Monthly Archives: August 2006

Uncategorized

An introduction to VMware Infrastructure 3

VMware Infrastructure 3
Recently, I’ve been working on a server virtualisation proof of concept, using VMware Infrastructure 3 Enterprise. Up until now, my virtualisation experience has all been at the low and mid-end of the market (VMware Player, VMware Workstation, VMware Server, Microsoft Virtual PC and Microsoft Virtual Server) and it’s been really good to get my hands on some enterprise-class virtualisation software (Microsoft Virtual Server 2005 R2 is pretty good, but it doesn’t have a lot of the high end features in the VMware solution, even with the forthcoming Microsoft System Center Virtual Machine Manager; having said that, Virtual Server is free and VMware Infrastructure 3 prices start off with four digits to the left of the decimal point and keep on climbing as you add processors and features – it really is like comparing chalk and cheese!).

VMware Infrastructure 3 includes:

VMware Infrastructure 3

I’ve been using a development system with an HP StorageWorks Modular Storage Array (MSA)-based fibre-attached storage system, an HP SAN Switch 4/8 fibre channel switch and two HP ProLiant DL585s to develop the design for the proof of concept, which will then be expanded with additional functionality (increased capacity and resilience) for a client’s development facilities before (hopefully) going into production. It’s been a pretty steep learning curve in places, and whilst there’s nothing too complicated about it, what follows summarises the things I learnt along the way.

Installation
Firstly, configure the fibre channel network for the SAN. Really, all that is required here is to connect to the console port on each switch, set any switch configuration parameters (date, timezone, etc.) and to confirm that all the small form factor pluggable (SFP) optical transceiver modules are working. It may also be useful to take a note of the worldwide port numbers (WWPNs) for each port. For the entry-level HP switch that I was using, this was a case of entering the following commands:

switchshow
fabricshow
date “MMDDhhmmCCYY
tstimezone 0,0

Next, the SAN storage can be configured. A serial cable connection to the MSA controller allows access to the console, from where connections to each device can be created (based on the worldwide port numbers for the various fibre channel connections) with a profile name of Linux; and the LUNs can be established to provide access to the disks, for example:

add unit 0 raid_level=5 data=disk101-disk106 cache=enable
set global system_name=”VMware Dev SAN” read_cache=70
add connection connectionname wwpn=wwpn profile=Linux

This is where I came across my first issue – I found that sometimes, if the connected server is not running (with an operating system, or at least the VMware ESX installation program), the fibre channel host bus adapters (HBAs) may not be detected making it impossible to create connections. It’s also worth knowing that VMware can manage multiple paths to SAN storage, so it’s not necessary to purchase separate multipathing software.

Once the SAN is set up (and any local server configuration is complete, such as array configuration for direct attached storage), installing ESX Server is straightforward – simply boot from the CD and follow the wizard (the process can also be automated using kickstart); however a Windows server will also be required from which to manage the virtual infrastructure, along with access to a Microsoft SQL Server database. After ESX Server is installed, the server can be accessed using a browser (http://servername/) in order to download and install the VMware Virtual Infrastructure Client v2.0.

Although the VMware Virtual Infrastructure Client allows management of a single ESX server (some limited administration is also available via the Virtual Infrastructure Web Client at http://servername/ui/), for a fully functional environment, it is still necessary to install the management component (VirtualCenter Management Server v2.0), which is licensed separately. After extracting the files from the .ZIP file on which they are provided, autorun.exe should be launched and the option to install VirtualCenter Management Server selected. Again, this installation is wizard-based with the only real configuration being the ODBC setup for database access (which needed a system DSN to be configured). Although it can also be installed separately, the VirtualCenter Management Server installation wizard also allows the installation and configuration of the VMware License Server (this will require a license file for the License Server to be configured with).

If the virtual infrastructure will span firewalls, it’s worth making a note of the main ports that will be required for access (although these, and more, are all configurable within the Virtual Infrastructure Client):

  • VirtualCenter web service (HTTP/S): TCP 80/443.
  • VirtualCenter diagnostics: TCP 8083
  • VirtualCenter: TCP 902
  • VirtualCenter heartbeat: UDP 902

At this point, installation is just about complete. The Virtual Infrastructure Client can be used to connect to each server and to perform any additional configuration (e.g. amending the security profile, or configuring DNS and routing settings); however it’s worth knowing that by connecting to the VirtualCenter Management Server (rather than an individual ESX server), it is possible to set up logical data centres and clusters/resource pools for HA and DRS.

