VMware

Testing TCP Network Firewall Ports from ESXi

As we all transition to ESXi there are certain activities that we need to figure out a new way of doing. One item that comes up in new deployments is making sure that all of the ESXi –> firewall rules are defined correctly.

I do not believe that there is a way to do this from the SDK so its off to Tech Support Mode. Unfortunately there is no telnet, netcat, or other network tool that I typically use.

Python to the rescue:

#!/bin/env python
import sys
import os
from socket import *
 
def usage():
    print "USAGE: %s <host> <port>" % (sys.argv[0],)
    sys.exit(1)
 
# Check the # of parameters
if not len(sys.argv) == 3:
    usage()
 
# Check that the host and the port are appropriate.
try:
    host = sys.argv[1]
    port = int(sys.argv[2])
except:
    usage()
 
print "Attempting a TCP connection to host '%s' on port '%s'.\n" % (host, port)
try:
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
except Exception, e:
    print "Connection Failed: %s." % (e,)
else:
    print "Connection successful."

Python can also send UDP packets fairly easily, but since there is no connection the only way to tell if the traffic worked is to monitor it on in the network or on the destination side. As a result it is just as easy to do the operation that requires the port and if it fails, set up the traffic monitor.

Using PowerCLI to Uninstall vCenter Extensions

After finishing a CapacityIQ evaluation we wanted to uninstall the plug-in from vCenter. VMware KB article 1025360 shows how to do this, but it requires the Managed Object Browser. Per the security hardening guide we disabled the mob so this solution would not work as given. PowerCLI to the rescue.

Here are the steps given in the original article and how they translate into PowerCLI.

#1.In a web browser, navigate to http://<vcenter server name or IP>/mob.
#Where <vcenter server name or IP> is the name of your vCenter Server or its IP address.
Connect-VIServer vcenter001
 
#2.Click Content. 
#3.Click ExtensionManager. 
$em = Get-View ExtensionManager
 
#4.Select and copy the name of the plug-in you want to remove from the list of values under Properties. 
$em.ExtensionList | ft -Property Key
 
#5.Click UnregisterExtension. A new window appears. 
#6.Paste the name of the plug-in and click Invoke Method. This removes the plug-in.
$em.UnregisterExtension("extension key name")
 
#7.Close the window. 
#8.Refresh the Managed Object Type:ManagedObjectReference:ExtensionManager window to verify if the plug-in is removed successfully.
# Note that we need to refresh the data before listing the plugins
$em.UpdateViewData()
$em.ExtensionList | ft -Property Key
 
# Log out
Disconnect-VIServer

VMware PowerCLI 4.1.1 Cmdlets by Noun

Generated using this post.

Noun Verbs
AdvancedSetting Get,New,Remove,Set
AlarmAction Get,New,Remove
AlarmActionTrigger Get,New,Remove
AlarmDefinition Get,Set
Annotation Get,Set
CDDrive Get,New,Remove,Set
Cluster Get,Move,New,Remove,Set
CustomAttribute Get,New,Remove,Set
CustomField New,Remove,Set
Datacenter Get,Move,New,Remove,Set
Datastore Get,New,Remove,Set
DatastoreItem Copy
DrsRecommendation Apply,Get
DrsRule Get,New,Remove,Set
ErrorReport Get
EsxCli Get
EsxTop Get
FloppyDrive Get,New,Remove,Set
Folder Get,Move,New,Remove,Set
HAPrimaryVMHost Get
HardDisk Copy,Get,New,Remove,Set
Inventory Get,Move,Remove
IScsiHbaTarget Get,New,Remove,Set
Log Get
LogType Get
NetworkAdapter Get,New,Remove,Set
NicTeamingPolicy Get,Set
OSCustomizationNicMapping Get,New,Remove,Set
OSCustomizationSpec Get,New,Remove,Set
PassthroughDevice Add,Get,Remove
PowerCLIConfiguration Get,Set
PowerCLIVersion Get
ResourcePool Get,Move,New,Remove,Set
ScsiController Get,New,Set
ScsiLun Get,Set
ScsiLunPath Get,Set
Snapshot Get,New,Remove,Set
Stat Get
StatInterval Get,New,Remove,Set
StatType Get
Task Get,Stop,Wait
Template Get,Move,New,Remove,Set
Tools Dismount,Mount,Update,Wait
UsbDevice Get,Remove
VApp Export,Get,Import,New,Remove,Set,Start,Stop
VICredentialStoreItem Get,New,Remove
VIEvent Get
View Get
VIObjectByVIView Get
VIPermission Get,New,Remove,Set
VIPrivilege Get
VIProperty New,Remove
VIRole Get,New,Remove,Set
VirtualPortGroup Get,New,Remove,Set
VirtualSwitch Get,New,Remove,Set
VIServer Connect,Disconnect
VM Get,Move,New,Remove,Restart,Set,Start,Stop,Suspend
VMGuest Get,Restart,Shutdown,Suspend
VMGuestFile Copy
VMGuestNetworkInterface Get,Set
VMGuestRoute Get,New,Remove
VMHost Add,Get,Move,Remove,Restart,Set,Start,Stop,Suspend
VMHostAccount Get,New,Remove,Set
VMHostAdvancedConfiguration Get,Set
VMHostAvailableTimeZone Get
VMHostDiagnosticPartition Get,Set
VMHostDisk Get
VMHostDiskPartition Format,Get
VMHostFirewallDefaultPolicy Get,Set
VMHostFirewallException Get,Set
VMHostFirmware Get,Set
VMHostHba Get,Set
VMHostModule Get,Set
VMHostNetwork Get,Set
VMHostNetworkAdapter Get,New,Remove,Set
VmHostNtpServer Add,Get,Remove
VMHostPatch Get,Install
VMHostProfile Apply,Export,Get,Import,New,Remove,Set
VMHostProfileCompliance Test
VMHostRoute Get,New,Remove,Set
VMHostService Get,Restart,Set,Start,Stop
VMHostSnmp Get,Set,Test
VMHostStartPolicy Get,Set
VMHostStorage Get,Set
VMHostSysLogServer Get,Set
VMQuestion Get,Set
VMResourceConfiguration Get,Set
VMScript Invoke
VMStartPolicy Get,Set

