ESX Commands – esxcfg-firewall

I have really forgotten to keep up on my VCDX study path. So today a quick tidbit on the esxcfg-firewall command.
Many of us today will use the vCenter Client to change firewall ports on the ESX. One instance where I exclusively mess with the firewall from the command line using esxcfg-firewall is when I install Dell OpenManage. I am already in the console to install the agents so I might as well open the firewall from the console too.
This really applies to any kind of agent or software you add to your ESX installation. So if you find yourself already in the console, why not save a step and do it from the CLI?

Let's look at the command:

# esxcfg-firewall -o 1311,tcp,in,OpenManageRequest

First is the command, esxcfg-firewall; -o means open a port; 1311 is the port number; tcp is the protocol; in is the direction; and the final part is the name of the service the rule is recorded under.

Now if you want to see all of your esxcfg-firewall settings try:
esxcfg-firewall -q

To show whether a specific service is enabled:
esxcfg-firewall -q [service name]

Of course typing esxcfg-firewall -h gives lots of good help.
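As an added example (not from the original post), a small POSIX shell wrapper around the -o and -q usage above: it checks all four fields before calling esxcfg-firewall, opens exactly that one port, then queries the service name so the operator sees the rule actually took. The ESXCFG variable is an assumed override so the checks can be exercised on a box without the binary.

```shell
#!/bin/sh
# Wrapper for: esxcfg-firewall -o PORT,PROTO,DIR,NAME on the ESX service console.
# Every field is validated first; afterwards -q NAME shows what the firewall recorded.
# ESXCFG is an assumed override (defaults to the real command) for testing off-box.
ESXCFG="${ESXCFG:-esxcfg-firewall}"

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac   # digits only
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_proto() { [ "$1" = tcp ] || [ "$1" = udp ]; }
valid_dir()   { [ "$1" = in ]  || [ "$1" = out ]; }
valid_name()  { case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

# open_agent_port PORT PROTO DIR NAME
# Returns 2 on a bad argument, 1 if esxcfg-firewall fails, 0 on success.
open_agent_port() {
  port=$1; proto=$2; dir=$3; name=$4
  valid_port "$port"   || { echo "bad port: $port" >&2; return 2; }
  valid_proto "$proto" || { echo "bad protocol: $proto" >&2; return 2; }
  valid_dir "$dir"     || { echo "bad direction: $dir" >&2; return 2; }
  valid_name "$name"   || { echo "bad service name: $name" >&2; return 2; }
  "$ESXCFG" -o "$port,$proto,$dir,$name" || return 1
  # Do not rely on the exit status alone: show what the firewall now says about NAME.
  "$ESXCFG" -q "$name"
}

# The Dell OpenManage case from the post (run as root on the service console):
# open_agent_port 1311 tcp in OpenManageRequest
```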

Some links (you can Google and find a ton more):

ESX Guide
VMware Land
Yellow Bricks
Virtualization Admin

The Philosophy of Cloud

With several great posts recently about the cloud and its definitions I decided to jump in from maybe a new perspective.
So check out these links:
The Cloud is Kicking my Butt – Mike DiPetrillo

Is Virtualization Required for the Cloud to Work? – Mike DiPetrillo

Cloud Butt Kicking – Jason Boche

So, to relate cloud computing to philosophy, I have to define the previous way of computing as the Modern way of thought. It fit with the very way most engineers thought. It is linear. A + B = C computing design made sense. Faster CPUs meant faster programs. More memory meant bigger programs running faster. More storage meant we could store more and more data. Faster networks let us move that data faster and faster.
Cloud computing redefines our existing way of thought, but only does so by erasing our previous definitions. Cloud computing is POST-modern. It is the next step in the philosophy of computing. Postmodern philosophy is defined by being undefinable. The more you try to label and categorize, the more it wiggles away. I have read a lot about the Cloud abstracting computing away from our traditional way of defining the data center, computing, or information systems. So some thoughts on what this actually means to me.

1. It is ok that Cloud can mean 1000 different things to 1000 different people. That is what makes it “cloud”. What matters is what you experience from the cloud. Virtual Desktops? ok. Distributed Computing or Software as a Service? ok. Online backups? sure. Virtual Firewalls?. You bet! Going on and on…

2. Claiming to be the sole provider of what is really “cloud” will make you seem very “un-cloud”. Cloud computing will be such that when we hold it tighter the more we don’t understand it.

3. We are abstracting our data away from the linear thought of "the PC in front of me uploads and downloads data to various servers through various network devices sitting in various data centers in certain cities." Instead we will work on relationships and experiences. As a consultant my goal would be to show how your information will “relate” to others and how you interact with the information.

What does all this mean for privacy, security and identity?
Our technical devices will be “connection points” to what is happening in the cloud.

This is getting rambling now so I will stop.

Cisco Data Center Networks Blog

I ran across the Cisco Data Center blog yesterday after following a link from Twitter (@CiscoDC). It is now going on my Google Reader list.

Some good stuff and with the convergence of Virtualization and Networking I am sure there will be more to come.

Unified Computing System: Plays Well With Others – Data Center Networks

Unified Computing System Management Basics

Change Service Console IP

Want to change the Service Console IP address from the command line real quick like?

esxcfg-vswif -i [new IP] -n [netmask] [vswif]
Example (as root):
esxcfg-vswif -i 172.25.100.92 -n 255.255.255.0 vswif0

Q: How do I know what is my vswif?
A: esxcfg-vswif -l
output

You can also use esxcfg-vswif -l to verify the IP of your service console.

A good reference is also available here.
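An added example, not from the post: a POSIX shell function that sanity-checks the new address, the netmask and the vswif name before handing them to esxcfg-vswif, and refuses to run from an SSH session, since that session rides on the address about to change. ESXCFG_VSWIF and ALLOW_REMOTE are assumed variables so the logic can be tested off-box.

```shell
#!/bin/sh
# Guarded wrapper for: esxcfg-vswif -i NEWIP -n NETMASK VSWIF (run as root).
# ESXCFG_VSWIF is an assumed override (defaults to the real command) for testing off-box.
ESXCFG_VSWIF="${ESXCFG_VSWIF:-esxcfg-vswif}"

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old=$IFS; IFS=.; set -- $1; IFS=$old
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Return 0 if $1 is a usable contiguous mask (ones then zeros), e.g. 255.255.255.0.
valid_netmask() {
  valid_ipv4 "$1" || return 1
  old=$IFS; IFS=.; set -- $1; IFS=$old
  inv=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) ^ 4294967295 ))
  # Reject /0 and /32; a contiguous mask inverted is 2^k - 1, so inv & (inv+1) == 0.
  [ "$inv" -ne 0 ] && [ "$inv" -ne 4294967295 ] && [ $(( inv & (inv + 1) )) -eq 0 ]
}

# set_console_ip NEWIP NETMASK VSWIF
# 2 = bad argument, 3 = refused (SSH session), 1 = command failed, 0 = ok.
set_console_ip() {
  ip=$1; mask=$2; vswif=$3
  valid_ipv4 "$ip"      || { echo "bad IP: $ip" >&2; return 2; }
  valid_netmask "$mask" || { echo "bad netmask: $mask" >&2; return 2; }
  case "$vswif" in vswif[0-9]|vswif[0-9][0-9]) ;; *) echo "bad interface: $vswif" >&2; return 2 ;; esac
  # Changing the console IP drops the very SSH session issuing the command;
  # insist on a local / remote-console login unless ALLOW_REMOTE is set.
  if [ -n "${SSH_CONNECTION:-}" ] && [ -z "${ALLOW_REMOTE:-}" ]; then
    echo "refusing to change $vswif over SSH; use the local console" >&2; return 3
  fi
  "$ESXCFG_VSWIF" -i "$ip" -n "$mask" "$vswif" || return 1
  "$ESXCFG_VSWIF" -l   # list the interfaces so the new address can be eyeballed
}

# The example from the post: set_console_ip 172.25.100.92 255.255.255.0 vswif0
```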

Have VCP will Travel or Move!

As are the times, my employer has decided to move their focus in another direction. It was never firmly on the Virtualization industry, so I guess I could see it coming when things were getting tight.

So I write today to inform the world I am considering all offers. I have a passport so I am not against going international. I enjoyed my trips to the UK and Dubai, I have lived in Southern California and “The South” (Memphis). So I can fit in just about anywhere.

Now I don’t think having a VCP uniquely qualifies me for any job. I just thought it would be a clever title, and it does mean something, I guess. I have almost 13 years experience in the IT field. Started as a help desk associate at USC in September 1996. I had the fun time of supporting PC’s, Apples, and Unix for the entire University user community. I then moved to Memphis and started on the help desk for an investment firm here in town. Worked my way up to a Citrix Administrator role then left to become the Network Administrator for another company here in town. All of my experience led me to a position with my last company doing pre-sales, Design, implementation and management of VMware, Cisco and SAN products. I don’t know everything, but I can immediately help any organization.

I am looking now for a position Promoting, Designing, Implementing VMware in Enterprise environments. I would love to live near family in Southern California or Memphis Tennessee, but that is not a requirement.

The other idea is to take 2Vcps to it full potential. I just need some support until it gets off the ground.

So for the time being I am sending this to let the word get out. Thanks to everyone for their kind words. I know this is going to become a greater opportunity than I can imagine.

Contact me at jowings@2vcps.com if you want more information.

The watch command in the Service Console

UPDATE: Eric Siebert wrote an almost identical article here for TechTarget. Since I don’t want people to think I just lift ideas from other blogs, I would like to credit this article at the top. Although I have been using this procedure for nearly 2 years for snapshots, I would like to say I didn’t see his article before I posted mine. Next time I will do more googling. I try to keep this blog from regurgitating ideas that can be found elsewhere.

Do you ever have to commit gigantic snapshots where the vCenter client times out before it is finished? After the initial panic a while ago I learned that the snapshots continue to delete even if the client times out. So how do you know when they are finished?
Answer: SSH into the service console and look.

A ‘ls’ of a normal virtual machine:

A ‘ls’ of the vm with a snapshot:

Now try: watch -n 30 'ls -alh'
This will re-run the ls -alh command every 30 seconds.
In action:

Now if your VI Client times out, you can leave this window running; you will know the snapshots are gone when the vmdk files with “delta” in the filename are gone.

Notice the additional delta files that appear. When deleting snapshots, vCenter creates a new delta file for changes that occur during the delete of the original delta. Then it deletes this new delta. I know, I know, an awesome video. I really like playing with Jing though.
The watch command can be used with any Linux command you want to repeat over and over and over.
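An added example (not from the post) that goes a step beyond watch: a POSIX shell poll of the VM's directory that counts the remaining delta vmdk files and returns an exit status once they are gone, so a script can chain on it (the 30-second interval and the delta naming follow the post; the directory path in the usage comment is a placeholder).

```shell
#!/bin/sh
# Scriptable equivalent of: watch -n 30 'ls -alh' while a snapshot delete runs.
# Polls VMDIR until no *delta*.vmdk remains, with an optional bound on the number
# of checks, and returns a status a calling script can act on.

# count_deltas VMDIR -> prints how many *delta*.vmdk files remain
count_deltas() {
  n=0
  for f in "$1"/*delta*.vmdk; do
    if [ -e "$f" ]; then n=$((n + 1)); fi   # an unmatched glob is returned literally
  done
  echo "$n"
}

# wait_for_delta_gone VMDIR [INTERVAL=30] [MAX_CHECKS=0, 0 = unbounded]
# 0 when no delta files remain; 1 when MAX_CHECKS polls passed with deltas still present;
# 2 when VMDIR does not exist.
wait_for_delta_gone() {
  dir=$1; interval=${2:-30}; max=${3:-0}; checks=0
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  while :; do
    n=$(count_deltas "$dir")
    if [ "$n" -eq 0 ]; then
      echo "$(date '+%H:%M:%S') no delta files left in $dir"
      return 0
    fi
    checks=$((checks + 1))
    if [ "$max" -gt 0 ] && [ "$checks" -ge "$max" ]; then
      echo "still $n delta file(s) after $checks checks" >&2
      return 1
    fi
    echo "$(date '+%H:%M:%S') $n delta file(s) still present, next check in ${interval}s"
    sleep "$interval"
  done
}

# e.g. wait_for_delta_gone /vmfs/volumes/DATASTORE/VMNAME 30 && echo "snapshots committed"
```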

ESX Commands – esxcfg-dumppart

Finally have a second to log into the test ESX and mess with esxcfg- commands again.

Today it is esxcfg-dumppart. This command can be used to list, create and activate the dump partition the VMkernel writes to during a crash. I would bet almost everyone automatically creates one of these during the install of ESX. What I mean is I never even tried to not create a dump partition on installation. I was trying to think of a practical use for this. Maybe we want the dump to go to a SAN partition or some other drive? I would guess this would make it possible.

I found a neat PDF from VMware while researching this command.

Secure to the Hosted VM

While trying to cook up a way to secure client-hosted VMs I thought of this layout: a virtual firewall appliance that creates an IPsec tunnel back to the client network, with the client VMs placed on a dedicated vSwitch.
Has anyone tried something like this? I hope that VI4 / vSphere will include a way to make this a reality. I figure a downside of just building an infrastructure around some kind of m0n0wall appliance is that the appliance would need to move from host to host in a DRS/HA cluster. I bet with some scripting and/or affinity rules I might be able to keep them together. It would be good if the new infrastructure had layer 3 or firewall capability that existed across the cluster. Then you would not have to worry about vMotioning a virtual firewall around.
Maybe someone has a better way to do this? Am I overthinking it? I would want the best way of assuring clients their data doesn’t mix at any point, physical or virtual, unless it is inside the VPN tunnel.

The Forging of the new Network/VMware/Storage Professional

When I first started out in college I needed a work-study job. Since I liked to help people with their computer problems, I applied and was hired for a position doing phone and in-person support for the University. One of the best things about starting out at a school is that they don’t mind teaching. Our trainer said that in previous years new employees would be slotted into being Windows or Mac or UNIX support. He said we would be Wunder-Cons (our title was consultant instead of help desk dude). We had the privilege of having to support all of it. This thrust me into the world of IT no matter what the piece of paper from USC said I was a Bachelor of.

I believe a new kind of Wunder-Consultant/Engineer is being made. With the announcement of the Nexus 1000v last fall, the line between Network Engineer and Datacenter/Server Engineer is getting blurred. The SAN and Server Engineers have had this tension for a while now. Virtualization is a fun technology to learn, but who gets the responsibility? I have seen where the SAN team owns the ESX hosts and the Server team operates the VMs like they are physical, while the Network team neither trusts nor understands why they want a bunch of 1GigE trunk ports. Across larger organizations it would look different, but the struggle may be just the same. Who is in control of the VMs? Are they secure? Who gets called at 1am when something dies? This is internal to the IT department and does not consider that Sales doesn’t want to share memory with Accounting.

I can see these technologies pushing engineers into being jacks of all trades. To be at a true Architect level in VMware today you must be awesome with storage and servers. You have to be able to SSH into an ESX host, choose the right storage for an application, and set up templates of Windows 2003. That is an easy day. You already will have to troubleshoot I/O (because all problems get blamed on the virtualization first).

With the Nexus 1000v I picture the Virtualization Admins learning the skills to configure and troubleshoot route/switch inside and outside the Virtual Infrastructure. Add to that Cisco’s push this year with 10GigE and FCoE and their own embedded virtualization products. The lines between job duties are getting blown away.

Who is poised to become the experts in this realm? The network, server or storage admins? In this economy it may be good to know how to do all three jobs. I am sure corporations would love to pay just one salary to perform these tasks.

Randomly, I thought: how would this relate to SOX? Could it pose any problems with compliance? I will save that for next time.