There are times as a vSphere admin, you are going to want to run ESXCLI commands against multiple ESXi Hosts from a central location. This could be for configuration / administration, reporting, patching or a number of other things.
Recently I have been testing different values in the /DataMover/MaxHWTransferSize advanced setting. To make life easier, I wanted a way to change multiple hosts quickly and easily. To do this, I customised a script that Luc Dekens posted as a solution to a problem someone was having that can be used to send ESXCLI commands to multiple hosts using PowerCLI and plink.exe. This slightly modified version uses a CSV file as a source containing my hosts FQDN and the username and password I will be connecting with.
Plink, which is part of the PuTTy suite, can can be found here.
When using this script, you need to either run the script from a directory containing the plink executable, copy it to where you want to run the script, or adjust the script to include the path to the plink executable… whichever takes your fancy.
Disclaimer: Always complete your own testing in an appropriate environment and refer to the vendors official documentation!
$Hosts = Import-Csv C:\ESXiHosts.csv
$Commad = 'esxcfg-advcfg -s 16384 /DataMover/MaxHWTransferSize'
Foreach ($H in $Hosts) {
#Starting the SSH Service if not already started
$SSHService = Get-VMHostService -VMHost $H.HostName | where {$_.Key -eq 'TSM-SSH'}
if ($SSHService.Running -eq 'True') {
Write-Host "****************************" -ForegroundColor Blue
Write-Host "WARNING: SSH already enabled, this will be stopped on completion of this script" -ForegroundColor Yellow
}
Else {
Write-Host "Starting SSH Service on Host $($H.HostName)" -ForegroundColor Green
Start-VMHostService -HostService $SSHService -Confirm:$false > $null
}
#Running the defined ESXCLI Command(s)
Write-host "Running remote SSH commands on $($H.HostName)." -ForegroundColor Green
Echo Y | ./plink.exe $H.HostName -pw $H.Password -l $H.UserName $Commad
#Stopping the SSH Service
$SSHService = Get-VMHostService -VMHost $H.HostName | where {$_.Key -eq 'TSM-SSH'}
if ($SSHService.Running) {
Write-Host "Stopping SSH Service on Host $($H.HostName)" -ForegroundColor Green
Stop-VMHostService -HostService $SSHService -Confirm:$false > $null
Write-Host "****************************" -ForegroundColor Blue
}
}
Write-Host "Complete $(Get-Date)" -ForegroundColor Green
You can run as many commands as you need by declaring another ‘Command’ variable at the beginning of the script and adding another line to the ‘Running the defined ESXCLI Command(s)’ section.
When run, it will then cycle through each of the ESXi hosts from your CSV file, enable SSH (if its not already enabled), accept the host key, run the commands you have specified and finally turn the SSH service off.
Here you can see it has set the MaxHWTransferSize to 16384 on each host.
You will see the Recent Task pane show the SSH Service starts and stops.
The commands passed in can be anything you need. All you need to do is change the commands that are defined in the variables section. For example, restarting the management agents –
Recently I decided it was time to add a second vCenter 7.0 Appliance to my main lab environment after the lab containing my SRM and vSphere Replication installation ceased to exist…
I thought I would take the CLI route as its been a while, and thought I’d share!
To begin, you need to decide what you are deploying. There are four deployment options available to you, which you can see listed below. To see the options, mount the vCenter ISO image, browse to vcsa-cli-installer\templates\install, and you will find 4 templates;
Embedded on ESXi
Embedded on VC
Embedded replication on ESXi
Embedded replication on VC.
Note there is not a distributed option here anymore as this is depreciated in 7.0.
For my lab I will be using the 3rd option; ‘Embedded replication on ESXi’. Firstly because I’m deploying to a standalone host and not to an existing vCenter. Secondly as I already have an existing VCSA and SSO Domain. This new VCSA will be added, or linked to the existing VCSA for my ‘Recovery’ site, in my Site Recovery Manager (SRM) setup.
If you are looking to deploy your first VCSA, onto a standalone host, you will want to use the ‘Embedded on ESXi’ template.
Once you have decided on the template that suits your scenario, you are going to add some details to this template, such as the ESXi host information you are deploying to, networking information, NTP and in my case SSO details as I will be adding it to an existing SSO Domain. One important value is the deployment size (deployment_option in the example below).
A useful command that can be run to help you decide what size appliance is suitable for your needs is:
vcsa-deploy --supported-deployment-sizes
This outputs the vCenter sizing to assist you. It shows you the resource requirements as well as the amount of hosts and VM’s each can support.
For my lab, ‘tiny’ covers my needs.
Here is the json file I used for the deployment in my lab. I have excluded the passwords for obvious reason, but it can be ran like this, and will prompt you for the passwords in the terminal.
