VCAP5-DCA Objective 8.1 – Execute VMware Cmdlets and customize scripts using PowerCLI

28/10/2012

Objectives

  • Install and configure vSphere PowerCLI
  • Install and configure Update Manager PowerShell Library
  • Use basic and advanced Cmdlets to manage VMs and ESXi Hosts
  • Use Web Service Access Cmdlets
  • Use Datastore and Inventory Providers
  • Given a sample script, modify the script to perform a given action

Install and configure vSphere PowerCLI

Official Documentation:
vSphere Power CLI User’s Guide 5.0, Chapter 3 “Installing vSphere PowerCLI”, page 15.

Summary:
vSphere Power CLI User’s Guide 5.0, Chapter 2 “vSphere PowerCLI System Requirements” presents an overview of the supported Operating Systems, required software and supported VMware environments.

Windows versions starting from XP SP2 are supported. To run vSphere PowerCLI, you need:

  • .NET 2.0 SP1
  • Windows PowerShell 1.0/2.0

Most VMware environments are supported.

vSphere PowerCLI can be downloaded from: http://www.vmware.com/go/powercli

Installation is straightforward. If the PowerShell Execution Policy on your machine is set incorrectly, a warning message appears before finalizing the vSphere PowerCLI installation. Ignore it and continue with the installation.

For security reasons, Windows PowerShell supports an execution policy feature. It determines whether scripts are allowed to run and whether they must be digitally signed. By default, the execution policy is set to Restricted, which is the most secure policy. If you want to run scripts or load configuration files, you can change the execution policy by using the Set-ExecutionPolicy cmdlet.
Start the vSPhere PowerCLI console and type:

Set-ExecutionPolicy RemoteSigned

Other references:

  • A

Read the rest of this entry »

Advertisements

VCAP5-DCA Objective 7.2 – Configure and Maintain the ESXi firewall

25/10/2012

Objectives

  • Enable/Disable pre-configured services
  • Configure service behaviour automation
  • Open/Close ports in the firewall
  • Create a custom service
  • Set firewall security level

Enable/Disable pre-configured services

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 37.

Summary:
An ESXi host has a group of preconfigured services, which can be found via: Configuration, Software, Security Profile, Services Section.

Figure 1 – ESXi Services

Behaviour can be changed by selecting a service and choosing “Options”.
Services can be stopped or (re)started and the “Startup Policy” can be adjusted.

Figure 2 – Service Options

The default and recommended Startup Policy is “Start automatically if any ports are open, and stop when all ports are closed”.
If any port is open, the client attempts to contact the network resources pertinent to the service in question. If some ports are open, but the port for a particular service is closed, the attempt fails, but there is little drawback to such a case. If and when the applicable outgoing port is opened, the service begins completing its tasks. In other words, service behaviour depends on the firewall settings.

Policy “Start and stop with host” means: The service starts shortly after the host starts and closes shortly before the host shuts down.

Policy “Start and stop manually”: The host preserves the user-determined service settings, regardless of whether ports are open or not. This setting is preserved after rebooting a host.

Important NOTE: ESXi firewall automates when rule sets are enabled or disabled based on the service Startup policy. When a service starts, its corresponding rule set is enabled. When a service stops, the rule set is disabled.

Other references:

  • A

Configure service behaviour automation

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 38.

Summary:
See previous one.

Other references:

  • A

Open/Close ports in the firewall

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 34.

Summary:
An overview of the ESXI firewall configuration can be found via: Configuration, Software, Security Profile, Firewall Section.

Figure 3 – Firewall overview

After selecting a Service or Client, you can adjust the Firewall settings and depending on the Service, the Service Options become available (see previous section).

Figure 4

You can specify which networks are allowed to connect to each service that is running on the host.

You can use the vSphere Client or the command line to update the Allowed IP list for a service. By default, all IP addresses are allowed.

Other references:

  • A

Create a custom service

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, section “Rule Set Configuration Files”, page 34.

Summary:
The firewall rule set definitions are stored on the ESXi host in the folder: /etc/vmware/firewall.

The default file is service.xml. Depending on your configuration, additional rule sets can be found. E.g.: Adding an ESXi host to an HA enabled Cluster adds the fdm.xml rule set.

The vSphere Security Guide contains detailed information how to create a new configuration file.

Tip: you can create a new ruleset by copying an existing rule set and start editing. If you are familiar with the vi editor, stay on the ESXI host, otherwise use WinSCP to copy back-and-forth to your favourite Management station.

After adding a service, you need to refresh the firewall settings. On the ESXi host, use the following command:

# esxcli network firewall refresh

Other references:

Set firewall security level

???

