This guide is intended a supplement to the Admin I and II guides, it covers procedures and tasks that some would regard as not being “core” to administration. This guide contains procedures and tasks not covered by the authorised Vmware course – whereas as the intent of Admin I and II guides is to map to the Vmware official courseware/curriculum.

Change Log from 1.1 to 1.2

Added information on how to change the status messages on the physical Service Console
Added information on how to reduce the number of logon session allowed at the Physical Service Console
Error in the section “disabling access to the service console” corrected. Wrong configuration file originally specified.
Added a method of disabling the “Add Virtual Machine” button for ROOT, while having it enabled for all other users
Added “Creating & Assigning your own Certificates for the MUI” using Windows 2003 Certificate Authority as an example

Change Log from 1.2 to 1.3

Started using ESX 2.5 distribution as the basis of any new tips and tricks
Add unattended installations of VMware Tools
Removed vmkusage/vmktree to Admin I Guide – because this material is now part of the standard course from VMware and can no longer be regarded as “Beyond the Manual”
Added how to create flp files using no floppy disk at all, and also how to do it from physical floppy disk…
Added how to sort the list of VM’s in the ESX MUI…
Added how to correct shutdown and restart problems in Windows 2003 VM’s
Add use of Cron to reboot/shutdown ESX server

Change Log from 1.3 to 1.4

Add how to clone ESX server with Ghost and Scripts to rename the Host

Change Log from 1.4 to 1.5

Added better way to regenerate SSL certificates after a ESX server rename or clone using a built in script called vmware-config-mui.pl

Change Log from 1.5 to 1.6

Added an “idiots guide” to setting up www.vmguru.com LDAP_Search
Added how to automate the shrink process within a virtual machine

Virtual Disk Management

Create Writable Floppy Images

Note:

If you have processes that need to write to a floppy disk, it is possible to allow this. Examples of this include the installations for Partition Magic and Volume Manager. Basically, you make a iso/flp/img of black disk, upload to the server, and modify the permissions to allow R/W access.

Take a floppy disk and format it with format a: /q
Take a tool like Nero or some other burning software – I used Drag'n Drop CD+DVD

e.g With Drag'n Drop CD+DVD
Insert blank floppy
Right-click the tray-icon
Choose Save boot image file
Click Save, and Choose a location for the file
Call it flp-blankdisk.img

Note:
This file becomes a template for other subsequent blank floppy disks
FTP this file up to the VMImages directory
In the MUI copy this file -
Ensure the copy has RW access for the VM Administrator

Sample Script to Import a Disk Template (with simple error checking)

Note:

We can use the classical IF THEN ELSE if statement together with command called “test” to check our variables.
In simple english this would be:

CLEAR the screen
IF variable1, is blank THEN type this error message, ELSE
          IF variable2 is blank THEN type this error message, ELSE
                   IF variable3 is blank THEN type this error message ELSE
                             otherwise run the import command
                        End IF
            End IF
End IF
End IF appears 3 time because there are 3 if statements here – one of each variable
There are more sophisticated methods of error trapping and if statement to learn more about flow of control look at one of many scripting guides online:

Mendel Cooper's: Advanced Bash-Scripting Guide
Vivek G. Gite's: Linux Shell Scripting Tutorial - A Beginner's handbook
William Shotts Jr. 's Writing shell scripts (Linux)

Copy the existing script you have with:

cp impvar.sh impvarcond.sh
Edit the script with nano –w imp.sh, make the following changes

Command	Purpose
Clear	Clears the Service Console screen – like CLS
if test "$1" = ""	This is condition – IF the string for $1 empty
Then	If this true THEN
echo Please specify a name of VMDK file	type this message to the use
Else	If $1 is not blank, then do the next IF
If test "$2" = ""	Second IF checking variable $2
Then
echo Please specify the name of DSK file
Else
If test "$3" = ""	Third IF checking variable $3
Then
echo Please specify the name of the user
Else	If neither $1, $2 or $3 are empty then do the import process
echo Beginning Import Process	Types text to the screen
vmkfstools -i /vmimages/$1.vmdk /vmfs/local/$2.dsk	Imports the argument1.vmdk file to the vmfs partition called local – renaming the file as argument2.dsk
echo Resetting Ownership...	Types text to the screen
chown $3:$3/vmfs/local/$2.dsk	Changes the Owner & User Group to argument3

Save the file and Exit nano
Execute the Script with the following command-line options:

With no arguments:                      sh imp.sh
With just 1^st argument:                 sh imp.sh w2k
With just 1^st & 2^nd arguments:         sh imp.sh w2k instructor1
With all the arguments:                 sh imp.sh w2k instructor1 lavericm

Note:
This a screen dump of the final script with tabs & returns for readability – and bit more explanation when the “user” get the command wrong. Remember this command can only be run by ROOT:

Convert a WS/GSX VMDK disk from IDE to SCSI

Note:

One problem you may have with importing disks into ESX, is that ESX expects these disk files be SCSI based – other versions of VMware product quite frequently recommend the use of IDE, and this can create problem porting the disks to ESX server at a later stage.

If you try to import an IDE disk to ESX then you will get this error message when you try to import:

However, it is not a simple task to switch from one format to another – and then import the VMDK disks to ESX. What follows below is a tried and tested method. There are other methods, but their reliability is doubtful. This method uses Symantec Ghost to clone the IDE drive to a SCSI disk, and then export the clones SCSI disk to ESX suitable to be imported to an ESX VMFS drive in a DSK format.

The following example uses VMware Workstation 4.5 running Windows 2003 Enterprise Server (un-patched) with a single IDE drive with VMware Tools already installed.

A similar procedure can be used in WS/GSX to expand the capacity of disk. See here for further details

Add in a SCSI Disk

In the menu, choose VM and Settings
Click the Add button
Choose Hard Drive as the hardware type
Choose © Create a new virtual disk
Choose © SCSI
Set the Disk Size:

Note:
This should be at least as much as the capacity currently consumed by the existing IDE drive, if not more. I personally recommending it exactly the same size
Choose © Split disk in 2GB files
Set a name for the VMDK file – perhaps indicating that it is a (SCSI) disk – so you can tell the SCSI from the IDE drive
Finish

Boot to Floppy/CD-Rom that Contains GHOST.EXE

Insert an Floppy/CD-ROM or attach an ISO file that contains ghost to the VM

Note:
You may receive this warning dialog box:

This warning is only significant if you are want to INSTALL an Windows OS using SCSI disks. If you will have to follow the instructions above. Basically, the drive is a flp image, which you provide to windows at the F6 point when you asked to provide alternative “mass storage” device drivers. In our case we should not have to worry about this, and this warning can be safely ignored. You get this warning even if the driver is installed
Start the VM, pressing F2 to enter the virtual BIO’s
Use the keyboard to move to the Boot “tab”
Use the Minus key – to rearrange the boot order, to allow the VM to boot from the floppy/CD-ROM connected
Press [ESC] to exit, and [ENTER] to save your changes, Choose [Yes] to save your changes
Start the VM, and once the machine has finish booting from the floppy/cd-rom - run Ghost

Ghost the IDE drive to the SCSI Drive

After GHOST has loaded, chose Local, Disk, To Disk as the restore option
Select the Disk which is your source of information, Click OK

Note:
In my case this is Drive 1. Drive 2 is inaccessible as it is the newly created and unformatted SCSI drive
Select the Destination Drive, in my case this was Drive 2
Click OK
Choose OK to accept the defaults for the drive destination

Note:
In here, you could reduce the size of the partition allocated to the driver. In my case the IDE drive was 4GB in size, with 1.5GB in size. I could reduce the disk partition to 3GB or 2.5GB if I wished, leaving the remainder of the disk un-partitioned. I chose to fully allocate the disk
Choose Yes, to proceed with the disk restore process
Quit Ghost and disconnect the Floppy/CD
Shutdown the VM

Test the SCSI Disk in a New Virtual Machine

Note:

It is worth testing that the newly ghosted SCSI drive is bootable, and that VM still boots and functions. If not it will save wasted time copying a VMDK file to ESX, only to discover it is bad or malfunctioning.

Create a new VM using the © Use existing disk option
Boot the VM
Windows should detect “new hardware”
Reboot
Confirm the VM functions as expected

Reading a Virtual Disk From Windows (DiskMount)

Note:
The disk mount utility is freely downloadable from VMware here. It allows you to open Virtual Disks in a VMDK format as if they were just another drive letter in Windows. It usage is not unlike the old subst command from DOS/Windows3.1 days. It is a command-line utility – however, the installation does not adjust the PATH variable in Windows to know where to find the utility

Set your Environmental Variable

After run the Install on your Workstation
In Windows XP, right-click My Computer, Properties
Select the Advanced Tab
Click the Environmental Variables button
Under “System Variables”, select Path and click the Edit button
After the last entry type ;C:\Program Files\VMware\VMware DiskMount Utility

Note:
You will have reboot for
this change to take effect

To See the Partition Table in the Virtual Disk

Type:

vmware-mount “C:\Path\To\The\Virtual\Disk.vmdk” –p
This should return this kind of information:

Volume 1: 2047MG
Volume 2: 2047MG
Volume 3: 2047MG

To Mount the 2^nd Partition in the Virtual Disk

Type:

vmware-mount x: “C:\Path\To\The\Virtual\Disk.vmdk” /v:2

Note:
/v:2 is not a required argument – if you want to just read the first partition of the virtual disk. Failure to specify it mounts the first partition anyway. There is also a /y switch for opening of virtual disks that are in a suspended mode, and /n switch for not opening virtual disks that in a suspend mode.

To View Mount Drive Letters

Type:

vmware-mount

Note:
No need for switches, should return this information, which is not unlike the way subst would show drive letter aliases

X:\ => “C:\Path\To\The\Virtual\Disk.vmdk”

To Delete a Drive Mapping to a Virtual Disk

Type:

vmware-mount x: /d

Note:
There is a /f which forcibly dismounts the drive should the Virtual Disk be moved before removing the drive letter alias

Offline Backup Of VM

Note:

These instructions are based on VERITAS Backup Exec for Windows Servers version 9.1 which was the most current at the time of publishing.
The first stage in this process is installing the Linux Veritas backup agent to the Service Console
When you install the Backup Exec UNIX agent, you are prompted to configure it as well. The agent configuration information is saved to a text file called agent.cfg that you can edit to change any configuration options.
Before installing the Backup Exec UNIX agent on a system using a network name service (for example NIS), you must modify the network’s master database /etc/services file. Make sure you have root privileges at the master server.
During the initial installation of Backup Exec, the Backup Exec UNIX Agent files are copied automatically from the Backup Exec installation CD to the Program Files\VERITAS\Backup Exec\NT\Agents\UNIX directory on the media server.

Installing Backup Exec to a Windows Machine

Important Note:

These instructions are for my personal use only in courses the assumption is we are backing up a local drive rather than tape drive. This was done to a Windows 2003 Enterprise Server using Terminal Services remotely

Unzip the Veritas evaluation CD
Run Browser.exe and Choose English as the language
Choose “Backup Exec Installation”
Choose “Start Backup Exec Installation”
Click Next and accept the usual EULA’s
Accept the defaults of a X Local Installation
Use © MSDE as the DB format
Choose Next to the License Agreement – confirm the warning about doing this
Accept the default components
Use Administrator for the Service Account
Choose © Do not use Veritas Tape Drivers
Main Installation/File copy will begin
Complete the installation, and reboot – and run the VERITAS Backup Exec for Windows Servers shortcut on the desktop – and complete the “First Time Start-up” wizards as follows:

Media Set Wizard:
Next, Next
Choose © Yes, I want to customise my media sets
Next, Next
Choose © Create a new media set
In the edit box called the D: Drive
Choose next to accept “Infinite do not allow over-write”
Choose next to accept “Infinite – Allow Append”
Next and Finish

Scratch Media Wizard
Choose © Over-write Scratch media
Choose © Full – Prevents allocated and imported media from being over-written

Device Wizard
Choose Next and bypass the Configure Device button
Click the Add Backup-To-Disk Folder
Set a name of D: Drive
and Browse to the D: drive of the Backup/Media server and Choose Ok
Next, Next and Finish

Logon Account Wizard
Choose © Add a new logon account
Accept the Administrator Account, and set the password
Next
Choose © Common logon account available to all users of this Backup Exec Server
Next and Finish

Note:
phew, and that’s all the wizards completed!!!

This creates two files in the D: drive called Changer.cfg and Folder.cfg

Updating the Service Console’s Services File

Note:

The service console needs to know what TCP port the Unix/Linux Backup Exec Agent will “listen” on for inbound requests from the Backup Console

Login to Service Console using PuTTy as ROOT
At the PuTTY prompt type: nano -w /etc/services
At the top of the file type something like # My Revisions to the Services file
Underneath add

grfs 6101/tcp # Backup Exec Agent
Press F3 to Save the File, and [Enter] to over-write the previous version
Use Control+X to exit NANO

Confirming Name Resolution to Backup/Media Server

Note:

During the installation of the agent, communication is required to the Backup/Media Server. You should test communications via ping, and then by hostname. If hostname resolution fails reconfigure the etc/hosts file or resolve your DNS issues before continuing

These notes were complied from Backup Exec’s help file – if you want something more visual this support article contains screen dumps

Installing the Backup Exec UNIX/Linux Agent to the ESX Server

From the Backup Server connect to the ESX server using Windows Secure Copy as ROOT
Browse to C:\Program Files\VERITAS\Backup Exec\NT\Agents\Unix
Drag and drop the be_agnt.tar file to the ROOT’S home directory
Change the mode to Binary, and choose Copy
Connect to the ESX server using PuTTy, and untar (unzip) the files with

tar –xvf be_agnt.tar

Note:
X extracts the file(s) and directories, V give verbose listing as the files are extracted,
To start the installation type:

./INSTALL

Note:
The installation begins by reporting the UNIX platform to which the agent is being installed. You are prompted for information to complete the installation and configuration of the Backup Exec UNIX Agent.

Choose Y to accept this detection process
Accept the default directory location by pressing [Enter] and Choose Y to create it

Note:
It copies some files, and tells you that agent.cfg is used to reconfigure the agent held in /etc/bkupexec directory
Press [Enter] to accept input of initial values
“Workstation and Password” – Accept default for the “workstation” which should be the ESX servers hostname. Choose Y, to set a password, and use whatever password you see fit
“Set IP/NIC for Communication” – Choose Y, to accept that the “workstation” has more than one NIC. Choose Y, to specify which one to use, type in the IP address of the Service Console NIC in my case 192.168.2.101
“Publishing Paths” – Use / as the “published path” – this allows the entirety of the server to be backed-up and Accept [Root] as the unique resource name
Choose Y, to allow files to be restored to this path
Choose Y, to set a password on the path,
Choose N, to not publish anymore paths
“Specify Backup/Media Server” Type in the name of the “Backup/Media” server, in my case instructor2

Note:
The install should respond with “Locating Instructor2…. Located and added to media server list” This requires a entry in the host file or DNS name resolution. If not you may receive an error
Choose N to add another “Backup/Media” server
“Service Advertisements” – Accept the default of every 30 seconds

Note:
This is how often the “workstation” hand-shakes with the Backup/Media Server to indicate it is accessible
“Symbolic Links” – Accept the default method of handling these, as it reduces the amount of data in the backup set

Enabling the Backup Exec Agent to see VMFS partitions

Note:

If you follow the instructions from VERITAS by default the Backup Exec will only see local partitions in ext3/vfat format. It will not see the VMFS partitions. These have been set as separate “published paths”. To change this behaviour you must edit the agent.cfg file and restart the Agent Service. This process could have been done when you set-up the “published paths” in the Agent’s install routine.

Login to Service Console using PuTTy as ROOT
At the prompt type:

nano -w /etc/bkupexec/agent.cfg
Scroll to the end of the file – under the first export entry add

export /vmfs/vmhba0:0:0:8 as local password vmware

Note:
Check the vmhba path in the MUI, before typing this in confirm you are setting the correct VMFS partitions – do this for any other VMFS partitions you wish to access. The reference to “local” is a friendly name through which Backup Exec will access the partition
Restart the Veritas Backup Agent with:

/etc/init.d/agent.init restart

or

service agent.init restart

Starting a Backup of ESX from Veritas Backup EXEC

Note:

This assumes the root account is used to carry out backup processes and has access to the files – and that you have shutdown the VM.
If the VM is set to use a Persistent Disk is must be shutdown first, otherwise you will receive an “access denied” message from the Backup Exec console
A 2GB dsk file which occupies 1.5GB of space in the VMDK/COW format – should come down to about 700MG as bkf file

Load the Veritas Backup EXEC Console
Choose the Backup button
Click at + Remote Selections
Click at + Unix Agents
Click at + ESXInstructor1.education.vmw

Note:
This should give you an “access denied” error message – as the System Account will not be correct
Click the New Button and complete the dialog box:

User name: ROOT
password: password
password: password
Select the Root account and Choose OK

Note:
This should give you this view Backup Exec
Navigate through the directory structure to select what you would like to backup

Online Backups of VM (Redo File)

Note:

By creative use of the redo file – you can do online backups of the VM’s dsk file
Changes go to the redo file, and the dsk file is not open in memory
Commit your changes to with the redo file
Export the dsk with the VM still powered up
From Vmware’s website – there is a perl script which can automate this whole process
There are more sophisticated ways of doing a online backup which backs both the DSK and REDO file. This document covers a simple and manual method.