{
"__version": "2.13.0",
"__comments": "Sample template to deploy a vCenter Server Appliance with an embedded Platform Services Controller as a replication partner to another embedded vCenter Server Appliance, on an ESXi host.",
"new_vcsa": {
"esxi": {
"hostname": "smt-lab-esx-04.smt-lab.local",
"username": "root",
"password": "",
"deployment_network": "vSS_PG_Management",
"datastore": "smt-lab-vmfs-02a"
},
"appliance": {
"__comments": [
"You must provide the 'deployment_option' key with a value, which will affect the VCSA's configuration parameters, such as the VCSA's number of vCPUs, the memory size, the storage size, and the maximum numbers of ESXi hosts and VMs which can be managed. For a list of acceptable values, run the supported deployment sizes help, i.e. vcsa-deploy --supported-deployment-sizes"
],
"thin_disk_mode": true,
"deployment_option": "tiny",
"name": "smt-lab-vcsa-02"
},
"network": {
"ip_family": "ipv4",
"mode": "static",
"system_name": "smt-lab-vcsa-02.smt-lab.local",
"ip": "10.200.15.249",
"prefix": "24",
"gateway": "10.200.15.254",
"dns_servers": [
"10.200.15.10"
]
},
"os": {
"password": "",
"ntp_servers": "0.uk.pool.ntp.org",
"ssh_enable": true
},
"sso": {
"password": "",
"domain_name": "vsphere.local",
"first_instance": false,
"replication_partner_hostname": "smt-lab-vcsa-01.smt-lab.local",
"sso_port": 443
}
},
"ceip": {
"description": {
"__comments": [
"++++VMware Customer Experience Improvement Program (CEIP)++++",
"VMware's Customer Experience Improvement Program (CEIP) ",
"provides VMware with information that enables VMware to ",
"improve its products and services, to fix problems, ",
"and to advise you on how best to deploy and use our ",
"products. As part of CEIP, VMware collects technical ",
"information about your organization's use of VMware ",
"products and services on a regular basis in association ",
"with your organization's VMware license key(s). This ",
"information does not personally identify any individual. ",
"",
"Additional information regarding the data collected ",
"through CEIP and the purposes for which it is used by ",
"VMware is set forth in the Trust & Assurance Center at ",
"http://www.vmware.com/trustvmware/ceip.html . If you ",
"prefer not to participate in VMware's CEIP for this ",
"product, you should disable CEIP by setting ",
"'ceip_enabled': false. You may join or leave VMware's ",
"CEIP for this product at any time. Please confirm your ",
"acknowledgement by passing in the parameter ",
"--acknowledge-ceip in the command line.",
"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
]
},
"settings": {
"ceip_enabled": true
}
}
}
Once you have prepared your file, there are a couple of commands you can run from a PowerShell prompt to validate your configuration before deploying, saving you some time should mistakes have been made. The first being:
.\vcsa-deploy.exe install --accept-eula --acknowledge-ceip --verify-template-only <Path to json File>
This completes some basic checks to ensure your json file is correct, here is a successful output:
Secondly:
.\vcsa-deploy.exe install --accept-eula --acknowledge-ceip --precheck-only <Path to json File>
This will perform a more in depth validation, checking things like the credentials for your SSO domain, DNS or whether the IP or name you plan to use for your VCSA is in use already.
Note: Make sure you have your DNS setup correctly and is resolving the appliance FQDN!
It will also provide warnings if it thinks you might not be using an appropriate template. I originally specified a host what was already managed by vCenter, so it warned me like so:
You will get a similar output to the first command, should you pass all the tests. If not you will need to look at resolving them to ensure you get a successful deployment.
The Install!
Once you are confident you have everything in place, including DNS, and your configuration files are correct, you are ready to install:
.\vcsa-deploy.exe install --accept-eula --acknowledge-ceip --no-ssl-certificate-verification <Path to json File>
Here is a cut down version of the output you will see during the deployment:
====== [START] Start executing Task: To validate CLI options at 12:46:25 ======
Command line arguments verfied.
[SUCCEEDED] Successfully executed Task 'CLIOptionsValidationTask: Executing CLI
optionsValidation task' in TaskFlow 'template_validation' at 12:46:26
[START] Start executing Task: To validate the syntax of the template. at
12:46:27
Template syntax validation for template
'M:\Software\VMware\vCenter\embedded_vCSA_replication_on_ESXi.json' succeeded.
Syntax validation for all templates succeeded.
====== [START] Start executing Task: Perform precheck tasks. at 12:46:39 ======
[START] Start executing Task: Verify that the provided credentials for the
target ESXi/VC are valid at 12:46:45
The certificate of server 'smt-lab-esx-04.smt-lab.local' will not be verified
because you have provided either the '--no-ssl-certificate-verification' or
'--no-esx-ssl-verify' command parameter, which disables verification for all
certificates. Remove this parameter from the command line if you want server
certificates to be verified.
================== [START] Start executing Task: at 12:47:47 ==================
= [SUCCEEDED] Successfully executed Task '' in TaskFlow 'install' at 12:47:47 =
[START] Start executing Task: Check whether the datastore's free space
accommodate the VCSA's deployment option at 12:47:51
[SUCCEEDED] Successfully executed Task 'Running precheck: TargetDsFreespace' in
TaskFlow 'install' at 12:47:51
==========VCSA Deployment Progress Report========== Task: Install
required RPMs for the appliance.(RUNNING 5/100) - Setting up storage
VCSA Deployment is still running
==========VCSA Deployment Progress Report========== Task: Install
required RPMs for the appliance.(SUCCEEDED 100/100) - Task has completed
successfully. Task: Run firstboot scripts.(SUCCEEDED 100/100) - Task has
completed successfully.
