Latest Headlines

ThinApp 4.5: best new feature – Linux support?

ThinApp 4.5 has just been released in the last couple of days, and many of my fellow bloggers have been picking over the new goodies.  Unfortunately most articles I have read just highlighted the “What’s New” section of the Release Notes.

However if you wander over to the What’s new? article on the VMware ThinApp blog site, there are some additional highlights.  The one that grabbed me in particular is the section entitled “Quality improvements & Wine test”:

Additionally the ThinApp engineering team has been working diligently with the Linux Wine team to collaborate on suites of automated tests. A significant number of test fixes made by ThinApp engineering were contributed back to the Wine project, especially targeted at reducing the number of test failures on Windows 7. The ThinApp engineering team has also set up ‘WineTestBot’, a service which allows Wine developers to run tests on VMware Virtual Machines which run a large selection of Windows versions. The result of the collaboration is that both Wine and ThinApp improve their quality.

For the uninitiated it is worth explaining what Wine is used for.  You could describe Wine like this: software which provides a layer of abstraction between applications and the underlying Operating System, resolving required dependencies and enabling greater portability.  Now, if you read that last sentence again, you could easily substitute the term ThinApp for Wine.  Don’t get the impression that ThinApp and Wine are much of a muchness though, as they’re not. Wine is a reimplementation of the Win32 API whose aim is to provide a Windows compatible environment, allowing Windows applications to run on POSIX systems like Linux and BSD.

Now it’s no secret that people have been using ThinApp (and Thinstall before it) to improve compatibility with Wine on Linux.  Jonathan Clark of VMware blogged about it over two years ago: http://communities.vmware.com/blogs/thinapp/2008/02/26/thinstall-and-wine, and even Brian Madden had a few derisive words about its real-world feasibility at the time: http://www.brianmadden.com/blogs/brianmadden/archive/2008/05/15/thinstall-wine-windows-apps-without-windows.aspx.

So why should this be any more relevant now? Why should enterprises care more now than they did when it was being dismissed as nothing more than a parlour trick?

Several things have changed to make this quite an exciting area.  Firstly, Wine has indeed improved.  When Google bought Picasa, the photo editing application for Windows, they decided they also wanted to support Linux computers.  When they looked at how complex (and expensive) a Linux port would be, they decided instead to utilise Wine technologies to make it happen.  If you install Picasa on Linux today, it comes with its own set of Wine binaries.

Today, devices in the workplace are more diverse than ever before.  The lines have blurred, and IT departments are asked to support more and more appliances.  It is not unusual to see Apple MacBooks in corporate offices, whereas only a few years before they were something you might only expect to see in a library or studio.  Smartphones are smarter, with large touch screens and plenty of horsepower to run a full stack including Wine and your indispensable Win32 app (and some do).

Within business today, a big change is occurring that will undoubtedly make this particularly pertinent. The enterprise desktop has largely stagnated over the last five years.  Most companies settled on XP, built their “SOE” and figured out how to use Group Policy to manage it.  Very little has changed since then, and there hasn’t been much pressure to upgrade until now.  Companies large and small are looking at ways to upgrade.  Now I’m relatively vocal about my support for Linux as a general purpose OS, and its suitability as a desktop replacement.  However I’m also pragmatic enough to know that migrating an entire workforce to a new platform is something only the most rabidly enthusiastic administrators would attempt.  What will happen over the next eighteen months is that corporations will deploy Windows 7 en masse, and many of them will do a hardware refresh and probably switch to 64-bit. Their biggest concern is not whether the OS will work, but whether their legacy applications will still run, and how to deploy said applications.  This is where application virtualisation comes into play, and why it’s going to be front and centre in most companies’ biggest IT project for 2010/2011.

Now VMware has a great product offering in this space, and a foot in the door with the Architects who have been pushing IT plans out recently.  However Microsoft is the obvious elephant in the room.  Their App-V product seems to be able to compete on features, and when you couple this with sweet licensing deals and a seamless tie-in to SCCM, then VMware has to look for another angle.

Well, I think this could be it.  And frankly it is something that VMware knows Microsoft won’t try to compete on.  So, would you pick an application virtualisation product to package, test and deploy everything which only works on Windows machines?  Or would you pick one which will happily do this, but might also let you deploy to Linux based desktops, thin clients, kiosks, call-centre stations, VM desktop pools, virtual appliances, oh and maybe even the boss’s Apple Mac?  I’m not saying that everyone is going to suddenly ditch their Windows workstations.  I just think that most people can see this profusion and will see Wine compatibility as a genuinely marketable advantage.

VMware’s open relationship with Wine certainly points to their realisation of this fact.  This is significant.  Personally, when I think of this, I dream of a stripped down VM with a minimal Linux install, GNOME desktop, vMA integrated Service Console application and a ThinApp version of a vSphere client.  However that is me just thinking too small and too selfishly.

What about the bigger picture?  It’s not inconceivable to imagine more general purpose Linux based vApps, with the ability to run all the common (and most uncommon) Windows applications out there.  Isn’t Novell up for sale at the moment?


Official: Likewise software to be included in next vSphere release

Back in January I noticed a trail which indicated that VMware would be including Likewise authentication software in their next vSphere software.

Well, Likewise have just released a press release confirming the partnership:

Likewise Software to be Included in VMware vSphere™ for Privileged User Access Management

Software Enables VMware vSphere™ Users to Securely Manage Privileged User Access with Microsoft Active Directory within Windows Environments

BELLEVUE, Wash. – March 15, 2010 – Likewise, the leader in delivering integration and authentication software for mixed networks, today announced a technology licensing agreement with VMware, enabling Likewise software to be directly integrated and included with VMware vSphere™.

The integration will enable VMware vSphere users to manage privileged user access with Microsoft Active Directory, providing large enterprises with a scalable means to improve authentication and access control in virtualized environments to help meet IT security audit requirements. Likewise is a member of the VMware Technology Alliance Partner (TAP) program.

“Virtualization platform vendors have realized the need to architect security capabilities into their platforms instead of relying solely on third-party add-on solutions,” said Neil MacDonald, VP and Gartner Fellow. “As enterprises build out their virtual environments, they should include the security capabilities of the virtualization platforms they consider into their evaluation process.”

“Virtualization is changing the landscape of the enterprise data center, creating new opportunities and considerations for our customers,” said Barry Crist, CEO of Likewise. “By directly integrating Likewise into VMware vSphere™, we can help customers leverage their existing investment in their Windows environments while providing additional security for their virtual environments.”

“As customers continue on the journey to cloud computing, they need to leverage existing security infrastructure for their virtualized environments,” said Patrick Lin, vice president, product management, VMware. “To help meet this demand, we plan to leverage Likewise software to seamlessly integrate this capability in large-scale environments running VMware vSphere™, providing a secure way for customers to manage their access controls.”

Most awesome ESX script known to mankind ever

Here is the most awesome ESX script known to mankind (by mankind I mean me) ever in the history of time (by ever I mean at least this week).

SnapVMX by Mr Ruben Garcia

I’ve been driving myself crazy over the last week trying to manually re-chain some horribly complicated and completely broken snapshots.  This script (under a GPL3 license) analyses the complete snapshot chain and tells you exactly where there are broken links or missing files.  It even reports exactly how much space you’ll need on the home datastore to commit them all.  All automagically.

I was going to follow the link to this script with a detailed explanation of how snapshots work, how they commonly break and of course how to fix up the mess.  However, it seems the author of the SnapVMX script has also written a paper (under a Creative Commons license) explaining the details more effectively than I could.  It’s great read if you want to learn more about the inner workings.

Troubleshooting Virtual Machine snapshot problems by Mr Ruben Garcia

It even explains how to commit the individual disks of a VM, if room is tight on the datastore. And has this nice flowchart to help suppress the inevitable panics when the snapshots go South.

Rubian – if you make it to VMworld this year, please make yourself known to me to redeem your free beer token.

Firewall diagram – version 5

Here is version 5 of Dudley Smith’s fantastic Firewall Diagram:

ConnectionsPorts-v5.pdf

And here is the “source” spreadsheet for version 5. It makes looking for a specific port when troubleshooting much easier.

NetworkPortCompendium

First vSphere 4 book in Spanish

I received an email from my friend Jose Maria Gonzalez, to say he has just published a new book.  In his own words:

The time has come and I am delighted to announce the details of my new book, a book I’ve been working on for the past four months without a “rest”: 101 Secrets VMware vSphere.

101 Secrets in VMware vSphere is the first book published on VMware vSphere technology in Spanish and addresses all the most important areas of VMware vSphere technology, while helping you to prepare for the official VCP4 certification.

It is a very thorough review of the basics of virtualization and VMware vSphere ESX / ESXi, very useful for those beginning in the world of virtualization and VMware vSphere, and for those who are already experts in VMware ESX / ESXi and want to delve into the details of VMware vSphere.

I tried to gather and synthesize everything you need to know so that you can improve and increase your knowledge of VMware vSphere, providing lots of advice illustrated with hundreds of examples. All the VMware vSphere secrets are in this book – at least I have done everything possible to make sure of it.

101 Secrets in VMware vSphere is now available via the Web at the following link in two formats, electronic (ebook) and printed:

http://www.lulu.com/product/tapa-blanda/101-secretos-de-vmware-vsphere/6233290

There’s never been a better time to brush up on your Spanish!

n+1 is hogwash!

Too frequently I hear the expression n+1 used as a model for ESX clusters to provide High Availability.  If you EVER expect to patch ESX servers without VM downtime then you need at least(†) n+2.  Patching means putting a host into Maintenance Mode, which evacuates its VMs onto the remaining hosts; in an n+1 cluster that uses up your only spare host, so for as long as the patching takes a single host failure can no longer be tolerated.  When running your clusters at only n+1, you can never safely put one of your hosts in Maintenance Mode; not if High Availability is important to you.

Footnote: If you don’t understand the importance of HA slot sizes, go learn.
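To put numbers on the footnote, here is an added example (it is not part of the original post). It uses the vSphere 4 admission-control slot model in simplified form: the slot is the largest CPU reservation by the largest memory reservation among powered-on VMs, and a host provides the smaller of the two floors. The cluster figures are constructed, and the memory overhead and service-console reservation that a real host also loses are ignored.

```shell
# Added example: HA slot arithmetic showing why n+1 gives you nothing to patch with.
# Simplified vSphere 4 admission-control model (assumption):
#   slot           = largest CPU reservation x largest memory reservation
#   slots per host = min(host_mhz / slot_mhz, host_mb / slot_mb)
# Per-VM memory overhead and the service-console reservation are ignored.

# slots_per_host HOST_MHZ HOST_MB SLOT_MHZ SLOT_MB
# Prints how many slots one host provides.
slots_per_host() {
    cpu_slots=$(( $1 / $3 ))
    mem_slots=$(( $2 / $4 ))
    if [ "$cpu_slots" -lt "$mem_slots" ]; then
        echo "$cpu_slots"
    else
        echo "$mem_slots"
    fi
}

# failover_ok HOSTS HOSTS_DOWN SLOTS_PER_HOST VMS
# Succeeds (exit 0) when the hosts still running can hold every powered-on VM.
# HOSTS_DOWN is the number of hosts unavailable at the same time: the one in
# Maintenance Mode plus the one HA must assume can fail.
failover_ok() {
    up=$(( $1 - $2 ))
    [ "$up" -gt 0 ] || return 1
    [ $(( up * $3 )) -ge "$4" ]
}

# describe HOSTS HOSTS_DOWN SLOTS_PER_HOST VMS -> one-line verdict
describe() {
    if failover_ok "$@"; then
        echo "$1 hosts, $2 down: OK ($(( ($1 - $2) * $3 )) slots for $4 VMs)"
    else
        echo "$1 hosts, $2 down: NOT SAFE ($(( ($1 - $2) * $3 )) slots for $4 VMs)"
    fi
}

# Constructed cluster: identical hosts (16 GHz, 32 GB), largest reservations
# 1000 MHz / 4 GB, 32 powered-on VMs. 32 VMs at 8 slots per host means
# n = 4 hosts are needed just to carry the load.
SLOTS=$(slots_per_host 16000 32768 1000 4096)
VMS=32

describe 5 1 "$SLOTS" "$VMS"   # n+1: one host fails while nothing is being patched
describe 5 2 "$SLOTS" "$VMS"   # n+1: one host in Maintenance Mode AND one fails
describe 6 2 "$SLOTS" "$VMS"   # n+2: the same situation during patching
```

The middle line is the one to show anyone who sells n+1 as "HA": with one host in Maintenance Mode the cluster is back to exactly n, and the next failure leaves VMs with nowhere to restart.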


esxtop precis updated to version 1.1

I’ve updated the esxtop precis to version 1.1.

This is just a small update, with a couple of corrections and incorporating the updates that Duncan has recently added.  As ever, this is really Mr Epping‘s great work that I’ve just re-presented in a handy little card.

Feel free to help yourself.

ESX 4.1 to include likewise AD authentication?

*** Please note, I am not in any ESX4+ beta programme, so anything I write below is not covered by an NDA. I found this openly published on the internet ***

Following my last post about ESX and AD authentication, I have been investigating how I could refine things.  This caused me to take a closer look at Likewise’s solutions, which I have used previously for managing Apple Macs in an AD environment.  Whilst digging around their site, I noticed that VMware ESX was a supported option.  So I moved to their forum to see if I could find any users who had implemented this to find out what their experience had been like.  A simple search for VMware popped up this thread: http://www.likewise.com/community/index.php/forums/viewthread/542/ posted on the 10th December by one of the forum’s Administrators.

(The emboldening is my own emphasis)

Q: Which VMware products are supported by Likewise?

A: VMware ESX and ESXi 4.1 are the first VMware products to provide Likewise based Active Directory authentication as part of its hypervisor host OS.  VMware provides full support for the Likewise technologies in its platform.  Likewise Open and Likewise Enterprise are supported on previous versions of VMware.  For more information, please contact support@likewise.com or post a question to the VMware Virtualization forum.

Q: What components of Likewise Open are included in VMware?

A: VMware has licensed the Likewise Identity Service from Likewise Software and integrated it into its hypervisor host operating systems ESX and ESXi.  This includes the components required to support domain join, authentication and name based lookups of users among other features.

Q: How do I join a VMware 4.1 ESX or ESXi server to Active Directory?
A: VMware ESX 4.1 system is in early beta.  Contact VMware for directions on joining to AD.

Q: Are event logging and group policy features available for VMware?
A: Event logging and group policy features are unique to Likewise Enterprise.  These are not available on ESXi systems.

Q: Is VMware Server on other OS distributions supported?

A: Yes, as long as the OS is supported by Likewise.  sudo can be used with VMware and Likewise to control access to the VMware management commandline.

Q: Can I install Likewise Enterprise or Likewise Open agents on an existing VMware 4.1 system?
A: This is not currently supported in Likewise 5.3 and VMware 4.1 is still in beta.  Stay tuned to the forums for updates.

Q: Is VMware vMA supported by Likewise Enterprise or Likewise Open?

A: vMA is the vSphere Management Assistant, a Red Hat Linux VM used to enable automation and troubleshooting scenarios with ESXi which doesn’t normally support a service console.  As a Red Hat compatible distribution, Likewise is supported on this system, but may require specific changes or additional packages.

Q: I installed Likewise on a VMware 4.0 system and the domain-join failed.  How can I get it to join properly?

A: The pam configuration of VMware changed from 3.5 to 4.0.  Likewise 5.3 does not currently support these changes.  However, the join can be completed with instructions from support@likewise.com.

This is certainly exciting news as far as I’m concerned.  Likewise provides some great functionality, and should make user management in ESX much easier for Enterprise deployments.  You can read about the features of the Likewise Identity Service, which is the component that VMware is licensing.

Here’s a quick rundown of a few of the nice things it might offer:

  • Authenticate with AD users and groups. AD schema changes not required.
  • Cached credentials support if the DCs are unavailable.
  • Backup alternative to ntpd via AD.
  • Support for AD site affinity.
  • Support for multiple forests.

You think you might find this useful?

AD and sudo integration in kickstart

Following on from my last post about kickstart scripts which looked at partitioning, this one concentrates on user account provisioning.  There are lots of useful guides online about how to configure user accounts, however none that fitted all my requirements.  So nothing below is groundbreakingly new, but it does demonstrate a complete working solution.

I had two basic requirements that I wanted to implement:

  • AD integration for passwords

Although the thought of making the ESX hosts reliant on a Microsoft technology gives me the “willies“, it is the de facto authentication method in most enterprises.  I didn’t want everyone logging in under the one account, but password management for multiple local accounts quickly becomes impossible when you have more than a handful of host servers.  AD integration means you can offload the burden of maintaining local passwords.

  • Use of sudo

In my experience, it has become quite common for companies to create a single root password across all their ESX servers and share this amongst the administrators.  These days no-one would create a single Domain Admins account for their Windows computers and share this around their staff, encouraging everyone to log in with it.

There are several approaches to reducing the (obvious) risk that this creates.  For example, VMware disables root access via SSH by default, but this is usually the first thing most people enable once the install is finished.  I don’t purport to be any sort of security expert, and I certainly don’t think my solution below is the most secure possible, but I do consider it a sensible medium of security versus convenience. We all know that if it’s anything more than a mild nuisance, then we’ll just break it open.

How to implement this in a kickstart script

I will explain each part of the script, but it is worth noting that all the commands can be run on the Service Console, or from a shell script, if you want to retroactively fit this sort of user model to an existing server.  It was tested on ESX 4 servers, but should run fine against ESX 3.x hosts.

%post --interpreter=bash

# Enable AD Authentication
/usr/sbin/esxcfg-auth --enablead --addomain=[DOMAIN] --addc=[DOMAIN]

This allows the local accounts to authenticate against your AD domain (esxcfg-auth rewrites the PAM and Kerberos configuration for you).  I found the --addc option would run fine if I just specified the domain instead of hard coding it to an individual DC, which also avoids a single-DC dependency.  There are several additional switches available for Kerberos authentication, however I found that in my test environment I didn’t need to stipulate them.  Your mileage will undoubtedly vary, depending on your AD mode and setup.  There are some excellent guides out there, if you need to add this in.

# Give new accounts the path variables to run esxcfg commands
sed -e 's|PATH=$PATH:$HOME/bin|PATH=$PATH:/usr/local/sbin:/sbin:/usr/sbin:$HOME/bin|g' /etc/skel/.bash_profile > /etc/skel/.bash_profile.new
mv -f /etc/skel/.bash_profile.new /etc/skel/.bash_profile

This adds the normal root path directories (where the esxcfg-* commands live) to new user accounts, so when using sudo you don’t need to specify the whole path. This is one of those things that isn’t strictly necessary, but without it using sudo is such a pain for the uninitiated that users get fed up with “change”.

# Help identify when logged in as root (red prompt for root, green for everyone else)
echo "PS1='\[\e[31m\]\u@\h:\w#\[\e[m\]'" >> /root/.bashrc
echo "PS1='\[\e[32m\]\u@\h:\w#\[\e[m\]'" >> /etc/skel/.bashrc

Again another nicety that I like to add in.  It just helps to highlight when you are “su”ing or logging in as root.

# Add enterprise Groups and Users
/usr/sbin/groupadd -g 5000 esxadmin
/usr/sbin/useradd -u 501 -G esxadmin tom -m
/usr/sbin/useradd -u 502 -G esxadmin dick -m
/usr/sbin/useradd -u 503 -G esxadmin harry -m

# Add local users needing admin access
# /usr/sbin/useradd -u 601 -G esxadmin [LOCAL_USER1] -m
# /usr/sbin/useradd -u 602 -G esxadmin [LOCAL_USER2] -m

Firstly, this creates a group called “esxadmin”.  It then creates local accounts for three users: tom, dick and harry, and adds them to the group. The second section is commented out, but allows for additional accounts to be added.  My thinking here is that in a largish enterprise environment there will always be some users that need to log into all ESX servers – your “domain admins” of the ESX world if you like.  You would leave their names in the script for all your servers.  However, you’re likely to have some administrators that are specific to just a few local servers, so these would be added in on a per server basis.  The usernames used here have to match their AD usernames.  Note that useradd creates these accounts with a locked local password, so the only way into them is with the AD password via the PAM configuration set up above.

# Add esxadmin to sudoers
echo "" >> /etc/sudoers
echo "# Allow esxadmin group to sudo" >> /etc/sudoers
echo "%esxadmin ALL = (ALL) ALL" >> /etc/sudoers
# Check the file still parses; a syntax error in sudoers breaks sudo for everyone
/usr/sbin/visudo -c

This allows all members of the esxadmin group to run any command using sudo with the elevated privileges of root, after entering their own (AD) password.  Be clear about what “ALL” means: it includes sudo -s and sudo su -, so a member is root in all but name.  What you gain is that every elevation is tied to a named account and logged, rather than everyone sharing one password.

# Allow ROOT access using SSH
sed -e 's/^PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
mv -f /etc/ssh/sshd_config.new /etc/ssh/sshd_config
service sshd restart

Now this section is a little controversial :) .  Why go to all this trouble and then allow root access via SSH?  Well, I have included it for completeness, as it’s a common request.  There is one good reason you might choose to keep it, though.  If the service console cannot reach a DC for whatever reason (networking problem, DC is offline, vswif0 is screwed, …), then you won’t be able to log in with one of your AD-backed esxadmin accounts.  Imagine your whole environment is virtualised, including all the DCs, and you start to see the chicken-and-egg possibilities. However, you can always log in with the root password.  So this isn’t an issue if all your hosts are in the server room next door, you have an iLO/RSA/DRAC card in them all, or have remote access to the console KVM.  If you don’t, then you might want to leave this in, accepting that the one shared, non-personal credential is then usable over the network again.

# Enable the SSH client (outbound SSH from an ESX host)
/usr/sbin/esxcfg-firewall -e sshClient

This just lets you bounce from one server to the next.  Effectively saves you having 8 different PuTTY sessions open on your desktop at once.  It also allows you to do things like SCP files across to another host.

# Enable TCP outgoing Kerberos (there are issues with UDP) and DNS, then enable blockOutgoing
/usr/sbin/esxcfg-firewall --openPort 88,tcp,out,KerberosClientTCP
/usr/sbin/esxcfg-firewall --openPort 53,tcp,out,dns
/usr/sbin/esxcfg-firewall --blockOutgoing

Lots of people warned that the above was needed to get around some issues with the AD authentication.  I’m not sure if this has been fixed since then, and haven’t had a chance to test it myself, so I’ve included it here.

# Remove dangerous default of ctrl-alt-del from inittab (comment the trap out)
sed -e 's/^ca::ctrlaltdel/# ca::ctrlaltdel/' /etc/inittab > /etc/inittab.new
mv -f /etc/inittab.new /etc/inittab

This snippet fixes the issue where pressing Ctrl-Alt-Del on the physical console reboots the host, and every VM on it, without any authentication.  I’ve been told that this default is going to be changed in an upcoming patch, but until then this removes the threat.

# SSH Legal Message... (quoted, otherwise the shell expands the asterisks as file globs)
echo '' >> /etc/banner
echo '*************************************************************************' >> /etc/banner
echo '*   Legal banner if required                                            *' >> /etc/banner
echo '*************************************************************************' >> /etc/banner
echo '' >> /etc/banner
echo 'Banner /etc/banner' >> /etc/ssh/sshd_config

If you need a message displayed when a user connects, then this takes care of it; sshd shows the Banner file before authentication, which is what a legal notice needs.  Keep the lines quoted: an unquoted asterisk is a shell glob and would be replaced by the names of whatever files happen to be in the current directory.

# Create post config script
cat << \EOF > /etc/rc3.d/S99postconf
#!/bin/bash

# Allow hostd etc. some time to load
/bin/sleep 90

# Grant the group named esxadmin admin permission to ha-folder-root
/usr/bin/vmware-vim-cmd vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root esxadmin true Admin true

# Reset system to normal boot mode
echo “Removing automated post script.”
rm /etc/rc3.d/S99postconf
EOF
chmod +x /etc/rc3.d/S99postconf

This last section runs after the first reboot and gives the local esxadmin group “Administrator” privileges.  This allows the local accounts in the esxadmin group to log into the host directly with the vSphere GUI client.
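Once a host has been built this way (or retro-fitted), it is worth checking that it really ended up in the intended state, and checking again later for drift. The following is an added example and not part of the original script: a small shell audit that reads copies of /etc/group, /etc/sudoers, /etc/ssh/sshd_config and /etc/inittab from a directory tree you point it at, flags the things this post cares about (esxadmin group and its sudo rule present, no NOPASSWD entries, root login over SSH, the Ctrl-Alt-Del trap, the SSH banner) and returns the number of findings. The two sample trees are constructed in a temporary directory so it runs anywhere; on a real host you would run it as root with ROOT=/ so that it can read sudoers.

```shell
# Added example (not from the original post): audit the access model the
# kickstart sets up. Point ROOT at / on a live host (reading sudoers needs
# root); here two constructed directory trees stand in for real hosts.

# make_tree DIR PERMIT_ROOT_LOGIN CTRLALTDEL_LINE
# Builds a minimal copy of the files the kickstart touched (constructed data).
make_tree() {
    mkdir -p "$1/etc/ssh"
    printf 'root:x:0:\nesxadmin:x:5000:tom,dick,harry\n' > "$1/etc/group"
    printf '# Allow esxadmin group to sudo\n%%esxadmin ALL = (ALL) ALL\n' > "$1/etc/sudoers"
    printf 'Protocol 2\nPermitRootLogin %s\nBanner /etc/banner\n' "$2" > "$1/etc/ssh/sshd_config"
    printf 'id:3:initdefault:\n%s\n' "$3" > "$1/etc/inittab"
}

# audit_esx_access ROOT
# Prints one line per finding; the return value is the number of findings,
# so 0 means the host matches the intended model.
audit_esx_access() {
    root=$1
    findings=0
    sudoers="$root/etc/sudoers"
    sshd="$root/etc/ssh/sshd_config"

    # The esxadmin group must exist, or the useradd -G lines did nothing useful.
    if ! grep -q '^esxadmin:' "$root/etc/group"; then
        echo "MISSING: esxadmin group"; findings=$((findings + 1))
    fi

    # The group rule must be present, and nobody gets NOPASSWD.
    if ! grep -Eq '^%esxadmin[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL' "$sudoers"; then
        echo "MISSING: %esxadmin sudo rule"; findings=$((findings + 1))
    fi
    if grep -Eq '^[^#]*NOPASSWD' "$sudoers"; then
        echo "WEAK: NOPASSWD entry in sudoers"; findings=$((findings + 1))
    fi

    # sshd uses the first value of each keyword, so only the first line counts;
    # when the keyword is absent the OpenSSH default of this era is "yes".
    prl=$(awk '$1 == "PermitRootLogin" { print $2; exit }' "$sshd")
    if [ -z "$prl" ]; then prl=yes; fi
    if [ "$prl" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes (shared root password usable over SSH)"; findings=$((findings + 1))
    fi
    if ! awk '$1 == "Banner" { found = 1 } END { exit !found }' "$sshd"; then
        echo "MISSING: SSH Banner"; findings=$((findings + 1))
    fi

    # The ctrl-alt-del trap must be commented out.
    if grep -q '^ca::ctrlaltdel' "$root/etc/inittab"; then
        echo "WEAK: ctrl-alt-del on the console still reboots the host"; findings=$((findings + 1))
    fi

    return "$findings"
}

WORK=$(mktemp -d)
make_tree "$WORK/hardened" no  '# ca::ctrlaltdel:/sbin/shutdown -t3 -r now'
make_tree "$WORK/asbuilt"  yes 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now'

audit_esx_access "$WORK/hardened"; echo "hardened: $? finding(s)"
audit_esx_access "$WORK/asbuilt";  echo "as-built: $? finding(s)"
rm -rf "$WORK"
```

The "as-built" tree is what the script above produces if you keep the root-over-SSH section and skip the inittab fix; the audit reports both, which is exactly the trade-off described in the text. Because the function returns a count, it drops straight into a cron job or a monitoring check that alerts on a non-zero exit.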

What’s the end result?

Once all these steps are implemented, the users tom, dick and harry can log into their ESX server using their regular AD accounts and passwords.  They will be able to run commands that normally need root privileges using sudo, all without having to know the root password.  All the commands will be logged against their own user accounts, so everything is now auditable and a bit more SOX compliant.
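As an added example (not from the original post), here is the sort of report you can pull out of the service console’s /var/log/secure once sudo is in place: per user, how many commands were allowed, how many were refused or failed the password prompt, and how many of the allowed commands were themselves a shell (sudo bash, sudo su -), because after one of those the per-command audit trail stops. The log lines are constructed to match the format sudo writes through syslog on a RHEL-based service console; on a real host you would point it at /var/log/secure.

```shell
# Added example (not from the original post): summarise sudo activity per user.
# The log lines are constructed in the format sudo logs via syslog on a
# RHEL-based service console.

# write_sample_log FILE -> writes the constructed sample log to FILE
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 15 10:01:02 esx01 sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/esxcfg-vswitch -l
Mar 15 10:01:40 esx01 sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/service sshd restart
Mar 15 10:03:15 esx01 sudo:     dick : TTY=pts/1 ; PWD=/home/dick ; USER=root ; COMMAND=/bin/bash
Mar 15 10:05:22 esx01 sudo:    harry : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/harry ; USER=root ; COMMAND=/bin/su -
Mar 15 10:06:00 esx01 sudo:    harry : TTY=pts/2 ; PWD=/home/harry ; USER=root ; COMMAND=/usr/sbin/esxcfg-firewall -q
Mar 15 10:07:11 esx01 sshd[2211]: Accepted password for tom from 10.0.0.5 port 51022 ssh2
Mar 15 10:08:30 esx01 sudo:      bob : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
EOF
}

# sudo_report LOGFILE
# One line per user: commands allowed, how many of those were a shell or su,
# and refusals (wrong password, command not allowed, user not in sudoers).
sudo_report() {
    awk '
        $5 == "sudo:" {
            user = $6
            seen[user] = 1
            if ($0 ~ /incorrect password|command not allowed|NOT in sudoers/) {
                denied[user]++
                next
            }
            ok[user]++
            cmd = $0
            sub(/.*COMMAND=/, "", cmd)      # leaves e.g. "/sbin/service sshd restart"
            split(cmd, word, " ")
            # A shell or su: everything run inside it is invisible to sudo logging.
            if (word[1] ~ /\/(ba|c|tc|k)?sh$|\/su$/) shell[user]++
        }
        END {
            for (u in seen)
                printf "%s ok=%d shell=%d denied=%d\n", u, ok[u], shell[u], denied[u]
        }' "$1" | sort
}

LOG=$(mktemp)
write_sample_log "$LOG"
sudo_report "$LOG"
rm -f "$LOG"
```

The shell column is the one to watch. With %esxadmin ALL = (ALL) ALL, nothing stops a member running sudo su -, and from that point the log shows a single line rather than the commands that followed; if that matters to your auditors, the answer is to make the shell escapes visible in reports like this one rather than to try to blacklist them in sudoers, which is easily bypassed.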

New: esxtop precis

This precis is a handy little guide to using the premier vSphere performance tools – esxtop and vscsiStats.  These are some of the most useful tools in a VMware administrator’s arsenal, but as most people don’t need to use them daily, it can be difficult to remember what’s important.

The card was inspired by Duncan Epping’s fantastic post, highlighting what he regards as the more important fields, providing some thresholds, and what you might look at doing to resolve the problems.  esxtop provides so much potential information, it can be overwhelming trying to figure out what you should be looking for.  When Mr VMware says this is what he looks for, then you sit-up and take notice.

I’ve also added in a short guide to using vscsiStats.  This tool helps to identify performance issues specifically with your storage.  Most performance experts will tell you that storage issues lead to more performance problems than any other single bottleneck.

I’ve formatted this precis as credit card sized, so you can slip it into your wallet and always have it on you.  It would be great to print out on business cards (Duncan thinks I should make a batch for VMworld :) ), unfortunately business cards are different sizes the world over.  Hence the credit card size, as they are the same and it should fit in everyone’s wallet (or purse) nicely.

Anyone know where you can get credit card sized things nicely printed or laminated?

Head over to the esxtop page and grab yourself the latest version.