As mentioned previously in my previous post on Components of VMware and vSphere 6.0 – Part 1, the aim of the article is to publish a continuous summary of the Data Center Virtualization exam. This article will focuss on the following points:
vCenter Server – Introduction
vCenter Server – Features
The vCenter Server – Introduction
The vCenter server is the hypervisor core management application of vSphere provides centralized management of vSphere virtual infrastructure. It allows administrators to ensure security and availability, simplifies day-to-day tasks and reduces complexity of managing virtual infrastructure.
vCenter server manages the essential functions of vSphere from any browser using vSphere web client. It provides simplified and integrated management of VMware hosts. It also simplifies management by assembling and automating out of the box work flows. In vCenter orchestrator, vCenter can restart failed virtual machines without any manual intervention. It monitors utilization across resource pools and allocates resources among VMs according to pre-defined rules. vCenter server integrates with the ecosystem partners to extend the capabilities of the virtual infrastructure.
The VMware PSC (Platform Resources Controller) is a component of vCenter server. It contains common infrastructure services such as vCenter single sign-on, VMware certificate authority, licensing and Server Reservation and Registration. This gives customers to single point to manage all vSphere roles and permissions along with licensing.
VMware PSC (Platform Resource Controller) has two models of deployments i.e; embedded and centralized. In Embedded, the PSC and vCenter server are installed on a single virtual machine. In a centralized model, the PSC and the vCenter server are installed on different virtual machine.
vCenter server – Features
vCenter server has the following features:
Certificate management – In vSphere 6.0, solution users (the users created) when a solution such as vCenter Server, vCenter Inventory service and so on is registered with vCenter single sign-on utilized as certificate endpoints. These users are issued certificates instead of individual services. This enables the services associated with a solution user to utilize the same certificate, substantially reducing the number of certificates required to manage in the environment. The VMware Certificate Authority (VMCA) is a root certificate authority (CA) that issues signed certificates to all vSphere 6.0 components via the solution users.
Alarms and Alerts – Alarms are notifications that are activated in response to an event, a set of conditions, or the state of an inventory object. Alarm can change state from mild warnings to more serious alerts as system conditions change, and can trigger automated alarm actions. This functionality is useful when you want to be informed or take immediate actions, when certain events or conditions occur for a specific inventory object, or group of objects.
Monitoring Features – vCenter server provides several tools to help you monitor your virtual environment and to locate the source of current and potential problems. It provides performance charts, storage reports and system log files to monitor your environment.
Template Management – The content library simplifies virtual machine template management and distribution by centrally managing virtual machine templates, ISO images and scripts. It also performs the replication of associated data from the published catalog to the subscribed catalog at other sites. As content are updated, old versions are automatically purged and replaced with a new version, offering life cycle management capabilities for virtual machine templates and related files.
Linked mode Deployment – vCenter server linked mode enables a common inventory view across multiple instances of the vCenter server. Linked mode provide a single pane of glass view across geographically separate vCenter servers. This deployment replicates licenses, permissions and roles across multiple vCenter services. Linked mode is automatically enabled for any vCenter server deployment.
Last time, I published an article on the introduction of Data Center Virtualization fundamentals. The second module continues here on this blog post which will cover part of the VMware vSphere 6.0. This module focuss on the power of virtualization to transform data centers into simplified cloud computing infrastructures and enable IT organizations to deliver flexible and reliable IT services. Part 1 will cover the following:
vSphere 6.0 – Overview
vSphere 6.0 – Architechture
Topology of vSphere 6.0 Data Center
vSphere 6.0 – configuration maximums
vSphere 6.0 – Overview
It manages large collection of infrastructure such as compute, storage and networking as a seamless operating and dynamic environment. vSphere is composed of vCenter server, infrastructure services, application services and clients.
vCenter server – It provides a single point of control for vSphere data center. It provides essential data center services such as access control, performance monitoring and configuration.
Infrastructure services – set of services provided to abstracts, aggregates and allocates hardware or infrastructure resources. It is categorized into compute, storage and network.
Application services – set of services provided to ensure availability, security and scalability of applications. Examples are High Availability and vMotion.
Clients – The vSphere client and vSphere web client are the interfaces that allow users to communicate with the vSphere data center.
vSphere 6.0 – Architechture
vSphere 6.0 represent the core of the SDDC – software defined data center by virtualizing the entire infrastructure servers, storage and network. This is group into simple and unified manageable sets of elements.