Successfully completed VCSA deployment. VCSA Deployment Start Time:
2020-12-28T13:19:19.291Z VCSA Deployment End Time: 2020-12-28T14:18:27.103Z
[SUCCEEDED] Successfully executed Task 'MonitorDeploymentTask: Monitoring
Deployment' in TaskFlow 'embedded_vCSA_replication_on_ESXi' at 14:18:45
Monitoring VCSA Deploy task completed
The certificate of server 'smt-lab-vcsa-02.smt-lab.local' will not be verified
because you have provided either the '--no-ssl-certificate-verification' or
'--no-esx-ssl-verify' command parameter, which disables verification for all
certificates. Remove this parameter from the command line if you want server
certificates to be verified.
== [START] Start executing Task: Join active domain if necessary at 14:18:59 ==
Domain join task not applicable, skipping task
[SUCCEEDED] Successfully executed Task 'Running deployment: Domain Join' in
TaskFlow 'embedded_vCSA_replication_on_ESXi' at 14:18:59
[START] Start executing Task: Provide the login information about new
appliance. at 14:19:10
Appliance Name: smt-lab-vcsa-02
System Name: smt-lab-vcsa-02.smt-lab.local
System IP: 10.200.15.249
Log in as: Administrator@vsphere.local
[SUCCEEDED] Successfully executed Task 'ApplianceLoginSummaryTask: Provide
appliance login information.' in TaskFlow 'embedded_vCSA_replication_on_ESXi' at
14:19:10
=================================== 14:19:16 ===================================
Once complete, you will now have a second vCenter appliance deployed in Linked mode with the original. Here it is once I had configured a datacenter and cluster with two hosts.
Tags are a really useful component in VMware. They can be used for all manor of things, whether it’s for storage policies, backups, identifying a group of objects or in the case of this post, managing permissions.
Having a method of easily assigning permissions to singular or multiple objects in vCenter can be a great benefit to a vSphere Admin as it’s gives them greater control over the environment they manage.
Lets take a look at what is needed to get this setup:
Script
Tag Category & Tags for each support role.
AD Security Groups
AD Service Account
vCenter Roles (one for the service account, then one for each of the support roles)
PowerCLI VICredentials
Scheduled Task
In this example I will use 4 common support teams that could be used, DBA, EUC, Operations and Storage. These can be anything you have a requirement for.
Script
Here is the script that applies the permissions based on the assigned tags. It can also be found here on GitHub. Save this on your management server of choice, or wherever you intend to run the scheduled task as a .PS1 file. In this example it’s saved on a management server in C:\Scripts\VI_Permissions.ps1.
Now onto Tag Categories and Tags in vCenter. Create a Tag category called ‘Support _Teams’ (Or something of your choosing, just make sure you are consistent throughout):
Or using PowerShell – New-TagCategory -Name Support_Teams -Cardinality Multiple -EntityType All
You can select as many object types as you wish and you will also want to allow multiple tags per object.
Now create a tag for each of the support teams in the tag category you just created:
Now for some corresponding AD Security Group for each role you wish to have:
Service Account (AD User)
Now to create an AD user account that will be used to apply the permissions within vCenter. This will be the account that will be used to run the scheduled task, connect to vCenter and will have the appropriate permissions to assign permissions for the support roles.
Support Team Roles
Now we need to create a suitable role for each team. In this example I have copied the Virtual Machine Power User role, but these roles can contain which ever privilege’s you require.
Under ‘Administration > Roles’ you will see the options to either create a new Role or copy an existing. From here you will be able to assign it a name and specify the privilege’s you require.
You will be referencing these Role names in the script so make sure you continue to match the names thought the process.
Permissioning Role
As mentioned in the service account section, the account (tag_permissions) running the scheduled task will need permissions in vCenter through a role. The privileges this role will hold, needs to include all the privilege’s that are referenced in all of your Support Team Roles in order for it to have the right to assign the permissions. For example, if all your support roles are a copy of the ‘Virtual Machine power user’ role, your tagging permissions role will need to contain the same privileges.
Depending on how broad the scope of your support team roles, you may want to use the ‘Administrator’ or the ‘No cryptography administrator’ role. This is entirely up to you and how you manage your estate.
For this example in my lab, I will use the predefined ‘Administrator’ role to grant the ‘tag_permissions’ AD account permissions at the Global Root, ensuring you have selected the ‘Propagate to children’ option.
You could create a copy of the ‘Administrator’ role and name it something like ‘VI Permissions Service’ for instance, to give you flexibility to modify it in the future as well as making it easy to identify. With any high privileged account, ensure you secure it appropriately.
Create VI Credential Item
Now to create an encrypted credentials file that the service account running the scheduled task can import and then use to connect to vCenter without any intervention.