Changing the Disk Type

Note:

These instructions assume you initially started with a persistent disk – as it is the default and most easily understood. The first stage therefore in this process is changing the disk to an Undoable format

Login to the MUI as Creator/Owner of the VM – in my case lavericm
Click at the hyperlink for VM in my case instructor
Click the “Hardware” tab
Click the Edit link next to Virtual Disk (SCSI 0:0)
Select the © Undoable option
Choose OK
Close the window

Note:
The redo file will not be created until you power up the VM, it will be called vm-name.REDO and will be located in the same directory as the DSK file

Committing You Changes

Make some changes – install some stuff – this will accrue in the vm-name.REDO file

Note:
In my test – took a base install of W2K3 Server and added Terminal Services & IIS – as if I was getting it ready to be Citrix server for a course
Using Remote Console – Shutdown the Guest OS gracefully
You should be confront with this dialog box:

Note:
Commit writes the REDO to the DSK file, Keep retains the info in the REDO file. Discard abandons your changes. To receive this message you must “shutdown” the VM’s Guest OS – you do not receive this message on reboots and restarts.
Choose Commit
Power back on the VM

Note:
Alternatively in the MUI you will see this icon: next to the VM
Click at the icon, and this dialog box will appear:

Choose Commit (Append and Keep are the same, for some reason they are inconsistent here)

Note:
Between the commit and the reboot. The REDO file will have gone – and when you power back up the machine it gets created again. Vmware recommend you never let this REDO file get bigger than 1GB.

Backing a VM while it is running

Note:

This assumes the root account is used to carry out backup processes and has access to the files – and that you have shutdown the VM.
If the VM is set to use a Persistent Disk is must be shutdown first, otherwise you will receive an “access denied” message from the Backup Exec console
A 2GB dsk file which occupies 1.5GB of space in the VMDK/COW format – should come down to about 700MG as bkf file

Load the Veritas Backup EXEC Console
Choose the Backup button
Click at + Remote Selections
Click at + Unix Agents
Click at + ESXInstructor1.education.vmw

Note:
This should give you an “access denied” error message – as the System Account will not be correct
Click the New Button and complete the dialog box:

User name: ROOT
password: password
password: password
Select the Root account and Choose OK

Note:
This should give you this view Backup Exec
Navigate through the directory structure to select the instructor.dsk file

Compressing Virtual Disks & Disk Templates

Note:

You may wish to backup/compress virtual disk templates there are number of ways of doing this – using gzip, tar and zip.
There is a little point in compressing ISO’s as they appear to be quite compressed anyway
This gives maximum compression, with a status over progress. Unless the dsk is an undoable or Append disk – you can only use this if the VM is shutdown
None of these processes are especially quick – so be prepared to wait around for them to complete

Gzip

Warning:

Gzip does delete the source file, after it has compressed it… It only compresses single files so might be good for monolithic DSK files

To compress:

gzip instructor4.dsk –best

Notes:
Best is the highest form of compression and –v is verbose mode information. My test took a 4GB DSK file (1.3GB in VMDK format) and compressed it to 750MG
To Uncompress:

gunzip instructor4.dsk.gr

Warning:
I have a had W2K3.dsk file corrupt on me – and gave me blue screen of deaths using this process

Tar

Note:

It is a convention to assign compressed “tarballs” a tgz extension

To Compress

A Particular VMDK set: tar –czvf /vmfs/dskbackup/w2k3.tgz /vmimages/w2k3.vmdk
Everything in the VMImages Dir: tar –czvf /zipfolder/vmimages.tgz /vmimages

Note:
This would compress all the files in /vmimages directory to a file called vmimages.tgz in the zipfolder directory

C = Create
Z = Compress
V = Verbosely list files processed
F = Folders?

Note:
It took 6.5GB of VMDK files, and compressed them to 3GB – so the compression ratio is about 50%
To Uncompress

cd /vmimages
tar –xzvf /vmfs/dskbackup/w2k3.tgz

Note:
This would unzip the w2k3.tgz file to /vmimages, creating the vmimages relative to the user location on the disk, hence changing to the / vmimages location. If they files are in COW format – and your are refreshing your view of the File Manager in the MUI tool they initially appear as single files, until this un-tar process has completed…

Zip

Note:

This is not included in the ESX server install but is a valid command in Linux. However, you can get the RPM package for zip and install it to ESX. This however, goes against the recommendation of not installing unnecessary utilities/service to the Service Console

Switching from Bus Logic to LSI Logic Controller

Note:

By default W2K3 machines ship with a LSI logic driver, and use it by default.
MS removed the buslogic driver from the OS build for W2K3
The other windows OS default to using a BusLogic Driver, have to be manually switched to LSI, and then a driver must be installed…
LSI can improve performance depending on the type/volume of disk transactions within a VM.
For more information see the white papers section at: http://www.vmguru.com/

Download the LSI LSI20320 driver on the LSI Logic web-site from this page here
Unzip this ZIP, and sometimes depending on which driver you have downloaded, the ZIP’s within the ZIP!, and Copy it to the VM
Shutdown the VM gracefully
Login to the MUI as your VM Admin account, in my case lavericm
Select the Hardware tab
Click the Add Device… link at the bottom of the page
Choose Hard Disk
Choose Blank
Change the name of the disk from untitled.dsk to instructor-data02.dsk
Change the Capacity to a be an appropriate value, I’m typing 1024
From the Virtual SCSI Node, drop-down list choose 1:0 and click OK
Click the Refresh… link in the “Hardware” page to see the new disk and controller

Note:
This will both create a new disk, and add a new SCSI Adapter called SSCI Controller 1, using the vmbuslogic driver with hard-drive above it called Virtual Disk (SCSI 1:0). You will need to refresh the hardware page view to see this properly
Next to SSCI Controller 1, choose Edit….
Next to Virtual Device, click the pull-down list and choose vmxlislogic, and then click OK

Note:
Bus sharing is covered in Admin II, and is used in “Cluster in a box” style configurations
Close the “Hardware” page, and start-up the VM
Logon to VM Windows, Windows will detect the New Device
Choose Next, in the “Found new Hardware Wizard”
Accept © Search for a suitable driver for my device (recommended)
Remove the X for Floppy disk and X CD-ROM drive
Enable the X for Specify a location – browse to the location of the unzip driver, in my case:
Choose Next, to confirm that Windows has found the driver
Finish and Close the Device Wizard

Notes:
In Device Manager you should now see the LSI Adapter likes so:
Shutdown the VM

Note:
It is now safe to switch the SCSI Adapter 0 to use the vmlsilogic driver, as it has been properly installed to the OS
Login to the MUI as your VM Admin account, in my case lavericm
Open the “Hardware” tab for the VM
Next to SSCI Controller 0, choose Edit…

Note:
Read this warning:

“The virtual machine boot device resides on this SCSI controller. If you change its virtual device (vmxbuslogic) without first installing an appropriate driver in the guest operating system, the guest will not boot”

We can safely bypass this warning as the driver has already been added in to Windows. Without the driver pre-installed it would blue-screened.
Click at the Click Here link
From the Virtual Device drop-down list, choose vmxlsilogic and Click OK
Close the Hardware page

Note:
You should be able to fire up the VM without any boot errors. Windows 2000 Server will prompt you to do a reboot after login in.

After the second reboot, re-check Device Manager you should find it shows two LSI Logic Adapters:

Shrinking Virtual Disks and Automating Shrink with the Sdelete Tool

Acknowledgement: Our Credit Where Credit Is Due:
This issue was brought to my attention by Ron Oglesby (of the Advanced Design Guide fame). The solution comes from forum user called HaveBlue. I have used some of the comments from the original forum posts to assemble this information – and put it into a slightly easier format to read – and added some clarification and some tests here and there. If you want to read the original forum post it is here

I think it’s important to state – that before Ron raised this issue and HaveBlue offered a fix – I was entirely in ignorance of the significance of this issue. All I have done is written a round-up of the issue. 

The Issue

You might know that VMware Tools has a “shrink disks” feature. This is used optimise the virtual disk file within the Guest OS - prior to exporting the disk either for:

Transferring to another VMware product
For use in ESX as a template
For use in ESX as a backup – especially for those of you use vmbk.pl which uses the export feature together with REDO files to backup a virtual disk

Significantly, the shrink process can significantly reduce the space occupied by the virtual disks in an exported format – this can significantly reduce backup time and space taken up with this format of backup. The shrink takes place over two distinct phases “Shrink Preparation” (happens within Guest OS) and “Shrink Phase” (happens outside the OS). Shrinking does require SP4 on Windows 2000 to work without errors, there is a work around for those running SP3 or older. However, this can only be done from Remote Console – and unfortunately as of yet, VMware does not offer any tools to automate this process.

What happens during the shrink process that causes this saving of disk space?

Well, when Windows deletes a file, it doesn't actually delete the data in the disk; it just deletes the references/pointers in the file allocation table. So when ESX is exporting a VMDK and is looking at the raw disk, it's seeing values that aren't empty (non-zero), and exports them as such. The result is more disk space is used and takes longer to export the disk.

The Evidence

If you want to see this phenomena create a new VMDK on a VM try this:

Create a new virtual machine with a new virtual disk
Use the VMware Tools to Shrink the disk
Export the VMDK right after you have completed the Shrink process
Fill the VMDK up with files and export again; it will be very big (most likely full size of VMDK)
Now, delete all the files in the VMDK and export again what you will find is that is still big – even though you have deleted data from it.

I tried this test out a 10GB drive that had just the base Windows 2000 Install to it – and this what I found:

Test Type	Test Results
Test1: Size of Export Disk after the shrink	4mins to export
Test2: Size of Export Disk after filling up disk and deleting the data – and empting the recycle bin – but not using the shrink feature!	6mins to Export
Test3: Size of the Exported disk after re-running the Shrink Process	4mins to export
Test4: Size of the Exported disk after running sdelete to emulate the shrink process	4mins to export

Note:
I know that there is a 146MG difference between shrink.vmdk and withshrink.vmdk. But compared to the difference between these files and withoutshrink.vmdk. I think the difference is insignificant. Obliviously, there has been other changes taking place between Test3 and Test1. You might also notice that the “usingsdelete.vmdk” file is closer in size to “shrink.vmdk” than is the “withshrink.vmdk”. These test compares VMware’s shrink process to sdeletes and might suggest that sdelete is fractionally better. I don’t think we can read too much in these slight differences. The wait times are not enormously different – but this was taken on a development server – with NO other activity on the ESX Host during the export time – this wouldn’t be the case. They offered simply for your pleasure and amusement.

The key thing to get from the table above – is that if you have a lot read/write and read/delete events – then shrinking the disk invaluable in reducing the overall file size of the exported disk.

So, when you're doing an export, if you have the time, you'll get much smaller exported VMDK (and quicker export) if you shrink the VMDK first. What the 'shrink' does is to zero-fill the VMDK, this zero-filled content then gets ignored during export process. The way that the VMware Tools achieves this is to fill the virtual disk with zero filled files. While this does work, it's quite clunky, because if you stop the shrink process, it can leave behind all the zero-filled files!

It’s good practise to separate disks where you would have amounts of R/W from disks where you get low amounts. This will allow you to “shrink” on the disks for which there is a maximum benefit. It’s also best backup practise to separate System Disks (OS+Apps) from Data Disks anyway.

The Solution

The down side of VMware Tools “shrink” is that it cannot be scripted and an operator has to be there to perform the shrink prior to export. If you using the export feature as you backup method – you may need to find another way of doing the shrink that can be scripted. One way to accomplish this is using Mark Russinovich's “SDelete”. This was originally designed to securely delete files in Windows. It can be re-compiled to do the same thing that the shrink options do in VMware Tools. I’ve used Mark’s psexec in the past with my P2V Scripts and found his tools really cool.

Link: http://www.sysinternals.com/Utilities/SDelete.html

SDelete is a great utility. It basically random-fills a hard drive to delete data securely. However, until a new version is released, you'll have to modify and re-compile the version available on the SysInternals website to accomplish the 'shrink' functionality. The trick is to modify the SecureOverwrite function. Change the code so that the cleanBuffer value is not filled with any values (so by default, is zero-filled). Next, you want to modify the code so that only one pass is done (as we're not trying to securely over-write, so it just generates unnecessary I/O). Re-compile the source and voila! You now have a CLI utility that will quickly and cleanly zero out the hard drive space, and therefore be 'shrunk'...

This sounds more complicated than really is – it’s in face a very simple process. The only catch with this utility is that right now, it's not "re-distributable" in this modified state. You will need something like Microsoft Visual C++ 6.0 to re-compile the source code. Perhaps if Mark discovers that we VMware people are using his tool in this re-compiled way – he might modify the source to allow us to use this tool directly without any of the work below…

So to make your own “custom” version of sdelete – use the following procedure

1. Acquire a copy of Microsoft Visual C++ 6.0 and install it. (I have no idea if it's possible to use an alternate compiler)

2. Go to http://www.sysinternals.com/Utilities/SDelete.html and download the program and source package

3. Unzip the package, and you get these files:

4. Double-click on sdel.dsw to load the project up in Microsoft Visual C++ 6.0

5. On the left side of the screen is the workspace panel, with 3 tabs at the bottom - click on the FileView tab

6. Up at the top of the workspace panel, expand the “sdel files” tree, then the “Source Files” tree, and double-click on sdel.c

7. We could scroll through the source manually, scanning for the SecureOverwrite() function but we can jump right to it with the WizardBar C++ Members dropdown:

8. Scroll down a little way until you're looking at this section of code:

9. What we need to do is comment out the switch statement so that the buffer always gets zero filled. You might note that the preceding double slashes on a line designate a comment, but we can block out entire areas as a comment by using /* to start a comment and */ to end it. So put a /* just before the switch(i){ line and a */ just after the closing bracket for the switch so that the code looks like this:

Note:
That the whole switch(i) block now appears in green, indicating that it is commented out.

10. This step is optional, but recommended - jump down to the _tmain() function at the bottom of the file, and add a few lines to the banner to indicate that this is a modified version of the program and is no longer suitable for secure overwrite:

Note:
We have now finished modifying the source - it's time to compile!

11. Up at the top of the screen, you'll see the Build Mini-Bar - click on the second icon on that bar (Build):

...and you'll see lines scrolling in the bottom Output window:

12. Return back to the location that you had uncompressed the files to, and you'll see that there is now a Debug directory. Have a look inside, and you'll see your very own personalized copy of sdelete.exe

13. Usage is very simple - fire up a command prompt, switch to the directory containing the executable, and invoke the sacred words sdelete.exe -z c: Naturally, replace c: with whatever drive you're clearing:

14. To run the shrink – type sdelete –z c:

Warning:
It's not a bad idea to first test this out on a non-production machine to ensure that there aren't any unwanted effects.

Note:
Once all is confirmed well, copy sdelete.exe to your target machine(s) and use the scheduler of your choice to run the program before automated snapshots are made. Naturally, the time it takes to clean a drive depends primarily on the free space available on the drive, so keep that in mind when scheduling.

Physical Disk Management

Spanning VMFS Partitions

Note:

An extremely rudimentary way of expanding VMFS partition with out backup, delete and repartition – or taking space from two different disks and making it into one addressable area
I wouldn’t recommend using or doing this – but this is how it is done…
WARNING: The source VMFS maintains its data, but the DESTINATION partition does NOT.
WARNING: Any data on the extent is lost when the VMFS volume spans to it, so it is idea to span to newly created partitions.
There is no way within the MUI to delete a spanned volume

Logon to the MUI as ROOT
Click the “Options” page
Choose Storage Management…
Using the instructions in the section just above this – create another VMFS partition called Local-2

Note:
Using File Manager… confirm the vmhba number related to Local-2. In my case it was vmhba0:1:0:7
Next to Local-1 select Edit…
Next to vmhba0:1:0:7 (VMFS-2.11, 7.51 G) enable X Span

Note:
Before you commit this change read the warning which states:

Warning: Exercise caution when selecting extent candidates to span. Any data that extent candidates may contain will be irreversibly destroyed when they are spanned
Click OK

Mount an Existing File System/Partition from the ESX Server

Note:

We don’t exactly mount a partition, but the file system on a partition which then allows us to read from that partition. On my server I have a vFAT/32 partition which stores GHOST files. If I forget to set this up as a mounted file system/partition during the ESX install – I cannot see it in the MUI or the Service Console. Here’s how I gain access to it – post-installation…

To identify the partition use:

fdisk /dev/sdb

Note:
Where sdb is the second SCSI disk in my case, sda if it was the first
Press P to display the disks partition table

Note:
By knowing the file system format, and the size of the partition – make a note of the device label, in my case this was /dev/sdb5 and the format, in my case Win95 FAT32
Press Q to quit fdisk
Type: nano –w /etc/fstab
To the end of the file add:

/dev/sdb5 /ghost vfat defaults 0 0
Create directory to act as your mount point with

cd /
mkdir /ghost
Connect to the Mounting point within current uptime type:

mount /ghost

to unmount

umount /ghost

Note:
By entering the details in the fstab file – all subsequent boots will mount this file system/partition

Unattended Installation of ESX

Create an Unattended Installation (Network)

Note:

It is possible to do an installation of ESX across the from the CD or across network with an unattended script – a wizard in the MUI guides you through the process once you have updated the MUI
The source can be the current ESX server, Separate ESX server or from CD-ROM in the drive of the destination server
You use a “floppy image” to get to the source server – if you use DHCP you need only one floppy image – if you use static you will need a floppy image per server – although it is possible to edit a cfg file to correct this (as yet untested)
You must choose your networking method – DHCP or Static
If you choose Static – you have to go through the Wizard repeatedly to create boot floppy images. You might find it easier to do the install by DHCP and then use scripts to configure them statically
In terms of scripting you have the choice of using base script floppy or “Kick Start” floppy which allows some customisation using kickstart scripts
These instructions come from this part of the Online Guide
These notes are slightly out of date – as it is now possible to:

Create and Define switches within scripted installation
Create and Name vmKernel SwapFiles

My method uses the ESX server as the deployment server hosting the files – a lot of people would quite rightly suggest that using the FTP/Http method on stand-alone server is more appropriate. I think I would probably agree with them.
Nonetheless, this is how you do it from an ESX Server

Update the MUI

Note:

This copies the ESX CD to the ESX server – and modifies the MUI to allow you to create subsequent boot floppy scripts. I recommend logon at the physical console and not remotely. Although the system gives you …. Status bars once your reach six lines of …. You don’t get anymore progress information – so your only guide then is the flashing light of the CD
To successfully carry out this operation you need about 500MG in the /VAR partition or directory. See Answer ID 1349 for more information

Logon to the Service Console as ROOT
Insert the ESX 2.1 cd into the drive of the ESX server
Mount the CD-ROM with

mount /mnt/cdrom

Note:
It is this version of mount – not mount /dev/cdrom that you need to use. Although VMware don’t say what the Perl script does – I have a feeling it is updating the source code which is on the local machine with additional files on the CD-ROM. I has normal readme information which is for the person who wrote the script – not end-users
Check the CD-ROM is mounted by typing

cd /mnt/cdrom
ls -l
Run this script from this location on the hard drive

/usr/bin/scriptedinstall-setup.pl

Note:
This will copy the contents of the ESX2.1 CD to the hard-drive. This can take a very long time…………………………………………………………………………………

Note:
This changes the port number on the VMware-MUI/Apache server to be 8555. This channel is NOT encypted
After this time – the pl script will complete with this message:

”Setup requires Apache to be restarted. This will invalidate current VMware Management Interface session. Restart Apache now? (y/n)”

Choose Y

The script will restart apache finishing with this message:

”Setup completed! You may now being creating scripted installations via the VMware Management Interface”

Confirming the Update to the MUI

Logon to the MUI as ROOT
Click at the “Options” tab
Select Scripted Installation…

Note:
The MUI will confirm that all the components are ready and installed. It will then start the wizard to create a boot floppy image.

