Photon OS – no ping and no ECMP replies? Other quick hints on Photon too.

Posted on March 27, 2018 by Daniel Paluszek

So I’ve been playing with Photon OS recently with a few of our Cloud Provider solutions, very nice lightweight appliance.

However, one thing that surprised me is the minimal/lightweight install does not have ping installed nor can you ping it (ECMP echo replies). In my opinion, this is a basic function for any type of network troubleshooting. I understand it’s minimal…but go cut something else out. 🙂

So how do we set up some basic network functions?

Setting up a Static IP

cd to /etc/systemd/network
vi (or use your preferred text editor) a file called 10-eth0.network

There’s three sections required: Match, Network, and DHCP

Below is the code required:

[Match]

Name=eth0

[Network]
Domains=HOSTNAME domain.local
Gateway=192.168.110.1
Address=192.168.110.61/24
DHCP=no

[DHCP]
UseDNS=false

Save it (wq!), and now it’s time to chmod the file so it can be read by the OS
```
chmod 644 10-eth0.network
```
Now we should see the correct permissions:
Now restart the network daemon service.
```
systemctl restart systemd-networkd
```
Complete!

Installing Ping on Photon OS

Pretty easy – as you can see, doesn’t exist.
Now there’s two different versions of Photon – version 1 and 2. On version 1, it’s pretty easy – type in the following:
1. ```
yum install iputils
```
Now for Photon 2.0 (which I’m currently using), repos are disabled by default and so I was getting a message stating “package not found” which was odd. However, digging in further, I found the repos were not enabled.
1. Enabling Repos so we can pull iputils
  1. ```
  cd /etc/yum.repos.d/
```
2. I enabled three repos:
  1. photon
  2. photon-extras
  3. photon-updates
3. We need to edit each file and change the enabled=0 to enabled=1
4. Once I did this, run “tdnf repolist” and we should now see the following:
5. Now let’s install it!
6. ```
tdnf install iputils
```
  7. Now we should see the following:
  8. Sucess! Ping is available now, along with netstat too.

Allow ICMP echo responses

This is a change in the firewall table. By default, ICMP echo and replies are dropped.
Here are the two commands required to enable ICMP traffic:

iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

Before I make the change on my system, I’m unable to ping
Make the iptables change….
Voila! We now get a response.

One last tidbit – SSHD not starting?

During some of my testing, my lab environment went bottoms up – thanks, Timo 😉
After my Photon appliances started back up, I could not SSH to them. So after some troubleshooting and help from the VMware internal team, figured out what happened.
Steps to resolve:
1. Log into the console and ls -l /var/vmware/skip_sshd and you can also check the status of sshd by typing “systemctl status sshd”
3. If the file does exist, you need to remove it. No clue why it was added when I had a hard power outage, but it did.
4. ```
rm /var/vmware/skip_sshd
```
6. Now start up ssh..
7. ```
systemctl start sshd
```
8. Voila! we can now see it’s started
10. Now, SSH works!

Other great details on Photon commands can be found here: Photon OS Troubleshooting Guide

Thanks!

vSAN Specialist Exam 2VB-601 – Tips

Posted on February 15, 2018 by Daniel Paluszek

This was on my radar from last year but did not have enough time to get this done. I sat and passed the vSAN Specialist Exam today and wanted to share my feedback and experiences on how I approached it.

Read the Exam Preparation Guide

I know this is stating the obvious, but the blueprint should be your compass on preparing for this test. It reviews the Exam Sections and what to know before taking this test. Moreover, there are 10 practice questions to gauge your level of knowledge. When I started, I tested myself and knew what areas I had to prepare further for.

Download the latest guide here.

Read Storage Hub!!!!

I cannot stress this enough – storagehub.vmware.com is a WEALTH of information.

I went through each section and read each pertinent area of focus. Moreover, the Storage Hub has some nice features. Did you know you can export each respective section to PDF or mark it offline?

Very nice options for travel. I read quite a bit on my iPad and highlighted things I did not know.

What’s amazing is the depth and completeness of our documentation. I learned SO much by reading through many of these detailed documents. This should be everyone’s single source of truth for all things vSAN. Our vSAN Technical Marketing and Engineering teams have done a great job of making the inner-workings of vSAN public.

Do the Hands-on Labs!

There are three great labs available:

vSAN 6.6 – Getting Started
vSAN 6.6 – Challenge Lab
Storage Policy Based Management

