Blog focused on VMware virtualization solutions and on Amazon Web Services (AWS). Playing with vRealize Automation, vRealize Orchestrator and AWS, VMUG RO Leader, vExpert 2018. Follow this blog to get to know more on VMware virtualization.
VMware just released a new vCenter Server version: 6.7 Update 2, 22.214.171.124000, build 13010631. In this article I will cover some of the new features and resolved issues. I will also demonstrate how easy it is to update from a previous version of vCenter Server 6.7 to VMware vCenter Server 6.7 Update 2.
vCenter Server 6.7 Update 2 introduces Virtual Hardware Version 15 which adds support for creating virtual machines with up to 256 virtual CPUs.
There are a few changes in vCenter backups: you can use NFS v3 (Network File System) and SMB2 (Server Message Block) protocols for file-based backup and restore operations. It also adds version details to the “Enter backup details” page that help you pick the correct build to restore the backup file. You can create alarm definitions to monitor the backup status of your system (using email, SNMP traps or scripts as actions).
vCenter Server 6.7 Update 2 introduces the Developer Center with two new features: API Explorer and Code Capture. This update brings API Explorer (formerly accessible via https://<vCSA-FQDN>/apiexplorer) into the vSphere Client, thus removing the extra steps to authenticate prior to interacting with the REST APIs. If you ever played with the old Onyx flings, you will enjoy Code Capture. Just enable recording, do something in vSphere Client, then end recording and see the equivalent PowerCLI code generated.
You can now publish your VM templates managed by Content Library from a published library to multiple subscribers. You can trigger this action from the published library, which gives greater control over the distribution of VM templates.
vCenter Server 6.7 Update 2 Resolved Issues
VMware vCenter Server 6.7 Update 2 resolves plenty of issues with vMotion, backup, Auto Deploy, VMware Tools, storage, management of VMs, and networking.
vSphere vMotion operations for encrypted virtual machines might fail after a restart of the vCenter Server system
Power-on or vSphere vMotion operations with virtual machines might fail with an infinite loop error
Migrating a virtual machine might fail due to inability to access the parent disk
VMware vSphere Auto Deploy Discovered Hosts tab might display an error after creating or editing a deployment rule
Customization of virtual machines by using Microsoft Sysprep on vSphere 6.7 might fail and virtual machines stay in customization state
The c:\sysprep directory might not be deleted after Windows guest customization
You might not see the configured CPU shares when exporting a virtual machine to OVF
vCenter Server might stop responding when adding a fault message in the vSphere Storage DRS
The vpxd service might fail when the vSphere Storage DRS provides an initial placement operation
ESXi hosts with visibility to RDM LUNs might take a long time to start or experience delays during LUN rescans
Expanding the disk of a virtual machine by using VMware vRealize Automation might fail with an error for insufficient disk space on a datastore
Provisioning of virtual machines might fail if the same replication group is used for some or all virtual machine files and disks
You cannot add permissions for a user or group beyond the first 200 security principals in an Active Directory domain by using the vSphere Client
User login and logout events might not contain the IP address of the user
The vCenter Server daemon service vpxd might fail to start with an error for invalid descriptor index
Cloning a virtual machine from a snapshot of a template might fail with a “missing vmsn file” error
An internal error might occur in alarm definitions of the vSphere Web Client
Attempts to log in to a vCenter Server system after an upgrade to vCenter Server 6.7 might fail with a credentials validation error
Migration of vCenter Server for Windows to vCenter Server Appliance might stop at 75% if system time is not synchronized with an NTP server
Upgrading vCenter Server for Windows to 6.7 Update 2 from earlier versions of the 6.7 line might fail
vCenter Server upgrades might fail due to compatibility issue between VMware Tools version 10.2 and later, and ESXi version 6.0 and earlier
You might see a message that an upgrade of VMware vSphere Distributed Switch is running even after the upgrade is complete
You cannot migrate virtual machines by using vSphere vMotion between ESXi hosts with NSX managed virtual distributed switches (N-VDS) and vSphere Standard Switches
VMware vCenter Server 6.7 Update 2 also updates some of the internal packages used.
VMware Postgres is updated to version 9.6.11
Oracle (Sun) JRE is updated to version 1.8.202.
Apache httpd is updated to version 2.4.37
The OpenSSL package is updated to version openssl-1.0.2q.
The ESXi userworld libxml2 library is updated to version 2.9.8.
The OpenSSH is updated to version 7.4p1-7.
For the full list of resolved issues you can check the Release Notes.
How to Update to vCenter Server 6.7 Update 2
I will demonstrate an online update from vCenter Appliance Management console. I logged in to https://<vCSA-FQDN>:5480/ using the root appliance password, then I navigated to Update menu. After a short check, I can see my current version is 126.96.36.19900 and I have an available update to 188.8.131.52000 (which is vCenter Server 6.7 Update 2). I will click on “Stage and install” link.
Next step is to accept the end user license agreement (EULA). Check the “I accept…” checkbox and click on “Next”.
The installer will run pre-update checks now. For example, if your root password has expired, you will receive a notice and you will not be able to proceed further before fixing the problem. If everything is all right, the wizard will jump to the next screen. You can see a downtime estimation (which proved to be waaay overestimated in my case). Confirm you have a backup of vCenter Server and click on “Finish”.
We can sit down and relax now while the vCenter Server is upgraded.
After some time we will be logged out from the appliance. Wait a few minutes and then you can log back in.
Installation is now completed!
Going on the Summary page of the Appliance Management console, you can see the new version: 184.108.40.206000, build 13010631.
The advisories document the remediation of these critical issues:
VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.
VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host.
VMware Workstation and Fusion contain an out-of-bounds write vulnerability in the e1000 virtual network adapter. This issue may allow a guest to execute code on the host.
VMware Workstation and Fusion updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters. Exploitation of this issue may lead to code execution on the host from the guest but it is more likely to result in a denial of service of the guest.
Four months after the previous VMUG Romania meeting, we invite you to a new event dedicated to VMware technologies. Journey Pub in Bucharest will be our host for 12 February 2019. We will have presentation sessions, demos, networking and hopefully some interesting announcements. As we did last time, we will be live on Facebook on VMUG RO page.
This is the first full-day meeting for VMUG Romania, so be patient till the end for a non-virtual craft beer tasting session.
Next to the VMware presentation (Cristian Radu – “Deep Dive VMware NSX-V”) and those of the sponsors Dell EMC (Cristian Stan – The Power of Hyper-Converged) and Bitdefender, we will have no less than 4 community sessions.
Victor Homocea returns with his second vSAN presentation: “How to maintain your vSAN cluster(s)”. For Victor’s first vSAN presentation you can check the recordings from our previous meeting. Victor has an experience of over 15 years working for enterprise companies. He is focused on End User Computing with experience on application virtualization, HyperConverged infrastructure and Enterprise Security. Victor holds multiple related certifications, like Citrix Certified Expert and VMware Double VCP (DCV and DTM). You can find Victor on Twitter, Linkedin and on his personal blog: blog.ogs.ro.
For the second community session, we will have Bogdan Mitu with “vRealize Operations Manager v6.x Day2: Troubleshoot cluster components”. Bogdan holds a virtualization engineer position with Adobe and has more than 11 years experience in IT industries.
Corneliu Lefter from Neverfail continues our presentations with “Migrating ESXi hosts between vCenters with powered on VMs”. Corneliu is a technology nerd, passionate about virtualization and datacenters. Corneliu is VCAP-DCV certified.
Last but not least, Mihai Huica will talk to us about “DCLI – New(est) CLI in the block”. Mihai has over 15 years experience with virtualization, replication, high availability, private cloud and automation. Mihai is also one of VMUG Romania leaders.
Registration is mandatory and free of charge on vmug.com portal. Places are limited!
In this article I will show you how to install VCSA 6.7 (VMware vCenter Server Appliance).
To start, you need an installation kit of vCenter Server Appliance 6.7. For this article, I will use the VCSA 6.7 Update 1 version – VMware-VCSA-all-6.7.0-10244745.iso (the latest available at the time I wrote this article).
Install VCSA 6.7 (VMware vCenter Server Appliance) – Stage 1
To launch the installer I will use a Windows virtual machine (alternatively you can use a Mac or a Linux system). Unzip the archive and navigate to VMware-VCSA-all-6.7.0-10244745\vcsa-ui-installer\win32 folder. Launch installer.exe and begin to install VCSA 6.7.
vCenter Server Appliance 6.7 Installer will start. Click on Install.
The installation process consists of two separate stages. At the end of the first stage we will deploy the appliance, then in the second stage we will configure it. Let’s start with the first stage: click Next.
Read the End user license agreement, check “I accept the terms of the license agreement” checkbox and click Next.
We now must choose the deployment type. I will show a simple installation, so I will choose “vCenter Server with an Embedded Platform Services Controller”. Read more on vCenter 6.7 available deployment types. Click Next.
We now have to enter the details of the ESXi server where we will deploy the VCSA 6.7 appliance. If you don’t have any available ESXi server, you can read my article How to Install VMware vSphere 6.7. Click Next.
Installer will connect now to the ESXi server. If you don’t have trust relationship configured, you will receive a certificate warning. Click Next.
We need now to set up the appliance name (this is the name of the virtual machine that you will see in vSphere Client, and not the FQDN of the vCenter) and the root password. Click Next.
For next step we need to select the deployment size. You can see the resources allocated for different deployment sizes. As I deploy this vCenter in a home lab, I chose Tiny deployment with a default storage size. Click Next.
Select on which ESXi datastore you want to deploy the appliance. You have also the option to enable thin disk mode. Last option allows you to configure a new vSAN cluster and deploy the appliance on this cluster. I will not treat vSAN deployment in this article.
You need to decide on DNS records of the vCenter appliance. Before moving on, make sure you already have A and PTR records for VCSA in your DNS server (if you miss this one, deployment will fail). I check below for forward and reverse name resolution.
We need now to configure networking details. Pay attention to the system name (you will not be able to change it afterwards). To avoid deployment failure, double-check the FQDN and the IP address. Click Next.
Review all the settings and if everything is correct, click Finish.
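The forward and reverse DNS check that the DNS step above asks for before the networking screen, written as an added example (not part of the original article). The host name vcsa.lab.example, the address 192.0.2.10 and the sample resolver functions are constructed placeholders.

```python
import socket

def _norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()

def check_vcsa_dns(fqdn, expected_ip,
                   forward=socket.gethostbyname_ex,
                   reverse=socket.gethostbyaddr):
    """Return a list of problems; an empty list means A and PTR agree.

    The default lookups use the system resolver, so a hosts-file entry on
    the workstation can mask a record that is missing from the DNS server.
    """
    problems = []
    try:
        _, _, addrs = forward(fqdn)
    except OSError as exc:  # socket.gaierror is an OSError
        return [f"no A record for {fqdn}: {exc}"]
    if expected_ip not in addrs:
        problems.append(f"A record for {fqdn} is {addrs}, expected {expected_ip}")
    try:
        ptr_name, aliases, _ = reverse(expected_ip)
    except OSError as exc:  # socket.herror is an OSError
        problems.append(f"no PTR record for {expected_ip}: {exc}")
        return problems
    names = {_norm(n) for n in (ptr_name, *aliases)}
    if _norm(fqdn) not in names:
        problems.append(f"PTR for {expected_ip} is {sorted(names)}, expected {fqdn}")
    return problems

# Constructed sample zone (hypothetical names, not from the article) so the
# check can be exercised offline; pass no resolvers to query real DNS.
SAMPLE_A = {"vcsa.lab.example": ["192.0.2.10"]}
SAMPLE_PTR = {"192.0.2.10": "VCSA.lab.example."}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror("name not known")
    return name, [], SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror("host not found")
    return SAMPLE_PTR[ip], [], [ip]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, check_vcsa_dns("vcsa.lab.example", ip, sample_forward, sample_reverse))
```

Run it from the workstation that launches the installer, calling check_vcsa_dns with only the FQDN and IP you plan to enter, so the lookups go through the same resolver the deployment will use.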
This advisory documents the remediation of one critical issue: VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) contains a SAML authentication bypass vulnerability which can be leveraged during device enrollment. This vulnerability may allow for a malicious actor to impersonate an authorized SAML session if certificate-based authentication is enabled. If certificate-based authentication is not enabled the outcome of exploitation is limited to an information disclosure (Important Severity).
The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6979 to the VMSA-2018-0019 issue.
VMSA-2018-0024 – Affected Products and Resolutions
AirWatch Console 9.7.x – update to version 220.127.116.11 or above
AirWatch Console 9.6.x – update to version 18.104.22.168 or above
AirWatch Console 9.5.x – update to version 22.214.171.124 or above
AirWatch Console 9.4.x – update to version 126.96.36.199 or above
AirWatch Console 9.3.x – update to version 188.8.131.52 or above
AirWatch Console 9.2.x – update to version 184.108.40.206 or above
AirWatch Console 9.1.x – update to version 220.127.116.11 or above
As per VMware KB, if patching your environment is not feasible in a timely manner, you can take mitigation steps by disabling SAML authentication for enrollment located under System > Enterprise Integration > Directory Services.
You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.