Page 1 - Types of Installation (Remote)

In the “Kickstart Options” Section,
Keep the default Installation Type set as: Initial Installation
Change default Installation Method to: Remote

Note:
This option disables the Remote Server URL edit box, which is only used if you choose “Remote” for the Installation Method
Change the Network Method to be Static IP
Change the Time Zone, in my case to be Europe/London
Keep the default to be Reboot After Installation to be: Yes
In the “Root Password” section type in your preferred password twice, in my case vmware
Click Next

Page 2 - Static IP Address/Hostname

Note:
In this page you type the unique information for the server you will create. This appears because we chose Static/IP as our option

In the “Network Options” section complete the dialog box like so:
Click Next

Note:
Adjust the above to reflect your own ip ranges and hostname conventions

Page 3 – License Agreements & Numbers

Enable the X to accept the License Agreement
Type in the two licenses you have for ESX & SMP on ESX
Do NOT enable the “I would like to configure PCI Device allocation now” (EXPERTS ONLY) option – UNLESS YOU KNOW WHAT YOUR DOING!

Note:
To do this you have specify in Hex the Bus, Slot and Function of each PCI device (this should not be a worry – as your numbers will probably be less than 9 and 1,2,3,4,5,6,7,8,9 are the same in hex). I’m sure if you hardware was similar enough this would be useful. I would recommend discovering these values from your working machine, and assume that the target machines have exactly the same specification. The downside of not completing this procedure is that you will have to complete the “System Configuration” wizard on first logon.

Note:
IF you do enable this option this is how you complete the dialog. My PCI devices have the following BUS/Slot/Function IDs…

Name:                              B/S/F            In HEX
Network Card1:                  1:2.0            1:2.0
Network Card2:                  1:4.0            1:4.0
Adaptec SCSI Adapter:       1.6.0            1:6.0

I want the network card to be used by the console, the second to be used by the Virtual Machines, and the SCSI adapter to be available to both the Service Console and the VM Kernel

I would complete this page like so:

If you do complete this page – the MUI will just drop you into the System Monitor with a prompt for Swap File and Switches. You will have to manually or by a script create VMFS Core Dump Partition, and at least one VMFS partition for storage of a VM Kernel SWAP file.

If you wish reconfigure the amount of memory assigned to the Service Console
Click Next

Page 4 – Initial Partition Scheme (NO VMFS)

Note:
Follow the standard recommendation with regard to partitions. The “grow” option is used if you want the partition to take up the remained of the disk. You cannot create VMFS partitions in this interface – plus its not clear whether it would create Primary or Extended Partitions. I assume the first 3 partitions are set as Primary and all remaining partitions are logical drives in the extended partition

Complete the page like so:

Note:
These partition sizes are based on VMware’s own recommendations for partition sizes. In my case the disks are just standard SCSI disks with a Adaptec SCSI adapter. From the pull-down list you have the options for HP SCSI Controller, Compaq Smart Controller, MyLex DAC960 Controller, you even have the option for Master/Slave IDE drives – even though officially IDE drives are not supported(!?!?!)
Click Next

Page 5 – Download Boot Image File

Note:
This page allows you to download two types of floppy – one based on standard scripts the other based on Kickstart files. You can create a the bootable floppy by using the rawwrite utility – however you may have other third party systems can help you make the floppy as well.

I have also successful burned the image to a cd-rom to improve the load times.

Click at Download Floppy Image button
Save to C:\
Click at rewrite link
Save to C:\
Take a blank floppy disk and insert into drive a: of your workstation
Open a CMD prompt
Move to the root of the C:\ (c: cd/)
Type rewrite

At the prompt “Enter disk image source file name:” type c:\bootdisk.img
At the prompt “Enter target diskette drive:” type a:
At the prompt “Please insert a formatted diskette into drive A: and press -ENTER- :” press [ENTER]

Note:
Rawrite will now transfer the contents of the bootdisk.img file to the diskette

Start the Installation

Make sure you have clean machine use a partition tool to remove all partitions and the mbr record

Note:
You can use fdisk and fdisk /mbr. Alternatively, if you wish to wipe the machine entirely without concern for lost data use the delpart utility which is part of the Microsoft Resource Kit use these links to find out more:

http://www.jsiinc.com/SUBM/tip6300/rh6354.htm

http://support.microsoft.com/default.aspx?scid=kb;en-us;103049

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt31/i386/reskit.exe
Insert the BootDisk created at Stage 5 to the drive of the new server
Reboot the Server
System will boot and start the “text mode” part of the Installation
Screen will be painted blue

WARNING:
If you receive this error “File /VMware/base/netstg1.img not found on this server”. Then chances are you boot image is not correctly resolving the DNS name of your source ESX server or you your floppy disk is not correctly configured for IP/SN/DG/DNS. I have had it intermittently come up with this message. It might have something to do with my hardware and the difference between a cold and warm boot. If it doesn’t work the 3^rd time consider you have a DNS or boot floppy problem

If all things are good you should see the following on screen:

Then the message “Retrieving /VMware/base/netstg1.img” will appear

Next: It will load the drivers for you HBA

Next: You may receive a warning about wiping the hard-drive choose OK

which states “The partition table on device SDA was unreadable. To create new partitions it must be initialized, causing the loss of ALL DATA on this drive. Would you like to initialize this drive”

This occurs if you have an existing partition scheme on the hard-drive and it has not been wiped properly. You may get this twice for multiple hard-drives

Next: It Creates the partition formats the partitions specified earlier
Next: It starts its main file copy

Note:
The system cannot eject the floppy disk. The best way round this problem is to have a boot order of HD, CD, Floppy, PXE. If, initially the server has no partitions so boots to the floppy, once the install is over – it does a have a bootable hard-drive so it doesn’t boot from the floppy

Post-Installation Tasks

Note:

With a text mode installation – you get the old style “System Configuration” wizard. It contains 6 stages:

License Agreement
Start-up Profile
Storage Configuration
SWAP Configuration
Network Configuration
Security Settings

The “System Configuration” wizard pops-up automatically so do enable any pop-up stoppers in your web-browser.
If you fail to configure this the MUI will give you this repeated message:
This instructions below are taken from this part of the VMware Online Guide
With some effort these stages could be scripted…

Add in your License(s)

Note:
You should not be confronted with this in the “System Configuration” wizard if you added you license numbers in during the previous section. If you did not – acknowledge that you have X Read the license agreement – and type in your ESX and SMP license number, if you have one

Start-Up Profile

Note:

As we didn’t specify this during the installation. We have been offered a default start-up profile. For the purpose of using ESX – the default is not very useful. Firstly, it allocated all network cards to the service console, and only allows the service console to use HBA’s.

Select the second NIC (in my case 1:4:0, as the first is normally taken by the Service Console which is 1:2:0)
Change the pull-down list from Service Console to Virtual Machines

Note:
In my case I only have one SCSI adapter and no HBA that would connect me to a SAN. Therefore both the Service Console and Virtual Machines will need access to local storage
Under the Storage Group change the SCSI RAID controller to from Service Console to Virtual Machines, and enable X Share with Service Console

In my case my start-up profile looked like this:

Note:
At this point the server reboots with this message:

”Please stand by while your system reboots. Rebooting may take as long as ten minutes or more depending on your system's configuration.

Note: If Microsoft Internet Explorer is configured to "show friendly HTTP error messages," you may see the following warning message: "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" It is safe to answer Yes.

Elapsed time: 0:22 minutes. After your system reboots, you will need to log back in to continue configuring your system.”

Note:
At this stage ESX as added as a boot option in the LILO boot loader – on the reboot the VM Kernel is loaded. Keep your current window open, eventually your session will time out. You will have to re-login as root – and it will take you to the next step which is “Storage Management

Storage Configuration

Note:

Create the Core Dump Partition and at least one VMFS partition so you can create a SWAP file.

First the Core Dump Partition:

On the first disk, SDA on an area of “Logical Free Space”, click the link that says Create Volume
Choose Custom as the type
The system will default to the File System of: VMware Core Dump with a size of 100MG
Click OK

Next at least one VMFS Partition

On any local disk with “Logical Free Space” or “Free Space” click Create Volume – in my case I choose to use the remainder of space left on SDA
Choose Custom
Type in a Volume Label, such as local

Note:
As the system refreshes you will get this message:

Except this warning. All means is that the Core Dump Partition is now being put at the end of the disk which is its default location. You should have a view something like this – if you have been following this guide

Swap Configuration

Click the Create… Link

Note:
System will create a swap file called swapfile.vsmp which is the same size as the amount of RAM on the ESX server – this is recommendation. The default to activate at start-up is a good default
Click OK
In the second window click Activate – this will save you from doing an unnecessary reboot!Create and Activate your swap file

Network Connections

Scroll down the “Network Connections” Window
Choose the Click Here link
Change the Network Label to be Outbound
Enable X Outbound Adapter
Choose Create Switch
Click the Close link in the top left of the page

Note:
If you wish create a second switch which is connected to Outbound Adapter 0, and called something like external

Security Configuration

Accept the Default of © High

Clone ESX Server with Symantec Ghost

Note:

You alternatives to cloning are scripted installation with kickstart or a boot disk…
I have successfully cloned ESX 2.5.1

I cannot speak for older versions as I never backwards compatibility into my guides. But I imagine this work perfectly fine in any release
I used BartPE boot disk which uses Windows 2003 Enterprise Server as it i386 source, to which I added Symantec Ghost 8.2 as Plug-in. This allows me to clone the ESX Host to Windows share somewhere or if I have local drive with NTFS on it - I can clone to a local disk
The restore time for a disk to disk transfer of the gho file is 13mins to restore 350MG image file to 34GB disk/LUN. The longest part of this is formatting a 29GB /vmimages partition. I have relatively slow disks – old SCSI-Ultra3-160 that run at 10K

Uses

I mainly use my gho file to reset my server when I have finished messing it up during development. It saves me having to build the ESX Server by hand
You could use this as a backup method to protect your ESX Host. A separate backup strategy must be used for Virtual Disks and the User Data they may contain
I have also used this as a deployment process as well…

Some care has to be taken with disk/LUN layout

You need to separate the Service Console from any of your VMFS Partitions
There is no disk cloning software that understands VMFS so these partitions cannot be taken as part of any image
Only Symantec Ghost 8.0, Symantec Ghost 7.5, and Norton Ghost 2003 support the EXT3 file system – I have not research PQDI.
If your concerned about compatibility then consult Symantec’s Support Document ID: 1999021909463125
This does mean that formatting of VMFS volumes/partitions has to be done by hand – as does the creating of the VMKernel Swap File
In my tests I successful included the vmcore dump partition – I would recommend not including it – and again creating it manually at the end of the restore period
In my build I have one disk/lun allocated to the service console, and another disk LUN to VMFS to a local VMFS partition

Here are the stages

Build your ESX server

Do not create any VM’s partitions/VM Kernel swapfiles
Add additional features such as NTP or Active Directory Support
Set the Speed/Duplex values in /etc/modules.conf for the Service Conole and the MUI for the VMkernel as appropriate
Define your Virtual Switches
Configure any other specific settings such as DiskMaxLuns

Create a BartPE boot disk which includes Ghost32.exe and associated files from Symantec Ghost 8.2 – (alternatively, you could use Bart’s DOS Boot Disk and use the DOS version of Ghost)
Boot to the Disk
Connect to a network share
Clone the First Disk/LUN which contains the Service Console saving the gho file to the network share
Restore Clone to Target Machine – and isolate from the network – after restore to avoid IP conflict with source server (or isolate source server for that matter)

I then use the same disk to restore to another server… or else burn it to a CD
If you using ghost as a deployment, after the restore you will have to correct the identity of the ESX Host. To be perfectly frank, the issue is more about a change of identity which is covered later in this guide. But I have reproduced those instructions for clarity… (sorry about that repetition)
Fortunately, this can be easily done by editing files – or if you like write bash shell script (.sh) that over-writes the following files with correct values
The settings you may have update include:

IP Address
Subnet Mask
Default Gateway
Hostname
DNS Settings
Hosts File
Apache/MUI Server Name entry
Update MUI Certificates

You can store copies of these files that contain these to root’s home directory – and clone the server. Also in the root directory before the clone are bash scripts to copy these files over the original once they have been modified
You can use vmkfstools to format a VMFS partition and to create and activate a VMkernel Swap File

Changing the Service Consoles IP/SM

Note:

To display your current IP/SM use either ip addr or ifconfig

Note:

A restart of networking is required

Note:

You can still use the redhat utility netconfig – to change your settings – however, if you just wish to correct a minor setting this method is probably easier

Logon to the Service Console as ROOT
To find out your current IP addresses type:

ip addr
Type: nano –w /etc/sysconfig/network-scripts/ifcfg-eth0
Make your changes to:

IP:
Netmask
Restart your network services with:

ifdown eth0 ; ifup eth0

Note:
This stops and starts the network services in one fell swoop – depending on what your changing you shouldn’t be disconnected. If you are physically at the console you may prefer these other methods:

service network restart

or

/etc/init.d/network restart

Changing the Service Consoles Default Gateway

For Current Up Time

Note:

Basically, you edit the local routing table of the console.

Logon to the Service Console as ROOT
Delete the old route with:

route del –net default
Add in the new route with:

route add –net default gw w.x.y.z

For Future Up Times (/etc/sysconfig/network)

Type: nano –w /etc/sysconfig/network
Make your changes to:

GATEWAY:
Restart your network services with:

ifdown eth0 ; ifup eth0

or

service network restart

or

/etc/init.d/network restart

Changing Service Consoles Hostname

Note:

No need for a restart of network services, although you might consider a reboot. For reasons outlined later in this document.

For Current Uptime

Note:

To avoid an unnecessary reboot

Logon to the Service Console as ROOT
Type: hostname newhostname, in my case from esx1.rtfm-ed.co.uk to esx2.rtfm-ed.co.uk

For Future Uptimes (/etc/sysconfig/network)

Type: nano –w /etc/sysconfig/network
Make your changes to:

HOSTNAME: newhostname, in my case from esx1.rtfm-ed.co.uk to esx2.rtfm-ed.co.uk

Changing Service Consoles DNS

Note:

No need for a restart of network services

Logon to the Service Console as ROOT
Type: nano –w /etc/resolv.conf
Make your changes Primary and Secondary DNS

Note:
The order listed in the file is the order they are tried by ESX

Updating Hosts File

Type: nano –w /etc/hosts
Modify the entries to reflect new hostname and ip address if required, in my case from esx1.rtfm-ed.co.uk to esx2.rtfm-ed.co.uk

Updating the MUI

Type: nano –w /usr/lib/vmware-mui/apache/conf/httpd.conf
Replace: ServerName esx1.education.ctxs
With: ServerName esx2.education.ctxs

Note:
When you connect the MUI after the change in name, you will get certificate warning

Note:
You will need to update – any shortcuts in your Browser, and in your terminal emulation software. Notice there is second alert indicating that while the new name is effective – the old certificate is still being offered

Updating Certificates after Renaming the ESX Server

Note:

After renaming a server you will have one remaining problem. The public and private key which was generated at installation will no long match the new name of the server. You will get this error message. The first alert is expected, the second alert is the problem.

There is a script from Vmware which is used to regenerate the certificate under the new identity.

IMPORTANT: Improved Method:

The script below this has been superseded with a much easier method. There is a perl script called vmware-config-mui.pl which allows you to regenerate the SSL certificates based on hosts file. I have left this method in the guide for purpose of historical interest.

Note:
I got this procedure from the Community Forum. From a forum user called Anders, from this forum posting and you can download it from here. You must change the identity of the server first using the methods outlined earlier before regenerating the certificates.