They are very comprehensive and cover your typical tasks within vSAN deployments and designs.

Exam Experience

I haven’t taken any of the Specialist exams before, so this was my first experience. I thought the test was fair, and not easy but not very difficult either. If you know vSAN, you should be able to knock this out. Key factors for preparation:

Ensure you know how to size an environment. This is important in real life, but you should be able to calculate raw and usable sizes on the back of a napkin.
Know your FTT policies.
Go build vSAN in your lab and play around with it. I think this is critical to the learning process and also passing this exam.
Last of all, know how storage operates. Having a storage background *does* help here.

It’s 60 questions and you have 105 minutes to complete, which in my opinion is plenty of time. I think I went through all 60 questions in about 35 minutes or so and was able to go through again and review all of the questions.

Good luck and onward to my next challenge!

-Daniel

Meltdown and Spectre Vulnerabilities

Posted on January 4, 2018 by Daniel Paluszek

25Jan2018 – Updated with latest VMware Public KB for vCloud Director info

I’m sure many of you have heard of the Intel CPU vulnerabilities and how they can impact x86 architectures – I have a feeling this is just the start of something larger too.

I’ve had many Providers reach out to me, very concerned about how this can impact a SP design, especially with virtualization.

To step back, I found this very simple depiction that was shared on Twitter that summarizes the two vulnerabilities – thank you Daniel Miessler (link to his blog article):

So, what does this mean for VMware Cloud Providers? Well, official statements are underway, but here’s what I know so far – again, this is NOT an official statement:

There are three CVEs:
- CVE-2017-5753
- CVE-2017-5715 (Spectre)
- CVE-2017-5754 (Meltdown)
The patches made available by VMware should cover CVE-2017-5753 and CVE-2017-5715. Considering the patches were released earlier, you may very well be already patched.
CVE-2017-5754 (or Meltdown) does not seem to affect ESXi, Workstation, and Fusion because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides. Thus, the underlying OS that should probably be patched for the vulnerability. Therefore, the following three links are for the first two CVEs only.
BEFORE READING ANYTHING ELSE, PLEASE READ THIS KB: https://kb.vmware.com/s/article/52085
- ~~2018-0004 includes microcode updates~~ PULLED
Impact to VMware Appliances KB: https://kb.vmware.com/s/article/52264
14January2018 – Intel Sightings – PLEASE READ NEXT:
- https://kb.vmware.com/s/article/52345
- If you have applied 2018-0004 – William Lam has written a nice blog and PowerCLI script to remove the new CPU Instructions. PLEASE review and follow: https://www.virtuallyghetto.com/2018/01/automating-intel-sighting-remediation-using-powercli-ssh-not-required.html
Public KB Posted: https://kb.vmware.com/s/article/52245
9Jan2018 – New Security Advisory Posted: https://www.vmware.com/pl/security/advisories/VMSA-2018-0004.html
- Discusses updates for Hypervisor-Assisted Guest Remediation for speculative execution issue.
vCloud Director KB: https://kb.vmware.com/s/article/52491
Information on VMware appliances and any impact (VMware KB): https://kb.vmware.com/s/article/52264
VMware’s Security and Compliance Blog VMSA-2018-0002: https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html
VMware Security Advisory Link: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Security List Announcement: https://lists.vmware.com/pipermail/security-announce/2018/000397.html

Further information on Spectre and Meltdown on the newly created URL: https://meltdownattack.com/

As I see further information, I will continue to share – this impacts everyone and I have a feeling this is something we all will be dealing with for a long time.

-Daniel

vROps Management Pack for vCD – NOW Tenant App!

Posted on August 25, 2017 by Daniel Paluszek

I recently did a blog on the Management Pack for vCD on vROps – great way of a vCD admin to manage their vCD solution.

VMware just released the vRealize Operation Tenant App for vCloud Director 1.0 – this now allows you to provide tenant access to their org/VDC and provide tenant-level metrics! Very excited about this.

What’s New?

Tenant Admin specific views to enable Operations Management solving monitoring, troubleshooting and capacity planning use cases
Provider Admin can pick and choose the tenants to whom access it to be provided
Photon OS based Virtual appliance (OVA) for easier installation
HTML5 Client based on VMWare Clarity

Get it here: https://marketplace.vmware.com/vsx/solutions/management-pack-for-vcloud-director

Clouds, etc.

Category Archives: VMware