Hardening Virtual Machine Security

Securing virtual machines in a virtualized environment is as important as securing physical servers. In this post we will cover a few techniques for hardening virtual machine security, although it is not possible to cover everything in a single post.

1: Remove Unnecessary Hardware Devices

If you have worked inside a datacenter, you might have noticed that none of the physical servers are equipped with a CD-ROM or floppy drive. This is done intentionally so that no one can use these removable devices to perform actions they are not authorized to perform.

Virtual machines are no different from physical servers, and it is equally important to make sure external devices are attached to a VM only when they are actually needed; as soon as the work is completed, dismount/remove any floppy drives or CD-ROM drives.

Force the VM to boot into the BIOS and disable any serial ports, parallel ports or the floppy disk controller.

List services registered with SSO in vSphere 6

The methods for listing services registered with SSO in vSphere 5.x and 6.x are very different. In vSphere 5.x, the list of registered services can be found by running the command ssolscli.cmd.

In vSphere 6 a new Python script, lstool.py, was introduced for this purpose; it can be found in the directory /usr/lib/vmidentity/tools/scripts/.

If you are using the vCSA and vCenter is deployed with an external PSC, log in to the PSC node as the root user and run the command below to see the list of available options.

You will see the output below.

Now, to see the list of services currently registered with your SSO, run the command below:

You will see output similar to the following.

For a Windows-based vCenter installation, use the command below.


VCAP6-DCV Deploy Objective 4.3

Objective 4.3 of the VCAP6-Deploy exam covers the following topics:

  • Analyze and resolve DRS/HA faults
  • Troubleshoot DRS/HA configuration issues
  • Troubleshoot Virtual SAN/HA interoperability
  • Resolve vMotion and storage vMotion issues
  • Troubleshoot VMware Fault Tolerance

We will discuss each topic one by one.

Analyze and resolve DRS/HA faults

DRS faults can be viewed from the Web Client by selecting Cluster > Monitor > vSphere DRS > Faults.

HA issues can be viewed from the Web Client by selecting Cluster > Monitor > vSphere HA > Configuration Issues.

The Issues tab also lists HA and DRS issues collectively.

Common DRS faults are:

  • Virtual Machine is Pinned: DRS cannot move the VM because DRS is disabled on that VM.
  • Virtual Machine Not Compatible with ANY Host: This fault occurs when DRS cannot find a host that can run the VM. This might mean that there are not enough physical compute resources or disk available to satisfy the VM’s requirements.

VCAP6-DCV Deploy Objective 6.2

Objective 6.2 of the VCAP6-Deploy exam covers the following topics:

  • Adjust Virtual Machine properties according to a deployment plan:
    • Network configurations
    • CPU configurations
    • Storage configurations
  • Troubleshoot Virtual Machine performance issues based on application workload
  • Modify Transparent Page Sharing and large memory page settings
  • Optimize a Virtual Machine for latency sensitive workloads
  • Configure Flash Read Cache reservations

We will discuss these topics one by one.

Adjust Virtual Machine properties according to a deployment plan

This topic could mean a lot of things. A lot of information on it can be found in the vSphere 6 Resource Management Guide. We will start with the networking topic.

Networking Configurations

ESXi networking features provide communication between virtual machines on the same host, between virtual machines on different hosts, and between other virtual and physical machines. Virtual machines are equipped with vNICs, and the type of vNIC depends on the guest OS chosen at the time of VM creation.

VCAP6-DCV Deploy Objective 6.1

Objective 6.1 of the VCAP6-Deploy exam covers the following topics:

  • Configure esxtop / resxtop custom profiles
  • Evaluate use cases for and apply esxtop / resxtop Interactive, Batch and Replay modes
  • Use esxtop / resxtop to collect performance data
  • Given esxtop / resxtop output, identify relative performance data for capacity planning purposes

Before discussing these topics, I want to cover a few basics of the vSphere Management Assistant (vMA), as we will be using it to perform a few of the tasks listed in this objective.

What is vSphere Management Assistant (vMA)?

The vSphere Management Assistant (vMA) is a virtual machine that includes prepackaged software such as a Linux distribution, the vSphere command-line interface, and the vSphere SDK for Perl. Basically it is the missing service console for ESXi, but it is more than that too.

This allows administrators to run scripts or agents that interact with ESX/ESXi and vCenter Server systems without having to explicitly authenticate each time.

