Search Results for: kickstart

How to Create Custom Firewall Rules in ESXi 5.0

07.18.2011 by William Lam // 29 Comments

In ESXi 5.0, the firewall system has been completely revamped to provide the same functionality as the classic ESX Service Console esxcfg-firewall command. To access the firewall configurations, you can use the following esxcli namespace: esxcli network firewall. By default, there are set of predefined services that a user can enable or disable upon startup.

To list the default firewall rules, you can run the following command:

esxcli network firewall ruleset list

You can also create your own custom firewall rules/services, but unfortunately this has to go outside of the esxcli framework with a custom firewall rule configuration file. An example firewall rule can be viewed under /etc/vmware/firewall/ if you have FDM enabled and you should find a file called fdm.xml which looks a little something like this:
This XML configuration file describes the name of the firewall rule/service and also specifies the various ports, port type, protocol and direction of a given service.

In the following example, I will create a new firewall rule called "virtuallyGhetto" and it will have port 1337 using TCP for both inbound/outbound and port 20120 using UDP for both inbound/oubound. You will need to create a new XML file and specify a name which I have called /etc/vmware/firewall/virtuallyGhetto.xml

<ConfigRoot>
  <service>
    <id>virtuallyGhetto</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1337</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1337</port>
    </rule>
    <rule id='0002'>
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20201</port>
    </rule>
    <rule id='0003'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20201</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Next we will need to reload the firewall by performing a "refresh" operation and then list the rules again using the following command:

esxcli network firewall refresh
esxcli network firewall ruleset list

We can also verify that the individual rulesets for our new firewall rule/service by running the following command and grepping for the rule in question:

esxcli network firewall ruleset rule list | grep virtuallyGhetto

The new ESXi firewall also allows you to specify specific IP Address or IP ranges to access a particular service. In the following example I disable the "allow all" and specify a particular range for the virtuallyGhetto service using the following commands:

esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto

The new firewall rules/services are also viewable under the host configuration section "Security Profile" using the vSphere Client:

As you can see it is pretty straight forward to add your own firewall rules and this can easily be incorporated into your kickstart builds.

UPDATE1: How to persist custom firewall rules in ESXi 5, take a look at these two articles here and here.

UPDATE2: Duncan Epping just posted an article on creating your own vibs which will persist firewall rules, definitely take a look as another option.

UPDATE3: You can now easily create persistent firewall rules and other files using the new VIB Author Fling, please take a look at this article here for some examples.

SSH Keys & Lockdown Mode Caveat in ESXi 5

07.17.2011 by William Lam // 6 Comments

Hopefully everyone is familiar with ESXi's Lockdown Mode and what it means from a security standpoint. Here is a table of the behavior between normal and Lockdown Mode:

In ESXi 5, the use of SSH keys is officially supported without having to manually create any hacks to preserve .ssh directory as you did with prior releases of ESXi. If you use Lockdown Mode, there is an additional caveat to be aware of in which the use of SSH keys is able to by-pass the Lockdown Mode configuration for an ESXi 5 host.

Here is a quick example demonstrating the process from VMware's VCVA (vCenter Virtual Appliance):

Step 1 - Create SSH keys

vcenter50-1:~ # ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a1:8c:24:60:0e:fe:9a:cf:4a:35:17:d6:89:ba:08:9d root@vcenter50-1
The key's randomart image is:
+--[ DSA 1024]----+
|o. |
|=. o . |
| o. .+ o. |
| ..+oo.. . |
|. E=..o S |
|. = + |
| = . |
|. o |
| ..o |
+-----------------+

Step 2 - Copy SSH public keys over to destination ESXi 5 host into the authorized file under /etc/ssh/keys-root/authorized_keys

vcenter50-1:~ # scp .ssh/id_dsa.pub root@vesxi50-4:/etc/ssh/keys-root/authorized_keys
Password:
id_dsa.pub 100% 606 0.6KB/s 00:00

Step 3 - Enable Lockdown Mode via vCenter

Step 4 - SSH into locked down ESXi 5 host utilizing SSH keys

By default the support of SSH is enabled, you will need to manually disable it to ensure that you are fully lockdown when you choose to enable Lockdown Mode. To disable SSH key support, you just need to comment the following line in /etc/ssh/sshd_config

# AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

The change takes effect right away and you do not need to restart the SSH daemon.

If you are interested in automatically disabling the use of SSH keys or you would like to copy an existing SSH key into your ESXi 5 host via kickstart, take a look at Automating ESXi 5.x Kickstart Tips & Tricks for more details.

Major Enhancements in esxcli for vSphere 5

07.14.2011 by William Lam // 10 Comments

esxcli in vSphere 5 has undergone significant updates compared to version in vSphere 4.1 which only had 6 major namespaces and 43 commands.

Namespace	Description
corestorage	VMware core storage commands
network	VMware networking commands
nmp	VMware Native Multipath Plugin (NMP) This is the VMware default implementation of the Pluggable Storage Architecture
swiscsi	VMware iSCSI commands
vaai	Vaai Namespace containing vaai code
vms	Limited Operations on Virtual Machines

With latest vSphere 5 release, esxcli now includes a total of 10 namespaces and 251 commands! You will notice some of the updated namespaces from vSphere 4.1, such as corestorage which is under the namespace storage and it also contains other sub-namespaces dealing with the storage stack.