Configuring licensed features
Ensure that each ESX Server has obtained the relevant licenses using the Licensed Features section of each server’s configuration page within the Virtual Infrastructure Client. Pay particular attention to the License Sources, ESX Server License Type and Add-Ons.

In order to troubleshoot licenses that are not applied, it may be necessary to launch the VMware License Server Tools and perform a server status enquiry (on the Server Status page) or to perform diagnostics (on the Server Diags page). The License file in use is specified on the Config Services page. The VMware Technology Network (VMTN) VMware ESX 3.0 HA fails to accept eval license forum post gives further details of the issues that my colleague and I had with this.

Configuring VMware HA (including configuring VMotion)
To configure HA, a number of actions need to be performed:

  1. Using the Virtual Infrastructure Client, connect to the VirtualCenter Management Server and create a cluster.
  2. Ensure that the VMware HA feature is enabled (in the settings for the cluster within the Virtual Infrastructure Client).
  3. Configure VMware HA options such as the number of allowed host failures and admission controls.
  4. Add two or more hosts to the cluster.
  5. Ensure that each of the hosts can connect using a dedicated Gigabit Ethernet NIC (connection type VMkernel) with VMotion enabled (this is established in the networking section of each server’s configuration page within the Virtual Infrastructure Client).
  6. If not configured at build time, ensure that all servers in the cluster can access the same LUNs on the SAN – this is controlled in the storage (SCSI, SAN and NFS) section of each server’s configuration page within the Virtual Infrastructure Client.

Configuring VMware DRS
VMware DRS is configured in a similar manner to VMware HA – i.e. in the settings for the cluster within the Virtual Infrastructure Client. DRS settings to consider include the automation level and migration threshold as well as rules (to keep multiple virtual machines on the same or separate hosts).

Configuring VMware Consolidated Backup
VCB ought to be simple, except that I haven’t got it working yet. After installing the VCB Framework, the basic principle is that interoperability modules are provided for supported backup software to run pre- and post-backup scripts, allowing the VCB proxy to quiesce each virtual machine and mount the resulting snapshot before backing it up, dismounting and removing the snapshot then moving on to the next virtual machine. The problem is the interoperability modules, which VMware says are provided by the backup software vendors, but I can’t find one for Symantec (Veritas) BackupExec 10d.

Configuring alarms
It is possible to define alarms at various levels in the virtual infrastructure hierarchy (some sample alarms are provided out of the box for host/virtual machine CPU/memory usage and host connection state). These can be set to trigger on a variety of state changes and either send a notification e-mail, SNMP trap or to run a script. E-mail (SMTP) and SNMP settings are defined in the Server Settings from the Administration menu in the Virtual Infrastructure Client.

Creating and importing virtual machines
The creation of virtual machines from within the Virtual Infrastructure Client is straightforward enough (a wizard is provided to assist with the process); however for existing VMs, it’s necessary to use another tool (e.g. VMware Importer).

VMware Importer is a Windows-only tool for converting virtual machines between formats (including Microsoft Virtual PC/Server, VMware Workstation/Server and Symantec Livestate images) and, crucially, can import directly into ESX Server (or via a VirtualCenter Management Server). VMware Importer v1.5 was incorporated into the Windows versions of VMware Workstation v5.5 and VMware Server v1.0 and VMware Importer v2.0 beta 3 (build 28322) is in beta at the time of writing (although this expires on 31 August so hopefully there will be a general release soon).

Suggested further reading
For those who are familiar with previous versions of VMware ESX Server, or who just want to understand a bit more about the products which make up VMware Infrastructure 3, Geert Baeke’s blog has an interesting article on new features in ESX 3.0. Other sites covering virtualisation topics include OzVMs and RTFM Education and official resources from VMware include the VMware Infrastructure documentation, the VMware Infrastructure 3 Online Library and the VMTN.