Logon to the Service Console as ROOT
Backup the old key and crt files by using:

mv /etc/vmware-mui/ssl /etc/vmware-mui/ssl-old
Use CD to make sure you are in the ROOT directory
Use nano –w enableSSL.pl to create the perl script to regenerate the certificates
Copy the following text between the two bold markers, and cut and paste this into the script:

[FROM HERE…]

#!/usr/bin/perl -w

# enableSSL -- Creates the SSL certificates for the remote console.

# usage:

# enableSSL.pl hostname user password

BEGIN {

if ( $^O eq "MSWin32" ) {

my $PREFIX_PATH;

if (-d 'C:\Program Files\VMware\VMware GSX Server') {

$PREFIX_PATH = 'C:\Program Files\VMware\VMware GSX Server';

} else {

$PREFIX_PATH = 'C:\Progra~1\VMware\VMware~1\Programs';

}

@INC = ("$PREFIX_PATH/perl5/site_perl/5.005",

"$PREFIX_PATH/perl5/site_perl/5.005/MSWin32-x86",

'.'

);

}

# VMware internal development -- redirect Perl to find devel modules

if (defined($ENV{TEST_TREE})) {

if (-d $ENV{TEST_TREE} . "/apps/perl-control/blib/arch") {

#print STDERR "Using TEST_TREE for Perl API: $ENV{TEST_TREE}\n";

unshift(@INC, $ENV{TEST_TREE} . "/apps/perl-control/blib/lib");

unshift(@INC, $ENV{TEST_TREE} . "/apps/perl-control/blib/arch");

} else {

print STDERR "** Warning: TEST_TREE Perl API not found: $ENV{TEST_TREE}\n";

}

# Attempt to load the VMware::VmPerl Perl libraries

eval {

require VMware::VmPerl;

import VMware::VmPerl;

require VMware::VmPerl::Server;

require VMware::VmPerl::VM;

require VMware::VmPerl::ConnectParams;

require VMware::VmPerl::Question;

};

if ($@) {

print STDERR

"$@ $0 requires the VMware::VmPerl Perl libraries to be installed.\n";

print STDERR "Check that your installation did not encounter errors.\n";

exit(255);

}

use VMware::Control;

use VMware::Control::Server;

use strict;

if (@ARGV != 3) {

print "Usage $0: server user password\n";

exit(1);

}

my ($serverName, $user, $passwd) = @ARGV;

my $port = 902;

my $server = VMware::Control::Server::new($serverName,$port,$user,$passwd);

if (!$server->connect()) {

my ($errorNumber, $errorString) = $server->get_last_error();

die "Cannot connect to server: Error $errorNumber: $errorString\n";

}

# Make exec call to serverd to create rui certificate.

$server->exec("<exec><op>Security_ActivateConfig</op><in><pref><name>muissl</name><value>yes</value></pref></in></exec>");

$server->disconnect();

[TO HERE]

Run the script with

perl enableSSL.pl esx2.rtfm-ed.co.uk root vmware
Verify that the directory /etc/vmware-mui/ssl was recreated with a new key and crt file
Restart Apache with:

services httpd.vmware restart
TEST

Connect to the ESX server with FQDN and the error will have gone

Creating & Assigning your own Certificates for the MUI

Note:

From the official admin guide PDF:

“With SSL enabled, security certificates are created by ESX Server and stored on the server. However, the certificates used to secure your management interface sessions are not signed by a trusted certificate authority; therefore they do not provide authentication. If you intend to use encrypted remote connections externally, you should consider purchasing a certificate from a trusted certificate authority. If you prefer, you can use your own security certificate for your SSL connections.

The VMware Management Interface certificate must be placed in /etc /vmwaremui /ssl (directory). The management interface certificate consists of 2 files: the certificate itself (mui.crt) and the private key file (mui.key). The private key file should be readable only by the root user. When you upgrade the management interface, the certificate remains in place and, in case you removed the management interface, the directory is not removed from the service console.”

My guide assumes that the Certificate of Authority (CA) has already been installed, and that the CA you are using is based in Windows 2003 in an Enterprise Mode. Enterprise Mode gives good integration with Active Directory. For example clients which are part of the Active Directory domain automatically trust the Enterprise CA. It also assumes that you happy using things like cd, nano or vi, and Windows Secure Copy

We can use openssl which is already installed to the Service Console to generate a new private key, and request file.

WARNING: WARNING: WARNING: WARNING: WARNING: WARNING:

When you upgrade ESX from one version to another (in my case 2.1 to 2.5) your mui.key and mui.crt files get replaced by new one’s generated by the system/installation. So before doing an upgrade always back-up you key/crt files beforehand like I did

At the Service Console

Logon on the Service Console as ROOT
Navigate to /etc/vmware-mui/ssl
Create a backup directory for the old key/crt files with

mkdir backup
Move the existing key/crt files to this backup directory with

mv *.* ./backup
Restart the MUI with

service httpd.vmware restart

Note:
If you try to connect to the MUI now using https – you will receive a failure – because the certificate can no longer be found
Generate a new private key with

openssl genrsa 1024 > mui.key
We can generate a certificate request in a text file format with:

openssl req -new -key ./mui.key > request.csr

Note:
When you run this you will be prompted for information which will be incorporated into your certificate request. Complete this form/wizard with information like so – remember to type you DN (Distinguished Name or FQDN to Windows people correctly!)

Note:
You can change the default answers to this form by editing in the [REQ] section of the /usr/share/ssl/openssl.cnf file.

If you wish to set the default for the Organisational Unit Name – remember to remove the # next to organizationalUnitName_default

If you wish to create a default entry for “Email Address” just add emailAddress_default = mikelaverick@rtfm-ed.co.uk.

If you wish to create a default entry for the server name just add
commonName_default = SERVERNAME.rtfm-ed.co.uk
That way you merely have to enter the name of the server, and cut and paste the domain name after it to complete the FQDN
Open the request.csr file with your preferred editor such as:

nano –w request.csr
Highlight all the text and copy

Note:
Make sure you include ALL the text including ----BEGIN CERTIFICATE REQUEST---- and ----END CERTIFICATE REQUEST----

At Windows 2003 Certificate Authority

Navigate to http://yourCAservername/certsrv and login if prompted
Choose Request a Certificate
Choose Or, submit an advanced certificate request.
Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
In the Saved Request edit box – use control+v to paste the contents of the request.csr file
Underneath Certificate Template select Web Server and click the Submit button

Note:
If you are logged on as the Administrator of the CA, it will be automatically issued to you. It is assumed you trust yourself. If you are not the CA administrator. You will have to inform them that you have made a request, wait for them to “issue” it using the Certificate Authority admin tool – and return to the certsrv website to check on your “pending” request and download it.

You may wish at this point to check if you workstation has the Enterprise ROOT CA certificate (Internet Explorer 6.1, Tools, Options, Content, Certificates, Trusted Root Certification Authorities – and look for a name known with in your organisation, rather than a third party one)

If it is not installed then, revisit the http://yourCAservername/certsrv and click Download a CA certificate, certificate chain, or CRL and choose Download CA Certificate
Click the Download Certificate link
In the dialog box choose Save calling it mui.crt
WARNING:

Make sure ALL File types are being displayed and rename the mui.crt.cer file to be mui.crt
Using something like WinSCP copy the mui.crt to /etc/vmware-mui/ssl

Back at the Service Console

Logon to the Service Console as ROOT
Restart the MUI with

service httpd.vmware restart

TEST:

You should be able to load up your web-browser
Type in the FQDN of you server
Login
If you double-click at the “Lock in your browser” it would look something like this the Certificate Path tab in the dialog box

Restart VMKstatus

Note:

If you wish to avoid a reboot you must restart vmkstatus
Vmkstatus is responsible, at the end of the boot process, for presenting the Status Screen at the physical console
With a restart or reboot the servers old name will be displayed

Logon to the Service Console, as ROOT
Type

Killall -9 vmkstatus

Note:
If you wish to learn more about the killall command see this manual page

Scripting the Server Rename Procedure

Note:

These are sample bash scripts used to correct the identity of a cloned server. They are nothing fancy and I’m sure some one could write a better script either in bath or in perl. If you do, send and share it with us.

Files Used:

rename.sh - Main script which does the rename procedure
1httpd.conf - 1^st part of httpd.conf
3httpd.conf – 3^rd part of httpd.conf – with the 2^nd created by script
fdisk.src – Answer file for questions for fdisk
yes.src – Answer file for format of vmfs format
enableSSL.pl – Perl Script to regenerate certificate of rename ESX Host

Note on 1httpd.conf, 3httpd.conf and 3httpd.conf:

The 1httpd.conf and 3httpd.conf were taken from an ESX 2.5.1 server…
Basically 1httpd.conf is the contents of httpd.conf taken all the way up to the ServerName variable.
3httpd.conf is contents of httpd.conf after the ServerName variable.
I then use the echo command to create 2httpd.conf on the fly and then cat the whole lot together to make httpd.conf.
I did try using echo to create the whole of httpd.conf but it just wouldn’t work. This seemed the safest and quickest way of doing
You can download the files here…
Below is sample and brief explanation of rename.sh
The part that is in italics could be removed if you would rather partition and create the vmkernel swap file manually…
The “splash” screen which appears at the ESX Service Console prompt does not update until next reboot

# syntax

# sh rename.sh <ip> <sn> <gwip> <dnsip> <hostname> <domain> <rootpwd>

# sh rename.sh <$1> <$2> <$3> <$4> <$5> <$6> <$7>

Sample:

sh rename.sh 192.168.2.102 255.255.255.0 192.168.2.1 192.168.2.199 esx3 rtfm-ed.co.uk Passsword1

echo Generating the Configuration Files

echo ifcfg-eth0, network, resolv.conf, hosts, httpd.conf

echo Creating IP and Subnet Mask File - ifcfg-eth0

echo > ifcfg-eth0

echo >> ifcfg-eth0 DEVICE=eth0

echo >> ifcfg-eth0 BOOTPROTO=static

echo >> ifcfg-eth0 IPADDR=$1

echo >> ifcfg-eth0 NETMASK=$2

echo >> ifcfg-eth0 ONBOOT=yes

echo Creating the Network File to set Default Gateway/Hostname

echo > network

echo >> network NETWORKING=yes

echo >> network HOSTNAME=$5.$6

echo >> network GATEWAY=$3

echo Creating RESOLV.CONF DNS configuration file

echo > resolv.conf

echo >> resolv.conf search $6

echo >> resolv.conf nameserver $4

echo Creating HOST File...

echo > hosts

echo >> hosts "# Do not remove the following line, or various programs"

echo >> hosts "# that require network functionality will fail."

echo >> hosts 127.0.0.1 localhost.localdomain localhost

echo >> hosts $1 $5.$6

echo Creating the HTTPD.CONF Apache configuration file...

echo > 2httpd.conf

echo >> 2httpd.conf ServerName $5.$6

cat 1httpd.conf > httpd.conf

cat 2httpd.conf >> httpd.conf

cat 3httpd.conf >> httpd.conf

echo Setting the Default Gateway...

route del -net default

route add -net default gw $3

echo Setting the Hostname...

hostname $5.$6

echo Changing this ESX Hosts ID...

cp /root/ifcfg-eth0 /etc/sysconfig/network-scripts -r

cp /root/network /etc/sysconfig -r

cp /root/resolv.conf /etc -r

cp /root/hosts /etc -r

cp /root/httpd.conf /usr/lib/vmware-mui/apache/conf -r

rm /root/ifcfg-eth0 -r

rm /root/network -r

rm /root/resolv.conf -r

rm /root/hosts -r

rm /root/httpd.conf -r

rm /root/2httpd.conf -r

echo Restarting Network and Services

echo Restarting the echo

service network restart

Network Adapter...

echo If you are connected remotely running the script

echo Your not now....!!!!

echo Restarting the MUI..

service httpd.vmware restart

echo Generating the SSL Certificate

rm /etc/vmware-mui/ssl/mui.* -f

perl enableSSL.pl $5.$6 root $7

clear

echo Creating the VMFS Partition

fdisk /dev/sdb < fdisk.src

echo Formating the VMFS Partition...

vmkfstools -C vmfs2 vmhba0:1:0:1 < yes.src

vmkfstools -S local vmhba0:1:0:1

echo Creating the VMKernel Swap File of 2047MG

vmkfstools -k 2047m /vmfs/local/SwapFile.vswp

echo Activating the VMKernel Swap File

vmkfstools -w /vmfs/local/SwapFile.vswp

echo >> /etc/vmware/hwconfig swapfile.enable = "yes"

echo >> /etc/vmware/hwconfig swapfile.filename = "SwapFile.vswp"

echo >> /etc/vmware/hwconfig swapfile.sizeMB = "2047"

echo >> /etc/vmware/hwconfig swapfile.volume = "vmhba0:1:0:1"

echo Restarting the MUI... with new certificate

killall -9 vmware-serverd

service httpd.vmware restart

echo Restarting VMKstatus…

killall -9 vmkstatus

echo ---------------------------------------

echo --- This servers ID has changed ---

echo ---------------------------------------

Use the echo command to create IP configuration file based on <ip> in the /root directory. Most of the configuration files are created this way

Httpd.conf is long file. echo didn’t work so used echo to create file which contains ServerName and cat the 3 parts into the httpd.conf file

Clears any current gateway and establish new one. No reboot!

Sets hostname, No reboot!

Overwrites the old configuration files with the new ones…

Removes the files created a moment ago as they are only needed during the rename process…

Restart eth0 and MUI to allow rename to take effect…

Generate new MUI certificates – mui must be restarted before this Perl script can run…

Creates an VMFS partition. fdisk.src is text file that answers the questions. The same with formatting the disk with VMFS. Then set label VMFS label…

Creates and activates a vmkernel swap file…

Changes HWConfig to force the ESX to remember swap file after reboots…

Does another restart to update MUI for Certificate, Storage and Swap File changes. Kill helps stop MUI remembering other configurations…

Vmkstatus provides the splash screen to the physical console – and needs to be restarted to update the server name that is displayed there

Controlling the ESX User Interfaces

Changing ESX Servers Hostname

Note:

No need for a restart of network services, although you might consider a reboot. For reasons outlined later in this document.

In the clone ESX section – I have a script for a complete change of the identity of an ESX server including changing of

IP settings
Hostname
Regenerating Certificates

For Current Uptime

Note:

To avoid an unnecessary reboot

Logon to the Service Console as ROOT
Type: hostname newhostname, in my case from esxinstructor1.education.vmw to esxinstructor2.education.vmw

For Future Uptimes (/etc/sysconfig/network)

Type: nano –w /etc/sysconfig/network
Make your changes to:

HOSTNAME: newhostname, in my case from esxinstructor1.education.vmw to esxinstructor2.education.vmw

Edit the Host File to Reflect Change in Name (/etc/hosts)

Type: nano –w /etc/hosts
Modify the entries to reflect new hostname and ip address if required, in my case from esxinstructor1.education.vmw to esxinstructor2.education.vmw

Edit the HTTP.conf file to Reflect Change in Name in the MUI

Type: nano –w /usr/lib/vmware-mui/apache/conf/httpd.conf
Replace: ServerName esxinstructor1.education.ctxs
With: ServerName esxinstructor2.education.ctxs

Note:
When you connect the MUI after the change in name, you will get certificate warning

Note:
You will need to update – any shortcuts in your Browser, and in your terminal emulation software. Notice there is second alert indicating that while the new name is effective – however, the old certificate is still being offered

Regenerate Certificates after Renaming the ESX Server

Note:

There is a script from Vmware which is used to regenerate the certificate under the new identity. In the past there was a length perl script released through the forum for regenerating your certificates. This has now been replaced with:

vmware-config-mui.pl

I have kept the old script here for purposes of interest

Note:
I got this procedure from the Community Forum. From a forum user called Anders, from this forum posting. Alternatively, you may wish to create your own certificates from your own Certificate Authority – this is covered later in this guide in the section entitled “Controlling ESX Interfaces”

Logon to the Service Console as ROOT
Backup the old key and crt files by using:

mv /etc/vmware-mui/ssl /etc/vmware-mui/ssl-old
Use CD to make sure you are in the ROOT directory
Use nano –w enableSSL.pl to create the perl script to regenerate the certificates
Copy the following text between the two bold markers, and cut and paste this into the script or download from my website here

[FROM HERE…]

#!/usr/bin/perl -w

# enableSSL -- Creates the SSL certificates for the remote console.

# usage:

# enableSSL.pl hostname user password

BEGIN {

if ( $^O eq "MSWin32" ) {

my $PREFIX_PATH;

if (-d 'C:\Program Files\VMware\VMware GSX Server') {

$PREFIX_PATH = 'C:\Program Files\VMware\VMware GSX Server';

} else {

$PREFIX_PATH = 'C:\Progra~1\VMware\VMware~1\Programs';

}

@INC = ("$PREFIX_PATH/perl5/site_perl/5.005",

"$PREFIX_PATH/perl5/site_perl/5.005/MSWin32-x86",

'.'

