WilliamLam.com

Dynamic ESXi firewall rulset for non-standard syslog ports in vSphere 8.0 Update 2b

03.21.2024 by William Lam // 5 Comments

For most users who configure syslog for their ESXi hosts (hopefully everyone is doing that for audit, compliance and troubleshooting purposes), they typically stick with the default syslog ports 514 for UDP/TCP or 1514 for TLS.

A huge benefit of using the default syslog ports is that the ESXi firewall is already configured with these rulesets configured for outbound access.

If you require to use a non-standard syslog port for ESXi, the current solution was not ideal. While you can open up a custom port using the ESXi firewall, the issue is persisting that customization, which either requires a custom VIB or messing around with local.sh startup script.

A nice enhancement that is included with the recent release of vSphere 8.0 Update 2b is the support for a dynamic ESXi ruleset when non-standard syslog ports is configured.

As you can see in the example below when I configure my ESXi host to use a syslog server with a custom port 12345, the ESXi will automatically create a dynamic firewall ruleset that will open up that port for outbound connectivity. If you change the port or disable the syslog configuration, then the dynamic ruleset will be updated and/or removed.

Custom ESXi "Dummy" Reboot VIB for vSphere Lifecycle Manager (vLCM)

03.19.2024 by William Lam // 2 Comments

A few weeks back, I had a request from one of our Technical Adoption Managers (TAM) that their customer wanted to create a custom ESXi VIB that could be used with vSphere Lifecycle Manager (vLCM) and would only require the ESXi host to reboot as part of the remediation.

This might sound like a strange request but I suspect the customer was either building out some automation for vLCM or simply getting more hands on with vLCM without applying any changes, which is great because its predecessor, vSphere Update Manager (VUM) will be removed in a future major release of vSphere.

While the customer was able to create a custom VIB by following the instructions in my recent blog post for building a custom VIB for ESXi 8.x, I did noticed that their descriptor.xml did not properly set the live-install-allowed and live-remove-allowed options which controls whether an ESXi host should reboot after installing and removing a VIB from the host respectively.

Since vLCM only works with offline bundles, we actually need to create an offline bundle with our custom ESXi VIB that vLCM can import. To further complicate things, starting with vSphere 7.x, a proper offline bundle that can be imported into vLCM requires the use of components rather than bulletins, which is what VUM previously had used.

With the assistance of the vLCM Engineering team, I was able to create my own "Dummy" ESXi VIB/Offline Bundle that is compatible with both vSphere 7.x and 8.x, which can be used directly by a standalone ESXi host via ESXCLI or imported and lifecycle using vLCM.

[Read more...]

Automated VMware Cloud Foundation (VCF) host commission using ESXi Kickstart

03.18.2024 by William Lam // 1 Comment

ESXi Scripted Installation (Kickstart) has been my go-to method for achieving zero-touch provisioning of ESXi hosts at scale, which I had started using back in the ESX 2.5 days when I was a customer! Having worked at some very larger enterprises, I got the opportunity to experience and manage a variety of environments for automated ESXi provisioning.

For more than a decade, I have written hundreds of articles about ESXi kickstart and how it can help solve a variety of use cases stemming from my own background to some of the unique requirements that have come up from some of our largest VMware customers. To date, some of my favorite ESXi kickstart solutions includes my 2014 blog post in automating VM deployments using a USB device which became the basis for my USB to SDDC project in 2017.

While playing with the latest VMware Cloud Foundation (VCF) 5.1 Holodeck release (currently in Beta), I was thinking about the current VCF host commissioning workflow, which is a multi-step process after an ESXi host has been provisioned where you need to manually (or using automation) to add the hosts to SDDC Manager before they can be consumed for either expanding and/or deploying a new workload domain.

I thought, why could we not just skip this step all together and that was when I had the idea of just incorporating the VCF host commissioning workflow automatically as part of an ESXi Kickstart installation! 😀

[Read more...]