Uncategorized

Converting from physical to virtual machines

A few days back, I received an e-mail from someone who was trying to convert a Windows 2000 physical server to a virtual machine (VM) and had read some of the posts on this blog. He commented that today’s virtualisation software seemed to be much more complicated than the virtualisation he remembered from his mainframe days but, whilst my mainframe experience is pretty limited (one week’s work experience at the local hospital and a year compiling support statistics/coding a call stack analysis tool at ICL‘s VME System Support Centre in Manchester), I’d have to say that my understanding of the mainframe approach is probably more comparable to the concept of containers and zones in Sun Solaris rather than the virtualisation products from VMware and Microsoft.

For anyone who is trying to get a physical machine across into a VM, I’ve previously written posts about three ways to do this (an overview of Microsoft’s Virtual Server migration toolkit, my experience of using PlateSpin PowerConvert and an article I found about using disk imaging software to convert a machine); however Michael Pietroforte’s post about six ways to convert physical to virtual is probably worth a read.

Uncategorized

Avoiding compulsory website registration

I’m sick of giving out my personal details (even false ones) to websites that require me to register. A few months back I wrote about using a temporary e-mail address to avoid spammers but now (thanks to a comment on a post at 4sysops), I’ve discovered BugMeNot a site that allows ‘net users to bypass compulsory registration. Simply enter the URL for the website that requires registration and the site will tell you if it has a set of credentials on file that you can use.

Of course, there are sites that I do register with because they provide a service that I consume, but as Michael Pietroforte notes in his never sign up for ZDNet white papers post, sometimes it’s just a way to get your details (in this case from a company which has been accused of being a Spamhaus) and then refer you to a vendor’s own freely-available information.

Uncategorized

Installing the Macromedia Flash plug-in on a Linux client

If, like me, you’ve been struggling to install the Macromedia Flash plug-in for Firefox on a Linux machine (in my case it was Fedora Core 5), then you may find item 12 on the Macromedia Flash Player 7 for x86 Linux frequently asked questions useful.

For weeks now, every time I’ve accessed a page containing Flash content (like this blog, for example) Firefox has seemingly downloaded and installed the missing plug-ins but the changes haven’t been accepted. After starting a terminal session and elevating my permissions to root (su -), creating a file called /etc/yum.repos.d/macromedia-i386.repo with the following contents:

[macromedia]
name=Macromedia for i386 Linux
baseurl=http://macromedia.rediris.es/rpm/
enabled=1
gpgcheck=1
gpgkey=http://macromedia.mplug.org/FEDORA-GPG-KEY

and executing the command:

yum install flash-plugin

the Flash plug-in was installed, although it also needed a browser reset before the changes took effect.

(Now all I need to do is get the Java runtime environment to load…)

Uncategorized

Burn DVDs from the Windows command line

Sony DWG120A DVD recorder
A few weeks back, I bought myself a Sony DWG120A DVD±RW dual layer recorder. Although I picked mine up as a £29.99 brown box deal in PC World, it is available for less on the ‘net (but that would have involved shipping costs and delays).

It was a two-minute installation (open case, swap out old CD drive, insert and connect new DVD drive, close case) but I soon found out that Windows XP’s support for DVD writing is not very good – it can write CDs natively but even with a DVD burner that interface is restricted to CDs – one feature that I’d expect Microsoft to have fixed by now. I didn’t have much luck with Windows Vista beta 2 and the NEC DVD burner in my notebook PC either and my copy of Nero was no use, as I found that it is an OEM version and so is tied to that OEM’s devices – all I could do with my Sony drive was write to a generic image recorder device (which would at least allow me to create ISO images).

A couple of years back, I wrote about a utility for burning CDs from the command line and so I started googling for a DVD equivalent. A Windows FAQ article by John Savill, entitled How can I burn a DVD image from the command line? pointed me in the direction of a Microsoft resource kit tool called dvdburn.exe and that did the trick. It’s a really simple utility, that does exactly what it says – it burns DVDs (using the syntax dvdburn dvddrive filename). The result:

Media type: DVD+R
Preparing media…
- 100.0% done
Finished Writing
Waiting for drive to finalize disc (this may take up to 4 minutes)……………………
Success: Finalizing media took 22 seconds
Burn successful!

