My role currently involves dealing with Windows in addition to the standard VMware/hardware infrastructure. If we ever thought that patching ESXi was fun, dealing with WSUS is a whole other ball game. I will no doubt get around to writing a full post about it in the near future, as dealing with it has been quite time consuming and there are a few gotchas 😉
However, the point of this post is WSUS and automation, in this case using PowerShell. There are two obvious approaches to using WSUS:
Approve everything to every computer group (depending on your patching schedule).
Approve only the required patches to each computer group.
The latter approach appeals to me, purely because we can ensure that a patch has been approved and applied in a less important environment first (think Dev -> UAT -> Production) and easily identify those patches that *haven't* been required previously (do you really want to apply a patch for the first time in Production?)
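The "promote what the lower tier has already taken" approach, as an added PowerShell example (this is not the original post's script). It uses the UpdateServices module plus the underlying Microsoft.UpdateServices.Administration API, and approves an update for the target group only when it is already approved for Install in the source group, every source-group computer reports it installed, and something in the target group still needs it. Updates that have never been installed in the source tier are reported rather than promoted, which is exactly the "first time in Production" case above. Server name, port and group names are assumptions.

```powershell
# Added example (not from the original post): promote WSUS approvals from one
# computer group to the next tier, only for updates the lower tier has
# already installed cleanly. Server, port and group names are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WsusServer = 'wsus01.corp.example',   # assumption
    [int]$Port          = 8530,                    # assumption (8531 when WSUS uses SSL)
    [switch]$UseSsl,
    [string]$FromGroup  = 'Dev',                   # assumption
    [string]$ToGroup    = 'UAT'                    # assumption
)

Import-Module UpdateServices
$wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port -UseSsl:$UseSsl

$groups = $wsus.GetComputerTargetGroups()
$source = $groups | Where-Object Name -eq $FromGroup
$target = $groups | Where-Object Name -eq $ToGroup
if (-not $source -or -not $target) { throw "Group '$FromGroup' or '$ToGroup' not found on $WsusServer" }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

function Get-GroupSummary {
    # Per-group install summary for one update (IUpdateSummary: InstalledCount,
    # FailedCount, NotInstalledCount, NotApplicableCount, UnknownCount, ...)
    param($Update, $Group)
    $Update.GetSummaryPerComputerTargetGroup() | Where-Object { $_.ComputerTargetGroupId -eq $Group.Id }
}

$promoted     = @()
$neverApplied = @()

# Get-WsusUpdate wraps each IUpdate in .Update; -Status trims the list to
# updates that at least one computer (in any group) still reports as needed
foreach ($w in Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval AnyExceptDeclined -Status FailedOrNeeded) {
    $u = $w.Update
    $approvals = $u.GetUpdateApprovals()
    $inSource = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $source.Id -and $_.Action -eq $install }
    $inTarget = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $target.Id -and $_.Action -eq $install }
    if (-not $inSource -or $inTarget) { continue }   # not approved in the lower tier yet, or already done

    $src = Get-GroupSummary -Update $u -Group $source
    $tgt = Get-GroupSummary -Update $u -Group $target
    if (-not $tgt -or ($tgt.NotInstalledCount + $tgt.FailedCount) -eq 0) { continue }   # nothing in $ToGroup needs it

    if (-not $src -or $src.InstalledCount -eq 0) {
        # Approved for Dev but never actually applied there: flag it, do not promote it blindly
        $neverApplied += $u.Title
        continue
    }
    if ($src.FailedCount -gt 0 -or $src.NotInstalledCount -gt 0) {
        Write-Warning "Skipping '$($u.Title)': not fully installed in $FromGroup yet"
        continue
    }

    if ($PSCmdlet.ShouldProcess($u.Title, "Approve for Install in $ToGroup")) {
        [void]$u.Approve($install, $target)
    }
    $promoted += $u.Title
}

"{0} update(s) promoted from {1} to {2}" -f $promoted.Count, $FromGroup, $ToGroup
$promoted
if ($neverApplied) {
    "{0} update(s) needed in {1} but never installed in {2}; review these by hand:" -f $neverApplied.Count, $ToGroup, $FromGroup
    $neverApplied
}
```

Run it with `-WhatIf` first: the script supports ShouldProcess, so it lists what it would approve without touching WSUS. Note that `-Status FailedOrNeeded` on `Get-WsusUpdate` is a server-wide filter; the per-group summaries are what actually decide whether the target tier needs the update.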
I think it is a good rule of thumb that the security maturity of the organisation can be measured by whether SSH is left enabled (with warnings muted) or disabled on ESXi Hosts. As there is a warning on the host if the service is enabled, and the hardening guides recommend that it is disabled, there is little doubt that this disabled state is VMware’s preference and a security best practice.
So how do we enable SSH on ESXi? I am assuming that the only accessible interface is the Web Client, as access to the console is likely restricted too (perhaps the hosts are in lockdown mode?). We have a few options..
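One of those options, as an added PowerCLI example rather than code from the original post: enable the SSH service on a host for the duration of a maintenance task, then put it back to the hardened state (service stopped, start-up policy Off) so the host warning clears again. The vCenter and host names are assumptions.

```powershell
# Added example (not from the original post): toggle the ESXi SSH service
# (service key TSM-SSH; TSM on its own is the local ESXi Shell) for one
# maintenance window and return it to the hardened state afterwards.
# vCenter and host names are assumptions.
Import-Module VMware.PowerCLI -ErrorAction Stop    # VMware.VimAutomation.Core on older PowerCLI
Connect-VIServer -Server 'vcenter.corp.example' | Out-Null   # assumption

function Get-EsxiSshService {
    param([Parameter(Mandatory)][string]$VMHostName)
    Get-VMHostService -VMHost (Get-VMHost -Name $VMHostName) | Where-Object { $_.Key -eq 'TSM-SSH' }
}

function Enable-EsxiSsh {
    param([Parameter(Mandatory)][string]$VMHostName)
    $svc = Get-EsxiSshService -VMHostName $VMHostName
    if (-not $svc.Running) { Start-VMHostService -HostService $svc -Confirm:$false | Out-Null }
    # Deliberately leave the start-up policy alone (it should be Off): a reboot
    # must not bring SSH back even if the disable step below is forgotten
    Get-EsxiSshService -VMHostName $VMHostName
}

function Disable-EsxiSsh {
    param([Parameter(Mandatory)][string]$VMHostName)
    $svc = Get-EsxiSshService -VMHostName $VMHostName
    if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
    # Force the hardened policy in case someone set it to 'on' or 'automatic'
    Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
    Get-EsxiSshService -VMHostName $VMHostName
}

function Get-HostsWithSshLeftOn {
    # Quick audit for the "rule of thumb" above: anything running or set to start is a finding
    Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM-SSH' -and ($_.Running -or $_.Policy -ne 'off') } |
        Select-Object VMHost, Running, Policy
}

# Typical use: enable, do the work, disable; the finally block runs even if the work throws
$esxi = 'esxi01.corp.example'   # assumption
try {
    Enable-EsxiSsh -VMHostName $esxi | Select-Object Key, Running, Policy
    # ... run the ssh/esxcli work against $esxi here ...
}
finally {
    Disable-EsxiSsh -VMHostName $esxi | Select-Object Key, Running, Policy
}

Get-HostsWithSshLeftOn
```

Caveat for hosts in lockdown mode: starting the service is not enough on its own, because only accounts on the host's Exception Users list can log in directly over SSH or the DCUI while lockdown is enabled. Either add the maintenance account to that list for the window, or exit lockdown mode for the same window and re-enter it in the same `finally` block.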
Quick PowerShell snippet time! When you have a UCS Central instance with a number of domains, knowing what free slots you have available is quite useful, especially when you've got a smart hands service and won't be racking new servers yourself but instead having to communicate instructions.
In my time I've seen UCS Central used to manage geographically separate domains and a large number of domains across a small number of sites. When you get a new blade it needs to be put into a free slot; the question is where?
The script below uses domain groups to separate out domains, but the code is formatted so it can be removed if they aren’t used.
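The slot calculation itself, as an added PowerShell example (this is not the script from the original post). It takes a chassis list and a blade list and reports the empty slots per domain group, domain and chassis. The inventory below is constructed for the example; in a real run it would come from Cisco UCS Central PowerTool after `Connect-UcsCentral`, and the exact property names of those cmdlets' output are not shown on this page, so the mapping into the simple objects used here is an assumption.

```powershell
# Added example (not the original post's script): free blade slots per
# domain group / domain / chassis from an inventory of chassis and blades.
# Sample data is constructed; the UCS Central PowerTool object shapes that
# would feed it in production are an assumption.

function Get-FreeBladeSlots {
    param(
        # Chassis objects: DomainGroup, Domain, ChassisId, SlotCount (8 for a UCS 5108)
        [Parameter(Mandatory)][object[]]$Chassis,
        # Blade objects: Domain, ChassisId, SlotId. A full-width blade occupies two
        # slots, so list both slot numbers for it (one object per slot).
        [Parameter(Mandatory)][object[]]$Blades
    )
    foreach ($c in $Chassis | Sort-Object DomainGroup, Domain, ChassisId) {
        $used = @($Blades |
            Where-Object { $_.Domain -eq $c.Domain -and $_.ChassisId -eq $c.ChassisId } |
            ForEach-Object { [int]$_.SlotId })
        $free = @(1..$c.SlotCount | Where-Object { $used -notcontains $_ })
        [pscustomobject]@{
            DomainGroup = $c.DomainGroup   # remove this property (and the Sort key) if domain groups aren't used
            Domain      = $c.Domain
            ChassisId   = $c.ChassisId
            FreeCount   = $free.Count
            FreeSlots   = ($free -join ',')
        }
    }
}

# Constructed sample inventory (names and layout are made up for the example)
$chassis = @(
    [pscustomobject]@{ DomainGroup = 'root/EMEA'; Domain = 'ucs-lon-01'; ChassisId = 1; SlotCount = 8 }
    [pscustomobject]@{ DomainGroup = 'root/EMEA'; Domain = 'ucs-lon-01'; ChassisId = 2; SlotCount = 8 }
    [pscustomobject]@{ DomainGroup = 'root/APAC'; Domain = 'ucs-syd-01'; ChassisId = 1; SlotCount = 8 }
)
$blades = @(
    [pscustomobject]@{ Domain = 'ucs-lon-01'; ChassisId = 1; SlotId = 1 }
    [pscustomobject]@{ Domain = 'ucs-lon-01'; ChassisId = 1; SlotId = 2 }
    [pscustomobject]@{ Domain = 'ucs-lon-01'; ChassisId = 1; SlotId = 3 }
    [pscustomobject]@{ Domain = 'ucs-lon-01'; ChassisId = 1; SlotId = 4 }   # full-width blade in 3+4
    [pscustomobject]@{ Domain = 'ucs-lon-01'; ChassisId = 2; SlotId = 7 }
    [pscustomobject]@{ Domain = 'ucs-syd-01'; ChassisId = 1; SlotId = 1 }
    [pscustomobject]@{ Domain = 'ucs-syd-01'; ChassisId = 1; SlotId = 8 }
)

# Report, most space first, so the smart hands instruction can name chassis and slot
Get-FreeBladeSlots -Chassis $chassis -Blades $blades |
    Sort-Object FreeCount -Descending |
    Format-Table -AutoSize
```

With the sample above, `ucs-lon-01` chassis 2 has seven free slots (everything except 7), chassis 1 has slots 5 to 8, and `ucs-syd-01` chassis 1 has slots 2 to 7. Sorting by `FreeCount` is what turns the inventory into an instruction: "put it in ucs-lon-01, chassis 2, slot 1".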
vSphere Replication is really a wonderful product – I’ve been using it for a few years now across a few employers and I’ve never had a really serious problem with it – it just seems to work.
Sure, there are a few feature requests we could make of it, for example setting a schedule of when to replicate and ignoring RPO violations outside of that, and bandwidth limiting on the traffic coming out of the appliance, but they really aren’t necessary for what it is designed for.
Something I like exists in the Flash/Flex UI, where we can see the size of the last replication ("Last sync size" in the image below). However, this only exists in this one place and I haven't found that it can be reported on anywhere else. It's good to know the rate of change for your servers when judging bandwidth (yes, we should have monitoring on the lines, but this won't break transfers down into individual servers).
The use case for this challenge was a small cluster (8-10 ESXi hosts) in which only a subset of the hosts were assigned Windows Datacenter licences, so in order to maintain compliance all the Windows VMs would need to run on those hosts. The natural choice for ensuring this happens is a "must run" DRS rule between a group of VMs and a group of hosts, and the automation step is keeping the VM group accurate: it should contain only VMs that are still in the cluster and all of the Windows VMs in the cluster. Thus, the plan is to use vRealize Orchestrator to manage the DRS group.
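The same reconciliation written in PowerCLI, as an added example (the original post uses a vRealize Orchestrator workflow; this is not that workflow). It computes the set of Windows VMs in the cluster from the configured guest OS, diffs it against the DRS VM group, adds and removes only the differences, and checks that an enabled must-run rule is actually attached to the group. Cluster, group, rule and vCenter names are assumptions.

```powershell
# Added example (not the original post's vRO workflow): keep a DRS VM group
# equal to "all Windows VMs currently in this cluster" and verify the
# must-run rule that pins that group to the licensed hosts.
# vCenter, cluster, group and rule names are assumptions.
Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server 'vcenter.corp.example' | Out-Null   # assumption

function Get-ClusterWindowsVm {
    param([Parameter(Mandatory)]$Cluster)
    # Use the configured guest OS (Config.GuestFullName), not the Tools-reported
    # one: it is populated even for powered-off VMs or VMs without VMware Tools,
    # so a powered-off Windows VM cannot slip out of the group and land on an
    # unlicensed host when it is next powered on.
    Get-VM -Location $Cluster | Where-Object { $_.ExtensionData.Config.GuestFullName -like '*Windows*' }
}

function Sync-WindowsDrsVmGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $cluster = Get-Cluster -Name $ClusterName
    $group   = Get-DrsClusterGroup -Cluster $cluster -Name $GroupName -Type VMGroup

    $wanted  = @(Get-ClusterWindowsVm -Cluster $cluster)
    $current = @($group.Member)

    # Members that have left the cluster or are not Windows are removed; Windows VMs not yet in the group are added
    $toAdd    = @($wanted  | Where-Object { $current.Id -notcontains $_.Id })
    $toRemove = @($current | Where-Object { $wanted.Id  -notcontains $_.Id })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) VM(s)")) {
        $group = Set-DrsClusterGroup -DrsClusterGroup $group -VM $toAdd -Add -Confirm:$false
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) VM(s)")) {
        $group = Set-DrsClusterGroup -DrsClusterGroup $group -VM $toRemove -Remove -Confirm:$false
    }
    [pscustomobject]@{
        Cluster = $ClusterName
        Group   = $GroupName
        Added   = $toAdd.Name
        Removed = $toRemove.Name
        Members = @($group.Member).Name
    }
}

function Test-WindowsMustRunRule {
    # The group is only useful if an enabled MustRunOn rule references it
    param([Parameter(Mandatory)][string]$ClusterName, [Parameter(Mandatory)][string]$RuleName, [Parameter(Mandatory)][string]$GroupName)
    $rule = Get-DrsVMHostRule -Cluster (Get-Cluster -Name $ClusterName) -Name $RuleName -ErrorAction SilentlyContinue
    if (-not $rule)                      { Write-Warning "Rule '$RuleName' does not exist in $ClusterName"; return $false }
    if (-not $rule.Enabled)              { Write-Warning "Rule '$RuleName' is disabled"; return $false }
    if ($rule.Type -ne 'MustRunOn')      { Write-Warning "Rule '$RuleName' is '$($rule.Type)', not MustRunOn"; return $false }
    if ($rule.VMGroup.Name -ne $GroupName) { Write-Warning "Rule '$RuleName' is attached to group '$($rule.VMGroup.Name)'"; return $false }
    $true
}

# Dry run first (-WhatIf), then for real; names are assumptions
Sync-WindowsDrsVmGroup -ClusterName 'prod-cluster' -GroupName 'Windows-VMs' -WhatIf
Sync-WindowsDrsVmGroup -ClusterName 'prod-cluster' -GroupName 'Windows-VMs'
Test-WindowsMustRunRule -ClusterName 'prod-cluster' -RuleName 'Windows-MustRun-Licensed' -GroupName 'Windows-VMs'
```

Scheduling this alongside the vRO workflow, or in its place, gives a record of every add and remove; a VM appearing in `Removed` because it has been migrated out of the cluster is expected, one appearing because its guest OS type was edited is worth a look.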
A security vulnerability against Hewlett Packard iLOs was announced last year (link – https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account), along with the required firmware to patch. No doubt there are some amazing tools by HP that will allow firmware to be patched across an estate, but as I don’t have access to them I need to find another way to get firmware out to 20+ servers.
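Before pushing firmware anywhere it helps to know which iLOs still need it. The added PowerShell example below (not from the original post) inventories firmware versions across an estate using the unauthenticated `/xmldata?item=all` endpoint that iLOs expose, which is also the quickest way to confirm afterwards that the update actually took. The iLO addresses are assumptions, and the minimum fixed version to compare against is deliberately a parameter: take it from the vendor advisory for your iLO generation rather than from this example. The sample XML used to exercise the parser offline is constructed.

```powershell
# Added example (not from the original post): inventory iLO firmware levels
# via the unauthenticated https://<ilo>/xmldata?item=all endpoint and flag
# the ones below a fixed version supplied by the operator. Addresses and
# the sample XML are constructed for the example.

function Get-IloFirmwareInfo {
    # Parse the RIMP document the endpoint returns; MP is the management processor block
    param([Parameter(Mandatory)][xml]$RimpXml, [string]$Address = 'sample')
    $mp = $RimpXml.RIMP.MP
    [pscustomobject]@{
        Address  = $Address
        Product  = $mp.PN              # e.g. 'Integrated Lights-Out 4 (iLO 4)'
        Firmware = [version]$mp.FWRI   # e.g. '2.50' -> 2.50, so versions compare numerically
        Serial   = $mp.SN
    }
}

function Get-IloFirmwareInventory {
    param(
        [Parameter(Mandatory)][string[]]$IloAddress,
        [Parameter(Mandatory)][version]$MinimumFixedVersion   # from the vendor advisory (assumption: operator supplies it)
    )
    # Most iLOs carry self-signed certificates. This disables certificate validation
    # for the rest of the session, so run it in a dedicated session and only for
    # this read-only query; restore the callback afterwards.
    $savedCallback = [Net.ServicePointManager]::ServerCertificateValidationCallback
    [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        foreach ($ilo in $IloAddress) {
            try {
                $raw  = Invoke-WebRequest -Uri "https://$ilo/xmldata?item=all" -UseBasicParsing -TimeoutSec 10
                $info = Get-IloFirmwareInfo -RimpXml ([xml]$raw.Content) -Address $ilo
                $info | Add-Member -NotePropertyName NeedsUpdate -NotePropertyValue ($info.Firmware -lt $MinimumFixedVersion)
                $info | Add-Member -NotePropertyName Error -NotePropertyValue $null -PassThru
            }
            catch {
                # Unreachable iLOs are reported, not dropped: an unreachable BMC is its own finding
                [pscustomobject]@{ Address = $ilo; Product = $null; Firmware = $null; Serial = $null; NeedsUpdate = $null; Error = $_.Exception.Message }
            }
        }
    }
    finally {
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $savedCallback
    }
}

# Offline check of the parser against a constructed RIMP document
$sampleXml = [xml]@'
<RIMP>
  <HSI><SBSN>SAMPLE001</SBSN><SPN>ProLiant DL380 Gen9</SPN></HSI>
  <MP><ST>1</ST><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.50</FWRI><HWRI>ASIC: 16</HWRI><SN>ILOSAMPLE0001</SN></MP>
</RIMP>
'@
Get-IloFirmwareInfo -RimpXml $sampleXml

# Live run against the estate (addresses are assumptions); -MinimumFixedVersion comes from the advisory
$ilos = 1..20 | ForEach-Object { 'ilo-srv{0:d2}.mgmt.corp.example' -f $_ }
Get-IloFirmwareInventory -IloAddress $ilos -MinimumFixedVersion '0.0' |
    Sort-Object NeedsUpdate -Descending |
    Format-Table Address, Product, Firmware, NeedsUpdate, Error -AutoSize
```

Run the same inventory again after the firmware push: every row should now show `NeedsUpdate` false, and any that do not are the servers the push missed. The `xmldata` endpoint is readable without credentials from the management network, which is one more reason that network should not be reachable from general user VLANs.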
Adding users to groups within the same domain using PowerShell is quite simple: there is a cmdlet, Add-ADGroupMember (and removing them is just as easy!). But how do we accomplish this when one domain contains the groups and has a one-way trust with a domain in another forest that contains the users?
This is a rhetorical question 😉 Assuming we are running from the domain containing the groups, the other domain needs to be mapped to a PSDrive. Once done we can search for the user and use the Add-ADGroupMember cmdlet to add them.
Removing users is nearly as straight forward, though I only had success using Remove-ADPrincipalGroupMembership to remove the remote user.
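The add and remove steps described above as an added PowerShell example (not the original post's code). The remote domain is mapped as an ActiveDirectory provider drive with an explicit credential (needed because the trust is one-way), the user object is looked up while positioned on that drive, and the membership change is then made against a domain controller in the local domain. Domain controllers, group and user names and the credential prompt are assumptions, as is running the removal against the local DC, which matches what Remove-ADPrincipalGroupMembership needs to modify the local group.

```powershell
# Added example (not from the original post): cross-forest group membership
# over a one-way trust. Local domain holds the groups, the trusted remote
# forest holds the users. DC names, group/user names and the credential
# prompt are assumptions.
Import-Module ActiveDirectory

$LocalDc  = 'dc01.corp.example'       # assumption: domain that holds the groups
$RemoteDc = 'dc01.partner.example'    # assumption: domain that holds the users

function Connect-RemoteAdDrive {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # -Root '' maps the drive at the remote domain's default naming context
    if (-not (Get-PSDrive -Name REMOTE -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name REMOTE -PSProvider ActiveDirectory -Root '' -Server $RemoteDc `
                    -Credential $Credential -Scope Global | Out-Null
    }
}

function Get-RemoteUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # AD cmdlets use the drive's server and credential while the location is on that drive.
    # -Identity takes a sAMAccountName directly, so no filter string is built from input.
    Push-Location REMOTE:
    try     { Get-ADUser -Identity $SamAccountName }
    finally { Pop-Location }
}

function Add-RemoteUserToLocalGroup {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Server $LocalDc -Properties GroupScope
    # Only Domain Local groups can hold principals from another forest
    if ($group.GroupScope -ne 'DomainLocal') { throw "Group '$GroupName' is $($group.GroupScope); cross-forest members need a Domain Local group" }
    $user = Get-RemoteUser -SamAccountName $SamAccountName
    Add-ADGroupMember -Identity $group -Members $user -Server $LocalDc
    # Verify: the local DC stores the remote user as a foreign security principal with the same SID
    Get-ADGroupMember -Identity $group -Server $LocalDc | Where-Object { $_.SID -eq $user.SID }
}

function Remove-RemoteUserFromLocalGroup {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Server $LocalDc
    $user  = Get-RemoteUser -SamAccountName $SamAccountName
    # Remove-ADPrincipalGroupMembership is driven from the principal's side; run it against the local DC (assumption)
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group -Server $LocalDc -Confirm:$false
    -not (Get-ADGroupMember -Identity $group -Server $LocalDc | Where-Object { $_.SID -eq $user.SID })
}

# Usage (names are assumptions)
Connect-RemoteAdDrive -Credential (Get-Credential -Message 'Account in partner.example with read access')
Add-RemoteUserToLocalGroup      -SamAccountName 'jdoe' -GroupName 'App-Admins'
Remove-RemoteUserFromLocalGroup -SamAccountName 'jdoe' -GroupName 'App-Admins'
```

The GroupScope check is the one that saves time: a Global group silently cannot take a member from another forest, and the error from Add-ADGroupMember does not say so clearly. The remote credential only needs read access; all writes happen on the local DC.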
One of the main issues that face departments on their virtualisation journey is how they are managing snapshots:
Who can take them
Who can delete them
How long do they stick around for
Name/Description formatting policy
I consider them 'low hanging fruit' on the management tree: how an organisation approaches this is defined by policy and there shouldn't be anything too contentious involved. There are also options to have snapshots deleted automatically, with most management software providing the function. If you don't have this, then a vSphere alarm can be created to warn on snapshot size.
There was no option to automatically remove snapshots that was in accordance with the policy that was agreed at a previous role, so it was time to automate something :). One of the items revolved around communication to the snapshot owner – it is very important to inform them that the snapshot will be automatically removed and when it has been. Another item was where some snapshots that might be automatically cleared up would need to be held for longer – perhaps as a part of a Root Cause Analysis investigation.
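The policy items listed above (who took it, how old it is, a hold for investigations, and telling the owner before and after removal) as an added PowerCLI example. This is not the author's automation; the policy decision is kept in a small pure function so the thresholds can be reviewed on their own, the creator comes from the `createSnapshot` task event (which assumes those events are still in the vCenter event database), and a snapshot whose description starts with a hold marker is left alone. Thresholds, the hold marker, the SMTP details and the user-to-mailbox mapping are assumptions.

```powershell
# Added example (not the original post's automation): enforce a snapshot
# retention policy with owner notification before and after removal and a
# hold marker for snapshots that must survive (e.g. an RCA).
# Thresholds, hold marker, SMTP details and mail mapping are assumptions.
Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server 'vcenter.corp.example' | Out-Null   # assumption

$Policy = @{
    WarnAfterDays   = 5           # assumption: first notice to the owner
    RemoveAfterDays = 7           # assumption: hard limit agreed in policy
    HoldMarker      = 'HOLD:'     # assumption: description 'HOLD:<ticket> ...' exempts the snapshot
    SmtpServer      = 'smtp.corp.example'
    From            = 'vsphere-snapshots@corp.example'
    MailDomain      = 'corp.example'   # assumption: DOMAIN\user maps to user@corp.example
}

function Get-SnapshotAction {
    # Pure policy decision: Hold, Remove, Warn or Keep
    param([Parameter(Mandatory)][datetime]$Created, [string]$Description, [Parameter(Mandatory)][hashtable]$Policy, [datetime]$Now = (Get-Date))
    if ($Description -and $Description.StartsWith($Policy.HoldMarker)) { return 'Hold' }
    $ageDays = ($Now - $Created).TotalDays
    if ($ageDays -ge $Policy.RemoveAfterDays) { return 'Remove' }
    if ($ageDays -ge $Policy.WarnAfterDays)   { return 'Warn' }
    'Keep'
}

function Get-SnapshotCreator {
    param([Parameter(Mandatory)]$Snapshot)
    # The createSnapshot task event carries UserName; look around the snapshot's creation time
    $events = Get-VIEvent -Entity $Snapshot.VM -Start $Snapshot.Created.AddMinutes(-5) -Finish $Snapshot.Created.AddMinutes(5) -MaxSamples 200
    $task = $events |
        Where-Object { $_ -is [VMware.Vim.TaskEvent] -and $_.Info.DescriptionId -eq 'VirtualMachine.createSnapshot' } |
        Sort-Object CreatedTime -Descending | Select-Object -First 1
    if ($task) { $task.UserName } else { $null }
}

function Send-SnapshotNotice {
    param([Parameter(Mandatory)][string]$Creator, [Parameter(Mandatory)][string]$Subject, [Parameter(Mandatory)][string]$Body, [hashtable]$Policy)
    $to = ($Creator.Split('\')[-1]) + '@' + $Policy.MailDomain
    Send-MailMessage -SmtpServer $Policy.SmtpServer -From $Policy.From -To $to -Subject $Subject -Body $Body
}

function Invoke-SnapshotPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($snap in Get-VM | Get-Snapshot) {
        $action  = Get-SnapshotAction -Created $snap.Created -Description $snap.Description -Policy $Policy
        $creator = Get-SnapshotCreator -Snapshot $snap
        $label   = "'$($snap.Name)' on $($snap.VM.Name) (created $($snap.Created), $([math]::Round($snap.SizeGB, 2)) GB)"
        $notice  = $null
        switch ($action) {
            'Warn'   { $notice = "Snapshot $label will be removed automatically $($Policy.RemoveAfterDays) days after creation. Prefix its description with '$($Policy.HoldMarker)<ticket>' if it must be kept." }
            'Remove' {
                if ($PSCmdlet.ShouldProcess("$($snap.VM.Name)/$($snap.Name)", 'Remove-Snapshot')) {
                    Remove-Snapshot -Snapshot $snap -Confirm:$false
                    $notice = "Snapshot $label has been removed under the snapshot retention policy."
                }
            }
        }
        # Owners whose account could not be found from the event log get no mail; the report still shows them
        if ($notice -and $creator) { Send-SnapshotNotice -Creator $creator -Subject "vSphere snapshot $action : $($snap.VM.Name)" -Body $notice -Policy $Policy }
        [pscustomobject]@{ VM = $snap.VM.Name; Snapshot = $snap.Name; Created = $snap.Created; SizeGB = [math]::Round($snap.SizeGB, 2); Creator = $creator; Action = $action }
    }
}

# Report only (no removals, and the "has been removed" notice is not sent), then the real run
Invoke-SnapshotPolicy -Policy $Policy -WhatIf | Format-Table -AutoSize
Invoke-SnapshotPolicy -Policy $Policy | Format-Table -AutoSize
```

The "removed" notice is only sent after `Remove-Snapshot` has actually run, so a `-WhatIf` pass never tells an owner something that did not happen. Note that a snapshot in the Warn window is re-notified on every scheduled run; if that is too noisy, record the last notice date in the snapshot description or in a tag and skip owners already told.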
I’m getting into ScaleIO (Software Only) so am still quite new to the ecosystem and management commands, but having just gone through an upgrade cycle to the 2.5 release (from a later version than 18.104.22.168) I thought I’d note down my experience from doing a ScaleIO 2.5 upgrade and some things that might be useful to anyone else who does this.
Please note that this is just my experience and I am not to be considered a guru in all things ScaleIO. I'm happy to be corrected and educated 🙂
Ensure these are accepted before you begin otherwise you’ll have to accept them and restart. Not a big deal, but just one of those nice things for a smooth process 🙂