Infrastructure services such as compute, storage and network will abstract, allocate and Aggregate hardware or infrastructure resources.
vSphere makes infrastructure resources resilient with features like high availability, fault tolerance, vMotion, storage Vmotion and DRS
Management layer or vSphere 6.0 consist of the vCenter server and vRealize operations.
The interface layer of vSphere 6.0 is composed of the vSphere web client that allows user to access the data center.
Topology of vSphere 6.0 Data Center
Using vSphere 6.0, administrators can simplifies management of their data center by creating Virtual Data Center (VDC) as a highly available, resilient and On-demand infrastructure that is ideal for cloud environments. It includes components to perform the following functions:
Compute – In vsphere 6.0, clusters can scale up to many as 64 hosts and support 8000 virtual machines in a single cluster. There is also expanded support for the latest x86 chip sets, devices, drivers, guest operating systems.
Storage – Fibre Channel Storage Area Network (FCSAN) arrays, Internet Small Computer System Interface (ISCSI) and Network Attached Storage (NAS) arrays are widely used storage technologies supported by vSphere 6.0 to meet different data center storage needs. Storage policy based management (SPBM) allows common management across storage tiers and dynamic storage classes of service automation. They enable exact combinations of data services (such as clones and snapshots) to be instantiated more efficiently on a per virtual machine basis.
Networking – It supports Network I/O control and multicast snooping. vSphere allows dedicated networking stack and simplifies IP address management with a dedicated default gateway for vMotion traffic.
Availability – Enhanced vMotion capabilities allow non-disruptive live migration of workloads across distributed switches and vCenter servers and provide a saving up to 95% in time and resources. There is also expanded support for software-based fault tolerance for workloads with up to 4 virtual CPUs
Management – vSphere 6.0 provides several interfaces such as vSphere content library and vSphere web client for data center management and virtual machine access. Administrators can used vRealize automation to accelerate the deployment and management of applications and compute services, thereby improving business agility and operational efficiency. For operations management, administrators can use vRealize operations that delivers intelligent operations management across physical, virtual and cloud infrastructures
vSphere 6.0 configuration maximums
vSphere 6.0 clusters can now scale to support more than 64 hosts with 8000 virtual machines in a single cluster.
Each vSphere 6.0 instance can support as many as 480 PHYSICAL CPUs, 12 TB of RAMs and 2048 VMs per host.
PS: All of these materials are available freely on the VMware website which i made a resume to have a picture of what is being introduced in this module.
The VMware Data Center Virtualization course which is freely available on the VMware website provides fundamental understanding of VMware ‘s Data Center Virtualization products. It covers features and components of vSphere 6.0, explain the need for Data Center Virtualization and explain how business can solve challenges with regard to Data Center Virtualization. Though on the VMware website the course is freely available, i decided to create a post to keep track my own future references. The free course available on the VMware website is composed of three modules which covers an introduction, VMware vSphere components and vSphere solutions to Data Center challenges. The aim of this blog post is to gather maximum interesting main points which will cover the Data Center Virtualization exam.
Virtualization: An overview
Virtualization is the process of creating virtual versions of physical components such as servers, storage devices and network devices. With virtualization, you can run multiple operating systems and applications to be run on a single server and consolidates hardware to get higher productivity from fewer servers. Virtualization can be done at all levels.
Virtualization: The foundation of Cloud Computing
Virtualization powers cloud computing and helps delivers on its potential by virtualizing, consolidating and automating your data center resources and management. VMware offers several products and service that allows you to do just that. For example
VMware vRealize Suite – is a cloud management platform purposely built for heterogeneous data centers and hybrid cloud and allows you to automate the delivery of infrastructure and applications across multiple hypervisor private and public cloud with both speed and control
VMware vSphere – is the server virtualization platform provides a robust API that simplifies infrastructure management for administrators and integrates with OpenStack APIs that enable developers to manage and run OpenStack infrastructure.
Big Data Extension (BDE) – BDE can be used on the vSphere platform to deliver a new level of efficiency and agility in handling data workloads and it supports next generation application framework such as Hadoop. BDE provides a set of management tools to deploy, run, and manage Hadoop workloads in virtual and cloud environments.
