
Saturday, May 9, 2015

vCenter Server Appliance (vCSA) 6.0 - What's New

What's new in the vCenter Server Appliance (vCSA) 6.0:
  • ISO with an easy guided installer
  • Different deployment options during the guided installer:
    • Install vCenter Server
    • Install Platform Services Controller
    • Install vCenter Server with an embedded Platform Services Controller (default)
  • Scripted install: values can be specified in a template file
  • Embedded vPostgres database; Oracle is supported as an external database
  • IPv6 support
  • Enhanced Linked Mode support
  • VMware Data Protection (VDP) support for backup and recovery
  • Based on a hardened SUSE Linux Enterprise 11 SP3 (64-bit)
  • The minimum appliance requirements (up to 20 hosts and 400 VMs) for the vCSA are:
    • 2 vCPU
    • 8 GB memory
    • ~100 GB disk space
  • Feature parity with vCenter Server on Windows, including the scalability maximums
What is still missing:
  • Still no Microsoft SQL Server database support
  • No option to separate the roles of vCenter Server onto different machines
  • VMware Update Manager (VUM) is not included in the appliance; a separate Windows server is still needed for VUM
  • No clustering of the vCenter Server Appliance


Tuesday, May 5, 2015

RHELAH (Red Hat Enterprise Linux Atomic Host)

Red Hat also saw the technical advantages of a lean, mean Linux and started working on it in Project Atomic. This open-source operating system is now available as variants of Fedora, CentOS, and RHEL.

From this foundation, Red Hat built RHELAH. This operating system is based on RHEL 7 and features image-like atomic updates and rollback. Red Hat has committed to Docker for its container technology.

According to Red Hat, RHELAH has many advantages over its competitors, including being able to run "directly on hardware as well as virtualized infrastructure whether public or private." In addition, Red Hat brings its support and SELinux for improved security.

Monday, April 13, 2015

VMware Fault Tolerance (FT) in vSphere 6.0

VMware Fault Tolerance (FT) has been one of my favorite features, but because of its vCPU limitation it could not be used to protect mission-critical applications. With vSphere 6.0, VMware has removed that limitation: an FT VM now supports up to 4 vCPUs and 64 GB of RAM (vSphere 5.5 allowed only 1 vCPU and 64 GB of RAM). With this vSMP support, FT can now be used to protect mission-critical applications. Alongside vSMP support, several more features have been added to FT in vSphere 6.0. Let's take a look at what's new in vSphere 6.0 Fault Tolerance (FT).
[Figure: vSphere 6.0 FT, graphic courtesy of VMware.com]

Benefits of Fault Tolerance

  • Continuous availability with zero downtime and zero data loss
  • No TCP connection loss during failover
  • Fault Tolerance is completely transparent to the guest OS
  • FT does not depend on the guest OS or the application
  • Instantaneous failover from the primary VM to the secondary VM in case of an ESXi host failure

What’s New in vSphere 6.0 Fault Tolerance

  • FT supports up to 4 vCPUs and 64 GB RAM
  • Fast Checkpointing, a new scalable technology, replaces Record-Replay to keep the primary and secondary VMs in sync
  • vSphere 6.0 supports vMotion of both the primary and the secondary virtual machine
  • With vSphere 6.0 you can back up FT virtual machines: FT supports the vStorage APIs for Data Protection (VADP) and therefore the leading VADP-based backup solutions on the market (Symantec, EMC, HP, etc.)
  • With vSphere 6.0, FT supports all virtual disk types: eager-zeroed thick, lazy-zeroed thick and thin-provisioned disks. vSphere 5.5 and earlier supported only eager-zeroed thick disks
  • Snapshots of FT-configured virtual machines are supported with vSphere 6.0
  • The new version of FT keeps separate copies of the VM files (.vmx, .vmdk) so that the primary VM is protected against both host and storage failures; the primary and secondary VM files may be kept on different datastores
[Figure: vSphere 6.0 FT, graphic courtesy of VMware.com]

Difference between vSphere 5.5 and vSphere 6.0 Fault Tolerance (FT)

[Table image: differences between FT in vSphere 5.5 and vSphere 6.0]

Sunday, April 5, 2015

vCenter Server 6.0

In vSphere 6.0 you will notice a number of new terms when installing vCenter Server 6.0. As in previous versions of the vCenter deployment, you can install vCenter Server on a host running Microsoft Windows Server 2008 SP2 or later, or you can deploy the vCenter Server Appliance (vCSA). With vSphere 6.0 there are two new vCenter deployment models:
  • vCenter with an embedded Platform Services Controller
  • vCenter with an external Platform Services Controller
One considerable change you will notice with the vCenter Server installation is the deployment models and the embedded database. The embedded database has changed from SQL Server Express to vFabric Postgres (vPostgres). The vPostgres database embedded with the vCenter installer is suitable for environments with up to 20 hosts and 200 virtual machines; vCenter 6.0 continues to support Microsoft SQL Server and Oracle as external databases. On upgrade, an existing SQL Server Express installation is converted to vPostgres. Let's review the system requirements to install vCenter 6.0:
Supported Windows Operation System for vCenter 6.0 Installation:
  • Microsoft Windows Server 2008 SP2 64-bit
  • Microsoft Windows Server 2008 R2 64-bit
  • Microsoft Windows Server 2008 R2 SP1 64-bit
  • Microsoft Windows Server 2012 64-bit
  • Microsoft Windows Server 2012 R2 64-bit
Supported Databases for vCenter 6.0 Installation:
  • Microsoft SQL Server 2008 R2 SP1
  • Microsoft SQL Server 2008 R2 SP2
  • Microsoft SQL Server 2012
  • Microsoft SQL Server 2012 SP1
  • Microsoft SQL Server 2014
  • Oracle 11g R2 11.2.0.4
  • Oracle 12c

Components of vCenter Server 6.0:

There are two major components of vCenter 6.0:
  • vCenter Server: the vCenter Server group of services, which contains vCenter Server, vSphere Web Client, Inventory Service, vSphere Auto Deploy, vSphere ESXi Dump Collector and vSphere Syslog Collector
  • VMware Platform Services Controller: the Platform Services Controller contains the services shared by all products, such as vCenter Single Sign-On, the License Service and the VMware Certificate Authority

vCenter 6.0 Deployment Models:

vSphere 6.0 introduces two vCenter Server deployment models: vCenter Server with an external Platform Services Controller and vCenter Server with an embedded Platform Services Controller.

vCenter with an embedded Platform Services Controller:

All services bundled with the Platform Services Controller are deployed on the same host machine as vCenter Server. vCenter Server with an embedded Platform Services Controller is suitable for smaller environments with eight or fewer product instances.
vCenter 6.0 with an embedded Platform Services Controller

vCenter with an external Platform Services Controller:

The services bundled with the Platform Services Controller and vCenter Server are deployed on different host machines. You must deploy the VMware Platform Services Controller first, on one virtual machine or host, and then deploy vCenter Server on another virtual machine or host. The Platform Services Controller can be shared across many products. This configuration is suitable for larger environments with nine or more product instances.
vCenter 6.0 with an External Platform Services Controller

Saturday, March 21, 2015

How To Patch and Protect Against the OpenSSL Vulnerabilities CVE-2015-0291 and CVE-2015-0204

Serious security problems have been found and patched in the OpenSSL library. Multiple vulnerabilities were disclosed in OpenSSL on 19 March 2015. The Common Vulnerabilities and Exposures (CVE) project identifies the following issues:

  1. OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) - Severity: High
  2. Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) - Severity: High
  3. Multiblock corrupted pointer (CVE-2015-0290) - Severity: Moderate
  4. Segmentation fault in DTLSv1_listen (CVE-2015-0207) - Severity: Moderate
  5. Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) - Severity: Moderate
  6. Segmentation fault for invalid PSS parameters (CVE-2015-0208) - Severity: Moderate
  7. ASN.1 structure reuse memory corruption (CVE-2015-0287) - Severity: Moderate
  8. PKCS7 NULL pointer dereferences (CVE-2015-0289) - Severity: Moderate
  9. Base64 decode (CVE-2015-0292) - Severity: Moderate
  10. DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
  11. Empty CKE with client auth and DHE (CVE-2015-1787) - Severity: Moderate
  12. Handshake with unseeded PRNG (CVE-2015-0285) - Severity: Low
  13. Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) - Severity: Low
  14. X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) - Severity: Low

How bad will this actually be?

It is not as bad as the Heartbleed bug disclosed in the OpenSSL library in April 2014, but the new bugs can cause a denial of service and crash your services. CVE-2015-0291 affects only OpenSSL 1.0.2 servers: a client that renegotiates with an invalid signature algorithms extension triggers a NULL pointer dereference. CVE-2015-0204 is the FREAK issue, reclassified to High: a client accepts an export-grade RSA key in a non-export cipher suite, so a man-in-the-middle can downgrade the connection to 512-bit RSA whenever the server still offers export cipher suites. It is good security practice to apply the patched version quickly and restart the affected services.

How to find openssl version on a Linux?

The syntax is as follows.

Find the OpenSSL version on CentOS/RHEL/SL/Fedora Linux:

openssl version
## or ##
sudo yum list installed openssl

Sample output: [Fig.01: finding the OpenSSL version on RHEL/CentOS/Fedora Linux]

Note that enterprise distributions backport fixes without changing the upstream version string, so compare the package release (for example the output of yum list installed openssl) against the fixed version named in your vendor's advisory rather than relying on the openssl version number alone.

A list of affected Linux distros

I recommend that you upgrade your OpenSSL packages as soon as possible to avoid security issues on both client and server systems powered by a Linux-based distro.
  • RHEL version 6.x
  • RHEL version 7.x
  • CentOS Linux version 6.x
  • CentOS Linux version 7.x
  • Debian Linux stable (wheezy) 7.x
  • Ubuntu Linux 14.10
  • Ubuntu Linux 14.04 LTS
  • Ubuntu Linux 12.04 LTS
  • Ubuntu Linux 10.04 LTS

How to patch on a Linux?

Type the following commands as per your distro version/type:
## how do I find out my distro version? ##
lsb_release -a
## or use ##
cat /etc/*-release
Sample output: [Gif 01: finding the Linux distribution name and version]

CentOS/RHEL/Fedora Linux

As root, first clean the yum cache:
sudo yum clean all
To install all available updates, use the yum command as follows:
sudo yum update
To update only the OpenSSL package and its dependencies, use the following yum command:
sudo yum update openssl

Debian/Ubuntu Linux

Type the following apt-get commands as root to patch OpenSSL:
sudo apt-get update
sudo apt-get upgrade
Sample output: [Fig.04: OpenSSL patched on Ubuntu Linux]

Do I need to reboot my server/laptop/computer powered by Linux?

Short answer: yes, reboot your computer/server to make sure every process picks up the patched library. Sysadmins should plan on updating as soon as possible, or use a maintenance reboot window:
sudo reboot
Long answer: it depends. You can avoid a reboot by restarting the affected services. Updating the package only replaces the library file on disk; every process that loaded the old libssl/libcrypto keeps running the vulnerable copy until it is restarted. First, find all services that depend on the OpenSSL libraries, then restart them one by one using the service command:
### Debian/Ubuntu: list processes that need a restart (checkrestart is in the debian-goodies package) ##
checkrestart -v

## Generic method: every process with a libssl mapping (this also lists processes already running on the new copy) ##
lsof | grep libssl | awk '{print $1}' | sort | uniq

Sample output:
hhvm
mysqld
nginx
php5-fpm
Restart the above services one by one:
sudo service hhvm restart
sudo service mysqld restart
sudo service nginx restart
sudo service php5-fpm restart
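The lsof pipeline above lists every process that has libssl mapped, whether or not it is still on the old copy. A more precise check, added here as an example and not part of the original post, is to read /proc/PID/maps: when an upgrade overwrites a shared library, the kernel keeps the old inode mapped in every process that loaded it and marks that mapping "(deleted)", which is exactly the set of processes that are still vulnerable. The file names and PIDs in the demo listing are constructed for the example; the /proc layout and the "(deleted)" suffix are standard Linux behaviour.

```shell
#!/bin/sh
# Find processes still running a replaced (deleted-on-disk) libssl/libcrypto.
# Usage: sh stale_ssl.sh --live   # scan /proc on this host (needs read access to /proc/*/maps)
#        sh stale_ssl.sh --demo   # run against the constructed sample listing below

# Read "<pid> <mapped path>" lines on stdin; print the unique PIDs whose mapping is a
# libssl/libcrypto object that has been deleted (i.e. replaced by the package update).
stale_from_listing() {
    awk '$2 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $1 }' | sort -n | uniq
}

# Build the "<pid> <mapped path>" listing from /proc on a live system.
live_listing() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Fields 1-5 are address/perms/offset/dev/inode; the pathname, with its
        # optional " (deleted)" suffix, is everything from field 6 onwards.
        awk -v pid="$pid" 'NF >= 6 { path = $6; for (i = 7; i <= NF; i++) path = path " " $i; print pid, path }' "$maps" 2>/dev/null
    done
}

# Constructed sample (not real output): PIDs 1234 and 5678 still map the replaced
# libraries, PID 2345 already runs on the new file, PID 777 maps an unrelated deleted lib.
demo_listing() {
    cat <<'EOF'
1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1234 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
2345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
777 /lib/x86_64-linux-gnu/libz.so.1.2.8 (deleted)
5678 /usr/lib64/libcrypto.so.10 (deleted)
EOF
}

# Print "<pid> <command name>" for each stale PID so the right services can be restarted.
report() {
    stale_from_listing | while read -r pid; do
        name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s\n' "$pid" "$name"
    done
}

case "${1:-}" in
    --live) live_listing | report ;;
    --demo) demo_listing | stale_from_listing ;;
    *)      echo "usage: $0 --live | --demo" >&2 ;;
esac
```

An empty result after restarting the listed services means no process is left on the old OpenSSL; if a PID keeps showing up, it was started from a wrapper or supervisor that has to be restarted itself.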

Thursday, March 12, 2015

SRX 100, 110, 210 H2 models are unable to directly upgrade to Junos 12.3X48 release

SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE running with Junos OS :
  • 12.1X44-D10/D15/D20/D30/D35
  • 12.1X45-D10/D15/D20/D25
  • 12.1X46-D10/D15/D20
Alert Description:

On SRX100, SRX110, SRX210 and SRX220 devices with H2 model numbers, an upgrade to 12.3X48 will fail when attempting to upgrade from the following releases:
  • Junos 12.1X44-D10 - Junos 12.1X44-D35
  • Junos 12.1X45-D10 - Junos 12.1X45-D25
  • Junos 12.1X46-D10 - Junos 12.1X46-D20

The models affected by this are SRX-Branch100, 210 and 220 models that have 2GB flash with the following model numbers.
  • SRX100H2
  • SRX110H2-VA, SRX110H2-VB
  • SRX210HE2, SRX210HE2-POE
  • SRX220H2, SRX220H2-POE
The error message indicating the issue when attempting the upgrade is shown in the following example:

root@srx210HE2> request system software add /var/tmp/junos-srxsme-12.3X48-D10-domestic.tgz
WARNING: Package 12.3X48-D10 is not compatible with this hardware.
WARNING: Please install an SRX image supported for 2G

This issue is tracked via PR 987067.
Solution:

There are two possible solutions available to work around this issue:

Solution 1) Use release 12.1X44-D40, 12.1X45-D30, 12.1X46-D25, 12.1X47-D10 or later releases as an interim release.

To use this solution, follow these steps:
  1. Install one of the above interim releases
  2. Reboot
  3. Install 12.3X48 release
Note: You may use regular means of installing the Junos software, e.g. the cli command request system software add or J-web or NSM/Space management platforms for this process.


Solution 2) Upgrade directly from an affected release to 12.3X48-D10 and above using a special script.

To use this solution, perform the steps below:
  1. Download the install script.
  2. Place the install script on the SRX.
  3. Open a shell prompt and move to the directory where the install script was placed:
     root@srx210HE2> start shell
     root@srx210HE2% cd /var/tmp
  4. Optionally verify the integrity of the install script placed on the SRX. The MD5 sum only detects a corrupted transfer; the signature check in step 6 is what verifies that the package is genuine:
     root@srx210HE2% md5 package.tar.gz
     MD5 (package.tar.gz) = 29d1bb47845647aae1cec6b69fc6fb44
  5. Uncompress the script (a new folder called package will be created):
     root@srx210HE2% tar zxf package.tar.gz
  6. Change directory to the new folder labeled package and install the script:
     root@srx210HE2% cd package
     root@srx210HE2% sh ./manifest.loader
     Verified manifest signed by PackageDevelopment_9_6_0
  7. Install 12.3X48 using the install script, with the optional -no-copy, -no-validate and -reboot options. NOTE: this step cannot be done using the normal CLI 'request system software add' command. If using the -reboot option, for an automatic device reboot after the upgrade, skip step 9.
     root@srx210HE2% ./package <-no-copy> <-no-validate> <-reboot> add <image location/name>
     Example: root@srx210HE2% ./package -no-copy add /var/tmp/junos-srxsme-12.3X48-D10-domestic.tgz
  8. Exit the shell:
     root@srx210HE2% exit
     root@srx210HE2>
  9. Reboot the system at your convenience:
     root@srx210HE2> request system reboot
     Reboot the system ? [yes,no] (no) yes
     Shutdown NOW!
  10. Verify the upgraded version after the reboot:
     root@srx> show version
     Hostname: srx
     Model: srx210he2
     JUNOS Software Release [12.3X48-D10]

Sunday, March 1, 2015

DDoS (Distributed Denial of Service) Protection - RHEL 7

Netfilter: iptables target SYNPROXY
  • DDoS attacks are increasingly commonplace as more and more products and services depend on delivering services over the Internet.
  • The SYNPROXY module is designed to protect against common SYN floods and ACK floods, but can also be tuned to protect against SYN-ACK floods.
  • It works by filtering out false SYN-ACK and ACK packets before they reach the socket's listen-state lock, which flood traffic would otherwise keep contended and so prevent new incoming connections.
  • It is a significant step for fighting DDoS and protecting critical system services.
Example configuration (intended for a web server):
sysctl: net.netfilter.nf_conntrack_tcp_loose=0 [DEFAULT=1]
# iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j NOTRACK
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state UNTRACKED,INVALID \
    -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn
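The two rules above are not the whole picture: without nf_conntrack_tcp_loose=0 conntrack will adopt a mid-stream ACK as an ESTABLISHED flow and an ACK flood bypasses the proxy, and without a final DROP for INVALID packets the traffic SYNPROXY rejects still reaches the server. The script below, added here as an example rather than taken from the original post or from Red Hat's documentation, generates the complete rule set for one service. The interface, port, MSS and window scale are assumed values: --mss and --wscale must match what the protected server actually announces in its own SYN-ACK (take a packet capture of a normal handshake), because SYNPROXY negotiates those options with the client on the server's behalf.

```shell
#!/bin/sh
# Generate the SYNPROXY rule set for a single TCP service.
# Usage: sh synproxy.sh eth0 80            # print the commands
#        sh synproxy.sh eth0 80 | sudo sh  # apply them (root, RHEL 7 / kernel >= 3.12 with xt_SYNPROXY)

# Print the sysctl and iptables commands for IFACE PORT [MSS] [WSCALE].
synproxy_rules() {
    iface=$1
    port=$2
    mss=${3:-1460}      # assumed; must equal the server's own MSS
    wscale=${4:-7}      # assumed; must equal the server's own window scale
    cat <<EOF
# Do not let conntrack adopt a flow from a mid-stream ACK; with the default
# (tcp_loose=1) an ACK flood would be accepted as ESTABLISHED, bypassing the proxy.
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
# SYNPROXY carries its SYN-cookie state in the TCP timestamp option.
sysctl -w net.ipv4.tcp_timestamps=1
# 1) Raw SYNs get no conntrack entry: SYNPROXY answers them with a SYN cookie itself.
iptables -t raw -A PREROUTING -i $iface -p tcp --dport $port --syn -j NOTRACK
# 2) Untracked SYNs and the (INVALID) ACKs completing a cookie handshake go to SYNPROXY,
#    which opens the real connection to the server only after the client has proven
#    it can finish a three-way handshake.
iptables -A INPUT -i $iface -p tcp --dport $port -m state --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss $mss --wscale $wscale --ecn
# 3) Anything still INVALID after SYNPROXY (bogus ACKs, SYN-ACK floods) is dropped.
iptables -A INPUT -i $iface -p tcp --dport $port -m state --state INVALID -j DROP
EOF
}

# Number of iptables rules the generated script installs (sanity check before piping into sh).
rule_count() {
    synproxy_rules "$@" | grep -c '^iptables '
}

if [ $# -ge 2 ]; then
    synproxy_rules "$@"
else
    echo "usage: $0 IFACE PORT [MSS] [WSCALE]" >&2
fi
```

After applying the rules, the counters in /proc/net/stat/synproxy (syn_received, cookie_valid, cookie_invalid) show whether the proxy is answering SYNs and how many handshakes it rejected; a rising cookie_invalid count during an attack confirms the flood is being absorbed before it reaches the listening socket.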