Namespace	Description
esxcli	Commands that operate on the esxcli system itself allowing users to get additional information
fcoe	VMware FCOE commands
hardware	VMKernel hardware properties and commands for configuring hardware
iscsi	VMware iSCSI commands
license	Operations pertaining to the licensing of vmware and third party modules on the ESX host. These operations currently only include updating third party module licenses
network	Operations that pertain to the maintenance of networking on an ESX host. This includes a wide variety of commands to manipulate virtual networking components (vswitch, portgroup, etc) as well as local host IP, DNS and general hsot networking settings
software	Manage the ESXi software image and packages
storage	VMware storage commands
system	VMKernel system properties and commands for configuring properties of the kernel core system
vm	A small number of operations that allow a user to Control Virtual Machine operations

To get a complete list of the available esxcli commands in vSphere 5, you can run the following:

esxcli esxcli command list

The goal of esxcli is to provide a centralize, consistent and easy way of accessing and managing your ESXi host from both locally within ESXi Shell or remotely using vCLI and/or vMA. With the release of 5.0, the majority of the legacy esxcfg-*/vicfg-* commands have been migrated over to esxcli. At some point, hopefully not in the distant future, esxcli will be parity complete and the esxcfg-*/vicfg-* commands will be completely deprecated and removed including the esxupdate/vihostupdate utilities.

There are still several types of operations that require tools in addition to esxcli such as configuring licenses for standalone host, enabling/disabling local and remote ESXi Shell, enabling/disabling Fault Tolerance & vMotion traffic types just to name a few. For more details on some of the common operations that you may need to perform using both esxcli and other utilities, take a look at my ESXi 5 kickstart tip and tricks post.

The new remote version of esxcli is compatible with both ESXi 5 and ESX(i) 4.1 hosts. Due to the nature of the framework, the capabilities are located on the host and when you initially connect, it will automatically down the available namespaces that can be supported. The new namespaces in ESXi 5 will not be available on 4.1 but the old 4.1 namespaces will be. In the latest release, there are still no vSphere APIs exposed for esxcli, they are all still hidden. To access esxcli, you will need to either use local esxcli, remote esxcli using vCLI and/or vMA or PowerCLI's esxcli cmdlets.

The syntax of esxcli is very simple to understand:

To get more details on a namespace, you just need to specify the --help option after the namespace selection. In this diagram, we are accessing "network" namespace and we can see there are 5 additional namespaces we can access.

Let's say we're interested in the "firewall" and would like to know more, we can again specify --help option again.

Now we have a set of commands, let's go ahead and run the "get" command

As you might have guessed, the "get" command will get the network firewall status. The actual commands are pretty intuitive and you will find that most esxcli namespaces will support get, set and list operations. The other nice thing about esxcli is that the output is consistent whether you are running this locally on ESXi Shell or remotely using vCLI and/or vMA, which makes scripting extremely simple.

Note: With remote esxcli, you will need to specify the ESX(i) host and credentials to login to as it is going through the APIs.

You also have the ability to control the type of output that is generated whether that is xml, csv or keyvalue. To do so, you can specify --formatter option and specify one of those options. The xml and keyvalue pair works across all namespaces and csv works on majority of the namespaces.

Let's go ahead and run the same command as above but output it in keyvalue pair

~ # esxcli --formatter=keyvalue network firewall get
Firewall.DefaultAction.string=DROP
Firewall.Enabled.boolean=false
Firewall.Loaded.boolean=true

In addition to type of format output, you can also display specific columns of information using --format-param, this is useful in-conjunction with csv output.

Here is an example of listing the standard vSwitches without any formatting:

~ # esxcli network vswitch standard list
vSwitch0
Name: vSwitch0
Class: etherswitch
Num Ports: 128
Used Ports: 6
Configured Ports: 128
MTU: 1500
CDP Status: listen
Beacon Enabled: false
Beacon Interval: 1
Beacon Threshold: 3
Beacon Required By:
Uplinks: vmnic1, vmnic0
Portgroups: ESXSecretAgentNetwork, VM Network, vmk2, vmk1, Management Network
vSwitch1
Name: vSwitch1
Class: etherswitch
Num Ports: 128
Used Ports: 3
Configured Ports: 128
MTU: 1500
CDP Status: listen
Beacon Enabled: false
Beacon Interval: 1
Beacon Threshold: 3
Beacon Required By:
Uplinks: vmnic2
Portgroups: VMkernel

Here is the same example, but now only displaying Name, Num of Ports, MTU, CDP and Portgroups using the formatter and format-param options:

~ # esxcli --formatter=csv --format-param=fields="Name,Num Ports,MTU,CDP,Portgroups" network vswitch standard list
Name,NumPorts,MTU,Portgroups,
vSwitch0,128,1500,"ESXSecretAgentNetwork,VM Network,vmk2,vmk1,Management Network,",
vSwitch1,128,1500,"VMkernel,",

If you like to learn more about esxcli, you can take a look at the What's New in vSphere 5 Platform whitepaper. I would also highly encourage you to play with the new esxcli and see what the new capabilities are. Also, when the vSphere 5 documentation is released, a must read document is the Command-Line Management in vSphere 5.0 for Service Console Users which goes into detail about the specific esxcli commands to use in replacement of the esxcfg-*/vicfg-* commands.

Note: Hopefully it was okay to borrow some of these esxcli slides from VMware, I made some slight modifications. The diagrams are a great way to explain how esxcli namespaces work.