WilliamLam.com

Retrieving Information from a Distributed vSwitch

by // 30 Comments

There was a question on the VMTN community forums about retrieving the security policies: promiscuous, forged transmits and MAC Address change from a distributed vSwitch and distributed portgroup and I realized my getdvSwitchInfo.pl script that I wrote awhile back only included basic information about the dvSwitch.

I spent some time updating my vSphere SDK for Perl script to include additional information such as the high level summary, configuration of the dvSwitch, network resource pools, dvportgroups, hosts attached to dvSwitch and virtual machines attached to the dvSwitch. The script also includes information about many of the new features in vSphere 5.0 networking such as netflow, port mirror, LLDP, NIOC to just name a few. You can take a look at the What's New in vSphere 5 Networking whitepaper for more details.

The script allows for the following type of "list" operations: summary, config, networkpool, portgroup, host and vm. In addition, you can display all information by specifying the "all" operation and you can specify a specific dvSwitch by using the --dvswitch flag and providing the name of a dvSwitch.

Here is an example output for the list "summary" operation for all dvSwitches:

Here is an example output for the list "config" operation on a specific dvSwitch:

Here is an example output for the list "networkpool" operation on a specific dvSwitch:

Here is an example output for the list "portgroup" operation on a specific dvSwitch:

Here is an example output for the list "host" operation on a specific dvSwitch:

Here is an example output for the list "vm" operation on a specific dvSwitch:

Hopefully this script will be helpful if you need to quickly get information about your dvSwitches.

Identifying Idle vCenter Sessions

by // 4 Comments

I recently received a question on how to identify idle vCenter sessions that may stem from a non-active vSphere Client or vSphere API connection. Properly managing sessions to your vCenter Server is as important as knowing who is logging in. If you exhaust the maximum number of connections, you can easily deny login access to other users and/or services that are needed to connect to vCenter Server which can lead to very bad things. In the worse case, you can even prevent administrators from logging into a new session to help terminate any stale/idle connections.

The vSphere API provides a sessionManagement manager to help you manage all sessions, including checking whether a session is still active and terminating a session. I wrote a quick vSphere SDK for Perl script called sessionManagement.pl which allows you to list all sessions for a given vCenter and terminating a a specific session. Every session has a unique sessionKey that the vCenter Server uses to track and it provides information such username, login time and last active which can be used to create an unattended script to automatically terminate sessions that have gone beyond a certain threshold.

Here is an example script output of performing the "list" operation:

Note: There maybe vCenter Plugins/Extensions that creates sessions such as CapacityIQ, those will be denoted by "vCenter Ext Session" field. These should not be terminated as it can negatively impact 3rd party applications.

Here is an example script output of terminating a specific session using the "disconnect" operation which you will need to specify sessionkey provided in the previous command:

For those of you that are interested in creating your own script to terminate idle sessions, you can use the DateTime Perl module to help with calculating the amount of idle time and comparing that to a pre-defined timeout value.

Ghetto webAccess for ESXi

by // 14 Comments

I got the idea for this post a few months back after noticing several questions on the VMTN forums on how to enable webAccess for ESXi. With ESXi, the webAccess interface is no longer available as it was with classic ESX. After seeing the question and randomly browsing through the various flings on VMware Labs, I noticed an interesting fling called Ops Panel for ESX. Ops Panel provides a simple javascript that leverages the vSphere MOB to perform basic power operations for virtual machines and it is loaded onto the homepage of a classic ESX host remotely using Greasemonkey.

I immediately wondered if I could run the javascript directly on an ESX or ESXi host without the use of Greasemonkey. With a quick tweak of the default index.html homepage, I was able to get a simple "ghetto" webAccess running on both an ESX and ESXi host. I also ran into several bugs, one that dealt with how the power state of a virtual machines was being captured by the differences in the ESX(i) 4.0, 4.1 and 5.0 APIs and a recent fix to a CSRF (Cross-Site Request Forgery) vulnerability in ESX(i) 4.1 Update 1 that made it difficult to get Ops Panel running on more than just ESX(i) 4.0.

I reached out to the fling creator Ivan Donchev and he was kind enough to help assist me in the issues I ran into and also provided an updated version of his script to properly handle both the power state and the CSRF workaround. He recently published an update to his script a few weeks back supporting both ESX 4 and ESXi 5 but missed ESX(i) 4.1 support due to limited amount of testing. This was an easy fix and I modified the script to include support for ESX(i) 4.1 and also changed the default power off operation to a guestOS shutdown. The modified version of the script can be downloaded here.

When you browse to the homepage of your ESX(i) host using the browser, you will be prompted to login which require the same credentials as if you were to login to the host directly using the vSphere Client or vSphere MOB.

Once you have logged in, it will search for all virtual machines running on the host and generate the list of virtual machines and their respective power states.

You can then perform the appropriate power operation such as a power on, shutdown or suspend using the icons on the right. This can be really useful if you don't have access to vCenter Server, vSphere Client or SSH access to the host but just have a web browser.

To load the Ops Panel script on an ESX(i) host, you will need to do the following:

Note: These instructions are applicable for both ESX and ESXi, but with ESXi, it is important that the commands to copy both the modified index.html and Ops Panel script to docroot are executed as changes are not persisted after a reboot for ESXi hosts.

You can also add this to your kickstart file by appending the lines above in your %firstboot stanza so you automatically get Ops Panel after install. Though this will not give you a full webAccess that classic ESX did but it definitely is a useful way to quickly get to your virtual machines and perform simple power operations using a web browser.