Installation (ESX)
Revision as of 12:24, 13 October 2009
Build Notes
Security Hardening
Service Console
Disk Partitions
Suggested partition sizing for the Service Console on local disk, so that user data (home directories, temporary files, logs) cannot fill the root partition:
part /boot --fstype ext3 --size 1024 --ondisk=sda --asprimary
part / --fstype ext3 --size 5120 --ondisk=sda --asprimary
part swap --size 2048 --ondisk=sda --asprimary
part /var --fstype ext3 --size 5120 --ondisk=sda
part /tmp --fstype ext3 --size 5120 --ondisk=sda
part /home --fstype ext3 --size 2048 --ondisk=sda
part None --fstype vmkcore --size 100 --ondisk=sda
Local Accounts
Password Policy
No password policy is implemented by default. If AD integration is not in use, it is sensible to apply a policy on the ESX host using the PAMQC module; it is not particularly elegant.
Active Directory Integration
Because Service Console authentication is Unix-based, it cannot use Active Directory to define user accounts. However, it can use Active Directory to authenticate users by matching the account name in the local passwd file against Active Directory, with appropriate support from SFU (Services For Unix).
See Scott Lowe's blog (http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/) for further info.
Sudo
It is possible to limit the elevated privileges that a user can gain by using sudo. This is most appropriate where there is a large number of admins. However, such an environment is also likely to have a large number of ESX hosts, and managing the sudo config on each ESX host is a headache.
Example of a possible sudo config (/etc/sudoers):
...
# Defaults specification
Defaults logfile=/var/log/sudolog
# User privilege specification
root ALL=(ALL) ALL
User_Alias VI_JR_ADMINS=esxoper, esxoper2
User_Alias VI_ADMINS=esxadmin
Cmnd_Alias STOP=/usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/poweroff
Cmnd_Alias REBOOT=/usr/sbin/reboot
Cmnd_Alias KILL=/usr/bin/kill
Cmnd_Alias NTP=/usr/sbin/ntpdate, /sbin/hwclock
VI_JR_ADMINS ALL=STOP, REBOOT, KILL, NTP
VI_ADMINS ALL=(ALL) ALL
...
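When the same sudoers file is pushed to many ESX hosts, the useful review question is not "what do the alias lines say" but "which commands does each human account actually end up with, and who is effectively root". The script below is an added example, not part of this page or of ESX; it parses only the subset of sudoers grammar used in the fragment above (User_Alias, Cmnd_Alias, and user specifications with an optional runas list) and expands the aliases into a per-account view. The sample text is the fragment above embedded as a string so the script runs offline, and the function names effective_commands and full_root_grants are this example's own.

```python
import re

# Constructed sample: the sudoers fragment from the section above, embedded
# so the script runs without reading /etc/sudoers.
SAMPLE_SUDOERS = """\
# Defaults specification
Defaults logfile=/var/log/sudolog
# User privilege specification
root ALL=(ALL) ALL
User_Alias VI_JR_ADMINS=esxoper, esxoper2
User_Alias VI_ADMINS=esxadmin
Cmnd_Alias STOP=/usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/poweroff
Cmnd_Alias REBOOT=/usr/sbin/reboot
Cmnd_Alias KILL=/usr/bin/kill
Cmnd_Alias NTP=/usr/sbin/ntpdate, /sbin/hwclock
VI_JR_ADMINS ALL=STOP, REBOOT, KILL, NTP
VI_ADMINS ALL=(ALL) ALL
"""

# <user or User_Alias> <host> = [(runas)] <command list>
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Parse the sudoers subset used on this page. Returns
    (user_aliases, cmnd_aliases, specs) where specs is a list of
    (who, host, runas, [commands]). Comments and Defaults lines are
    skipped; Host_Alias, tags such as NOPASSWD: and line continuations
    are not handled (assumption of this example, not a sudo limitation)."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("User_Alias", "Cmnd_Alias"):
            name, _, members = rest.partition("=")
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = USER_SPEC.match(line)
        if m:
            who, host, runas, cmds = m.groups()
            # sudo's default runas user is root when no (runas) list is given
            specs.append((who, host, runas or "root",
                          [c.strip() for c in cmds.split(",")]))
    return user_aliases, cmnd_aliases, specs


def effective_commands(sudoers_text):
    """Expand aliases into {account: {runas: set(commands)}} so each
    account's real grant can be reviewed directly."""
    user_aliases, cmnd_aliases, specs = parse_sudoers(sudoers_text)
    result = {}
    for who, _host, runas, cmds in specs:
        accounts = user_aliases.get(who, [who])
        commands = set()
        for c in cmds:
            commands.update(cmnd_aliases.get(c, [c]))
        for account in accounts:
            result.setdefault(account, {}).setdefault(runas, set()).update(commands)
    return result


def full_root_grants(sudoers_text):
    """Accounts that may run ALL commands as root or as ALL users: these are
    effectively root and deserve the closest review."""
    flagged = []
    for account, by_runas in effective_commands(sudoers_text).items():
        for runas, commands in by_runas.items():
            if "ALL" in commands and runas in ("ALL", "root"):
                flagged.append(account)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for account, by_runas in sorted(effective_commands(SAMPLE_SUDOERS).items()):
        for runas, commands in by_runas.items():
            print("%-10s as %-5s: %s" % (account, runas, ", ".join(sorted(commands))))
    print("effectively root:", ", ".join(full_root_grants(SAMPLE_SUDOERS)))
```

Run against a copy of each host's /etc/sudoers (after `visudo -c` has confirmed it parses) and diff the expanded output between hosts; the expanded form also makes over-broad entries easy to spot, for example a Cmnd_Alias that names a binary with no argument restriction.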
Procedures
Password Complexity Override
In order to change a user (or root) password to one that fails the password complexity checks:
- Disable the PAM module
  esxcfg-auth --usepamqc -1 -1 -1 -1 -1 -1
- Disable the complexity checker
  esxcfg-auth --usecrack -1 -1 -1 -1 -1 -1
- Change the password
- Re-enable the PAM module
  esxcfg-auth --usepamqc=-1 -1 -1 -1 8 8
Note that these steps re-enable only the PAM module; the complexity checker disabled in the second step stays disabled unless it is switched back on as well.
HBA and SAN Operations
HBAnywhere Installation
- Download the Driver and Application kit for VMware from Emulex's website. At time of writing the current version of the package was elxvmwarecorekit-esx35-4.0a45-1.i386.rpm
- Copy the package to the server, e.g.
  pscp -pw [password] elxvmwarecorekit-esx35-4.0a45-1.i386.rpm platadmn@dtcp-esxsvce01a:/home/platadmn
  (passing the password with -pw leaves it in the shell history; omitting -pw makes pscp prompt for it instead)
- Install the package, e.g.
  rpm -ivh elxvmwarecorekit-2.1a42-1.i386.rpm
HBA Firmware Upgrade
Requires HBAnywhere to be installed first; see HBAnywhere Installation for further info.
- Download the correct firmware version from Emulex's website, e.g. for LPe11002's
- Extract, and copy the file to the server
- Find the adapters' WWPNs, e.g.
  /usr/sbin/hbanyware/hbacmd ListHBAs
- Download the new firmware version to each HBA, e.g.
  /usr/sbin/hbanyware/hbacmd download 10:00:00:00:c9:82:97:9e zf280a4.all
EMCgrab Collection
- Download the correct version from EMC's website. At time of writing the current version file was emcgrab_ESX_v1.1.tar
- Copy to the server, e.g.
  pscp emcgrab_ESX_v1.1.tar platadmn@dtcp-esxsvce02a:/home/platadmn
- Uncompress the file, e.g.
  tar -xvf emcgrab_ESX_v1.1.tar
- Run the grab (can take a few minutes, best done out of hours), e.g.
  ./emcgrab.sh
- Results can be found in the \emcgrab\outputs folder
Troubleshooting
Vmkernel Log Analysis
Storage Monitor Log Entries
How to decode the following type of entries...
Sep 3 15:15:14 tfukesxent1 vmkernel: 85:01:23:01.532 cpu4:2264)StorageMonitor: 196: vmhba1:2:0:0 status = 2/0 0x6 0x2a 0x1
Sep 3 15:15:32 tfukesxent1 vmkernel: 85:01:23:19.391 cpu4:2253)StorageMonitor: 196: vmhba1:3:9:0 status = 2/0 0x6 0x2a 0x1
The status message consists of the following four decimal and hex blocks (shown with the values from the entries above)...
Device Status / Host Status | Sense Key | Additional Sense Code | Additional Sense Code Qualifier
---|---|---|---
2/0 | 0x6 | 0x2a | 0x1
Where the ESX Device Status and SAN Host Status values mean...
Decimal | Device Status | Host Status
---|---|---
0 | No Errors | Host_OK
1 | | Host_No_Connect
2 | Check Condition | Host_Bus_Busy
3 | | Host_Timeout
4 | | Host_Bad_Target
5 | | Host_Abort
6 | | Host_Parity
7 | | Host_Error
8 | Device Busy | Host_Reset
9 | | Host_Bad_INTR
10 | | Host_PassThrough
11 | | Host_Soft_Error
24 | Reservation Conflict |
Where the Sense Key values mean...
Hex | Sense Key
---|---
0x0 | No Sense Information
0x1 | Last command completed but used error correction
0x2 | Unit Not Ready
0x3 | Medium Error
0x4 | Hardware Error
0x5 | ILLEGAL_REQUEST (Passive SP)
0x6 | LUN Reset
0x7 | Data_Protect - Access to data is blocked
0x8 | Blank_Check - Reached an unexpected region
0xa | Copy_Aborted
0xb | Aborted_Command - Target aborted command
0xc | Comparison for SEARCH DATA unsuccessful
0xd | Volume_Overflow - Medium is full
0xe | Source and Data on Medium do not agree
The Additional Sense Code and Additional Sense Code Qualifier values mean...
Hex | Sense Code
---|---
0x4 | Unit Not Ready
0x3 | Unit Not Ready - Manual Intervention Required
0x2 | Unit Not Ready - Initializing Command Required
0x29 | Device Power on or SCSI Reset
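Decoding these entries by hand across a busy vmkernel log is tedious and error-prone, and a single Check Condition on a path means something different from the same path reporting it every few seconds. The script below is an added example, not part of this page or of ESX: it parses StorageMonitor status lines of the shape shown above, looks the four fields up in the tables transcribed from this section (the same names, so any disagreement with the vendor documentation for your build should be resolved there), and counts how often each path reports each sense key. The two log lines from the page are embedded as input together with one constructed Unit Not Ready entry and one constructed unrelated line; the function names decode_status_line and summarise are this example's own.

```python
import re

# Lookup tables transcribed from the section above (Device Status, Host Status,
# Sense Key, Additional Sense Code). Only the ASC values the page lists as
# plain codes are included; the ASCQ refinements are left to the reader.
DEVICE_STATUS = {0: "No Errors", 2: "Check Condition", 8: "Device Busy",
                 24: "Reservation Conflict"}
HOST_STATUS = {0: "Host_OK", 1: "Host_No_Connect", 2: "Host_Bus_Busy",
               3: "Host_Timeout", 4: "Host_Bad_Target", 5: "Host_Abort",
               6: "Host_Parity", 7: "Host_Error", 8: "Host_Reset",
               9: "Host_Bad_INTR", 10: "Host_PassThrough", 11: "Host_Soft_Error"}
SENSE_KEY = {0x0: "No Sense Information",
             0x1: "Last command completed but used error correction",
             0x2: "Unit Not Ready", 0x3: "Medium Error", 0x4: "Hardware Error",
             0x5: "ILLEGAL_REQUEST (Passive SP)", 0x6: "LUN Reset",
             0x7: "Data_Protect", 0x8: "Blank_Check", 0xa: "Copy_Aborted",
             0xb: "Aborted_Command", 0xc: "SEARCH DATA comparison unsuccessful",
             0xd: "Volume_Overflow", 0xe: "Source and Data on Medium do not agree"}
ASC = {0x4: "Unit Not Ready", 0x29: "Device Power on or SCSI Reset"}

# Constructed sample: the two entries quoted on this page, plus one constructed
# Unit Not Ready entry and one constructed non-StorageMonitor line.
SAMPLE_LOG = [
    "Sep 3 15:15:14 tfukesxent1 vmkernel: 85:01:23:01.532 cpu4:2264)StorageMonitor: 196: vmhba1:2:0:0 status = 2/0 0x6 0x2a 0x1",
    "Sep 3 15:15:32 tfukesxent1 vmkernel: 85:01:23:19.391 cpu4:2253)StorageMonitor: 196: vmhba1:3:9:0 status = 2/0 0x6 0x2a 0x1",
    "Sep 3 15:16:02 tfukesxent1 vmkernel: 85:01:23:49.100 cpu2:2253)StorageMonitor: 196: vmhba1:3:9:0 status = 2/0 0x2 0x4 0x3",
    "Sep 3 15:16:10 tfukesxent1 vmkernel: 85:01:23:57.000 cpu0:1024)SCSI: 42: unrelated constructed entry",
]

# syslog timestamp, host, vmkernel uptime, cpu:world, path, then the four status fields
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+vmkernel:\s+(?P<uptime>\S+)\s+"
    r"cpu(?P<cpu>\d+):(?P<world>\d+)\)StorageMonitor:\s+\d+:\s+"
    r"(?P<path>vmhba\d+:\d+:\d+:\d+)\s+status\s*=\s*(?P<dev>\d+)/(?P<hst>\d+)\s+"
    r"0x(?P<key>[0-9a-fA-F]+)\s+0x(?P<asc>[0-9a-fA-F]+)\s+0x(?P<ascq>[0-9a-fA-F]+)\s*$")


def decode_status_line(line):
    """Decode one StorageMonitor line into named fields, or return None for
    any other vmkernel line. Unknown codes are reported as 'unknown (..)'
    rather than dropped, so gaps in the tables stay visible."""
    m = LINE.match(line.strip())
    if not m:
        return None
    dev, hst = int(m.group("dev")), int(m.group("hst"))
    key = int(m.group("key"), 16)
    asc, ascq = int(m.group("asc"), 16), int(m.group("ascq"), 16)
    return {
        "host": m.group("host"),
        "path": m.group("path"),
        "device_status": DEVICE_STATUS.get(dev, "unknown (%d)" % dev),
        "host_status": HOST_STATUS.get(hst, "unknown (%d)" % hst),
        "sense_key": SENSE_KEY.get(key, "unknown (0x%x)" % key),
        "asc": ASC.get(asc, "unknown (0x%x)" % asc),
        "ascq": ascq,
    }


def summarise(lines):
    """Count (path, sense key) pairs across a log extract so a recurring
    condition on one path stands out from a one-off."""
    counts = {}
    for line in lines:
        decoded = decode_status_line(line)
        if decoded:
            k = (decoded["path"], decoded["sense_key"])
            counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        d = decode_status_line(line)
        if d:
            print("%s %s: device=%s host=%s sense=%s asc=%s ascq=0x%x" % (
                d["host"], d["path"], d["device_status"], d["host_status"],
                d["sense_key"], d["asc"], d["ascq"]))
    for (path, key), n in sorted(summarise(SAMPLE_LOG).items()):
        print("%-14s %-16s x%d" % (path, key, n))
```

To use it on a real host, replace SAMPLE_LOG with the lines of /var/log/vmkernel (for example `grep StorageMonitor /var/log/vmkernel`); the summary is what to compare before and after a SAN change or a path failover.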