WilliamLam.com

KMIP Server Docker Container for evaluating VM Encryption in vSphere 6.5

by // 10 Comments

There are a number of vSphere Security enhancements that were introduced in vSphere 6.5 including the much anticipated VM Encryption feature. To be able to use the new VM Encryption feature, you will need to first setup a Key Management Interoperability Protocol (KMIP) Server if you do not already have one and associate it with your vCenter Server. There are plenty of 3rd party vendors who provide KMIP solutions that interoperate with the new VM Encryption feature, but it usually can take some time to get access to product evaluations.

During the vSphere Beta, VMware had provided a sample KMIP Server Virtual Appliance based on PyKMIP, which allowed customers to quickly try out the new VM Encryption feature. Many of you have expressed interest in getting access to this appliance for quick evaluational purposes and the team is currently working on providing an updated version of the appliance for customers to access. In the mean time, for those who can not wait for the appliance or would like an alternative way of quickly standing up a sample KMIP Server, I have created a tiny (163 MB) Docker Container which can be easily spun up to provide the KMIP services. I haver published the Docker Container on Docker Hub at lamw/vmwkmip. The beauty of the Docker Container is you do not need to deploy another VM and for resource constrained lab environments or quick demo purposes, you could even run it directly on the vCenter Server Appliance (VCSA) as shown here, obviously not recommended for production use.

The Docker Container bundles the exact same version of PyKMIP that will be included in the virtual appliance, this is just another consumption mechanism. It is also very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption, you should be leveraging a production grade KMIP Server as PyKMIP stores the encryption keys in memory and will be lost upon a restart. This will also be true even for the virtual appliance, so this is really for quick evaluational purposes.

UPDATE (10/08/22) - The KMIP Docker Container is now available for both x86 and Arm platforms. Simply run docker pull lamw/vmwkmip and the correct architecture will automatically be downloaded.

Note: The version of PyKMIP is a modified version and VMware plans to re-contribute their changes back to the PyKMIP open-source project so others can also benefit.

Below are the instructions on using the KMIP Server Docker Container and how to configure it with your vCenter Server. I will assume you have worked with Docker before, if you have not, please have a look at Docker online resources before continue further or wait for the virtual appliance to be posted.

[Read more...]

VCSA 6.5 CLI Installer now supports new ovftool argument pass-through feature

by // 2 Comments

I had recently discovered a really cool new feature that has been added into the vCenter Server Appliance (VCSA) 6.5 CLI Installer while helping out a fellow colleague. For those of you who have not worked with the VCSA before, you can deploy it using one of two methods: 1) Guided UI Installer 2) Scripted CLI installer. The latter approach is great for Automation purposes as well as being able to quickly spin up a new VCSA as the UI wizard can get tedious once you have done it a few times. The VCSA CLI Installer reads in a JSON configuration file which defines what you will be deploying whether that is an Embedded, PSC or VC node and its respective configuration (networking, password, etc).

In VCSA 6.5, the CLI Installer introduces a new option in the JSON schema called ovftool.arguments. Here is the description of what this new option provides:

Use this subsection to add arbitrary arguments to the OVF Tool
command that the script generates. You do not need to fill it out in
most circumstances.

First of all, I just want to mention that this option should not be required for general deployments but it may come in handy for more advanced use cases. Behind the scenes, the CLI Installer takes the human readable JSON and translates that to a set of OVF properties that are then sent down to ovftool for deployment. Not every single option is implemented in the JSON and for good reason as those level of details should be abstracted away from the end users. However, there may be cases where you may need to invoke a specific configuration or trigger a specific ovftool option and this would allow you to provide what I am calling a "pass-through" to ovftool.

Let me give you one concrete example on how this could be useful and how we can take advantage of this new capability. Since the release of VCSA 6.0, when you enable SSH and you login, you will notice that you are not placed in a regular bash shell but rather a restricted appliancesh interface. From an Automation standpoint, it was some what painful if you wanted to change the default as this feature is not implemented within the JSON configuration file. This meant that if you wanted the bash shell to be the default, you had to either change it manually as part of a post-deployment or you would have to by-pass the native CLI Installer and manually reverse engineer the required set of OVF properties needed for the deployment which is also not ideal.

[Read more...]

Automating the installation of VUM Update Manager Download Service (UMDS) for Linux in vSphere 6.5

by // 10 Comments

One of the most highly requested feature from customers with regards to the adoption of the vCenter Server Appliance (VCSA) is to have vSphere Update Manager (VUM) available as a Virtual Appliance. With the vSphere 6.5 release, this is now a reality as VUM is now embedded within the VCSA. The VUM service is also automatically enabled and associated with the vCenter Server instance which means from a customer standpoint, it is zero touch to get VUM up and running!

In addition to VUM being part of the VCSA 6.5, there is also the VUM Update Manager Download Service (UMDS) that can be installed on a separate Linux system. You can find the UMDS installer within the VCSA 6.5 ISO under the umds directory. To install UMDS, there are several pre-requisites that you must meet, some of which are documented here. The other requirements which are not documented are the additional OS package dependencies required to run the UMDS installer. While going through this by hand the first time, I found the following packages were required to install on an Ubuntu 14.04 distribution:

  • perl
  • tar
  • sed
  • psmisc
  • unixodbc
  • postgresql
  • postgresql-contrib
  • odbc-postgresql

For those of you who know me, if I have to perform something manually once, I might as well automate it for the future 🙂 I decided to create this quick shell script called install_umds65.sh which will allow you to easily deploy UMDS on an Ubuntu LTS 14.04 distribution. This can be useful for automated deployments or quickly standing up a lab environment.

[Read more...]