Archive for October, 2011
As we know, SSH uses port 22 by default, but it is possible to change it to another port when required. Below are the steps to take when changing it from port 22 to 2200. The steps can be divided into four parts. First, we need to make some changes to the network services list. Second is the SSH configuration. Then the firewall, and the last part is rc.local, so that the changes persist after a reboot.
1. Network Service:
This is where all valid network services should be listed, including SSH. Just locate the SSH service and change both the TCP and UDP entries to port 2200.
2. SSH Configuration:
Go to the SSH directory (/etc/ssh) and open the sshd_config file with the vi editor. Change the port to 2200.
3. ESXi Firewall:
Go to the firewall directory (/etc/vmware/firewall) and create a new rule set configuration file, e.g. ssh.xml, as below.
Then refresh the firewall with the command “#esxcli network firewall refresh”. You can check the new firewall state with “#esxcli network firewall ruleset rule list | grep sshnew”.
4. rc.local:
a. Copy ssh.xml (the rule set file created above) from /etc/vmware/firewall to one of the available datastores (e.g. datastore1)
#cp /etc/vmware/firewall/ssh.xml /vmfs/volumes/datastore1
b. Open the /etc/rc.local file and add the lines below:
#Create custom SSHNEW rule
cp /vmfs/volumes/datastore1/ssh.xml /etc/vmware/firewall
#Refresh Firewall Rules
/sbin/esxcli network firewall refresh
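The four steps above, rehearsed against a scratch copy of the files rather than the live /etc, as an added example that is not part of the original post. It assumes the ESXi 5.0 file layout named in the post (/etc/services for the network services list, /etc/ssh/sshd_config, /etc/vmware/firewall, /etc/rc.local), a rule set id of sshnew in a file called ssh.xml (the id the post greps for), and datastore1 as the persistent copy; the sample file contents are constructed. The rule set XML layout follows the ConfigRoot/service/rule format of ESXi 5.x rule set files; compare it with the host's own service.xml if in doubt. Pointing ROOT at / would apply the same edits for real.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the SSH port change
# against a scratch tree so every edit can be checked before it touches a host.
# Assumptions: ESXi 5.0 paths as in the post, rule set id "sshnew" in ssh.xml,
# datastore1 as the place where the rule set survives a reboot.
OLD_PORT=22
NEW_PORT=2200
RULESET_ID=sshnew
DATASTORE=datastore1

# Constructed sample copies of the three files the procedure edits; a real run
# would point root at / instead of a scratch directory.
make_scratch_tree() {
    root=$1
    mkdir -p "$root/etc/ssh" "$root/etc/vmware/firewall" "$root/vmfs/volumes/$DATASTORE"
    printf 'ftp\t\t21/tcp\nssh\t\t22/tcp\t# SSH Remote Login Protocol\nssh\t\t22/udp\nsmtp\t\t25/tcp\n' > "$root/etc/services"
    printf 'Port 22\nProtocol 2\n' > "$root/etc/ssh/sshd_config"
    printf '#!/bin/sh\n' > "$root/etc/rc.local"
}

# Edit a file through a temp file and mv; busybox sed on ESXi has -i, but this
# form works with any sed.
edit_in_place() {
    file=$1; shift
    sed "$@" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 1: both ssh entries (tcp and udp) in /etc/services move to the new port.
# Step 2: the Port directive in sshd_config follows.
update_port_files() {
    root=$1
    edit_in_place "$root/etc/services" \
        -e "s|^\(ssh[[:space:]][[:space:]]*\)$OLD_PORT/tcp|\1$NEW_PORT/tcp|" \
        -e "s|^\(ssh[[:space:]][[:space:]]*\)$OLD_PORT/udp|\1$NEW_PORT/udp|"
    edit_in_place "$root/etc/ssh/sshd_config" \
        -e "s|^Port[[:space:]][[:space:]]*$OLD_PORT\$|Port $NEW_PORT|"
}

# Step 3: the rule set file that lets the new port in. One inbound tcp rule,
# enabled, not required (so it can be switched off later).
write_ruleset() {
    root=$1
    cat > "$root/etc/vmware/firewall/ssh.xml" <<EOF
<ConfigRoot>
  <service>
    <id>$RULESET_ID</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>$NEW_PORT</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Step 4: a custom file under /etc/vmware/firewall is not kept across a reboot,
# so keep a copy on the datastore and let rc.local restore and reload it.
persist_ruleset() {
    root=$1
    cp "$root/etc/vmware/firewall/ssh.xml" "$root/vmfs/volumes/$DATASTORE/"
    cat >> "$root/etc/rc.local" <<EOF
#Create custom SSHNEW rule
cp /vmfs/volumes/$DATASTORE/ssh.xml /etc/vmware/firewall
#Refresh Firewall Rules
/sbin/esxcli network firewall refresh
EOF
}

# Exit status 0 when all four edits landed in the tree under root.
verify_port_change() {
    root=$1
    [ "$(grep -c "^ssh.*$NEW_PORT/" "$root/etc/services")" -eq 2 ] &&
    grep -q "^Port $NEW_PORT\$" "$root/etc/ssh/sshd_config" &&
    grep -q "<port>$NEW_PORT</port>" "$root/etc/vmware/firewall/ssh.xml" &&
    grep -q "esxcli network firewall refresh" "$root/etc/rc.local"
}

# Dry run: build the scratch tree, apply the steps, report, clean up.
scratch=$(mktemp -d)
make_scratch_tree "$scratch"
update_port_files "$scratch"
write_ruleset "$scratch"
persist_ruleset "$scratch"
verify_port_change "$scratch" && echo "all four edits applied under $scratch"
rm -rf "$scratch"
```

The verify step is the part worth keeping on a real host: after editing, confirming that /etc/services still has exactly two ssh lines and that sshd_config has a single Port directive catches the half-applied state (port changed in one place but not the other) that locks you out once sshd restarts and the old rule set no longer matches.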
Just want to share something basic about the firewall in ESXi 5.0. By default the firewall is configured to block all incoming and outgoing connections on ESXi 5.0 except for some default services. You can make some changes, but only very limited ones, in the security profile configuration (host -> Configuration -> Security Profile -> Firewall).
The firewall configuration file (rule set configuration file) for the default services, service.xml, can be found in the /etc/vmware/firewall folder. It is a read-only file (mode 444) and we are not allowed to touch it even after chmod to 755 (operation not permitted). As per VMware, configuration files should be installed using a VIB package, and the file will then be loaded automatically.
The other thing you must know is the firewall command available in ESXi, “esxcli”. We can load, refresh, set and so on with that command. Please read the documentation for the details.
To include your own custom firewall rule, I advise you to create a new rule set configuration file in the firewall folder and load it manually with the command “#esxcli network firewall refresh” after you create it. I will write a tutorial later on how to change the default SSH port by creating a new rule set configuration file.
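Before a custom rule set file is loaded with the refresh command, it is worth seeing exactly what it would open. The script below is an added example, not from the original post: it lists every rule in a firewall directory and then reduces that to the enabled inbound ports, which is the set that actually exposes a listener. It assumes the ESXi 5.x rule set layout (ConfigRoot/service with id, rule elements carrying direction, protocol and port, and a service-level enabled flag) written one element per line, and the two sample rule set files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): review what rule set files in a
# firewall directory would open before "esxcli network firewall refresh" loads
# them. Assumes the ESXi 5.x rule set layout with one XML element per line.

# Print one line per rule: file id direction protocol port enabled
list_rules() {
    dir=$1
    for f in "$dir"/*.xml; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            # text(tag): content of <tag>...</tag> on the current line
            function text(tag,    s) {
                s = $0
                sub(".*<" tag ">", "", s)
                sub("</" tag ">.*", "", s)
                return s
            }
            /<service/    { id = ""; n = 0 }
            /<id>/        { id = text("id") }
            /<direction>/ { dir = text("direction") }
            /<protocol>/  { proto = text("protocol") }
            /<port>/      { port = text("port") }
            /<\/rule>/    { n++; rule[n] = dir " " proto " " port }
            /<enabled>/   { enabled = text("enabled") }
            /<\/service>/ { for (i = 1; i <= n; i++) print file, id, rule[i], enabled }
        ' "$f"
    done
}

# Only enabled inbound rules expose a listener; print them as port/protocol.
open_inbound() {
    list_rules "$1" | awk '$3 == "inbound" && $6 == "true" { print $5 "/" $4 }'
}

# Constructed sample rule sets (not from a real host): the sshnew rule from the
# SSH tutorial, plus a disabled outbound rule for contrast.
make_sample_rulesets() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ssh.xml" <<'EOF'
<ConfigRoot>
  <service>
    <id>sshnew</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2200</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
    cat > "$dir/sample.xml" <<'EOF'
<ConfigRoot>
  <service>
    <id>sampleOut</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>5000</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Demo against a scratch directory; on a host, run list_rules /etc/vmware/firewall.
scratch=$(mktemp -d)
make_sample_rulesets "$scratch"
echo "all rules:";        list_rules "$scratch"
echo "enabled inbound:";  open_inbound "$scratch"
rm -rf "$scratch"
```

Run against /etc/vmware/firewall on a host, the second list is the one to compare against what you intended to open; a custom file that sets enabled to true on an inbound rule for a port you did not plan for shows up there before the refresh makes it live.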
Well, while figuring out what is new in the /var/log structure of ESXi 5.0, I found a new file there called “shell.log”. So what is this file? When I opened it, to my surprise, all commands issued in the ESXi shell are logged in this file, providing a full audit trail so that anything nasty done through the ESXi shell can be revealed. A small thing, but a good one.
You can view the differences in the /var/log structure between ESXi 4.1 and 5.0 as follows:
Another video tutorial that I made in Bahasa has just been uploaded. Remember, this tutorial is for anyone who wants to test the installation of ESXi 5.0 on an ESX/i 4.x virtual machine. For a VM running on ESXi 5.0, you have to use the other method, which is well explained here.
First of all, too bad there is no solution for this issue at the moment. As per VMware, the only workaround is to minimize the number of network portals and iSCSI targets so that the time spent discovering the targets can be reduced. You can read VMware's explanation here of why this issue happens on v5 and not on v4. I've personally tested it out and, to be honest, even with ONLY one iSCSI target configured, the delay is noticeable.
No matter how many times we explain this to end users, they forget it too easily. In fact, I think some of my colleagues are obsessed with snapshots too. Weirdly, they went for the training and learned from their mistakes, but remove the snapshot? No, they would not. Not until the snapshot fills up their entire datastore and brings down all the VMs. Nevertheless, the KB below should give us a better understanding of what needs to be considered when working with snapshots in a virtual environment.