The AD account that is used to run the scheduled task, must be the account that also creates the credentials file as this is the only user that can use it. It will require permissions to run PowerShell and have access to a folder location to store the credentials file on your chosen management server.
To begin, start a PowerShell session in the context of the service account:
Note: Ensure the server that you are running this scheduled task from has PowerCLI installed. Installing PowerCLI.
Then run the following, entering your vCenter FQDN and the user and password that you created:
Ensure you are storing the file somewhere with appropriate access to allow this but, also to restrict any unnecessary access. The credentials file can have the password read if the user account that created it is compromised and gains access to the file using those windows credentials.
Scheduled Task
Now for the last component, the scheduled task. On a management server or a server of your choosing, create a scheduled task:
Assign an appropriate schedule that suits the level of change and size of your environment:
Now configure the trigger to execute the script:
Now thats everything you need to set this up, so lets give it a run though!
Assigning Tags and Permissions
Lets take a look at my demo VM permissions before we begin assigning permissions:
Lets check the VM permissions before having any tags assigned:
Now you can either manually run the scheduled task or wait until its next scheduled run time. Once the job has run, you can now check the tags match the permissions assigned by running the following:
Finally, if you want to know which objects are supported by a specific team and have access you can check this by running:
Get-TagAssignment | Where {$_.Tag -like "Support_Teams/DBA_Team"}
You now have a way of assigning and removing permissions from vCenter objects using Tags. In this example I have used virtual machine object, but depending on your requirements, and the scope you set on the tag category, you could use this for other vCenter objects.
Following on from my last post on vSphere 7.0 certificate Management, I wanted to continue with another certificate related post. This one being Site Recovery Manager (SRM) 8.3. Like vSphere 7.0, this version seems simpler than previous versions I have used.
With SRM, it’s the Appliance Certificate replacement that I am going to take you through in this blog post.
Firstly log into the SRM appliance management console via https://<srm-fqdn>:5480 and select the ‘Certificates’ option on the left, followed by ‘Generate CSR’ in the top right.
Fill in the information for your certificate, then click ‘Generate and Download’. You then need to process the CSR with your certificate authority, whether thats an internal, public or lab CA.
Once you have your certificate, select the ‘Certificates’ option on the left again, this time followed by ‘Change’ in the top right.
Select the last option in the Select certificate type section; ‘CA-signed certificate generated from CSR’. Then, browse both your newly generated certificate and either you root CA certificate, or the CA chain. Click ‘Change’ once done.
This should complete the replacement of the SRM appliance certificate!
If like me you get an error complaining that the IP or Common name / SAN is missing, make sure the local host field is set to the FQDN when connecting SRM to vCenter.
vCenter 7.0 brings many new features, one of which is a much smoother certificate management experience. There are now 4 main ‘modes’ for certificate management.
These are; Fully Managed Mode, Hybrid Mode, Subordinate CA Mode and finally Full Custom Mode. There is a great article here from Bob Plankers explaining the difference between each.
As mentioned in Bob’s blog, Hybrid Mode is the recommend option, and I will show you that process here in this blog.
Firstly, in your vSphere Client, browse to Administration > Certificates. Then click Actions and select ‘Generate Certificate Signing Request (CSR)’.
Complete the required fields with your information, making sure you have at least added the common name as a Subject Alternative Name to avoid issues with modern browsers. Click Next.
Finally, copy or download your CSR to generate the certificate on the CA of your choosing. Click Finish when ready.
Once you have your certificate, return to Administration > Certificates and this time select ‘Import and Replace Certificate’.
You then need to select the second option. This may seem slightly deceiving but it effectively is the option you need when you have generated the CSR from vCenter like this.
Now browse and select both your freshly produced certificate, and the root certificate or certificate chain if you have issuing CA’s.
Hit replace, then wait for the Web Client to restart with the new certificate.
Now one final step is needed to complete Hybrid Mode. You need to download the VMCA Root certificate from https://<vCenterFQDN by clicking the ‘Download trusted root CA certificates’ option and distributing it to your vSphere admins.
Once distributed and installed on your vSphere admins client devices, they should not get certificate errors when either browsing to vCenter or the hosts it manages.
You could however, get this error due to the default certificate having a 5 year validity period and not being within the new ‘standard’ of 398 days.
NET::ERR_CERT_VALIDITY_TOO_LONG
If you receive this, you will want to adjust the vpxd.certmgmt.certs.daysValid value in the vCenter Advanced Settings. It defaults to 1825, making it 365 (one year) will stop this.
You can then renew the certificate on each host by clicking ‘Renew’ in the Configure > Certificates menu –
Before (5 years) –
After (1 Year)-
If you want to do this renewal via PowerCLI (because…well why wouldn’t you!?) there is a nice function here by Ankush Sethi which does a great job.
This has to be one of the first things you consider with any technology solution or decision today. So when I was lucky enough to receive a NFR license from HyTrust for their KeyControl Key Management System I was excited to get this into my lab so I can make use of VMware’s vSAN and VM Encryption.
