VM Escape & VMware Critical vmkernel Updates

The 9/21/2007 SANS NewsBites newsletter has some good commentary on the VMware updates that have shipped in the last two months. In short, if you are running any VMware product you need to be at the latest version in order to be secure against potential VM escapes. Normally virtual machines are encapsulated, isolated environments. The operating systems running inside the virtual machine shouldn’t know that they are virtualized, and there should be no way to break out of the virtual machine and alter the parent hypervisor. The process of breaking out and interacting with the hypervisor is called a “VM escape” and it is bad news. If an attacker can gain access to the hypervisor, they effectively have unlimited control …


What is VM Escape?

What is VM escape? Normally virtual machines are encapsulated, isolated environments. The operating systems running inside the virtual machine shouldn’t know that they are virtualized, and there should be no way to break out of the virtual machine and interact with the parent hypervisor. The process of breaking out and interacting with the hypervisor is called a “VM escape.” Since the hypervisor controls the execution of all of the virtual machines, an attacker who gains access to the hypervisor can then gain control over every other virtual machine running on the host. Because the hypervisor sits between the physical hardware and the guest operating system, an attacker will then be able to circumvent security controls in place on the …


esxcfg-nics & esxcfg-vswitch

One of my ESX Servers’ management NICs died today, right as I was to start upgrading to ESX 3.0.2. I don’t have the admin NICs in a redundant configuration yet, and it’s fairly inconvenient to lose management capabilities as you’re about to need VMotion. Luckily[0] I had an extra, unused NIC, esxcfg-nics, and esxcfg-vswitch. With these commands you can display and alter the settings for the NICs and virtual switches from the console. So, you find out what you have available with “esxcfg-nics -l”. Then you look at the relationships between the virtual switches and the NICs using “esxcfg-vswitch -l”. Since vmnic3 isn’t being used I ran:

esxcfg-vswitch --unlink=vmnic0 vSwitch0
esxcfg-vswitch --link=vmnic3 vSwitch0

And back up it came. [0] Not …


VMworld 2007 Here I Come

I finally got registered for VMworld 2007 today. I am looking forward to it. It does look like I’ll have to sneak into a lab or two on the 10th, though (engage my l33t stealth ninja skillz). Late registration does take a toll that way. I’ll be out there from September 8th until the 15th. Anybody else going? Want to go out one night and have a beer? I want to hit Jack’s Cannery Bar at least once while I’m out there, and with 100 beers on tap I think we could find something we like… 🙂 (there’s always SFBC, too)

VMware ESX Server 3.0.2

VMware ESX Server 3.0.2 is out. I applied it to my test environment (two Dell PowerEdge 1850s and a 650 as the VirtualCenter server) and it appears stable. It also didn’t wipe out my NTP configuration this time, which I like. I’ll run it for two weeks with artificial loads on it to make sure nothing is seriously wrong before I deploy it to production. The release notes document some of the odd behaviour we’ve been seeing. First, Red Hat Enterprise Linux 5 has a problem where filesystems go read-only. This was also a problem with Red Hat Enterprise Linux 4 and is fixed now, but the fix didn’t end up in the RHEL 5 kernel tree. That KB article …


Why VMmark Sucks

Sure, sure, having a standard benchmark to measure virtual machine performance is useful. Customers will swoon over hardware vendors’ published results. Virtualization companies will complain that the benchmark is unfair. Then they’ll all get silent, start rigging the tests, scrape and cheat and skew the numbers so that their machines look the greatest, their hypervisor is the fastest. Along the way it’ll stop being about sheer performance and become performance per dollar. Then CapEx vs. OpEx. Watt per tile. Heat per VM. Who knows, except everybody will be the best at something, according to their own marketing department. Welcome to benchmarking. It doesn’t make a damn bit of difference to me, though. I’ll never run VMmark. I’ll never pony up …


VMware VirtualCenter 2.0.2 Installed

Today I installed VMware VirtualCenter 2.0.2 in my test environment. Went okay. The release notes indicate that you need to follow KB article 4478241 before you upgrade. Despite that, VirtualCenter wouldn’t reconnect to one of my two test ESX boxes, and HA wouldn’t come up on the other. I ended up:

1. Disconnecting (not removing) both test ESX servers from VC.
2. Disabling HA and DRS for the cluster.
3. SSHing into both and restarting the management daemons (/sbin/service mgmt-vmware restart).
4. Reconnecting the ESX servers in VC.
5. Re-enabling HA and DRS.

Seems to work fine, now. I’m glad, because my next step was to slaughter a goat in sacrifice. That gets so messy. The 2.0.2 release notes also indicate that a client upgrade …


Why I Like Virtualization (And Why Hardware Sucks)

I was asked why I like virtualization and why chroot jails aren’t a better way to do things, at least on UNIX-like OSes. To figure out why I like virtualization, let’s start with what I don’t like about hardware:

Failures. Something is always going wrong, whether it’s a fan, disk, power supply, etc. More servers means more failures. We buy warranties to help with this, but warranties cost money. It takes time to deal with failed components, too.

Firmware. It is hard to update firmware levels. Every device is different, and a bunch of update methods end up requiring you to go out to the box with a USB stick or a floppy disk. That takes a lot of time, …


ESX Lite?

Alex Barrett over at SearchServerVirtualization.com has written about VMware’s “ESX Lite,” an unannounced product so far. My take: very interesting. The default ESX install creates about 8 GB of partitions on a host. Of that 8 GB, only about 4 GB are used, the rest being overflow for logs, etc. Even 8 GB is well within the reach of a flash drive. So you have an ESX server that doesn’t need local disk. That saves you $300 for a RAID controller and about $300 per 15K RPM 146 GB disk. For my RAID 1 + hot spare configurations that’s $1200. No moving parts equals theoretical better reliability, though flash drives have a limit to the number of read/write operations they …


Thanks LOPSA Madison

A big thank you goes out to the LOPSA Madison folks for letting me talk last night. There was a variety of expertise in virtualization in the room, and the crowd was incredibly friendly, which made for a good experience. I tried a different approach to my slides this time. I usually try using the 10/20/30 rule for my slides, but my slides become useless later on for notes. So this time I have some slides with a lot of data on them. Sorry! PDF version is online.