Changing password complexity ESX(i) 4

Some have noticed that the password requirements for ESXi 4.0 logins have become more stringent. In some cases it may be desirable to edit those settings to make the password standards for ESXi 4.0 either stronger or weaker. Password requirements for ESXi are controlled by the file /etc/pam.d/common-password. Changes to this file take effect immediately and do not require a reboot. The sticky bit for the file is enabled, so changes will be backed up into the system configuration backup file for the host. As this is not a supported change, caution is advised and a system backup is recommended before making changes.

By default the common-password file contains the following text, and it is the min option (min=a1,a2,a3,a4,a5) that controls password complexity.

#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

a1 is the password length for passwords that contain one character class. The character classes are lower case characters, upper case characters, digits and other characters. a2 is the password length for passwords that contain 2 character classes. a3 is used for passphrases. a4 and a5 are the password lengths required when using 3 or 4 character classes respectively. It should be noted that the first and last character of the password do not count towards the character class count. So the password ‘Password’ has only 1 character class, while the password ‘PassWord’ has 2.

Note: each of the values a1 to a5 must be equal to or smaller than the value before it, so min=8,7,7,6,5 is valid but min=7,8,9,8,7 is not. If min=7,8,9,8,7 were used, the error ‘User name or password has an invalid format’ would be generated even if you used a single-class password with a length of 7 or more characters.

Sample changes to password complexity

1) To reduce the minimum password length to 6 characters, set min=6,6,6,6,6. As noted above, none of the values a1 to a5 may be larger than the value before it.

2) To disable the use of one- or two-class passwords, set min=disabled,disabled,8,8,6. Note that with this setting a password of ‘Password1’ would not be valid, as its character class count is only one. A password of ‘pAssw0rd’ has a class count of 3 and is therefore acceptable with a length of 8.

3) To turn off the enforcement of strong passwords, use the enforce option. Valid values for the option are none, users and everyone. If the common-password file is changed to the below, a single-character password will be allowed regardless of the settings for the min option.

#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6 enforce=none
password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
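The following Python model of the min= rule is an added illustration, not VMware's or passwdqc's code. It implements the rules described above: class counting that ignores the first and last character, a1/a2/a4/a5 selected by class count, a3 for passphrases, the "values must not increase" check, and the enforce option. The passphrase word count of 3 is an assumption taken from passwdqc's default, and the class counting follows the page's simplified description rather than passwdqc's exact rules.

```python
import math
import re
from typing import List, Optional, Union

MinValue = Union[int, str]   # an integer length, or the literal word "disabled"
PASSPHRASE_WORDS = 3         # assumption: passwdqc's default word count for a passphrase


def parse_min(option: str) -> List[MinValue]:
    """Parse 'min=a1,a2,a3,a4,a5' and apply the rule that no value may be
    larger than the one before it ('disabled' counts as infinitely large)."""
    match = re.fullmatch(r"min=([^\s,]+(?:,[^\s,]+){4})", option.strip())
    if not match:
        raise ValueError(f"expected min=a1,a2,a3,a4,a5, got {option!r}")
    values: List[MinValue] = []
    for field in match.group(1).split(","):
        if field == "disabled":
            values.append("disabled")
        elif field.isdigit():
            values.append(int(field))
        else:
            raise ValueError(f"bad min field {field!r}")
    numeric = [math.inf if v == "disabled" else v for v in values]
    for earlier, later in zip(numeric, numeric[1:]):
        if later > earlier:
            raise ValueError(f"{option!r}: values must not increase from a1 to a5")
    return values


def min_option_is_valid(option: str) -> bool:
    """True if ESXi would accept this min= setting under the rule above."""
    try:
        parse_min(option)
        return True
    except ValueError:
        return False


def character_classes(password: str) -> int:
    """Count character classes (lower, upper, digit, other), ignoring the
    first and last character as the text above describes."""
    found = set()
    for ch in password[1:-1]:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("other")
    return max(1, len(found))


# a1 applies to 1 class, a2 to 2 classes, a4 to 3 classes, a5 to 4 classes;
# a3 (index 2) is reserved for passphrases.
_CLASS_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}


def check_password(password: str, minimums: List[MinValue],
                   enforce: str = "everyone", is_root: bool = False) -> Optional[str]:
    """Return None if the password satisfies the policy, else a reason.
    enforce=none skips the check entirely; enforce=users skips it for root
    only (passwdqc's documented meaning of those values)."""
    if enforce == "none" or (enforce == "users" and is_root):
        return None
    length = len(password)
    classes = character_classes(password)
    required = minimums[_CLASS_INDEX[classes]]
    if required != "disabled" and length >= required:
        return None
    # Passphrase path (simplified): several space-separated words are judged
    # against a3 instead of the per-class minimum.
    phrase_min = minimums[2]
    if (len(password.split()) >= PASSPHRASE_WORDS
            and phrase_min != "disabled" and length >= phrase_min):
        return None
    if required == "disabled":
        return f"passwords with {classes} character class(es) are disabled"
    return f"{classes}-class password needs {required} characters, got {length}"


if __name__ == "__main__":
    policy = parse_min("min=disabled,disabled,8,8,6")
    for candidate in ("Password1", "pAssw0rd", "correct horse battery"):
        print(candidate, "->", check_password(candidate, policy) or "accepted")
```

Running it reproduces the two examples from the text: ‘Password1’ is rejected under min=disabled,disabled,8,8,6 because only one class counts, while ‘pAssw0rd’ passes with three classes and a length of 8.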

Source: vm-help.com

ESXi 4 Enable SSH

ESXi 4.0 does ship with the ability to run SSH, but it is disabled by default (and is not supported). If you only need to access the console of ESXi, you need to perform only steps 1 – 3.

1) At the console of the ESXi host, press ALT-F1 to access the console window.
2) Enter unsupported in the console and then press Enter. You will not see the text you type in.
3) If you typed in unsupported correctly, you will see the Tech Support Mode warning and a password prompt. Enter the password for the root login.
4) You should then see the prompt of ~ #. Edit the file inetd.conf (enter the command vi /etc/inetd.conf).
5) Find the line that begins with #ssh and remove the #. Then save the file. If you’re new to vi, move the cursor down to the #ssh line and press the Insert key. Move the cursor over one space and press Backspace to delete the #. Then press ESC and type :wq to save the file and exit vi. If you make a mistake, press the ESC key and then type :q! to quit vi without saving the file. Note: there are two lines for SSH in ESXi 4.0 – one for regular IP and the other for IPv6. Uncomment the line appropriate to the protocol you’ll use to access your host.
6) Once you’ve closed the vi editor, you can either restart the host or restart the inetd process. To restart inetd, run ps | grep inetd to determine the process ID of the inetd process. The output of the command will be something like 1299 1299 busybox inetd, where the process ID is 1299. Then run kill -HUP followed by that process ID (kill -HUP 1299 in this example) and you’ll then be able to access the host via SSH.

Tip – with some applications like WinSCP, the default encryption cipher used is AES. If you change that to Blowfish you will likely see significantly faster transfers.

Changing the port for SSH

To change the port for SSH, edit the file /etc/services and change the SSH port listed in the file. Save the file and repeat step 6 above.

Enable Telnet

The steps are the same as with SSH, but you’ll remove the # from the 2 telnet entries in /etc/inetd.conf. Enabling telnet is not recommended if security is a concern.

You can also download an oem.tgz file which will enable SSH (and FTP). Copy the file to a datastore with the VI client and then to bootbank with the command cp /vmfs/volumes//oem.tgz /bootbank/oem.tgz and then reboot.

Enable SSH access for a non-root account

Use the following process to enable SSH access for a non-root account:
1) Access SSH or the console with a root account.
2) Create a new account with the command useradd -M -d/ . This sets the home directory to / instead of requiring a /home directory.
3) Use the command passwd to set the password for your new login.
4) Edit the passwd file with vi /etc/passwd. In the entry for your new account, change the /bin/sh part to /bin/ash. Save the file and exit. See the example for the test1 user below.

root:x:0:0:Administrator:/:/bin/ash
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/:/sbin/nologin
dcui:x:100:100:DCUI User:/:/sbin/nologin
daemon:x:2:2:daemon:/:/sbin/nologin
vimuser:x:12:20:vimuser:/sbin:/sbin/nologin
test1:x:500:500:Linux User,,,:/:/bin/ash

You should now be able to connect with SSH using this new account.

Disable SSH access for the root account

If you have created non-root accounts for SSH access, you can also disable root access via SSH. Edit the /etc/inetd.conf file using the process described at the start of this page and add the option -w after the -i option. The line in inetd.conf will then look similar to the below.

ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -w -K60

Once you have made the change, save the file and run the kill -HUP command to restart the inetd process. You will now be able to log in with a non-root account, but will get access denied if you use the root account. Once you have established an SSH session with your non-root account, you can issue the command su - to switch to the root account.
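A small audit script, added here as an illustration rather than taken from the page's source, ties together the SSH, Telnet and root-login sections above: it parses an inetd.conf in the layout shown, reports which entries are enabled, whether telnet is on, and whether the dropbear line carries -w, and lists which /etc/passwd accounts have an interactive shell. The sample inetd.conf and passwd text are constructed; the telnetd program path and the tcp6 telnet line are assumptions.

```python
from typing import Dict, List

# Constructed sample of /etc/inetd.conf in the layout described above;
# the telnetd path and the tcp6 lines are assumptions, not real host output.
INETD_CONF = """\
# constructed sample, not taken from a real host
#ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60
ssh stream tcp6 nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -w -K60
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd
"""

# Constructed /etc/passwd excerpt modelled on the example above.
PASSWD = """\
root:x:0:0:Administrator:/:/bin/ash
dcui:x:100:100:DCUI User:/:/sbin/nologin
vimuser:x:12:20:vimuser:/sbin:/sbin/nologin
test1:x:500:500:Linux User,,,:/:/bin/ash
"""


def parse_inetd(text: str) -> List[Dict[str, object]]:
    """Return one record per service entry; a leading '#' marks it disabled."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # Real entries have at least service, type, proto, wait, user, program.
        if len(fields) < 6 or fields[1] not in ("stream", "dgram"):
            continue   # ordinary comment text, not a disabled entry
        service, _socktype, proto, _wait, user, program, *args = fields
        entries.append({"service": service, "proto": proto, "enabled": enabled,
                        "user": user, "program": program, "args": args})
    return entries


def audit_inetd(text: str) -> List[str]:
    """Findings for enabled entries: telnet presence and dropbear's -w flag."""
    findings: List[str] = []
    for e in parse_inetd(text):
        if not e["enabled"]:
            continue
        label = f"{e['service']}/{e['proto']}"
        if e["service"] == "telnet":
            findings.append(f"{label}: telnet enabled (cleartext logins)")
        elif e["service"] == "ssh":
            if "-w" in e["args"]:
                findings.append(f"{label}: ssh enabled, root login disabled (-w)")
            else:
                findings.append(f"{label}: ssh enabled, root login permitted (no -w)")
    return findings


def interactive_accounts(passwd_text: str) -> List[str]:
    """Accounts whose shell is not a nologin shell, i.e. able to log in over SSH."""
    users: List[str] = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and not parts[6].endswith("nologin"):
            users.append(parts[0])
    return users


if __name__ == "__main__":
    for finding in audit_inetd(INETD_CONF):
        print(finding)
    print("interactive accounts:", ", ".join(interactive_accounts(PASSWD)))
```

On a real host you would feed it the contents of /etc/inetd.conf and /etc/passwd instead of the constructed strings; the useful output is an enabled telnet entry, or an ssh entry without -w while non-root accounts exist.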

Source : vm-help.com

Unable to Mount ISOs to VMs after vSphere 4.1 Upgrade

Some people are experiencing issues mounting ISO files to VMs after performing a vSphere 4.0 to 4.1 upgrade. Symptoms include receiving the error message “The remote device on VMNAME connected to PathToISOFile is disconnected.” after attempting to mount an ISO file from within the vSphere client. This appears to be a client incompatibility issue related to the co-existence of vSphere Client 4.0 and 4.1 on the same machine. To resolve the issue:

  1. Uninstall vSphere Client 4.0
  2. Uninstall vSphere Host Update Utility 4.0 (if it is installed)
  3. Uninstall vSphere Client 4.1.
  4. Reinstall vSphere Client 4.1.
  5. Attempt to reconnect an ISO file to a VM using the vSphere Client.

I was experiencing this same issue and following the above steps cleared it up. Hope this helps other people out there.

Source : Jargon Technology

Installing VMWare Tools in SLES CLI

In the VMWare Infrastructure Client select VM -> Install/Upgrade VMware Tools

In the CLI type the following

mkdir /media/cdrom
mount /dev/cdrom /media/cdrom
rpm -Uhv /media/cdrom/VMwareTools-3.5.0-{version}.i386.rpm
SuSEconfig
vmware-config-tools.pl ( If you’re getting gcc errors, check this post )
/etc/init.d/network stop
rmmod pcnet32
rmmod vmxnet
depmod -ae
modprobe vmxnet
/etc/init.d/network start

Done

Install VMWare Tools under SLES 11 SP1

After installing SLES 11 SP1 under VMWare I wanted to install the VMWare Tools.
After the install you’ll have to run vmware-config-tools.pl

Running that gave me the following error.

None of the prebuilt vmmemctl modules for VMware Tools is suitable for your running kernel. Do you want this program to try to build the vmmemctl module for your system (you need to have a C compiler installed on your system)? [yes]

Solution: Press Y to continue the install process.

Missing Compiler Program

If the config.pl script cannot find a C compiler program on your system, one of the following messages appears:

* Unable to find the ‘gcc’ program.

Solution: Run the yast2 -i gcc command to install the packages needed to build the kernel modules.

* Setup is unable to find the ‘gcc’ program on your machine. Please make sure it is installed. Do you want to specify the location of this program by hand? [yes]

Solution: Provide the complete name of a binary ‘gcc’ file.

1. Press Y to continue. The following message appears: What is the location of the ‘gcc’ program on your machine?
2. Enter the complete name of the binary ‘gcc’ file. If you do not provide the complete name, the following message appears: The answer ‘’ is invalid. It must be the complete name of a binary file.

Locating and Installing the C Header Files

If the script cannot locate the C header files in the default directory, /lib/modules/ /build/include, the following message appears:

What is the location of the directory of C header files that match your running kernel?

Solution: In a terminal window, run the yast2 -i kernel-source command to install the C header files on your system.
After the script detects the header files, it will use them to build the kernel modules.

EVC incompatible hardware

I have two DL385 G5 HP servers with quad core AMD processors. When I edit the settings for the cluster the servers show as “Incompatible Hardware” for EVC.
This hardware should be compatible, so I started some research. Then I found this on the internet.

I just enabled the No-Execute Page-Protection on the advanced CPU settings and the hosts are no longer incompatible.

Using esxtop to identify storage performance issues

The esxtop utility can be used to measure how much I/O is moving across various devices. The esxtop utility is interactive. As such, pressing certain keys changes the view.

Configuring monitoring using esxtop

To monitor storage performance per HBA:

  1. Start esxtop by typing esxtop at the command line.
  2. Press d to switch to disk view (HBA mode).
  3. Press f to modify the fields that are displayed.
  4. Press b, c, d, e, h, and j to toggle the fields and press Enter.
  5. Press s, then 2 to alter the update time to every 2 seconds and press Enter.
  6. See Analyzing esxtop columns for a description of relevant columns.

To monitor storage performance per LUN:

Note: This option is only available in ESX 3.5 and later.

  1. Start esxtop by typing esxtop from the command line.
  2. Press u to switch to disk view (LUN mode).
  3. Press f to modify the fields that are displayed.
  4. Press b, c, f, and h to toggle the fields and press Enter.
  5. Press s, then 2 to alter the update time to every 2 seconds and press Enter.
  6. See Analyzing esxtop columns for a description of relevant columns.

To monitor storage performance per virtual machine:

Note: This option is only available in ESX 3.5 and later.

  1. Start esxtop by typing esxtop at the command line.
  2. Type v to switch to disk view (virtual machine mode).
  3. Press f to modify the fields that are displayed.
  4. Press b, d, e, h, and j to toggle the fields and press Enter.
  5. Press s, then 2 to alter the update time to every 2 seconds and press Enter.
  6. See Analyzing esxtop columns for a description of relevant columns.

Analyzing esxtop columns

The following table lists the relevant columns and a brief description of these values.

Column      Description
----------  ------------------------------------------------------------------
CMDS/s      The number of IOPS (Input/Output Operations Per Second) being sent to or coming from the device or virtual machine being monitored
DAVG/cmd    The average response time in milliseconds per command being sent to the device
KAVG/cmd    The amount of time the command spends in the VMkernel
GAVG/cmd    The response time as perceived by the guest operating system, calculated as GAVG = DAVG + KAVG

These columns cover both reads and writes, whereas xAVG/rd is for reads and xAVG/wr is for writes. The combined value of these columns is the best way to monitor performance, but a high read or write response time may indicate that the read or write cache is disabled on the array. All arrays perform differently, but DAVG/cmd, KAVG/cmd, and GAVG/cmd should not exceed 10 milliseconds (ms). These values should not exceed 20/30 ms for a sustained period of time.

Note: ESX 3.0.x cannot monitor individual LUNs or virtual machines. Many inactive LUNs on the HBA can lower the average of DAVG/cmd, KAVG/cmd, and GAVG/cmd. These values are also visible from the VirtualCenter performance charts. For more information, see Performance Charts in the Basic System Administration Guide. If you experience high latency times, look at the switches (either FC or TCP) and the SAN for errors that may indicate a delay in commands being sent to and acknowledged from the SAN. This includes the array’s ability to process I/Os from a spindle count aspect, or the array’s ability to handle the load being presented to it. If the response time goes over 5000 ms (or 5 seconds), SCSI aborts occur in the logs. If a command is sent to an array and is not acknowledged within 5000 ms, the command is aborted. Abort messages and other SCSI errors can be seen in the following logs:

  • ESX – /var/log/vmkernel
  • ESXi – /var/log/messages

The type of log messages you see in those files depends on your Advanced Options SCSI.Log* or SCSI.Print*. You can find the value of these options in Host > Configuration > Advanced Settings > SCSI > SCSI.Log* or SCSI.Print*.
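The thresholds above (10 ms as the ceiling, 20/30 ms not to be sustained, 5000 ms before SCSI aborts, and GAVG = DAVG + KAVG) lend themselves to a small check run over captured esxtop samples. The following is an added example, not part of the VMware KB article, working over constructed lines in the shape of the per-LUN disk view (interval, device, CMDS/s, DAVG/cmd, KAVG/cmd, GAVG/cmd); the device names and values are made up, and the three-sample window used to define "sustained" is an assumption.

```python
from typing import Dict, List, NamedTuple


class Sample(NamedTuple):
    interval: int
    device: str
    cmds_per_s: float
    davg: float
    kavg: float
    gavg: float


# Constructed sample lines in the shape of esxtop's per-LUN disk view
# (interval, device, CMDS/s, DAVG/cmd, KAVG/cmd, GAVG/cmd). Not real host output.
SAMPLE_LINES = """\
1 vmhba1:0:1 850.0  4.2 0.1  4.3
1 vmhba1:0:2 120.0 12.5 0.2 12.7
2 vmhba1:0:1 900.0  4.8 0.1  4.9
2 vmhba1:0:2 115.0 24.0 0.3 24.3
3 vmhba1:0:1 870.0  5.1 0.1  5.2
3 vmhba1:0:2 118.0 25.5 0.4 25.9
4 vmhba1:0:1 860.0  4.4 0.1  4.5
4 vmhba1:0:2 110.0 22.0 0.2 22.2
"""


def parse_samples(text: str) -> List[Sample]:
    """Turn whitespace-separated sample lines into Sample records; skip junk lines."""
    samples: List[Sample] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        samples.append(Sample(int(fields[0]), fields[1], *map(float, fields[2:])))
    return samples


def analyze(samples: List[Sample], warn_ms: float = 10.0, sustained_ms: float = 20.0,
            window: int = 3, abort_ms: float = 5000.0) -> Dict[str, List[str]]:
    """Per device: flag samples above warn_ms, a run of `window` consecutive
    samples above sustained_ms, samples past the abort threshold, and any
    sample where GAVG does not equal DAVG + KAVG."""
    by_device: Dict[str, List[Sample]] = {}
    for s in samples:
        by_device.setdefault(s.device, []).append(s)
    findings: Dict[str, List[str]] = {}
    for device, rows in by_device.items():
        notes: List[str] = []
        run: List[int] = []   # intervals in the current run above sustained_ms
        for s in sorted(rows):
            if abs(s.gavg - (s.davg + s.kavg)) > 0.15:
                notes.append(f"interval {s.interval}: GAVG {s.gavg} != DAVG + KAVG "
                             f"({s.davg + s.kavg:.1f})")
            if s.gavg > abort_ms:
                notes.append(f"interval {s.interval}: GAVG {s.gavg} ms exceeds "
                             f"{abort_ms} ms, SCSI aborts expected in the logs")
            elif s.gavg > warn_ms:
                notes.append(f"interval {s.interval}: GAVG {s.gavg} ms exceeds {warn_ms} ms")
            run = run + [s.interval] if s.gavg > sustained_ms else []
            if len(run) == window:
                notes.append(f"intervals {run[0]}-{run[-1]}: GAVG above {sustained_ms} ms "
                             f"for {window} consecutive samples")
        findings[device] = notes
    return findings


if __name__ == "__main__":
    for device, notes in analyze(parse_samples(SAMPLE_LINES)).items():
        print(device, "-> OK" if not notes else "")
        for note in notes:
            print("   ", note)
```

With the constructed data, vmhba1:0:1 stays under 10 ms throughout and produces no findings, while vmhba1:0:2 is flagged on every sample and additionally for three consecutive samples above 20 ms.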

Source : http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008205

VirtualCenter Passthrough Authentication

Tired of logging in to the Virtual Center Client? Try this…

A very useful, yet undocumented, feature of the Virtual Infrastructure Client is that it can be configured to automatically pass your Active Directory credentials without you typing them in. To use it: create a shortcut to the Virtual Infrastructure Client, then right-click on it and edit the shortcut properties. You’ll need to pass the program two arguments when calling it, like so:

"C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe" -passthroughAuth -s vc.yourdomain.com

Where “vc.yourdomain.com” is replaced with the DNS name for your VirtualCenter server.

Disk.UseLunReset and/or Disk.UseDeviceReset

Another setting often overlooked is Disk.UseLunReset and/or Disk.UseDeviceReset. ESX defaults to Disk.UseLunReset=1 and Disk.UseDeviceReset=1. This means that when a SCSI bus is reset, all SCSI reservations are cleared, not for a specific LUN but for the complete device. This is useful when one uses local storage, but within a VMware environment most companies use a SAN, and you don’t want to disrupt the entire SAN when it’s not necessary. You can set this via the command line, PowerShell and VirtualCenter:

  1. VirtualCenter -> Configuration Tab -> Advanced Settings -> Disk -> Disk.UseLunReset=1 , Disk.UseDeviceReset=0
  2. Get-VMHost | Set-VMHostAdvancedConfiguration -Name Disk.UseDeviceReset -Value 0
  3. Commandline -> esxcfg-advcfg -s 1 /Disk/UseLunReset
    Commandline -> esxcfg-advcfg -s 0 /Disk/UseDeviceReset

Source : http://www.yellow-bricks.com/2008/07/21/queuedepth-and-whats-next/

Interpreting esxtop Statistics

Table of Contents
Section 1. Introduction
Section 2. CPU
Section 2.1 Worlds and Groups
Section 2.2 Global Statistics
Section 2.3 World Statistics
Section 3. Memory
Section 3.1 Machine Memory and Guest Physical Memory
Section 3.2 Global Statistics
Section 3.3 Group Statistics
Section 4 Disk
Section 4.1 Adapter, Device, VM screens
Section 4.2 Disk Statistics
Section 4.2.1 I/O Throughput Statistics
Section 4.2.2 Latency Statistics
Section 4.2.3 Queue Statistics
Section 4.2.4 Error Statistics
Section 4.2.5 PAE Statistics
Section 4.2.6 Split Statistics
Section 4.3 Batch Mode Output
Section 5 Network
Section 5.1 Port
Section 5.2 Port Statistics
Section 6. Interrupt
Section 7. Batch Mode