Change default Image and Container location in Docker [CentOS 7]

When you first try out Docker it is natural not to care about the default directory in which it stores images and containers. As the experiments pile up, Docker can quietly occupy an enormous amount of space, and that is usually the moment you put the troubleshooting cap on and go looking for a way to change its default location. After wading through a number of sites and forums, I could not find the steps to change the default directory of Docker images and containers on a CentOS 7 host: there are plenty of "how to" articles for Debian, but not many for CentOS 7. This post provides instructions specific to CentOS 7 (they should work on RHEL 7 as well).

Before changing the default storage location of Docker, we need three pieces of information:

  • Default storage location used by Docker
  • Storage driver used by Docker
  • New storage space where the containers and images are going to reside

The default location is /var/lib/docker; all existing images and containers are stored there. If any containers are running, stop them all and make sure none are running, then run the following command to determine the storage driver Docker is using (you will see later in the post why you need to note it down).

# docker info

In the output, look for Storage Driver and make a note of it. On my host it is devicemapper. The next step is to stop the Docker service.

# sudo systemctl stop docker

Creating a Drop-In file

Next, create a drop-in file named docker.conf in /etc/systemd/system/docker.service.d. The docker.service.d directory does not exist by default, so create it first.

# sudo mkdir /etc/systemd/system/docker.service.d
# sudo touch /etc/systemd/system/docker.service.d/docker.conf 

The point of a drop-in file is that systemd merges it with the default unit file at /lib/systemd/system/docker.service, and any parameter set in docker.conf overrides the value from the default unit, so the packaged unit file is left untouched (and survives package upgrades). If you want to dive deeper into drop-ins, read the systemd.unit documentation.

Define the new storage location

Now open docker.conf and add the following, 

# sudo vi /etc/systemd/system/docker.service.d/docker.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --graph="/mnt/new_volume" --storage-driver=devicemapper 
Save and exit the editor. /mnt/new_volume is the new storage location and devicemapper is the storage driver; if your storage driver is different, use the value you noted down earlier. From Docker 17.05 onward the option is spelled --data-root rather than --graph. More detailed information on the various storage drivers is available in the official Docker documentation. Keep the new directory root-owned and not readable by other users, as /var/lib/docker is, because it holds every image layer and container filesystem on the host; on a host with SELinux enforcing it also needs the same file context as /var/lib/docker, otherwise SELinux may deny the daemon access to it.

Now reload the service daemon and start the Docker service. This changes the storage location for new images and containers.
# sudo systemctl daemon-reload 
# sudo systemctl start docker

To confirm that all went well, run # docker info again and check Docker Root Dir. It should now show /mnt/new_volume.


What to do if you have existing containers and images?

If you want the existing containers and images migrated to the new location, do not reload the service daemon and start Docker right after modifying docker.conf. First move the existing data from /var/lib/docker to the new location, then create a symlink. Copy with ownership, permissions and SELinux labels preserved (rsync -a together with -A and -X does this) and only remove the old directory once Docker starts cleanly from the new one and your containers behave as before.
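The whole relocation, from the drop-in file described above to the data migration, as one script. This is an added example and not code from the original post; it assumes /mnt/new_volume is already mounted, that the driver noted from docker info is devicemapper, that rsync and the semanage tool (policycoreutils-python) are installed, and a daemon of 17.05 or later where the option is --data-root (older daemons spell it --graph, as in the post). It copies the data with attributes preserved instead of symlinking, and refuses to proceed on an unknown storage driver, since a typo there only shows up as a daemon that will not start after daemon-reload.

```shell
#!/bin/sh
# Added example (not code from the original post): move the Docker data root
# on CentOS 7 with a systemd drop-in, copying the existing images and
# containers rather than symlinking them. Assumptions: /mnt/new_volume is
# mounted, the driver is devicemapper, rsync and semanage are installed, and
# the daemon understands --data-root (17.05+; older daemons use --graph).
set -eu

DATA_ROOT="${DATA_ROOT:-/mnt/new_volume}"
DRIVER="${DRIVER:-devicemapper}"
OLD_ROOT=/var/lib/docker
DROPIN_DIR=/etc/systemd/system/docker.service.d

# Drivers a CentOS 7 kernel can run. A typo here only shows up after
# daemon-reload, as a daemon that refuses to start.
valid_driver() {
    case "$1" in
        devicemapper|overlay|overlay2) return 0 ;;
        *) return 1 ;;
    esac
}

# render_dropin DATA_ROOT DRIVER -> the drop-in text. The empty ExecStart=
# clears the vendor unit's command; without it systemd sees two ExecStart
# lines for a non-oneshot service and refuses to start it.
render_dropin() {
    printf '%s\n' \
        '[Service]' \
        'ExecStart=' \
        "ExecStart=/usr/bin/dockerd --data-root=$1 --storage-driver=$2"
}

# Copy the old tree preserving owner, mode, ACLs, xattrs (which include the
# SELinux labels), hard links and sparse files (devicemapper's loop-lvm data
# file is sparse). Then register the new path as equivalent to /var/lib/docker
# in SELinux policy so future relabels keep the daemon's access working.
migrate_data() {
    mkdir -p "$DATA_ROOT"
    chmod --reference="$OLD_ROOT" "$DATA_ROOT"
    rsync -aAXHS "$OLD_ROOT"/ "$DATA_ROOT"/
    if selinuxenabled 2>/dev/null; then
        semanage fcontext -a -e "$OLD_ROOT" "$DATA_ROOT"
        restorecon -R "$DATA_ROOT"
    fi
}

apply() {
    valid_driver "$DRIVER" || { echo "unsupported storage driver: $DRIVER" >&2; exit 1; }
    systemctl stop docker
    migrate_data
    mkdir -p "$DROPIN_DIR"
    render_dropin "$DATA_ROOT" "$DRIVER" > "$DROPIN_DIR/docker.conf"
    systemctl daemon-reload
    systemctl start docker
    # Confirm the daemon really moved before anyone deletes the old tree.
    actual=$(docker info -f '{{.DockerRootDir}}')
    [ "$actual" = "$DATA_ROOT" ] || { echo "Docker Root Dir is $actual, expected $DATA_ROOT" >&2; exit 1; }
    echo "Docker now uses $DATA_ROOT; remove $OLD_ROOT once your containers check out"
}

# Run only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it as root with `sh relocate-docker.sh --apply`; override DATA_ROOT or DRIVER in the environment for a different target or driver.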


Docker and firewalld mess in CentOS 7

I am very new to Docker and recently used it for the first time to test a pre-built container. Before that I had never used Docker but was waiting for a chance to involve it in one of my projects. I selected CentOS 7 as the operating system to run Docker on since, unlike Windows, running Docker on Linux does not involve tools like Cygwin. Another reason to use CentOS is that I had a CentOS VM readily available, neatly configured with certain tools and networking. The problem is that there was no clear documentation on making sure firewalld never interferes with Docker.
The container I am using presents a web page, and that is its primary function. I was able to access the page and log in. The web page has a function to upload files, but it would not accept the uploads I was trying to test. It took me quite a while to figure out that firewalld was the culprit preventing this.
With the CentOS 7 release we get firewalld to configure the firewall instead of raw iptables; firewalld is an abstraction layered over iptables. The installation documentation on the Docker website does not even hint at what the iptables rules should look like, but while researching I found that the installation document for an older Docker version (1.6) does mention the conflict between Docker and firewalld. It says,
CentOS-7 introduced firewalld, which is a wrapper around iptables and can conflict with Docker. 

When firewalld is started or restarted it will remove the DOCKER chain from iptables, preventing Docker from working properly.

When using Systemd, firewalld is started before Docker, but if you start or restart firewalld after Docker, you will have to restart the Docker daemon.

Well, this did not really help solve the problem. These are the errors you are likely to see on your server after typing

# systemctl status firewalld

ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE’ failed: iptables: No chain/target/match by that name.

ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).

and similar errors pointing to other chains such as FORWARD, PREROUTING and OUTPUT. Each of these is an iptables -C (check) call failing, which means the rules Docker inserts for network address translation and forwarding (the DOCKER chain, the MASQUERADE rule for 172.17.0.0/16, the docker0 FORWARD rules) are no longer there: firewalld removed them, so traffic into and out of the containers is blocked. There are two fixes available for this issue,

Disable firewalld and manage iptables yourself, or let docker0 have unrestricted access by modifying the firewalld rules (adding the docker0 interface to firewalld's trusted zone). I elected to disable firewalld to save time and to make sure it never interferes with my work in future. A procedure to modify the firewall to allow docker0 unrestricted access can be found here (note: this is an untested recommendation). Be aware that disabling firewalld leaves the host with no firewall other than the rules Docker inserts, and that ports published with docker run -p are written directly into iptables by Docker and bypass firewalld's zone rules either way.

Now to disable firewalld, follow the below procedure.

# systemctl stop firewalld
# systemctl disable firewalld

The first command stops firewalld and the second removes it from the units started at boot, so it does not come back on its own when the server is rebooted.

To verify that firewalld is stopped, use the following command.

# systemctl status firewalld

And then execute the following to verify iptables.

# iptables -L

There is no need to install iptables after disabling firewalld: firewalld cannot function without iptables, so the package is already present. To verify that you have it, execute the following.

# yum list installed | grep iptables
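A small script that detects the conflict from firewalld's own log output and implements both fixes discussed above. This is an added example, not code from the original post. The sample log lines are constructed, modelled on the COMMAND_FAILED errors quoted above; "trusted" is firewalld's built-in zone and docker0 is Docker's default bridge name.

```shell
#!/bin/sh
# Added example, not from the original post: detect the firewalld/Docker chain
# conflict from firewalld's log and apply one of the two remedies. Sample log
# lines are constructed after the COMMAND_FAILED errors in the post.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
Oct 01 10:15:02 centos7 firewalld[812]: ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
Oct 01 10:15:02 centos7 firewalld[812]: ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 01 10:15:02 centos7 firewalld[812]: ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
EOF
)

# docker_rules_rejected TEXT -> 0 when the text contains COMMAND_FAILED lines
# that touch Docker's chain, bridge or NAT range; 1 otherwise.
docker_rules_rejected() {
    printf '%s\n' "$1" | grep 'COMMAND_FAILED' \
        | grep -Eq -e '-C DOCKER|docker0|172\.17\.0\.0/16'
}

# failed_chains TEXT -> sorted, space-separated iptables chains named by the
# failed checks, to see how much of Docker's ruleset is missing.
failed_chains() {
    printf '%s\n' "$1" | grep 'COMMAND_FAILED' \
        | sed -nE 's/.*-C ([A-Za-z0-9_-]+) .*/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Fix A (keeps the host firewall): trust the Docker bridge so firewalld stops
# rejecting its traffic, then restart dockerd so it recreates its chains.
# Ports published with -p are still inserted directly into iptables by Docker
# and bypass firewalld's zone rules.
trust_docker_bridge() {
    firewall-cmd --permanent --zone=trusted --change-interface=docker0
    firewall-cmd --reload
    systemctl restart docker
}

# Fix B (what the post does): turn firewalld off. Afterwards the only rules
# left are Docker's own, so every host service becomes reachable unless you
# manage iptables yourself (for example with the iptables-services package).
disable_firewalld() {
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl restart docker
}

case "${1:-}" in
    check)
        log=$(journalctl -u firewalld --no-pager -n 200)
        if docker_rules_rejected "$log"; then
            echo "firewalld is rejecting Docker rules in chains: $(failed_chains "$log")"
        else
            echo "no Docker/firewalld conflict in the recent firewalld log"
        fi ;;
    trust)   trust_docker_bridge ;;
    disable) disable_firewalld ;;
esac
```

Run `sh docker-fw.sh check` on the host to see whether the conflict is present, then `trust` or `disable` as root depending on which fix you want.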

Now the containers should work properly. Any issues? Please feel free to comment.

VCP6-DCV Study Guide Part 2: Secure ESXi, vCenter Server, and vSphere Virtual Machines

A data security strategy must be well planned; in the data center every virtual asset must be protected. An attacker who hijacks a VM can reconfigure it for their own purposes. This chapter is all about vSphere security: the set of measures VMware suggests for hardening access to ESXi hosts, VMs and the vCenter Server. Following are the topics we will cover in this post,

  1. Harden virtual machine access
    1. Control VMware Tools installation
    2. Control VM data access
    3. Configure virtual machine security policies
  2. Harden a virtual machine against Denial-of-Service attacks
    1. Control VM-VM communications
    2. Control VM device connections
    3. Configure network security policies
  3. Harden ESXi Hosts
    1. Enable/Configure/Disable services in the ESXi firewall
    2. Change default account access
    3. Add an ESXi Host to a directory service
    4. Apply permissions to ESXi Hosts using Host Profiles
    5. Enable Lockdown Mode
    6. Control access to hosts (DCUI/Shell/SSH/MOB)
  4. Harden vCenter Server
    1. Control datastore browser access
    2. Create/Manage vCenter Server Security Certificates (Work in progress)
    3. Control MOB access (Work in progress)
    4. Change default account access (Work in progress)
    5. Restrict administrative privileges (Work in progress)
  5. Understand the implications of securing a vSphere environment (Work in progress)

Harden virtual machine access

VMware Tools enables greater interaction between the ESXi host and the virtual machine and is required for several VMware features to function. VMware recommends restricting the ability to install VMware Tools to the users who need it. It is controlled by a privilege.

  • Virtual machine.Interaction.VMware Tools install

This privilege allows mounting and unmounting the VMware Tools installer ISO as a CD-ROM in the guest operating system. It is set on the Virtual Machine object.

It is also a good idea to restrict virtual machine data access, meaning the ability to cut, copy and paste data into and out of the virtual machine console. The administrator should also consider removing unwanted or unused virtual hardware from virtual machines; doing so removes options an attacker could use to compromise the system. A virtual machine must be treated as a separate entity with its own security policies. To further harden a virtual machine, the following actions can be carried out,

  • Patch the guest OS with the latest security releases and run anti-spyware or anti-malware software; follow the recommendations of the guest operating system vendor.
  • Disable unnecessary services running in the guest OS.
  • Streamline virtual machine deployment with templates and scripts.
  • Disable HGFS (host-guest file system) file transfers.
  • Prevent virtual machines from taking over resources by defining CPU and memory reservations and limits and setting correct share values; placing virtual machines in resource pools is also good practice.
  • Limit the size of the informational messages a virtual machine can write to its VMX file (the tools.setInfo.sizeLimit setting), so a guest cannot fill the datastore and cause a Denial of Service (DoS).
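The items in the list above (console copy and paste, HGFS transfers, device connections, the setInfo size limit) are per-VM settings that end up in the .vmx file, which makes them easy to audit from the ESXi shell. The following is an added example and not part of the study guide: it reads a .vmx file and reports every setting that deviates from the value VMware's vSphere 6 Security Configuration Guide recommends. The two embedded .vmx fragments are constructed samples, and the required values are taken from that guide.

```shell
#!/bin/sh
# Added example, not part of the study guide: audit .vmx files for the per-VM
# isolation settings discussed above. Keys/values follow the vSphere 6
# Security Configuration Guide; the sample .vmx contents are constructed.
set -eu

# key|required value. VMware treats keys case-insensitively and so do we;
# values are compared case-insensitively too ("true" == "TRUE").
VMX_CHECKS='isolation.tools.copy.disable|TRUE
isolation.tools.paste.disable|TRUE
isolation.tools.hgfsServerSet.disable|TRUE
isolation.device.connectable.disable|TRUE
isolation.device.edit.disable|TRUE
tools.setInfo.sizeLimit|1048576'

# Constructed .vmx fragments (real files carry many more keys).
SAMPLE_DEFAULT_VMX='.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
displayName = "web01"
isolation.tools.copy.disable = "FALSE"
tools.setInfo.sizeLimit = "1048576"'

SAMPLE_HARDENED_VMX='.encoding = "UTF-8"
displayName = "web01"
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
tools.setInfo.sizeLimit = "1048576"'

# vmx_get FILE KEY -> the value with quotes stripped, or nothing if absent
vmx_get() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/[[:space:]]/, "", k) }
        tolower(k) == tolower(key) {
            v = $2
            gsub(/^[[:space:]]*"?|"?[[:space:]]*$/, "", v)
            print v; exit
        }' "$1"
}

# audit_vmx FILE -> one line per deviation: key=actual (want expected)
audit_vmx() {
    printf '%s\n' "$VMX_CHECKS" | while IFS='|' read -r key want; do
        have=$(vmx_get "$1" "$key")
        if [ "$(printf '%s' "$have" | tr 'a-z' 'A-Z')" != "$want" ]; then
            printf '%s=%s (want %s)\n' "$key" "${have:-<unset>}" "$want"
        fi
    done
}

# deviation_count FILE -> number of failing checks (0 means compliant)
deviation_count() {
    audit_vmx "$1" | wc -l | tr -d ' '
}

# On an ESXi host: report every VM whose .vmx deviates from the checks.
audit_all_vms() {
    for f in /vmfs/volumes/*/*/*.vmx; do
        [ -f "$f" ] || continue
        if [ "$(deviation_count "$f")" != 0 ]; then
            echo "== $f"
            audit_vmx "$f"
        fi
    done
}

if [ "${1:-}" = "--all" ]; then audit_all_vms; fi
```

Run it with `--all` from the ESXi shell to sweep every registered VM, or call audit_vmx on a single file. A missing key counts as a deviation on purpose: most of these settings default to the safe value, but the hardening guide asks for them to be set explicitly so that a later default change cannot silently weaken the VM.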

Harden a virtual machine against Denial-of-Service attacks

Preventing Denial-of-Service against a VM requires good network planning; the virtual switch and physical switch settings must be configured to withstand Denial-of-Service attacks.

Control VM-VM communications

Different virtual machines on a host can be configured to use different network segments. When a virtual machine is isolated in its own segment, data leakage from one virtual machine to another is minimized. Segmentation confines ARP spoofing (man-in-the-middle), Denial-of-Service (DoS) and system-hijacking attacks to the segment they originate in. There are two approaches to implement segmentation,

  • Use separate physical network adapters for virtual machine zones to ensure that the zones are isolated. This is probably the most secure method and is less prone to misconfiguration after the initial segments are created.
  • Set up virtual local area networks (VLANs) to safeguard your network. Because VLANs provide almost all of the security benefits of physically separate networks without the hardware overhead, they offer a viable solution that can save you the cost of deploying and maintaining additional devices, cabling and so forth.

Control VM data access

Although VM-to-VM traffic is secured by segmentation, the VMs still connect to the physical network, and the physical network is itself exposed to breaches; a protected VM can therefore be attacked from other compromised physical servers or virtual machines on the network. The overall network must be monitored for threats and carefully planned to avoid such breaches. Security software that monitors the network, together with regular security checks, significantly reduces the risk of a breach.

Configure network security policies

Just like a physical network adapter, a virtual machine's virtual network adapter can send frames that appear to come from a different machine, and it can receive frames intended for that other machine. This poses a serious security threat: an attacker who takes control of a VM can use it to impersonate another VM or to sniff packets carrying valuable information.

When a standard switch is created on an ESXi host, appropriate security policies can be configured on the virtual machine port groups as well as on the VMkernel port groups that carry system traffic such as management and vMotion.

Note that the security policies defined at port-group level are a feature of the hypervisor, not of the operating system running in the virtual machine. Once configured, the ESXi hypervisor prevents the VM's network adapters from behaving this way. Another interesting point: once enabled, the guest operating system is not told that its impersonation attempt was blocked.

Securing vSphere Standard Switches

Before making any attempt to secure the vSphere standard switch we must understand how it handles traffic under various conditions. The MAC address is the unique identifier of a frame's source and destination. In vSphere, when you create a virtual machine with one or more virtual network adapters, vCenter (when the host is managed by vCenter) or the ESXi host assigns a MAC address to each virtual NIC. There are three kinds of MAC address; let's discuss each and when it is assigned,

Initial MAC Address

The initial MAC address is assigned to a vNIC when the virtual machine is created or when the vNIC is added to an existing VM. You can let ESXi or vCenter generate it, or enter the desired address manually. It corresponds to the burned-in address of a physical NIC.

Effective MAC Address

The effective MAC address is set by the guest operating system. Usually the OS uses the initial MAC address as its effective MAC address, but some applications need a different MAC address and this is where they change it.

Runtime MAC address

The runtime MAC address is the actual (live) MAC address seen on the standard switch port.

The following security options allow or prevent certain behaviour of the guest VM under pre-defined conditions. There are three security policies,

  • MAC address change
  • Forged transmits
  • Promiscuous mode

Each policy is set to either Accept or Reject, independently of the others. To change the values, select the ESXi host in the inventory, click Manage and then Networking; under Virtual switches select the switch and click the edit icon, then select Security in the new window. The same options are available at port-group level, and a port-group policy overrides the one set on the vSwitch. The following picture shows the options,

Figure 1: Security settings of a vSwitch
MAC Address Change

By default the option is set to Accept. When set to Accept, ESXi allows a request from the guest operating system to change the effective MAC address to something other than the initial MAC address. When set to Reject, the guest OS is not allowed to change the effective MAC address.

MAC spoofing (MAC impersonation) is a common attacker tactic: changing the effective MAC of a VM to impersonate another VM, or to gain stealth by switching to a random value. If this option is set to Reject and the guest changes its MAC address, ESXi disables the port, so the adapter stops receiving frames; the guest OS is not told that the change was rejected.

Forged Transmits

The default is Accept. When set to Accept, ESXi does not compare the source MAC address of outbound frames with the effective MAC address, and every frame is allowed. When set to Reject, ESXi compares the two and drops any frame whose source MAC does not match the effective MAC address. To protect VMs against MAC impersonation, set this option to Reject.

Promiscuous mode

The default is Reject. When set to Reject, the guest OS cannot receive frames destined for other VMs through its adapter. When set to Accept, the guest OS (typically a tool running in the guest) can see frames intended for other VMs on the same port group and VLAN.

This option is useful when running a network intrusion detection system or a tool like Wireshark in a VM to monitor network traffic. At the same time, a person with bad intentions can use it to snoop on the network, so grant it only on a dedicated port group rather than on the whole vSwitch.
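The three policies can also be audited and set from the ESXi shell, which is handy when there are many hosts. The script below is an added example and not part of the study guide: it parses the output of esxcli's security policy query, reports any policy still set to Accept, and applies Reject on a switch and its port groups (the port-group level must be set too, since it overrides the switch). The sample output is constructed to match the layout of `esxcli network vswitch standard policy security get`, and the switch and port-group names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the study guide: audit and harden the vSwitch
# security policies (MAC address change, forged transmits, promiscuous mode)
# with esxcli. The sample output is constructed; vSwitch0 and the port-group
# names are assumptions.
set -eu

# Constructed `esxcli network vswitch standard policy security get -v vSwitch0`
# output for a switch still on the defaults described above.
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# policy_violations TEXT -> the policies still set to true (Accept), one per
# line; no output means all three are Reject.
policy_violations() {
    printf '%s\n' "$1" | awk -F': *' '
        /Allow (Promiscuous|MAC Address Change|Forged Transmits)/ && tolower($2) == "true" {
            sub(/^[[:space:]]+/, "", $1); print $1
        }'
}

# violation_count TEXT -> number of policies still set to Accept
violation_count() {
    policy_violations "$1" | wc -l | tr -d ' '
}

# audit_vswitch SWITCH -> violations on a live host
audit_vswitch() {
    policy_violations "$(esxcli network vswitch standard policy security get -v "$1")"
}

# harden_vswitch SWITCH [PORTGROUP...]: reject all three on the switch and on
# each named port group. Leave promiscuous mode to a dedicated port group if
# an IDS sensor or Wireshark VM really needs it.
harden_vswitch() {
    sw="$1"; shift
    esxcli network vswitch standard policy security set -v "$sw" \
        --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
    for pg in "$@"; do
        esxcli network vswitch standard portgroup policy security set -p "$pg" \
            --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
    done
}

case "${1:-}" in
    audit)  audit_vswitch "${2:-vSwitch0}" ;;
    harden) shift; harden_vswitch "$@" ;;
esac
```

Usage on a host: `sh vswitch-policy.sh audit vSwitch0` lists what is still on Accept, and `sh vswitch-policy.sh harden vSwitch0 "VM Network" "Management Network"` sets Reject on the switch and the named port groups.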

Harden ESXi Hosts

When an ESXi host is installed and initialized for the first time, its firewall ports are closed by default and only the required ones are open. The ports in question are those used for SSH access, SNMP, vSphere web access and so on. They can be enabled and disabled as needed and can also be configured to start and stop with the host.

These settings can be viewed and changed in the vSphere Web Client, with ESXCLI and with PowerCLI.

Enable/Configure/Disable services in the ESXi firewall

ESXi firewall settings can be accessed in the vSphere Web Client as follows,

  1. Click the host in the inventory
  2. Click the Manage tab and then the Settings tab under it
  3. Click Security Profile under System

You will see a number of incoming and outgoing connections. Click Edit to modify each connection's settings; only some of the connections can be modified here. The following figure shows this,

Figure 2: Edit security profile

You can observe the options Start, Stop, Restart and Startup policy. The startup policy is straightforward: when it is set to start and stop with host, the service starts and stops along with the host. Also note that the option to allow connections only from specific IP addresses is defined here.

To further harden ESXi, collapse the incoming and outgoing connections list and you will see all services. Each service can be individually set to start and stop with the host or to be started and stopped manually. The following image illustrates the service list and its options,

Figure 3: Start and Stop services

Lockdown mode can be enabled to prevent remote users from logging into the ESXi host directly, via SSH and other methods. When enabled, the host can be managed only through vCenter Server, and the console (DCUI) remains accessible. Some users can be exempted from lockdown mode; those users can still access the host remotely. To reach the lockdown mode settings, scroll down on the Security Profile page; the option is at the bottom, after the services.

Figure 4: Lockdown mode options

When set to Normal, the host can be accessed through vCenter as well as the DCUI. When set to Strict, the DCUI is disabled as well and the host is managed only via vCenter Server. To add users to the exception list, use the next option.

Apply permissions to ESXi host using host profiles

From a properly configured host (the reference host) the configuration is extracted and kept in a profile, called a host profile. That profile can later be used to apply the configuration it contains to a single host or to a cluster; when applied to a cluster, all hosts in the cluster receive the same configuration.

In the vSphere Web Client, the Host Profiles option is found on the Home page under Monitoring. Click it and you will be presented with the following screen; click the green + icon to extract a profile from a reference host.

Figure 5: Extract host profile

Select the reference host from the list and then click next. Give a name and then click next, review summary and click finish.

Figure 6: Extract profile from a host

You can then attach a host or cluster to the created profile, and check the compliance of the attached hosts against it. Right-click the host profile to explore more options.

Harden vCenter Server

In the previous chapters we discussed how to harden virtual machines and ESXi hosts. In this chapter we discuss some of the options available to harden the vCenter Server.

Control datastore browser access

To control what a user can do in the datastore browser it's time to revisit privileges. The Datastore.Low level file operations privilege can be granted or withheld to allow or disallow read, write, delete and rename operations in the datastore browser.

Figure 7: Control datastore browser access

Create/Manage vCenter Server Security Certificates

vSphere components use certificates to establish secure (SSL/TLS) connections with each other. You do not simply create these certificates yourself: the VMware Certificate Authority (VMCA), a service that resides in the Platform Services Controller (PSC), issues certificates to ESXi hosts and to each vCenter service. Alternatively you can supply your own certificates obtained from a PKI (public key infrastructure), either internal or external such as Verisign. vCenter certificates can be managed with the following tools,

  • vSphere Certificate Manager utility: a command-line tool for all certificate-related operations and tasks
  • Certificate management CLIs: certificate tasks can be performed with dir-cli, certool and vecs-cli
  • vSphere Web Client certificate management: in the Web Client we can only view a certificate and its associated information, such as the expiration date

Procedures for certificate operations are beyond the scope of this document. To view active, revoked, expired and root certificates in the Web Client, navigate to Administration -> System Configuration -> click the vCenter Server -> Manage -> Certificate Authority tab.

Control MOB Access

The MOB (Managed Object Browser) can be used to view and modify host configuration. It is normally used only for debugging, and disabling this interface removes one way for an attacker to change host configuration.

Procedure

Click the host in the inventory -> Manage -> Settings tab -> click Advanced System Settings under System.
The setting is named Config.HostAgent.plugins.solo.enableMob; set its value to False, which disables the MOB.
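The ESXi host steps from "Harden ESXi Hosts" (firewall rulesets, allowed source IPs, lockdown mode) and the MOB switch just described can all be done from the ESXi shell, which is the natural place to script them across hosts. The following is an added example and not part of the study guide. The ruleset listing it parses is constructed to match the layout of `esxcli network firewall ruleset list`; the allowlist of rulesets and the management subnet are assumptions for an example host, and the vim-cmd calls are the ones VMware documents for the MOB setting and for lockdown mode.

```shell
#!/bin/sh
# Added example, not part of the study guide: ESXi shell equivalents of the
# firewall, lockdown and MOB steps above. Sample listing is constructed; the
# allowlist and MGMT_NET are assumptions for an example host.
set -eu

# Rulesets this host is allowed to keep enabled; anything else that is enabled
# gets reported and, in apply mode, disabled.
ALLOWED_RULESETS='sshServer vSphereClient ntpClient vpxHeartbeats'
MGMT_NET=10.10.0.0/24

# Constructed `esxcli network firewall ruleset list` output.
SAMPLE_RULESETS='Name                         Enabled
---------------------------  -------
sshServer                       true
sshClient                      false
snmp                            true
vSphereClient                   true
CIMHttpServer                   true
ntpClient                       true'

# enabled_rulesets TEXT -> names whose Enabled column is true (header skipped)
enabled_rulesets() {
    printf '%s\n' "$1" | awk 'NR > 2 && tolower($2) == "true" { print $1 }'
}

# unexpected_rulesets ALLOWLIST TEXT -> enabled rulesets not in the allowlist,
# sorted and space-separated (empty when the host is compliant)
unexpected_rulesets() {
    allow=" $1 "
    enabled_rulesets "$2" | while read -r name; do
        case "$allow" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done | sort | tr '\n' ' ' | sed 's/ $//'
}

# Report what apply_host_hardening would change on this host.
audit_host() {
    extra=$(unexpected_rulesets "$ALLOWED_RULESETS" "$(esxcli network firewall ruleset list)")
    if [ -z "$extra" ]; then
        echo "firewall: only allowlisted rulesets are enabled"
    else
        echo "firewall: unexpected rulesets enabled: $extra"
    fi
    echo "MOB setting: $(vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob)"
    echo "lockdown enabled: $(vim-cmd vimsvc/auth/lockdown_is_enabled)"
}

apply_host_hardening() {
    # Run this from the DCUI or from an SSH session that originates inside
    # MGMT_NET: the allowed-IP change below drops every other SSH client.
    for rs in $(unexpected_rulesets "$ALLOWED_RULESETS" "$(esxcli network firewall ruleset list)"); do
        esxcli network firewall ruleset set --ruleset-id="$rs" --enabled=false
    done
    # Keep SSH, but only from the management subnet (the "allowed IP" option
    # in the Security Profile dialog).
    esxcli network firewall ruleset set --ruleset-id=sshServer --allowed-all=false
    esxcli network firewall ruleset allowedip add --ruleset-id=sshServer --ip-address="$MGMT_NET"
    # Disable the Managed Object Browser.
    vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool false
    # Enter (normal) lockdown mode last: from here on the host is managed via
    # vCenter and the DCUI, plus any users on the exception list.
    vim-cmd vimsvc/auth/lockdown_mode_enter
}

case "${1:-}" in
    audit) audit_host ;;
    apply) apply_host_hardening ;;
esac
```

Run `sh esxi-harden.sh audit` first to see what would change, then `apply`. The ordering in apply_host_hardening matters: lockdown goes last because once it is on, the shell session you are in may be the last one you get without going through vCenter or the DCUI.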

Change default account access & Restrict administrative privileges

By default the root user has all privileges on a single host and the administrator user can perform all functions in vCenter. To enhance security, avoid using these default accounts for day-to-day work: create a named account for each administrator, or use the VMware Directory Service or another identity source, so that every action is attributable to an individual.

Thanks for reading. If you find this worth sharing, please spread the word.

VCP6-DCV Study Guide Part 1: Configure and Administer Role-based Access Control

In vSphere, Role-based Access Control is the overall mechanism for controlling access to the various objects in vCenter Server. It is accomplished through permissions and privileges, and it falls under vSphere 6.x Security. This post is a study guide for the VCP6-DCV exam (2V0-621) and a work in progress; more similar posts will be published periodically. I am writing this study guide according to the VMware 2V0-621 exam blueprint. Enjoy reading!

In this post we will discuss the following topics,

  1. Compare and contrast propagated and explicit permission assignments
  2. View/Sort/Export user and group lists
  3. Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
  4. Determine how permissions are applied and inherited in vCenter Server
  5. Create/Clone/Edit vCenter Server Roles
  6. Configure VMware Directory Service
  7. Apply a role to a User/Group and to an object or group of objects
  8. Change permission validation settings
  9. Determine the appropriate set of privileges for common tasks in vCenter Server
  10. Compare and contrast default system/sample roles
  11. Determine the correct permissions needed to integrate vCenter Server with other VMware products

Compare and contrast propagated and explicit permission assignments

Authorization in vSphere:

A user or group in vSphere is authorized through vCenter Server permissions. A privileged user can grant permissions to another user or group in the following ways,

a. vCenter Server permissions

The vCenter Server permission model relies on assigning permissions to objects in the object hierarchy of that vCenter Server. Each permission gives one user or group a set of privileges, that is, a role, on a selected object.

b. Global permissions

Global permissions are applied to the global root object, which spans solutions such as vCenter Server and Orchestrator. A user can be given permission to access all objects present in both object hierarchies.

c. Membership in vsphere.local groups

The user administrator@vsphere.local can perform the tasks associated with the services included in the Platform Services Controller (PSC), and members of the corresponding vsphere.local groups can perform the tasks for their service. The services in the PSC are,

  • VMware vCenter Single Sign-On
  • VMware License Server
  • Lookup Service
  • Certificate Authority
  • Certificate Store
  • VMware Directory Services

For example, a member of the LicenseService.Administrators group can perform license management.

d. ESXi local host permissions

A user with local host permissions can manage a standalone ESXi host that is not managed by vCenter Server.

View/Sort/Export user and group lists

In this chapter we discuss some basic operations in the vSphere Web Client related to users and groups.

To view users and groups present in a vCenter Server click Administration in the left navigation pane present in vSphere Web Client. Once in Administration click Users and Groups present under Single Sign-On. Now the tabs can be used to navigate to see Users, Solution Users and Groups. Click on a Group to see the Group members.

The vSphere Web Client lets us export the list of users and groups in the inventory. On the relevant tab, such as Users or Groups, click the downward-pointing arrow in the bottom right corner. Figure 1 illustrates all of this,

Note: another way to view the users and groups associated with a vCenter Server is to navigate to vCenter Servers in the vCenter Inventory Lists and select the vCenter Server; a number of options then appear in the middle pane. Click Manage and then the Permissions tab to see the users and groups associated with this vCenter and the roles they hold.

Figure 1: View, Sort, Export users and groups.

Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects

Permissions can easily be added to a user or group in the vSphere Web Client. Navigate to Administration from the main navigation panel (the Navigator) and select Global Permissions. Click the green + icon to add a user with a pre-defined role; to edit a user's permissions, click the user and then the pencil icon; to remove a permission, select it and click the red X icon.

The following image shows group Az being assigned the pre-defined role "Administrator". Note that the option "Propagate to children" is checked.

Figure 2: Group Az is assigned a pre-defined role “Administrator”

Determine how permissions are applied and inherited in vCenter Server

vCenter Server permission model:

In vSphere an object is an item in the vCenter inventory on which permissions can be set. For example, a VM folder is an object; in its hierarchy there can be VMs, vApps and templates, and a vApp can in turn hold resource pools and VMs in its own hierarchy. Figure 3 illustrates an object and the child objects in its hierarchy.

Figure 3: Hierarchical view of an Object in vCenter Server

In vCenter each object carries permissions. A permission propagates to child objects by default, and propagation can be switched off. A permission is assigned to a user or a group. Figures 4 and 5 illustrate a group, a user in that group, and the permission assigned to all users in the group.

Figure 4: Az is a group and azhagarasu is a user in that group
Figure 5: Group Az visible in Administrator role

Let's take some time to understand what permissions, users and groups, roles and privileges are.

a. Permissions

Each object in the vCenter Server hierarchy has associated permissions. A permission pairs a user or group with a role on that object; since a role is a set of privileges, every user in the group gets those privileges on the object (and, if propagation is on, on its children). The following image illustrates creation of the role "Oracle_Dev" with certain privileges.

Figure 6: Role Oracle_Dev creation
b. Roles

As in the image above, a role is a collection of the privileges a user needs for a job. It is then assigned to a user or group through a permission. vCenter Server has predefined roles: the system roles cannot be modified or deleted but can be cloned, while the sample roles can be modified, cloned and deleted.

c. Users and Groups

Users and groups can be created in vCenter Server, and Active Directory users and groups can also be assigned permissions. A user or group can be assigned permissions only if vCenter Server can authenticate it. Users are authenticated through vCenter Single Sign-On, so the user or group must be defined in an identity source that vCenter Single Sign-On uses.

d. Privileges

Privileges are the fine-grained units of access control, for example Virtual machine.Interaction.Power on. Privileges are grouped into a role; a role is assigned to a user or group on a particular vCenter object, and that assignment is the permission. Still confused about permissions and privileges? Refer to Figure 2 and note what a privilege is.

Now the following image from VMware should make more sense.

Figure 7: vSphere Permissions conceptual block diagram

Create/Clone/Edit vCenter Server Roles

In the previous lesson we learned what a role is; in this lesson let's create, clone and edit roles in vCenter Server.

To access roles, again navigate to Administration from the Navigator and select Roles. The green + icon adds a new role and the ID-badge-like icon clones one; the pencil icon edits a role and the red X removes it. The following figure illustrates the options available under Roles.

Figure 8: Create/Clone/Edit vCenter Server Roles

Configure VMware Directory Service

VMware Directory Service (VMDir) is one of the services in the Platform Services Controller (PSC). It is associated with the domain you specify during installation of vCenter Server and is included in each embedded deployment and on each Platform Services Controller. VMDir replication ensures that the vsphere.local domain is identical across all Platform Services Controllers. VMDir is a multi-tenanted, multi-mastered directory service. It makes an LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems.

An ESXi host can be joined to a domain so that management of users and groups becomes easier, rather than having to create local users on each ESXi host. When an ESXi host is added to Active Directory, the domain group called "ESXi Admins" is given full administrative access to the host if that group exists. A workaround is available to prevent this from happening if it is not wanted.

Procedure to add a host to domain

  1. Browse to the host in the vSphere Web Client inventory.
  2. Click the Manage tab and click Settings.
  3. Under System, select Authentication Services.
  4. Click Join Domain.
  5. Enter a domain.
  6. Enter the user name and password of a directory service user who has permissions to join the host to the domain, and click OK.
  7. (Optional) If you intend to use an authentication proxy, enter the proxy server IP address.
  8. Click OK to close the Directory Services Configuration dialog box.
Figure 9: Joining ESXi host to a domain

Apply a role to a User/Group and to an object or group of objects

This topic was already covered in the earlier section "Determine how permissions are applied and inherited in vCenter Server".

Change Permission Validation Setting

vCenter Server periodically validates its users and groups against the users and groups in Active Directory. If a user or group is no longer present in the directory, vCenter Server removes it from its list. This validation can be disabled, or the search interval can be adjusted to suit your needs.

Note: This validation applies only to the vCenter Server user and group list, not to users and groups defined locally on the ESXi host itself.

Procedure to change validation settings

  1. Browse to the vCenter Server system in the vSphere Web Client object navigator.
  2. Select the Manage tab and click Settings.
  3. Click General and click Edit.
  4. Select User directory.
Figure 10: Change validation settings

The User Directory timeout value dictates how long vCenter Server is allowed to run a search against the domain. The value is in seconds; larger domains require more time. Query limit and Query limit size are closely related: when the Query limit check box is checked, the value entered in Query limit size takes effect. That value dictates how many users and groups are displayed in the "Select Users and Groups" dialog box. Setting it to 0 shows all users and groups from the domain.

Determine the appropriate set of privileges for common tasks in vCenter Server

Performing a task in vCenter Server, such as moving a virtual machine from one folder to another, requires privileges on more than one object in the inventory. In this chapter we discuss some of the common tasks an administrator typically performs in vCenter Server and the privileges required for them. Earlier we discussed that predefined roles can be assigned to users or groups, and also how to define custom roles.

Example 1: Move a virtual machine into a resource pool

The following privileges are required to perform this action:

  • On the virtual machine or the folder of virtual machine
    • Assign virtual machine to resource pool
    • Virtual machine.Inventory.Move
  • On the destination resource pool
    • Assign virtual machine to resource pool

The task described above is typically performed by an administrator.

Example 2: Install a guest operating system on a virtual machine

To install an operating system on a virtual machine, the following privileges are required:

  • On the virtual machine or folder of virtual machines
    • Virtual machine.Interaction.Answer question
    • Virtual machine.Interaction.Console interaction
    • Virtual machine.Interaction.Device connection
    • Virtual machine.Interaction.Power Off
    • Virtual machine.Interaction.Power On
    • Virtual machine.Interaction.Reset
    • Virtual machine.Interaction.Configure CD media (if installing from a CD)
    • Virtual machine.Interaction.Configure floppy media (if installing from a floppy disk)
    • Virtual machine.Interaction.VMware Tools install
  • On a datastore containing the installation media ISO image
    • Browse datastore (if installing from an ISO image on a datastore)
  • On the datastore to which you upload the installation media ISO image
    • Browse datastore
    • Low level file operations

Every other task a user performs in vCenter Server has a similar set of required privileges. For further reading on this topic, refer to the vCenter Server security guide.

Compare and contrast default system/sample roles

Earlier we discussed what roles, permissions and privileges are. vCenter Server ships with predefined roles: some of these (the default roles) cannot be modified or deleted but can be cloned, while the sample roles can be modified, cloned and deleted.

The following are the default roles:

a.      Administrator Role

This role includes all privileges, and users with this role can perform all actions on the objects it is granted on. A user with the Administrator role can assign privileges to other users and groups. By default, the administrator@vsphere.local user has the Administrator role on both vCenter Single Sign-On and vCenter Server after installation.

b.      No Access Role

Users with this role cannot view or change the object. New users and groups are assigned this role by default; it can then be changed.

c.       Read Only Role

Users with this role can view the state of an object and its details. They cannot modify anything in the inventory; they can view virtual machines, hosts and resource pools, but cannot open the remote console of a virtual machine. All other actions are disallowed.
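Because the Administrator role carries every privilege, the practical question for a defender is who actually holds it, which editable roles exist alongside the default ones, and which ESXi hosts are domain-joined (and therefore subject to the "ESXi Admins" behaviour described earlier). The following PowerCLI audit is an added example, not part of the original guide; it assumes an open Connect-VIServer session and that PowerCLI reports the Administrator role under its internal name 'Admin'. The $expectedAdmins allow-list is a placeholder to adjust for your environment.

```powershell
# Added example (not from the original guide): audit Administrator grants, non-system
# roles and domain-joined hosts. Assumes VMware PowerCLI and an open Connect-VIServer
# session. $expectedAdmins is an assumed placeholder list.

# Principals that are supposed to hold Administrator; anything else is reported for review.
$expectedAdmins = @('VSPHERE.LOCAL\Administrator', 'VSPHERE.LOCAL\Administrators')

function Get-UnexpectedAdministratorGrants {
    # 'Admin' is the internal name PowerCLI uses for the built-in Administrator role.
    Get-VIPermission |
        Where-Object { $_.Role -eq 'Admin' -and $expectedAdmins -notcontains $_.Principal } |
        Select-Object Principal, IsGroup, Entity, Propagate
}

function Get-EditableRoles {
    # Default roles (Administrator, Read-only, No access, ...) report IsSystem = $true
    # and cannot be edited; everything else is a sample, cloned or custom role whose
    # privilege list can drift over time and deserves periodic review.
    Get-VIRole | Where-Object { -not $_.IsSystem } |
        Select-Object Name, @{ n = 'PrivilegeCount'; e = { $_.PrivilegeList.Count } }
}

function Get-DomainJoinedHosts {
    # A host joined to Active Directory hands full administrative access to the
    # "ESXi Admins" domain group if that group exists, so list every joined host.
    Get-VMHost | Get-VMHostAuthentication |
        Where-Object { $_.Domain } |
        Select-Object VMHost, Domain, DomainMembershipStatus
}

Write-Host '== Administrator role held by principals outside the allow-list =='
Get-UnexpectedAdministratorGrants | Format-Table -AutoSize
Write-Host '== Editable (non-system) roles =='
Get-EditableRoles | Format-Table -AutoSize
Write-Host '== ESXi hosts joined to a directory domain =='
Get-DomainJoinedHosts | Format-Table -AutoSize
```

Run it after any change to roles or domain membership; an Administrator grant to an unfamiliar principal, or a role whose privilege count has grown, is the kind of drift that the GUI makes easy to miss.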

Determine the correct permissions needed to integrate vCenter Server with other VMware products

To integrate the same authentication with other VMware products such as vCenter Orchestrator, we must use Global Permissions. A global permission is applied to the global root object, which spans across solutions.

Thanks for reading; if you found this worth sharing, please spread the word.

Click here to continue to part 2 – Secure ESXi, vCenter Server, and vSphere Virtual Machines

P2000 G3 LUN and vmware VAAI

This is probably known to many by now, but recently I bumped into a problem with ESX 4.1 and ESX 5.1 hosts. I am a SAN engineer and have limited expertise when it comes to VMware. The problem is that when we try to add a LUN presented from a P2000 G3 MSA, it fails with an error. Both hosts are blade servers and are able to see the LUN. It fails at the point when I try to add that LUN as a datastore with VMFS5.

Error : Call "HostDatastoreSystem.CreateVmfsDatastore" for object "ha-datastoresystem" on ESX - "Unable to create filesystem: Connection timed out" Check the kernel log
HP released a customer advisory – http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03668075&lang=en&cc=us&taskId=135&prodSeriesId=5077022&prodTypeId=329290

As per HP, HardwareAcceleratedLocking needs to be disabled. So let's take some time to learn what VAAI is and what it really does.

VAAI – vStorage APIs for Array Integration

This feature was introduced in ESXi/ESX 4.1. It provides hardware acceleration for compatible storage hardware, meaning the host can offload storage-related operations to the array and so reduce its own CPU cycles and storage bandwidth.

Features of VAAI:

  1. Atomic Test & Set (ATS) – which is used during creation and locking of files on the VMFS volume
  2. Clone Blocks/Full Copy/XCOPY – which is used to copy or migrate data within the same physical array
  3. Zero Blocks/Write Same – which is used to zero-out disk regions
  4. Thin Provisioning in ESXi 5.x and later hosts
  5. Block Delete in ESXi 5.x and later hosts

These features are controlled by the following advanced parameters:

Advanced Parameter name       Description
HardwareAcceleratedLocking    Atomic Test & Set (ATS), which is used during creation of files on the VMFS volume
HardwareAcceleratedMove       Clone Blocks/Full Copy/XCOPY, which is used to copy data
HardwareAcceleratedInit       Zero Blocks/Write Same, which is used to zero-out disk regions

Let's look at ATS, since it's relevant to the topic.

ATS is designed to overcome SCSI-2 reservations, in which the full volume, including its metadata, is locked. VMFS allows multiple hosts to access the same volume, and to avoid data corruption it must handle conflicting requests for both data and metadata; with SCSI-2 reservations, this file-level locking is implemented by reserving the LUN. The SCSI reservation locks the complete LUN and prevents access from the other hosts for the duration.

So ATS is simply a SCSI compare-and-write operation used in place of a SCSI-2 reservation. On a conflicting request, ATS locks only the single sector involved instead of blocking the whole LUN.

That being said, now that we know why the VMFS5 datastore creation fails, I went ahead and disabled HardwareAcceleratedLocking and was able to get the datastore created. In the HP article they mention that the issue applies to all P2000s running firmware versions TS230 and TS240. I also knew there was a new revision released by HP last month, starting at TS250. I thought the new firmware might have added this feature to the P2000, but nothing related to VAAI was mentioned in the release notes. I updated to the latest anyway, but the issue still exists. I made it work by disabling HardwareAcceleratedLocking.
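Since turning off ATS sends the host back to SCSI-2 reservations that lock the whole LUN, the change is best scoped to the hosts that actually see the affected array and checked across the cluster afterwards. The following PowerCLI script is an added example, not part of the original post or of HP's advisory; it assumes an open Connect-VIServer session and uses placeholder host names in $affectedHosts. The three advanced-setting names are the VMFS3.* and DataMover.* keys that correspond to the parameters in the table above.

```powershell
# Added example (not from the original post). Report the three VAAI toggles on every
# host and disable HardwareAcceleratedLocking only on the hosts that use the P2000 G3.
# Assumes VMware PowerCLI and an open Connect-VIServer session.
# Host names below are assumed placeholders.

$vaaiSettings = @(
    'VMFS3.HardwareAcceleratedLocking',   # ATS
    'DataMover.HardwareAcceleratedMove',  # Clone Blocks / Full Copy / XCOPY
    'DataMover.HardwareAcceleratedInit'   # Zero Blocks / Write Same
)
$affectedHosts = @('esx-blade-01.lab.local', 'esx-blade-02.lab.local')  # placeholders

function Get-VaaiReport {
    # One row per host; 1 = feature enabled, 0 = disabled.
    foreach ($vmhost in Get-VMHost) {
        $row = [ordered]@{ Host = $vmhost.Name }
        foreach ($name in $vaaiSettings) {
            $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
            $row[$name.Split('.')[1]] = [int]$setting.Value
        }
        [pscustomobject]$row
    }
}

Write-Host '== VAAI settings before the change =='
Get-VaaiReport | Format-Table -AutoSize

# Disable ATS only where it is still on, and only on the affected hosts, so that
# hosts on arrays that support ATS keep sector-level locking.
foreach ($hostName in $affectedHosts) {
    $vmhost = Get-VMHost -Name $hostName
    Get-AdvancedSetting -Entity $vmhost -Name 'VMFS3.HardwareAcceleratedLocking' |
        Where-Object { $_.Value -ne 0 } |
        Set-AdvancedSetting -Value 0 -Confirm:$false |
        Out-Null
}

Write-Host '== VAAI settings after the change =='
Get-VaaiReport | Format-Table -AutoSize
```

Keep the "before" report: once the array firmware supports ATS, the same loop with -Value 1 restores the original state, and the report makes it obvious which hosts were changed and which were never touched.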