VMware PowerCLI 4.1 Cmdlets Summarized by Noun

Here is the list of VMware PowerCLI cmdlets ordered by noun. I find this easier to use when I am trying to write scripts. You can locate what items you want to work with and then see the action you can take. This post contains the code used to generate the list.

Noun Verbs
Annotation Get,Set
CDDrive Get,New,Remove,Set
Cluster Get,Move,New,Remove,Set
CustomAttribute Get,New,Remove,Set
CustomField New,Remove,Set
Datacenter Get,Move,New,Remove,Set
Datastore Get,New,Remove,Set
DatastoreItem Copy
DrsRecommendation Apply,Get
DrsRule Get,New,Remove,Set
ErrorReport Get
FloppyDrive Get,New,Remove,Set
Folder Get,Move,New,Remove,Set
HardDisk Copy,Get,New,Remove,Set
Inventory Get,Move,Remove
IScsiHbaTarget Get,New,Remove,Set
Log Get
LogType Get
NetworkAdapter Get,New,Remove,Set
NicTeamingPolicy Get,Set
OSCustomizationNicMapping Get,New,Remove,Set
OSCustomizationSpec Get,New,Remove,Set
PassthroughDevice Add,Get,Remove
PowerCLIConfiguration Get,Set
PowerCLIVersion Get
ResourcePool Get,Move,New,Remove,Set
ScsiLun Get,Set
ScsiLunPath Get,Set
Snapshot Get,New,Remove,Set
Stat Get
StatInterval Get,New,Remove,Set
StatType Get
Task Get,Stop,Wait
Template Get,Move,New,Remove,Set
Tools Dismount,Mount,Update
UsbDevice Get,Remove
VApp Export,Get,Import,New,Remove,Set,Start,Stop
VICredentialStoreItem Get,New,Remove
VIEvent Get
View Get
VIObjectByVIView Get
VIPermission Get,New,Remove,Set
VIPrivilege Get
VIProperty New,Remove
VIRole Get,New,Remove,Set
VirtualPortGroup Get,New,Remove,Set
VirtualSwitch Get,New,Remove,Set
VIServer Connect,Disconnect
VM Get,Move,New,Remove,Restart,Set,Start,Stop,Suspend
VMGuest Get,Restart,Shutdown,Suspend
VMGuestFile Copy
VMGuestNetworkInterface Get,Set
VMGuestRoute Get,New,Remove,Set
VMHost Add,Get,Move,Remove,Restart,Set,Start,Stop,Suspend
VMHostAccount Get,New,Remove,Set
VMHostAdvancedConfiguration Get,Set
VMHostAvailableTimeZone Get
VMHostDiagnosticPartition Get,Set
VMHostFirewallDefaultPolicy Get,Set
VMHostFirewallException Get,Set
VMHostFirmware Get,Set
VMHostHba Get,Set
VMHostModule Get,Set
VMHostNetwork Get,Set
VMHostNetworkAdapter Get,New,Remove,Set
VmHostNtpServer Add,Get,Remove
VMHostPatch Get,Install
VMHostProfile Apply,Export,Get,Import,New,Remove,Set
VMHostProfileCompliance Test
VMHostRoute Get,New,Remove,Set
VMHostService Get,Restart,Set,Start,Stop
VMHostSnmp Get,Set,Test
VMHostStartPolicy Get,Set
VMHostStorage Get,Set
VMHostSysLogServer Get,Set
VMQuestion Get,Set
VMResourceConfiguration Get,Set
VMScript Invoke
VMStartPolicy Get,Set

Quick and dirty PowerPath/VE output parser

Here is a quick and dirty PowerShell script to parse the output of the rpowermt command used to manage PowerPath/VE on ESX (for EMC arrays). I wrote the code quickly to solve a particular problem, but if I get requests I could extend it to parse the rest of the output and do so in a little more robust fashion.