Data Center Virtualization
It is the conversion of the hardware devices in a data center into software resources. Virtualization softwares enable several operating system to run on one physical host. Here are the benefits of Data Center Virtualization:
Reduce Capital and Operating Costs – Server consolidation allows you to get more out of your existing hardware by running multiple machines on a single physical server. Fewer servers result in lower capital and operating costs.
Deliver High Application Availability – Availability and high tolerance features are an integral part of Data Center Virtualization tools and help protect all your virtualized applications. Using this feature, if a node or a server fails, all of its virtual machines are automatically restarted or continued on another machine, with no downtime or data loss.
Improve business continuity – Virtualization makes it easier to survive potential IT disasters, where one virtual machine can be moved to one location to another different location without data loss.
Increase productivity – Streamlined and automated task allows you to spend less time on maintenance and more time on innovation.
Improve responsiveness – Virtualization lets your business scale rapidly because you can deploy desktops, applications and servers quickly and flexibly.
Virtual Machines, its capabilities and benefits
In brief, a virtual machine is a tightly isolated software container with its own virtual hardware, a guest operating system and one or more applications. It is also a collection of virtualized hardware resources that constitute a physical computer on a native environment. Virtual machines share the hardware of the physical server on which they are mounted. It allows you to quickly replace or upgrade components. It allows you to add components without rebooting the virtual machine.
Virtualization helps organizations to increase their data center availability whether as a protection schemes as common hardware failures or complete site-level disaster. Virtual machines are easy to move, copy and restore which makes disaster recovery simple. Snapshots features enable administrators to capture the entire state of a running machine. There are also other features such as restoration from bare-metal backup, hot add virtual hardware when upgrading.
Here are three benefits of using virtual machines:
Multiple applications on each host : As each virtual machine encapsulates an entire machine, many applications and operating systems can run on a single host at the same time.
Machine host utilization, minimum host count : Every physical machine is used to its full capacity, allowing you to significantly reduce costs by deploying fewer server overall.
Faster and easier provisioning of applications and resources : As self contained software files, virtual machine can be manipulated with copy and paste ease. Virtual machine can even be transferred from one physical server to another while running, via a process called live migration or better knows as vMotion. You can also virtualize business-critical applications to reduce cost and increase performance, reliability and scalability.
The hypervisor and the ESXi hypervisor
A hypervisor provides the virtual hardware and physical resources on which you can create virtual machines. It is managed by vCenter server and is installed on the server to allow multiple, unique and isolated virtual machine to run on the same physical server. There are two types of hypervisor:
Bare metal hypervisor – It is installed on a physical device without an operating systems. They perform the functions of an operating system and have resource management capabilities. Example is VMware ESXi. Data Center Virtualization is typically performed using bare metal hypervisors because the dependency on another operating system is low. There is also less resource overhead as these hypervisors perform both roles.
Hosted hypervisor – Operate as an application on top of pre-existing operating system. The separation of roles can be helpful if the underlying hardware is not supported by a bare metal hypervisor. Example is VMware workstation.
The ESXi hypervisor is a bare metal hypervisor that performs resource management while directly accessing the underlying physical hardware. It improves resource efficiency because of low operating system overhead. ESXi is not dependant on other operating system. ESXi hosts virtual machine provides management functions to help, deploy and control them.
ESXI is commonly installed directly on hard drives of the physical server, in flash drives, SD cards and USB drives. Network boot is also possible using PXE or TFTP servers.
VMware vSphere 6.0, its capabilities and benefits.
vSphere 6.0 empower users to virtualize scale-up and scale-out applications with confidence predefined availability and simplifies the data center. The result will provide a high availability, resilient and on-demand infrastructure. It drives down data center costs, increases system and application uptime, simplify the way IT runs the data center. It is purposely built for next generation applications and serves as the core foundation block for SDDC (Software Defined Data Center).
The capabilities of vSphere 6.0 are that it delivers enhances scale, performance and availability to enables you to easily virtualized applications. You can simplifies virtual data center management to manage the creation, sharing, deployment and migration of virtual machine with powerful and simple tools.It provides the capabilities to perform live workload migration.It provides the capabilities to data center maintenance with zero downtime. It also allows you to transform storage for virtual machines by enabling external storage arrays to operate in a more virtual machine centric manner. You can also built and operate cloud environment with VMware stack or open source frameworks such as OpenStack or the VMware integrated stack addon. vSphere is available in three editions i.e; Standard, Enterprise and Enterprise Plus editions.
