29.10.2009
Testking VCP-410
Appendix A – ESX Technical Support Commands
Command Purpose
esxcfg-advcfg advanced options
esxcfg-auth Configures authentication
esxcfg-boot bootstrap settings
esxcfg-dumppart Configures a diagnostic partition
esxcfg-firewall service console firewall ports
esxcfg-info Information about the state of the service console, VMkernel, various subsystems in the virtual network, and storage resource hardware.
esxcfg-init Internal initialization routines used for the bootstrap process; you should not use it under any circumstances.
esxcfg-module Sets driver parameters and modifies which drivers are loaded during startup.
esxcfg-mpath multipath settings for your Fibre Channel or iSCSI disks.
esxcfg-nas Manages NFS mounts
esxcfg-nics physical network adapters
esxcfg-resgrp resource group settings
esxcfg-route default VMkernel gateway route
esxcfg-swiscsi software iSCSI software adapter.
esxcfg-upgrade Upgrades from ESX Server 2.x to ESX.
esxcfg-scsidevs Prints a map of VMkernel storage devices to service console devices.
esxcfg-vmknic VMkernel TCP/IP settings for VMotion, NAS, and iSCSI.
esxcfg-vswif service console network settings.
esxcfg-vswitch virtual machine network settings.
Appendix B – Linux Commands Used with ESX
Appendix C – Using vmkfstools
o The vmkfstools utility is used to create and manipulate virtual disks, file systems, logical volumes, and physical storage devices.
Fibre Channel SAN Configuration Guide
o Zones define which HBAs can connect to which SPs.
o Zoning is similar to LUN masking, which is commonly used for permission management. Usually, LUN masking is performed at the SP or server level.
o WWPN (World Wide Port Name) is a globally unique identifier for a port.
o Port ID (or port address) enables routing. FC switches assign the port ID when the device logs in to the fabric.
o When N-Port ID Virtualization (NPIV) is used, a single FC HBA port (N-port) can register with the fabric by using several WWPNs.
o active-active - access to the LUNs simultaneously through all the storage ports that are available, without significant performance degradation.
o active-passive - one port is actively providing access to a given LUN. The other ports act as backup.
o Disk shares are relevant only within a given ESX/ESXi host.
o Virtual machine I/O might be delayed for up to sixty seconds while path failover takes place. I/O delays might be longer on active-passive arrays.
o On virtual machines running Microsoft Windows, increase the value of the SCSI TimeoutValue parameter to 60.
o Only one VMFS volume per LUN.
o Unless you are using diskless servers, do not set up the diagnostic partition on a SAN LUN.
o ESX/ESXi does not support FC connected tape devices.
o You cannot use virtual machine logical-volume manager software to mirror virtual disks. Dynamic disks on a Microsoft Windows virtual machine are an exception, but require special configuration.
o You should not mix FC HBAs from different vendors in a single server.
o Use a dedicated SCSI adapter for any tape drives that you are connecting to an ESX/ESXi system.
o You should not use boot from SAN in the following situations:
o If you are using Microsoft Cluster Service.
o If I/O contention might occur between the service console and VMkernel.
o Proper LUN masking is critical in boot from SAN mode.
o Runtime Name - the name of the first path to the device, created by the host. It is not a reliable identifier for the device and is not persistent.
o vmhba#:C#:T#:L#, where:
o vmhba# is the name of the storage adapter
o C# is the storage channel number.
o T# is the target number.
o L# is the LUN number
o If a target has only one LUN, the LUN number is always zero (0).
05:12 Permalink | Comments (0) | Send this note
VCP-410 Test Questions
o Set up a separate VLAN or virtual switch for vMotion and network attached storage.
o The iSCSI initiator relies on being able to get MAC address changes from certain types of storage. If you are using ESX iSCSI and have iSCSI storage, set the MAC Address Changes option to Accept.
o A legitimate need for more than one adapter to have the same MAC address is if you are using Microsoft Network Load Balancing in unicast mode. When NLB is used in the standard multicast mode, adapters do not share MAC addresses.
o ESX uses the Pluggable Authentication Modules (PAM) structure for authentication. The PAM configuration is in /etc/pam.d/vmware-authd. By default, ESX uses /etc/passwd authentication, but you can configure ESX to use another distributed authentication mechanism.
o CIM transactions also use ticket-based authentication in connecting with the vmware-hostd process.
o Management functions with username/password > vmware-hostd > Service Console
o VM console with ticket > vmkauthd > vm in VMkernel
o vicfg commands do not perform an access check.
o The vpxuser is used for vCenter Server permissions.
o The root user and vpxuser are the only users not assigned the No Access role by default.
o ESX supports SSL v3 and TLS v1.
o All network traffic is encrypted as long as:
o You did not change the Web proxy service to allow unencrypted traffic for the port.
o The service console firewall is configured for medium or high security.
o The default location for your certificate is /etc/vmware/ssl/ on the ESX host. The certificate consists of two files: the certificate itself (rui.crt) and the private-key file (rui.key).
o The ESX host generates certificates the first time the system is started.
o Each time you restart the vmware-hostd process, the mgmt-vmware script searches for existing certificate files (rui.crt and rui.key). If it cannot find them, it generates new certificate files.
o SSL timeout settings are set in /etc/vmware/hostd/config.xml.
o Do not set up certificates using passphrases.
o For certificates in a location other than the default location, set the location in /etc/vmware/hostd/proxy.xml.
o If you are performing activities that require root privileges, log in to the service console as a recognized user and acquire root privileges through the sudo command, which provides enhanced security compared to the su command.
o The service console firewall is configured to block all incoming and outgoing traffic, except for ports 22, 123, 427, 443, 902, 5989, 5988, pings (ICMP) and communication with DHCP and DNS (UDP only) clients.
o Medium security - All incoming traffic is blocked, except on the default ports and any ports you specifically open. Outgoing traffic is not blocked.
o Low security - There are no blocks on either incoming or outgoing traffic. This setting is equivalent to removing the firewall.
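The three security levels described in the notes above, modelled as a small policy evaluator. This is an added example, not code from the original notes or from VMware; the default port set is the one the notes list, and the DHCP/DNS server ports (67, 53) are my assumption, since the notes only name the protocols.

```python
from dataclasses import dataclass

# Ports the notes list as open by default on the service console firewall.
DEFAULT_PORTS = frozenset({22, 123, 427, 443, 902, 5988, 5989})
# DHCP and DNS client traffic is allowed over UDP only; the well-known server
# ports are assumed here, the notes name only the protocols.
CLIENT_UDP_PORTS = frozenset({53, 67})


@dataclass(frozen=True)
class Flow:
    direction: str      # "in" (to the service console) or "out" (from it)
    proto: str          # "tcp", "udp" or "icmp"
    port: int = 0       # listening/remote port; ignored for icmp


def allowed(level: str, flow: Flow, opened: frozenset = frozenset()) -> bool:
    """Return True if the flow passes the service console firewall.

    high:   both directions blocked except default ports, ICMP, DHCP/DNS
            client traffic (UDP) and ports explicitly opened.
    medium: incoming as for high; outgoing traffic is not blocked at all.
    low:    no blocks in either direction (equivalent to removing the firewall).
    `opened` stands for ports added with esxcfg-firewall or the vSphere Client.
    """
    if level == "low":
        return True
    if level not in ("high", "medium"):
        raise ValueError(f"unknown security level: {level}")
    if level == "medium" and flow.direction == "out":
        return True
    if flow.proto == "icmp":
        return True
    if flow.proto == "udp" and flow.port in CLIENT_UDP_PORTS:
        return True
    return flow.port in DEFAULT_PORTS or flow.port in opened


if __name__ == "__main__":
    # Outgoing HTTP: the difference between high and medium security.
    print(allowed("high", Flow("out", "tcp", 80)))     # False
    print(allowed("medium", Flow("out", "tcp", 80)))   # True
```

Running the evaluator over a planned flow is a quick way to see why the notes call medium security "outgoing not blocked" rather than "more ports open": it changes nothing for incoming connections.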
o Password aging restrictions are enabled for user logins by default.
o Maximum days - By default, passwords are set to never expire.
o Minimum days - The default is 0, meaning that the users can change their passwords any time.
o Warning time - The default is seven days.
o To change this for hosts use esxcfg-auth. Change for users use the command chage.
o By default, ESX uses the pam_cracklib.so plug-in. There are no restrictions on the root password, but the defaults for non-root users are:
o minimum password length is nine
o the password length algorithm allows shorter passwords if the user enters a mix of character classes: M - CC = E, where M is the minimum length, CC is the number of character classes used (upper, lower, digits and other) and E is the effective minimum length.
o retries is set to three
o The pam_passwdqc.so provides a greater number of options for fine-tuning password strength and performs password strength tests for all users, including the root user.
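The M - CC = E length rule from the notes above, worked through in code. This is an added example, not code from the original notes or from pam_cracklib; it implements the simplified rule as the notes state it (minimum nine, four character classes, root exempt), not the exact credit scoring of the real module.

```python
MINLEN = 9   # default minimum password length for non-root users, per the notes
RETRIES = 3  # default number of retries, per the notes (not used by the check itself)


def character_classes(password: str) -> int:
    """Count the distinct classes present: upper, lower, digits and other."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # "other": punctuation, space, ...
    )
    return sum(present)


def effective_minimum(password: str, minlen: int = MINLEN) -> int:
    """E = M - CC: each character class in use lowers the required length by one."""
    return minlen - character_classes(password)


def meets_length_rule(password: str, minlen: int = MINLEN) -> bool:
    """True if the password is at least its own effective minimum length."""
    return len(password) >= effective_minimum(password, minlen)


def password_accepted(user: str, password: str, minlen: int = MINLEN) -> bool:
    """Apply the defaults described in the notes: root is unrestricted,
    every other user must satisfy the E = M - CC rule."""
    if user == "root":
        return True
    return meets_length_rule(password, minlen)


if __name__ == "__main__":
    # Constructed samples: one class needs 8 characters, four classes need only 5.
    for pw in ("abcdefg", "abcdefgh", "Ab1!x", "Abc1"):
        print(pw, character_classes(pw), effective_minimum(pw), meets_length_rule(pw))
```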
o setuid allows an application to temporarily change the permissions of the user running the application.
o setgid changes the permissions of the group running the application.
o Default setuid applications: crontab, pam_timestamp_check, passwd, ping, pwdb_chkpwd, ssh-keysign, su, sudo, unix_chkpwd, vmkload_app, vmware-authd, vmware-vmx. Default setgid applications: wall, lockfile.
o Virtual Machine Recommendations:
o Install Antivirus Software
o Disable Copy and Paste Operations Between the Guest Operating System and Remote Console
o Removing Unnecessary Hardware Devices
o Limiting Guest Operating System Writes to Host Memory
o Configuring Logging Levels for the Guest Operating System
o Host profiles eliminate repeated per-host configuration and maintain configuration consistency and correctness across the datacenter.
o Only supported for VMware vSphere 4.0 hosts.
o Host Profiles are only available when the appropriate licensing is in place.
o You can export a profile to a file that is in the VMware profile format (.vpf).
VMware VCP-410 Exam
o Key contents of the metadata in the mapping file include the location of the mapped device (name resolution), the locking state of the mapped device, permissions, and so on.
o You cannot perform vMotion or Storage vMotion between datastores when NPIV is enabled.
o VMware protects the service console with a firewall. It also mitigates risks using other methods:
o Only the services essential to managing its functions are included.
o By default, installed with a high-security setting. All outbound ports are closed.
o By default, all ports not specifically required for management access to the service console are closed.
o By default, weak ciphers are disabled and all communications from clients are secured by SSL. Default certificates created on ESX use SHA-1 with RSA encryption as the signature algorithm.
o The Tomcat Web service has been modified to run only those functions required.
o VMware monitors all security alerts (for the RHEL5 distribution and 3rd party software).
o Insecure services such as FTP and Telnet are not installed.
o The number of applications that use a setuid or setgid flag is minimized.
o ESX can automate whether services start based on the status of firewall ports, but this applies only to service settings configured through the vSphere Client or applications created with the vSphere Web services SDK. It does not apply to changes made with the esxcfg-firewall utility or to configuration files in /etc/init.d/.
Port | Purpose | Interface | Traffic type
22 | SSH server | Service Console | Incoming TCP
80 | HTTP access and WS-Management | Service Console | Incoming TCP
123 | NTP client | Service Console | Outgoing UDP
427 | The CIM client uses SLPv2 to find CIM servers | Service Console | Incoming and outgoing UDP
443 | HTTPS access - vmware-hostd; vCenter Server access to ESX hosts; Client access to vCenter Server and ESX hosts; WS-Management; Client access to vSphere Update Manager; Converter access to vCenter Server; Web Access to vCenter Server and ESX hosts | Service Console | Incoming TCP
902 | Host access to other hosts for migration and provisioning; Authentication traffic for ESX (xinetd/vmware-authd); Client access to virtual machine consoles (UDP); Status update (heartbeat) connection from ESX to vCenter Server | Service Console | Incoming TCP, outgoing UDP
903 | Remote console traffic from VI Client and Web Access (xinetd/vmware-authd-mks) | Service Console | Incoming TCP
2049 | Transactions from NFS storage devices | VMkernel | Incoming and outgoing TCP
2050-2250 | Between ESX hosts for HA and EMC Autostart Manager | Service Console | Outgoing TCP, incoming and outgoing UDP
3260 | Transactions to iSCSI storage devices | VMkernel and Service Console | Outgoing UDP
5900-5964 | RFB protocol, which is used by management tools such as VNC | Service Console | Incoming and outgoing TCP
5989 | CIM XML transactions over HTTPS | Service Console | Incoming and outgoing TCP
8000 | VMotion requests | VMkernel | Incoming and outgoing TCP
8042-8045 | Between ESX hosts for HA and EMC Autostart Manager | Service Console | Outgoing TCP, incoming and outgoing UDP
8100, 8200 | Between ESX hosts for Fault Tolerance | Service Console | Outgoing TCP, incoming and outgoing UDP
Plus installed management agents and supported services such as NFS.
o Create a separate VLAN for communication with the service console.
o Configure network access for connections with the service console through a single virtual switch and one or more uplink ports.