Why do this? I am in the middle of migrations between frames and I needed an easy way to determine what needed moved when the storage admin said move all LUNs from CLARiiON XXXX to the new LUNs on YYYY – and make sure to move LUN 41 to LUN 88.

By parsing the output of rpowermt I could more easily determine the ID of the LUNs they indicated and map that to the extent properties of my datastores to determine what needed to move.

Two step usage:

  1. rpowermt host=esx001 display dev=all > esx001_lundata.txt
  2. $lunInfo = .\SimplePowerVeParse esx001_lundata.txt

Alternate ways of accomplishing the same thing:

  1. The Storage Viewer plugin from EMC would be helpful in determining this from the GUI, but due to political reasons this is not yet deployed in production.
  2. I originally wanted to try and talk to the CIM provider for PowerPath, but quickly found that the Get-WSManInstance¬†cmdlet’s authentication assumptions were very Windows centric.

The script (more…)

Recovering from lockdown mode, a corrupt vCenter, and no DCUI

One of the worst case scenarios when securing an ESXi host is disabling the DCUI, enabling lockdown mode, and then losing vCenter for some reason. If your vCenter database is corrupt then you have lost the ability to manage the host. The official answer at this point is to rebuild the host. While I hope you have an automated build process that would make this easy, there is at least one other option to recover your system.

DISCLAIMER: This is not supported or endorsed by VMware. The steps below assume that you have experience with Linux system administration. The official solution is to rebuild your host.

A quick refresher on lockdown mode: When you enable lockdown mode the system removes the permissions for all of the standard users except the vpxuser account which is what vCenter uses to manage the system.

Here are the steps to be able to manage your system again:

  1. Shut the host down. Yes, that means a hard crash for the host and any running VMs.
  2. Reset the password for the vpxuser account to a known value. Here is  an article from Bernhard Bock on doing it for root. The details in the instructions might vary slightly from your environment, but should be enough to get someone experienced with *nix pointed in the right direction. Use this process to reset the vpxuser account instead of the root account.
  3. Add the host into your vCenter inventory using the vpxuser account.
  4. The following steps may not be necessary, but if you are going to run with lockdown mode disabled from now on I would do them just in case the system does not clean up everything properly on a host add.
    1. Enable lockdown mode
    2. Disable lockdown mode

If you see issues with this process or have other ideas on how to recover the host in this situation please add a comment or send me an email so I can update the post.

VMware PowerShell Get-VIHumanReadablePath

An example of how to get the human readable path of an object in the VMware SDK. This is using PowerShell and requires that PowerCLI be installed, but should be easily converted to other languages.

Function Get-VIHumanReadablePath
{
    param
    (
        $target
    )
 
    try
    {
        if ($target.GetType().BaseType -ne [VMware.Vim.ManagedEntity])
        {
            $target = $target | Get-View -ErrorAction SilentlyContinue
        }
    }
    catch
    {
        $target = $null
    }
 
    if (!$target)
    {
        throw "Get-VIHumanReadablePath: Could not get the Managed Entity representation of -target"
    }
 
    $path = $target.Name
    while ($target.Parent)
    {
        $target = Get-View $target.Parent  
        $path = $target.Name + "/" + $path           
    }
 
    $path
}

Example usage

Get-VIHumanReadablePath (Get-Folder Linux)
Get-VIHumanReadablePath (Get-VM LinuxTemp01)
Get-VIHumanReadablePath (Get-VM LinuxTemp01 | Get-View)
Get-VIHumanReadablePath (Get-ResourcePool Prod)
Get-VIHumanReadablePath (Get-VM LinuxTemp01 | Get-ResourcePool)
Get-VIHumanReadablePath (Get-VMHost esx001.local)

VMware Update Manager: Different non-critical host updates for Nexus

I have 5 difference vCenter servers installed over various timeframes and I am seeing different counts for the Non-Critical Host Updates across them. After some digging it appears that this is due to the Nexus 1000v updates.

We have not deployed the Nexus to production yet so this was a little confusing for me. It appears that when Update Manager is installed it downloaded the patches for the Nexus 1000v, but they are not included in the updates that are downloaded because we have none running in the environment and Update Manager was not configured to download them.

For consistency across my environments I have enabled the custom patch download source for Cisco. The URL ends in csco-main-index.xml. This does not change functionality for our deployment, but it quiets the gnawing thought that we are applying different patches to our environments.