Comments for jeremYprieS.com http://www.jeremypries.com Virtualization Boy - Jeremy Pries Sat, 21 Nov 2009 18:17:20 -0700 http://wordpress.org/?v=2.9.1 hourly 1 Comment on No longer @ Xcedex by Mike Langhus http://www.jeremypries.com/?p=211&cpage=1#comment-19466 Mike Langhus Sat, 21 Nov 2009 18:17:20 +0000 http://www.jeremypries.com/?p=211#comment-19466 email Jeremy, I am interested to know more. email Jeremy, I am interested to know more.

]]> Comment on Create empty floppy image by Jeremy http://www.jeremypries.com/?p=42&cpage=1#comment-19276 Jeremy Tue, 20 Oct 2009 16:19:00 +0000 http://www.jeremypries.com/?p=42#comment-19276 This command creates an empty floppy image on a mac. hdiutil create -size 1440k -fs MS-DOS floppy The last parameter is the file name, floppy in this case. It will add the .dmg extension. After you can rename to img or flp or whatever. This command creates an empty floppy image on a mac.

hdiutil create -size 1440k -fs MS-DOS floppy

The last parameter is the file name, floppy in this case. It will add the .dmg extension. After you can rename to img or flp or whatever.

]]> Comment on Hung VM – Find the pid by matt http://www.jeremypries.com/?p=9&cpage=1#comment-8610 matt Thu, 23 Oct 2008 20:21:17 +0000 http://www.jeremypries.com/?p=9#comment-8610 ps -ef | grep vmware look for name of vmachine... kill -9 pid of hung vmachine ps -ef | grep vmware

look for name of vmachine…

kill -9 pid of hung vmachine

]]> Comment on Hung VM – Find the pid by jeremy http://www.jeremypries.com/?p=9&cpage=1#comment-8471 jeremy Wed, 15 Oct 2008 14:32:54 +0000 http://www.jeremypries.com/?p=9#comment-8471 Paul, The instructions were written for ESX 2.x and do not work in 3.x. You have a number of options with 3.x. Safest options listed first... 1. 'vmware-cmd /path/to/vm.vmx stop hard' -- may or may not work depending how screwed up the vm is. 2. 'vm-support -x' to list the vmids (small x). Then 'vm-support -X vmid' (big x) to generate logs and kill it. This way leaves you info for vmware support, but it takes forever to actually kill the vm. 3. ps -auxfww | grep VMNAME. Then kill the pid or kill -9 it. More info is here. http://virtrix.blogspot.com/2007/09/vmware-stopping-virtual-machine-gone.html Good luck Jeremy Paul,

The instructions were written for ESX 2.x and do not work in 3.x.

You have a number of options with 3.x. Safest options listed first…

1. ‘vmware-cmd /path/to/vm.vmx stop hard’ — may or may not work depending how screwed up the vm is.

2. ‘vm-support -x’ to list the vmids (small x). Then ‘vm-support -X vmid’ (big x) to generate logs and kill it. This way leaves you info for vmware support, but it takes forever to actually kill the vm.

3. ps -auxfww | grep VMNAME. Then kill the pid or kill -9 it.

More info is here. http://virtrix.blogspot.com/2007/09/vmware-stopping-virtual-machine-gone.html

Good luck
Jeremy

]]> Comment on Hung VM – Find the pid by Paul http://www.jeremypries.com/?p=9&cpage=1#comment-8469 Paul Wed, 15 Oct 2008 08:51:11 +0000 http://www.jeremypries.com/?p=9#comment-8469 any idea why i get a pid of -1 for all VM's? (extra '*' in first example as 2nd example doesn't return a PID at all? [root@svr-vmh-crcla06 1236]# grep SVR-IAS-CRS01 /proc/vmware/*/*/* /proc/vmware/vm/1342/names:vmid=1342 pid=-1 cfgFile="/vmfs/volumes/47fabc0b-cb57433f-2597-0019bb4fcf66/SVR-IAS-CRS01/SVR-IAS-CRS01.vmx" uuid="50 0c ec b5 52 d8 26 2c-5e ff 72 45 4f 83 7c 28" displayName="SVR-IAS-CRS01" [root@svr-vmh-crcla06 1236]# grep SVR-IAS-CRS01 /proc/vmware/*/* /proc/vmware/sched/drm-stats: 111 1000 0 -1 1 2 1 0 2 6 2 0 2 6 2 0 4294967293 92 604 512 44 0 0 207 24 133 vm.1341 (/vmfs/volumes/47fabc0b-cb57433f-2597-0019bb4fcf66/SVR-IAS-CRS01/SVR-IAS-CRS01.vmx) any idea why i get a pid of -1 for all VM’s?

