Configuring DPM in vSphere 6

What is vSphere Distributed Power Management (DPM)?

Consolidation of physical servers into virtual machines that share host physical resources can result in significant reductions in the costs associated with hardware maintenance and power consumption.

vSphere Distributed Power Management provides additional power savings by dynamically consolidating workloads even further during periods of low resource utilization. Virtual machines are migrated onto fewer hosts and the unneeded ESX hosts are powered off.

When virtual machines are idle (after business hours) and ESXi host utilization is very low, vCenter suspends the server to save power and, when the workload warrants additional resources, resumes it. VMware DPM is an optional feature of VMware Distributed Resource Scheduler (DRS).

How does DPM actually work?

When you enable DPM on a cluster, vCenter Server can suspend an ESXi host during periods of low utilization, but bringing that ESXi host back into service when resource demand increases can only be done by another ESXi host.

ESXi Host Power Management Policies in vSphere 6

One of the advantages that virtualization brought with it was “POWER SAVINGS”, as it enabled administrators to consolidate workloads on fewer physical servers and thus save power and reduce the carbon footprint of the datacenter. Sunny Dua rightly mentioned in his blog that “Even before you start realizing the other benefits of virtualization, power bills is the first Opex savings which makes that return on investment on virtualization speak for itself”.

ESXi can take advantage of several power management features that the host hardware provides to adjust the trade-off between performance and power use. One obvious question that comes to mind is: if I can save more power by using the BIOS features and the hypervisor features to throttle down the CPU frequency, why should I not go for it?

The answer is that “selecting a high-performance policy provides more absolute performance, but at lower efficiency (performance per watt)”.

VCAP6-DCV Deploy Objective 4.1

Objective 4.1 of the VCAP6-Deploy exam covers the following topics:

  • Configure a HA Cluster to Meet Resource and Availability Requirements
  • Configure Custom Isolation Response Settings
  • Configure VM Component Protection (VMCP)
  • Configure HA Redundant Settings:
    • Management Network
    • Datastore Heartbeats
    • Network Partitions
  • Configure HA related Alarms and Analyze a HA Cluster
  • Configure Fault Tolerance for Single/Multi-vCPU Virtual Machines

We will look at these topics one by one.

Configure a HA Cluster to Meet Resource and Availability Requirements

vSphere HA provides high availability for virtual machines by pooling the virtual machines and the hosts they reside on into a cluster. Hosts in the cluster are monitored and, in the event of a failure, the virtual machines on a failed host are restarted on alternate hosts. When HA is configured on a cluster, an election process takes place that determines which host is the master; the remaining hosts are slaves.

The host elected as master communicates with vCenter and monitors the state of all protected VMs and of the other hosts in the cluster.

VCAP6-DCV Deploy Objective 8.1

Objective 8.1 of the VCAP6-Deploy exam covers the following topics:

  • Add/Edit/Remove Users on an ESXi Host
  • Configure vCenter Roles and Permissions
  • Configure and Manage Active Directory Integration
  • Analyze Logs for Security-Related Messages
  • Enable and Configure an ESXi Pass-Phrase
  • Disable the Managed Object Browser (MOB) to reduce attack surface

We will look at these topics one by one.

Add/Edit/Remove Users on an ESXi Host

The default built-in accounts included with a new ESXi installation are:

  • root user: Each ESXi host has a single root user with the Administrator role. This account can be used for local administration and to connect the host to vCenter.
  • vpxuser: vCenter Server uses this account when interacting with the hosts. vCenter Server has Administrator privileges on the hosts that it manages. The vCenter Server administrator can perform most of the same tasks on the host as the root user, but cannot directly create, delete, or edit local users and groups on hosts.

Password Policy for vSphere 6.0 Hosts

A complex password is the foremost requirement for any system that relies solely on a username and password (no RSA tokens or two-factor authentication) for authentication. On Windows or Unix/Linux based systems, administrators have long pushed complex password requirements via AD/LDAP.

A complex password ensures that the system is as little exposed as possible to unauthorized login attempts, and vSphere is no different from any other system in this regard.

With the release of vSphere 6, VMware enhanced their password policy and enforced more complex passwords for ESXi hosts and SSO. An ESXi host enforces password requirements for direct access from the DCUI, ESXi Shell, SSH and the vSphere Web Client.

ESXi uses the pam_passwdqc.so plug-in to set the password policy/rules. ESXi doesn’t place any complexity restrictions on the root account’s password. However, non-root accounts will be subject to the default rules defined in pam_passwdqc.so.