In this post I will be going through the process of deploying a HyTrust Key Control appliance and creating a trust with vCenter. It was surprisingly straight forward and I was up and running in no time at all!
Firstly, deploy the OVA to an ESXi Host or Cluster that isn’t going to be managed by the Key Control appliance. You don’t want your encryption keys in the same place as the objects you are encrypting!
Follow the OVF deployment wizard, providing the details as prompted, and once the appliance is online, complete the final configuration steps to finish the installation.
You will then be met with this screen –
Now, browse to the web GUI and log in using the default credentials. You will then be prompted to set your own, followed by SMTP and online monitoring configuration options.
Once this is done and you are logged in there are a few KMIP settings you need to adjust in order for it to be ready to connect to vCenter as a Key Provider –
State = ENABLED
Protocol = Version 1.1
Below is a link to a HyTrust document with the details for vSphere 6.5. I used this for deployment in my vSphere 7 environment. You can find it here.
You will also want to apply a license file. This is done via; ‘Settings > License’, by way of uploading the license file you have been issued.
This completes a basic configuration that is now ready to connect to vCenter. If you are deploying outside of a lab environment, you are going to want to review your installation appropriately for the environment it is intended for.
So over to the Web Client. Select the vCenter Server object, select ‘Configure > Security > Key Providers’ and hit ‘Add Standard Key Provider’.
You will then want to give it a name, followed by the requested information. Once done, click ‘Add Key Provider’
You will receive the following prompt to confirm you want to from the Key Provider you have entered. Click ‘Trust’
This will have now created a Key Provider, but will show that it is not connected and has a certificate issue. So next we need to set up the trust.
This can be done by clicking ‘Establish Trust’ and selecting ‘Make KMS trust vCenter’
In my lab, I have gone with the option of creating a CSR and having the KMS issue a certificate –
Download the CSR using the option available. This will be in the .pem format which is exactly what you need.
Now over to the HyTrust appliance, load the CSR we downloaded into the wizard, as well as a name, and hit create. This is via the KMIP menu and selecting ‘Actions’ followed by ‘Create New Client Certificate’.
Once this is done, select the certificate and click ‘Actions’ and select the ‘Download Certificate’ option. This again will come in the requested .pem format.
Back to vCenter, we now need to upload the certificate using the ‘Establish Trust’ option and selecting ‘Upload Signed CSR Certificate’.
Once uploaded, you will see that the connection is now showing as connected and has a valid certificate.
This is now setup and ready to begin looking at VM and vSAN Encryption. Check out the next post which will go into both these options in more detail.
Configuring host VMKernel adapters for iSCSI can be a time consuming process. PowerCLI can take away a lot if not all of the effort.
Below is an example of using PowerCLI to create a Standard Virtual Switch (vSS), configure a VMKernel adapter, set the VLAN, enable the software iSCSI adapter (if that’s what you are using), bind it to the required network adapter and finally, add a dynamic Discovery target and rescanning the HBA’s.
This is based on targeting a single host at a time and re-running it with the paramaters for each host.
#Load PowerCLI Modules
Import-module VMware.PowerCLI
#Variables
#vCenter or Host to Connect to
$vCenter = "smt-lab-vcsa-01.smt-lab.local"
#ESX Host to target
$ESXHost = Get-VMHost "smt-lab-esx-01.smt-lab.local"
#Name of the iSCSI Switch
$iSCSISwitchName = "vSS_Storage_iSCSI"
#vmnic to be used for iSCSI Switch
$iSCSISwitchNIC = "vmnic2"
#MTU size
$MTU = "9000"
#Name of the Portgroup for the VMKernel Adapter
$iSCSIVMKPortGroupName = "vSS_VMK_iSCSI_A"
#iSCSI VMK IP
$iSCSIIP = "10.200.33.50"
#iSCSI VMK SubnetMask
$iSCSISubnetMask = "255.255.255.0"
#iSCSI VMK VLAN ID
$VLANID = "300"
#iSCSI Portal Target
$Target = "10.200.33.1:3260"
#Connect to vCenter
Connect-VIServer $vCenter -Credential (Get-Credential) -Force
#New Standard Switch for iSCSI
$NewSwitch = New-VirtualSwitch -VMHost $ESXHost -Name $iSCSISwitchName -Nic $iSCSISwitchNIC -Mtu $MTU
$NewPortGroup = New-VMHostNetworkAdapter -VMhost $ESXHost -PortGroup $iSCSIVMKPortGroupName -VirtualSwitch $NewSwitch -IP $iSCSIIP -SubnetMask $iSCSISubnetMask -Mtu $MTU
Set-VirtualPortGroup -VirtualPortGroup (Get-virtualPortGroup -VMhost $ESXHost | Where {$_.Name -eq $iSCSIVMKPortGroupName}) -VLanId $VLANID
#Enable Software iSCSI Adapter
Get-VMHostStorage -VMHost $ESXHost | Set-VMHostStorage -SoftwareIScsiEnabled $True
#Bind the iSCSI VMKernel Adapter to Software iSCSI Adapter (credit to Luc Dekens for this)
$esxcli = Get-EsxCli -V2 -VMHost $ESXHost
$bind = @{
adapter = ($iscsiHBA = $ESXHost | Get-VMHostHba -Type iScsi | Where {$_.Model -eq "iSCSI Software Adapter"}).Device
force = $true
nic = $NewPortGroup.Name
}
$esxcli.iscsi.networkportal.add.Invoke($bind)
#Add Dynamic Discovery Target
$ESXHost | Get-VMHostHba $iscsiHBA | New-IScsiHbaTarget -Address $Target
#Rescan Hba
Get-VMHostStorage -VMHost $ESXHost -RescanAllHba
The results –
Something you may also want to do is set the Path Selection Policy (PSP) to the commonly used; ‘Round Robin’. The first command will provide a list of attached storage, showing you the CanonicalName (which is what you need for the second command), the current Multipathing Policy and the size of the storage device.
