The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘VMware’ Category

Need to do some reading on local domains on the internal network

Posted by jpluimers on 2021/04/09

For a long time I wondered why ESXi systems on my local network list their own host name twice in /etc/hosts:

[root@ESXi-X10SRH-CF:~] cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1     localhost.localdomain localhost
192.168.71.91   ESXi-X10SRH-CF ESXi-X10SRH-CF

Then I bumped into someone who had a different setup:

[root@ESXi-X10SRH-CF:~] cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1     localhost.localdomain localhost
192.168.0.23    esxi.dynamic.ziggo.nl esxi

So now I knew that the first name on that line can be a fully qualified one with a domain part (it still makes me wonder why Ziggo uses a domain under its public ziggo.nl to name local machines; searching for dynamic.ziggo.nl did not get me any further on that).

So I installed a quick ESXi machine on that local network, and got the same.

When back home, the machine still thought it was esxi.dynamic.ziggo.nl, though clearly I was outside a Ziggo network.

I wanted to get rid of it, but that was hard.

Since I forgot to take screenshots beforehand, I can only provide the ones without a search domain below.

Reminder to self: visit someone within the Ziggo network, then retry.

Normally you can edit things like these in the default TCP/IP stack. There are two places to change this:

Neither of these allowed me to change it to a situation like this, but luckily the console did.

In the files below I had to remove the dynamic.ziggo.nl parts (the search entry in resolv.conf, and the domain suffix of the host name in esx.conf and hosts), then restart the management network (I did keep a text dump, lucky me):

[root@esxi:/etc] grep -inr ziggo .
./vmware/esx.conf:116:/adv/Misc/HostName = "esxi.dynamic.ziggo.nl"
./resolv.conf:2:search dynamic.ziggo.nl 
./hosts:5:192.168.71.194    esxi.dynamic.ziggo.nl esxi
[root@esxi:/etc] cat /etc/resolv.conf 
nameserver 192.168.71.3
search dynamic.ziggo.nl 
[root@esxi:/etc] cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1     localhost.localdomain localhost
192.168.71.194  esxi.dynamic.ziggo.nl esxi
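As an added example (not code from the original post), here is a small Python check for the situation above: it parses the resolv.conf and /etc/hosts contents from the listing, shows which names a glibc-style resolver would actually query for an unqualified name such as esxi (search suffixes are appended before the bare name is tried), and flags any domain the host carries that is not in a set of domains you run yourself. The file contents are the ones listed above; the set of "own" domains, the function names and the glibc ndots=1 rule are assumptions of the example, not something the post states.

```python
# Added example, not code from the original post: parse the resolv.conf and
# /etc/hosts shown above, show which names a resolver would actually query for
# an unqualified host name, and flag any domain the host carries that is not
# one you run. File contents are copied from the listing; the "own domains"
# set, the function names and the ndots=1 rule are assumptions of this example.
LISTED_RESOLV_CONF = """\
nameserver 192.168.71.3
search dynamic.ziggo.nl
"""

LISTED_HOSTS = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1     localhost.localdomain localhost
192.168.71.194  esxi.dynamic.ziggo.nl esxi
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains).

    As in glibc, a later 'search' or 'domain' line replaces an earlier one."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            nameservers.append(rest[0])
        elif key in ("search", "domain"):
            search = [d.lower().rstrip(".") for d in rest]
    return nameservers, search


def parse_hosts(text):
    """Return {name: address} for every name in /etc/hosts; first mapping wins."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def search_candidates(name, search, ndots=1):
    """Names a glibc-style resolver tries for `name`, in order.

    A name with fewer than `ndots` dots gets every search suffix appended
    before it is tried as-is; a name with a trailing dot is absolute."""
    if name.endswith("."):
        return [name.rstrip(".")]
    qualified = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + qualified
    return qualified + [name]


def foreign_domains(resolv_text, hosts_text, own_domains):
    """Domains in the search list, or in the host's own FQDN, that are not in
    `own_domains`. An empty result means the host carries no stale domain."""
    allowed = {d.lower() for d in own_domains} | {"localdomain"}
    _, search = parse_resolv_conf(resolv_text)
    suspects = {d for d in search if d not in allowed}
    for name in parse_hosts(hosts_text):
        if "." in name:
            domain = name.split(".", 1)[1]
            if domain not in allowed:
                suspects.add(domain)
    return sorted(suspects)


if __name__ == "__main__":
    _, listed_search = parse_resolv_conf(LISTED_RESOLV_CONF)
    print(search_candidates("esxi", listed_search))
    print(foreign_domains(LISTED_RESOLV_CONF, LISTED_HOSTS, own_domains=set()))
```

The point of the check: once the host leaves the Ziggo network, the search list still causes a lookup for the unqualified name esxi to go out as esxi.dynamic.ziggo.nl first, a name under a domain you do not control, so any search domain you did not configure yourself is worth removing. On ESXi the supported way to change these values is the host client or esxcli (for instance esxcli network ip dns search remove --domain=dynamic.ziggo.nl and esxcli system hostname set) rather than editing /etc/vmware/esx.conf by hand, as that file is rewritten by the host.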

Future steps

  1. Read more on local domains, search domains and related topics
  2. Configure a local domain on my local network, so DHCP hands it out, and DHCP handed out host names are put in the local DNS
  3. Test if all services on all machines still work properly

Reading list


Posted in DNS, ESXi6.5, ESXi6.7, Hardware, Internet, Mainboards, Network-and-equipment, Power User, SuperMicro, Virtualization, VMware, VMware ESXi, X10SRH-CF, X9SRi-3F

Supermicro Single CPU Board for ESXi Home lab – Upgrading LSI 3008 HBA on the X10SRH-CLN4F | ESX Virtualization

Posted by jpluimers on 2021/04/09

This LSI 3008 HBA update to IT firmware is still on my wish list, but I could not find it when I bought the board in 2018.

[WayBack] Supermicro Single CPU Board for ESXi Home lab – Upgrading LSI 3008 HBA on the X10SRH-CLN4F | ESX Virtualization:

As you know my lab got an addition this year with Supermicro’s Single CPU board, the X10SRH-CLN4F. In this post we will be upgrading LSI 3008 HBA on the X10SRH-CLN4F.

I have learned a new way to patch via UEFI. In fact, it's the same as (or easier than) through a DOS-based bootable USB. The IT firmware can be reverted back to IR firmware, as the ZIP package contains both versions. So in case you need a server with hardware RAID, you can use the IR version. I was actually wondering what IT and IR mean, and here is what I found on the LSI (Avago) website:

“IT” firmware maximizes the connectivity and performance aspects of the HBA. “IR” firmware offers RAID functionality via RAID 0, 1, and 10 capabilities.

Via:

SR-IOV?

The step afterwards is to enable SR-IOV for this LSI 3008 HBA.

These links should help with that:


–jeroen

Posted in Power User, VMware, Hardware, VMware ESXi, Virtualization, Mainboards, ESXi6.5, SuperMicro, X10SRH-CF, ESXi6.7

The tale of [SSH into ESXi 6.7 box resulting in “debug1: expecting SSH2_MSG_KEXDH_REPLY”, delay and after entering password “Permission denied, please try again.”]

Posted by jpluimers on 2021/04/02

A similar ESXi 6.5 box worked well to ssh into, but on ESXi 6.7 it failed:

SSH into ESXi 6.7 box resulting in “debug1: expecting SSH2_MSG_KEXDH_REPLY”, delay and after entering password “Permission denied, please try again.”

I had a hard time figuring out why: logging in with the same user and password on the web user interface, the DCUI and the console shell worked fine (see [WayBack] Enable SSH on VMware ESXi 6.x – VirtuBytes).

Searches that led me to EBCAK:

It almost felt like the /etc/passwd file thought the user had an empty password, but in fact it did not.

Adding an AllowUsers clause to /etc/ssh/sshd_config on ESXi, then running /etc/init.d/SSH restart, failed as well, and should not be needed anyway: by default all users with a valid shell can log in, and on ESXi that includes root, as sshd_config has PermitRootLogin yes (via [WayBack] server – Permission denied please try again ssh error – Ask Ubuntu).

Setting LogLevel debug instead of LogLevel info in /etc/ssh/sshd_config did not change anything (not even after restarting sshd or rebooting): it did not add any logging to /var/log/syslog.log or to any of the log files under /var/log or /scratch/log.

Ruling out lock-down mode:

# vim-cmd vimsvc/auth/lockdown_is_possible
false
# vim-cmd vimsvc/auth/lockdown_is_enabled
false

See [WayBack] New vSphere 4.1 CLI Utilities Marketing Did Not Tell You About Part 3 and [WayBack] HOW TO: Enable or Disable Lockdown Mode on VMware vSphere ESXi host | vStrong.info

Q: What is Lockdown Mode?
A: Lockdown Mode prevents users from logging in directly to the host. The host will only be accessible through the local console or vCenter Server. None of the remote management options (e.g. vCLI, PowerCLI scripts, SSH) will work. When it is enabled, only vpxuser has authentication permissions and can connect to the host remotely.

No password login also means no passwordless login

The above also rules out the easy route of uploading my public keys for passwordless login, as described in [WayBack] ssh root@host – Permission denied, please try again. – Tarran Jones.

Delay annoyance

There is also an annoyance: it takes about 10 seconds before you can enter the password (adding -v -v -v reveals the wait is at debug1: expecting SSH2_MSG_KEXDH_REPLY).

Disabling/enabling SSH from the DCUI: not fully disabled

After disabling SSH from the DCUI, I could still connect over SSH.

So then I disabled the TSM-SSH service from the web interface, as it hosts the SSH service (despite the DCUI telling me SSH was disabled, TSM-SSH was still active, strange!). I could still perform my ssh command!

Then it occurred to me: the IP address in the web browser was one off from the IP address in my ssh command.

By sheer coincidence, the IPMI IP address was one lower than the LAN1 IP address. I had been ssh-ing into the IPMI interface all the time, never realising IPMI had SSH support in the first place!

Restarting the TSM-SSH service now suddenly did get me LogLevel debug output in /var/log/auth.log (backed by /scratch/log/auth.log and duplicated in /vmfs/volumes/<<ssd-volume>>/.locker/log/auth.log).

Learned three things

So I learned three things the hard way:

  1. Be more careful with IP-addresses
  2. IPMI does SSH (but it is barely documented)
  3. DCUI enable/disable of SSH is not complete; TSM-SSH is
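The first lesson, checking which box you are actually talking to, can be automated before any password troubleshooting: two addresses that present different SSH host keys are two different devices, whatever the login screen says. Below is an added example (Python, not code from the original post) that computes OpenSSH-style SHA256 fingerprints from known_hosts entries and tells whether two addresses present the same host key. The known_hosts content, the two neighbouring addresses and the key bytes are constructed for this example and stand in for an ESXi host and its IPMI controller; nothing here is taken from the author's systems.

```python
# Added example, not code from the original post: compare the SSH host key
# fingerprints behind two addresses before troubleshooting an auth failure.
# The keys, addresses and known_hosts lines below are constructed for this
# example; they are not real keys from the author's ESXi host or IPMI controller.
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(seed):
    """Build an ssh-ed25519 public key blob around 32 constructed bytes.

    The 32 bytes are a hash of `seed`, standing in for a real public key;
    the blob layout (string "ssh-ed25519" + string key) is the real one."""
    pub = hashlib.sha256(seed).digest()
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host, seed):
    """One unhashed known_hosts entry for a constructed key."""
    return f"{host} ssh-ed25519 {base64.b64encode(make_ed25519_blob(seed)).decode()}"


# Constructed known_hosts: two neighbouring addresses, two different devices,
# plus a DNS name that points at the same device as the first address.
KNOWN_HOSTS = "\n".join([
    known_hosts_line("192.168.71.91", b"constructed-esxi-host-key"),
    known_hosts_line("192.168.71.90", b"constructed-ipmi-bmc-key"),
    known_hosts_line("esxi.lan", b"constructed-esxi-host-key"),
])


def parse_known_hosts(text):
    """Return {hostname_or_ip: fingerprint}.

    Comma-separated host fields are split; '@cert-authority'/'@revoked'
    markers and comments are skipped. Hashed '|1|...' entries are parsed
    but cannot be looked up by name, so use HashKnownHosts no for this."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith("@"):
            continue
        hosts, _keytype, key64 = line.split()[:3]
        fp = fingerprint(base64.b64decode(key64))
        for host in hosts.split(","):
            out[host] = fp
    return out


def same_device(known, a, b):
    """True only when both addresses are known and present the same host key."""
    return known.get(a) is not None and known.get(a) == known.get(b)


def group_by_key(known):
    """Invert the map: fingerprint -> sorted names/addresses presenting that key."""
    groups = {}
    for host, fp in known.items():
        groups.setdefault(fp, []).append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for fp, hosts in group_by_key(known).items():
        print(fp, "->", ", ".join(hosts))
    print("same device:", same_device(known, "192.168.71.91", "192.168.71.90"))
```

In practice you would feed it the output of ssh-keyscan -t ed25519 for the two addresses (it prints known_hosts-format lines) and compare the fingerprints with what ssh-keygen -lf reports for the key files on the ESXi host itself; a fingerprint that is not the host's own is the quickest way to notice that the address belongs to the BMC, long before you start doubting /etc/passwd.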

Some references:

–jeroen

Posted in ESXi6.5, ESXi6.7, Hardware, IPMI, Mainboards, Power User, SuperMicro, Virtualization, VMware, VMware ESXi

Disable ESXi Password Complexity – Perfect Cloud

Posted by jpluimers on 2021/03/29

Sometimes you have a long enough password, that matches with the confirmation, but pressing “Enter” to continue gives “Password does not have enough character types”:

From [WayBack] Disable ESXi Password Complexity – Perfect Cloud:

A part of my job as a VMware Certified Instructor is to update our lab systems whenever new vSphere versions come out.   After upgrading from 5.5 to 6.0 I decided we should change passwords, h…

This is the workflow:

  1. Make a backup of /etc/pam.d/passwd.
  2. Use vi to edit /etc/pam.d/passwd, and:
    1. Put a # in front of the lines starting with password requisite
    2. Remove the use_authtok bit of the line starting with password sufficient
    3. Put a # in front of the line starting with password required
    4. Quit vi while saving (press Esc, then enter :wq on the prompt)
  3. Change the password to a less secure one
  4. Restore the original /etc/pam.d/passwd.

Via: esxi 6 force short password – Google Search

Working around this during ESXi installation fails

I tried this:

  1. Press Alt-F1 to go from the installation screen to the console screen
  2. Log on as root, with no password at all, to get to the command prompt:

  3. Perform the /etc/pam.d/passwd editing steps above
  4. Press Alt-F2 to go back to the install screen
  5. Enter root password

The password requirements stayed.

(more screenshots at [WayBack] ESXi 6.7 installation Guide – Let We-i Go)

Related

On my ESXi 6.5 system, where the use_authtok bit is removed from the password sufficient line, besides the two other lines being commented out:

  1. original /etc/pam.d/passwd:
    #%PAM-1.0
    
    # Change only through host advanced option "Security.PasswordQualityControl".
    password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
    password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
    password   required     /lib/security/$ISA/pam_deny.so
    
  2. modified /etc/pam.d/passwd:
    #%PAM-1.0
    
    # Change only through host advanced option "Security.PasswordQualityControl".
    #password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
    password   sufficient   /lib/security/$ISA/pam_unix.so nullok shadow sha512
    #password   required     /lib/security/$ISA/pam_deny.so
    

On my ESXi 6.7 system (which adds the pam_pwhistory lines, tied to the Security.PasswordHistory advanced option, to the file):

  1. original /etc/pam.d/passwd:
    #%PAM-1.0
    
    # Change only through host advanced option "Security.PasswordQualityControl".
    password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
    
    # Change only through host advanced option "Security.PasswordHistory"
    password   requisite    /lib/security/$ISA/pam_pwhistory.so use_authtok enforce_for_root retry=2 remember=0
    
    password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
    password   required     /lib/security/$ISA/pam_deny.so
    
  2. modified /etc/pam.d/passwd:
    #%PAM-1.0
    
    # Change only through host advanced option "Security.PasswordQualityControl".
    #password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
    
    # Change only through host advanced option "Security.PasswordHistory"
    #password   requisite    /lib/security/$ISA/pam_pwhistory.so use_authtok enforce_for_root retry=2 remember=0
    
    password   sufficient   /lib/security/$ISA/pam_unix.so nullok shadow sha512
    #password   required     /lib/security/$ISA/pam_deny.so
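To see why a password that looks long enough is still refused with "Password does not have enough character types", here is an added example (Python, not code from the original post nor from pam_passwdqc itself) that re-implements only the min= rule from the pam_passwdqc.so lines in the workflow and the listings above, using ESXi's default of min=disabled,disabled,disabled,7,7. It follows passwdqc's documented class counting, including the rule that an uppercase letter at the start and a digit at the end do not count as extra classes. The dictionary, similarity and passphrase checks of the real module are deliberately left out, and the reason strings and function names are this example's own.

```python
# Added example, not code from the original post or from pam_passwdqc: a
# re-implementation of the passwdqc "min=" rule, enough to predict the
# "not enough character types" rejection before trying a password on a host.
# Dictionary, similarity and passphrase checks are omitted on purpose.
import sys

DISABLED = sys.maxsize  # passwdqc reads min=disabled as a length no password reaches

ESXI_DEFAULT = "min=disabled,disabled,disabled,7,7"  # from the pam.d listings above

# min= index for a given number of character classes; min[2] is the
# passphrase threshold, which this example does not implement.
MIN_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}


def parse_min(option):
    """Parse 'min=N0,N1,N2,N3,N4' into five ints; 'disabled' becomes DISABLED."""
    fields = option.split("=", 1)[1].split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    return [DISABLED if f == "disabled" else int(f) for f in fields]


def character_classes(password):
    """Count passwdqc's classes (digits, lowercase, uppercase, other).

    An uppercase letter at the start and a digit at the end do not count,
    because that is where everybody puts them."""
    digits = sum(c.isdigit() for c in password)
    lowers = sum(c.islower() for c in password)
    uppers = sum(c.isupper() for c in password)
    others = len(password) - digits - lowers - uppers
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def check_password(password, min_option=ESXI_DEFAULT):
    """Return None if the password satisfies the min= rule, else a reason.

    Like passwdqc, the class count is walked downwards: a password is accepted
    when it meets the minimum length for its own class count or for any
    smaller one (the thresholds are expected to be non-increasing)."""
    if not password:
        return "empty password"
    minimum = parse_min(min_option)
    classes = character_classes(password)
    length = len(password)
    for n in range(classes, 0, -1):
        if length >= minimum[MIN_INDEX[n]]:
            return None
    enabled = [minimum[MIN_INDEX[n]] for n in range(classes, 0, -1)
               if minimum[MIN_INDEX[n]] != DISABLED]
    if not enabled:
        return f"not enough character types ({classes} counted)"
    return f"too short for {classes} character types: {length} < {min(enabled)}"


if __name__ == "__main__":
    for candidate in ("Password1", "Passw0rd", "pa55w.rd", "aB3!", "Xyzzy.Plugh7"):
        print(repr(candidate), character_classes(candidate), check_password(candidate))
```

With the ESXi default, "Password1" counts as a single class (the leading P and trailing 1 are discounted) and is refused however long it is, while "pa55w.rd" passes with three classes at eight characters. The comment in the file itself points at the supported knob: the advanced option Security.PasswordQualityControl takes the same retry=... min=... string, so a weaker policy can be set (and later audited) there instead of editing the PAM stack by hand. Either way, restoring the original /etc/pam.d/passwd afterwards only re-enables the policy for future changes; the weak password set in between stays in place.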
    

–jeroen

Posted in *nix, ESXi6, ESXi6.5, ESXi6.7, Power User, Virtualization, VMware, VMware ESXi

Supermicro | Products | Motherboards | Xeon® Boards | X9SRi-3F

Posted by jpluimers on 2021/03/12

I still like this board: Supermicro | Products | Motherboards | Xeon® Boards | X9SRi-3F.

It has been in a storage solution for a while, uses an acceptable amount of power, does not have many SATA ports, but has enough slots for expansion cards, and comes with two network connections and 8 memory slots, which I fitted with a total of 256 gibibyte of memory.

Some links, as SuperMicro tends to hide them behind POST requests:

Note that IPMI through the Java Web Start.app runs into certificate signing issues, so better use Supermicro IPMIView for this:

IPMIView links via:

The errors when running the KVM Console from your web browser are waved away by SuperMicro, but more and more people bump into them:

–jeroen

Posted in Development, Hardware, Mainboards, Power User, Software Development, SuperMicro, Virtualization, VMware, VMware ESXi, X9SRi-3F