);

}

# VMware internal development -- redirect Perl to find devel modules

if (defined($ENV{TEST_TREE})) {

if (-d $ENV{TEST_TREE} . "/apps/perl-control/blib/arch") {

#print STDERR "Using TEST_TREE for Perl API: $ENV{TEST_TREE}\n";

unshift(@INC, $ENV{TEST_TREE} . "/apps/perl-control/blib/lib");

unshift(@INC, $ENV{TEST_TREE} . "/apps/perl-control/blib/arch");

} else {

print STDERR "** Warning: TEST_TREE Perl API not found: $ENV{TEST_TREE}\n";

}

# Attempt to load the VMware::VmPerl Perl libraries

eval {

require VMware::VmPerl;

import VMware::VmPerl;

require VMware::VmPerl::Server;

require VMware::VmPerl::VM;

require VMware::VmPerl::ConnectParams;

require VMware::VmPerl::Question;

};

if ($@) {

print STDERR

"$@ $0 requires the VMware::VmPerl Perl libraries to be installed.\n";

print STDERR "Check that your installation did not encounter errors.\n";

exit(255);

}

use VMware::Control;

use VMware::Control::Server;

use strict;

if (@ARGV != 3) {

print "Usage $0: server user password\n";

exit(1);

}

my ($serverName, $user, $passwd) = @ARGV;

my $port = 902;

my $server = VMware::Control::Server::new($serverName,$port,$user,$passwd);

if (!$server->connect()) {

my ($errorNumber, $errorString) = $server->get_last_error();

die "Cannot connect to server: Error $errorNumber: $errorString\n";

}

# Make exec call to serverd to create rui certificate.

$server->exec("<exec><op>Security_ActivateConfig</op><in><pref><name>muissl</name><value>yes</value></pref></in></exec>");

$server->disconnect();

[TO HERE]

Run the script with

perl enableSSL.pl esxinstructor3.education.vmw root vmware
Verify that the directory /etc/vmware-mui/ssl was recreated with a new key and crt file
Restart Apache with:

/etc/rc.d/init.d/httpd.vmware restart

or

service httpd.vmware restart
TEST

Creating & Assigning your own Certificates for the MUI

Note:

If you merely wish to generate a new certificate for a ESX server you have renamed – like the one after a install of ESX – use the command vmware-config-mui.pl

Note:

From the official admin guide PDF:

We can use openssl which is already installed to the Service Console to generate a new private key, and request file.

WARNING: WARNING: WARNING: WARNING: WARNING: WARNING:

At the Service Console

Logon on the Service Console as ROOT
Navigate to /etc/vmware-mui/ssl
Create a backup directory for the old key/crt files with

mkdir backup
Move the existing key/crt files to this backup directory with

mv *.* ./backup
Restart the MUI with

service httpd.vmware restart

Note:
If you try to connect to the MUI now using https – you will receive a failure – because the certificate can no longer be found
Generate a new private key with

openssl genrsa 1024 > mui.key
We can generate a certificate request in a text file format with:

openssl req -new -key ./mui.key > request.csr

Note:
When you run this you will be prompted for information which will be incorporated into your certificate request. Complete this form/wizard with information like so – remember to type you DN (Distinguished Name or FQDN to Windows people correctly!)

Note:
You can change the default answers to this form by editing in the [REQ] section of the /usr/share/ssl/openssl.cnf file.

If you wish to set the default for the Organisational Unit Name – remember to remove the # next to organizationalUnitName_default

If you wish to create a default entry for “Email Address” just add emailAddress_default = mikelaverick@rtfm-ed.co.uk.

If you wish to create a default entry for the server name just add
commonName_default = SERVERNAME.rtfm-ed.co.uk
That way you merely have to enter the name of the server, and cut and past the domain name after it to complete the FQDN
Open the request.csr file with your preferred editor such as:

nano –w request.csr
Highlight all the text and copy

Note:
Make sure you include ALL the text including ----BEGIN CERTIFICATE REQUEST---- and ----END CERTIFICATE REQUEST----

At Windows 2003 Certificate Authority

Navigate to http://yourCAservername/certsrv and login if prompted
Choose Request a Certificate
Choose Or, submit an advanced certificate request.
Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
In the Saved Request edit box – use control+v to paste the contents of the request.csr file
Underneath Certificate Template select Web Server and click the Submit button

Note:
If you are logged on as the Administrator of the CA, it will be automatically issued to you. It is assumed you trust yourself. If you are not the CA administrator. You will have to inform them that you have made a request, wait for them to “issue” it using the Certificate Authority admin tool – and return to the certsrv website to check on your “pending” request and download it.

You may wish at this point to check if you workstation has the Enterprise ROOT CA certificate (Internet Explorer 6.1, Tools, Options, Content, Certificates, Trusted Root Certification Authorities – and look for a name known with in your organisation, rather than a third party one)

If it is not installed then, revisit the http://yourCAservername/certsrv and click Download a CA certificate, certificate chain, or CRL and choose Download CA Certificate
Click the Download Certificate link
In the dialog box choose Save calling it mui.crt
WARNING:

Make sure ALL File types are being displayed and rename the mui.crt.cer file to be mui.crt
Using something like WinSCP copy the mui.crt to /etc/vmware-mui/ssl

Back at the Service Console

Logon to the Service Console as ROOT
Restart the MUI with

service httpd.vmware restart
TEST:

You should be able to load up your web-browser
Type in the FQDN of you server
Login
If you double-click at the “Lock in your browser” it would look something like this the Certificate Path tab in the dialog box

Controlling Access to the MUI

Note:

By default any user can login to the MUI and also create new VM’s which can give certain security dilemmas.
To enable/disable access for a specified user to the MUI you have to change the login.js file that is handling the login request of the website.
These script produce dialog boxes – for these to appear the account must exist on the ESX server

Allow ALL Users except (Username)

1. Logon to the Service Console as ROOT

2. Type nano –w /usr/lib/vmware-mui/apache/htdocs/vmware/src/login.js

3. At the top of the file, after the part that ends:

return false;
}

4. Add:

if (document.u.v.value == "root") {
alert("You are restricted to using the Remote Console only");
document.u.v.focus();
return false;
}

5. Save the File and Close Nano

Note:
You can repeat the line more than once, to deny more than one user

6. Test:

Try a logon as root, you should get the pop-up box
Try a logon as lavericm – or any other user you should be able to gain access

Deny ALL Users except (Username)

1. Logon to the Service Console as ROOT

2. Type nano –w /usr/lib/vmware-mui/apache/htdocs/vmware/src/login.js

3. At the top of the file, after the part that ends

return false;
}

4. Add:

if (document.u.v.value == "root") {
return true;
}
alert("Only root can login to the MUI");
document.u.v.focus();
return false;
}

5. Remove end of the line that reads:

return true;
}

6. Test

Try a logon as any user but ROOT, you should get the pop-up box
Try a logon as ROOT – you should be able to gain access

Disable Access to the MUI Completely for ALL users

Note:

Effectively we make the maximum session duration be Zero

1. Logon on to the Service Console as ROOT

2. Type: Nano -w /usr/lib/vmware-mui/apache/conf/access.conf

3. Edit the line that states PerlSetEnv vmware_SESSION_LENGTH 60, do one of the following

Type: 0 for nothing

4. Save the File and Exit Nano

5. Restart the MUI with:

/etc/init.d/httpd.vmware restart

or

service httpd.vmware restart

6. When you go to access the MUI you should receive this at the logon page:

Disable Access to the MUI by IP Range/Address

Note:

This denial is done by only allowing access by certain IP address or range – which stops access by any other IP range. In this step we will make modifications to Linux INETD to restrict access to the INETD services. This means modifying two files hosts.allow and hosts.conf. The ALL keyword blocks all INETD protocols, primarily for ESX this restricts access to SSH. All other services like FTP and TELNET are disabled because ESX is by default in High Security mode anyway

Logon to the Service Console, as ROOT
nano –w /etc/hosts.allow

To Restrict on a single IP:
ALL: 192.168.2.254 192.168.1.254

To Restrict on a range of IP Addresses:
ALL: 192.168.2.0/255.255.255.0

Note:
The next step is to set deny all in hosts.deny
Next, nano –w /etc/hosts.deny
Type:

ALL: ALL

Note:
Next we need to make changes to MUI Apache Daemon
Edit the main apache configuration file with

nano –w /usr/lib/vmware-mui/apache/conf/httpd.conf
Next locate the line that begins Directory "/usr/lib/vmware-mui/apache/htdocs" using [control]+w
Scroll down until you find the line that begins # Controls who can get stuff from this server
Remark out the line with a # that begins:

Allow from all
Directly underneath this line type:

To allow access by a single IP
Allow from 192.168.2.254/255.255.255.0

To allow access by a range of IP Addresses
Allow from 192.168.2.0/255.255.255.0

Note:
If you have vmkusage installed search for Directory "/usr/lib/vmware-mui/apache/htdocs/vmkusage" a repeat the same settings
Restart the MUI with:

service httpd.vmware restart

Disabling the “Add Virtual Machine” button for ROOT

Note:

VMware recommends that you never use root to create virtual machines
This encourages casual use of the ROOT account
Introduces potential ownership issues
However, the “Add Virtual Machine” button is still displayed to ROOT – this can be disabled by modifying a few files
sxMonitor.html is main page you see after login where the button is loaded
A java script file called main.js controls the loading and building of the page
Basically, we can create a copy of sxMonitor, remove the button, and instruct main.js if ROOT logs on to use the copy, otherwise use the standard version
Main also includes the standard MUI messages for if no switches, swap file or virtual machine have been added (such is the case when a server has just been built) you might like to modify these messages to reflect the changes
Warning: Such changes would not survive an upgrade!

Stage One: Duplicate and Modify sxMonitor.html

Logon to the Service Console as ROOT
change into the directory where sxMonitor.html exists with:

cd /usr/lib/vmware-mui/apache/htdocs/vmware/en
Duplicate the file sxMonitor.html file with:

cp sxMonitor.html sxMonitorROOT.html
Edit the new file with nano –w /sxMonitorROOT.html
Scroll down to almost the very end of the file, and locate the lines that begin, just after the hyperlinks to the Remote Console packages…. and remove

      <div class="btn" onclick="addWndw();">
        <table>
          <tr>
            <td class="icon" nowrap="1"><img src="../imx/config-16x16.png"></td>
            <td class="ilbl" nowrap="1"><a href="javascript:;">Add Virtual Machine</a></td>
          </tr>
        </table>
      </div>

Note:
If you wish you can add some information in between the <td> or </td> or add different image such as a copy of the original button with a red-X through it…

Note:
If you have an ESX server with no virtual machines, operators will see this message in the in status area underneath Virtual Machines (0)

" No virtual machines are registered with this system. Click Add Virtual Machine to create one"

You can search for this string and modify it to something more appropriate… I changed mine to:

” No virtual machines are registered with this system. ROOT's right to create virtual machines has been disabled. To create a Virtual Machine, please log out and login as your VM Administrator account.”

Stage Two: Modify main.js to include an IF Statement

Move to the location of the main.js file with:

cd /usr/lib/vmware-mui/apache/htdocs/vmware/src/
Backup the default main.js file with:

cp main.js main.js.bak
Edit the file with, nano –w main.js and locate the section which begins:

if (tabs.win().ready == null || ! tabs.win().ready())
tabs.doc().location.replace("/vmware/en/sxTabs.html");
if (page.win().ready == null || ! page.win().ready())
page.doc().location.replace("/vmware/en/sxMonitor.html");
Delete the line that reads

page.doc().location.replace("/vmware/en/sxMonitor.html");
Add replace with

{if (user == "root")
                {page.doc().location.replace("/vmware/en/sxMonitorROOT.html");}
        else
                {page.doc().location.replace("/vmware/en/sxMonitor.html");}}
Save the File and Exit Nano

Configuring the Time Out Values to the MUI

Note:

By default you get timed out the console in 60mins if you are inactive. We can reduce this value to protect your workstation from walk-away breaches

Logon on to the Service Console as ROOT
Type: nano -w /usr/lib/vmware-mui/apache/conf/access.conf
Edit the line that states PerlSetEnv vmware_SESSION_LENGTH 60, do one of the following

Type: 480 for 8 hours…
Save the File and Exit Nano
Restart the MUI with:

/etc/init.d/httpd.vmware restart

or

service httpd.vmware restart

Configuring the Statistics Interval for the MUI

Note:

By default, ESX provides statistics about the server and virtual machines that reflect the past five minutes of activity. The statistics get updated every 20 seconds.
You can configure this setting for a period of one minute to see more usage details or you can configure it for a period of 15 minutes to smooth out short-term spikes. Increasing the statistics period changes the update frequency to every minute instead of every 20 seconds; it also reduces the amount of load on the service console, improving the performance of a server running a large number of virtual machines.
To configure the statistics period for the management interface, do the following.

Logon on to the Service Console as ROOT
Type: Nano -w /usr/lib/vmware-mui/apache/conf/access.conf
Under the line that states PerlSetEnv vmware_SESSION_LENGTH 60, do one of the following.
To set the period to one minute, add this line:

PerlSetEnv vmware_STATS_PERIOD 1

To set the period to 15 minutes, add this line:

PerlSetEnv vmware_STATS_PERIOD 15
Save and close the file
Restart Apache for the change to take effect with

/etc/init.d/httpd.vmware restart

or

service httpd.vmware restart

Sorting the List of VM’s in the MUI

Note:

By default the list of VM’s in the MUI is sorted by the order of the VM’s created
Or by the order they are registered (which can be the same thing)
We can sort the VM’s alphabetically or re-order them based on your own preference by using the Service Console

Logon to the Service Console as ROOT
Sort the vmlist – by using the sort command piped to a new file, and then copy over sorted vmlist over the original vmlist with:

sort /etc/vmware/vm-list > /etc/vmware/vm-listsorted

and

cp /etc/vmware/vm-listsorted /etc/vmware/vm-list

Press [ENTER] to over-write the original file
Restart the vmware-serverd and vmware httpd services with

service vmware-serverd restart
service httpd.vwmare restart

Note:
If you are using vCenter restart the ccagent service instead from the vCenter client using

Right-click the ESX Host
Properties
Click the Advanced Tab, and click the Restart button

Alternatively, kill the ccagent process from the Service Console (ESX will automatically restart it…) with:

ps -ef | grep ccagent

and then

kill pidno, in my case kill 27023

Note:
If you have the vCenter client open this should force a “reconnecting…” event
If you log on to the ESX MUI you should find the VM list is sorted alphabetically…

Note:
If this fails to generate the list you require – simply edit the vmlist with nano – and reorder… be sure to backup the file before you do this.

ESX Server & Active Directory Synchronisation with VMguru.com’s LDAP_Search

Warning:

This guide used Windows 2000 Active Directory

Credits & Acknowledgements:

LDAP_Search is a script available from www.vmguru.com
I’d like to personally thank Steve Beaver for creating the script and assisting me in setting it up for the first time on a test server
With this in mind decided to write a step-by-step guide to setting it up

Requirements

To use LDAP_Search you must configure Active Directory authentication between ESX and your Domain Controllers
Consult my ESX Admin Guide II for further details
Or VMware’s PDF on NT4 and Active Directory Authentication

What does LDAP_Search Do?

If you have ever setup authentication between ESX Server and Microsoft Active Directory – you will know that for it to work – you must create users with the same login ID on Active Directory AND the Service Console
Using VMware’s implementation of PAM it is possible to rig these together – and allow you to centralise the authentication requests, password changes and the disabling of user accounts.
The Achilles heel remains how ever that while authentication is synchronised – the creation of user accounts is not.
So if you had 50 VMware Administrators, and had 50 ESX servers you would have to create 50 users in Active Directory – but on each ESX server you would have to create 50 users, with 50 ESX servers – that’s 2,500 individual “useradds” you would have to do.
LDAP_Search solves this problem for FREE!
Alternatively, you can spend money on software to achieve this such as www.centrify.com

How does it do it (roughly)

Well, I am not the author of this script
But this a general overview
LDAP_Search periodical communicates (using cron) to directory services – looking for new users you have created using OpenLDAP
By default it uses an LDAPUSER account to read an OU called VMware
Within this VMware OU there is a ESX_ADMIN, ESX_OP and ESX_VIEW Groups – these groups roughly equate the user model within vCenter…
Where:

ESX_ADMIN who have root “like” access
ESX_OP who have control just over Virtual Machine
ESX_VIEW who have only Read-Only access to the MUI

These defaults can be modified by using vi or nano –w to edit LDAP_Search

How do you set it up (Roughly)

Create these Active Directory objects
One group has to be created on the ESX Server
Some OpenLDAP RPM packages have to be installed and ldap.conf has to be modified
LDAP_Search needs editing to input LDAPUSERS password and location in the directory service using the “Distinguished Name” format
LDAP_Search needs setting up with cron

Step 1: Create the Active Directory Objects

Note:

My domain name which exists into DNS spaces (private and internet) is rtfm-ed.co.uk
And I created a OU called VMware of the root of Active Directory
Like so:

Mike Laverick, was made a member of ESX_Admin (for ROOT like access)

Trevor Baverstock, was made a member of ESX_OP (for VM Administrator access)

Stephen Beaver, was made a member of ESX_VIEW (for Read-Only access)

LDAPUSER was created to allow LDAP_Search read-access to the rtfm-ed.co.uk domain. No special rights are required

Step 2: Create ESXAdmin group

Logon on to the Service Console, as ROOT
Type:

groupadd ESXAdmin

Step 3: Download and Install the OpenLDAP RPM’s

Note:

You need the following packages:

cyrus-sasl-1.5.24-20.i386.rpm
cyrus-sasl-md5-1.5.24-20.i386.rpm
openldap-2.0.11-13.i386.rpm
openldap-clients-2.0.11-13.i386.rpm
krb5-workstation-1.2.4-4.i386.rpm
You can download these packages by searching on google.com or http://rpm.pbone.net or http://www.rpmseek.com when you come to download the files make sure you get the installer not the developers source code (which commonly contains the src extension somewhere in the file name)
Alternatively you can save yourself the heart ache and download this tar from my site which contains all five packages.

Click Here to Download
Install the each of the RPM’s in any order with….

rpm -Uvh –nodeps nameofpackage.rpm

Step 4: Configure the ldap.conf file

Logon to the Service Console, as ROOT
Type:

nano -w /etc/openldap/ldap.conf
Add the BASE and URI lines:

Note:
My domain name is rtfm-ed.co.uk. Note the two lines for ldap and ldaps. Notice how the sample text reads 666 (yes, the number of the beast!).