Identify the device you wish to set the pathing policy on and substitute the Canonical Name (naa.xxxx) into the second command.
You could of course take this further by importing all the data required for multiple hosts using an array, whether as a a manually created array in PowerShell, or by importing a csv or txt file to enable you to configure numerous hosts at once by making use of a ForEach loop.
Now, if you are using Virtual Distributed Switches (vDS), here is an alternative (I have assumed you already have an operational vDS in place).
#Load PowerCLI Modules
Import-module VMware.PowerCLI
#Variables
#vCenter or Host to Connect to
$vCenter = "smt-lab-vcsa-01.smt-lab.local"
#ESX Host to target
$ESXHost = Get-VMHost "smt-lab-esx-02.smt-lab.local"
#Name of the vDS
$iSCSISwitchName = "smt-lab-dc01_vDS_01"
#Name of the Portgroup for the VMKernel Adapter
$iSCSIVMKPortGroupName = "smt-lab-dc01_vDS_VMK_iSCSI_B"
#MTU size
$MTU = "9000"
#iSCSI VMK IP
$iSCSIIP = "10.200.34.51"
#iSCSI VMK SubnetMask
$iSCSISubnetMask = "255.255.255.0"
#iSCSI VMK VLAN ID
$VLANID = "301"
#iSCSI Portal Target
$Target = "10.200.34.1:3260"
Connect-VIServer $vCenter -Credential (Get-Credential) -Force
#New VMKernel Adapter on vDS
$NewPortGroup = New-VMHostNetworkAdapter -VMhost $ESXHost -PortGroup $iSCSIVMKPortGroupName -VirtualSwitch $iSCSISwitchName -IP $iSCSIIP -SubnetMask $iSCSISubnetMask -Mtu $MTU
Set-VDPortGroup -VDPortgroup (Get-VDPortGroup | Where {$_.Name -eq $iSCSIVMKPortGroupName}) -VLanId $VLANID
#Bind iSCSI VMKernel Adapter to Software iSCSI Adapter (credit to Luc Dekens for this)
$esxcli = Get-EsxCli -V2 -VMHost $ESXHost
$bind = @{
adapter = ($iscsiHBA = $ESXHost | Get-VMHostHba -Type iScsi | Where {$_.Model -eq "iSCSI Software Adapter"}).Device
force = $true
nic = $NewPortGroup.Name
}
$esxcli.iscsi.networkportal.add.Invoke($bind)
#Add Dynamic Discovery Target
$ESXHost | Get-VMHostHba $iscsiHBA | New-IScsiHbaTarget -Address $Target
#Rescan Hba
Get-VMHostStorage -VMHost $ESXHost -RescanAllHba
A slight change to the cmdlts used; PortGroup > VDPortGroup.
Here are the results –
There are now two paths to my iSCSI device, one via a Standard Switch (vSS) and one via a Distributed Switch (vDS) across two subnets.
Hope this has been helpful. It has saved me plenty of time throughout the countless builds and tear downs of my VMware home lab.
A useful thing for a home lab or VMware lab, is a certificate authority. There are Windows based CA’s as well as Linux based and many others. I wanted to take the Linux based route for my home lab to give me some administration time in Linux, being that Windows is my safe place! After a bit of googling, I settled on Easy-RSA as it looked like it would do what I needed in the lab. There are already a few guides out there for this, but this is my take on it for use in my VMware home lab.
I settled on CentOS 8 as a base OS. Why? Why not, I don’t have any Centos VM’s and I decided it would be good to use something other than Ubuntu or Photon.
Firstly, I stood up a low resource VM (1 vCPU, 1GB RAM) giving it a static IP and creating an admin account.
I then kicked off the update of all the install packages on the OS by first elevating to the root account using ‘SU’ and then running the upgrade command for the DNF package manager.
dnf upgrade
This prompts a ~600MB download after confirming you want to continue. Once the download completes it gets on with upgrading.
Once done, its time to install some additional packages starting with epel-release, easy-rsa and openssl. Lets quickly give some background to each.
epel-release (Extra Packages for Enterprise Linux) is a repository of popular packages which aren’t available by default. easy-rsa is one of the packages in this repository.
easy-rsa This is a utility for managing Public Key Infrastructure(PKI) aka Certificate Authority. Check out some info here.
openssl A widely used tool, in this case to create Certificate Signing Requests (CSR). I’ll let you read about this here.
