For whatever reason, when you want to shut down the whole VMware cloud infrastructure, you need to be careful about the order in which you turn off VMs, servers and equipment. Common sense gives a rule of thumb: first all the regular, operational VMs hosted on the vSphere ESX hosts (but not the VMs that are part of the infrastructure itself, such as the SQL Server); then the VMware infrastructure; and last (but not least!) the hardware. To be more specific, for a regular VMware vCloud Director environment the shutdown order would be:
- Customers' operational VMs and vApps
- Management and monitoring servers
- VMware vCloud Director (the Red Hat server)
- VMware vShield Manager
- VMware vCenter
- DNS server
- Database server (MS SQL Server)
- ESX hosts
- Storage (SAN)
The boot order is simply the reverse: bring up the storage first and the customers' VMs last. That's it. Good luck with your maintenance or relocation!
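As an added example (not part of the original post), here is a shell script that applies this order on one ESXi host over SSH, using the host's own vim-cmd and esxcli commands: guest-OS shutdown tier by tier (so the VMs need VMware Tools), waiting for each tier to be powered off before touching the next, then maintenance mode and power-off of the host. The host name, the VM name patterns that decide which tier a VM belongs to, and the sample getallvms listing are assumptions made up for the example; SAN shutdown is vendor specific and not covered. It only prints the commands unless DRY_RUN=0. In a vCloud Director environment, stop the customers' vApps through vCD itself first so its inventory stays consistent; this script is for what is left on the hosts.

```shell
#!/bin/sh
# Added example, not from the original post: tiered shutdown of the VMs on one
# ESXi host, then the host itself, driven over SSH with the host's own
# vim-cmd / esxcli. Host name and VM name patterns are assumptions.
set -eu

HOST="${ESX_HOST:-esx01.example.internal}"   # assumed host name
DRY_RUN="${DRY_RUN:-1}"                      # 1 = only print the commands

# Run a command on the host, or just print it in dry-run mode.
esx() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "[dry-run] ssh root@$HOST $*"
  else
    ssh "root@$HOST" "$@"
  fi
}

# Map a VM name to a shutdown tier (lower tiers go first). Infrastructure VMs
# are matched explicitly so they never fall into tier 1 with customer VMs.
# The name patterns are an assumption for this example.
tier_of() {
  case "$1" in
    *vcd*|*vcloud*)            echo 3 ;;  # vCloud Director cells
    *vshield*|*vsm*)           echo 4 ;;  # vShield Manager
    *vcenter*)                 echo 5 ;;  # vCenter
    *dns*)                     echo 6 ;;  # DNS
    *sql*|*db*)                echo 7 ;;  # database server
    *mgmt*|*monitor*|*nagios*) echo 2 ;;  # management and monitoring
    *)                         echo 1 ;;  # everything else is a customer VM
  esac
}

# Constructed sample of `vim-cmd vmsvc/getallvms` output (not a real capture).
SAMPLE_VMS='Vmid   Name        File                     Guest OS               Version
12     cust-web01  [ds1] cust-web01/x.vmx     rhel6_64Guest          vmx-08
15     mssql01     [ds1] mssql01/x.vmx        windows8Server64Guest  vmx-08
19     vcd-cell1   [ds1] vcd-cell1/x.vmx      rhel6_64Guest          vmx-08
21     vcenter01   [ds1] vcenter01/x.vmx      windows8Server64Guest  vmx-08
23     mon-nagios  [ds1] mon-nagios/x.vmx     rhel6_64Guest          vmx-08'

# Turn a getallvms listing (stdin) into "tier vmid name" lines, lowest tier
# first. Assumes VM names without spaces.
shutdown_plan() {
  awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1, $2 }' |
  while read -r vmid name; do
    echo "$(tier_of "$name") $vmid $name"
  done | sort -k1,1n -k2,2n
}

# Poll until the VM reports "Powered off" (about five minutes at most).
wait_off() {
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  i=0
  while ! ssh "root@$HOST" vim-cmd vmsvc/power.getstate "$1" | grep -q 'Powered off'; do
    i=$((i + 1))
    [ "$i" -lt 60 ] || { echo "timeout waiting for vmid $1" >&2; return 1; }
    sleep 5
  done
}

# Guest-OS shutdown (needs VMware Tools) tier by tier, reading the listing
# from stdin. Each tier is fully off before the next one is touched.
shutdown_vms() {
  plan="$(shutdown_plan)"
  for t in 1 2 3 4 5 6 7; do
    echo "$plan" | awk -v t="$t" '$1 == t { print $2, $3 }' |
    while read -r vmid name; do
      echo "tier $t: shutting down $name (vmid $vmid)"
      esx vim-cmd vmsvc/power.shutdown "$vmid"
      wait_off "$vmid"
    done
  done
}

# With all VMs off: maintenance mode, then power the host off.
shutdown_host() {
  esx esxcli system maintenanceMode set --enable true
  esx esxcli system shutdown poweroff --reason="planned maintenance"
}

main() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$SAMPLE_VMS" | shutdown_vms
  else
    ssh "root@$HOST" vim-cmd vmsvc/getallvms | shutdown_vms
  fi
  shutdown_host
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh shutdown-host.sh run` to see the plan for the sample listing, and with `DRY_RUN=0 ESX_HOST=<host>` to execute it; run it once per host, and only after vCenter and vCloud Director (tiers 3 to 7 here) have been shut down, since those live on the hosts too.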
Since vCenter exposes its management console over TCP ports 80 and 443 (for both the vSphere Client and the Web Client), it is important to restrict who can reach these ports. In practice that means limiting access to specific IP addresses in your internal network. If there is no firewall between your internal network and the cloud infrastructure, at least configure the Windows Firewall on the vCenter machine (if vCenter is installed on Windows) to restrict access. Port 80 should only ever serve the redirect to 443, and remember that VM console traffic from the vSphere Client goes to the ESXi hosts on TCP 902 rather than through these two ports, so restricting 80 and 443 alone does not cover console access; check the port list in the VMware documentation for your version.
Also, for a complete list of tasks to harden vCenter, see the Security Advisories and Guides (the vSphere Hardening Guide) from VMware.
I recently found a very useful Linux command named ‘tcpkill’ (it comes with the dsniff package). The other day I was trying to find a way to kill a TCP connection between my server and a client. It was not an attack and did not need a firewall rule; I simply wanted the connection killed so that the upper-layer application would re-establish it. The application had no facility for this and left TCP connection management to the OS (TCP keepalive in the Linux kernel). So I started looking for a way to kill the connection.
The solution was easy: just run ‘tcpkill’ with the appropriate parameters. The filter expression uses the same syntax as ‘tcpdump’ (BPF), so if you are familiar with ‘tcpdump’ you will find it easy. Keep in mind that tcpkill works by sniffing packets that match the filter and injecting RST segments in response, so it has to see traffic on the connection: a completely idle connection is not reset until its next packet (a keepalive probe is enough). For more explanation and examples, see the amazing cyberciti website.
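As an added example (not from the original post), the following script wraps the tcpkill call for one specific connection, so the filter names both ends and does not reset every client of the service port, and shows the `ss -K` alternative for the idle-connection case described above. The interface, addresses and ports are placeholders, and nothing is executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post: reset one TCP connection with
# tcpkill (from the dsniff package), plus the `ss -K` alternative. Commands are
# only printed unless DRY_RUN=0; interface and addresses are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# tcpdump/BPF filter naming both ends of the connection, so only that session
# is reset and not every client of the service port.
#   $1 peer address, $2 local (service) port, $3 peer port (optional)
tcpkill_filter() {
  if [ "$#" -ge 3 ]; then
    echo "tcp and host $1 and port $2 and port $3"
  else
    echo "tcp and host $1 and port $2"
  fi
}

# tcpkill sniffs packets matching the filter and answers them with RSTs built
# from the observed sequence numbers. It therefore needs traffic: an idle
# connection survives until its next segment (a keepalive probe is enough).
# -9 is the most aggressive degree; tcpkill keeps sniffing until interrupted.
kill_with_tcpkill() {
  iface="$1"; shift
  filter="$(tcpkill_filter "$@")"
  echo "tcpkill -i $iface -9 $filter"
  if [ "$DRY_RUN" != 1 ]; then
    # the filter is deliberately unquoted: it must be split into words
    tcpkill -i "$iface" -9 $filter
  fi
}

# Alternative that injects no packets: destroy the socket through sock_diag
# (`ss -K`, needs a kernel built with CONFIG_INET_DIAG_DESTROY, 4.5 or later).
# This works on idle connections too; the filter is ss syntax, not BPF.
kill_with_ss() {
  echo "ss -K dst $1 sport = :$2"
  if [ "$DRY_RUN" != 1 ]; then ss -K dst "$1" sport = ":$2"; fi
}

# Check afterwards that the connection really is gone from the socket table.
connection_gone() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "ss -Htn state established dst $1 sport = :$2"
    return 0
  fi
  [ -z "$(ss -Htn state established dst "$1" sport = ":$2")" ]
}

# Usage, with placeholder values (as root):
#   kill_with_tcpkill eth0 10.0.0.5 5432 40112   # Ctrl-C once it reports the RST
#   kill_with_ss 10.0.0.5 5432
#   connection_gone 10.0.0.5 5432
```

Leaving out the peer port makes the filter match every connection between that host and the service port, which is usually what you want when a client has one session, and not what you want on a shared host.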
It is nice to use the Guest Customization feature in VMware vCloud Director 5.1. Some operations, such as assigning IP addresses to VMs created from a template, are much easier when the OS of the virtual machine supports guest customization. Not all OSes support this feature; for a complete list of supported OSes, see here.
You also need to install VMware Tools on the base VM (the one to be used as the template in vCloud Director). For a Linux machine, two important things should be kept in mind:
- The automatic VMware Tools installation needs an X server, so if you are working in text mode you have to do it manually: vCenter mounts the VMware Tools ISO on the VM's CD-ROM drive, and you then extract the tarball and run ‘vmware-install.pl’.
- Never use the VMware Tools packages provided by the Linux distribution; install from the VMware Tools ISO that vCenter mounts on the VM.
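The manual, text-mode route scripted so that it runs unattended, as an added example that is not part of the original post: it mounts the ISO that vCenter attached, extracts the tarball, runs the installer with `-d` (accept the defaults, so no X server or prompts are needed), and verifies the result. The mount point and work directory are assumptions; the refusal to proceed while the distribution's open-vm-tools package is installed follows the advice above.

```shell
#!/bin/sh
# Added example, not from the original post: unattended VMware Tools install on
# a text-mode Linux template VM from the ISO that vCenter attaches through
# "Install/Upgrade VMware Tools". Mount point and work dir are assumptions.
set -eu

MNT="${MNT:-/mnt/cdrom}"
WORK="${WORK:-/tmp/vmware-tools-install}"

# The distribution's own package must not be mixed with the ISO installer.
distro_tools_installed() {
  rpm -q open-vm-tools >/dev/null 2>&1 || dpkg -s open-vm-tools >/dev/null 2>&1
}

# Locate the tarball on the mounted ISO. Failing here (instead of inside tar)
# is the quickest way to learn that the ISO is not attached or not mounted.
find_tools_tarball() {
  for f in "$1"/VMwareTools-*.tar.gz; do
    if [ -f "$f" ]; then echo "$f"; return 0; fi
  done
  echo "no VMwareTools-*.tar.gz under $1: is the ISO attached and mounted?" >&2
  return 1
}

install_vmware_tools() {
  if distro_tools_installed; then
    echo "remove the distribution's open-vm-tools package first" >&2
    return 1
  fi
  mkdir -p "$MNT" "$WORK"
  mountpoint -q "$MNT" || mount -o ro /dev/cdrom "$MNT"
  tarball="$(find_tools_tarball "$MNT")"
  tar xzf "$tarball" -C "$WORK"
  # -d takes the installer's default answer to every question, so neither an
  # X server nor any terminal interaction is needed.
  "$WORK"/vmware-tools-distrib/vmware-install.pl -d
  umount "$MNT"
  rm -rf "$WORK"
}

# Before converting the VM to a template: the tools binary answers and the
# guest can talk to the host (vmtoolsd has to be running for customization).
verify_tools() {
  vmware-toolbox-cmd -v
  vmware-toolbox-cmd stat sessionid >/dev/null
}

# Usage (as root on the template VM, after attaching the ISO in vCenter):
#   install_vmware_tools && verify_tools
```

If `vmware-toolbox-cmd` is missing after the installer finished, the kernel modules most likely failed to build; check that the kernel headers and a compiler are installed on the template before running it again.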
Remember to change the default value of “Highest supported hardware version” from 7 to 9 when you create a Provider vDC in VMware vCloud Director 5; otherwise, later on, when you try to import VMs from vCenter into your catalogs, you will get this error message:
“The selected vdc does not support required virtual hardware version”
The interesting point is that VMs created in vCenter are compatible with hardware version 8 by default, so the Provider vDC default of 7 rejects them straight away. There are a few such inconsistencies between vCenter, vSphere and vCloud Director; this is just one of them.
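As an added example (not part of the original post), a small check that finds VMs whose virtual hardware version is above what a Provider vDC accepts, so the mismatch is caught before the import fails with the error above. It reads the `virtualHW.version` line of each VM's .vmx file; the sample .vmx files are constructed for the example and the datastore path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: spot VMs whose virtual hardware
# version is above a Provider vDC's "Highest supported hardware version"
# before an import into a catalog fails. Reads the virtualHW.version line of
# each .vmx; the datastore path mentioned below is an assumption.
set -eu

# Hardware version of one VM from its .vmx, e.g. virtualHW.version = "8" -> 8
vmx_hw_version() {
  sed -n 's/^virtualHW\.version *= *"\([0-9][0-9]*\)".*/\1/p' "$1"
}

# Print each .vmx (with its vmx-NN version) that the Provider vDC would reject.
#   $1 highest version the Provider vDC accepts, then the .vmx paths
too_new_for_pvdc() {
  max="$1"; shift
  for vmx in "$@"; do
    v="$(vmx_hw_version "$vmx")"
    if [ -z "$v" ]; then
      echo "warning: no virtualHW.version in $vmx" >&2
      continue
    fi
    if [ "$v" -gt "$max" ]; then
      echo "$vmx (vmx-$(printf '%02d' "$v"))"
    fi
  done
}

# Constructed sample .vmx files (not real VMs), written under $1, so the check
# can be tried without a datastore.
make_sample_vmx() {
  printf '.encoding = "UTF-8"\nvirtualHW.version = "8"\ndisplayName = "web01"\n' > "$1/web01.vmx"
  printf '.encoding = "UTF-8"\nvirtualHW.version = "7"\ndisplayName = "old01"\n' > "$1/old01.vmx"
}

# On a host the paths would come from the datastore (assumed path), e.g.
#   too_new_for_pvdc 7 /vmfs/volumes/ds1/*/*.vmx
if [ "${1:-}" = demo ]; then
  d="$(mktemp -d)"
  make_sample_vmx "$d"
  too_new_for_pvdc 7 "$d"/*.vmx     # lists web01.vmx (vmx-08); old01 passes
  rm -rf "$d"
fi
```

Anything the check lists has two fixes: raise the Provider vDC limit to 9 as described above, which is the right one for new VMs, or accept the lower hardware version when creating the VM in vCenter in the first place.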