Uncategorized

Installing VMware Server on Fedora Core 5

Fedora logo VMware logoA few months back, I wrote about having converted the Windows XP installation on my company-supplied notebook PC to a virtual machine and was running it quite happily on Windows Vista using VMware Player. Unfortunately, it’s been slowing down (to the point that booting the Vista host, then the XP guest and logging in was taking me 15 minutes every day), so this week I rebuilt the host system. It’s still not the Vista/Linux dual boot setup that I originally intended, but I’m running a bit short on hard disk space and consequently I’m still using a single host operating system (this time it’s Fedora Core 5 as I couldn’t get SUSE 10 to install on my Fujitsu-Siemens Lifebook S7010D) with VMware Server (I could have used the player again but the server product has now been released and it’s free too).

I don’t know what was wrong with the original setup – although it ran well at first, performance in both the host and guest operating systems became noticeably degraded at times but I was using a combination of a beta host operating system, a 5400RPM laptop hard disk and the VMware Player (which is probably not optimised for Vista either) what I can say is that running XP under VMware Server on Fedora rocks, even though Fedora is not a supported host operating system for VMware Server.

Incidentally, virtual machine (VM) performance can be improved by moving the VM to a separate disk and a colleague, Garry Martin, also suggested that improvements can be made by binding the VMnet adapters to a separate network interface; however in this case I only have one permanent Ethernet connection and do not want to have to connect an external disk each time I load my Windows XP environment.

Despite following the relevant sections in the VMware Server administration guide, because I used a Linux workstation distribution (and an unsupported one too), the installation of VMware Server was not entirely straightforward, but I got it working eventually and this is what I had to do:

  • Download VMware Server (v1.0.1 – build 29996 – server and client components) and register for a serial number.
  • In addition to the standard Fedora components, install the following (using the pirut Package Manager, yum or an equivalent method):
    • gcc (v4.1.1-1.fc5.i386)
    • gcc-c++ (v4.1.1-1.fc5.i386)
    • kernel-devel (v2.6.17-1.2174_FC5.i686)
    • xinetd (v2:2.3.13-6.2.1.i386)
  • Elevate permissions to root (su -).
  • Run the VMware Server installer (rpm -Uvh VMware-server-1.0.1-29996.i386.rpm).
  • Before running the vmware-config.pl script, Download the VMware any-any update (I used v1.04 – thanks to Jean-Pierre Wenzel for highlighting the existence of this unofficial patch and the need to install kernel-devel).
  • Extract vmware-any-any-update104.tar.gz and then execute ./runme.pl (this will call vmware-config.pl, allowing for the acceptance of the VMware end user license agreement, configuration of networking, specification of the server console port, definition of the location of virtual machine files and entry of the VMware serial number). If the patch is working correctly then all the prompts should work at their defaults; however it may be necessary to answer the question “What is the location of the directory of C header files that match your running kernel? [/usr/src/linux/include]” with /usr/src/kernels/2.6.17-1.2174_FC5-i686/include (or another version of the kernel-devel tools). Building the vmmon module will fail if gcc and gcc-c++ are not present and the configuration script will have to be re-run if it finds that inetd or xinetd are not installed.
  • Unzip the client installer (VMware-server-linux-client-1.0.1-29996.zip)
  • Install the VMware Server Console (rpm -Uvh VMware-server-console-1.0.1-29996.i386.rpm).
  • Run the vmware-config-server-console.pl script (not vmware-config-console.pl as stated in the documentation).
  • Drop back to a standard user account (exit) and run the vmware shell script (a wrapper for the real binaries) to start up the VMware Server Console.
  • Create and run virtual machines as normal although there were a couple more points worth noting:
    • After copying virtual machine files across from the original Windows Vista installation, I needed to make some edits to the configuration to reflect changes in file names (e.g. disk locations) to Unix formats (\ to / etc.).
    • I created a group called vmware and ran chgrp vmware filename against the VM files so that any user in the vmware group could run the VMs (not just root).

Some configuration items may have been carried out in a slightly different sequence as I tried various advice and encountered a number of issues before I got everything working but the image below shows the end result:

Windows XP in VMware Server running on Fedora Core 5

So far, the only issue I have found is with the guest operating system clock (which is not keeping time). This could be because I originally installed VMware Tools from a Windows version of the Virtual Server beta – I’ll install the correct version next week to see if it makes any difference. In any case, performance is very good – in fact, when running full screen, it would be very difficult to tell that the Windows XP guest is not running on native hardware.