Summary:
The following esxcli command shows some important ESXi firewall settings:

# esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true
#

For troubleshooting purposes, you can temporarily disable the firewall with this command:

# esxcli network firewall set --enabled false
# esxcli network firewall get
   Default Action: DROP
   Enabled: false
   Loaded: true
#

The default policy can also be adjusted from DROP to PASS (Not a good idea) with:

# esxcli network firewall set --default-action true
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: true
#

You can also completely shut down the firewall:

# esxcli network firewall unload
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: false
#

Figure 5- Firewall Unloaded

Other references:

  • A

VCAP5-DCA Objective 9.2 – Install ESXi hosts using Auto Deploy

13/10/2012

Objectives

  • Install the Auto Deploy Server
  • Utilize Auto Deploy cmdlets to deploy ESXi hosts
  • Configure Bulk Licensing
  • Provision/Re-provision ESXi hosts using Auto Deploy
  • Configure an Auto Deploy reference host

To start with, the official and some other useful documentation on this objective:

Probably useful, but not in the official Curriculum:

  • vSphere Auto Deploy Gui 5.0

A few words on this Objective. Imho Auto Deploy is a though subject you cannot learn by reading manuals, tutorials and blog posts. You should really play a lot in a home lab or test environment to get a good understanding on the architecture of Auto Deploy and the components. The vSphere Installation and Setup Guide presents a lot of information, but is a bit overwhelming. In my case, I have followed these steps:

Figure 1 – Auto Deploy Overview (Graphic provided by VMware)

Read the rest of this entry »


VCAP5-DCA Objective 9.1 – Install ESXi hosts with custom settings

12/10/2012

Objectives

  • Create/Edit Image Profiles
  • Install/uninstall custom drivers
  • Configure advanced bootloader options
  • Configure kernel options
  • Given a scenario, determine when to customize a configuration

Create/Edit Image Profiles

Official Documentation:
vSphere Installation and Setup Guide, Chapter 6 “Using vSphere ESXi Image Builder CLI”,  page 123.

Summary:
The Image Builder CLI, is a set of PowerCLI Cmdlets that allows you to create and maintain custom ESXi images used to deploy hosts in your vSphere 5.0 environments.

The Image Builder creates Custom Image Profiles that can be exported to:

  • ISO images;
  • Offline depot (ZIP file), to be used by vSphere Update Manager or by the esxcli software vib command.

Figure 1 (Source: VMware)

The Concepts of Image Builder are explained in vSphere Installation and Setup Guide , Chapter 6, “Using vSphere ESXI Image Builder CLI”, page 123.

Read the rest of this entry »


VCAP5-DCA Objective 7.1 – Secure ESXi hosts

10/10/2012

Objectives

  • Add/Edit Remove users/groups on an ESXi host
  • Customize SSH settings for increased security
  • Enable/Disable certificate checking
  • Generate ESXi host certificates
  • Enable ESXi lockdown mode
  • Replace default certificate with CA-signed certificate
  • Configure SSL timeouts
  • Configure vSphere Authentication Proxy
  • Enable strong passwords and configure password policies
  • Identify methods for hardening virtual machines
  • Analyze logs for security-related messages
  • Manage Active Directory integration

Last Update: 24-12-2012

Add/Edit Remove users/groups on an ESXi host

Official Documentation:
vSphere Virtual Machine Administration, Chapter 4 “Authentication and User Management”, Section “Managing vSphere Users / Groups”, page 42.

Summary:
When a vSphere Client or vCenter Server user connects to ESXi, a connection is established with the VMware Host Agent process. The process uses the user names and passwords for authentication.

ESXi authenticates users accessing hosts using the vSphere Client or SDK. The default installation of ESXi uses a local password database for authentication.

ESXi uses the Pluggable Authentication Modules (PAM) structure for authentication when users access the ESXi host using the vSphere Client. The PAM configuration for VMware services is located in /etc/pam.d/system-auth-generic, which stores paths to authentication modules. Changes to this configuration affect all host services.

ESXi users fall into two categories:

  • Authorized vCenter Server users
  • Direct-access Users

VMware recommends these Best practices:

  • Do not create a user named ALL. Privileges associated with the name ALL might not be available to all users in some situations.
  • Use a directory service or vCenter Server to centralize access control, rather than defining users on individual hosts.
  • Choose a local Windows user or group to have the Administrator role in vCenter Server.
  • Because of the confusion that duplicate naming can cause, check the vCenter Server user list before you create ESXi host users to avoid duplicating names. To check for vCenter Server users, review the Windows domain list.

Important Note: By default, some versions of the Windows operating system include the NT AUTHORITY\INTERACTIVE user in the Administrators group. When the NT AUTHORITY\INTERACTIVE user is in the Administrators group, all users you create on the vCenter Server system have the Administrator privilege. To avoid this, remove the NT AUTHORITY\INTERACTIVE user from the  Administrators group on the Windows system where you run vCenter Server.

Remember:

  • You can assign a Role to  User or Group;
  • A role is a set of Privileges;
  • Roles are assigned to Objects;
  • Permission = User/Group + Role;
  • Permissions are inherited (flows down the tree)
  • Apply Permissions on the level where it is needed

To Add or Edit Local Users and Groups:

  • With the vSphere Client, connect to an ESXi host (not the vCenter Server)
  • Select the Host object
  • Go to Tab “Local Users & Groups”
  • Now you can Add, Remove or Edit a User or Group

Figure 1

Read the rest of this entry »