vcsa

Quick Tip – List all open ports on the VCSA / PSC

07/20/2017 by William Lam Leave a Comment

The list of required ports for both a vCenter Server Appliance (VCSA) and Platform Services Controller (PSC) are pretty well documented here (6.5), here (6.0) and here (5.5) for customers who require this information to setup external connectivity within their networking infrastructure. Having said that, it is may not always be clear on what ports are actually opened as they will usually depend on the type of deployment and the services that are running. Instead, some customers have inquired about getting a list of all open ports directly from the VCSA/PSC to ensure they have the actual configuration which can be used to build firewall rules and/or for auditing purposes.

Today, the only method is to login directly into the VCSA/PSC via SSH (you could also use GuestOps API, so that SSH is NOT required) and fetching this information using iptables. Hopefully, in the future, this can be made available as part of the VAMI API since it already covers some basic inbound firewall rule capabilities. In the mean time, below are examples of how to get all the open ports for both VCSA/PSC

Run the following command to view all open ports on VCSA/PSC:

iptables -L port_filter -n --line-numbers

You will notice in the output above, there is also a chain number on the far left side which is associated with each rule. This chain number can be used to inspect the rule further and some rules include a nice alias to help you identify what the port might be used for.

For example, we can run the following to inspect chain rule #30 and find out this port is being used for syslog. If we want the port number, we simply add the -n option.

iptables -L port_filter 30
iptables -L port_filter 30 -n

Not all of the firewall rules have an alias name and even if they do, it still may not be apparent on what service is opening that particular port. We can actually look at the firewall rule definitions which are located under /etc/vmware/appliance/firewall and you will see a JSON file for each of the VCSA/PSC services that require firewall rules to be opened up. For a given port, you can just grep in this directory to identify the service that is requiring the port.

For example, if we take a look at the vmware-syslog, we see that it requires tcp/udp 514 and tcp 1514 under the "rules" array which defines the list of external ports open. You can ignore the internal ports as those are not exposed to the outside world but used by internal services. In case the services are still not clear, you can always reference the port number back to the documentation which I had linked above to get more details about the particular port.

Native OVF support for Fusion/Workstation 2017 Tech Preview

07/18/2017 by William Lam 1 Comment

The VMware Fusion and Workstation team just released their 2017 Tech Preview releases and there is a ton of new and awesome capabilities which you can read more about here and here. One of the exciting new features, which I was very fortunate to have been involved with is finally here, native OVF property support! Although customers have had the ability to import OVF/OVAs for some time now, if they included OVF properties, they would be ignored and often times this would result in a failed deployment as those properties are required for the initial setup.

A great example of this is trying to run the vCenter Server Appliance (VCSA) on either Fusion or Workstation. Today, the only workaround is to manually edit the VMX file and supplying the correct OVF properties which I have blogged about here. With the latest TP release of Fusion/Workstation, when you import an OVF/OVA that contains OVF properties, the UI will automatically render the required information directly into the UI without needing users to manually touch the VMX files.

Here is a screenshot of deploying the latest VCSA 6.5d OVA (jump to bottom for some additional VCSA tidbits when deploying to Fusion/Workstation):

Visualizing live network traffic on the vCenter Server Appliance using net-glimpse

07/17/2017 by William Lam 1 Comment

Last week I came across a really interesting OSS project called net-glimpse which allows you to easily visualize your network traffic in real-time and making that available using any standard web browser. I thought it would be neat to see what this might look like running on the vCenter Server Appliance (VCSA). I got it up in running in just a couple of minutes and even shared the results on Twitter as you can see from the tweet below:

Thought it be interesting to see the network traffic visualization on VCSA by running net-glimpse https://t.co/xyznnHnmkx #NotSupported pic.twitter.com/IjeoCV2QTx

— William Lam (@lamw) July 14, 2017

I had couple of folks ask about the setup and I figure I would post a quick write up. While looking at the project, I found that net-glimpse includes quite a bit of customizations in the colors, data collection and how data is displayed. Specifically, rather than relying on the well-known ports that have already been pre-defined, you can also add additional custom ports and specify the label that it should automatically used. This gave me an idea, instead of a generic visualization of the VCSA, we could get specific service information and have those label automatically get displayed.

How to automate the deployment of an un-configured VCSA 6.5 (Stage 1 only)?