Some benefits of vSphere 6.0 are that is improves efficiency through utilization and automation, maximise uptime in cloud infrastructure, reduces on planned downtime. It lowers IT costs by reducing capital expenditure by 70% and operational expenditure by 30%. vSphere 6.0 provides agility with control and allows quick response to changing business needs without sacrificing security. You can also use a common standard based platform to leverage existing IT assets alongside next generation IT services and enhanced vSphere through open API with solution from global eco systems of leading technology providers. It helps several organizations to address challenges related to availability, scalability, optimization, management, application upgrade and cloud challenges.
PS: All of these materials are available freely on the VMware website which i made a resume to have a picture of what is being introduced in this module.The second module is related to the components of VMware vSphere 6.0
Several times, I had discussions with friends on how NTP works! What is the logic behind NTP and its configurations? We noticed that there are several terms and calculations to grasp especially when it comes to debugging. Well, I decided to make a research on it and shed some ideas on NTP – Network Time Protocol. These recent days, we have noticed several vulnerabilities and attacks going on the NTP servers. NTP is a protocol designed to synchronize the clocks of computers over a network.
NTP is a utility where timestamps are used. Examples are logs, database replications, the time packets exchanged in a network. NTP uses its own binary format and runs on port 123 UDP. RFC 1305 and RFC 2030 give detailed explanations of NTP.
The logic behind NTP
In brief, packets are exchanged between the NTP server and the client in the following order. It is to be noted that latency is an important issue when it comes to NTP:
The NTP client will send a request with a timestamp.
The NTP server will return the packet with 3 timestamps.
echo of the client timestamp
The timestamp of the received timestamp by the server
The timestamp response sent by the server.
The client will then estimate the offset (the difference in timestamps between the client and the server)
A client may have several NTP servers configured, but will synchronize with only one NTP server. A server may also take some time to respond to a client depending when it is not busy. NTP packets are exchanged between 64 – 1024 seconds for each server. – This configurations are called “minpoll” and “maxpoll”
Some basic configuration on a CentOS 7 machine
The command timedatectl can be used to check if NTP is enabled or not
You can also check if the service is running using the following command;
systemctl status chronyd.service
The configuration file is located by default at /etc/chrony.conf . You will notice that the NTP servers are configured by default in that file.
[[email protected] ~]# head -n 7 /etc/chrony.conf
# Use public servers from the pool.ntp.org project.# Please consider joining the pool (http://www.pool.ntp.org/join.html).server 0.centos.pool.ntp.org iburstserver 1.centos.pool.ntp.org iburstserver 2.centos.pool.ntp.org iburstserver 3.centos.pool.ntp.org iburst
You can check if your machine are synchronised from the sources with the following command. The column Name/IP address are the location from where the time is being synchronized.
A drift means a deviation. A drift happens when the hardware clock is either fast or slow compared to the NTP server clock. The drift file contains 2 values. If it’s a positive number, it means the clock is fast from the NTP server whereas if it is a negative number, it means the clock is slow compared to the NTP server. Here i have a slow clock.
The Maths - How the NTP client adjust its response from the NTP server
Now, we will get into the math behind the logic as discussed previously what happens when the NTP client request the time from the NTP server.
NTP Client A send request to server X – Let’s assume A=100 where 100 is the time of the client
NTP Server X received the request after some secs. – Let’s assume X= 150 where 150 is the time of the server.
Being given that, the request from NTP client is not necessarily served immediately, there is lapse of time at this point. let’s assume that X is now 160
We now have 3 values i.e; The time the client sent the request, the time (real time) the server received the request and the time the server want to respond back.
Now the NTP client gets the request back at 120. This is because the NTP client has its own time.
Client will now determine the time using the formulae B-A – (Y-X) which means 120-100-(160-150) = 10 seconds
Client assumed that the time it took to get the response from server to client is 10/2 = 5 seconds. Assuming 5 seconds is the latency.
Now the client adds 5 seconds to the server time at the time it received the response which makes 160 +5 = 165 seconds.