(extra ‘*’ in first example as 2nd example doesn’t return a PID at all?

[root@svr-vmh-crcla06 1236]# grep SVR-IAS-CRS01 /proc/vmware/*/*/*
/proc/vmware/vm/1342/names:vmid=1342 pid=-1 cfgFile=”/vmfs/volumes/47fabc0b-cb57433f-2597-0019bb4fcf66/SVR-IAS-CRS01/SVR-IAS-CRS01.vmx” uuid=”50 0c ec b5 52 d8 26 2c-5e ff 72 45 4f 83 7c 28″ displayName=”SVR-IAS-CRS01″

[root@svr-vmh-crcla06 1236]# grep SVR-IAS-CRS01 /proc/vmware/*/*
/proc/vmware/sched/drm-stats: 111 1000 0 -1 1 2 1 0 2 6 2 0 2 6 2 0 4294967293 92 604 512 44 0 0 207 24 133 vm.1341 (/vmfs/volumes/47fabc0b-cb57433f-2597-0019bb4fcf66/SVR-IAS-CRS01/SVR-IAS-CRS01.vmx)

]]> Comment on Hung VM – Find the pid by Hal Rottenberg http://www.jeremypries.com/?p=9&cpage=1#comment-8106 Hal Rottenberg Mon, 15 Sep 2008 23:56:52 +0000 http://www.jeremypries.com/?p=9#comment-8106 FYI, this works on and applies perfectly to 3.x. However, it does NOT apply to 3i, which does not have a service console. It also probably will not apply to VI4 because I think they've changed some things but I don't know yet. FYI, this works on and applies perfectly to 3.x. However, it does NOT apply to 3i, which does not have a service console. It also probably will not apply to VI4 because I think they’ve changed some things but I don’t know yet.

]]> Comment on vSwitch0, Native VLANs and Host Building by quick http://www.jeremypries.com/?p=83&cpage=1#comment-4665 quick Thu, 08 May 2008 13:24:03 +0000 http://www.jeremypries.com/?p=83#comment-4665 Jeremy, Thanks for the reply. It seems you're under the impression that our provisioning VLAN is the same as the kernel VLAN. We have a VLAN for the Kernel, another for Service Console, and once the ESX server is built, there will be a separate vswitch just for them with multiple uplinks. We have a different VLAN for provisioning. Plus others for production traffic. Unfortunately, the same provisioning VLAN will be used for building new virtual machines and other physical host OSes as well, so setting the native VLAN to the provisioning VLAN is probably not going to fly. Although I was hoping to avoid it, I'm pretty sure the only acceptable solution to our security folks will be to configure additional uplinks as access ports to use for provisioning and swap things around after the OS is deployed (although we're using HP virtual connects, so we may do it there). Perhaps eventually, the install kernels will jump into the 21st century and figure out a way to support VLANs. Thanks, Jeremy,
Thanks for the reply. It seems you’re under the impression that our provisioning VLAN is the same as the kernel VLAN.

We have a VLAN for the Kernel, another for Service Console, and once the ESX server is built, there will be a separate vswitch just for them with multiple uplinks. We have a different VLAN for provisioning. Plus others for production traffic. Unfortunately, the same provisioning VLAN will be used for building new virtual machines and other physical host OSes as well, so setting the native VLAN to the provisioning VLAN is probably not going to fly.

Although I was hoping to avoid it, I’m pretty sure the only acceptable solution to our security folks will be to configure additional uplinks as access ports to use for provisioning and swap things around after the OS is deployed (although we’re using HP virtual connects, so we may do it there).

Perhaps eventually, the install kernels will jump into the 21st century and figure out a way to support VLANs.

