Components of VMware vSphere 6.0 – part 2

As mentioned in my previous post, Components of VMware vSphere 6.0 – Part 1, the aim of this series is to publish a running summary of the Data Center Virtualization exam material. This article will focus on the following points:

  • vCenter Server – Introduction
  • vCenter Server – Features

The vCenter Server – Introduction

vCenter Server is the core management application of vSphere: it provides centralized management of the vSphere virtual infrastructure. It allows administrators to ensure security and availability, simplifies day-to-day tasks and reduces the complexity of managing virtual infrastructure.

vCenter Server manages the essential functions of vSphere from any browser using the vSphere Web Client. It provides simplified and integrated management of VMware hosts, and further simplifies management by assembling and automating out-of-the-box workflows. With vCenter Orchestrator, vCenter can restart failed virtual machines without any manual intervention. It monitors utilization across resource pools and allocates resources among VMs according to predefined rules. vCenter Server integrates with ecosystem partners to extend the capabilities of the virtual infrastructure.

The VMware PSC (Platform Resources Controller) is a component of vCenter Server. It contains common infrastructure services such as vCenter Single Sign-On, the VMware Certificate Authority, licensing, and Server Reservation and Registration. This gives customers a single point from which to manage all vSphere roles and permissions along with licensing.

Photo credits: VMware

The VMware PSC (Platform Resources Controller) has two deployment models, i.e. embedded and centralized. In the embedded model, the PSC and vCenter Server are installed on a single virtual machine. In the centralized model, the PSC and vCenter Server are installed on different virtual machines.

Photo credits: VMware

vCenter server – Features

vCenter server has the following features:

Certificate management – In vSphere 6.0, solution users (the users created when a solution such as vCenter Server or the vCenter Inventory Service is registered with vCenter Single Sign-On) are used as certificate endpoints. Certificates are issued to these users instead of to individual services. This lets all the services associated with a solution user share the same certificate, substantially reducing the number of certificates to manage in the environment. The VMware Certificate Authority (VMCA) is a root certificate authority (CA) that issues signed certificates to all vSphere 6.0 components via the solution users.

Alarms and Alerts – Alarms are notifications that are activated in response to an event, a set of conditions, or the state of an inventory object. Alarms can change state from mild warnings to more serious alerts as system conditions change, and can trigger automated alarm actions. This functionality is useful when you want to be informed, or to take immediate action, when certain events or conditions occur for a specific inventory object or group of objects.

Monitoring Features – vCenter server provides several tools to help you monitor your virtual environment and to locate the source of current and potential problems. It provides performance charts, storage reports and system log files to monitor your environment.

Template Management – The content library simplifies virtual machine template management and distribution by centrally managing virtual machine templates, ISO images and scripts. It also replicates the associated data from the published catalog to the subscribed catalog at other sites. As content is updated, old versions are automatically purged and replaced with the new version, offering life-cycle management for virtual machine templates and related files.

Linked mode Deployment – vCenter Server linked mode enables a common inventory view across multiple instances of vCenter Server. Linked mode provides a single-pane-of-glass view across geographically separate vCenter Servers. This deployment replicates licenses, permissions and roles across multiple vCenter services. Linked mode is automatically enabled for any vCenter Server deployment.


Components of VMware vSphere 6.0 – part 1

Last time, I published an article on the introduction to Data Center Virtualization fundamentals. The second module continues here in this blog post, which covers part of VMware vSphere 6.0. This module focuses on the power of virtualization to transform data centers into simplified cloud computing infrastructures and to enable IT organizations to deliver flexible and reliable IT services. Part 1 will cover the following:

  • vSphere 6.0 – Overview
  • vSphere 6.0 – Architecture
  • Topology of vSphere 6.0 Data Center
  • vSphere 6.0 – configuration maximums

vSphere 6.0 – Overview

vSphere manages a large collection of infrastructure such as compute, storage and networking as a seamless, dynamic operating environment. vSphere is composed of vCenter Server, infrastructure services, application services and clients.

vCenter server – It provides a single point of control for the vSphere data center. It provides essential data center services such as access control, performance monitoring and configuration.

Infrastructure services – a set of services that abstract, aggregate and allocate hardware or infrastructure resources. They are categorized into compute, storage and network.

Application services – a set of services that ensure the availability, security and scalability of applications. Examples are High Availability and vMotion.

Clients – The vSphere client and vSphere web client are the interfaces that allow users to communicate with the vSphere data center.

vSphere 6.0 – Architecture

vSphere 6.0 represents the core of the SDDC (software-defined data center) by virtualizing the entire infrastructure: servers, storage and network. These are grouped into simple, unified, manageable sets of elements.

  • Infrastructure services such as compute, storage and network abstract, allocate and aggregate hardware or infrastructure resources.
  • vSphere makes infrastructure resources resilient with features like High Availability, Fault Tolerance, vMotion, Storage vMotion and DRS.
  • The management layer of vSphere 6.0 consists of vCenter Server and vRealize Operations.
  • The interface layer of vSphere 6.0 is composed of the vSphere Web Client, which allows users to access the data center.

Photo credits: VMware

Topology of vSphere 6.0 Data Center

Using vSphere 6.0, administrators can simplify management of their data center by creating a Virtual Data Center (VDC) as a highly available, resilient and on-demand infrastructure that is ideal for cloud environments. It includes components that perform the following functions:

Compute – In vSphere 6.0, clusters can scale up to as many as 64 hosts and support 8000 virtual machines in a single cluster. There is also expanded support for the latest x86 chipsets, devices, drivers and guest operating systems.

Storage – Fibre Channel Storage Area Network (FC SAN) arrays, Internet Small Computer System Interface (iSCSI) and Network Attached Storage (NAS) arrays are widely used storage technologies supported by vSphere 6.0 to meet different data center storage needs. Storage Policy Based Management (SPBM) allows common management across storage tiers and dynamic automation of storage classes of service. It enables exact combinations of data services (such as clones and snapshots) to be instantiated more efficiently on a per-virtual-machine basis.

Networking – vSphere 6.0 supports Network I/O Control and multicast snooping. vSphere allows a dedicated networking stack and simplifies IP address management with a dedicated default gateway for vMotion traffic.

Availability – Enhanced vMotion capabilities allow non-disruptive live migration of workloads across distributed switches and vCenter Servers and provide savings of up to 95% in time and resources. There is also expanded support for software-based Fault Tolerance for workloads with up to 4 virtual CPUs.

Management – vSphere 6.0 provides several interfaces, such as the vSphere Content Library and the vSphere Web Client, for data center management and virtual machine access. Administrators can use vRealize Automation to accelerate the deployment and management of applications and compute services, thereby improving business agility and operational efficiency. For operations management, administrators can use vRealize Operations, which delivers intelligent operations management across physical, virtual and cloud infrastructures.

vSphere 6.0 configuration maximums

vSphere 6.0 clusters can now scale to support more than 64 hosts with 8000 virtual machines in a single cluster.

Photo credits: VMware

Each vSphere 6.0 host can support as many as 480 physical CPUs, 12 TB of RAM and 2048 VMs.

Photo credits: VMware

PS: All of this material is freely available on the VMware website; I have summarised it here to give a picture of what is introduced in this module.


Data Center Virtualization Fundamentals – Introduction course

The VMware Data Center Virtualization course, which is freely available on the VMware website, provides a fundamental understanding of VMware's Data Center Virtualization products. It covers the features and components of vSphere 6.0, explains the need for Data Center Virtualization and explains how businesses can solve challenges with Data Center Virtualization. Although the course is freely available on the VMware website, I decided to write a post to keep track of it for my own future reference. The free course on the VMware website is composed of three modules, which cover an introduction, the VMware vSphere components and vSphere solutions to data center challenges. The aim of this blog post is to gather the most interesting main points that cover the Data Center Virtualization exam.

DCV exam paths – Photo credits: VMware

Virtualization: An overview

Virtualization is the process of creating virtual versions of physical components such as servers, storage devices and network devices. With virtualization, you can run multiple operating systems and applications on a single server and consolidate hardware to get higher productivity from fewer servers. Virtualization can be done at all levels.

Photo credits: VMware.com

Virtualization: The foundation of Cloud Computing

Virtualization powers cloud computing and helps deliver on its potential by virtualizing, consolidating and automating your data center resources and their management. VMware offers several products and services that allow you to do just that. For example:

VMware vRealize Suite – is a cloud management platform purpose-built for heterogeneous data centers and hybrid clouds. It allows you to automate the delivery of infrastructure and applications across multiple hypervisors, private clouds and public clouds with both speed and control.

VMware vSphere – is the server virtualization platform. It provides a robust API that simplifies infrastructure management for administrators and integrates with OpenStack APIs, enabling developers to manage and run OpenStack infrastructure.

Big Data Extensions (BDE) – BDE can be used on the vSphere platform to deliver a new level of efficiency and agility in handling data workloads, and it supports next-generation application frameworks such as Hadoop. BDE provides a set of management tools to deploy, run and manage Hadoop workloads in virtual and cloud environments.

Data Center Virtualization

Data Center Virtualization is the conversion of the hardware devices in a data center into software resources. Virtualization software enables several operating systems to run on one physical host. Here are the benefits of Data Center Virtualization:

Reduce Capital and Operating Costs – Server consolidation allows you to get more out of your existing hardware by running multiple machines on a single physical server. Fewer servers result in lower capital and operating costs.

Deliver High Application Availability – Availability and high tolerance features are an integral part of Data Center Virtualization tools and help protect all your virtualized applications. With these features, if a node or server fails, all of its virtual machines are automatically restarted or continued on another machine, with no downtime or data loss.

Improve business continuity – Virtualization makes it easier to survive potential IT disasters, since a virtual machine can be moved from one location to a different one without data loss.

Increase productivity – Streamlined and automated tasks allow you to spend less time on maintenance and more time on innovation.

Improve responsiveness – Virtualization lets your business scale rapidly because you can deploy desktops, applications and servers quickly and flexibly.

Virtual Machines, its capabilities and benefits

In brief, a virtual machine is a tightly isolated software container with its own virtual hardware, a guest operating system and one or more applications. It is also a collection of virtualized hardware resources that constitute what a physical computer provides in a native environment. Virtual machines share the hardware of the physical server on which they run. This allows you to quickly replace or upgrade components, and to add components without rebooting the virtual machine.

Virtualization helps organizations increase their data center availability, whether as protection against common hardware failures or against a complete site-level disaster. Virtual machines are easy to move, copy and restore, which makes disaster recovery simple. Snapshot features enable administrators to capture the entire state of a running machine. There are also other features, such as restoration from bare-metal backup and hot-adding virtual hardware when upgrading.

Here are three benefits of using virtual machines:

Multiple applications on each host – As each virtual machine encapsulates an entire machine, many applications and operating systems can run on a single host at the same time.

Maximum host utilization, minimum host count – Every physical machine is used to its full capacity, allowing you to significantly reduce costs by deploying fewer servers overall.

Faster and easier provisioning of applications and resources – As self-contained software files, virtual machines can be manipulated with copy-and-paste ease. A virtual machine can even be transferred from one physical server to another while running, via a process called live migration, better known as vMotion. You can also virtualize business-critical applications to reduce cost and increase performance, reliability and scalability.

The hypervisor and the ESXi hypervisor

A hypervisor provides the virtual hardware and physical resources on which you can create virtual machines. It is managed by vCenter Server and is installed on the server to allow multiple unique, isolated virtual machines to run on the same physical server. There are two types of hypervisor:

Bare-metal hypervisor – It is installed on a physical device without an operating system. Bare-metal hypervisors perform the functions of an operating system and have resource management capabilities. An example is VMware ESXi. Data Center Virtualization is typically performed using bare-metal hypervisors because the dependency on another operating system is low. There is also less resource overhead, as these hypervisors perform both roles.

Hosted hypervisor – Operates as an application on top of a pre-existing operating system. The separation of roles can be helpful if the underlying hardware is not supported by a bare-metal hypervisor. An example is VMware Workstation.

The ESXi hypervisor is a bare-metal hypervisor that performs resource management while directly accessing the underlying physical hardware. It improves resource efficiency because of its low operating system overhead. ESXi is not dependent on another operating system. ESXi hosts virtual machines and provides management functions to help deploy and control them.

Photo credits: VMware

ESXi is commonly installed directly on the hard drives of the physical server, or on flash drives, SD cards and USB drives. Network boot is also possible using PXE or TFTP servers.

VMware vSphere 6.0, its capabilities and benefits.

vSphere 6.0 empowers users to virtualize scale-up and scale-out applications with confidence, delivers predefined availability and simplifies the data center. The result is a highly available, resilient and on-demand infrastructure. It drives down data center costs, increases system and application uptime and simplifies the way IT runs the data center. It is purpose-built for next-generation applications and serves as the core foundation block of the SDDC (Software Defined Data Center).

vSphere 6.0 delivers enhanced scale, performance and availability to enable you to easily virtualize applications. You can simplify virtual data center management, handling the creation, sharing, deployment and migration of virtual machines with powerful and simple tools. It provides the capability to perform live workload migration and to carry out data center maintenance with zero downtime. It also allows you to transform storage for virtual machines by enabling external storage arrays to operate in a more virtual-machine-centric manner. You can also build and operate cloud environments with the VMware stack or with open-source frameworks such as OpenStack or the VMware integrated stack add-on. vSphere is available in three editions, i.e. Standard, Enterprise and Enterprise Plus.

Some benefits of vSphere 6.0 are that it improves efficiency through utilization and automation, maximises uptime in cloud infrastructure and reduces planned downtime. It lowers IT costs, reducing capital expenditure by 70% and operational expenditure by 30%. vSphere 6.0 provides agility with control and allows a quick response to changing business needs without sacrificing security. You can also use a common standards-based platform to leverage existing IT assets alongside next-generation IT services, and enhance vSphere through open APIs with solutions from a global ecosystem of leading technology providers. It helps organizations address challenges related to availability, scalability, optimization, management, application upgrades and the cloud.

PS: All of this material is freely available on the VMware website; I have summarised it here to give a picture of what is introduced in this module. The second module is related to the components of VMware vSphere 6.0.


What goes on behind the Network Time Protocol ?

Several times, I have had discussions with friends on how NTP works! What is the logic behind NTP and its configuration? We noticed that there are several terms and calculations to grasp, especially when it comes to debugging. Well, I decided to do some research on it and shed some light on NTP – the Network Time Protocol. In recent days, we have noticed several vulnerabilities and attacks targeting NTP servers. NTP is a protocol designed to synchronize the clocks of computers over a network.

Photo credits: networktimefoundation.org

NTP is used wherever timestamps matter; examples are logs, database replication and the packets exchanged in a network. NTP uses its own binary format and runs on UDP port 123. RFC 1305 and RFC 2030 give detailed explanations of NTP.

The logic behind NTP

In brief, packets are exchanged between the NTP server and the client in the following order. Note that latency is an important issue when it comes to NTP:

  1. The NTP client sends a request carrying its own timestamp.
  2. The NTP server returns the packet with 3 timestamps:
    • an echo of the client's timestamp
    • the time at which the server received the request
    • the time at which the server sent the response.
  3. The client then estimates the offset (the difference in time between the client and the server).

A client may have several NTP servers configured, but will synchronize with only one NTP server. A server may also take some time to respond to a client, depending on how busy it is. NTP packets are exchanged every 64 to 1024 seconds for each server; these bounds are configured as “minpoll” and “maxpoll”.

Some basic configuration on a CentOS 7 machine

The command timedatectl can be used to check whether NTP is enabled:

# timedatectl | egrep -i ntp
     NTP enabled: yes
NTP synchronized: yes

You can also check whether the service is running using the following command:

systemctl status chronyd.service

The configuration file is located by default at /etc/chrony.conf. You will notice that NTP servers are configured by default in that file.

# head -n 7 /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

You can check whether your machine is synchronised with its sources using the following command. The Name/IP address column shows the sources from which the time is being synchronized.

# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ cpt-ntp.mweb.co.za            2   6   367    40    +29ms[  +29ms] +/-  151ms
^* cpto-afr-01.time.jpbe.de      2   7   377    43    +69ms[  +66ms] +/-  178ms
^+ ntp2.inx.net.za               2   6   377    43    +64ms[  +64ms] +/-  181ms
^+ ns.bitco.co.za                3   7   377   107    +79ms[  +77ms] +/-  199ms

A drift is a deviation: it happens when the hardware clock runs either fast or slow compared to the NTP server clock. The drift file contains 2 values. If the drift value is positive, the clock is fast compared to the NTP server, whereas a negative value means the clock is slow compared to the NTP server. Here I have a slow clock.

# cat /var/lib/chrony/drift
         -870.203668          1484.980507

The maths – how the NTP client adjusts its clock using the NTP server's response

Now we will get into the math behind the logic discussed above, i.e. what happens when the NTP client requests the time from the NTP server.

  1. NTP client A sends a request to server X. Let's assume A = 100, where 100 is the client's time when the request is sent.
  2. NTP server X receives the request some seconds later. Let's assume X = 150, where 150 is the server's time when the request arrives.
  3. Given that the request from the NTP client is not necessarily served immediately, there is a lapse of time at this point. Let's assume that the server's time is now Y = 160 when it sends the response.
  4. We now have 3 values, i.e. the time the client sent the request, the (real) time the server received the request and the time the server sent the response.
  5. Now the NTP client gets the response back at B = 120. This is because the NTP client has its own clock.
  6. The client determines the round-trip delay using the formula (B – A) – (Y – X), which means (120 – 100) – (160 – 150) = 10 seconds.
  7. The client assumes that the time it took for the response to travel from server to client is 10/2 = 5 seconds, i.e. 5 seconds of latency.
  8. Now the client adds 5 seconds to the server time at which the response was sent, which makes 160 + 5 = 165 seconds.
  9. The client knows it needs to add 45 seconds to its clock. This is found by subtracting 165 – 120 = 45 seconds, where 45 seconds is the difference between the client and the server clock; the client will set its clock forward by 45 seconds. This indication will be given in the drift file in PPM – parts per million.

TIPS:

  • If the iburst parameter is removed, communication with the server will be 8 times faster.
  • You can also increase the verbosity of the command chronyc sources by adding the parameter -v to it, and a detailed explanation of the values will be given, i.e. chronyc sources -v
  • You can pick different NTP servers from the NIST website and restart the NTP service (chronyd).
  • NTP was invented by David L. Mills in 1981 and is based on Marzullo's algorithm to get accurate time from several sources.
  • NTP timestamps are stored in seconds and are 64 bits in size: 32 bits for the number of seconds and 32 bits for the fraction of a second.
  • The number in the drift file is measured in PPM – parts per million.
  • Offset – the difference in timestamps between the client and the server.
  • Burst – the speed of communication between the NTP client and the NTP server will be 8 times higher if “burst” is used.
  • The drift value is in PPM – parts per million.
  • Converting into PPM is easy. Since we have 86,400 seconds in a day, 86,400 / 1,000,000 = 0.0864 PPM.
  • If my drift file shows a value of Z where Z = 30.3, simply compute 30.3 x 0.0864 to convert the drift file value into milliseconds.
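To tie the numbered steps above to what actually travels on the wire, here is a small worked example that I am adding to this post (it is not code from the original article or from chrony). It builds a 48-byte NTP server reply in memory carrying the three server-side timestamps, decodes the 64-bit timestamp fields (32-bit seconds, 32-bit fraction) mentioned in the tips, and then computes the round-trip delay and the offset from the four timestamps using the values of the walkthrough (A=100, X=150, Y=160, B=120), both with the standard NTP formula and with the step-by-step route taken above. The function names, the header field values and the small timestamp numbers are assumptions for illustration; real timestamps count seconds since 1900. The last helper converts a PPM drift into seconds per day, which is what 86,400 / 1,000,000 = 0.0864 gives per PPM.

```python
import struct

# NTP packet layout (RFC 5905): LI/VN/Mode, stratum, poll, precision (4 bytes),
# then 11 big-endian 32-bit words: root delay, root dispersion, reference ID,
# and four 64-bit timestamps (reference, originate, receive, transmit): 48 bytes.
NTP_PACKET = struct.Struct("!BBBb11I")

def ts_to_float(seconds, fraction):
    """Decode a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) into float seconds."""
    return seconds + fraction / 2**32

def float_to_ts(t):
    """Encode float seconds as the (seconds, fraction) words of a 64-bit NTP timestamp."""
    secs = int(t)
    return secs, int((t - secs) * 2**32) & 0xFFFFFFFF

def build_server_reply(originate, receive, transmit, stratum=2):
    """Constructed mode-4 (server) reply with the three timestamps the text lists.
    Real packets count seconds from 1900-01-01; the small values here mirror the example."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 = server
    words = [0, 0, 0, 0, 0]                         # root delay, root dispersion, ref ID, reference ts
    for t in (originate, receive, transmit):
        words.extend(float_to_ts(t))
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20, *words)

def parse_server_reply(packet):
    """Return (mode, originate, receive, transmit) from a 48-byte NTP reply."""
    fields = NTP_PACKET.unpack(packet)
    mode = fields[0] & 0x07
    w = fields[4:]                                  # the 11 32-bit words
    originate = ts_to_float(w[5], w[6])             # echo of the client's timestamp (A)
    receive = ts_to_float(w[7], w[8])               # when the server received the request (X)
    transmit = ts_to_float(w[9], w[10])             # when the server sent the reply (Y)
    return mode, originate, receive, transmit

def offset_and_delay(t1, t2, t3, t4):
    """Standard NTP arithmetic: t1 = client send (A), t2 = server receive (X),
    t3 = server send (Y), t4 = client receive (B)."""
    delay = (t4 - t1) - (t3 - t2)                   # round trip minus the server's processing time
    offset = ((t2 - t1) + (t3 - t4)) / 2            # how far the client clock is behind the server
    return offset, delay

def offset_as_in_text(t1, t2, t3, t4):
    """The step-by-step route the text takes: assume symmetric latency, add half the
    delay to the server's transmit time, then compare with the client's receive time."""
    one_way = ((t4 - t1) - (t3 - t2)) / 2
    return (t3 + one_way) - t4

def drift_seconds_per_day(ppm):
    """A frequency error of `ppm` parts per million accumulates this many seconds per day."""
    return ppm * 86400 / 1_000_000

def demo():
    reply = build_server_reply(100.0, 150.0, 160.0)  # A=100, X=150, Y=160 from the text
    mode, t1, t2, t3 = parse_server_reply(reply)
    t4 = 120.0                                       # B=120, read from the client's own clock
    assert mode == 4
    return offset_and_delay(t1, t2, t3, t4)

if __name__ == "__main__":
    offset, delay = demo()
    print("offset %.1f s, round-trip delay %.1f s" % (offset, delay))
    print("drift -870.2 ppm = %.1f s/day" % drift_seconds_per_day(-870.203668))
```

Both routes give the same 45-second offset; the standard formula simply folds the "add half the delay" step into one expression, and it only holds if the network latency is the same in both directions, which is why a large or wobbling delay value in chronyc sources -v is worth investigating.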

How I optimised my WordPress website

Some days back, I was brewing up some plans to optimise my website's source code, HTTP headers, latency and other security aspects. I had to carry out some analysis and research using some tools available on the internet. I should admit that, at first, it looked pretty simple, but it was not. For instance, I did not permit myself to modify the production environment directly. So, I had to migrate it to a pre-production environment. Page caching was yet another issue which could trick you after modifications.

Although my website is behind Cloudflare, which is already an advantage in terms of security, performance, reliability and insight, that does not mean the website cannot be hacked. According to sucuri.net, websites using the WordPress CMS are constantly being hacked. Of course, it depends on the mode of attack and the impact of the infection.

Photo credits: sucuri.net

Migrating to TLS

Migrating a CMS that already has several articles posted can be an issue, as the URLs are already recorded in the database as well as in the source code itself. Also, there were links on the website that did not point to HTTPS. After moving to the HTTPS version, errors such as “Mixed content” could be noticed when accessing the website. One of the interesting free features of Cloudflare is that everyone can have a free SSL certificate issued by Comodo. You will have to generate your certificate and your private key from Cloudflare and configure them in your virtual host.

Some corrections in the WordPress source code needed to be added to the wp-config file, as follows:

define('WP_HOME','https://tunnelix.com/');
define('WP_SITEURL','https://tunnelix.com/');

On top of that, there were lots of URLs in the database itself that needed correcting, using the following commands:

update wp_options set option_value = replace(option_value, 'http://www.tunnelix.com', 'https://www.tunnelix.com') where option_name = 'siteurl';
update wp_posts set guid = replace(guid, 'http://www.tunnelix.com', 'https://www.tunnelix.com');
update wp_posts set post_content = replace(post_content, 'http://www.tunnelix.com', 'https://www.tunnelix.com');

However, there is a trick to identify the remaining non-HTTPS URLs: make a dump of the database, grep it for them, then use sed to rewrite the unwanted entries. Once the “Mixed Content” errors had been identified, I launched a scan on the Qualys SSL Labs website. The result was an “A+”. You can also use the Htbridge free SSL server test, which is pretty fascinating, especially to verify PCI DSS compliance, HIPAA compliance, NIST guidelines and industry best practice in general. If all those criteria have been met, you would score an “A+” rather than an “A” or, worse, an “F”.
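Here is an added example (mine, not part of the original post or of WordPress) of the grep-and-sed approach on a database dump, written in Python so that it runs offline on a constructed dump fragment. It goes one step beyond the text: http:// to https:// makes the URL one byte longer, and PHP-serialized option values such as widget settings store the string length as s:23:"...", so a plain search-and-replace leaves that length wrong and PHP's unserialize() then fails on the value. The example therefore recomputes those lengths after the replacement. The sample INSERT lines, the function names and the constants are constructed for the illustration.

```python
import re

OLD_URL = "http://www.tunnelix.com"
NEW_URL = "https://www.tunnelix.com"

# Constructed fragment in the shape of a mysqldump of a WordPress database
# (not a real dump of the site). Line 3 holds a PHP-serialized option value;
# line 4 is already on HTTPS and must be left alone.
SAMPLE_DUMP = """INSERT INTO `wp_options` VALUES (1,'siteurl','http://www.tunnelix.com','yes');
INSERT INTO `wp_posts` VALUES (5,'<a href="http://www.tunnelix.com/about">About</a>','http://www.tunnelix.com/?p=5');
INSERT INTO `wp_options` VALUES (9,'widget_text','a:1:{s:3:"url";s:23:"http://www.tunnelix.com";}','yes');
INSERT INTO `wp_posts` VALUES (7,'<img src="https://cdn.example.test/x.png">','https://www.tunnelix.com/?p=7');
"""

# PHP serialized string: s:<byte length>:"<value>" (simple form; values that
# themselves contain a double quote need a real unserialize/serialize round trip).
SERIALIZED_STR = re.compile(r's:(\d+):"([^"]*)"')

def find_plain_http(dump, old=OLD_URL):
    """The grep step: (line number, line) for every line still carrying the plain-HTTP site URL."""
    return [(n, line) for n, line in enumerate(dump.splitlines(), 1) if old in line]

def fix_serialized_lengths(text):
    """Recompute s:N:"..." byte lengths so that PHP can still unserialize the value."""
    def fix(match):
        value = match.group(2)
        return 's:%d:"%s"' % (len(value.encode("utf-8")), value)
    return SERIALIZED_STR.sub(fix, text)

def rewrite_dump(dump, old=OLD_URL, new=NEW_URL):
    """The sed step (scheme rewrite) followed by the serialized-length repair."""
    return fix_serialized_lengths(dump.replace(old, new))

if __name__ == "__main__":
    for n, line in find_plain_http(SAMPLE_DUMP):
        print("line %d still uses http: %s" % (n, line[:60]))
    print(rewrite_dump(SAMPLE_DUMP))
```

Run find_plain_http on the dump before and after rewrite_dump: the first call lists the three lines that still point at http://, the second returns an empty list, and the widget option comes out as s:24:"https://www.tunnelix.com". The three UPDATE statements above touch only wp_options.siteurl, wp_posts.guid and wp_posts.post_content, so serialized values elsewhere in wp_options (widgets, theme settings) are exactly where a dump-level search is still needed.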

Source code optimisation and Page speed verification

This can be verified using the GTmetrix tool, available for free online. I noticed that my rank was a “C”. This was caused by a lack of minified HTML and CSS, and by image dimensions. To handle the minified-HTML errors, I enabled the Minify HTML Markup plugin in WordPress itself, which corrected them. To tweak the image dimensions I installed the Optipng tool from the EPEL repository:

optipng.x86_64                  0.7.6-1.el6                        @epel        

For example, if you want to optimize a specific image, use the following command:

optipng -o2 Screen-Shot-2016-12-24-at-1.04.45-AM.png

Another verification was made on the GTmetrix website and I noticed that the result was then an “A”.

Screenshot: result from gtmetrix.com

Tweaking the Web server HTTP headers

Htbridge will surely give you an overview of the web server's security and will accompany you step by step to a better result.

Of course, since the website is behind Cloudflare, it is limited to certain security tweaks, such as Public-Key-Pins. The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server, to decrease the risk of man-in-the-middle (MITM) attacks with forged certificates. I found an interesting article on https://raymii.org which explained how to activate HPKP.

Once you are in possession of your certificate and private key, you can extract the public key and derive from it the token that activates the HPKP extension. The following commands produce the public key and the token:

# openssl x509 -noout -in certificate.pem -pubkey | openssl asn1parse -noout -inform pem -out public.key
# openssl dgst -sha256 -binary public.key | openssl enc -base64
4vr+koFuogsfghGjgvpsqQIIikg5KowHTIGNQ5Prspc=
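As an added example (not code from the original post, from Cloudflare or from raymii.org), the following reproduces what the two openssl commands above compute: the pin-sha256 value is the base64 of the SHA-256 digest over the DER-encoded SubjectPublicKeyInfo, which is exactly the public.key file the first command writes. The minimal DER encoder, the placeholder modulus (not a real key) and the function names are assumptions for the illustration; with a real certificate you would pass the bytes of public.key to pin_sha256 instead of building the structure yourself. It also assembles the header value, because RFC 7469 requires at least two pins, one of them for a backup key that is not in the served chain.

```python
import base64
import hashlib

def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Generic TLV: tag byte, length, contents."""
    return bytes([tag]) + der_length(len(body)) + body

def der_integer(value):
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

def rsa_spki_der(modulus, exponent):
    """SubjectPublicKeyInfo for an RSA key: the bytes `openssl x509 -pubkey | openssl asn1parse -out` writes."""
    algorithm = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    rsa_public_key = der(0x30, der_integer(modulus) + der_integer(exponent))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))   # BIT STRING, 0 unused bits

def pin_sha256(spki_der):
    """HPKP pin: base64(SHA-256(DER SPKI)), i.e. `openssl dgst -sha256 -binary | openssl enc -base64`."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def hpkp_header(primary_pin, backup_pin, max_age=5184000, include_subdomains=False):
    """Public-Key-Pins header value (RFC 7469): two pins minimum, max-age in seconds."""
    parts = ['pin-sha256="%s"' % primary_pin,
             'pin-sha256="%s"' % backup_pin,
             "max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

# Constructed placeholder modulus (not a real key); 2048 bits so the DER has the usual 294-byte size.
SAMPLE_MODULUS = int("C0FFEE" * 85, 16) | (1 << 2047)
SAMPLE_EXPONENT = 65537

if __name__ == "__main__":
    primary = pin_sha256(rsa_spki_der(SAMPLE_MODULUS, SAMPLE_EXPONENT))
    backup = pin_sha256(rsa_spki_der(SAMPLE_MODULUS + 2, SAMPLE_EXPONENT))   # stands in for a second key
    print("Public-Key-Pins:", hpkp_header(primary, backup))
```

Pinning the SPKI rather than the certificate is what lets you renew a certificate without changing the pin, as long as the key pair is reused. Browsers have since deprecated and removed support for the Public-Key-Pins header, so today the same computation is mainly useful for pinning inside clients you control and for checking which key a given pin value corresponds to.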

However, it turned out that HPKP is not supported on Cloudflare. But there are other matters, such as HSTS. HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology that is not yet widely adopted; Cloudflare aims to change this. I enabled it as per Cloudflare's recommendations.

A curl on the URL https://tunnelix.com now returns the following headers:

No system is perfectly secure, but I believe that these modifications are worth the adventure. I should say I was really impressed by free tools such as the Qualys SSL test, the Htbridge free SSL and web security tests, and GTmetrix in terms of page speed.

Hello Tunnelers, this is my first article for the year 2017. I seize this opportunity to wish my readers a Happy New Year 2017 and wish you all lots of prosperity. – TheTunnelix