Lets get to the install. You can run them as separate installs like this –
Now for ease of administration, create a directory in the admin users home directory and create a symbolic link so it remains updated. You also want to limit access to your admin user in my case ‘ca_admin’.
If you’re not familiar with chmod commands, ‘chomd 700’ = Protects a file against any access from other users, while the issuing user still has full access.
Now to initialise your new PKI. Change Directory (cd) to the easy-rsa directory you created in your admin users home directory and run the initialisation command.
cd ~/easy-rsa
./easyrsa init-pki
You will get a message showing it is complete and it will state the new pki directory that has been created inside the easy-rsa directory (/home/ca_admin/easy-rsa/pki)
You now need to create and populate a file called ‘vars’ in /home/ca_admin/easy-rsa and populate it with your organisation/lab information. You can achieve this with the vi editor.
Once created, you are now ready to create the root certificate and private key by running the following command –
./easyrsa build-ca
You will be prompted to specify a passphrase which you need to keep safe as you will need it when issuing certificates. There will then be a second prompt to provide a common name; Enter you CA’s name. eg. CA01.
This process will have now created your root certificate and the private key (keep this safe). You will find them in the following locations /home/ca_admin.easy-rsa/pki/ca.crt (root certificate) and /home/ca_admin.easy-rsa/pki/private/ca.key (private key).
If you are using a Windows device to access your HomeLab, you are going to want to add the ca.crl file to the ‘Trusted Root Certification Authorities’ store on your Windows device so that any certificates issued are trusted. You can copy the ca.crt file using a tool such as WINSCP to transfer the file to a local directory to then install. You can do the equivalent on Mac and Linux OS’s too.
You will also need this handy for any certificates that require the full chain to be included.
I won’t go into every Certificate Signing Request (CSR) scenario as there are many. I will however, show you the commands needed to produce a certificate from a CSR.
To issue a certificate from a CSR, you will need to copy the .req or .csr file to a directory such as /tmp on your CA server, again using a tool like WINSCP.
You can then run the following commands to import the certificate signing request. The Common name is often the device name or FQDN.
cd ~/easy-rsa
./easyrsa import-req /tmp/<csr_file_name>.req <CommonName or FQDN>
./easyrsa sign-req server <CommonName or FQDN>
The import command will import the .req or .csr file into /home/ca_admin.easy-rsa/pki/reqs (you can’t place the .req directly in here!) which is then processed by the sign-req command, again asking for the passphrase, leaving you with your new certificate in the /home/ca_admin.easy-rsa/pki/issued directory.
You can then use WINSCP again to transfer the file off the CA, and install it on the device or service in which you requested it from.
As always with any root CA, you don’t want it to become compromised. To help with this, keep it turned off when you’re not issuing, or administering your certificates.
I have also not included any Certificate Revocation List details as this isn’t something I need in my lab environment.
Now the VMware bit… below is the process for acquiring the CSR and installing the generated certificate on an ESXi host and a vCenter server using the methods above.
Standalone ESXi Host 6.7
First for a standalone ESXi Host, browse to – Host > Manage > Security & Users > Certificates
Select Import new certificate then select either ‘Generate FQDN signing request’ or ‘Generate IP signing request’.
You will be presented with a screen like this.
Copy this into a file with the extension .req. This can then be imported and issued using the method above.
Then, go back the the ‘Import new certificate’ wizard and import the certificate in the same format at the CSR into the box. (Open the .crt file using notepad)
Once complete close and open your browser and head back to your hosts web client and you will see you no longer have a certificate error.
vCenter Server 6.7
Log into your vCenter appliance using via SSH. Then run the following command –
/usr/lib/vmware-vmca/bin/certificate-manager
Select option 1, (you will be prompted to provide your SSO credentials), followed by option 1 again.
You will then need to provide the following information for the CSR.
As you complete the wizard you will have a .csr and a .key file in /tmp which again can be issued using the process above.
If using WinSCP you may hit the following error.
You will need to change over to the bash shell.
chsh -s /bin/bash root
You could then face another error…
root@vcsa02 [ ~ ]# chsh -s /bin/bash root
You are required to change your password immediately (password aged)
chsh: PAM: Authentication token is no longer valid; new one required
This is due to the password expiring. To change the password on the account run the passwd command
Further info on both of these errors can be found at these two VMware Articles. Here and here.
Once you have issued the certificate, you need to then copy the .crt file back to the /tmp directory along with the root certificate (or chain).
Now back to the Certificate Manager. Selecting option 1 to now import the certifictes. You will be prompted to provide the path and file name of each component. The certificate you created, the .key file that was created during the CSR generation and the root or CA chain certificate. Finally you will be asked to confirm you want to replace the Machine SSL certificate, type y.
It will take a few minutes, but eventually you will get confirmation that the task is complete and you can then reload your browser to see the Web Client is now showing a valid certificate.