VCAP6-DCV Deploy Objective 5.4

Objective 5.4 of the VCAP6-Deploy exam covers the following topics:

  • Create a Global User
  • Create a Content Library
  • Subscribe to a Content Library
  • Configure a Content Library for space efficiency
  • Synchronize a subscribed Content Library

Create a Global User

vSphere objects inherit permissions from a parent object in the hierarchy. Content libraries work in the context of a single vCenter Server instance. However, content libraries are not direct children of a vCenter Server system from an inventory perspective. The direct parent for content libraries is the global root.

This means that if you set a permission at the vCenter Server level and propagate it to the child objects, the permission applies to data centers, folders, clusters, hosts, virtual machines, and so on, but does not apply to the content libraries that you see and operate with in this vCenter Server instance.

To allow a user to manage a content library and its items, an administrator can assign the Content Library Administrator role to that user as a global permission.

VCAP6-DCV Deploy Objective 5.3

Objective 5.3 of the VCAP6-Deploy exam covers the following topics:

  • Generate vSphere log bundles
  • Configure and test centralized logging
  • Analyze log entries to obtain configuration information
  • Analyze log entries to identify and resolve issues
  • Configure logging levels for vSphere

Generate vSphere log bundles

There are various ways to view or generate log bundles for an ESXi host and vCenter Server. We will look at them one by one, starting with ESXi host logs.

1: From the DCUI

2: ESXi host web browser: https://esxi_fqdn_or_ip/host

3: C# client: connect directly to the ESXi host and, from the Home menu, click System Logs.

From the drop-down menu, select the log and entry you want to view.

4: Web Client: log in to the vSphere Web Client, select a vCenter Server from the inventory, navigate to Monitor > System Logs, click Export System Logs and select an ESXi host from the list. Optionally, you can include vCenter Server and Web Client logs along with the host logs.

VCAP6-DCV Deploy Objective 5.2

Objective 5.2 of the VCAP6-Deploy exam covers the following topics:

  • Use Profile Editor to edit and / or disable policies
  • Create and apply host profiles
  • Use Host Profiles to deploy vDS
  • Use Host Profiles to deploy vStorage policies
  • Import / Export Host Profiles
  • Manage Answer Files
  • Configure stateful caching and installation for host deployment

Use Profile Editor to Edit and/or Disable Policies

I am not going to cover the basics of host profiles, as I have already written an article on what a host profile is and what it does.

Host Profiles can be managed via the vSphere Web Client. To edit an existing Host Profile, log in to the vSphere Web Client, navigate to Policies and Profiles > Host Profiles, right-click an existing profile and select Edit Settings.

From here you can add or remove individual configuration items as per your requirements.

Create and apply host profiles

To create a new Host Profile, log in to the Web Client, navigate to Policies and Profiles > Host Profiles and click the green (+) button to add a new profile.

VCAP6-DCV Deploy Objective 5.1

Objective 5.1 of the VCAP6-Deploy exam covers the following topics:

  • Install and configure vSphere PowerCLI
  • Use basic and advanced PowerCLI Cmdlets to manage a vSphere deployment
  • Analyze a sample script, then modify the script to perform a given action
  • Use PowerCLI to configure and administer Auto Deploy (including Image Builder)
  • Create a report from a PowerCLI script

Let's walk through each topic one by one.

Install and configure vSphere PowerCLI

Installation of PowerCLI is pretty straightforward. Just run the installer and click Next through the wizard.

Once the installation is complete, we need to set the execution policy before executing any command via PowerCLI.

Set the execution policy by running the command: Set-ExecutionPolicy RemoteSigned

The current execution policy can be checked by running the command: Get-ExecutionPolicy

Use basic and advanced PowerCLI Cmdlets to manage a vSphere deployment

It is not possible to show all PowerCLI commands here, as the list is very long.

Virtual Machine Automation Level in a DRS Cluster

By default, when you enable DRS on a cluster, the automation level selected at the cluster level applies to all VMs residing in that cluster. If you wish, you can configure the automation level per VM to satisfy your environment's requirements.

Remember: The more individual changes you make, the more management overhead you add, as well as potentially reducing the effectiveness of DRS.

The three automation levels available with DRS are:

  • Manual: vCenter will only recommend moving resources.
  • Partially Automated: When a VM is created or powered on, vCenter automatically places the VM on the best host so as to maintain cluster balance. Once the VM is powered on, vCenter presents migration recommendations for the vSphere administrator to approve when a cluster imbalance occurs.
  • Fully Automated: In this mode, vCenter takes full control of initial placement and VM migrations and does not present any recommendations for the administrator to approve.