VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers, published December 2007, (c) 2007 Pearson Education. Available on Safari.
Where to Buy
- Available from InformIT.com
- eBook Version
- Amazon UK
- Inform IT Safari Online Version
- O’Reilly Media Safari Online Version
Links to Articles/Interviews about Book
- Excerpt from Book
- Interview with John Troyer of VMware.
- Eric Sloof’s ntpro.nl Blog
- Jae Ellers Review
- Scott Lowe’s Review of the book
- James Pyles of CertForum Review (also linked from LXer Linux News)
- Mr. VMs Review
- CS Techcast (podcast)
- CertCities Book of the Week 3/27/08
- The Register (UK) Listed the book with a short review.
- Linux Journal Review
- Hoff of Rational Security mentioned the book and many of my other blogs. However, this book is not billed as a security book but as a planning and securing book. Chapter 4 is more a primer on VMware ESX host security. There are security statements throughout the book, but it is first and foremost a planning book.
- Virtualize! Magazine Review on Page 14.
More Info about the Author
This book has an online component in the form of the Virtualization Security and Planning Blog hosted by InformIT Network. The blog posts will be based on personal experiences as well as conversations within the VMware Community Security and Compliance, Strategy and Planning, and the Installation and Upgrade Forums.
Errata and other Changes
Chapter 1
Page 5, (green arrow), should read (line from CPU to L2 Cache).
Page 5, (yellow arrow) should read (lighter line from CPU to Main Memory).
Page 5, (red and black arrows) should read (lines from CPU to Main Memory for other CPUs).
Page 25, (see Figure 1.12), should read (see Figure 1.10).
Chapter 2
Page 46, 2nd paragraph, near the middle. The line starting ‘The snapshots could then be backed up…’ should read ‘The snapshots could then be backed up either at the file level or at the full disk level.’
Page 51, Table 2.11, row starting ‘VM creation’: ’64-git’ should read ’64-bit’.
Chapter 3
Page 68, Best Practice for File System Layout, the line reading ‘/boot, / and swap must be…’ should read ‘/boot must be a primary partition; / and swap should also be primary partitions, but it is not necessary for this to be the case. The tools should assign /boot to a primary partition, but always double-check.’
Chapter 4
Missing from the discussion: a change to the firewall will also affect the service in question. For example, if you disable SSH via esxcfg-firewall or the VIC, the service will also be disabled, which prevents the SSH daemon from starting on boot. A current SSH session is unaffected, but no further sessions can be created. The same holds true for every other daemon that uses the network and can be affected by changing the default firewall.
Chapter 5
Page 180, second iSCSI/NFS Best Practice, replace the first line with ‘The iSCSI VMkernel device and a service console device should participate in the same network. This implies that the service console should be able to reach the iSCSI target.’
Chapter 8
Page 264, Item #3: there is a double comma; this is a typo and it should be one comma, with nothing between them.
Chapter 10
Table 10.4, add the following row:
OS: Debian Etch
Installation notes, ESX v2.x: Select the BUSLogic vSCSI adapter and boot using ‘boot compact’.
Installation notes, ESX v3.x: Select the LSILogic vSCSI adapter (ESX v3.5).
Changes to the book with the introduction of ESX v3.5
Chapter 2
Page 37: Add the following after (RHEL3-ES). in the first paragraph of the Version Differences subsection:
VMware Virtual Infrastructure 3.5 is based on Red Hat Enterprise Linux Server version 3.0 Update 8.
Chapter 3
Step 14: File System Layouts
Page 66: Add the following at the end of the page:
In ESX v3.5 the /vmimages directory is now used only for mounting VMware Tools images and no longer as a per-machine repository of general ISO images. The only data stores available as a per-machine repository are the VMFS volumes the host can see. It is recommended, then, that /vmimages not be resized or allowed to take up the rest of the space; instead, assign the rest of the space to the local VMFS-3. This way you can still keep local copies of the ISO images. It is not recommended, but often done, to use shared storage for this, as that will cause SCSI reservation conflicts (see Chapter 6 for more discussion of SCSI reservation conflicts). All other aspects of Table 3.2 apply to ESX v3.5, just not the /vmimages partition.
This has been changed in ESX v3.5 Update 1 to allow /vmimages to be used again. The fix for unpatched versions of ESX v3.5 was to edit /etc/vmware/configrules and add, after the line
accept prefix_case "/vmfs/"
the line
accept prefix_case "/vmimages/"
You can also use /etc/vmware/configrules to allow access to other locations on the filesystem for stored ISO or floppy images.
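The configrules edit just described, as an added example (not the book's own code and not VMware's): a POSIX sh function that inserts the /vmimages/ rule directly after the /vmfs/ rule, keeps a backup, and is safe to re-run, so it can be pushed to a fleet of unpatched ESX v3.5 service consoles from one script. It assumes only the two accept lines quoted above and nothing else about the file's syntax; the file path is a parameter so the function can be tried against a copy before touching /etc/vmware/configrules.

```shell
#!/bin/sh
# Added example, not from the book or from VMware: apply the configrules fix
# for unpatched ESX v3.5 idempotently. Only the two "accept prefix_case" lines
# come from the page; nothing else about the file's syntax is assumed.
# $1 is the path of the configrules file (normally /etc/vmware/configrules;
# pass a copy for a dry run).
add_vmimages_rule() {
    file="$1"
    anchor='accept prefix_case "/vmfs/"'
    newrule='accept prefix_case "/vmimages/"'

    # Already applied: do nothing, so re-running on a patched host is harmless.
    if grep -qxF "$newrule" "$file"; then
        return 0
    fi
    # Refuse to guess where the rule belongs if the anchor line is absent
    # (a different ESX build, or a file someone already edited by hand).
    if ! grep -qxF "$anchor" "$file"; then
        echo "add_vmimages_rule: anchor line not found in $file" >&2
        return 1
    fi
    # Keep a backup, then rewrite the file with the new rule placed directly
    # after the first occurrence of the anchor line.
    cp -p "$file" "$file.bak" || return 1
    awk -v anchor="$anchor" -v newrule="$newrule" '
        { print }
        $0 == anchor && !done { print newrule; done = 1 }
    ' "$file.bak" > "$file"
}

# Usage on the service console (as root):
#   add_vmimages_rule /etc/vmware/configrules
```

The exact-line match (grep -x) and the single insertion after the first anchor are what make the script safe to run twice; a plain append with echo would add a duplicate rule on every run and would place it after whatever rule happens to be last.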
Chapter 4
Other ESX Security Considerations
Page 155: Add the following to the end of the page:
Virtual Center 2.5 allows one to cut-and-paste from one VM to another by default. The isolation tools settings (for example isolation.tools.copy.disable and isolation.tools.paste.disable set to TRUE in the VM's .vmx file) will disallow this behavior.
Chapter 5
Page 200: How to Unlock a LUN
vmkfstools -D now works only on files, so refer to the section How to find the host that holds the file lock and free the lock. To discover LUN locks instead, use
esxcfg-info -s | grep -i -B 12 pending
Chapter 6
Page 215: Add the following before the Conclusion:
Patch management for ESX and VI3 has been done by hand or using various third-party tools such as VMTSPatchManager or Dominic Rivera's esx-autopatch.pl script. The issue has always been what order to apply the patches in, as they were order specific; these tools alleviated the need to determine the order yourself. Now built into VMware Virtual Center 2.5 is the VMware Update Manager. Simply put, the Update Manager uses the capabilities of VMware Virtual Center to automate the patching of your VMware ESX Servers.
The steps are as follows:
- Go to Plugins->Manage Plugins and select the plugins to install. Install both the Update Manager and Converter plugins.
- Select the Installed tab and enable all the plugins.
- Create a baseline or use the ones pre-downloaded when the Update Manager queries VMware for updates. It will also query an external source for VM updates it can apply.
- Right-click on the host in question and select Scan for Updates.
- Click on the host in question, then on the Update Manager tab, and select the Attach Baseline… link.
- Select the baselines to attach to the host.
- Migrate VMs to another host or shut down all VMs on the host. This step alleviates some timeout failures. You could also enter maintenance mode and then exit maintenance mode, as the next step will re-enter maintenance mode.
- Right-click on the host in question and select Remediate…
If you have VMware DRS, the VMs will be moved to another host and the system will enter maintenance mode, where the patches will be applied. Be careful: if a VM cannot normally be moved to the other host due to a VMotion limitation (e.g. a connected CD-ROM/floppy, use of a private network, or CPU considerations), the VM should be moved by hand or powered off. Remediation could time out if a VM cannot be shut down in time, and if the host cannot be placed into Maintenance Mode the remediation step will fail.
If during the Scan for Updates step above you receive the error "metadata for patch missing", then the ESX Server cannot reach the update repository on your Update Manager server. The Update Manager requires that this server accept connections on port 80. If you have another service running on port 80 instead of the Update Manager, this will also cause the error.
If you receive a failure due to a missing package or library, find the offending package and exclude it from the baseline. Samba security updates are an example of this: the Samba package is not included by default on any ESX server.
Chapter 8
Page 263: Add the following:
NTP can now be configured using the VIC. Please note that in order to do so, you will have to place the ESX server into Maintenance Mode for the changes to take effect. You can still use the following steps as well.
Creating a VMotion vSwitch
Page 316: Add the following:
To set up VMotion from the command line, there is a change to the way the hostsvc.xml file is created. Instead of using the portgroup number (i.e. portgroup6, represented by $vMotion in the script on page 315) in the … clause below, you now use the portgroup alias (i.e. vMotion, as used by the script on page 315). Therefore the changes to the hostsvc.xml file are as follows and can be substituted in the script on page 315.
cat >> /etc/vmware/hostd/hostsvc.xml <<EOF
vMotion
EOF
Grab the vmknic name, i.e. vmk1, and use it below:
vimsh -e "hostsvc/vmotion/vnic_set vmk1"
Chapter 10
Add before the conclusion of chapter 10:
Modification of VM settings within VIC
It is now possible to change the size of a virtual disk by editing the settings of the VM. This grows the virtual disk, but it does not grow the file system inside the guest; that must still be extended from within the guest operating system.