Friday, January 12, 2018

VMware Spectre and Meltdown Information

The two recently disclosed CPU vulnerabilities, Spectre and Meltdown, and the mitigations against them have generated a lot of discussion. The disclosure came from Google Project Zero (with independent discovery by other research teams).

I have also recently shared advice from VMware support and KBs with our Singapore VMUG users during our event yesterday.

Below is a summary of the questions raised and the approach you should take when patching your VMware environment.

Details on Spectre and Meltdown


Side Notes

  • ESXi is affected by Spectre only (CVE-2017-5753 and CVE-2017-5715); patches for ESXi 5.5 and later have been released.
  • ESXi is NOT affected by Meltdown (CVE-2017-5754) because it does not run untrusted user-mode code.


FAQ

  1. We heard that the patches affect performance. Will the patches from VMware affect the performance of the hypervisor?
    VMware states that the ESXi patches themselves have no measurable performance impact. Guest-level patching may have an impact; the guest OS vendor (e.g. Microsoft) is the right contact to comment on that.
  2. Other than patching ESXi and the guest OS, is there anything else to take note of?
    The VM hardware must be upgraded for the guest mitigations to work. Virtual hardware version 9 is the minimum for Hypervisor-Assisted Guest Mitigation of branch target injection (CVE-2017-5715), because the speculation-control CPUID bits and MSRs (IBRS/IBPB) are only exposed to the guest from that version. Hardware version 11 is recommended because it also exposes PCID/INVPCID, which reduces the overhead of the guest's own Meltdown mitigation. After the ESXi patch and hardware upgrade, the VM must be fully powered off and on (a guest reboot is not enough), since CPUID is only re-read at power-on.
  3. I am running vCenter on Windows, do I need to patch vCenter?
    Yes. Download the vCenter patches together with the ESXi patches and follow the usual vCenter upgrade process.
  4. How will VMs running Windows XP, 2003, Windows 2000 and other legacy OSes be impacted?
    The OS vendor must provide the guest patches. Microsoft does not provide patches for these legacy OSes, so there is no guest-level fix for them.
  5. Do I need to install the BIOS patch from the server vendor if I have applied the ESXi patches?
    Yes, apply the server vendor's BIOS/firmware update when one is available, as the vendor may bundle microcode and other components specific to their hardware.
    Follow the server vendor's BIOS update procedure. The ESXi microcode patches have been retracted following Intel's instruction (see the 13 January update below).
  6. If I have applied the server BIOS patches, do I still apply the VMware ESXi patches?
    ESXi only loads its bundled microcode onto the CPU if the microcode already loaded by the BIOS is older.
    With the ESXi microcode patches retracted, there are currently no ESXi microcode patches to apply.
  7. I am using a server vendor custom ESXi ISO that has not been updated; can I apply the patches from VMware?
    Yes, the VMware patches can be applied on top of a custom ISO. Check with your hardware vendor for any vendor-specific changes they may have.
    As above, the ESXi microcode patches have been retracted.
  8. How do I know if my CPU has updated microcode from Intel?
    Check Intel's advisory INTEL-SA-00088: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr.
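To verify from inside the guest that the hardware-version upgrade in question 2 actually took effect, the following added example (not from the original post and not VMware's code) decodes the CPUID bits the guest OS needs: CPUID.(EAX=7,ECX=0):EDX bit 26 (IBRS/IBPB) and bit 27 (STIBP), which virtual hardware version 9 exposes, and CPUID.1:ECX bit 17 (PCID) plus CPUID.(EAX=7,ECX=0):EBX bit 10 (INVPCID), which version 11 exposes. It assumes an x86 guest built with GCC or Clang (`<cpuid.h>`) and that the VM was fully power-cycled after the upgrade; the decoding functions take raw register values so they can be tested on constructed inputs without executing CPUID.

```c
/* Added example, not from the original post or from VMware: decode the
 * CPUID capability bits that the Hypervisor-Assisted Guest Mitigation
 * depends on, from inside the guest.  Assumptions: x86 guest, GCC/Clang
 * (<cpuid.h>), and that the VM was fully powered off and on after the
 * hardware-version upgrade, since CPUID is only re-read at power-on.
 *
 *   Virtual HW 9+  : CPUID.(EAX=7,ECX=0):EDX bit 26 (IBRS/IBPB), bit 27 (STIBP)
 *   Virtual HW 11+ : CPUID.1:ECX bit 17 (PCID), CPUID.(EAX=7,ECX=0):EBX bit 10 (INVPCID)
 *
 * Build and run inside the guest: cc -O2 -o guestcaps guestcaps.c && ./guestcaps */
#include <stdint.h>
#include <stdio.h>

/* Bit positions as documented in the Intel SDM and Intel's speculative
 * execution side-channel mitigation guidance. */
#define L7_EDX_IBRS_IBPB (1u << 26)
#define L7_EDX_STIBP     (1u << 27)
#define L1_ECX_PCID      (1u << 17)
#define L7_EBX_INVPCID   (1u << 10)

/* Pure decoders over raw register values: testable without CPUID and on
 * non-x86 build hosts. */
int bti_guest_mitigation_visible(uint32_t leaf7_edx)
{
    /* The guest kernel needs IBRS/IBPB to mitigate CVE-2017-5715. */
    return (leaf7_edx & L7_EDX_IBRS_IBPB) != 0;
}

int stibp_visible(uint32_t leaf7_edx)
{
    return (leaf7_edx & L7_EDX_STIBP) != 0;
}

int pcid_for_kpti_visible(uint32_t leaf1_ecx, uint32_t leaf7_ebx)
{
    /* Both PCID and INVPCID are needed for low-overhead kernel page-table
     * isolation, the guest-side Meltdown mitigation. */
    return (leaf1_ecx & L1_ECX_PCID) != 0 && (leaf7_ebx & L7_EBX_INVPCID) != 0;
}

/* 0 = BTI bits missing (check VM hardware >= 9, ESXi patch level, power cycle),
 * 1 = BTI mitigation possible but no PCID/INVPCID (hardware version 11 recommended),
 * 2 = BTI bits and PCID/INVPCID both exposed. */
int guest_mitigation_readiness(uint32_t leaf1_ecx, uint32_t leaf7_ebx, uint32_t leaf7_edx)
{
    if (!bti_guest_mitigation_visible(leaf7_edx))
        return 0;
    return pcid_for_kpti_visible(leaf1_ecx, leaf7_ebx) ? 2 : 1;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Read the live registers; leaf 7 is only queried if the CPU reports it. */
static void read_live(uint32_t *l1_ecx, uint32_t *l7_ebx, uint32_t *l7_edx)
{
    unsigned a, b, c, d;
    *l1_ecx = *l7_ebx = *l7_edx = 0;
    if (__get_cpuid(1, &a, &b, &c, &d))
        *l1_ecx = c;
    if (__get_cpuid_max(0, NULL) >= 7) {
        __cpuid_count(7, 0, a, b, c, d);
        *l7_ebx = b;
        *l7_edx = d;
    }
}
#endif

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t l1_ecx, l7_ebx, l7_edx;
    read_live(&l1_ecx, &l7_ebx, &l7_edx);
    printf("IBRS/IBPB=%d STIBP=%d PCID+INVPCID=%d\n",
           bti_guest_mitigation_visible(l7_edx), stibp_visible(l7_edx),
           pcid_for_kpti_visible(l1_ecx, l7_ebx));
    switch (guest_mitigation_readiness(l1_ecx, l7_ebx, l7_edx)) {
    case 0:
        puts("BTI bits not exposed: check VM hardware version >= 9, ESXi patch level, and that the VM was power-cycled");
        break;
    case 1:
        puts("BTI mitigation possible; PCID/INVPCID not exposed (hardware version 11 recommended)");
        break;
    default:
        puts("BTI mitigation possible and PCID/INVPCID exposed");
        break;
    }
#else
    puts("CPUID is x86-only; nothing to check on this architecture");
#endif
    return 0;
}
```

Seeing the bits exposed only means the hypervisor passes them through; the guest OS still needs its own vendor patch to make use of them. A guest that shows readiness 0 after the ESXi patch and hardware upgrade has usually been rebooted rather than power-cycled.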

Refer to the security advisories

  1. https://www.vmware.com/security/advisories/VMSA-2018-0004.html (Hypervisor-Assisted Guest Mitigation for CVE-2017-5715 and the vCenter updates) complements https://www.vmware.com/security/advisories/VMSA-2018-0002.html (hypervisor-specific mitigations for CVE-2017-5753 and CVE-2017-5715); read both.

Additional materials

Update 15th Jan 2018

The ESXi patches have been withdrawn; only the vCenter update still applies. Follow the KB for updates.

Update 13th Jan 2018

Following Intel's update, follow https://kb.vmware.com/s/article/52345 for hosts with Intel Haswell and Broadwell processors.

 


Tuesday, December 26, 2017

App Volumes Connection

I recently did a few Horizon proofs of concept and encountered a connection issue with App Volumes.
Here is how I resolved the App Volumes agent error message "Virtualization is disabled".

Note that this is based on version 2.12.

This error appears when the App Volumes agent cannot communicate with the App Volumes Manager.

During installation of both the agent and the manager you choose whether the connection is secure (HTTPS) or not (HTTP). Both MUST use the same type of connection. Getting this wrong is the most common cause of the error.

Below is how to first confirm that the connection type matches between the manager and the agent, and how to change it if it does not.

Agent
To check whether SSL is enabled on the agent, go to the VM that has the agent installed and follow the instructions stated here.

Manager
For the App Volumes Manager this is not as straightforward.
Refer to this document.

If you want to disable the secure connection, make sure the text is pasted into the file exactly as documented above.

If you are using a self-signed certificate in a default installation over HTTP and want to enable the secure connection after installation, follow this KB.

Tuesday, October 17, 2017

ESXi 6.5 U1 Host Client Login Issue

Today I did a fresh installation of ESXi 6.5 U1 and set up the root password during the installation.

After everything was working, with IP address, DNS and gateway assigned, we tried to access the Host Client using IE 11.

We encountered the message "cannot complete login due to an incorrect user name or password". Thinking we might have entered the wrong password, we typed it in Notepad and copied and pasted it. The same error appeared on both servers.

I did some searching but never found anyone with the same issue, other than an old post about ESXi 6.0 with the old vSphere Client. I decided to try one of the methods from there.

I went down to both servers, used the DCUI and selected the Change Password option, entering the same password again. Voilà! The Host Client works now.

Very strange behaviour. Apparently the Host Client did not register the password set during installation.

Hope this helps those encountering the same issue.

Tuesday, October 10, 2017

VMware ROBO License

Recently there was some discussion about licensing in the Facebook vExpert group.

One user asked about licensing 3 hosts, each placed at a different location. He wants to be able to take snapshots and monitor the health of the ESXi hosts, and intends to add a fourth host in future. He was also told by the account executive that vSphere Essentials cannot meet this requirement.

Let me explain some information that might not be clear enough.

The vSphere Essentials and Essentials Plus kits are bundles that come with vCenter Server Essentials (which is not available for sale on its own) and vSphere Essentials/Essentials Plus licensing. vCenter Server Essentials can only manage up to three ESXi hosts. The vSphere Essentials kit lets you license up to 3 hosts with up to 2 CPUs each (6 CPUs in total). You cannot license more than 3 hosts even if each has only 1 CPU, because vCenter Server Essentials can only manage up to 3 ESXi hosts. Also, the Essentials licensing does not allow the hosts to be managed by a vCenter Server Standard edition.

Check out the site here for a comparison that includes the ROBO licenses.

vSphere ROBO comes in packs of 25 VMs, in two editions, Standard and Advanced (see the comparison above). 25 VMs may sound like a lot, but you are allowed to split the license into smaller amounts in the license portal. This means you can deploy the vSphere ROBO license across multiple remote sites, up to a maximum of 25 VMs per site declared as a ROBO site.

That way, customers do not need to buy a vSphere Essentials/Essentials Plus kit, the cheapest kit available, for each remote site. This helps many customers save on cost with vSphere ROBO licensing.

Hope this explains and gives you a better understanding of how vSphere ROBO licensing applies and how to use it.


Tuesday, October 3, 2017

VMware vSAN 2017 Specialist

VMware has released two specialist certifications, namely vRealize Operations and vSAN.

I recently attempted the vSAN Specialist exam. Before we go into it, let us see what the requirements are to take this exam.

You need a valid VCP 6.x on any track. There is no course requirement, but the vSAN Deploy and Manage course is recommended.

There is only a digital badge when you pass the exam; there is no certification for this exam. The exam code is 2VB-601: VMware Specialist: vSAN 6.x Exam.

Do check out the exam guide. However, the guide does not indicate the exam time or the number of questions. From what I encountered there were 60 questions in total, and the time is similar to the VCP, about 240 minutes. The cost for me was SGD 363 (this may differ in other countries).

You are required to know everything about vSAN from 6.0 to the latest, now 6.6. Everything in these versions can be tested. It is good to understand the concepts and fundamentals of the technology as well as all the features that have been released since.

Personally, I felt that the exam was neither too easy nor too tough to fail. It really targets someone who understands vSAN to a certain level. If you merely read feature lists without knowing how vSAN really works, this exam will be tough for you.

Once you pass, you will receive a notice the very next day with your digital badge, like mine.

Good luck to those attempting it.

Wednesday, September 20, 2017

vRealize Suite Lifecycle Manager 1.0

A release note appeared today for something known as vRealize Suite Lifecycle Manager 1.0. What is this software about?

VMware has a bundle known as vCloud Suite. Here is a breakdown of what is in vCloud Suite.
vCloud Suite comprises two things: vRealize Suite + vSphere Enterprise Plus.

vRealize Suite (depending on Editions) will consist of some or all of the below:
  • vRealize Automation
  • vRealize Business
  • vRealize Operations Manager
  • vRealize Log Insight

vSphere (depending on edition) will consist of some or all of the below:
  • vCenter Standard (purchase separately)
  • ESXi
  • vSphere Replication
  • vSphere Data Protection (last major edition)
  • vSphere Big Data Extension

Looking at the above, you start to see that installing and managing upgrades is a big, tedious process, with lots of planning and double- and triple-checking of the compatibility matrix.

So here comes vRealize Suite Lifecycle Manager. It handles the deployment and patching of the vRealize Suite components that you own, covering Day 0 to Day 2 tasks, which relieves admins of a ton of work. This assumes that the infrastructure (vSphere, vSAN, NSX) is already deployed.

Check out this blog on vRSLCM. Download it here.

Tuesday, September 19, 2017

Questions on vSphere Enterprise Edition

Recently I have been getting a lot of questions about vSphere Enterprise Edition and the confusion around it.

The reason for these questions is that VMware announced the end of availability (EOA) of vSphere Enterprise Edition on 9 February. This means that vSphere Enterprise can no longer be purchased; you are left with only 3 options: vSphere Standard, vSphere Enterprise Plus, or vSphere with Operations Management Enterprise Plus (vSOM) (excluding the small kits, e.g. vSphere Essentials).

What will happen to vSphere Enterprise in terms of support?
Support will remain valid until March 2020, as long as your support and subscription contract is still valid.

Can I upgrade/downgrade my existing vSphere Enterprise to a valid edition?
You can only upgrade, not downgrade. In this case, you can only move up to vSphere Enterprise Plus or vSphere with Operations Management Enterprise Plus (vSOM).

I am currently on vSphere 6.0 Enterprise or below; can I still upgrade to 6.5 since there is no Enterprise Edition?
Yes, you can still upgrade your license in the license portal as long as you are on a valid subscription. What you will get is vSphere 6.5 Enterprise Edition. Although this edition is no longer sold, existing customers who perform an upgrade will still see it.

Moving forward, if I purchase new vSphere licenses they will be of a different edition; can I mix them in the same cluster?
You can mix different editions of vSphere in the same cluster. However, only the features of the lowest edition will be usable across the cluster. It is strongly recommended to keep the same edition within a cluster to avoid losing features or running into issues caused by mixed editions.
