Wednesday, September 7, 2011

The new ESXi 5 firewall

ESXi 5.0 introduces a new service-oriented firewall that is not based on iptables: instead of raw packet rules it works with named rulesets (services), each of which can be enabled, disabled and restricted to a list of allowed source addresses.
It can be managed from the vSphere Client or from the CLI (esxcli), and custom rulesets can be added by dropping XML files into /etc/vmware/firewall/.

Demo:

Check whether the firewall is enabled in the host configuration, and what esxcli has been asked to do so far:

# grep firewall /etc/vmware/esx.conf

# more /var/log/esxcli.log

Show the firewall state (enabled or not, default policy for each direction) and the rulesets it currently knows about:

# esxcli network firewall get

# esxcli network firewall ruleset list

Add a custom ruleset by creating an XML file in /etc/vmware/firewall/ with the same layout as the default service.xml. The file name is arbitrary; the <id> element is the name esxcli uses as --ruleset-id. The ruleset is created disabled (<enabled>false</enabled>) and not required, so nothing is opened until it is explicitly enabled:

# vi /etc/vmware/firewall/fake-ftp.xml
<!-- one <service> per ruleset; element names are case sensitive -->
<ConfigRoot>
  <service id='0000'>
    <id>fake-ftp</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>21</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Reload the firewall configuration and confirm that the new ruleset and its rule were picked up:

# esxcli network firewall refresh
# esxcli network firewall ruleset list
# esxcli network firewall ruleset rule list | grep fake-ftp

Note:
If you prefer to edit the default file (/etc/vmware/firewall/service.xml) instead, back it up first and set the sticky bit on it: on ESXi the sticky bit is what marks a file under /etc for inclusion in the configuration backup that is restored at boot, so without it the edit is gone after the next reboot (and service.xml is replaced by upgrades in any case, which is why a separate file is the safer choice). Set only the sticky bit; the mode 1777 that is often quoted also makes the file writable by every user on the host.
# chmod +t service.xml
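The same procedure as a script, as an added example that is not part of the original post: it writes the ruleset file in the service.xml layout, reloads the firewall, enables the ruleset and, the part the GUI walkthrough leaves out, replaces "allow from any address" with an explicit allowed-IP list. The ruleset name fake-ftp, port 21 and the subnet 10.1.1.0/24 are placeholders; the esxcli commands are only executed when esxcli exists (i.e. in the ESXi shell) and are echoed otherwise, so the script can be read and dry-run on any POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original post: create a custom ESXi 5 firewall
# ruleset file, load it, enable it, and restrict it to one source subnet.
# Assumptions (placeholders): ruleset name fake-ftp, port 21, subnet 10.1.1.0/24.
# esxcli is only invoked when it exists (the ESXi shell); on any other POSIX sh
# the commands are echoed instead, so the script can be dry-run anywhere.
FW_DIR="${FW_DIR:-/etc/vmware/firewall}"

run() {
    if command -v esxcli >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi
}

# write_ruleset NAME PORT [DIRECTION]: write $FW_DIR/NAME.xml in the layout of
# /etc/vmware/firewall/service.xml. The <id> is what esxcli uses as
# --ruleset-id; the ruleset starts disabled so nothing opens until we say so.
write_ruleset() {
    name="$1"; port="$2"; direction="${3:-inbound}"
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad ruleset name: '$name'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$direction" in
        inbound|outbound) ;;
        *) echo "direction must be inbound or outbound: '$direction'" >&2; return 1 ;;
    esac
    mkdir -p "$FW_DIR" || return 1
    cat > "$FW_DIR/$name.xml" <<EOF
<!-- custom ruleset written by write_ruleset -->
<ConfigRoot>
  <service id='0000'>
    <id>$name</id>
    <rule id='0000'>
      <direction>$direction</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# load_ruleset NAME CIDR: reload the firewall config, enable the ruleset, and
# replace "allow from anywhere" with an explicit allowed-IP list.
load_ruleset() {
    name="$1"; cidr="$2"
    run esxcli network firewall refresh
    run esxcli network firewall ruleset set --ruleset-id="$name" --enabled=true --allowed-all=false
    run esxcli network firewall ruleset allowedip add --ruleset-id="$name" --ip-address="$cidr"
    run esxcli network firewall ruleset allowedip list --ruleset-id="$name"
    run esxcli network firewall ruleset rule list --ruleset-id="$name"
}

# Only run the demo for real on an ESXi host.
if [ -d /etc/vmware/firewall ] && command -v esxcli >/dev/null 2>&1; then
    write_ruleset fake-ftp 21 inbound && load_ruleset fake-ftp 10.1.1.0/24
fi
```

Enabling the ruleset with --allowed-all=false before adding the allowed subnet means the port is never open to the world, not even briefly. Check after the first reboot that the file is still there: files under /etc that are not part of the configuration backup are not restored at boot, in which case the file has to be recreated from /etc/rc.local.d/local.sh or shipped as a VIB.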

How to install and use the vSphere 5 Syslog Collector

10 steps to configure the Syslog Collector

01. From the vCenter Server installation media, install the vSphere Syslog Collector (by default it listens on UDP 514, TCP 514 and SSL 1514)
02. Connect to your vCenter Server with the vSphere Client and click Home
03. Click the new Syslog Collector icon on the Home page to verify the installation
04. Go to Hosts and Clusters
05. Select your ESXi host
06. Go to the Configuration tab
07. Under Software, click Advanced Settings
08. Expand Syslog > global and edit Syslog.global.logHost
09. Enter the collector's address with an explicit transport, for example tcp://10.1.1.1:514 (a bare host name falls back to UDP; prefer ssl://10.1.1.1:1514 so log lines are neither readable nor alterable in transit). The host's own "syslog" firewall ruleset must be enabled, otherwise nothing leaves the host
10. Go back to Home, click the Syslog Collector icon and verify that the host is listed and sending logs
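The esxcli equivalent of steps 07 to 10, run from the ESXi shell, as an added example that is not part of the original post. It applies the log host setting, reloads syslog, opens the "syslog" firewall ruleset, writes a marker line that can be looked for on the collector, and prints the resulting configuration. The collector address is a placeholder; the validator deliberately insists on an explicit udp://, tcp:// or ssl:// scheme even though ESXi would accept a bare host name. As in the firewall example, esxcli is only executed when it exists and echoed otherwise.

```shell
#!/bin/sh
# Added example, not from the original post: the esxcli equivalent of steps
# 07-10 of the syslog walkthrough, run from the ESXi shell. The collector
# address is a placeholder. esxcli is only invoked when it exists; elsewhere
# the commands are echoed so the script can be dry-run on any POSIX sh.

run() {
    if command -v esxcli >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi
}

# valid_loghost URL: require an explicit transport (udp://, tcp:// or ssl://)
# followed by host[:port]. ESXi would also accept a bare host name and fall
# back to UDP, but that makes the unencrypted transport the accidental default.
valid_loghost() {
    case "$1" in
        udp://*|tcp://*|ssl://*) ;;
        *) return 1 ;;
    esac
    hostport="${1#*://}"
    case "$hostport" in
        ''|*/*|*' '*|:*) return 1 ;;
    esac
    return 0
}

# configure_syslog URL: apply the setting, open the firewall, send a marker
# and print the active configuration for verification.
configure_syslog() {
    loghost="$1"
    if ! valid_loghost "$loghost"; then
        echo "refusing log host '$loghost': use udp://, tcp:// or ssl://host[:port]" >&2
        return 1
    fi
    run esxcli system syslog config set --loghost="$loghost"
    run esxcli system syslog reload
    run esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    run esxcli system syslog mark --message="syslog test from $(hostname 2>/dev/null || echo esxi)"
    run esxcli system syslog config get
}

# Prefer ssl:// to the tcp://10.1.1.1:514 used in the walkthrough: the
# collector listens for SSL on 1514 by default, and plain UDP/TCP syslog
# crosses the network in clear text.
configure_syslog "${1:-ssl://10.1.1.1:1514}"
```

After running it, the marker message should show up in the collector's per-host log file; if it does not, the firewall ruleset and the collector's listening ports are the first things to check.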

Using Image Builder

What it can do:

Image Builder lets the administrator build custom ESXi ISO images that include additional VIBs (software packages, usually extra drivers) or drop default packages that are not needed. Since additional VIBs usually come from third-party vendors, this demo instead removes a driver that this particular server does not need. A VIB contains an XML descriptor, a digital signature file and the actual payload (the driver or other software). The signature is what determines the VIB's acceptance level (VMwareCertified, VMwareAccepted, PartnerSupported, or CommunitySupported for unsigned packages), so only signed VIBs from a trusted source should be added to an image.

How to create your own iso image:

Step # 1: Open PowerCLI and (optionally) connect to the vCenter server

set-executionpolicy remotesigned
connect-viserver vcenter.acme.com

RemoteSigned is all PowerCLI needs (its own startup scripts are signed); Unrestricted, which is often suggested, would also run any unsigned script downloaded from the internet. The Image Builder cmdlets work on the local depot and do not actually require the vCenter connection.

Step # 2: Add a software depot and verify the results

add-esxsoftwaredepot C:\Depot\mydepot.zip
get-esxsoftwaredepot

Step # 3: Clone the standard image profile and remove the VIB called net-bnx2 (Broadcom bnx2 NIC driver) from the clone

get-esximageprofile
new-esximageprofile -cloneprofile "Name of Standard Image from Previous Command" -name myprofile -vendor acme
get-esxsoftwarepackage
remove-esxsoftwarepackage -imageprofile myprofile -softwarepackage net-bnx2

-vendor is mandatory for new-esximageprofile (free text, acme here). The standard profile itself is never modified, and remove-esxsoftwarepackage checks dependencies and refuses to remove a VIB that another VIB in the profile still requires.

Step # 4: Export the modified profile as a bootable ISO (use -exporttobundle instead of -exporttoiso to get an offline bundle zip for Update Manager)

export-esximageprofile -imageprofile myprofile -exporttoiso -filepath C:\Depot\myprofile.iso

The export validates the signature and acceptance level of every VIB in the profile; a failure here means a package is unsigned or untrusted and should be investigated rather than silenced with -nosignaturecheck.