Secure LDAP/SSL Windows Active Directory listens on 636.

The MS Support Article outlines how this LDAP SSL communication is enabled in Active Directory

KB 247078 - How To Enable Secure Socket Layer (SSL) Communication over LDAP for Windows 2000 Domain Controllers
Save the file, and exit nano

Step 5: Configure and Test the LDAP_Search File

Download LDAP_Search from www.vmguru.com website
Save it to your ESX Server – for the moment /root is fine while we configure it
nano –w /root/LDAP_Search
Edit:

base="-b DC=gtlaw,DC=com"
user="-D CN=LDAPUSER,OU=VMWare,DC=gtlaw,DC=com"

to reflect your domain context for example my LDAP_Search reads:

base="-b DC=rtfm-ed,DC=co,DC=uk"
user="-D CN=LDAPUSER,OU=VMWare,DC=rtfm-ed,DC=co,DC=uk"
Save the file and exit nano

Note:
At this stage you can actually run LDAP_Search script manually with

sh LDAP_Search

Note:
This window shows the LDAP_Search script scanning the ESX_ADMIN, ESX_OP, and ESX_VIEW group – and finding each of the three users within

Step 6: Set LDAP_Search to at an Regular Intervals

Note:

Once you are happy that the script is running you can change location of the script to make it run at periodic intervals using cron

cp LDAP_Search file /etc/cron.hourly

Enforcing Traceability in the Service Console – Deny SSH Access to ROOT

Note:

By default if you know the ROOT password – you can login as root – however, it as this is a “shared” account (albeit with trusted individuals) you loose traceability. That is to say you have no idea who actually logged in as ROOT.
To remedy this we can disable the ROOT logon, and force users to use SU – to switch to the root account – your initial logon as an ordinary user, and then the switch to ROOT would appear in log files.
This enforcement of traceability does not affect people logon to the physical console at the physical server.

Login as ROOT to the Service Console
Run nano –w /etc/ssh/sshd_config
Scroll down to the # Authentication: section
Change #PermitRootLogin yes to be

PermitRootLogin no

Note:
Remember to remove the # sign which makes the current text just a remark
Save the file and Exit Nano
Restart the SSH service for changes to take effect with:

/etc/init.d/sshd restart or service sshd restart
TEST:

Try to login as ROOT you should be “kicked” out
Try to login as VM Administrator account
Use SU -

Note:
Always use SU with the minus switch – this switches to the ROOT and also gives you ROOT’s environment settings – without it you may find certain commands give you a “command not found” message because of path errors

use nano –w /var/log/messages to see you first logon as ordinary user, and then your switch to ROOT. You should see something like this:

Aug 15 01:53:17 esxinstructor1 sshd(pam_unix)[2324]: session opened for user lavericm by (uid=509)
Aug 15 01:53:22 esxinstructor1 su(pam_unix)[2363]: session opened for user root by lavericm(uid=509)

Changing the Services Consoles Status Screen

Note:

The Service Console is really a modified version of Redhat Linux 7.2
Up-to 6 “Bash” sessions are available
The first is used to “splash” a status screen to the physical console – this created by a text file which contains both static strings and variables
The first section declares variables which are used further down the page such as product version and hostname.
Then it defines some variables to format the text.
The first line that is seen by the operator begins $TITLE.
After that there are sections which begin like “# VMnix is not running” or “# VMnix is running but vmware-config has not been run yet”.
These represent different status events – and the text information associated with them
If the Service Console and the VM Kernel has been successfully loaded it uses the section “# VMnix is running and so is the vmkernel”. VMnix is VMware terminology for the Service Console

Logon to the Service Console as ROOT
Type: nano –w /usr/sbin/vmkstatus
Locate the line that begins “# VMnix is running and so is the vmkernel”, you can use Control+W in nano to search for the string
Underneath $TITLE and “Your system is configured properly and the vmkernel is loaded.” add:

===========================================
${BOLD_RED}Do Not Logon On Unless Your Are An Authorised Member Of Staff!${NORMAL}
===========================================

Note:
The BOLD_RED and Normal will put your message in red text in bold. You may wish to type your text in first, then add your formatting – so the there is the correct number of ==== for your message
Save the File and Exit Nano
Reboot ESX

Reducing the Number of Physical Service Console Sessions

Note:

By default 6 physical console sessions can be opened – using ALT+2,3,4,5,6. You may wish to reduce this to just two. One for the Status Message, and one through which you can logon

Logon to the Service Console as ROOT
Type: nano -w /etc/inittab
Locate the line which begins “# Run gettys in standard runlevels”
REM out the session you don’t wish to support with the # character with:

# 3:2345:respawn:/sbin/mingetty tty3
# 4:2345:respawn:/sbin/mingetty tty4
# 5:2345:respawn:/sbin/mingetty tty5
# 6:2345:respawn:/sbin/mingetty tty6
Save the File and Exit Nano
Reboot ESX

Disabling the Service Console

Note:

You may wish to create a VM administrator but stop them from accessing the Service Console, while allowing access to more controllable areas like the MUI and Remote Console. One way of doing this is when you create the user on the command-line you give them NULL as a shell. I think a more efficient method is a access control list in the ssh_config file

Login to the Service Console as ROOT
Run nano –w /etc/ssh/sshd_config
Scroll down to the # Authentication: section
Add DenyUsers piked

Note:
You can separate users by a comma. In the notes I have read apparently there is a entry called DenyGroup – but when I tried it I was flagged by the service as being bad entry. Can anyone help on this?
Restart the SSH service with:

/etc/init.d/sshd restart

or

service sshd restart
Test

Try to login as piked – you should get an access denied
another attempt is allowed
Then your kicked out of the login process with this error dialog from PuTTy

Creating a shortcut to connect to a specific VM

Note:

The Remote Console does support switches – to specify name of ESX server, username, password, port number for Remote Console Communication, and a path to the VMX file to load. This can be all put behind a shortcut so the VM Administrator can connect to the VM quickly

Sample Syntax:

“C:\Program Files\VMware\VMware Remote Console\vmwareconsole” -h esxinstructor1.education.vmw -u lavericm -p vmware -c /home/lavericm/vmware/instructor1/instructor1.vmx

Note:

If you miss out –P vmware – the users password, the system will pause – wait for password input – and then proceed to connect to the VM

Disabling Power On/Off Options in Remote Console

Note:

You may wish to give Remote Console to your VM Administrators – but the power options at the top of the application are somewhat dangerous.
One accidental click and you could forcibly power of a VM without shutting down the Guest OS properly.
This would cause possible “chkdsk” events in Windows 2000 and dialog box pop-ups about bad shutdowns from Windows 2003.
We can disable these buttons by two methods

By modifying the VMX file that defines the VM. This restriction affects all users including ROOT.
By modifying the permission system to allow access to Remote Console, but at the same denying Power Cycle options

Once disabling power down/off rights – there is OS rights to consider – so either restrict these uses by User Rights in Windows or by GUI restrictions which remove the shutdown options from a Windows

On a Specific VM

Shutdown the Guest OS and Close any Remote Console sessions
Logon the Service Console as the VM Administrator – responsible for the VM
Type:

nano –w /vmware/virtualmachinename/virtualmachinename.vmx
To the end of the file add the entry:

gui.restricted = "True"

Note:
All entries in the VMX file have spaces between the value name and the value data – all value data must have quotes regardless of it’s a string or piece of text. From this point onwards, the only way to power up the VM is via the MUI, and “advanced” functions such as Suspending can only be done from the MUI as well. You could consider this a “back-door” unless you disable access to the MUI
Reload Remote Console and should find the power buttons have gone, as well as the Power Options in the Power menu

For ALL VM’s by changing the Default Permission Scheme

Note:

· By default Execute is a right required to give Delegated Uses (users who have rights to other people’s VM under what is called the “Flagship Model”) - the ability to use the Remote Console.

· However, this right also gives them the ability to power cycle the VM.

· We can change the authentication policy such that they only need the Read permission to the VMX run Remote Console, thus removing the requirement to have the Execute right – which means they won’t be able to power cycle the machine.

· This method is more sophisticated than the previous method, as it does not affect ROOT, and handles access by group membership and permissions

· These instructions come from the Admin Guide online on page 205 or search for string “authd.policy” in the PDF file

Seeing the Behavior:

In the MUI add a VM Administrator to the User Group of another user, in my case I add a user called piked to a user group called lavericm
Logon to the Service Console as ROOT
Set the permission so the User Group can have access with

chmod 754 /home/lavericm/ –R

Note
This the User Group RX rights to all the files of lavericm. You can set these permission via the MUI, but as there is no inheritance or copy these permission down the directory structure this is the quickest and most painless method
Login as the Delegate VM Administrator, in my case piked
You should see the VM’s

piked cannot change the hardware of the VM’s because there is no W set
piked can connect to them with the Remote Console
piked can power cycle the VM’s

Correcting the Behavior:

Logon to the Service Console as ROOT
Type: nano –w /etc/vmware/config
To the end of the file add the line:

authd.policy.AllowRCForRead = “TRUE”

Note:
This entry is case-sensitive!
Save the File and Close Nano
Restart the Authentication Engine by using

/etc/init.d/xinetd restart

or

service xinetd restart

Note:
This moves the Remote Console right to the Read Permission – so now only Read rights to the VMX files are required to use Remote Console
Reset Permission on the VMX file(s)

BY the MUI or Service Console
Change the Permissions for the User Group to Read-Only on the each of VMX files

For example:

chmod 744 /home/lavericm/vmware/workstation1/workstation1.vmx

Note:
The permission of RX down the directory structure must remain to find the VM and enumerate from the vmlist the VM’s. However, the Delegated VM Administrator now only needs Read rights to the VMX
To Test:

Login to the MUI as the Delegated Administrator, in my case piked
Connect Remote Console to on of the VM’s belonging to the VM Owner
This should get a dialog box like this:

You should find the Power Buttons are grayed out and inaccessible
In the MUI, you should find the Power Options are disabled too
Only the Owner and ROOT can now control the power options

Stopping Concurrent Logons with Remote Console

Note:
Remote Console emulates the functionality of KVM to a workstation – and works not unlike VNC. It is possible for two VM Administrator to connect to the SAME VM. They each see each others mouse and keyboard movements. This could be a source of both irritation and administrative conflicts. We can stop this by editing the VMX, and adding a concurrency restriction. This restriction affects all users including ROOT.

To confirm you are the only the VM Administrator using the Remote Console use:

In the menu of Remote Console choose, Settings
Connected Users

Note:
Here this screen grab shows two users ROOT and Lavericm at workstations 192.168.2.254 and 192.168.2.201 are connected to the same VM.
To stop this default behaviour
Shutdown the Guest OS and Close any Remote Console sessions
Logon the Service Console as the VM Administrator – responsible for the VM
Type:

nano –w /vmware/virtualmachinename/virtualmachinename.vmx
To the end of the file add the entry:

gui.maxconnections = "True"

Note:
All entries in the VMX file have spaces between the value name and the value data – all value data must have quotes regardless of it’s a string or piece of text.
Reload the Remote Console, and start up the VM. Try to connect another Remote Console Session from another machine – you should find – that allow it “advertises” the VM – it immediately drops your connection with this error dialog box:

Lost Root Password Recovery

Note:

If you set and forget the ROOT password (or more likely someone does this for you!) there is a method of gaining access
You will need a Redhat CD 7.2 or higher, and physical access to the Service Console
You may need a new version of Redhat – if you have newer hardware and drivers are not recognised
These instructions are modified version of what appears in Vmware’s Authorised Manual for “System Administration II”
Technically you do not need a recovery CD to recover the root password
However, if you needed to replace missing or a corrupted file – this would require a boot CD.

With a Recovery CD

1. Insert the Redhat CD to server

2. Power cycle the Server

3. After the system has booted from the CD, at the boot: prompt type:

linux rescue [ENTER]

4. Choose your language, in my case English

5. Choose your keyboard type, in my case UK

6. Choose Continue, to allow the system to load /mnt/sysimage (which is the Redhat installation

7. Choose OK, to the “Rescue” message

Note:
The prompt about using chroot /mnt/sysimage to make your system the “Root Environment”

8. At the sh-2.05# prompt type:

chroot /mnt/sysimage [ENTER]

Note:
This loads “Hush” the “humble shell v0.01. You now at a “Bash” style environment similar to the Service Console. Commands like ls –l will work…

9. Type: passwd [ENTER]

Note:
Type two examples of your password. Obvious passwords like vmware will be flagged up as a “dictionary word” but the system will not stop you from using them

Caution:
Do not power cycle down. Don’t use the reboot command from this environment

10. Type:

exit [ENTER]

Note:
This safely exits the “Hush” shell

11. Type:

logout [ENTER]

Note:
This should eject the CD, and reboot the server. You password will now be whatever you reset it to be

Without a Recovery CD

At the LILO boot prompt type

esx 1 [ENTER]

Note:
This puts the Service Console into a single user mode. The VM Kernel will not load. In fact you can use any boot option with 1
At the sh-2.05# prompt type:

passwd

Note:
Type two examples of your password. Obvious passwords like vmware will be flagged up as a “dictionary word” but the system will not stop you from using them
Then type:

exit [ENTER]

Note:
System will continue to boot at run-level 3, and load the kernel. You ROOT password has now been reset

Scheduling Reboots/Shutdowns of ESX with CRON

Note:

Crond is service which is used to schedule scripts of hourly/daily/weekly/monthly events. VMware utilises this to run their own scripts which can be seen in /etc/cron.daily, /etc/hourly and so on..
Cron can also handle events such as: on reboot run this script with its @reboot syntax
Along side these system wide cron configurations you can also have per-user cron configurations…
In my example I’m using a per-user cron configuration to shutdown my servers at 9.30pm every evening… my development environment is accessible to some people – but due to physical limitations I cannot run my servers 24/7. So I need them to start-up in the morning and shut them down in the evening…

Logon to the Service Console as ROOT
Create a cron configuration file in ROOT’s home directory with

nano –w crontab
Type in this configuration:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
30 21 * * * shutdown -h now

Note:
The path statements allow cron to find the shutdown utility which is held in /sbin. The command shutdown –h now – causes ESX to do a full shutdown. The –h forces a halt which stops the swap file and un-mounts the drives. 30 21 is 9:30pm…

For more information about setting the time value see this link
Save the contab file…
Register this configuration file with crontab with:

crontrab /root/crontab

Note:
Confirm this has been registered with crond by Listing the crontabs for root with:

crontab –l

If you wish to remove a scheduled event use:

crontab –r
Restart the crond service with:

service crond restart

MISC

Automating the Shrinking of Disks

This issue was brought to my attention by Ron Oglesby (of the Advanced Design Guide fame). The solution comes from forum user called HaveBlue. I have used some of the comments from the original forum posts to assemble this information – and put it into easier format to read – and added some clarification here and there. If you want to read the original forum post it is here

You might know that VMware Tools has a “shrink disks” feature. This is used optimise the virtual disk file within the Guest OS - prior to exporting the disk either for:

Transferring to another VMware product
For use in ESX as a template
For use in ESX as a backup – especially for those of you use vmbk.pl which uses the export feature together with REDO files to backup a virtual disk

What happens during the shrink process that causes this saving of disk space?

If you want to see this phenomena create a new VMDK on a VM try this:

Create a new virtual machine with a new virtual disk
Export the VMDK right after you've created it - The exported files will be very small.
Fill the VMDK up with files and export again; it will be very big (most likely full size of VMDK)
Now, delete all the files in the VMDK and export again what you will find is that is still big – even though you have deleted data from it.

One way to accomplish the same goal faster, and cleaner, using Mark Russinovich's “SDelete”. This was originally designed to securely delete files in Windows.

Link: http://www.sysinternals.com/Utilities/SDelete.html

SDelete is a great utility. It basically random-fills a hard drive to delete data securely. However, until a new version is released, you'll have to modify and re-compile the version available on the sysinternals website to accomplish the 'shrink' functionality. The trick is to modify the SecureOverwrite function. Change the code so that the cleanBuffer value is not filled with any values (so by default, is zero-filled). Next, you want to modify the code so that only one pass is done (as we're not trying to securely over-write, so it just generates unnecessary I/O).

Re-compile the source and voila! You now have a CLI utility that will quickly and cleanly zero out the hard drive space, and therefore be 'shrunk'...

This sounds more complicated than really is – it’s in face a very simple process. The only catch with this utility is that right now, it's not "re-distributable" in this modified state.

So to make your own “custom” version of sdelete – use the following procedure

15. Acquire a copy of Microsoft Visual C++ 6.0 and install it. (I have no idea if it's possible to use an alternate compiler)

16. Go to http://www.sysinternals.com/Utilities/SDelete.html and download the program and source package

17. Unzip the package, and you get these files:

18. Double-click on sdel.dsw to load the project up in Microsoft Visual C++ 6.0

19. On the left side of the screen is the workspace panel, with 3 tabs at the bottom - click on the FileView tab

20. Up at the top of the workspace panel, expand the “sdel files” tree, then the “Source Files” tree, and double-click on sdel.c

21. We could scroll through the source manually, scanning for the SecureOverwrite() function but we can jump right to it with the WizardBar C++ Members dropdown:

22. Scroll down a little way until you're looking at this section of code:

23. What we need to do is comment out the switch statement so that the buffer always gets zero filled. You might note that the preceding double slashes on a line designate a comment, but we can block out entire areas as a comment by using /* to start a comment and */ to end it. So put a /* just before the switch(i){ line and a */ just after the closing bracket for the switch so that the code looks like this:

Note:
That the whole switch(i) block now appears in green, indicating that it is commented out.