Site notices

New bookmarking links

This blog is overdue for redesign, but I barely have time to write posts at the moment so a new layout (using improved CSS and standards-compliant XHTML) will be a while coming yet; however I have been tinkering a little bit with the template and I just added bookmark links on the bottom of each post.

The trouble with social bookmarking sites and customised start pages is that there are so many of them – I used start.com (now renamed Windows Live) for a while, I have a Google personalised home page (that I don’t really use) and last night I had a play around with Protopage.

3spots has provided icons and details for over a hundred bookmark buttons but for now I’ve just put in del.icio.us del.icio.us, Digg Digg, Google Google Bookmarks, Technorati Technorati Favorites, Windows Windows Live and Yahoo Yahoo MyWeb.

Note that the 3spots site uses a Creative Commons attribution non-commercial sharealike licence and, even though I haven’t got around to switching this site over to Creative Commons yet, any reuse of the del.icio.us, Google, Technorati, Windows and Yahoo icons above is subject to the same terms (I got the Digg one from Digg).

It looks a bit messy right now so I may adjust the layout slightly over time but please let me know if there is another one that you’d really like to see and, if there is enough interest, I’ll add it.

Finally, if I write something that you think might be interesting to others, please click on the Digg Digg It! link.

Uncategorized

The IBM PC – 25 years old today

After reporting on the 15th anniversary of the world wide web earlier this week, there’s another important milestone in computing history to highlight today – the 25th birthday of the original IBM PC – the 5150.

IBM PC

Whilst the 5150 was not the first personal computer, the use of components that were available to other manufacturers led to the development of IBM-compatible PCs and today’s PCs and PC servers are direct descendents from the original IBM PC, albeit much more powerful than the 4.77MHz Intel 8088 with between 16 and 640KB of RAM.

Amstrad PPC640

I didn’t get my first IBM-compatible PC until 1988 when my parents bought me an Amstrad PPC640 portable computer (it’s still in my loft at home) with an NEC V30 8MHz processor, 640KB of RAM, a full-size 102-key keyboard, two 720KB 3.5″ floppy disk drives and a 2400 baud modem (which my secondary school let some of my friends and I use for short periods of time to access bulletin boards). It was best described as “luggable” but, paired with the Citizen 120D dot matrix printer (that I also still have at home), it was more than adequate for word processing and saw me through my first year at Uni’ until I used all my childhood savings to buy an Intel 80386-based PC clone with a 1MB graphics card, MS-DOS 5.0, and Windows 3.0.

Fast forward 15 years and you can pick up a PC for just a couple of hundred pounds – or, if you’ve got a few thousand to spend then it’s possible to specify some very high specification PC servers! Earlier this week I was specifying some servers for a virtualisation solution that I’m working on. Each of these servers is an HP DL585 with 4 dual-core 2.6GHz AMD Opteron 64-bit CPUs, 32GB of RAM and has a fibre-channel connection to an HP Modular Storage Array with many terabytes of data storage. How mighty oaks from little acorns grow.

Uncategorized

Delegation of Active Directory administration (using Quest ActiveRoles Server)

Recently, I’ve been working with a client who has an extraordinarily high number of users with domain administrator rights (i.e. those who are members of the Domain Admins group). The problem is historic and they are in the process of moving from Windows NT to Active Directory (AD); whilst AD allows for delegation of control over objects (although best practice dictates that delegation occurs at organisational unit level), under NT the limit for delegation was the domain.

In order to reduce the number of Domain Admins, I’ve been producing a delegation model for AD administration that is intended to provide a pragmatic balance between the granular control that AD can provide and the access requirements of each support team, yet still remains realistic from a management perspective. One major issue is that, whilst Microsoft provides several-hundred pages of documentation and a delegation of control wizard, there are no native tools to keep track of the objects over which control has been delegated. Consequently it’s often necessary to resort to third party tools.