Thanks,

]]> Comment on vSwitch0, Native VLANs and Host Building by jeremy http://www.jeremypries.com/?p=83&cpage=1#comment-4658 jeremy Thu, 08 May 2008 02:58:11 +0000 http://www.jeremypries.com/?p=83#comment-4658 Quick, thanks for bringing this up. I have been meaning to get to this since Scott put together his post in March. I need to put together a post to address it fully. The short story is that using the native vlan does open you to some additional risk. An attack does need to originate from an access port on the same vlan as the native vlan. In my case, normally I will suggest a "management" vswitch used only for ESX things like the service console, vmotion, and nfs mounts for ISOs. The only vlan's exposed to the risk would be any vlans except the native. This pretty much comes down to the vmotion vlan. Following best practice, this should be a non-routed vlan. If I am fully understanding this, the return traffic from the vmotion network to the attacker should not make it as there would be no return route. The attack would need to consist of a single packet or packets with no return necessary. Also, many clients I work with have dedicated vlans just for ESX service console and vmkernel interfaces. This would also help narrow down the attack sources. You can assess your own risk vs reward. Deploying ESX without the native vlan leaves you the following options. 1. Designate a port per rack for deployment. This would be an access port on the same vlan as your service console. Plug in the deployment cable for building. Post build, add the tagging to the service console with esxcfg-vswitch. 2. Same as #1 but build with UDA. 3. Dedicate network interfaces to the service console and use access ports. With HA, it is a best practice to have to vmnic's on this switch for heartbeat redundancy. 4. Install by hand and script the post installation configuration. So if you use blades in a lights out datacenter. Good luck. Also, your comment somehow was held in moderation by wordpress until I approved it. It may have been anti-spam. Anyway, that explains the delay in your comment appearing. Quick, thanks for bringing this up. I have been meaning to get to this since Scott put together his post in March. I need to put together a post to address it fully.

The short story is that using the native vlan does open you to some additional risk. An attack does need to originate from an access port on the same vlan as the native vlan. In my case, normally I will suggest a “management” vswitch used only for ESX things like the service console, vmotion, and nfs mounts for ISOs. The only vlan’s exposed to the risk would be any vlans except the native. This pretty much comes down to the vmotion vlan. Following best practice, this should be a non-routed vlan. If I am fully understanding this, the return traffic from the vmotion network to the attacker should not make it as there would be no return route. The attack would need to consist of a single packet or packets with no return necessary.

Also, many clients I work with have dedicated vlans just for ESX service console and vmkernel interfaces. This would also help narrow down the attack sources.

You can assess your own risk vs reward. Deploying ESX without the native vlan leaves you the following options.

1. Designate a port per rack for deployment. This would be an access port on the same vlan as your service console. Plug in the deployment cable for building. Post build, add the tagging to the service console with esxcfg-vswitch.

2. Same as #1 but build with UDA.

3. Dedicate network interfaces to the service console and use access ports. With HA, it is a best practice to have to vmnic’s on this switch for heartbeat redundancy.

4. Install by hand and script the post installation configuration.

So if you use blades in a lights out datacenter. Good luck.

Also, your comment somehow was held in moderation by wordpress until I approved it. It may have been anti-spam. Anyway, that explains the delay in your comment appearing.

]]> Comment on vSwitch0, Native VLANs and Host Building by quick http://www.jeremypries.com/?p=83&cpage=1#comment-4626 quick Tue, 06 May 2008 20:05:27 +0000 http://www.jeremypries.com/?p=83#comment-4626 Hi, The network security best practice is to set the Native VLAN to something that is not used anywhere else in the network. Your advice here seems to be to set the Native VLAN to be the same as the VLAN of the PXE boot server. If you set the Native VLAN on the Cisco switch trunk port in this manner, do you expose the network to the VLAN hopping attack via double encapsulation? This is described here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml and also mentioned by Scott Lowe here: http://blog.scottlowe.org/2008/03/05/vmotion-and-vlan-security/ Thanks, Hi,
The network security best practice is to set the Native VLAN to something that is not used anywhere else in the network. Your advice here seems to be to set the Native VLAN to be the same as the VLAN of the PXE boot server.

If you set the Native VLAN on the Cisco switch trunk port in this manner, do you expose the network to the VLAN hopping attack via double encapsulation? This is described here:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

and also mentioned by Scott Lowe here:

http://blog.scottlowe.org/2008/03/05/vmotion-and-vlan-security/

Thanks,

]]> Comment on smtp_send.pl by Jeff http://www.jeremypries.com/?p=87&cpage=1#comment-3970 Jeff Mon, 14 Apr 2008 15:26:32 +0000 http://www.jeremypries.com/?p=87#comment-3970 Jeremy, I had the old copy of smtp_send. It works great with multiple attachments. Thanks for taking the time to put this together. Much Appreciated, Jeff Jeremy,

I had the old copy of smtp_send. It works great with multiple attachments.
Thanks for taking the time to put this together.

Much Appreciated,

Jeff

]]>