12/19/2016 by William Lam 2 Comments

In vSphere 6.5, the VCSA deployment has changed from a "Single" monolithic stage where a user inputs all of the required parameters up front and then the installer goes and deploys/configures the VCSA. In the new VCSA UI Installer, we still continue to provide a "Single" monolithic user experience but behind the scenes, the deployment is now actually composed of two distinct stages, creatively called Stage 1 and Stage 2.

Stage 1 - Initial OVA deployment which includes basic networking + OS password
Stage 2 - Applying the VCSA specific configurations (e.g. External Platform Services or Embedded VCSA)

One reason why this is so useful is that in previous releases of the VCSA, if you had fat fingered say the DNS entry or wanted to change the IP Address/Hostname before applying the actual application configurations, your only option was to re-deploy the VCSA, not a very good user experience. With this new deployment model, customers now have the ability to either go through both Stage 1 and Stage2 or they can stop just after Stage 1 which would allow them to make necessary edits before continuing to Stage 2. If you decide to stop after Stage 1, then to complete the deployment, you will need to open a browser and finish the configuration using the VCSA's Virtual Appliance Management Interface (VAMI) at https://[VCSA-HOSTNAME-OR-IP]:5480

Once on the VAMI UI, you will want to select the "Set up vCenter Server Appliance" which will then launch the configuration wizard. From here, you will have the option of changing some of the settings that you had provided in Stage 1 such as the IP Address or things like NTP or enabling SSH access as shown in the screenshot below. Once you have confirmed these settings, it will be saved and then you will move onto Stage 2 to complete the configuration of your VCSA deployment.

vCenter Server High Availability (VCHA) PowerCLI 6.5 community module

12/08/2016 by William Lam 10 Comments

As some of you may know, I have been spending some time with the new vCenter Server High Availability (VCHA) feature that was introduced in vSphere 6.5. In fact, I had even published an article a few weeks back on how to enable the new vCenter Server High Availability (VCHA) feature with only a single ESXi host which allowed me to explore some of the new VCHA APIs without needing a whole lot of resources to start with, obviously, you would not do this in production 🙂

For those of you who are not familiar with the new VCHA feature which is only available with the vCenter Server Appliance (VCSA), Feidhlim O'Leary has an excellent write up that goes over the details and even provides demo videos covering both the "Basic" and "Advanced" workflows of VCHA. I highly recommend you give his blog post a read before moving forward as this article will assume you understand how VCHA works.

In playing with the new VCHA APIs, I decided to create a few VCHA functions which I thought would be useful to have as a PowerCLI module for others to use and also try out. With that, I have published my VCHA.psm1 module on the PowerCLI Community Repo on Github which includes the following functions:

Name	Description
Get-VCHAConfig	Retrieves the VCHA Configuration
Get-VCHAClusterHealth	Retrieve the VCHA Cluster Health
Set-VCHAClusterMode	Sets the VCHA Cluster Mode (Enable/Disable/Maintenance)
New-VCHABasieConfig	Creates a new "Basic" VCHA Cluster
Remove-VCHACluster	Destroys a VCHA Cluster

vCommunity “shorts” on their experiences w/the VCSA Migration

12/06/2016 by William Lam 2 Comments

The feedback from our customers on both the initial release of the vCenter Server Appliance (VCSA) Migration Tool (vSphere 6.0 Update 2m) as well as the updated version included in the release of vSphere 6.5 has just been absolutely fantastic! The feedback has not only been positive in terms of customers experience with using the Migration Tool to go from a Windows-based vCenter Server to the VCSA, but also with their experience with the VCSA itself which has come a long from when it was first released back with vSphere 5.0.

As with any customer feedback (good as well as the bad), I share this feedback directly with the Engineering/Product teams so that they know which areas customers have found useful and which areas we can still improve upon. One source of customer feedback which I see quite a bit of discussions on regarding the VCSA Migration Tool is on Twitter and being an active user myself, it is also makes it quite easy to collect and share this feedback internally. I even created the #migrate2vcsa hashtags a few years back to make it easy for customers to provide feedback for all things related to the VCSA Migration.

Most recently, I was looking for a better way to share as well as aggregate some of the feedback from Twitter regarding the VCSA Migration Tool. Instead of manually tracking individual tweet links via an email or document, I wanted to anyone to be able to get a quick glance at the overall feedback. I started to look around and came across an interesting SaaS solution called Storify which allows you to tell "stories" by using content from various Social Media sources such as blog posts, Youtube or Twitter for example.