In previous releases of vSphere, ESXi host password complexity changes were made by editing the /etc/pam.d/passwd

Customize SSH and ESXi Shell Settings for Increased Security

The ESXi Shell provides access to maintenance commands and other configuration options. The ESXi Shell and SSH come in handy when there are tasks that can't be done through the Web Client or other remote management tools.

Enabling local and remote shell access on ESXi hosts

Log in to the vSphere Web Client, select an ESXi host, navigate to Manage > Settings > Security Profile Services and click Edit.

We can enable/disable the services below and also change their startup method:

  • Direct Console UI
  • ESXi Shell
  • SSH

Enabling SSH or the local shell through the DCUI

Go to the console of the host. Press F2 and enter the ESXi host credentials.

Select Troubleshooting Options and hit Enter on each service you want to enable/disable.


Configuring the Timeout For the ESXi Shell

By default the timeout setting for the ESXi Shell is disabled. The shell timeout setting allows you to specify how long an inactive session is left open.

Enable and Configure ESXi Host Lockdown Mode

To enhance the security of a virtualized environment, it is often advisable to limit direct access to ESXi hosts, and this is where lockdown mode comes into the picture. Lockdown mode is used on ESXi hosts to improve the security of hosts that are centrally managed by vCenter Server.

When the lockdown mode is enabled, the host is managed using the vSphere Client connected to the managing vCenter Server, VMware PowerCLI, or VMware vSphere Command-Line Interface (vCLI). The only difference is that access is authenticated through the vCenter Server instead of using a local account on the ESXi host.

When the lockdown mode is enabled, access to the host through SSH is unavailable except to configured exception users.

Lockdown mode in vSphere 6.0

With vSphere 6.0, VMware introduced several new lockdown mode concepts, listed below:

  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users

Let's look at these concepts one by one.

Configure SSL Timeouts on an ESXi Host

To authenticate against vCenter SSO, solution users use certificates to establish a secure connection. A solution user presents its certificate to vCenter SSO in three cases:

  • When the solution user authenticates against SSO for the very first time,
  • After a reboot, and
  • After a timeout has elapsed.

The timeout value can be set from the Web Client. The default value is 2592000 seconds (30 days). To change the default value, log in to the vSphere Web Client and navigate to Administration > Single Sign-On > Configuration > Policies > Token Policy.

On a few blogs I read the following steps for configuring SSL timeouts.

We can configure SSL timeouts for ESXi by editing a configuration file on the ESXi host.

Timeout periods can be set for two types of idle connections:

1: The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESXi.

2: The Handshake Timeout setting applies to connections that have not completed the SSL handshake process on port 443 of ESXi.

Enable/Disable Certificate Checking on an ESXi Host

The data that travels between clients and ESXi hosts is encrypted to ensure that the transactions are private and authenticated. SSL is used to create a secure connection between the clients, ESXi hosts, and/or the vCenter Server. SSL runs over TCP/IP and allows SSL-enabled ESXi hosts and/or vCenter Server to authenticate with SSL-enabled clients.

When an ESXi host or vCenter Server is installed, the installation includes SSL certificates. These preinstalled, auto-generated certificates are not from an official certificate authority (CA), but they can be used to establish an initial connection.

The vCenter Server uses an SSL certificate when adding ESXi hosts and to connect to managed ESXi hosts whose passwords are stored in the vCenter Server database. After an authenticated encrypted connection is established, a smaller session key is encrypted and exchanged using public and private key pairs.

This shared session key is then used to encrypt and decrypt the data between client and server.

Backup and Restore Resource Pool Configurations

When DRS is disabled on a cluster, all resource pools that are part of the cluster are removed, and the resource pool hierarchy and affinity rules are not re-established when DRS is turned back on.

So if you really need to disable DRS (for a maintenance activity, say) and want to spare yourself the pain of re-creating resource pools and reconfiguring shares, limits and so on, you can take a backup of the resource pools and restore it later, after completing the maintenance and enabling DRS again.

In my lab I created a resource pool named “RP-Edge” and placed one VM in this resource pool.


When you disable DRS on a cluster, vSphere gives you an opportunity to save the resource pool tree in a file which can be used later to restore the resource pool hierarchy.

Just click Yes on the warning window presented.

Save the file on your local PC.

At this point, the resource pool is gone and the Win-DR-Test VM is out of the resource pool.