24. This step is optional, but recommended - jump down to the _tmain() function at the bottom of the file, and add a few lines to the banner to indicate that this is a modified version of the program and is no longer suitable for secure overwrite:

Note:
We have now finished modifying the source - it's time to compile!

25. Up at the top of the screen, you'll see the Build Mini-Bar - click on the second icon on that bar (Build):

...and you'll see lines scrolling in the bottom Output window:

26. Return back to the location that you had uncompressed the files to, and you'll see that there is now a Debug directory. Have a look inside, and you'll see your very own personalized copy of sdelete.exe

27. Usage is very simple - fire up a command prompt, switch to the directory containing the executable, and invoke the sacred words sdelete.exe -z c: Naturally, replace c: with whatever drive you're clearing:

28. To run the shrink – type sdelete –z c:

Warning:
It's not a bad idea to first test this out on a non-production machine to ensure that there aren't any unwanted effects.

Note:
Once all is confirmed well, copy sdelete.exe to your target machine(s) and use the scheduler of your choice to run the program before automated snapshots are made. Naturally, the time it takes to clean a drive depends primarily on the free space available on the drive, so keep that in mind when scheduling.

Using Screen at the Service Console

Note:

A useful and neat utility not included in ESX server is “screen”
You can connect to SSH multiple times using PuTTy, but each is a separate session – so if you have 5 simultaneous tasks to do – you would have to open 5 SSH sessions (login in to each)
Each SSH session must be left open while a process is taking place. So you cannot connect, start a long process, and then disconnect (as you would say using Microsoft RDP and Citrix)
Screen allows you to do have many “windows” in a single PuTTy sessions – and allows you to close your SSH Session – while leaving processes running.
To install screen you have to download these packages from Redhat Linux website. If found clicking at these links did not work – instead I had to crank-up a FTP client and connection anonymously to access the FTP site:

ftp://ftp.redhat.com/pub/redhat/linux/7.2/en/os/i386/RedHat/RPMS/screen-3.9.9-3.i386.rpm

ftp://ftp.redhat.com/pub/redhat/linux/7.2/en/os/i386/RedHat/RPMS/utempter-0.5.2-6.i386.rpm

Installation Procedure

Download the packages above
WinSCP them to your ESX server
Install utempter-0.5.2-6.i386.rpm first with:

rpm -Uvh --nodeps utempter-0.5.2-6.i386.rpm
and then screen with

rpm -Uvh --nodeps screen-3.9.9-3.i386.rpm

Note:
Screen is now installed – its not a service so it shouldn’t be a burden on the service console

Creating “Windows” and Toggling Between Them

Note:

Best to show you this by illustration

Type the command:

screen
You will get a welcome screen… Press [Enter] to clear this screen

Note:
This you first window. Typing screen –ls lists the windows open and socket name allocated to each
Start esxtop
Type control+a followed by c to create a new console window within the screen you have created.

Note:
You can do this multiple times for multiple processes
Start top

Note:
We now have two screen one running esxtop and the other top.
To switch to the next screen (like Alt+Tab in Windows) type:

control+a followed by n

Note:
You can use control+a followed p for the previous screen
Now close your PuTTy session and re-open a brand new session with PuTTy
Type screen –ls to list your screens sockets
To reconnect to your screen:

screen –r 2014.pts-0.esx1

Note:
So what we have seen here – is how to create multiple screens – switch between screens, disconnect and reconnect to running screens. Its not a tool I use that much myself – but I imagine others might find it useful…

To exit the screens you are in – just type exit as you would in PuTTy…

If you want a list of command type control+a followed by ?

If you want to read another guide on screen – see:

http://www.rackaid.com/resources/tips/linux-screen.cfm

Create a bootable Windows ISO which contains a Service Pack

Note:

This how to covers the complete process to integrating a Service Pack to a Microsoft Windows OS, making that integrated install bootable from a CD, and then lastly ripping that CD to an ISO file. This example uses Service Pack 4 for Windows 2000 Advanced Server – but it should work well with any NT still OS from Microsoft.

To complete this task you will need the following software:

The Current Service Pack in this example Service Pack 4 for Windows 2000 -
Smart Project’s ISObuster – http://www.smart-projects.net/
Nero 6 CD Burning Software – http://www.nero.com
WinImage - http://www.winimage.com

Slipstreaming the Service Pack (Sp4 Code)

Create a new directory on your Hard Drive (this example uses c:\win2000cd) and copy the entire contents of the Windows 2000 CD into it - checking that the directory structure, number of files and file sizes are identical to the CD.
Download the SP4 package, and extract it to a directory such as C:\SP4 directory using W2KSP4_EN.EXE –X
Open a command prompt and CD in to c:\sp4\i386\update\
Run update –s:c:\win2000cd\i386

Note:
This starts the slipstreaming process of copying the service pack over the top of the Win2000 CD files. Once done you will receive a confirmation message that Integrated install has completed successfully

Note;
The slip-stream /s switch does change for time to time. For example with Windows XP Service Pack 2, the switch is now called /integrate:

Extracting the Boot Files (ISObuster)

Note:

Before we burn the code to a cd, we need to extract the “boot” files that makes the original CD a bootable drive – these can be burnt to the CD along with our slipstreamed code

Download and Install, Smart Project’s ISObuster
Insert the original Windows 2000 CD in the drive
Load ISObuster
Click at the disk icon for Bootable CD
In the left hand pane, right click the two files bootcatalog.cat and Microsoft Corporation.img

Note:
These files can sometime have different name. Such as Arnes Boot Record.img and BootCatalog.cat
Choose Extract Object
Save the files, where you can easily find them

Note:
Make an exact note of the volume label of the CD – you will need it later.
Close ISObuster

Burning the Boot files and the Slipstreamed Data (Nero 6)

Load Nero (instructions here are based on version 6)
Click File, New and select CDRom (Boot).
On the Boot tab, click on the image file button and change the file type to *.* and browse to the location of IsoBusters extracted Microsoft Corporation.img file.
Under Expert Settings, change to No Emulation and Set Number of loaded sectors to 4.
Click the ISO tab and check set the format type to be Mode 2/XA
Ensure that the 3 boxes under Relax ISO restrictions are enabled
Under the Label tab, make sure that you set the Volume Label to be exactly the same as the label on your Windows 2000 CD (noted under the last stage)
Click New, select the folder containing the updated Windows 2000 (c:\win2000cd\) then Drag 'n' Drop the files into your compilation.
Click the 'Write CD' button
Test, the CD to make sure it boots properly

Creating an ISO file for ESX VM’s (WinImage)

Note:

Some version of Nero will create the ISO file for you. So, there maybe no need for this secondary piece of software.

Install WinImage
Insert your newly burnt CD
In the menu, choose Disk, Create a CD-ROM image
Specify a path and file name for you ISO such as c:\w2ksp4.iso
Click OK

The file is now ready to be transferred to you ESX server vmimages directory

Note:
Alternatively, ISO files can be created at the Service Console with the DD command. However, although this fast and easy, it does no error-checking:

dd if=/dev/cdrom of=\vmimages\w2ksp4.iso bs=32k

The DD command refers to Device-to-Device

Recommendation:
Try testing your ISO with a copy of VM workstation on the machine where you created the ISO. It’s worth checking the ISO works before spending time copying the file.

How to Create a Blank floppy for a VM/Service Console

Note:

You may wish to create a blank floppy disk in a flp format suitable for a VM to write to…
Perhaps a process requires it such as the recovery disks as does an install of Partition Magic or Volume Manager…
This method does not require a physical floppy disk

Logon to the Service Console as ROOT
Create an empty file which is 1440KB in size with:

dd if=/dev/zero of=/vmimages/blankdisk.flp bs=1k count=1440
Then build a vfat file system for the flp file:

mkfs.vfat /vmimages/blankdisk.flp

Note:
Browse to, and connect to the flp file within the VM.

Note:
If you wished to access this floppy file from the Service Console use:

mount -t vfat -o loop /vmimages/blankdisk.flp /mnt/floppy

How to Convert a Floppy Disk into a Flp File

Note:

Perhaps you have a boot disk
Or some software on a floppy that needs to be read in a VM – such a driver disk for LSILogic etc
Or you simply want to take a blank floppy disk and make a flp file from it (as in the previous example)

Logon to the Service Console as ROOT
Insert the floppy disk – blank or otherwise
Mount the floppy disk with:

mount /dev/fd0
Transfer the contents of the disk to a flp file with:

cat /dev/fd0 > /vmimages/floppydisk.flp

Note:
This flp can now be accessed in the same ways as in the previous example

Removing the LILO Boot Loader/ESX

Note:
If you do wish to remove LILO or ESX – you have a number of choices:

delpart (lite version only)
fdisk
Linux Method

Not documented here – you could easily boot of another OS CD – and use its partition tools to wipe the partitions and over-write the MBR with a different loader. However, you more likely to end up with a dual-boot configuration. Another method is find the MS tools SYS.COM and use sys c: to transfer the MBR from a MS-DOS/Win9x disk to the hard-drives MBR.

If your struggling to find these tools, or would prefer other methods visit, http://www.bootdisk.com/utility.htm and the “Partitioning” section for copies and alternatives

With DELPART

Warning:
I found the unattended delpart did the job fine, but the full delpart (which is part of the old NT3.51 resource kit) didn’t get rid of the partitions, and seemed to have no effect what so ever… Perhaps the old version from the old resource kit is not up to the job. So avoid the full delpart utility (which is 124KB in size) and download instead the smaller lite version (1KB in size) which does work

Note:

DELPART is by far the quickest painless method – but the lite version is dangerous as it has no prompts and just wipes the partition table…

Read advice from a Third Party Tipster: http://www.jsiinc.com/SUBM/tip6300/rh6354.htm

Read a Microsoft KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;103049

Download DELPART from Microsoft
Copy to any boot disk of MS-DOS/Win98 type
Type: delpart
Reboot without floppy and the system will not find an OS Boot Loader

With MS-DOS/Win98 FDISK

Note:

This method works fine, but can leave an MS-DOS boot sector/Master Boot Record on the disk. If you re-install ESX it will give you an erroneous DOS option in the LILO. However, it is relatively easy to recompile this out of the LILO menu. These instruction were created with a Win98 start-up disk and fdisk from Win98

Boot from a floppy which contains FDISK
Type FDISK
Choose Y to enable large disk support
Choose Y to allow fdisk to treat all NTFS partitions as large drives
Choose 3, to delete partitions or logical drives
Choose 4, to delete Non-DOS partitions

Note:
Delete all the partitions we need this to be able to delete the EXT3 and VMFS partitions on the disk
Reboot with the floppy still in the drive
Type:

fdisk /mbr

Note:
This will transfer the Master Boot Record of the floppy to the disk, thus removing the LILO boot loader

Linux Method

Note:
We can use LILO to uninstall itself, and then a disk partitioning tool like fdisk/partition magic to delete the remaining partitions. Or if we come to install another OS we could use its partitioning options to delete the partitions from the disk. These instructions came from Microsoft KB article

Logon to the Service Console as ROOT
Type:

lilo –u /dev/sda1

Note:
This removes lilo from the first drive on the first partition by replacing it with the previous boot loader stored in /boot/boot.0300. If the disk was a virgin disk from the beginning – there will be no boot.nnnn file and the –U will have no effect
If the above does not work you can try to find out the name of the boot.nnnn and use the device-to-device (DD) command with it:

cd /boot
dir
dd if=boot.nnnn of=/dev/sda bs=445 count=1

Warning:
This can wipe out your partition table completely!
If the above does work you can use this most dangerous solution, which completely erases your partition table and boot sector

dd if=/dev/zero of=/dev/sda bs=512 count=1

Warning:
This does wipe out your partition table completely and has the same effect as delpart lite

Using VMware-cmd

Note:

This tool is available to the Service Console, and to a local workstation (be it Windows or Linux) as long as you have installed the COM engine (Windows) or the Perl engine (Linux) to the respective OS
It works by manipulating the VMX and sending instructions to the VM via the VMX file.
There is lots you can do with this command. Beyond what is feasible in this document. For further information look at the Scripting Guide for ESX

To List Registered VMS

Type:

vmware-cmd –l

Note:
List paths and names of VMX files. Useful for when you have type long paths to the VMX file

To Register and Un-register a VM

Type:

vmware-cmd –s unregister

/home/lavericm/vmware/instructor1/instructor1.vmx

Note:
Also includes register as a command. S stands for set… You do have to refresh the MUI to make the VM’s appear and disappear

Power Options on a VM

Note

If you use trysoft, the Guest OS will be shutdown gracefully.
The trysoft is a “mode” option – it tries to run the normal scripts but uses a hard shutdown/startup if the VM is not behaving properly.
There are two other “modes” – soft which runs scripts but never does a hard start or stop or “hard” which powers off/on a VM as if you had hit the power switch

To a virtual machine type:

vmware-cmd /home/lavericm/instructor1/instructor1.vmx start trysoft
To a virtual machine type:

vmware-cmd /home/lavericm/instructor1/instructor1.vmx stop trysoft
To a virtual machine type:

vmware-cmd /home/lavericm/instructor1/instructor1.vmx suspend trysoft
To a virtual machine type:

vmware-cmd /home/lavericm/instructor1/instructor1.vmx start trysoft

Note:
There is no resume switch on vmware-cmd – just a power-up which retrieves the suspend file, and resumes the machine
To a virtual machine type

vmware-cmd /home/lavericm/instructor1/instructor1.vmx reset trysoft

Note:
The system will pause the Service Console session while the reboot occurs
To find out the Power Status of a VM use:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx getstate

Note:
It will return “On”; “Off”; “Suspend” and “Stuck” if the VM is waiting for interaction. If you VM requires some kind of interaction (for example you are shutdown a VM which has an undoable disk and you get this prompt:

Then use the command:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx answer

This will appear in the Service Console

Question (id = 156003594) :Select an action for the redo log of undoable disk local:instructor1.dsk.REDO.

        0) Commit
        1) Discard
        2) Keep

Select choice. Press enter for default <0> :

Type 0 and the System will commit changes to the DSK file and reboot/shutdown

Finding the Heartbeat

Type:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx getheartbeat

Note:
You should see a number. Repeat the command. If the number increments the machine is alive. It stays the same it is dead. It doesn’t have a heart beat!

Committing the REDO file to DSK

Type:

vmware-cmd /home/lavericm/instructor1/instructor1.vmx commit scsi0:0 0 0 1

Note:
This commits the redo log of the machine to the first SCSI adapters first disk (in this case the boot disk of the OS). The last 3 parameters 0 0 1 control the level, freeze and wait values.

Level is used when you have one or more REDO file. 0 indicates use the 1^st REDO, and 1 would indicate using the 2^nd REDO. Freeze controls if you going to freeze the machine while the redo file is played against the DSK. 0 means no, and 1 means yes. It’s quicker to freeze the machine, while applying the redo – but it means the server is offline. IF you use Level 0, then freeze is ignored. Wait 1 means that the system returns to operation as soon as commit begins, not waiting for it complete. 0 means wait for the completion of the commit before continuing

If you look at the DSK file before you run this command. You should see a REDO file. If view it after running the command – then the file has gone

Finding the Status Of Devices

Note:

The Vmware-cmd tools is able to find the configuration of the VMX file, and also change entries in the file. To find out what the status is of the CD-ROM you would use:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx getconfig ide0:0.deviceType

Note:
The CD-ROM is emulated (but not Virtualized) IDE 0:0 channel. This is how the CD-ROM is addressed in a Windows Environment. A safe way of learning the VMX variables is just print the VMX file to the console with:

cat /home/lavericm/vmware/instructor1/instructor1.vmx | more

Configuring & Connecting a Device

Note:
As long as you know the name of the variable in the VMX file you can change anything you like from the command line. For example there is a variable called ide0:0.fileName = which controls the path for the CD-ROM be it physical or an ISO image. There is a variable called ide0:0.deviceType = which controls if it is the physical or ISO image (atapi-cdrom for the physical and cdrom-image if it is an ISO file). In this example we will attach an ISO to the CD-ROM and Connect the CD-ROM to the VM. You may wish to have Remote Console open whilst your doing this – to see visually the effect of your changes.