Hope this has been useful. I will cover vCenter 7.0 Machine SSL certificate replacement in a future post.
Encrypted vMotion is a feature available in vSphere 6.5 onwards. It is something that is always used to secure vMotions of encrypted virtual machines, its a required option, but is optional for non encrypted virtual machines.
By default, non encrypted virtual machines will be set to ‘opportunistic’. If both the source and destination hosts support it (so ESXi 6.5 onwards), vMotions will be encrypted. If the source or destination does not support it, then the vMotion traffic will not be encrypted.
The ‘required’ option is exactly what it says, encrypted vMotion is required. If either the source or destination host does not support it, the vMotion will fail. As I’ve said, encrypted virtual machines have no choice, they have to use encrypted vMotion.
The final option is to set it to ‘disabled’, for when you don’t want it to even attempt encrypting vMotion traffic for a virtual machine.
To set this option on either a singular virtual machine or all virtual machines, you can use the options below. Firstly to view the current settings you can run this. If you want to target a single VM enter the VM name after Get-VM.
I recently needed to create a new Distributed Port Group and set a specific load balancing policy on an existing Distributed Switch. Nothing to exciting, but a task many have to complete. As this is a common repeatable task, i put together this short .ps1 to allow a repeatable way of completing this.
Just populate the Variables section with required information like so…
Save the file, then run the the .ps1 file from PowerShell prompt. (Ensure you have the PowerCLI Module installed; see my previous post)
Note you must add .\ to the beginning of the file name if you are executing the file from the directory you’re already in
Enter credentials with sufficient privilege in vCenter.
You will then see an output similar to this:
If you now take a look in the Web Client you will see the freshly created Distributed Port Group.
Creating just a single portgroup could potentially be quicker in the Web Client. What isn’t quicker, is multiple.
If you have a requirement to create multiple Distributed Port Groups on a vDS, you can use this script to do so in one go.
Just populate the Variables section with required information like above, then run the the .ps1 file from a PowerShell prompt. (Ensure you have the PowerCLI Module installed; see this post.
This uses and Array Table to build your source data, in this example, the PortGroup Name and VLAN ID for each. You can add further rows (more Port Groups) to the array by repeating the line in the red box, or add additional attributes by repeating the text from the green box on each line.
There are many ways you could modify this script to change the source of data, including ‘Get-Content’ from a .txt file for instance.
![[START] Start executing Task: To validate CLI options at
Command line arguments verfied .
[SUCCEEDED] Successfully executed Task 'CLIOptionsVaIidationTask: Executing CLI
optionsvalidation task' in TaskFIow 'template_validation' at
[START] Start executing Task: To validate the syntax of the template. at
Template syntax validation for template
'M: . json' succeeded .
Syntax validation for all templates succeeded .
[SUCCEEDED] Successfully executed Task 'SyntaxVaIidationTask: Executing
Template Syntax Validation task' in TaskFIow 'template_validation' at
[START] Start executing Task: To check the version of each template, and for
each older template that supports CEIP, convert it to the latest template
format, and save it to the Template Blackboard at
Template version processing for template
'M: . json' succeeded .
Version processing for all templates succeeded .
[SUCCEEDED] Successfully executed Task 'VersionprocessingTask: Executing
Template Version processing task' in TaskFIow 'template_validation' at
[START] Start executing Task: To validate the template structure against the
rules specified by a corresponding template schema. at
Template structure validation for template
'M: . json' succeeded .
Structure validation for all templates succeeded .
[SUCCEEDED] Successfully executed Task 'StructureVaIidationTask: Executing
Template Structure Validation task' in TaskFIow 'template_validation' at
[START] Start executing Task: To create a dependency graph for the provided
templates, with an edge pairing two templates that are dependent on each other.
Such graph relationships will affect whether certain templates can be deployed
in parallel, or must be deployed sequentially. at
Dependency processing for all templates succeeded .
[SUCCEEDED] Successfully executed Task 'DependencyprocessingTask: Executing
Template Dependency processing task' in TaskFIow 'template_validation' at
Template verification completed .
----------------------------------= 12 : l€:eu](https://stephanmctighe.files.wordpress.com/2021/01/image-1.png?w=743)
![v @ smt-lab-vcsa-02_smt-lab.locaI
smt-lab-dc02
a:] smt-lab-cl-wl-02a
(Maintenance Mode)
smt-lab-esx-07_smt-lab_local (Maintenance Mode)](https://stephanmctighe.files.wordpress.com/2021/01/image-3.png?w=452)
![TRUST
H
SECURITY
Actions •
Host Name:
port:
State
Basic
Client Certificates
Objects
10.200.15.15
5696
ENABLED
OFF
Yes
Version 1.1
Detault
OFF
O Infinite
CREATE-MODIFY
DISABLED
Connections Will use TLS 1.2 if set to Enabled
AUDIT LOG
v
Auto-Reconnect
Verity
Protocol:
Certificate Type:
Nöio:
Timeout:
Log Level:
Restnct TLS]
Custom nex value](https://stephanmctighe.files.wordpress.com/2020/08/image-1.png?w=1024)
