WilliamLam.com


Using the New vCloud Networking and Security to Load Balance Multiple vSphere Web Client Servers

10.16.2012 by William Lam // 1 Comment

In my previous two articles, Configuring Additional Windows vSphere Web Client 5.1 Servers and Configuring Additional VCSA 5.1 as vSphere Web Client Servers, I demonstrated how easy it is to add additional vSphere Web Client Servers to provide additional connection load balancing as well as redundancy in accessing your vSphere 5.1 environment. The next logical step is to actually place a load balancer in front of all the vSphere Client Servers to provide a single entry point for users to connect to.

I did a quick search for some load balancer solutions for testing, but found that they were quite complex and non-intuitive to set up. Since this was for my home lab, I decided to try out the new vCloud Networking & Security 5.1 (previously known as vShield). This being my first time setting up a load balancer (usually a task given to Network Engineers), I was pleasantly surprised and shocked at how easy it was to deploy and configure a load balancer using the new vCloud Networking and Security. Instead of going through this step by step, I thought I would record a quick video.

The video below shows how you can leverage the new vCloud Networking & Security 5.1 to deploy and configure a Load Balancer to load balance multiple vSphere Web Client Servers.

If you have not tried out the new vCloud Networking and Security, I highly recommend you give it a try, especially with all the new network and security features in the latest 5.1 release.

Categories // vSphere Web Client Tags // load balancer, vcloud networking and security, vcns, vshield, vSphere 5.1, vsphere web client

Adding Non-Supported ESXi Builds to VIN (vSphere Infrastructure Navigator)

10.15.2012 by William Lam // 4 Comments

I was recently asked whether it was possible to add a non-supported ESXi host into VIN (vSphere Infrastructure Navigator). The reason for this request is that if you are running an ESX(i) build which is not on the list of supported builds, VIN will fail to discover virtual machines on that host. You may see the following error: "Access failed. Unsupported ESX version".

The latest release of VIN 1.2 supports the following ESX(i) builds:

    • ESX/ESXi 3.5 (builds 425420, 408533, and 409724)
    • ESX/ESXi 4.0 (builds 398348, 403553, and 403554)
    • ESX/ESXi 4.1 (builds 433742, 433803, and 433804)
    • and all builds of ESXi 5.x.

If you happen to be running an ESX(i) build which is not listed but the build number is greater than the ones shown above, then there is a workaround. You can add the non-supported ESX(i) build into VIN's whitelist which would allow VIN to discover the virtual machines. In the example below I will be adding an ESXi 4.1 Update 3 Build 800380 which is not listed as a supported build.

Disclaimer: ESX(i) hosts with build numbers that are smaller than the ones listed may still be added, but this will most likely not be supported as the list of default build numbers is the minimum requirement. Please thoroughly test this in a lab environment before applying to your production environment.

You will need SSH access to your VIN appliance. Before we get started, we will quickly verify the list of supported ESX(i) build versions by querying the VIN database (I was able to find the details in /var/log/vadm/dbconfig.log). Run the following command, which will connect to the VIN Postgres DB:

psql -h 127.0.0.1 -U vadm -d inception

The password for the database is vadm

Next, we will run the following SQL query to display the list of supported ESX(i) build numbers which should match the release notes. Run the following command:

select * from valid_host_build;

As you can see from the screenshot, the ESX(i) build numbers match those listed in the VIN 1.2 release notes. We can also see that a wildcard is a valid input value for ESXi 5.x, which denotes that any build of 5.x is supported, as noted in the release notes.

To add a non-supported ESXi build number into VIN's DB, we will be using the following script /opt/vadm-engine/set_valid_host_versions.sh which is located in the VIN appliance.

Note: You do not need to stop or restart the VIN service to run the command.

The script accepts a very simple XML file that contains the list of supported ESX(i) build numbers and it is very IMPORTANT to note that this will override the original defaults. This is part of the reason we performed a query to the VIN DB to ensure we have a copy of the original build numbers as a reference.

To add our additional ESXi build number, we will need to construct an XML file containing both the original build numbers as well as our non-supported build. In this example, I created a file called myHostVersion.xml (based on the original DB data) which contains the following:

Next we will pass in our XML input file to the set_valid_host_versions.sh script. Here is a screenshot of what that looks like after the operation has been successfully completed:

If we log back into the VIN DB and query the list of supported ESX(i) builds, we should be able to see our new build number that we inserted into the DB along with the original defaults:

During the next automatic discovery cycle, VIN should now be able to discover virtual machines running on the ESXi host that was not supported earlier.

Categories // Uncategorized Tags // ESX, ESXi, infrastructure navigator, unsupported, vIN, vSphere

Changing VCSA Failed Login Attempt & Lock Out Period

10.05.2012 by William Lam // 2 Comments

I was going through my twitter-feed this morning and came across an interesting article by @herseyc Locked out of the vCenter Server Virtual Appliance. I recommend you give Hersey's article a read as it contains some very useful information about failed login attempts to the VCSA (vCenter Server Appliance).

There was a question posed at the end of the article on how to increase the number of login attempts before an account would be locked out. The answer is to simply modify one of the PAM modules on the VCSA, specifically /etc/pam.d/common-auth

The system default for login attempts before locking out an account is 3 and you can modify this by changing the following line, where X is the number of attempts:

auth    requisite       pam_tally.so deny=X

You also have the option of specifying an "unlock" time which will lock the account for the specified period of time after reaching the max failed login attempts. This can be useful if you do not want to manually reset a user account due to a user fat fingering a password. For more details about these parameters, you can search on Google or refer to this article.

Note: The login attempts here are specific to the OS system login on the VCSA (5.0 & 5.1) and not vCenter Server. If you successfully log in before hitting the maximum attempts, the tally will automatically reset back to 0.
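
To confirm what an edited file will actually enforce, the following added example (not from the original article) reads a PAM auth file and reports the pam_tally deny and unlock_time values from the first active pam_tally.so line. The function names and the sample file content are constructed for illustration; unlock_time is given in seconds.

```shell
#!/bin/sh
# Added example: summarise the pam_tally lockout settings found in a PAM
# auth file such as /etc/pam.d/common-auth. Assumes one pam_tally.so line.

# tally_opt FILE OPTION
# Print OPTION's value from the first active "auth ... pam_tally.so" line.
tally_opt() {
    awk -v opt="$2" '
        $1 ~ /^#/ { next }                        # commented-out line
        $1 == "auth" && $0 ~ /pam_tally\.so/ {
            for (i = 2; i <= NF; i++) {
                eq = index($i, "=")
                if (eq && substr($i, 1, eq - 1) == opt) {
                    print substr($i, eq + 1)
                    break
                }
            }
            exit                                  # only the first match counts
        }' "$1"
}

# lockout_summary FILE
# Prints "deny=<n> unlock_time=<n|unset>"; returns 1 when no active
# pam_tally line carries a numeric deny value.
lockout_summary() {
    deny=$(tally_opt "$1" deny)
    unlock=$(tally_opt "$1" unlock_time)
    case "$deny" in
        ''|*[!0-9]*) echo "no numeric pam_tally deny value in $1"; return 1 ;;
    esac
    case "$unlock" in
        ''|*[!0-9]*) unlock=unset ;;   # locked accounts need a manual reset
    esac
    echo "deny=$deny unlock_time=$unlock"
}

# Constructed sample standing in for /etc/pam.d/common-auth.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# auth  requisite       pam_tally.so deny=10
auth    requisite       pam_tally.so deny=5 unlock_time=900
auth    required        pam_unix.so
EOF
lockout_summary "$sample"
rm -f "$sample"
```

On the appliance, call `lockout_summary /etc/pam.d/common-auth` after saving the change to check that the values read back as intended.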

In vSphere 5.1, with the use of vCenter SSO, you now have an easy way of controlling password and lock out policy using the new vSphere Web Client. Here is a screenshot of where the configurations are located:

Note: These policies only pertain to identity sources connected to vCenter SSO and not OS system logins.

Categories // Uncategorized Tags // appliance, lockout, login, pam, VCSA, vcva, vSphere 5.0, vSphere 5.1