I assume that initially the CD-ROM is connected to the physical CD

First, Disconnect the current device with:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx disconnectdevice ide0:0
Change to the system to use a ISO file instead of a physical CD with:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx setconfig ide0:0.deviceType cdrom-image

Then set the image file to use with:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx setconfig ide0:0.fileName /vmimages/w2k3.iso
To Refresh the OS - Reconnect the device with:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx connectdevice ide0:0

Note:
Now that the CD is set as an ISO file. You merely need to stages 2 and 3 to switch from one ISO file another. The whole process could be put in SH script like so:

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx disconnectdevice ide0:0

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx setconfig ide0:0.deviceType cdrom-image

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx setconfig ide0:0.fileName /vmimages/w2k3ent.iso

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx connectdevice ide0:0

Notes: To Undo and go back to the physical CD-ROM

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx disconnectdevice ide0:0

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx setconfig ide0:0.deviceType atapi-cdrom

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx setconfig ide0:0.fileName /dev/cdrom

vmware-cmd /home/lavericm/vmware/instructor1/instructor1.vmx connectdevice ide0:0

Moving the ESX Server Log Files

Note:

ESX has 3 main log files normally held in /var/log called vmkernel, vmksummary, and vmkwarning. You can relocate them to different place on the hard-drive of the server by the following procedure

Logon to the Service Console as ROOT
Type: nano -w /etc/syslog.conf
Cursor to the bottom of the file where you see:

/var/log/vmksummary
/var/log/vmkwarning
/var/log/vmkernel
Change the paths to the new location
Save the File and Exit Nano
Restart the syslog service with:

/etc/init.d/syslog restart or service syslog restart

which should respond like so:

Shutting down kernel logger:                                       [ OK ]
Shutting down system logger:                                     [ OK ]
Starting system logger:                                                       [ OK ]
Starting kernel logger:                                               [ OK ]

Unattended Installations of VMware Tools

Note:

As VMware Tools installs drivers and they have NOT been “signed” by Microsoft, you will need to lower the security of Windows to allow the install to proceed successfully
Two methods are outlined below

Method One: Scripting

Does not use AD at all, and sets these “driver signing” settings manually, and uses scripts to call the installation – you may require this because either you don’t use AD or you have Windows VM’s which are not fully AD aware such as NT4
Method Two: Active Directory Software Policies
MSI package for VMware Tools in conjunction with Microsoft msiexec utility, and Active Directory policies

Both methods will work with upgrades – you can see the success of upgrades by checking the Build numbers from one version of VMware Tools to another. In my case my ESX 2.1 VM’s have a build number of 7728 whereas my ESX 2.5 VM’s have a build number of 11343
Both methods will require you to get hold of the VMTools Installation files
Many ask why bother with an unattended install of VMware Tools. After all we can include VMware Tools into our Templates/Clones. But what if you have a hundred VM’s already deployed and you upgrade from one version of ESX/vCenter to another?
You will probably want to upgrade because Remote Consoles will report errors:
And so will vCenter will report errors:

On the Summary Page of a VM

On the Summary Page of VM Group
The first stage (whatever your method – scripted or AD) requires getting hold of the VMware Tools source files

Getting hold of the VMTools Installation Files (MSI)

1. Within a VM, Choose Install VMTools and Click the Install button on the dialog box (do not complete the installation)

Note:
This should connect the VM’s Virtual CD to an VMware Tools ISO file

2. Within the VM, browse to the CD-ROM using Windows Explorer

3. On the ROOT of the drive you should see the contents of the CD…

4. Copy ALL of the CD to another location (local or network the choice is yours)

Note:
Do not just take the MSI. It will not work isolation, and requires the other files.

Method One: Scripted

Lower the driver signing security level of the server with:

Properties of My Computer, (System Properties Dialog)
Hardware Tab
Driver Signing Button
Choose © Ignore

Note:
You can change this through the registry (HKLM\Software\Microsoft\Driver Signing). You could lower the security by using regini or a importing a REG file.

Beware that in Windows 2003 Microsoft disabled this “Registry” method on security grounds, because too many vendors were using a registry hack to suppress the warning message.

Microsoft KB article Q298503 outlines why this change was introduced to W2K3 and WinXP. If you are using W2K you can use the registry hack.

The only way to change the Driver Signing feature programmatically in W2K3 and WinXP to do by hand or by a policy – see AD method for more information
Write a batch file or script that calls the MSI (perhaps using the runonce key in Windows, for example

This version, allows a reboot:
msiexec -i "c:\vmtools\vmware tools.msi" addlocal=all /qn

This version suppresses the reboot:
msiexec -i "c:\vmtools\vmware tools.msi" addlocal=all /qn REBOOT="ReallySuppress"

Note:
Script and install must run in under the context of Administrator account for this to be successful. –i switch does an installation; addlocal=all switch instructs the msiexec tool to install all the available features locally;/qn does a quiet install with no UI. For more information about using msiexec consult MS KB Q314881

Method Two: Active Directory Method

Note:

In this example AD was running in Windows 2003 – but I’m sure these settings would work in Window 2000 AD
I realized that an administrative installation would be required after reading a MS document on System Management 2.0 which stated:

” When you use SMS 2.0 to distribute a Windows Installer setup package, you must first set up the package source directory using Windows Installer's administrative installation. An administrative installation installs a source image of the application that is similar to a source image on a CD-ROM, but that can be installed directly from a network location. An administrative installation also prepares an application so that it can be run directly from the network location.

You perform an administrative installation by using the Windows Installer /a command-line option.

MSIEXEC /a setup.msi

An administrative installation performs all actions (such as expanding compressed files) that are required to either install or run the package directly from the network location. The package author determines the exact operations to be performed for a package during an administrative installation.”
Overview of Procedure

o Copy VMware Tools to a File Server

o Create an Administrative Installation of VMware Tools

o Create an OU for all the VM’s, Create a GPO that weaken the Driver Signing Security and Computer Software policy to allow the installation to occur

Create an Administrative Install of VMware Tools
Open a command prompt and change into the directory where you copied the install of VMware Tools
Type, msiexec /a "VMware Tools.msi"
Choose Next

Note:
Notice how the dialog box states “The installation will create a server image of VMware Tools at a specified network location”
Type a path to where you want your admin installation to be created such as C:\VMare-Tools-W2K and click the Install button
Click Finish
Share out the directory created, in my case C:\VMware-Tools-W2K
Weakening the Driver Signing Security using a AD Policy

Note:
These instructions come from MS KB article Q298503.

In Active Directory Users & Computers
Create an OU which contains all your VM’s
Move all you computer accounts for those VM’s to the New OU
Right-click the OU, Select the Group Policy Tab
Click New, and type in a name such as VMware Tools Software Policy
Expand + Computer Configuration, Windows Settings, Security Settings, Security Options
Locate the policy called:

Device: Unsigned Driver Installation Behavior
Choose X Silently Succeed
Choose OK and Close all Windows
Creating a Computer Software Installation Policy
Expand + Computer Configuration, Software Settings
Right-click Software Installation
Choose New, and Package
Browse to your file server, and select the MSI File, in my case \\fileserver1\VMware-Tools-W2K\VMware Tools.msi
Choose © Assigned

Note:
If you have Virtual center, like me, you can schedule a reboot which should force it to refresh the policy and install the VMware Tools. When the reboot happens you will see a dialog like this:

or

The VM will automatically reboot itself as is required in the new version of VMware Tools 3.0

Windows 2003 “Shutdown Event Tracker” Error

Note:

An error appears when using the “Virtual Machine Start-Up and Shutdown” feature with W2K3 – which automatically starts and shutdown VM’s when ESX Server is shutdown and restarted
I believe this error may have been written out of the ESX product after 2.5
This does not happen if an operator manual shutdowns the W2K3 through the Remote Console or via the MUI
After login on with the Remote Console or with RDP the operator receives this dialog box:
To correct this problem you need to manually edit the VM’s VMX configuration file

Logon to the MUI using VM Admin account, in my case lavericm
Power down the VM gracefully
Select the properties of the VM
Click the Options Tab, and underneath Verbose Options, select the click here link
Click the Add… link
In the 1^st dialog box create an option name called autostop
Choose OK
In the 2^nd dialog box set a value of softpoweroff
Choose OK
Choose OK in the Options page
Choose Close in the Properties page

Note:
If you have a large number of W2K3 VM’s and would prefer to do this via the command-line at the Service Console. You can do this while the VM is powered up – but I found I had do to boots of ESX to remove stop the “Shutdown Event Tracker” dialog box appearing.

Use this command (one continuous string)

echo autostop = softpoweroff >> /lavericm/vmware/instructor1/instructor1.vmx

Creating ESX Hardware Report

Note:

There are two methods of creating or viewing a hardware report
The first method uses kudzu command at the service console like so:

kudzu –s –p > esxhwreport.txt
Much better than this is the information from the “old” MUI for ESX 1.0 days
Navigate to:

Logon to the MUI as ROOT
Navigate to https://esxserverhostname/hstatus

You will get a page like so:

Firewall Tutorial

Note:

This is a tutorial of how to set-up Vmware ESX to acts as a firewall. In my configuration there is a router which ADSL based connected to the internet,A Microsoft ISA Server (2000) and Network Address Translation Server. See diagram below…

Define the Switches

Note:
In this scenario there are 3 networks as consequence we need 3 switches (2 internal/inbound and 1 External/Outbound)

Internal/inbound network between Workstation1 and the NAT using 192.168.4.0 as the IP network ID
Internal inbound network between the NAT and the ISA server – populated with just one workstation configured to communicate to the ISA Server using a 192.168.3.0 as the IP network ID
External/Outbound network from the ISA server to the ADSL router which is listening on the IP network ID of 192.168.2.1

Logon to the MUI as ROOT
In Options, Network Connections
Create three switches I will name them after the network ID’s used for ease of identification

External (192.168.2.0) – and enable X Outbound Adapters
192.168.3.0 – do not enable outbound adapters
192.168.4.0 – do not enable outbound adapters

Define the Virtual Machines

Note:
This design calls for 4 virtual machines – two off them running any client OS you like called Workstation1 and Workstation2 (I used Windows 2000 Professional) and two of them run Windows 2000 Server called NAT and ISA

Workstation1:

Name: Workstation1 (behind NAT)
Network Adapter connected to Switch 192.168.4.0

Workstation2:

Name: Workstation2 (behind ISA)
Network Adapter connected to Switch 192.168.3.0

NAT

Name: NAT
Network Adapter connected to Switch 192.168.3.0
Add a second network adapter
Network Adapter 2 connected to Switch 192.168.4.0

ISA

ISA
Network Adapter connected to Switch External (192.168.2.0)
Add a second network adapter
Network Adapter 2 connected to Switch 192.168.3.0

Note:
At the end of this process your view should look something like this:

Set the IP’s

Note:
We will use the principle of using low numbers for servers/routers and high numbers for workstations. The workstations are easier to setup – because they only have one network card. The NAT/ISA servers are trickier – as it isn’t easy to identify the relationship between the Virtual NIC and which switch they are connected to. The first NIC is seen by Windows as Local Area Connection and the Network Adapter 2 is seen as Local Area Connection2.

Workstation1

IP: 192.168.4.100/24
DG: 192.168.4.1
Rename Adapter to be called 192.168.4.0

Workstation2

IP: 192.168.3.100/24
DG: 192.168.3.1
Rename Adapter to be called 192.168.3.0

NAT

On Local Area Connection

IP: 192.168.3.2/24
DG: NONE
Rename to be called 192.168.3.0

On Local Area Connection2

IP: 192.168.4.1/24
DG: NONE
Rename to be called 192.168.4.0

ISA

On Local Area Connection

IP: 192.168.2.2/24
DG: 192.168.2.1
P DNS: 217.79.96.163
S.DNS: 217.79.11.7
Rename to be called (External) 192.168.2.0

Note:
Substitute these values for your values on your router/ASDL

On Local Area Connection2

IP: 192.168.3.1/24
DG: NONE
Rename to be called 192.168.3.0

Confirming IP Communication

Note:

Before going any further it is worth while doing some simple PING tests before continuing. If this doesn’t work – its not worth setting up the NAT or ISA server. If these don’t work – it could be mainly 3 issues – you machine is connected to the wrong switch or the machine your pinging is connected to the wrong switch – or alternatively – the IP is set incorrectly. In case of the NAT/ISA server you may have got the IP’s the wrong way round…

Test From Workstation1

Ipconfig
Ping 192.168.4.1

Note:
At this stage the workstation should not be able to connect to the internet (as there is no proxy server address) and shouldn’t be able to ping 192.168.3.100 or 192.168.3.1 as the NAT is not set up yet.

Test From Workstation2

IPconfig
Ping 192.168.3.1
Ping 192.168.3.2

Note:
These are the ISA and NAT IP address which are on the same network as Workstation2

Test From NAT

IPconfig
ping 192.168.3.1

Note:
No need to ping workstation1 – as that has already been done.

Test ISA Server

IPconfig
ping 192.168.2.1
Browse the internet

Note:
Prior to the ISA server install – as this machine has the correct IP’s for the ADSL router, and has DNS address as well – you should be able to get to the internet. After the ISA install you will no be able to do this!

No need to ping NAT – as that has already been done. No need to ping Workstation2 as that has already been done.

Setting up the NAT (Windows 2000)

From Administrative Tools, run Routing and Remote Access Server
Right-click the Server Icon and choose Configure Routing and Remote Access
Choose Next
Select © Use the selected internet connection and choose 192.168.3.0 (192.168.3.2)

Note:
This is the network which is “foreign” to Workstation1 to which the NAT with translate IP’s with 192.168.4.0 to 192.168.3.0. This translation is one-way from 4.0 to 3.0 – not in the other direction
Choose © I will set up name and address services later

Note:
In my example everything is statically configured. You can use real DNS and DHCP servers to provide name resolution for internal names – my concern is just getting it up and running
Next and Finish
Expand the + IP routing node and select Network Address Translation icon

Node:
you should see two interfaces listed – 192.168.4.0 and 192.168.3.0. If you double click 192.168.3.0 it should be set to be a © Public interface connected to the internet. If you double click 192.168.4.0 I should say © Private interface connected to a Private Network
TEST

From Workstation1 you should now be able to ping
192.168.3.1 (the ISA server)
192.168.3.100 (workstation2 on the 3.0 network)
Packets should decrement by factor of one – so the TTL will be 127

Setting Up ISA Server (Windows 2000/ISA 2000)

Note:
I set up with ISA Server 2000 – mainly because I don’t have a copy of Checkpoint or ISA 2004 – but I would have thought the setup would be much the same

Run the setup program
Type in your license number
Agree the EULA
Choose Full Installation
Choose Yes, to continue to the message about not having an updated schema – my install doesn’t use AD and the boxes are just in a workgroup
Choose OK, to defaults for caching on the ISA Server
Setting up the LAT (Local Address Table)

From: 192.168.3.1
To: 192.168.3.254

Note:
The LAT tells the server which IP address are internal – and therefore should be sent to the internet. Notice how I am NOT including the IP of the ISA server itself.
Click Add and Next

Note:
You may get a warning about “Message Screener” not working properly – due to the lack of SMTP on the box – just click OK
Remove the X for “Starting ISA Server getting started wizard” and Click OK

Note:
We now need to configure one rule to allow outbound http/ftp access…
From the Start Menu, Programs, Microsoft ISA Server – runthe ISA Management tool
Expand + Servers and Arrays, and the + The name of your server
Choose + Access Policy, Protocol Rules
Click the link that states “Create a protocol rule for Internet Access”
In the edit box type: HTTP/FTP Allowed and Click Next
Remove the X next to the Gopher Protocol (which is now redundant)
Next your way through the remaining dialog boxes – which just allow you to restrict access by time and client side IP address

Configure Clients

Note:

Now that ISA server is set-up we should be able to reconfigure the workstations to use the ISA server in IE. It is best in this example to begin with Workstaion2, and then Workstation1. If workstation2 works but Workstation1 does not – this will indicate a problem with the NAT

Open IE
Tools, Options, Connections
Click the LAN Settings button
Type in the IP of the ISA server – 192.168.3.1 and port number of 8080
Start UP IE, and see if you can get to the internet

Note:
Repeat this for Workstation1

Purpose of this guide

Change Log from 1.1 to 1.2

Change Log from 1.2 to 1.3

Change Log from 1.3 to 1.4

Change Log from 1.4 to 1.5

Virtual Disk Management

Add in a SCSI Disk

Boot to Floppy/CD-Rom that Contains GHOST.EXE

Ghost the IDE drive to the SCSI Drive

Test the SCSI Disk in a New Virtual Machine

Set your Environmental Variable

To See the Partition Table in the Virtual Disk

To Mount the 2nd Partition in the Virtual Disk

To View Mount Drive Letters

To Delete a Drive Mapping to a Virtual Disk

Installing Backup Exec to a Windows Machine

Updating the Service Console’s Services File

Confirming Name Resolution to Backup/Media Server

Installing the Backup Exec UNIX/Linux Agent to the ESX Server

Enabling the Backup Exec Agent to see VMFS partitions

Starting a Backup of ESX from Veritas Backup EXEC

Changing the Disk Type

Committing You Changes

Backing a VM while it is running

Gzip

Tar

Zip

Shrinking Virtual Disks and Automating Shrink with the Sdelete Tool

The Issue

The Evidence

The Solution

Physical Disk Management

Unattended Installation of ESX

Update the MUI

Confirming the Update to the MUI

Page 1 - Types of Installation (Remote)

Page 2 - Static IP Address/Hostname

Page 3 – License Agreements & Numbers

Page 4 – Initial Partition Scheme (NO VMFS)

Page 5 – Download Boot Image File

Start the Installation

Post-Installation Tasks

Add in your License(s)

Start-Up Profile

Storage Configuration

Swap Configuration

Network Connections

Security Configuration

Clone ESX Server with Symantec Ghost

For Current Up Time

For Future Up Times (/etc/sysconfig/network)

For Current Uptime

For Future Uptimes (/etc/sysconfig/network)

At the Service Console

At Windows 2003 Certificate Authority

Back at the Service Console

Controlling the ESX User Interfaces

For Current Uptime

For Future Uptimes (/etc/sysconfig/network)

Edit the Host File to Reflect Change in Name (/etc/hosts)

Edit the HTTP.conf file to Reflect Change in Name in the MUI

Regenerate Certificates after Renaming the ESX Server

At the Service Console

At Windows 2003 Certificate Authority

Back at the Service Console

Allow ALL Users except (Username)

Deny ALL Users except (Username)

Disable Access to the MUI Completely for ALL users

Disabling the “Add Virtual Machine” button for ROOT

Stage One: Duplicate and Modify sxMonitor.html

Stage Two: Modify main.js to include an IF Statement

Step 1: Create the Active Directory Objects

Step 2: Create ESXAdmin group

Step 3: Download and Install the OpenLDAP RPM’s

Step 4: Configure the ldap.conf file

Step 5: Configure and Test the LDAP_Search File

Step 6: Set LDAP_Search to at an Regular Intervals

Enforcing Traceability in the Service Console – Deny SSH Access to ROOT

On a Specific VM

For ALL VM’s by changing the Default Permission Scheme

To Mount the 2^nd Partition in the Virtual Disk