WilliamLam.com

VMware Community Homelabs Project

by // 2 Comments

On a weekly basis, I easily get at least half a dozen inquires ranging from our customers, partners and even internal VMware employees on the topic of VMware Homelabs. The most common requests I receive is whether hardware X will work and whether I have tried it to recommended known build-of-materials (BOM). Funny enough, just last week I was asked to review our CTO's (Greg Lavender) BOM as he was also interested in building his own personal VMware homelab which goes to show just how popular this topic really is 😊

Although I have written a TON of content regarding VMware Homelabs, I definitely can not cover every single permutation. Having seen so many awesome VMware Homelabs over the years from the VMware Community, why not leverage the power of our community to crowdsource all the different homelab configurations into a single location which can then be shared with the rest of the community? This idea was kicked off about two weeks ago and I have put together a simple Google Form which you can find the link below to submit your information.

Submit VMware Community Homelab: https://www.williamlam.com/homelab

As of writing this blog post today, I have received a total of 48 valid submissions (there were a handful that had invalid URLs and/or did not follow directions and published a publicly accessible URL to their homelab BOM which I had to remove from the submission). The submissions have been pretty interesting to see and just how different each homelab is, especially from a cost perspective ranging from $800 up to $150,000 🤯At that price, this is a full blown datacenter and I am sure folks have an ideas on who owns those labs (hint, its not me 😉). I want to thank everyone who has submitted to the project and help get the word out, hopefully we will see even more submissions in 2020! The results have been pretty interesting and it is great to see how different each homelab is, especially on the price 

For now, you can view the complete results in the short URL below and periodically I will process any additional submissions and publish them to the Github repo.

VMware Community Homelab Results: http://vmwa.re/homelab

How to exclude VCSA UI/CLI Installer from MacOS Catalina Security Gatekeeper?

by // 9 Comments

A couple of weeks ago I had upgraded my personal home computer to the latest MacOS Catalina (10.15) and one of the first issues I ran into was being able to access my vCenter Server. It turned out this was due to changes to MacOS security (which is a good thing) but certainly caught me and others off guard. In fact, I spent quite some time searching online and eventually found this workaround here.

After sharing this tidbit online (which several others also ran into) I came to learn that both Duncan Epping blogged about this issue back in Nov 2019 here and Christian Mohn blogged about this in Dec 2019 here. Sadly I did not come across either of their blogs using "NET::ERR_CERT_REVOKED macos catalina" in Google. I had assumed this was a Chrome issue and simply landed on the first few links and looking back, I now see Duncan's blog was #6 in the search results (doh!)

Today, I ran into another issue when attempting to use the VCSA CLI Installer, the following error was thrown:

“vcsa-deploy.bin” cannot be opened because the developer cannot be verified


This is again due to a security change in MacOS Catalina which now prevents terminal-based applications which are not notarized from running. For a single application/binary, you can go into System Preferences->Security & Privacy and allow anyway. For more complex applications like the VCSA CLI Installer which has a number of libraries and scripts, this will take awhile and end up frustrating end users. The updated security enhancement is actually a good thing and I did not want to disable the Gatekeeper service but I was interested in disabling it for the VCSA CLI Installer. While searching online, I came across this Hashicorp Terraform thread where folks were having the exact same issue and I found out there was a way to disable the MacOS Security Gatekeeper for a specific application.

To do so, we just need to recursively remove the metadata attribute "com.apple.quarantine" for the extracted VCSA ISO by running the following command:

sudo xattr -r -d com.apple.quarantine VMware-VCSA-all-6.7.0-Update-15132721

After the quarantine attribute has been removed, you can now run the VCSA CLI Installer (including UI Installer) without being prompted with an error. Hopefully VMware will consider notarizing future releases of the VCSA Installer and I will be sharing this feedback internally if it has not already.

Using PowerCLI to automate the retrieval of VCSA Password Policies

by // Leave a Comment

I hope that every vSphere administrator or operator by now is familiar with the extremely powerful vSphere Guest Operations API functionality (details here and here), which can easily be consumed using PowerCLI's Invoke-VMScript cmdlet. If not, highly recommend you check out the links referenced. I know the GuestOps API is certainly my top favorite with sending VM keystrokes capability a very close second!

Not only does the GuestOps API unlock functionality that simply may not be possible (e.g. there's no API or automation interface) but it also enables automation within a VM without requiring any type of remote management services enabled (e.g. SSH or WinRM) or even networking to the VM for that matter!

The reason I am bringing all this up is that although there is not an API for managing and retrieving vCenter Single Sign-On (SSO) configurations which includes password policies, there is a way in which customers can still automate and retrieve this and other information by leveraging the GuestOps API. In fact, back in 2015 I demonstrated on how you can retrieve VCSA SSO password policy and configurations and we can simply apply the GuestOps API to help us automate this task. In addition, most customers do not enable SSH by default and we can still apply the GuestOps API technique and perform automation tasks to VSCSA without requiring SSH as described in this blog post back in 2016.

[Read more...]