The client knows it needs to add 45 seconds to its clock. This is done by subtracting 165 – 120 = 45 seconds where 45 seconds is the difference between the client and the server clock to which the client will set forward its clock by 45 seconds. This indication will be given in the drift file in PPM – Parts Per Million.
If the iburst parameters are removed, communication between the server will 8 times faster.
You can also increase the verbosity of the command chronyc sources by adding the parameter -v to it and detailed explanation of the values will be given i.e; chronyc source -v
You can pick up different NTP servers from the NIST website and restart the NTP service (chronyd).
Some days back, I was brewing up some plans to optimise my website source codes, HTTP headers, latency and other security aspects. I had to carry out some analysis and research using some tools available on the internet. I should admit that, at first, it looked pretty simple, but it was not. For instance, I did not permit myself to directly modify the production environment. So, I had to migrate it on a pre-production environment. Page caching was yet another issue which could trick oneself after modifications.
Since my website is behind Cloudflare, which is already an advantage in terms of security, performance, reliability and insight, it does not mean that the website cannot be hacked. According to sucuri.net, websites using WordPress CMS are constantly being hacked. Of course, it depends on the mode of attack and the infection impact.
Migrating to TLS
Migrating a CMS which already has several articles posted can be an issue as the URLs are already recorded in the database as well as in the source code itself. Also, there were links on the website which were not pointed on HTTPS. After moving to the HTTPS version, errors such as “Mixed content” could be noticed when accessing the website. One of the interesting free feature of Cloudflare is that everyone can have a free SSL certificate issued by Comodo. You will have to generate your certificate and your private key from Cloudflare and point it on your Virtual Host.
Some corrections on WordPress source code needed to be added in the wp-config file as follows:
On top of that, there seemed to be lots of URLs on the database itself that needed corrections using the following commands:
update wp_options set option_value = replace(option_value, ‘http://www.tunnelix.com’, ‘https://www.tunnelix.com’) where option_name = ‘siteurl’;
update wp_posts set guid = replace(guid, 'http://www.tunnelix.com', 'https://www.tunnelix.com');update wp_posts set post_content = replace(post_content, 'http://www.tunnelix.com', 'https://www.tunnelix.com');
However, there are some tricks to identify those non-HTTPS URLs by making a dump of the database and do a “Grep” in it, followed by a “Sed” to eliminate those unwanted parameters. Once the “Mixed Content” errors have been identified, I launched a scan on the Qualys SSL Labs website. The result was an “A+”. You can also use the Htbridge free SSL server test which is pretty fascinating especially to verify PCI DSS Compliance, HIPAA compliance, NIST guidelines and industry best practice in general. If all those criteria have been met, then you would score an “A+” rather than an “A” or worse a “F”.
Source code optimisation and Page speed verification
This can be verify using the GTmetrix tool available for free online. I noticed that my rank was a “C”. This was caused due to lack of minified HTML and CSS, and Image dimension. To handle the minify HTML errors, I enabled the plugin Minify HTML Markup on WordPress itself which corrected these errors. To tweak the Image dimension i downloaded the tool Optipng from Epel repository:
For example, if you want to optimize a specific image, use the following command:
Another verification was made on GTmetrix website and i noticed that the result was then an “A”
Tweaking the Web server HTTP headers
Htbridge will surely give you an overview of the web server security and will accompany you step by step to get a better result.
Of course, since the website is behind cloudflare, it is limited to certain security tweaks such as Public-key-pins.The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of Man-in-the-Middle (MITM) attacks with forged certificates. I found an interesting article on https://raymii.org which explained how to activate the HPKP.
Once you are in possession of your certificate and Private key, you can create the public key and a token will be received to activate the HPKP extension. The following commands can be used to get the token and the public key.
However, it looked that HPKP is not supported on Cloudflare. But, there are other issues such as HSTS. HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this. I enabled it as per recommendations by Cloudflare.
A curl on the url https://tunnelix.com now prompts the following headers :
No system is perfectly secure, but I believe that these modifications are worth to adventure around. I should say I was really impressed by free tools such as the Qualys SSL test, HTbridge free SSL and Web security test and Gtmetrix in terms of page speed.
Hello Tunnelers, this is my first article for the year 2017, I seize this opportunity to wish my readers a Happy New Year 2017 and wish you all lots of prosperity. – TheTunnelix