
Thursday, December 21, 2017

PowerCLI - VM Resource Configuration

READ CURRENT SETTING

Get-VM -name NSX-FBSD-01 | Get-VMResourceConfiguration | Format-Table -Property VM, CpuReservationMhz

CHANGE SETTING

Get-VM -name NSX-FBSD-01 | Get-VMResourceConfiguration | Set-VMResourceConfiguration -CpuReservationMhz 2000 | Format-Table -Property VM, CpuReservationMhz

Tuesday, November 28, 2017

Associate UTAG with VM on Secondary NSX Managers.

Here is the API call you can use on the Primary NSX Manager to assign tags to VMs (which could also be running on the secondary):

POST /api/2.0/services/securitytags/tag/{tag-id}/vm?action=attach

The request body will depend on the Unique ID selection criteria. If you are using instance UUID use:

<securityTagAssignment>
  <tagParameter>
    <key>instance_uuid</key>
    <value>a702c039-fb86-4c5f-b8f4-1c2d80299c97</value>
  </tagParameter>
</securityTagAssignment>

You can determine the appropriate security tag-id using:


GET /api/2.0/services/securitytags/tag

Thursday, November 9, 2017

ESXi host script - list all VM files and check lock status

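# Name of the VM to inspect
VM=DLR
# Path of the VM's .vmx file, taken from the "Config File:" line of the process list
VMX=`esxcli vm process list | grep -A 6 "$VM" | grep "Config" | cut -c 17-300`

# Collect the file names (.vmdk, .vswp, .vmx, .vmxf, .log) referenced in the .vmx
egrep "\.vmdk|\.vswp|\.vmx|\.vmxf|\.log" "$VMX" | cut -d "\"" -f 2 > /tmp/files.txt

# Check the lock status of every referenced file
for cf in `cat /tmp/files.txt`; do
    echo "the next config file is $cf"
    vmfsfilelockinfo -p "$cf" -v 192.168.4.100 -u administrator@uw.cz
done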



The paths to the files still need to be tuned: they are relative, not absolute.

Saturday, November 4, 2017

Windows vCenter 5.5/6.0 upgrade/migration to VCSA 6.5

VMware clearly announced that the Windows-based vCenter Server is deprecated and that future versions will be released only as a virtual appliance known as vCenter Server Appliance (VCSA). I have helped one of my customers with the upgrade / migration of their vCenter 5.5 to 6.5 and I have documented a few points which can be useful for others.

Before migration, the following points should be validated
  • All ESXi hosts managed by old vCenter must be at least 5.5 because ESXi 5.1 is not supported by vCenter 6.5 
  • All external solutions previously integrated with vCenter must be compatible with vCenter 6.5 
Migration process
  1. If you want to migrate the VMware Update Manager (VUM) configuration, you must run the migration assistant on the VUM Windows server. We have experienced some issues with VUM migration, therefore we have decided to unregister VUM (VUM extension name = com.vmware.vcIntegrity) and continue with the vCenter migration without VUM data migration.
  2. Unregister all external vCenter extensions (SRM, vSphere Replication, backup software, storage extensions, etc.), which must be registered back to the new vCenter (VCSA) later
  3. Run the Upgrade/Migration assistant on the Windows server where the vCenter service is running
  4. Run the Upgrade/Migration wizard on the administrator workstation and follow the upgrade wizard
  5. If vCenter is joined to Active Directory, the Migration Wizard asks you for the AD account which is used to join the new VCSA 6.5 host to AD. The AD account is entered without the domain, so the account DOMAIN\USER must be entered only as USER.
Stages of data migration from source to target vCenter (approx. 35 minutes)
  • 41% - Exporting VMware vCenter Server data - this is the most time-consuming part of the data migration and the progress bar stays at 41% the whole time
  • 42% - vCenter Orchestrator data 
  • 50% - vCenter Authentication Framework
  • 50% - Shutting down source machine 
  • 75% - Applying Active Directory configuration
  • ??
Setup target vCenter Server and services
  • 2% - Starting vCenter Authentication Framework
  • 5% - Starting VMware Identity Management Service
  • 17% - Starting VMware Component Manager 
  • 20% - Starting License Manager
  • 25% - Starting VMware Service Control Agent
  • 28% - Starting VMware API Endpoint
  • 31% - ???
  • 45% - Starting VMware Postgres - takes a long time
  • ??% - Starting Web Client
  • 62% - Starting vCenter Server
  • 65% - Starting Content Library Service
  • 68% - Starting ESX Agent Service
  • 77% - Starting VMware Update Manager
  • 80% - Starting vCenter High Availability
  • 85% - Starting VSAN 
  • 97% - Starting VMware Performance Charts
  • 100% - ???
Importing copied data to target vCenter Server
  • 14% - Importing VMware vCenter Inventory Service data
  • ??
  • 50% - Import vSphere Web Client data
  • ??
After migration
  • If you upgraded from vCenter 5.5, you do not have a vCenter 6.5 license, therefore you have to upgrade your 5.5 license to 6.x on the my.vmware.com license portal
Conclusion



We have migrated just vCenter inventory without Events and Performance data. Source vCenter inventory had approx. 1700 virtual machines and around 65 ESXi hosts and the whole migration took 70 minutes. It is not bad if you ask me.

Friday, October 27, 2017

vCenter TCP/UDP ports




Service - Port - Notes
vCenter Server - 443
  • Listens for connections from the vSphere Web Client
  • Monitors data transfer from SDK clients
Platform Services Controller (PSC) - 389, 636
  • LDAP port number for the Directory Services for the vCenter Server and PSC
  • Single Sign-On LDAPS
DNS - 53
  • Resolves on-prem Identity Source and PSC from VMC
Active Directory / OpenLDAP - 389, 636, 3268, 3269
  • Identity Source used for HLM
  • Configured in VMC vSphere Client
ESXi - 902, 903
  • Host access to other hosts for migration and provisioning
  • Status update (heartbeat) connection from ESXi to vCenter Server
  • Remote console traffic generated by user access to virtual machines on a specific host
  • Required for cold migration

Wednesday, September 13, 2017

FreeBSD x86 boot process


It may be easier if I describe, as briefly as possible, what such a boot actually looks like. For simplicity I will deal only with the classic BIOS and not with UEFI firmware.

1. The BIOS initializes the motherboard and its peripherals and proceeds to boot the operating system. Which device it tries to boot from is a matter of BIOS configuration. For simplicity we will call the selected boot device the system disk.

2. The BIOS reads the contents of the first sector of the system disk, checks that positions 510 and 511 hold the values 55h and AAh (the so-called "boot signature", a sign that the sector contents are valid), puts it into memory and hands control to the program code at the beginning of the sector. What happens next is up to that code.

FreeBSD alone offers two variants of what to put into this sector: the "classic" one and the FreeBSD interactive one. In the three-stage boot that is typical for FreeBSD, this is stage 1.

3a. The classic code goes through the partition table, which is also in that sector, finds the first active partition, reads its first sector, checks that it is valid, puts it into memory and hands control to it.

3b. The interactive code builds a "list of candidates" from the partition table and other configuration information stored in the sector, lets the user choose from them (that is the Fn... prompt), reads the first sector of the selected partition, checks that it is valid, puts it into memory and hands control to it.

If the system disk is named ada0, the individual partitions are s1..s4, so we are talking about reading the first sector of, for example, ada0s1.

4. If the partition selected (in 3a or 3b) is a FreeBSD one, it has a BSDLABEL at its beginning, and part of that is again code which, once placed into memory and started, does much the same thing as the code from the MBR. The code reads the table that further divides the partition (sub-partitions labelled with letters: a, b, c, d, ...) and selects which of them will be the boot one. Nothing here depends on an "active" flag; this code reads its "configuration" from the file /boot.config, and it is also interactive (FreeBSD/x86 boot), so the user can influence it too. The result of the decision process is "what to load next and from where".

What I am talking about now is "stage 2".

All sorts of things can be loaded from all sorts of places, but usually it is /boot/loader from partition 'a'. Once it is loaded, control is handed to it. With that we enter stage 3.

5. The loader, using the information in /boot/loader.conf and possibly other sources, including interactive user input (menu and/or prompt), decides what to load and from where. Typically it is /boot/kernel/kernel, which is loaded and given control; this ends the loading of the system and starts its actual run.

The time during which the 'loader' code was running is what we call stage 3.

And that is basically all. Yes, it can be made more complicated, for example by skipping stages (a physical disk can start directly with a BSDLabel and have no MBR at all, and it also does not have to load /boot/loader but can just as well load /boot/kernel/kernel directly), but I think it is complicated enough even without that ;-)

By now you should have an idea of how "which way next" is chosen in each stage and therefore how to achieve what you need.
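
The checks from steps 2 and 3a above (boot signature at positions 510/511, first partition table entry flagged active), as an added shell example that is not part of the original post. The 512-byte image is a constructed sample and the function names are hypothetical; the table offset 446, the 16-byte entry size, the active flag 80h and the FreeBSD type A5h are standard MBR layout values that the page itself does not state.

```shell
#!/bin/sh
# byte_at FILE OFFSET -> decimal value of the byte at OFFSET
byte_at() {
    od -An -tu1 -j"$2" -N1 "$1" | tr -d ' \n'
}

# has_boot_signature FILE -> exit 0 if bytes 510/511 are 55h AAh (85, 170)
has_boot_signature() {
    [ "$(byte_at "$1" 510)" = "85" ] && [ "$(byte_at "$1" 511)" = "170" ]
}

# first_active_slice FILE -> prints s1..s4 for the first entry flagged active,
# "none" if no entry is active, "invalid" if the boot signature is missing
first_active_slice() {
    has_boot_signature "$1" || { echo "invalid"; return 1; }
    n=1
    while [ "$n" -le 4 ]; do
        # partition table starts at offset 446, 16 bytes per entry;
        # byte 0 of an entry is the active flag (80h = 128)
        off=$((446 + (n - 1) * 16))
        if [ "$(byte_at "$1" "$off")" = "128" ]; then
            echo "s$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "none"
    return 1
}

# slice_type FILE N -> partition type byte of entry N (165 = A5h = FreeBSD)
slice_type() {
    byte_at "$1" $((446 + ($2 - 1) * 16 + 4))
}

# put_byte FILE OFFSET OCTAL -> overwrite one byte in place
put_byte() {
    printf "\\$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Constructed sample: entry 2 inactive (type 0Bh), entry 3 active FreeBSD slice
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    put_byte "$1" 466 013   # entry 2, type byte: 0Bh
    put_byte "$1" 478 200   # entry 3, active flag: 80h
    put_byte "$1" 482 245   # entry 3, type byte: A5h
    put_byte "$1" 510 125   # boot signature 55h
    put_byte "$1" 511 252   # boot signature AAh
}

img="${TMPDIR:-/tmp}/sample-mbr.$$"
make_sample_mbr "$img"
echo "boot slice: ada0$(first_active_slice "$img"), type $(slice_type "$img" 3)"
rm -f "$img"
```
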

Thursday, July 6, 2017

Oh, those youngsters

 “Our youth is ill-mannered, mocks authority and has no respect for the elderly. Our children today do not stand up when an old man enters the room, they talk back to their parents and chatter instead of working. They are quite simply bad.” Socrates (469-399 BC)

“I lose all hope for the future of our country if it is to be led tomorrow by today's youth, because these youngsters are unbearable, unruly, simply terrible.” Hesiod (720 BC)

“Our world has reached a critical stage. Children no longer listen to their parents. The end of the world cannot be far away.” Egyptian priest (2000 BC)

“This youth is rotten through and through. Young people are malicious and lazy. They will never be like the young used to be. Today's young will not be able to preserve our culture.” Clay tablet found in the ruins of Babylon, 3000 years old

Tuesday, May 30, 2017

Installing PSC SSL Cert from machine certificate

In relation to the action plan provided by Paul, it would be indeed beneficial to replace the Lookup Service SSL certificate on a Platform Services Controller 6.0 to be the same as the PSC Machine SSL Certificate.

I would recommend using the steps below - they are based on the provided KB article; however, the difference is that we are not going to generate a new certificate for the Lookup Service SSL certificate - we are going to use the same certificate as for the PSC Machine SSL Certificate. By doing this, there will be no difference in the certificate that is present on port 443 (Machine SSL certificate) and 7444 (Lookup Service SSL certificate).

Please find below the procedure to change the lookupservice certificate (presented on port 7444) to be the same as the PSC Machine SSL Certificate (presented on port 443):

1. Connect to PSC server as root through SSH session.

2. Make a new directory

mkdir /ssl

3. Run the following VECS-CLI commands to export the PSC Machine SSL Cert

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /ssl/machine_ssl.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /ssl/machine_ssl.key

4. Run this command to generate a .p12 file consisting of both the ssoserver.cer and ssoserver.key file:

openssl pkcs12 -export -in /ssl/machine_ssl.crt -inkey /ssl/machine_ssl.key -name "ssoserver" -passout pass:changeme -out /ssl/ssoserver.p12

Note: Do not modify the -passout value. This must remain as changeme.

5. Run this command to backup the existing ssoserver.p12 file:

cp /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12 /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12.backup

6. Run this command to replace the old ssoserver.p12 with the newly generated ssoserver.p12 file:

cp /ssl/ssoserver.p12 /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12

7. Run this command to restart the Platform Services Controller services:

service-control --stop --all

service-control --start --all
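
One way to check the outcome of steps 3 and 4 before the files are swapped and the services restarted: an added shell example (not from the original procedure or the KB) that confirms the .p12 bundle carries the same certificate as the exported Machine SSL certificate and that the key belongs to it. The key pair is a constructed throwaway created in a private temporary directory; the function names and the host name psc.example.test are assumptions.

```shell
#!/bin/sh
# SHA-256 fingerprint of a PEM certificate file
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate stored in a .p12 (password in $2)
p12_fp() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a live listener presents (host, port)
live_fp() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# exit 0 if the private key ($2) belongs to the certificate ($1):
# both must yield the same public key
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build a throwaway pair and bundle, then compare them; exit 0 on a match
demo_bundle_check() {
    dir=$(umask 077; mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=psc.example.test" \
        -keyout "$dir/machine_ssl.key" -out "$dir/machine_ssl.crt" 2>/dev/null
    # same export command as step 4 of the procedure
    openssl pkcs12 -export -in "$dir/machine_ssl.crt" \
        -inkey "$dir/machine_ssl.key" -name "ssoserver" \
        -passout pass:changeme -out "$dir/ssoserver.p12"
    rc=1
    if key_matches_cert "$dir/machine_ssl.crt" "$dir/machine_ssl.key" &&
       [ "$(cert_fp "$dir/machine_ssl.crt")" = \
         "$(p12_fp "$dir/ssoserver.p12" changeme)" ]; then
        rc=0
    fi
    rm -rf "$dir"   # do not leave the exported private key on disk
    return $rc
}

demo_bundle_check && echo "bundle matches machine certificate"
```

After the restart in step 7, `live_fp <psc-host> 443` and `live_fp <psc-host> 7444` should print the same fingerprint.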

Thursday, May 25, 2017

WordPress - installation

su -l [webmaster]
cd [web-document-root-directory]
fetch https://wordpress.org/latest.zip
unzip latest.zip
mv wordpress [site-name]

su -l root
cd /usr/local/etc/apache24/extra/
vi httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin david.pasek@gmail.com
    DocumentRoot "/usr/home/[webmaster]/[site-name]/"
    ServerName [site-name].dpasek.com
    ServerAlias [site-name].dpasek.com
    Options Indexes FollowSymLinks Includes
    ErrorLog "/var/log/[site-name]-error.log"
    CustomLog "/var/log/[site-name]-access_log" common
</VirtualHost>
apachectl restart

mysql -u root -p
CREATE DATABASE wp_[site-name] CHARACTER SET utf8 COLLATE utf8_bin;
grant all privileges on wp_[site-name].* to 'wp_[site-name]'@'localhost' identified by "pwd-[site-name]";



Wednesday, May 24, 2017

PowerCLI installation

Find-Module VMware.PowerCLI
Install-Module VMware.PowerCLI

Get-Module -ListAvailable VMware*

Update-Module VMware.PowerCLI

Friday, May 12, 2017

VCSA HA heartbeating

Q: What method is used for VCSA HA heartbeating (to validate that the primary VC is really not available)?

A:
There is a TCP heartbeat that happens every second between the nodes (initiated from the Active node). We monitor the active node via that heartbeat and ping. A failover is triggered when there are 3 lost heartbeats followed by 5 failed pings. Therefore, the node (or network) would need to be down for at least 8 seconds for a failover to be triggered.

The heartbeating technology that we use is based off of FDM (which is what vSphere HA uses) so it is a mature methodology that should work quite well.

Thursday, April 27, 2017

WordPress - mod_rewrite for static pages


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
# BEGIN EWWWIO

# END EWWWIO

Friday, April 21, 2017

vSphere 6.5 - backup

I would like to follow up on the vSphere workshop we had on 9.3 and answer questions about vCenter 6.5 backup:
Q1: Is the backup a single file? What is its approximate size?
A1: The backup consists of multiple files (screen1 attached), one per specific service. The approximate backup size might differ based on the number of components you are using (VUM, Image Builder and their data). During the backup process, it is calculated how much space it will approximately need (screen2); the portal in the latest available version still seems unable to include the amount of data from VUM and Image Builder, therefore the 1.2GB expected by the tool differs by about 500GB from the real situation.

Q2: Best practice for backup of VCSA in HA mode
A2: VCSA in HA mode supports standard configuration backup through the VCSA VAMI. In such a case only the configuration of the primary appliance is backed up. During the restore process the VCSA is properly restored with HA mode disabled -> afterwards HA mode should be re-enabled. In this case this was expected behavior, as the VCSA VAMI backup is an in-guest backup and therefore it is not fully aware of the configuration of the other VCSA nodes (as an image-level backup would be).

Test observations
During the tests I noticed a strange problem, which has so far been identified as a bug. Choosing an SDRS cluster for the initial placement of the Secondary and Witness appliances is not supported. Further in the deployment you can choose specific datastores (which can be part of the SDRS cluster), and that should be a supported configuration – but it is still not accepted and you are not allowed to proceed with the deployment (screen3). I’m currently working with the PM team and engineering to clarify the setup and resolve the problem.




Wednesday, April 19, 2017

VM Max Snapshots

Get-VM | New-AdvancedSetting -Name snapshot.MaxSnapshots -Value 0

Friday, March 10, 2017

vSphere SSL Certificate Management

INTRODUCTION VIDEO

Certificate Management Overview

Certificate management CLIs
Perform all certificate management tasks with dir-cli, certool, and vecs-cli.

VCSA files and tools
Template file for a CSR request is at /usr/lib/vmware-vmca/share/config/certool.cfg

VMCA – VMware Certificate Authority
VMCA Certificate Manager -  /usr/lib/vmware-vmca/bin/certificate-manager
VMCA Certificate Tool - /usr/lib/vmware-vmca/bin/certool

VECS - VMware Endpoint Certificate Store
VECS CLI - /usr/lib/vmware-vmafd/bin/vecs-cli 

Other resources:
vSphere 6 SSL certificate Replacement / Implementation using the Certificate-Manager automation tool

Understanding and using vSphere 6.0 Certificate Manager (2097936)

Using vecs-cli to manage VMware Certificate Endpoint Store (VECS) instances

Saturday, February 25, 2017

FreeBSD (FAMP) + Wordpress Installation RunBook

FreeBSD + Apache (apache24) + MySQL + PHP5 (php-fpm) + Wordpress

Procedures in this KB are based on articles

FreeBSD OS Configuration

/etc/rc.conf

hostname="fbsd01.dpasek.com"
ifconfig_vmx0="inet 192.168.58.1 netmask 255.255.255.0"
defaultrouter="192.168.58.254"

sshd_enable="YES"
ntpd_enable="YES"
ntpdate_enable="YES"

#VMware Tools
vmware_guest_vmblock_enable="YES"
vmware_guest_vmhgfs_enable="YES"
vmware_guest_vmmemctl_enable="YES"
vmware_guest_vmxnet_enable="YES"
vmware_guestd_enable="YES"

apache24_enable="YES"
mysql_enable="YES"
php_fpm_enable="YES"

Restart the network configuration:
/etc/rc.d/netif restart
/etc/rc.d/routing restart

Software installation
pkg update
pkg install open-vm-tools-nox11
pkg install git
pkg install apache24 mysql56-server php56 php56-extensions php56-zlib mod_php56 php56-mysql php56-mysqli php56-curl php56-mbstring
# php info http://www.blackies.net/info.php

OS Tuning

Edit .profile
PS1="[${LOGNAME}@$(hostname)]$ ";        export PS1


Prepare .gitconfig

For more info see http://intkb.blogspot.cz/2016/01/github.html

# *********** github config
git config --global user.name "davidpasek"
git config --global user.email "david.pasek@gmail.com"
# *********** Clone existing github repository
git clone https://github.com/davidpasek/math4kids

MySQL Start service and DB Configuration
service mysql-server start
mysql_secure_installation

# Login to database as administrator 
mysql -u root -p
# Show databases 
show databases;
# Create databases - kayak
CREATE DATABASE kayak CHARACTER SET utf8 COLLATE utf8_bin;
# Create DB username - kayak with password kayak
grant all privileges on kayak.* to 'kayak'@'localhost' identified by "kayak";

Apache Configuration
service apache24 stop

/usr/local/etc/apache24/httpd.conf

ServerAdmin david.pasek@gmail.com
ServerName c4c.dpasek.com:80

<Directory />
    AllowOverride none
    # Require all denied
    # Allow from all
    Require all granted
</Directory>

DocumentRoot "/usr/local/www/apache24/data"

# Virtual hosts
Include etc/apache24/extra/httpd-vhosts.conf

LoadModule rewrite_module libexec/apache24/mod_rewrite.so

/usr/local/etc/apache24/Includes/php.conf
<IfModule dir_module>
        DirectoryIndex index.php index.html

        <FilesMatch "\.php$">
                Sethandler application/x-httpd-php
        </FilesMatch>
        <FilesMatch "\.phps$">
                Sethandler application/x-httpd-php-source
        </FilesMatch>
</IfModule>

/usr/local/etc/apache24/extra/httpd-vhosts.conf

<VirtualHost *:80>
    ServerAdmin david.pasek@gmail.com
    DocumentRoot "/usr/home/cdave/web/math4kids/"
    ServerName m4k.dpasek.com
    ServerAlias m4k.dpasek.com
    Options Indexes FollowSymLinks Includes
    ErrorLog "/var/log/m4k.dpasek.com-error.log"
    CustomLog "/var/log/m4k.dpasek.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin david.pasek@gmail.com
    DocumentRoot "/usr/home/cdave/web/flexbook-examples/"
    ServerName flexbook.dpasek.com
    ServerAlias flexbook.dpasek.com
    Options Indexes FollowSymLinks Includes
    ErrorLog "/var/log/flexbook.dpasek.com-error.log"
    CustomLog "/var/log/flexbook.dpasek.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin david.pasek@gmail.com
    DocumentRoot "/usr/home/cdave/web/kayak/"
    ServerName kayak.dpasek.com
    ServerAlias kayak.dpasek.com
    Options Indexes FollowSymLinks Includes
    ErrorLog "/var/log/kayak.dpasek.com-error.log"
    CustomLog "/var/log/kayak.dpasek.com-access_log" common
</VirtualHost>

PHP Configuration

/usr/local/etc/php-fpm.conf
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www

listen.mode = 0660

# Create /usr/local/etc/php.ini
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Edit /usr/local/etc/php.ini
cgi.fix_pathinfo=0

session.save_path = "/tmp"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php

Final Apache restart and validation
# apache restart
service apache24 restart
# show current apache settings
apachectl -S


WordPress

# Change owner for directory where WordPress files exist 
chown -R www:www kayak


Guidelines for moving WordPress (Lukas Frei)
(1)
copy the WordPress folder

(2)
import the database
  • export the original database to a file
  • find and replace all instances of the domain in the file
  • wp-config.php holds the database information; change the prefix to match the original db
  • import the tables of the original db into a clean db
(3)
set up the web server
  • enable the php and rewrite modules
  • change the owner of the WordPress folder to the web server user
  • generate .htaccess (in the WordPress admin: Settings -> Permalinks)


Monday, January 23, 2017

WordPress - migration

procedure for moving a WordPress site:
  1. copy the WordPress folder
  2. import the database
    1. export the original database to a file
    2. find and replace all instances of the domain in the file
    3. wp-config.php holds the database information; change the prefix to match the original db
    4. import the tables of the original db into a clean db
  3. set up the web server
    1. enable the php and rewrite modules
    2. change the owner of the WordPress folder to the web server user
    3. generate .htaccess (in the WordPress admin: Settings -> Permalinks)