WilliamLam.com


Quick Tip - Retrieving the vSAN Rekey Interval using PowerCLI

07.26.2023 by William Lam // Leave a Comment

Since the release of vSAN 6.5.1, the PowerCLI team has introduced a number of high level vSAN cmdlets (current list HERE) that can be used to automate a variety of tasks. While the existing vSAN cmdlets are quite extensive and continue to get updated with new functionality, they will never be able to cover the rich set of functionality that is provided by vSAN.

For functionality that is not available in the high level vSAN cmdlets, users can still perform the task using PowerCLI, but they will need to directly access the underlying API, in this case the vSAN Management API.

Note: This concept also applies to other high level PowerCLI cmdlets. If you are unable to locate the functionality, then most likely you will need to interrogate the API using PowerCLI.


In the case of retrieving the vSAN Data-in-transit encryption rekey interval, which is not available in the high level Get-VsanClusterConfiguration cmdlet, we can easily retrieve it with the following PowerCLI snippet:

[Read more...]

Categories // Automation, PowerCLI, VSAN Tags // PowerCLI, rekey, VSAN

Creating a custom VIB for ESXi 8.x

07.25.2023 by William Lam // 21 Comments

Back in 2012, a VMware Fling called VIB Author was released, which allowed users to create their own custom vSphere Infrastructure Bundles (VIB). These would typically include configuration changes that were not possible when using the vSphere API, such as enabling custom ESXi firewall ports or even bundling up custom utilities that could run within the ESXi Shell.

The VIB Author tool was eventually deprecated and removed due to the lack of support from Engineering; after all, it was released as a Fling. While the need for opening non-standard ESXi firewall ports has greatly improved over the years, with the majority of 2nd and 3rd party solutions simply incorporating that into their solution offering, there are still use cases that require a custom VIB.

Even with the VIB Author Fling being deprecated, many in the community were still able to construct custom VIBs which were still compatible with later ESXi 5.x to 7.x releases. In fact, I even use the VIB Author to make it easier to distribute and install the popular ghettoVCB solution, which can be installed using either a VIB or an Offline Bundle, another format the VIB Author tool supports creating.

[Read more...]

Categories // Automation, ESXi, vSphere 8.0 Tags // ESXi 8.0, vib

Configuring TLS Cipher Suites in ESXi 8.0 Update 1

07.20.2023 by William Lam // 1 Comment

For organizations that mandate specific TLS cipher suites for compliance purposes, you may have used the instructions outlined in VMware KB 79476 to modify the ESXi Reverse Proxy Configuration File to select the desired supported TLS cipher suites prior to ESXi 8.0 Update 1.

As of ESXi 8.0 Update 1, all configurations, including configuration files, have been migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1; you can learn more about it HERE and HERE. Additionally, I recently came to learn from one of our customers, who had inquired about changing the TLS cipher suites for ESXi, that as of vSphere 8.0 Update 1, ESXi now runs two reverse proxies: rhttpproxy and Envoy. Port 443 is now owned by the Envoy service, which is a popular and lightweight solution for reverse proxy usage.

The implication of this change is that modifying the TLS cipher suites for ESXi as of 8.0 Update 1 now requires the use of the ESXi Configuration Store. With Envoy as the reverse proxy, it is also helpful to understand that the TLS cipher suites that can be supported are based on Google's BoringSSL TLS implementation, which Envoy itself consumes.

[Read more...]

Categories // Automation, ESXi, Security Tags // Cipher Suite, envoy, ESXi 8.0 Update 1, TLS, TLS 1.2



Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
