product and/or CPU architecture and/or virtual hardware selection. This would typically be due to the OVF containing suspended virtual machines or snapshots of powered on virtual machines, including the current run-time state of the CPU and real or emulated devices. Such state ties the OVF to a very specific virtualization and hardware platform.

Notes:

Virtual machines created from OVF sources with SCSI LSI Logic disk controller might not start up after conversion to an ESX destination
OVF sources with LSI Logic disk controllers might fail to boot when imported to an ESX destination. This is because Converter Standalone might change the controller type to Bus Logic instead of preserving the source controller type.
Workaround: Using VI client, edit the settings of the imported virtual machine to change the controller type from Bus Logic back to LSI Logic. This will enable the virtual machine to boot.

While exporting a virtual machine from an ESX 3.5 host to OVF “folder of files” format by using Converter Standalone, the vNICs are forcibly changed from their native type
While exporting a virtual machine source from an ESX 3.5 host to the OVF “folder of files” format, Converter Standalone changes the source vNICs from their native type (vmxnet, vlance, or e1000) to either PCNet32 (vlance) or E1000 (e1000). This might result in an unexpected lack of network connectivity when the OVF is imported.
Workaround: Edit the .vmx file to manually modify the vNIC type after importing the virtual appliance.


NOTE: VMXNET3 is recommended for all vSphere Virtual Machine Guests.

How to Make a Portable Virtual Appliance

You can export a virtual machine to a virtual appliance, making it available to other users to import into their inventories. The resulting virtual appliance is an OVF 1.0 appliance and contains one virtual machine. OVF Virtual Appliances contain many files that are typically compressed into an archive that can be put on removable media or downloaded from a server. This archive must be decompressed prior to being imported and is more cumbersome to use. Consider using OVA for internal enterprise use.

OVA is also available – this format is a single file that is easier to distribute within an organization. The OVA format is not simply a tar. It places certain restrictions on the ordering and naming of files. These rules ensure that OVA archives are easy to stream – a tool or hypervisor does not need to download an entire OVA first and then unpack it.
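
As an added example (not from this post or from VMware's Converter), a checker for the two properties the paragraph above relies on: the member ordering that lets an OVA be streamed, and the manifest digests, which use the same SHA-1 file verification as the download check earlier on this page. The ordering rule (descriptor first, manifest immediately after it) and the manifest line format "SHA1(file)= digest" are taken from the OVF 1.0 specification rather than from this page; the three-file sample OVA is constructed and is not a real appliance.

```python
import hashlib
import io
import os
import re
import tarfile
import tempfile
# Manifest line format from the OVF 1.0 specification: "SHA1(filename)= hexdigest".
MANIFEST_LINE = re.compile(r"^(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)\s*$")

def check_ova(path):
    """Return a list of problems; an empty list means the OVA passed both checks."""
    problems = []
    with tarfile.open(path, "r:") as tar:  # an OVF 1.0 OVA is a plain, uncompressed tar
        names = tar.getnames()
        # Ordering rule: descriptor first, manifest next, so a streaming importer can validate early.
        if not names or not names[0].endswith(".ovf"):
            problems.append("first member is not the .ovf descriptor")
        manifests = [n for n in names if n.endswith(".mf")]
        if manifests and names.index(manifests[0]) != 1:
            problems.append("manifest does not immediately follow the descriptor")
        manifest_text = tar.extractfile(manifests[0]).read().decode("utf-8") if manifests else ""
        for line in manifest_text.splitlines():
            m = MANIFEST_LINE.match(line)
            if not m:
                problems.append("unparseable manifest line: " + line)
            elif m.group("name") not in names:
                problems.append("manifest references missing file " + m.group("name"))
            else:
                actual = hashlib.new(m.group("algo").lower(), tar.extractfile(m.group("name")).read()).hexdigest()
                if actual != m.group("digest").lower():
                    problems.append("digest mismatch for " + m.group("name"))
    return problems

def build_sample_ova(tamper=False, misorder=False):
    """Write a constructed three-file OVA (not a real appliance) to the temp dir; return its path."""
    files = [("appliance.ovf", b"<Envelope xmlns='http://schemas.dmtf.org/ovf/envelope/1'/>"),
             ("disk1.vmdk", b"constructed stand-in for disk1.vmdk")]
    manifest = "".join("SHA1(%s)= %s\n" % (n, hashlib.sha1(d).hexdigest()) for n, d in files)
    files.insert(1, ("appliance.mf", manifest.encode()))
    if tamper:  # alter the disk after the manifest was computed, as a tampered download would
        files[2] = ("disk1.vmdk", files[2][1] + b" (altered)")
    if misorder:  # push the descriptor to the end, violating the streaming order
        files.append(files.pop(0))
    path = os.path.join(tempfile.gettempdir(), "sample_ova_%d%d.ova" % (tamper, misorder))
    with tarfile.open(path, "w:") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path
```

A real OVA is inspected the same way: check_ova("appliance.ova") returns an empty list when the package is well ordered and every manifest digest matches.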

You cannot select a virtual appliance destination for physical machine sources or virtual appliance sources.

The OVF created as a result of this conversion is not compatible with Workstation 6.5.x, nor with Converter 3.0.3.

Install Converter Standalone in Windows

You can install Converter Standalone onto a physical or a virtual machine. The Local setup installs the Converter Standalone server, Converter Standalone agent, and Converter Standalone client for local use. For remote access, you can create a Client-server installation. With remote access you can create and manage conversion tasks remotely.
When you install the Converter Standalone agent and the Converter Standalone server, the local machine becomes a server for conversions, which you can manage remotely. When you use the local machine with the Converter Standalone client, you can convert the full range of machine types.

Start the Wizard for a Conversion

The Conversion wizard helps you specify your source machine, the destination for the machine, and to select the machine’s settings.
  1. Start the VMware vCenter Converter Standalone application.
  2. Click Convert Machine in the application menu.
The Specify Source page introduces the conversion process: Specify Source, Specify Destination, View/Edit Options, and Ready to Complete.

What to do next

You can now select the source machine type to convert.

Select a Source to Convert

You can select from several source options for the type of machine to convert. If you are converting a virtual machine that runs on a VMware DRS cluster that vCenter Server manages, set VMware DRS Power Management (DPM) to manual to avoid DPM powering off the ESX hosts used by Converter Standalone. When the conversion process completes, restore DPM to its original settings. For information about how to change DPM settings, see the Resource Management Guide.
  • Select a VMware Infrastructure Virtual Machine Source
    You can convert a virtual machine that resides on a standalone ESX host or on an ESX host that vCenter Server manages.

What to do next

You can now select the destination for your new virtual machine.

Select a Destination for the New Virtual Machine

Prerequisites

The source virtual machine must be powered off.

Procedure

  1. On the Destination page, select Virtual Appliance from the drop-down menu.
  2. In the Virtual appliance details pane, type the virtual appliance name in the Name text box.
  3. Click Browse to select a destination location.
    The destination folder can be local or a remote machine shared over the network.
  4. (Optional) If you are connected to a remote Converter Standalone server, click Connect as and provide the user credentials to be used when connecting to the destination machine.
    You must manually type the path to the destination.
  5. Select the Distribution format from the drop-down menu.
    You can create virtual appliance packages that contain monolithic compressed .vmdk files only. You can store the resulting files in an .ovf folder or place them in a single .ova tarred file.
  6. Click Next to customize the virtual appliance.

You selected to export a virtual machine to a virtual appliance.

What to do next

On the View/Edit Options page, you can make more precise settings to the conversion task.

Then begin the conversion. Once conversion is complete you can move the OVA file to a location where it can be accessed by an administrator with privileges to create virtual machines on the VMware vCenter Server.

Use vCenter to import a virtual machine from OVF/OVA

Start the Deploy OVF Template Wizard
You deploy an OVF template with the Deploy OVF Template wizard.

Procedure

Select File > Deploy OVF Template

On the Source page, you can specify to deploy an OVF template from a file or from a URL.

  • Deploy from a File
    You can deploy from a file in either OVF (.ovf file) or OVA (.ova file) format. The OVF format is optimal for a web server or image library and deploys from a set of files. The OVA format is optimal for deploying from physical media and is packaged in a single file.
  • Deploy from a URL
    You may deploy the OVF template from a URL.