Saturday, 21 September 2019

What is CVE-2018-3646 or L1 Terminal Fault, and why should a vSphere admin care?

Have you come across an error on your VMware Web Client with the message
"The Host is Potentially vulnerable to issues discussed in CVE-2018-3646"? Then you should read this.

It is a vulnerability that was reported in Intel CPUs. A local user can obtain potentially sensitive information from system memory. What worries us is that VMware ESXi is affected.

A local user can conduct a speculative execution side-channel attack against the L1 cache to infer potentially sensitive information from L1 cache memory on the target system.

This method is referred to as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack.

Microprocessors that support Intel Software Guard Extensions (SGX) are affected [CVE-2018-3615].

Other Intel microprocessors that use speculative execution and address translations may be affected [CVE-2018-3620].

Other Intel microprocessors that use speculative execution and address translations and that host virtual systems may be affected [CVE-2018-3646].

The end result is that a local user can obtain potentially sensitive information from L1 cache memory on the target system.

Anyway, VMware has issued a fix for CVE-2018-3646 for VMware ESXi.

Check this link for updates: https://www.vmware.com/security/advisories/VMSA-2018-0020.html

Blog post sources:
https://securitytracker.com/id/1041456
https://kb.vmware.com/s/article/55636

If you were not aware of this issue before and reached this article to read about it, please leave a comment here and share this link with your IT professional groups so that we can fight it together.




Saturday, 23 September 2017

Unhandled exception when trying to connect to host client

Most probably you are here because you tried to log in to the host client in vSphere 6/6.5 and got the error message "unhandled exception when trying to connect to host client".

Please watch this video; it will give a solution to your problem. Please comment if it fixed your issue.




Please share it with your friends too.
If your organization needs a corporate training session on VMware DCV, please click the link below to reach us:
http://vmwaretraining.in 


Saturday, 2 August 2014

PowerCLI primer

Just like many of the network professionals out here, I too believe that life is too short to learn all those command prompt tools, and I stick to a graphical version of any tool if it is available. But sometimes the command prompt based tools can be indispensable if you have to do things repeatedly. For creating a single VM per day, I will surely use the vSphere Client, but for 50 VMs per day, I prefer some method by which I can automate the process. That is the role PowerCLI plays in a vSphere environment.
This post is just a basic introduction to the basic aspects of PowerCLI. Personally I am preparing this as a reference for myself so that I will not miss any of the concepts of PowerCLI for my VCAP-DCA exam.
To begin your experiment with PowerCLI, install it on any Windows machine on your network. You can download it here
Installation is pretty straightforward. Finish it and open PowerCLI from All Programs -- VMware -- VMware PowerCLI. But wait, if you try to do it, you will be greeted with an error message like this.




Now try to open the same program with administrative privileges, i.e. right click and select Run as administrator; you will find that the same error repeats this time also. It is now time for us to set the execution policy of PowerCLI to "RemoteSigned". It will allow us to run scripts that have been written on the local computer, while scripts downloaded from the internet still need a signature from a trusted publisher. That is exactly what we need to do. The default mode is Restricted, and that is why we are getting all those red colored scary messages. So go ahead and type this:
Set-ExecutionPolicy RemoteSigned
Next time you bring PowerCLI up, it will greet you in a much more pleasant manner. Remember that you don't have to run it in administrative mode anymore for normal operations.



Now let us start by connecting to an ESXi host or a vCenter Server. Use the command
Connect-VIServer <IP address or FQDN>
It will pop up a message asking for the user name and password. There are two options to avoid it and specify the credentials along with the command. You can pass them directly:
Connect-VIServer <ipaddress> -User root -Password P@ssw0rd
or you can use a credential variable, $Credential = Get-Credential, and pass the value $Credential along with the command like this:
Connect-VIServer <ipaddress> -Credential $Credential


Connect-VIServer -Menu is a nice option to list all your previously connected servers, and you can choose the one to which you wish to connect.






SSD tagging a Normal hard disk

There will be some situations where you need to tag a regular local drive attached to your ESXi host as an SSD drive. Your ESXi host is capable of detecting an SSD drive and tagging it accordingly, but some specific models of SSD drives will not show up as SSD. Since SSD is essential for your vSAN implementations and experiments, we may have to do the process manually.
The second scenario for this process is a home lab with nested virtualization where you need to fake an SSD for your lab experiments. Whichever the situation may be, we can use the following procedure.
Select the datastore option from the Configuration tab of the host and note down the device name as shown below.



As you can observe from the figure, the name of my datastore is FakeSSD and the device label is
mpx.vmhba2:C0:T1:L0
So I am performing an esxcli procedure which will make my ESXi host believe that it is using an SSD drive.
esxcli storage nmp satp rule add --satp VMW_SATP_LOCAL --device mpx.vmhba2:C0:T1:L0 --option "enable_local enable_ssd"
esxcli storage core claiming reclaim -d mpx.vmhba2:C0:T1:L0
Now check the device type after a refresh; the system now believes that I have an SSD disk on its controller.




Book Review : VMware vSphere Design



I have seen the book named VMware vSphere Design by Sybex publications in the Amazon stores for a while but stayed away from it due to the title of the book itself. I correlated the title to the VMware Design expert level of certification and decided that this stuff is not for me for some years. But one month back I ordered the paperback from Amazon and kept it on my shelf for all these days.
Just two days back I opened this book and took a glance through the topics, and I regretted not reading it before. It is a nice book for everyone who is interested in learning VMware data center virtualization and for all the sys admins who are working in a VMware environment.



Starting from the basic concepts, this book clearly explains all the aspects in a practical manner and also covers in depth the background of each technology. It is clearly written with a designer in mind because it covers each topic from the very basics. You will be disappointed only if you are searching for a quick one word solution for your specific issue (hope that kind of search can be done with Google, isn't it?).
As a virtualization trainer, I can say for sure that this book is a must read for anyone who is interested in learning VMware.
Meet the authors at their blogs here: Kendrick Coleman, Forbes Guthrie and Scott Lowe
Purchase it from the following link if you are an Indian customer: VMware vSphere Design. International customers can use this link: VMware vSphere Design


Get ready for vSphere 6

It is really fast, isn't it? While the virtual world is still trying to grasp all the new terms and terminologies associated with vSphere 5.5, VMware has released beta 2 of their new product with a lot of great features.


Click Join Now to join the vSphere Beta. If you have not already done so, you will be asked to log into MyVMware or register for a My VMware account. You also will be asked to acknowledge the MSBTA and/or vSphere Program Rules if this is your first time.


Please remember that you will be under a non-disclosure agreement with VMware by participating in the beta program. You are not permitted to blog about all the insider news right now. Still, it is really great to be part of the effort from VMware. Contribute your share to it.


Tips for vMA deployment



Installing the vMA appliance is a straightforward affair. But the same cannot be said about configuring the vMA and putting it to use for command prompt based management of your vSphere environment. Here I am sharing some tips to make your life easier with vMA.
Let us start with the link to download your vMA: find the 5.1 version here and the 5.5 version here
Once downloaded, install vMA as an appliance from your vSphere Client software. It is a preconfigured Linux box which will be installed on your ESXi host as a VM.
The first issue you will face when you try to power up your vMA is related to IP pools. Make sure you have defined an IP pool at the datacenter level and associated your network portgroup with that IP pool.


Remember that root is not the login user for this appliance. You have to use the account vi-admin for the login. The initial password is blank and you have to set a password, which must be really complex.
Once you have managed to power on the vMA, you can reach the console to configure the IP, subnet, gateway and DNS for the appliance. But if you did not set the additional parameters like gateway and DNS, setting them from the command prompt of the vMA appliance is challenging for a non-Linux guy. In that case "system-config-network-tui" is a great help. Just run this command as the super user and it will guide you through the step by step process of setting up the IP parameters once again. Type

sudo system-config-network-tui  

Once you have entered the DNS information, you can connect the vMA to an Active Directory domain. For that, type
sudo domainjoin-cli join example.com administrator
It will ask for the ADS admin's password and will join the domain.
The next issue normally faced by a virtual admin is accessing the vMA remotely using PuTTY. When I tried it for the first time, it showed me a message like this.


This is an issue with the default settings of the hosts.allow file in the etc folder of vMA, i.e. the /etc/hosts.allow file.
Edit this file using the vi editor, add the line sshd: ALL:ALLOW and save the file.
Since this is a read-only system file, the vi editor will not be able to save it even if you try to override the read-only option with the w! option. So make sure you run the vi editor using the sudo command,
i.e. sudo vi /etc/hosts.allow, press i to enter insert mode, add the line sshd: ALL:ALLOW, press Escape, press colon, type w! to save it.
And now you can log in to vMA using PuTTY as shown below.


Hope these tips will act as a reference for some of the issues normally faced when installing vMA. You can also share your experience using the comment system.
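
The same hosts.allow change as a script, added here as an example and not part of the original post: it adds the sshd rule only if it is missing and keeps a backup of the file. The function name allow_sshd, the .bak suffix and the 192.168.10. management subnet are assumptions; the optional second argument replaces ALL with a narrower client pattern.

```shell
#!/bin/sh
# Added example: idempotent version of the manual /etc/hosts.allow edit.
# Usage: allow_sshd FILE [CLIENT_PATTERN]
# CLIENT_PATTERN defaults to ALL, which is what the post adds by hand.
allow_sshd() {
    file=$1
    source_pat=${2:-ALL}
    rule="sshd: ${source_pat}: ALLOW"

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Nothing to do if an equivalent, uncommented rule already exists.
    # Comments and whitespace are stripped before comparing, so
    # "sshd : ALL : allow" counts as the same rule.
    if sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" |
        grep -qixF "sshd:${source_pat}:ALLOW"; then
        return 0
    fi

    cp -p "$file" "$file.bak" || return 1   # keep the previous version
    printf '%s\n' "$rule" >> "$file"
}

# Demo on a constructed sample file, not the live /etc/hosts.allow.
demo=$(mktemp)
printf '%s\n' '# constructed sample hosts.allow' 'ALL: 127.0.0.1' > "$demo"
allow_sshd "$demo" 192.168.10.   # appends "sshd: 192.168.10.: ALLOW"
allow_sshd "$demo" 192.168.10.   # second call leaves the file unchanged
cat "$demo"
rm -f "$demo" "$demo.bak"
```

On the vMA, put the function in a script and run that script with sudo against /etc/hosts.allow; without a second argument it writes the same ALL rule as the manual edit.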

Some additional thoughts:
When we add an ESXi host as a fastpass (fp) target server, vi-fastpass creates two users on the target server and stores the password information on vMA. The users are vi-admin and vi-user.
