Installation (ESX): Difference between revisions

From vwiki
m (Added "Password Complexity Disable")
m (→‎Build Numbers: Added v5.1 build)
 
(87 intermediate revisions by the same user not shown)
Sections present only in the earlier revision (not in the latest revision, which is rendered below):

== Password Complexity Disable ==
In order to be able to change a user (or root) password to one that breaches password complexity checking:
# Disable PAM module
#* <code> esxcfg-auth --usepamqc -1 -1 -1 -1 -1 -1 </code>
# Disable complexity checker
#* <code> esxcfg-auth --usecrack -1 -1 -1 -1 -1 -1 </code>
# Change password
# Re-enable PAM module
#* <code> esxcfg-auth --usepamqc=-1 -1 -1 -1  8 8 </code>

== HBA and SAN Operations ==
=== HBAnywhere Installation ===
# Download the Driver and Application kit for VMware from [http://www.emulex.com/downloads/emulex/cnas-and-hbas/drivers/vmware/fc-74040-pkg.html Emulex's website].
#* At time of writing the current version of the package was <code>elxvmwarecorekit-esx35-4.0a45-1.i386.rpm</code>
# Copy the package to the server
#* EG <code> pscp -pw [password] elxvmwarecorekit-esx35-4.0a45-1.i386.rpm platadmn@dtcp-esxsvce01a:/home/platadmn</code>
# Install the package
#* EG <code> rpm -ivh elxvmwarecorekit-2.1a42-1.i386.rpm </code>

=== HBA Firmware Upgrade ===
Requires HBAnywhere to be installed first, see [[#HBAnywhere Installation|HBAnywhere Installation]] for further info.
# Download the correct firmware version from Emulex's website
#* EG for [http://www.emulex.com/downloads/emulex/cnas-and-hbas/firmware-and-boot-code/lpe11002.html LPe11002's]
# Extract, and copy the file to the server
# Find the adapter's WWPNs
#* EG <code>/usr/sbin/hbanyware/hbacmd ListHBAs</code>
# Download the new firmware version to each HBA
#* EG <code>/usr/sbin/hbanyware/hbacmd download 10:00:00:00:c9:82:97:9e zf280a4.all</code>

=== EMCgrab Collection ===
# Download the correct version from EMC's website
#* At time of writing the current version file was [ftp://ftp.emc.com/pub/emcgrab/ESX/Old_Releases/v1.1/ emcgrab_ESX_v1.1.tar]
# Copy to server
#* EG <code>pscp emcgrab_ESX_v1.1.tar platadmn@dtcp-esxsvce02a:/home/platadmn</code>
# Uncompress the file
#* EG <code>tar -xvf emcgrab_ESX_v1.1.tar</code>
# Run grab (can take a few minutes, best done out of hours)
#* EG <code>./emcgrab.sh</code>
# Results can be found in the <code>\emcgrab\outputs</code> folder

[[Category:VMware]]

Latest revision as of 11:14, 24 September 2012

Build Notes

  • ESX3 Installation - Example, based on an old ESX v3 build guide
  • ESX4i Installation - Example, bit brief in places
  • HeavyLoad - Load tester (stick it in a test VM, memory test doesn't really work as ESX page sharing kicks in)

Build Numbers

ESX build numbers. Note that installing subsequent patches on top of one of the major releases below will increase the build number.

ESX version    ESX      ESXi
3.5 Update 1   82663    82664
3.5 Update 2   110268   110271
3.5 Update 3   123630   123629
3.5 Update 4   153875   153875
3.5 Update 5   207095   207095
4.0            164009   164009
4.0 Update 1   208167   208167
4.0 Update 2   261974   261974
4.0 Update 3   398348   398348
4.0 Update 4   504850   504850
4.1            260247   260247
4.1 Update 1   348481   348481
4.1 Update 2   502767   502767
4.1 Update 3   800380   800380
5.0            469512   469512
5.0 Update 1   623860   623860
5.1            799733   799733

(From 3.5 Update 4 onwards a single build number covers both ESX and ESXi.)

USB Image

If you're installing ESXi 4 then you don't need to do this, the installer will detect the USB stick and install to it.

Required software etc...

  • WinImage - http://www.winimage.com/download.htm
  • DD - http://www.chrysocome.net/dd
  • ESXi install ISO
  • Disk Cloner, eg G4U - http://www.feyrer.de/g4u/
    • Ideally use a cloner that ignores the actual disk contents and does a block by block copy, anything that tries to interpret the disk image may not copy it faithfully
  • You must be able to connect two image files remotely to your server, a disk cloner CD ISO, and the image USB ISO (hint: use the floppy drive).

Creating the USB image file

  1. Open up the ISO with WinImage
  2. Extract the INSTALL.TGZ from the ISO
  3. Uncompress INSTALL.TGZ and locate .\INSTALL\usr\lib\vmware\installer\VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd.bz2
  4. Uncompress VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd.bz2 so that you have VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd
  5. Create ISO image from DD image by using DD
    • dd bs=1M if=VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd of=esx3.5ihp-usbimage.iso

Deploying the USB image file

  1. Attach your disk cloner image to your server and boot
  2. Once the server is booting to the CD ISO, attach the USB ISO
  3. List the available disks
    • list
  4. Identify the image disk (which is 750MB) and the USB disk (which will be whatever size your USB key is)
  5. Copy the image to the USB key
    • copydisk sd1 sd0
  6. Disconnect all images, reboot server, cross fingers
    • reboot

VMware CLI

Especially if using ESXi, you'll need to install the VMware CLI on any machine you want to access the ESX command line from. Be aware that ActivePerl gets installed as well, so proceed with caution if you've already got Perl installed on the machine.

Security Hardening

Service Console

Applicable to ESX only (not ESXi, as ESXi doesn't have a service console)

Disk Partitions

Suggested partition sizing for the Service Console on local disk, to prevent the root partition being filled with user data:

part /boot --fstype ext3 --size 1024 --ondisk=sda --asprimary
part / --fstype ext3 --size 5120 --ondisk=sda --asprimary
part swap --size 2048 --ondisk=sda --asprimary
part /var --fstype ext3 --size 5120 --ondisk=sda
part /tmp --fstype ext3 --size 5120 --ondisk=sda
part /home --fstype ext3 --size 2048 --ondisk=sda
part None --fstype vmkcore --size 100 --ondisk sda

Local Accounts

Password Policy

No policy is implemented by default. If not using AD Integration then it's sensible to apply a policy on the ESX, using the PAMQC module. It's not particularly elegant.

Active Directory Integration

Because service console authentication is Unix-based, it cannot use Active Directory to define user accounts. However, it can use Active Directory to authenticate users, by matching the local passwd file account name against Active Directory with the appropriate SFU (Services For Unix) support.

See Scott Lowe's blog for further info

Sudo

It is possible to limit the enhanced privileges that a user can gain by using sudo. This is most appropriate where there is a large number of admins. However, in such an environment there is likely to be a large number of ESX's, and managing the config on each ESX is a headache.

Example of possible sudo config (/etc/sudoers)

...
# Defaults specification
Defaults logfile=/var/log/sudolog

# User privilege specification
root    ALL=(ALL) ALL
User_Alias VI_JR_ADMINS=esxoper, esxoper2
User_Alias VI_ADMINS=esxadmin

Cmnd_Alias STOP=/usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/poweroff
Cmnd_Alias REBOOT=/usr/sbin/reboot
Cmnd_Alias KILL=/usr/bin/kill
Cmnd_Alias NTP=/usr/sbin/ntpdate, /sbin/hwclock

VI_JR_ADMINS ALL=STOP, REBOOT, KILL, NTP
VI_ADMINS ALL=(ALL) ALL
...
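As an added example (not from the wiki page): a small Python script that expands the User_Alias and Cmnd_Alias definitions of a sudoers fragment like the one above into the effective command set per user, so the junior/full admin split can be audited the same way across many hosts. The sudoers text embedded in it is a constructed copy of the fragment above.

```python
"""Expand the sudoers fragment above into effective per-user rights, so the
least-privilege split between junior and full admins can be checked (and
compared across many ESX hosts) without reading /etc/sudoers by eye."""
import re

# Constructed copy of the page's /etc/sudoers fragment, used as sample input.
SUDOERS = """
# Defaults specification
Defaults logfile=/var/log/sudolog

# User privilege specification
root    ALL=(ALL) ALL
User_Alias VI_JR_ADMINS=esxoper, esxoper2
User_Alias VI_ADMINS=esxadmin

Cmnd_Alias STOP=/usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/poweroff
Cmnd_Alias REBOOT=/usr/sbin/reboot
Cmnd_Alias KILL=/usr/bin/kill
Cmnd_Alias NTP=/usr/sbin/ntpdate, /sbin/hwclock

VI_JR_ADMINS ALL=STOP, REBOOT, KILL, NTP
VI_ADMINS ALL=(ALL) ALL
"""

ALIAS_RE = re.compile(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# user-spec: <user|User_Alias> <host>=[(runas)] <command list>; runas is ignored here.
SPEC_RE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def effective_rights(sudoers):
    """Return {user: set of command paths}; the literal "ALL" means unrestricted root.
    Aliases must be defined before they are used, as sudo itself requires."""
    user_aliases, cmnd_aliases, rights = {}, {}, {}
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            table = user_aliases if m.group(1) == "User_Alias" else cmnd_aliases
            table[m.group(2)] = _split_list(m.group(3))
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {line}")
        commands = set()
        for item in _split_list(m.group(3)):
            commands.update(cmnd_aliases.get(item, [item]))
        for user in user_aliases.get(m.group(1), [m.group(1)]):
            rights.setdefault(user, set()).update(commands)
    return rights

def unrestricted_users(rights):
    """Users whose rights include the ALL wildcard, i.e. full root via sudo."""
    return sorted(user for user, cmds in rights.items() if "ALL" in cmds)

# Note: a bare path such as /usr/bin/kill permits any arguments, so the whole
# process table is within the scope of that grant.
```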

Logging

It is recommended to compress and increase the maximum log file size by modifying the configuration files in the /etc/logrotate.d directory and the /etc/logrotate.conf file.

For example, changing vmkwarning to be 2096k in size, and compressed...

[root@dtcp-esxsvce01b root]# more /etc/logrotate.d/vmkwarning
/var/log/vmkwarning{
    create 0600 root root
    missingok
    compress
    sharedscripts
    size 2096k
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

...and changing the relevant part of /etc/logrotate.conf to allow compression...

...
# uncomment this if you want your log files compressed
compress

...

Finally, it's worth redirecting sudo log activity to /var/log/sudolog, see the above section on sudo.
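Added check, not part of the original page: a Python linter for a logrotate stanza that confirms compress and the raised size limit are in effect and flags option lines that sit inside postrotate/endscript, where logrotate passes them to /bin/sh instead of honouring them. The vmkwarning stanza it carries is a constructed sample containing that mistake.

```python
"""Lint a logrotate stanza such as /etc/logrotate.d/vmkwarning: confirm compression and
the raised size limit, and flag option lines that sit inside postrotate/endscript."""

DIRECTIVES = {"create", "missingok", "compress", "delaycompress", "sharedscripts",
              "size", "rotate", "daily", "weekly", "monthly", "notifempty"}

# Constructed sample: `size` has slipped inside the script block.
SAMPLE = """/var/log/vmkwarning{
    create 0600 root root
    missingok
    compress
    sharedscripts
    postrotate
    size 2096k
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
"""

def size_bytes(spec):
    """logrotate size argument to bytes: bare number, or k/M/G suffix (1024-based)."""
    units = {"k": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
    return int(spec[:-1]) * units[spec[-1]] if spec[-1] in units else int(spec)

def parse_stanza(text):
    """Return {'directives': {name: args}, 'misplaced': [lines]} for one stanza."""
    result = {"directives": {}, "misplaced": []}
    in_script = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith("{"):
            continue
        if line == "}":
            break
        if in_script:
            if line == "endscript":
                in_script = False
            elif line.split()[0] in DIRECTIVES:
                result["misplaced"].append(line)  # the shell would try to execute this
        elif line in ("prerotate", "postrotate", "firstaction", "lastaction"):
            in_script = True
        else:
            key, _, value = line.partition(" ")
            result["directives"][key] = value.strip()
    return result

def lint(text, min_size="2096k"):
    """Findings against the hardening notes: no misplaced options, compress on, size raised."""
    stanza = parse_stanza(text)
    findings = [f"option inside script block: {m}" for m in stanza["misplaced"]]
    if "compress" not in stanza["directives"]:
        findings.append("compress not set")
    size = stanza["directives"].get("size")
    if size is None or size_bytes(size) < size_bytes(min_size):
        findings.append(f"size missing or below {min_size}")
    return findings
```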

Banners

There are three modes of direct management access to an ESX, web, ssh, and direct (local) console.

Web Access

Edit the html page /usr/lib/vmware/hostd/docroot/index.html

SSH

Edit the /etc/ssh/sshd_config file so that it knows to display a defined banner file during login...

Banner /etc/banner

Create the banner file with the appropriate contents.

Console

Prepend your banner to the /etc/issue file

ESX

Network Settings

Setting: Promiscuous Mode (default Reject, preferred Reject)
  Principally used in situations where you need to perform a network traffic (sniff) capture. Data from all ports propagates to all ports (the VM port group becomes a hub rather than a switch).

Setting: MAC address changes (default Accept, preferred Reject)
  There are situations where setting MAC Address Changes to Accept is required, for example legacy applications, clustered environments and licensing. Legacy applications may require a specific MAC address to be used for the application. Microsoft Clusters utilize an artificial MAC address for all servers in the cluster.

Setting: Forged Transmits (default Accept, preferred Reject)
  This setting affects traffic transmitted from a virtual machine. If it is set to Reject, the virtual switch compares the source MAC address being transmitted by the guest operating system with the effective MAC address of its virtual network adapter. If they differ, the virtual switch drops the frame; the guest operating system will not detect that its virtual network adapter cannot send packets using the different MAC address. To protect against MAC address impersonation, all virtual switches should have Forged Transmits set to Reject.
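Added example, not from the page: a Python audit of vSwitch and port-group security policies against the preferred values in the table above. The evaluator works on plain dictionaries; the live-host collector assumes pyVmomi and the vSphere API's HostVirtualSwitch/HostPortGroup spec.policy.security attributes (allowPromiscuous, macChanges, forgedTransmits, True meaning Accept), and SAMPLE_HOST is constructed data.

```python
"""Audit ESX vSwitch (and port-group override) security policies against the
preferred settings: Promiscuous Mode, MAC address changes and Forged Transmits
all Reject. Attribute names follow the vSphere API's HostNetworkSecurityPolicy,
where True means Accept (an assumption of this example, see lead-in)."""

PREFERRED = {"allowPromiscuous": False, "macChanges": False, "forgedTransmits": False}
LABELS = {"allowPromiscuous": "Promiscuous Mode",
          "macChanges": "MAC address changes",
          "forgedTransmits": "Forged Transmits"}

def _word(value):
    return "Accept" if value else "Reject"

def audit_policy(name, policy):
    """One finding per setting that deviates from PREFERRED.
    policy maps attribute name -> bool; None (inherited from the vSwitch) is skipped."""
    findings = []
    for attr, preferred in PREFERRED.items():
        actual = policy.get(attr)
        if actual is not None and actual != preferred:
            findings.append(f"{name}: {LABELS[attr]} = {_word(actual)} "
                            f"(preferred {_word(preferred)})")
    return findings

def audit_host(switches):
    """switches: {vSwitch or 'vswitch/portgroup' name: policy dict} -> all findings."""
    findings = []
    for name, policy in switches.items():
        findings.extend(audit_policy(name, policy))
    return findings

def collect_policies(host):
    """Gather policies from a live host with pyVmomi (assumed available; not run offline).
    host is a vim.HostSystem. Port groups are listed only where they override the vSwitch."""
    switches = {}
    net = host.configManager.networkSystem.networkInfo
    for vsw in net.vswitch:
        sec = vsw.spec.policy.security
        switches[vsw.name] = {a: getattr(sec, a) for a in PREFERRED}
    for pg in net.portgroup:
        sec = pg.spec.policy.security
        if sec is not None:
            switches[f"{pg.spec.vswitchName}/{pg.spec.name}"] = {a: getattr(sec, a) for a in PREFERRED}
    return switches

# Constructed sample: vSwitch0 still at the ESX defaults, vSwitch1 hardened as per the table.
SAMPLE_HOST = {
    "vSwitch0": {"allowPromiscuous": False, "macChanges": True, "forgedTransmits": True},
    "vSwitch1": {"allowPromiscuous": False, "macChanges": False, "forgedTransmits": False},
}

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_HOST):
        print(finding)
```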