One such tool is ActiveRoles Server (ARS) from Quest Software. Quest inherited this technology with their acquisition of Aelita Software (they had previously inherited another product, now known as ActiveRoles Direct, when they purchased FastLane Technologies). Installed onto a Windows server (which should be secured as any domain controller would be), the current incarnation of the product, uses a SQL Server database for configuration data (rather than schema extensions as some previous products did) and publishes itself as a connection point object within AD. The configuration database can be mirrored via SQL replication for redundancy, with one server acting as a publisher and one as a subscriber whilst the connection point model allows for load balancing between the two servers.

In terms of management, ARS can be administered using a Microsoft management console (MMC) snap-in, a browser interface, or using AD services interface (ADSI). By default, ARS will bind to the first AD domain controller that it finds, although this can be overridden in the management toolset.

Despite not extending the AD schema, ARS allows additional attributes to be stored for an object. These attributes are placed within the ARS configuration database and can be used for provisioning (e.g. conditional filtering on attributes) or for storing additional information on a user (e.g. staff ID number). Propagation of directory data to other LDAP directories and Microsoft Identity Integration Server (MIIS) are supported via Quick Connect for ActiveRoles Server and Unix support can be provided using through a support pack for Vintela Authentication Services. ARS can also expose attributes that are not normally visible in the standard Active Directory Users and Computers MMC snap-in.

In order to allow for user rights to be elevated as required, user access is proxied via the ARS service account, which should be given the highest level of permissions that will be allowed (e.g. Domain Admins). This means that all access is via ARS, allowing for auditing and reporting of rights use. Quest’s recommendation is that users are not assigned native rights within Active Directory (beyond the standard read-only permissions given to an authenticated user). In this way, all rights can be managed via ARS (otherwise privileged users could circumvent ARS, avoiding any auditing of their actions); however there is also an option for ARS-delegated rights to be propagated to Active Directory if required.

Some ARS terminology includes:

  • Access templates: pre-defined role descriptions controlling what a user can/cannot do. ARS allows further granularity than native AD rights – for example controlling which attributes a particular user can edit on an object (e.g. allowing for self service of certain directory attributes via a web interface).
  • Managed units: query-based filters for management of roles (effectively a virtual OU). This avoids issues whereby best practice recommends delegation at OU level but the OU structure is generally designed with group policy in mind.
  • Policy objects: rules applied to objects as they are created (e.g. when creating a user in a particular OU, add them to certain security groups).
  • Script modules: bespoke code that allows policy objects to be extended beyond the standard capabilities of AD OUs and group policy (e.g. when creating a user account, e-mail the telephone system administrator and ask them to populate the user’s telephone number in AD).

ARS seems pretty powerful but it does have some limitations:

  • Firstly, it operates at the domain level, so delegation of forest-level tasks does not seem to be supported.
  • Secondly ARS is used to provide delegation of control over directory objects – not the resources protected by the directory itself (e.g. file systems). This means that ARS can be used to control the administration of the groups that allow access to a particular resource; but there is nothing that it can do to prevent a sufficiently-privileged user from bypassing ARS and accessing a resource directly.

In reality, this has meant that my client has built part of the delegation model for AD using the Quest tools (the translation of the IT policy and procedures to a provisioning model built around ARS) whilst I have based the administration model for the servers and computers within the domain (as well as forest-wide operations) around Windows groups, with procedural control over the use of privileged and non-privileged accounts.

Although I’ve been working with Active Directory since Windows NT 5.0 beta 2 (about 8 years now), this is the first time I’ve really looked at the administration model. It’s been a difficult process for me – to do it properly requires business analysis skills as well as (and probably more than) technical knowledge. The following links might be useful to anyone else who is looking at delegating AD administrative control:

Waffle and randomness

How to make the web sound interesting

A few days back, I wrote about the 15th anniversary of the world wide web. Robert Cailliau, who worked with Sir Tim Berners-Lee on the creation of the web, commented that, at the time, his only reservation about the name was that “it is difficult to pronounce in French“.

Since then, those of us whose native tongue is English have grown used saying “double-you-double-you-double-you”, to the point where there are now a number of abbreviations (I tend to say “dub-dub-dub” – a habit I picked up from antipodean radio adverts a few years back), or often the www gets dropped entirely. This topic has been discussed at length on the back pages of IT Week over the last couple of months and one suggestion for reducing the number of syllables was “wibble”. Of course, once you change the language it starts to get more interesting… apparently the Welsh version is “ooh-ooh-ooh”.

%d bloggers like this: