Difference between revisions of "Installation (ESX)"

1,504 bytes added ,  11:14, 24 September 2012
m
→‎Build Numbers: Added v5.1 build
(Added "Build Notes")
m (→‎Build Numbers: Added v5.1 build)
 
(84 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{TOC limit|3}}
== Build Notes ==
* '''[[ESX3 Installation]]''' - Example, based on an old ESX v3 build guide
* '''[[ESX4i Installation]]''' - Example, bit brief in places
* [http://www.jam-software.com/heavyload/download.shtml HeavyLoad] - Load tester (stick it in a test VM, memory test doesn't really work as ESX page sharing kicks in)
 
== Build Numbers ==
ESX build numbers, note that installing subsequent patches, on top of one of the major releases below will increase the build number.
{|class="vwikitable"
|-
! ESX version  !! ESX    !! ESXi
|-
| 3.5 Update 1  || 82663  ||  82664
|-
| 3.5 Update 2 || 110268 || 110271
|-
| 3.5 Update 3 || 123630 || 123629
|-
| 3.5 Update 4 ||colspan="2"| 153875
|-
| 3.5 Update 5 ||colspan="2"| 207095
|-
| 4.0  ||colspan="2"| 164009
|-
| 4.0 Update 1 ||colspan="2"| 208167
|-
| 4.0 Update 2 ||colspan="2"| 261974
|-
| 4.0 Update 3 ||colspan="2"| 398348
|-
| 4.0 Update 4 ||colspan="2"| 504850
|-
| 4.1 ||colspan="2"| 260247
|-
| 4.1 Update 1  ||colspan="2"| 348481
|-
| 4.1 Update 2  ||colspan="2"| 502767
|-
| 4.1 Update 3 ||colspan="2"| 800380
|-
| 5.0 ||colspan="2"| 469512
|-
| 5.0 Update 1  ||colspan="2"| 623860
|-
| 5.1 ||colspan="2"| 799733
|}
 
== USB Image ==
If you're installing ESXi 4 then you don't need to do this, the installer will detect the USB stick and install to it.
 
'''Required software etc...'''
* '''''WinImage''''' - http://www.winimage.com/download.htm
* '''''DD''''' - http://www.chrysocome.net/dd
* '''''ESXi install ISO'''''
* '''''Disk Cloner''''', eg G4U - http://www.feyrer.de/g4u/
** Ideally use a cloner that ignores the actual disk contents and does a block by block copy, anything that tries to interpret the disk image may not copy it faithfully
* You must be able to connect '''two''' image files remotely to your server, a disk cloner ''CD'' ISO, and the image ''USB'' ISO (hint: use the floppy drive).
 
'''Creating the USB image file'''
# Open up the ISO with WinImage
# Extract the <code> INSTALL.TGZ </code> from the ISO
# Uncompress <code> INSTALL.TGZ </code> and locate <code> .\INSTALL\usr\lib\vmware\installer\VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd.bz2 </code>
# Uncompress <code> VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd.bz2 </code> so that you have <code> VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd </code>
# Create ISO image from DD image by using DD
#* <code> dd bs=1M if=VMware-VMvisor-big-3.5.0_Update_4-153875.i386.dd of=esx3.5ihp-usbimage.iso </code>
 
'''Deploying the USB image file'''
# Attach your disk cloner image to your server and boot
# Once the  the server is booting to the CD ISO, attach the USB ISO
# List the avaialble disks
#* <code> list </code>
# Identify the image disk (which is 750MB) and the USB disk (which will be whatever size your USB key is)
# Copy the image to the USB key
#* <code> copydisk sd1 sd0 </code>
# Disconnect all images, reboot server, cross fingers
#* <code> reboot </code>
 
== VMware CLI ==
Especially if using ESX'''i''', you'll need to install the VMware CLI on any machine you want to access the ESX command line from.  Be aware that [http://www.activestate.com/activeperl/ ActivePerl] gets installed as well, so proceed with caution if you've already got Perl installed on the machine.


= Build Notes =
== Security Hardening ==
== Security Hardening ==
=== Service Console ===
=== Service Console ===
Applicable to ESX only (not ESXi, as ESXi doesn't have a service console)
==== Disk Partitions ====
==== Disk Partitions ====
Suggesting partition sizing for Service Console on local disk to prevent Root partition being filled with user data
Suggesting partition sizing for Service Console on local disk to prevent Root partition being filled with user data
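Review bot: In "Deploying the USB image file", the copy step hard-codes <code>copydisk sd1 sd0</code>, but the step before it asks the reader to work out which disk is the 750MB image and which is the USB key, and the page never says which argument is the source and which is the destination. Suggest naming source and destination explicitly and marking sd1/sd0 as examples to be replaced with the devices shown by <code>list</code>, since a block-by-block copy in the wrong direction overwrites the target without interpreting its contents. In "Creating the USB image file", the <code>dd</code> step writes a raw disk image to a file named <code>esx3.5ihp-usbimage.iso</code>; a sentence saying the .iso name is only there so it can be attached as remote media would avoid confusion. Typos in the same steps: "the  the server", "avaialble".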
Line 46: Line 123:
  ...
  ...


==== Logging ====
It is recommended to compress and increase the maximum log file size by modifying the configuration files in the <code>/etc/logrotate.d</code> directory and the <code>/etc/logrotate.conf</code> file.


= Procedures =
For example, changing vmkwarning to be 2096k in size, and compressed...
== Password Complexity Override ==
[root@dtcp-esxsvce01b root]# more /etc/logrotate.d/vmkwarning
In order to be able to change a user (or root) password to one that breaches password complexity checking
/var/log/vmkwarning{
    create 0600 root root
    missingok
    compress
    sharedscripts
    postrotate
    size 2096k
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}


# Disable PAM module
...and changing relevent part of <code>/etc/logrotate.conf</code> to allow compression...
#* <code> esxcfg-auth --usepamqc -1 -1 -1 -1 -1 -1 </code>
...
# Disable complexity checker
# uncomment this if you want your log files compressed
#* <code> esxcfg-auth --usecrack -1 -1 -1 -1 -1 -1 </code>
compress
# Change password
# Re-enable PAM module
  ...
#* <code> esxcfg-auth --usepamqc=-1 -1 -1 -1 8 8 </code>


== HBA and SAN Operations ==
Finally, its worth redirecting sudo log activity to <code>/var/log/sudolog</code>, see above section on sudo.
=== HBAnywhere Installation ===
# Download the Driver and Application kit for VMware from [http://www.emulex.com/downloads/emulex/cnas-and-hbas/drivers/vmware/fc-74040-pkg.html Emulex's website].
#* At time of writing the current version of package was <code>elxvmwarecorekit-esx35-4.0a45-1.i386.rpm</code>
# Copy the package to the server
#* EG <code> pscp -pw [password] elxvmwarecorekit-esx35-4.0a45-1.i386.rpm platadmn@dtcp-esxsvce01a:/home/platadmn</code>
# Install the package
#* EG <code> rpm -ivh elxvmwarecorekit-2.1a42-1.i386.rpm </code>


=== HBA Firmware Upgrade ===
==== Banners ====
Requires HBAnywhere to be installed 1st, see [[#HBAnywhere Installation|HBAnywhere Installation]] for further info.
There are three modes of direct management access to an ESX, web, ssh, and direct (local) console.
# Download the correct firmware version from Emulex's website
#* EG for [http://www.emulex.com/downloads/emulex/cnas-and-hbas/firmware-and-boot-code/lpe11002.html LPe11002's]
# Extract, and copy file to server
# Find adapter's WWPN's
#* EG <code>/usr/sbin/hbanyware/hbacmd ListHBAs</code>
# Download new firware version to each HBA
#* EG <code>/usr/sbin/hbanyware/hbacmd download 10:00:00:00:c9:82:97:9e zf280a4.all</code>


=== EMCgrab Collection ===
===== Web Access =====
# Download correct verion from EMC's website
Edit the html page <code>/usr/lib/vmware/hostd/docroot/index.html</code>
#* At time of writing the current version file was [ftp://ftp.emc.com/pub/emcgrab/ESX/Old_Releases/v1.1/ emcgrab_ESX_v1.1.tar]
# Copy to server
#* EG <code>pscp emcgrab_ESX_v1.1.tar platadmn@dtcp-esxsvce02a:/home/platadmn</code>
# Uncompress the file
#* EG <code>tar -xvf emcgrab_ESX_v1.1.tar</code>
# Run grab (can take a few minutes, best done out of hours)
#* EG <code>./emcgrab.sh</code>
# Results can be found in <code>\emcgrab\outputs</code> folder


= Troubleshooting =
===== SSH =====
== Vmkernel Log Analysis ==
Edit the <code>/etc/ssh/sshd_config</code> file so that it knows to display a defined banner file during login...
=== Storage Monitor Log Entries ===
Banner /etc/banner


How to decode the following type of entries...
Create the banner file with the appropriate contents.
Sep  3 15:15:14 tfukesxent1 vmkernel: 85:01:23:01.532 cpu4:2264)StorageMonitor: 196: vmhba1:2:0:0 status = 2/0 0x6 0x2a 0x1
Sep  3 15:15:32 tfukesxent1 vmkernel: 85:01:23:19.391 cpu4:2253)StorageMonitor: 196: vmhba1:3:9:0 status = 2/0 0x6 0x2a 0x1


The status message consists of the follow four decimal and hex blocks...
===== Console =====
{| cellpadding="4" cellspacing="0" border="1"
Prepend your banner to the <code>/etc/issue</code> file
|-
|''Device Status'' / ''Host Status'' || ''Sense Key'' || ''Additional Sense Code'' || ''Additional Sense Code Qualifier''
|}
 
Where the ESX Device and SAN host status' mean...
{| cellpadding="4" cellspacing="0" border="1"
|-
! Decimal !! Device Status        !! Host Status
|-
| 0      || No Errors            || Host_OK
|-
| 1      ||                      || Host No_Connect
|-
| 2      || Check Condition      || Host_Busy_Busy
|-
| 3      ||                      || Host_Timeout
|-
| 4      ||                      || Host_Bad_Target
|-
| 5      ||                      || Host_Abort
|-
| 6      ||                      || Host_Parity
|-
| 7      ||                      || Host_Error
|-
| 8      || Device Busy          || Host_Reset
|-
| 9      ||                      || Host_Bad_INTR
|-
| 10      ||                      || Host_PassThrough
|-
| 11      ||                      || Host_Soft_Error
|-
| 24      || Reservation Conflict || 
|}


Where the Sense Key mean...
=== ESX ===
{| cellpadding="4" cellspacing="0" border="1"
==== Network Settings ====
|-
! Hex !! Sense Key
|-
| 0x0 || No Sense Information
|-
| 0x1 || Last command completed but used error correction
|-
| 0x2 || Unit Not Ready
|-
| 0x3 || Medium Error
|-
| 0x4 || Hardware Error
|-
| 0x5 || ILLEGAL_REQUEST (Passive SP)
|-
| 0x6 || LUN Reset
|-
| 0x7 || Data_Protect - Access to data is blocked
|-
| 0x8 || Blank_Check - Reached an unexpected region
|-
| 0xa || Copy_Aborted
|-
| 0xb || Aborted_Command - Target aborted command
|-
| 0xc || Comparison for SEARCH DATA unsuccessful
|-
| 0xd || Volume_Overflow - Medium is full
|-
| 0xe || Source and Data on Medium do not agree
|}


The Additional Sense Code and Additional Sense Code Qualifier mean
{|class="vwikitable"
{| cellpadding="4" cellspacing="0" border="1"
|-
! Hex !! Sense Code
|-
|-
| 0x4 || Unit Not Ready
! Setting                  !! Default !! Preferred !! Explanantion
|-
|-
| 0x3 || Unit Not Ready - Manual Intervention Required
| '''Promiscuous Mode'''    || Reject  || Reject
|| Principally used in situations where you need to perform a network traffic (snif) capture.  Data from all ports propagates to all ports (VM Port group becomes a hub rather than a switch)
|-
|-
| 0x2 || Unit Not Ready - Initializing Command Required
| '''MAC address changes''' || Accept  || Reject
|| There are situations where allowing MAC Address Changes to Accept is required.  For example; legacy applications, clustered environments, and licensing. Legacy applications may require a specific MAC addresses to be used for the application. Microsoft Clusters utilize an artificial MAC address for all servers in the cluster
|-
|-
| 0x29 || Device Power on or SCSI Reset
| '''Forged Transmits'''    || Accept  || Reject
|| The setting affects traffic transmitted from a virtual machine. If this option is set to reject, the virtual switch compares the source MAC address being transmitted by the operating system with the effective MAC address for its virtual network adapter to see if they are the same. If the MAC addresses are different, the virtual switch drops the frame. The guest operating system will not detect that its virtual network adapter cannot send packets using the different MAC address. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject
|}
|}


[[Category:VMware]]
[[Category:ESX]]
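Review bot: In the added <code>/etc/logrotate.d/vmkwarning</code> example under "Logging", <code>size 2096k</code> sits between <code>postrotate</code> and <code>endscript</code>, so logrotate treats it as a line of the post-rotation script and not as the size directive, and the larger size limit the text describes is not applied; move it above <code>postrotate</code>, next to <code>compress</code>. The "Banners" section says to edit <code>/usr/lib/vmware/hostd/docroot/index.html</code> and to create <code>/etc/banner</code> without showing what to put in either, so a short sample would help. Typos in the added text: "relevent", "its worth", "Explanantion", "snif".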
