Installation (ESX)
Build Notes
- ESX3 Installation - Example, based on an old ESX v3 build guide
- ESX4i Installation - Example, bit brief in places
- HeavyLoad - Load tester (stick it in a test VM, memory test doesn't really work as ESX page sharing kicks in)
Build Numbers
ESX build numbers, note that installing subsequent patches, on top of one of the major releases below will increase the build number.
| ESX version | ESX | ESXi |
|---|---|---|
| 3.5 Update 1 | 82663 | 82664 |
| 3.5 Update 2 | 110268 | 110271 |
| 3.5 Update 3 | 123630 | 123629 |
| 3.5 Update 4 | 153875 | |
| 3.5 Update 5 | 207095 | |
| 4.0 | 164009 | |
| 4.0 Update 1 | 208167 | |
| 4.0 Update 2 | 261974 | |
| 4.0 Update 3 | 398348 | |
| 4.0 Update 4 | 504850 | |
| 4.1 | 260247 | |
| 4.1 Update 1 | 348481 | |
| 4.1 Update 2 | 502767 | |
| 4.1 Update 3 | 800380 | |
| 5.0 | 469512 | |
| 5.0 Update 1 | 623860 | |
| 5.1 | 799733 | |
USB Image
If you're installing ESXi 4 then you don't need to do this, the installer will detect the USB stick and install to it.
Required software etc...
- WinImage - http://www.winimage.com/download.htm
- DD - http://www.chrysocome.net/dd
- ESXi install ISO
- Disk Cloner, eg G4U - http://www.feyrer.de/g4u/
- Ideally use a cloner that ignores the actual disk contents and does a block by block copy, anything that tries to interpret the disk image may not copy it faithfully
- You must be able to connect two image files remotely to your server, a disk cloner CD ISO, and the image USB ISO (hint: use the floppy drive).
Creating the USB image file
- Open up the ISO with WinImage
- Extract the
INSTALL.TGZfrom the ISO - Uncompress
INSTALL.TGZand locate.\INSTALL\usr\lib\vmware\installer\VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd.bz2 - Uncompress
VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd.bz2so that you haveVMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd - Create ISO image from DD image by using DD
dd bs=1M if=VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd of=esx3.5ihp-usbimage.iso
Deploying the USB image file
- Attach your disk cloner image to your server and boot
- Once the the server is booting to the CD ISO, attach the USB ISO
- List the avaialble disks
list
- Identify the image disk (which is 750MB) and the USB disk (which will be whatever size your USB key is)
- Copy the image to the USB key
copydisk sd1 sd0
- Disconnect all images, reboot server, cross fingers
reboot
VMware CLI
Especially if using ESXi, you'll need to install the VMware CLI on any machine you want to access the ESX command line from. Be aware that ActivePerl gets installed as well, so proceed with caution if you've already got Perl installed on the machine.
Security Hardening
Service Console
Applicable to ESX only (not ESXi, as ESXi doesn't have a service console)
Disk Partitions
Suggesting partition sizing for Service Console on local disk to prevent Root partition being filled with user data
part /boot --fstype ext3 --size 1024 --ondisk=sda --asprimary part / --fstype ext3 --size 5120 --ondisk=sda --asprimary part swap --size 2048 --ondisk=sda --asprimary part /var --fstype ext3 --size 5120 --ondisk=sda part /tmp --fstype ext3 --size 5120 --ondisk=sda part /home --fstype ext3 --size 2048 --ondisk=sda part None --fstype vmkcore --size 100 --ondisk sda
Local Accounts
Password Policy
No policy is implemented by default, if not using AD Integration then its sensible to apply a policy on the ESX, using the PAMQC module. Its not particularly elegant.
Active Directory Integration
Because service console authentication is Unix-based, it cannot use Active Directory to define user accounts. However, it can use Active Directory to authenticate users by matching local passwd file account name with Active directory with appropriate support of SFU (Services For Unix).
See Scott Lowe's blog for further info
Sudo
It is possible to limit the enhanced privileges that a user can gain by using sudo. This is most appropriate where there is a large number admins. However, in such an environment there is likely to be a large number of ESX's, managing the config on ESX is a headache.
Example of possible sudo config (/etc/sudoers)
... # Defaults specification Defaults logfile=/var/log/sudolog # User privilege specification root ALL=(ALL) ALL User_Alias VI_JR_ADMINS=esxoper, esxoper2 User_Alias VI_ADMINS=esxadmin Cmnd_Alias STOP=/usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/poweroff Cmnd_Alias REBOOT=/usr/sbin/reboot Cmnd_Alias KILL=/usr/bin/kill Cmnd_Alias NTP=/usr/sbin/ntpdate, /sbin/hwclock VI_JR_ADMINS ALL=STOP, REBOOT, KILL, NTP VI_ADMINS ALL=(ALL) ALL ...
Logging
It is recommended to compress and increase the maximum log file size by modifying the configuration files in the /etc/logrotate.d directory and the /etc/logrotate.conf file.
For example, changing vmkwarning to be 2096k in size, and compressed...
[root@dtcp-esxsvce01b root]# more /etc/logrotate.d/vmkwarning
/var/log/vmkwarning{
create 0600 root root
missingok
compress
sharedscripts
postrotate
size 2096k
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
...and changing relevent part of /etc/logrotate.conf to allow compression...
... # uncomment this if you want your log files compressed compress ...
Finally, its worth redirecting sudo log activity to /var/log/sudolog, see above section on sudo.
Banners
There are three modes of direct management access to an ESX, web, ssh, and direct (local) console.
Web Access
Edit the html page /usr/lib/vmware/hostd/docroot/index.html
SSH
Edit the /etc/ssh/sshd_config file so that it knows to display a defined banner file during login...
Banner /etc/banner
Create the banner file with the appropriate contents.
Console
Prepend your banner to the /etc/issue file
ESX
Network Settings
| Setting | Default | Preferred | Explanantion |
|---|---|---|---|
| Promiscuous Mode | Reject | Reject | Principally used in situations where you need to perform a network traffic (snif) capture. Data from all ports propagates to all ports (VM Port group becomes a hub rather than a switch) |
| MAC address changes | Accept | Reject | There are situations where allowing MAC Address Changes to Accept is required. For example; legacy applications, clustered environments, and licensing. Legacy applications may require a specific MAC addresses to be used for the application. Microsoft Clusters utilize an artificial MAC address for all servers in the cluster |
| Forged Transmits | Accept | Reject | The setting affects traffic transmitted from a virtual machine. If this option is set to reject, the virtual switch compares the source MAC address being transmitted by the operating system with the effective MAC address for its virtual network adapter to see if they are the same. If the MAC addresses are different, the virtual switch drops the frame. The guest operating system will not detect that its virtual network adapter cannot send packets using the different MAC address. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject |