Configure rsyslog in vCAC / vRA appliance to send to a syslog server

One option not available in the vCloud Automation Center (vCAC) appliance VAMI is the ability to send logs to a syslog server, such as Splunk or LogInsight (does anyone know if this has been exposed in vRA 6.1?).  Thankfully, since the appliance is built on Linux, it's just a matter of configuring rsyslog.  If you are using LogInsight you can use the LogInsight Content Pack.  While I have LogInsight, I want to do this manually to send logs as if I were using a generic syslog server.  As you can see here, none of my vCAC logs are present (my appliance is named vcacapp):

vcacapp-loginsight-search


Here is how to configure the vCAC appliance to send logs:

  • SSH to your vCAC / vRA appliance
  • Type vi /etc/rsyslog.conf
  • At the end of the file enter (the single @ forwards over UDP; use @@ instead to forward over TCP)
*.*    @loginsight.fqdn.tld:port
  • For example *.*    @loginsight.test.lab:514
  • Save the file and restart syslog by typing
service syslog restart
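As an added example (not part of the original post), the following Python helper builds the rsyslog forwarding line the steps above describe and appends it to a config file's contents only when no rule for that collector already exists, so re-running it never duplicates the action. The config path is whatever you choose to pass; the sample config text is constructed here.

```python
# Added example, not from the original post: builds the rsyslog forwarding
# line and adds it to a config idempotently.  Legacy rsyslog syntax:
# "@host:port" forwards over UDP, "@@host:port" over TCP.

import re

def forward_rule(host, port, proto="udp", selector="*.*"):
    """Return an rsyslog forwarding action line for host:port."""
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % port)
    prefix = {"udp": "@", "tcp": "@@"}[proto.lower()]
    return "%s    %s%s:%d" % (selector, prefix, host, int(port))

def existing_targets(conf_text):
    """Yield (host, port) pairs a rsyslog.conf already forwards to."""
    for line in conf_text.splitlines():
        m = re.match(r"^\s*[^#\s]+\s+@@?([\w.-]+):(\d+)\s*$", line)
        if m:
            yield m.group(1).lower(), int(m.group(2))

def ensure_forwarding(conf_text, host, port, proto="udp"):
    """Return conf_text with the forwarding rule appended exactly once."""
    if (host.lower(), int(port)) in set(existing_targets(conf_text)):
        return conf_text  # collector already configured, leave file alone
    sep = "" if conf_text.endswith("\n") or not conf_text else "\n"
    return conf_text + sep + forward_rule(host, port, proto) + "\n"

# Constructed stand-in for the appliance's /etc/rsyslog.conf contents
SAMPLE_CONF = "$ModLoad imuxsock\n*.info;mail.none    /var/log/messages\n"

if __name__ == "__main__":
    # Hypothetical usage: read, update and write back /etc/rsyslog.conf
    print(ensure_forwarding(SAMPLE_CONF, "loginsight.test.lab", 514))
```

After writing the result back, restart syslog as in the steps above and confirm with a test message from `logger` that it arrives at the collector.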

Now if you go back to LogInsight, or whatever syslog server you are using, you can see logs being collected.  Logging, like monitoring, involves a bit of science rather than just dumping logs into your syslog server.  If you have LogInsight, check out their content packs, as that would be the preferred option in my opinion.

vcacapp-loginsight-search-setup

Linux Bash bug exists in at least some VMware appliances #bash #shellshock

**Update 9/29:  VMware has released KB 2090740 (http://kb.vmware.com/kb/2090740) with more information about ShellShock and affected appliances however as of this update I do not yet see updated virtual appliances available for download.**

As I actually expected, the bash bug seems to affect VMware virtual appliances such as the vCO appliance and vCAC appliance.  I'd imagine things like the vCenter Server appliance and others are also vulnerable, but I don't have others in my lab right now to test.  Hopefully VMware is quick to release patches that can be applied via VAMI.

vco-bash-bug

vCenter Orchestrator Appliance

vcac-appliance-bash-bug

vCAC Appliance

vCAC / vRA Tenant Identity Store – User and Group search DN base

I am in a course this week and a question came up about how to configure the Group and User search base DN and its effect on access within vCAC / vRA.  Ultimately permission will be granted as a combination of both fields.  First and foremost, when configuring vCloud Automation Center or vRealize Automation tenants this will control which users or groups you can assign tenant administrator or infrastructure administrator roles.  Let's look at some examples; if my domain is test.lab and I set my User and Group search base DN to dc=test,dc=lab I will be able to assign either of those roles to any user or group in the entire Active Directory, regardless of what organizational unit or container they may be in.  Easy enough, but that starts to open things up pretty wide.

vcac-is-tld


In the real world I am likely to have an OU for groups or, in a large enough AD, groups spread across multiple OUs, so you'll need to consider your AD structure to set the base DN appropriately.  For example, if you have ou=groups,dc=test,dc=lab as your Group search base DN but you have some groups created in ou=sales,dc=test,dc=lab, you will not be able to assign permissions to the groups in the Sales OU.

You may have noticed from the screenshot that only the Group search base DN is required; personally I prefer to assign permissions to groups, so that is great.  What happens if I leave the User search base DN empty and set a more restrictive Group search base DN such as ou=groups,dc=test,dc=lab, like so?

Continue reading

Setting up Vagrant and VirtualBox on Windows with @chocolateynuget

Automate all the things – right?  Well, why would I want to manually go to a webpage, download and run the installer when all I need is a few commands to do so.  For those users that have not yet seen Chocolatey, it is a command line package manager/installer; you can get more information from their website here (https://chocolatey.org/).  It is not too dissimilar to yum or apt-get (though probably with fewer packages).  Installing Chocolatey is easy, no need to download anything manually – there is a simple command for that (from an elevated (e.g. run as administrator) Windows command prompt):

@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

chocolatey-cmd-install

The command above will download and install all of the required Chocolatey components (note that it sets your PowerShell Execution Policy to unrestricted; now may be a good time to set it back to something a bit more secure).  Now to install new packages, all you have to do is issue another simple command:

choco install packagename

The package name will vary; you can check out all the packages here.  In my case, I want to install Vagrant and VirtualBox so I can start (trying) to play around with CoreOS and Docker.  To install VirtualBox…you guessed it

Continue reading

EMC ViPR Authentication Providers Search: One Level vs Subtree

I was setting up ViPR to use Active Directory to authenticate users and one option was a bit unclear.  You use the Search Base and Search Scope options to define which AD users ViPR will authenticate.  The Search Scope option provides two choices: One Level and Subtree.  I was a bit confused by One Level: would it search just the specified OU/CN or would it search up to one level below?

One Level will search JUST the specified base DN, so for example to allow only users in ou=corp,dc=domain,dc=local you would use that as the search base and set the search scope to One Level.  If you wanted users in all OUs under corp you would just set the search scope to Subtree.

There is another very useful option when setting up the Authentication Provider: Group Whitelist.  You can populate the Group Whitelist with only those groups (and thus group members) that you want to be able to log in.  Say for example you wanted all users except sales to have access to log into ViPR, and sales was in an OU nested under corp.  If you set your search base to ou=corp,dc=domain,dc=local and search scope to Subtree they could log in.  However, if you added/created an AD group that did NOT include sales and placed it in the Group Whitelist field, those user accounts that were not in the group, in this case sales, would not be able to authenticate.

vipr-ad-search

There you go, easy peasy AD integration in ViPR!
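The base DN and scope rules from this ViPR post and the vCAC / vRA search base DN post above can be modelled in a few lines. The following is an added example, not code from either product: it decides whether a directory entry falls inside a search base for a given scope, and then applies a ViPR-style group whitelist on top. All DNs and users are constructed for illustration, and DN parsing is deliberately simplified.

```python
# Added example, not from the original posts: models how a search base DN plus
# search scope decides which users/groups vCAC/vRA or ViPR can see, and how a
# group whitelist narrows that further.  DN handling is simplified: RDNs are
# split on unescaped commas and compared case-insensitively.

def parse_dn(dn):
    """Split a DN into normalized RDN strings, most specific first."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned by a search rooted at base_dn.
    scope: "base" (the base entry itself), "onelevel" (objects sitting
    directly in that OU, as the ViPR post describes) or "subtree"."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all, e.g. ou=sales vs ou=groups
    depth = len(entry) - len(base)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def can_authenticate(user, base_dn, scope, group_whitelist=()):
    """ViPR-style decision: user must fall inside the search scope and, when a
    whitelist is configured, belong to at least one whitelisted group."""
    if not in_scope(user["dn"], base_dn, scope):
        return False
    if not group_whitelist:
        return True
    allowed = {tuple(parse_dn(g)) for g in group_whitelist}
    return any(tuple(parse_dn(g)) in allowed for g in user["memberOf"])

# Constructed sample entries (hypothetical directory, not from any real lab)
SALES_USER = {"dn": "cn=sam,ou=sales,ou=corp,dc=domain,dc=local",
              "memberOf": ["cn=sales,ou=groups,dc=domain,dc=local"]}
ENG_USER = {"dn": "cn=erin,ou=eng,ou=corp,dc=domain,dc=local",
            "memberOf": ["cn=vipr-users,ou=groups,dc=domain,dc=local"]}
```

With a base of ou=groups,dc=test,dc=lab, a group under ou=sales,dc=test,dc=lab is out of scope whatever the scope setting, which is exactly the vCAC role-assignment limitation described above.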

evo-header

Hands on (lab) with EVO:RAIL

It looks as though the VMware Hands-On Labs from VMworld are starting to roll out.  Short of having a physical EVO:RAIL to work on, I decided to do the next best thing and get some experience with it via the VMware Hands-On Labs.  If you want to get some hands on yourself, head over to http://labs.hol.vmware.com/HOL/catalogs/lab/1503.

The HOL starts with the assumption that you have a working network and IP scheme, your top-of-rack switch is configured and your EVO:RAIL is connected and powered on (it likely also assumes you have NTP and DNS working, since those are critical to any environment and should never be skipped).

  •  Open a browser and navigate to the EVO:RAIL home page.  Click the Yes, Let’s Go! button and accept the EULA by clicking the Yes, I do button

evo-rail-start


Continue reading

The Under $800 VMware Quad-Core 32GB Home Lab

Because I am a geek, and my needs change, and this is what I like to do, I often check out new hardware, cost, features, etc.  One of the things I wish I did on my 8-core lab was go for a smaller form factor case.  Pricing, as always, is subject to change.  I actually prefer to buy most of my hardware on Amazon because I seem to have an easier time returning items that are defective, but I'll link to NewEgg.  You may be able to find a part or two for a bit less somewhere else, which is always good.

Here is a rundown of the parts for this VMware home lab build, which should be capable of booting nested 64-bit VMs or serving as a stand-alone ESXi host running other VMs since it is cheap (you can get almost 2 of these for the price of my 8-core build).  My goal was a slim line case; the In Win case comes equipped with a power supply and 2x internal 3.5″ drive bays.  The 2x drive bays give you the option to add 2 of the ICY drive caddies so you can mount a total of 4 drives inside this small form factor case.  In this build I opted for a single SSD and HDD, so if you build several of these you could do a VSAN lab.  Originally I had 3x HDDs in here, so if you go the nested build route you can use the on-board RAID controller to configure the 3x HDDs in a RAID-0 for a total of about 1.5TB of usable datastore space striped across the 3 drives and a single SSD datastore (think "gold" and "bronze" tier – OSes on the SSD and everything else on the HDDs?).  Of course the drive configurations are just an example; I went with a single drive here for cost reasons.  You could also drop the drives altogether if you were using a NAS/SAN in your home lab and just boot via USB.  The on-board NIC will need drivers; however, best I can tell the SIIG 2-port card uses an Intel i350 chipset, which appears to be on the HCL.  You could also go with a used HP NC7170 as I did in my original build and drop almost $70 off the price via Amazon (http://www.amazon.com/HP-NC7170-network-adapter-383738-B21/dp/B0009MWAI4) to get a working lab setup under $750; in fact you can get down almost to $700 if you drop the drive caddies as well!  One caveat with the used NICs: they may not come with the low profile face plate, so that may send you on a bit of a hunt to find one.  According to the SIIG site, those NICs ship with the low profile face plate.

For the CPU I went with the cheapest quad-core available that is 64-bit with virtualization support and RVI – the Athlon X4 740 Trinity CPU – with 2x 16GB RAM kits (each kit containing 2x 8GB memory modules) to finish out the build.  According to AMD, all Trinity series processors have the VT/RVI feature to allow you to boot 64-bit VMs in a nested hypervisor (http://goo.gl/jPkUMC).  I'll assume you will boot from USB, and that you have plenty of USB sticks from conferences past, to keep my price under $800 :)

| Part Type | NewEgg URL / Part Number | Price (As of 9/5/14) |
|---|---|---|
| Case - In Win BL631 SFF mATX | N82E16811108065 | $64.99 |
| Motherboard - GIGABYTE GA-78LMT-USB3 | N82E16813128565 | $58.99 |
| CPU - AMD Athlon X4 740 | N82E16819113329 | $74.99 |
| RAM - AMD Radeon R3 Value Series 16GB Kit (2x 8GB), qty 2 kits | N82E16820403053 | $319.98 |
| Drive caddy - ICY Drive Caddy, qty 2 | N82E16817994141 | $25.98 |
| SSD - Kingston SSDNow V300 240GB SSD | N82E16820721108 | $99.99 |
| HDD - SAMSUNG Spinpoint M8 ST500LM012 500GB | N82E16822152289 | $49.99 |
| NIC - SIIG Dual Port Gigabit Ethernet Server PCIe x4 | N82E16822152289 | $102.99 |
| Total | | $797.90 |

My VMworld Cisco Roving Reporter chat with Lauren Malhoit (@malhoit)

While running about at VMworld from the community hang space supporting the #vBrownBag and checking out EMC sessions and talks, I had the honor of being asked to chat with Lauren Malhoit, this year's Cisco Roving Reporter, about the conference.  For those that haven't seen them before, they are quick talks – just a few minutes long.  We chatted a bit about VMware:EVO and the #vBrownBag podcast.  You can check out mine below:


My First VMworld Experience – It’s all about the people

2014 marked my first VMworld, quite an amazing event.  Leading up to the event I booked sessions to attend and made note of Hands on Labs I wanted to take.  I was fortunate enough to fly into San Francisco (also my first time in SF) with a great friend, Luigi Danakos, and then met up with Shawn Cannon as he landed just about the same time we did.  We hopped a cab to Moscone, dropped our stuff off and registered for the event.  Once we hit the VMunderground Opening Acts put on by the #vBrownBag crew, I knew why I was here.

It wasn't for the keynote, though that was a great experience and I am very excited about EVO:Rail and EVO:Rack.  It wasn't for the sessions, though I surely enjoyed the How to Build a Well Run Hybrid Cloud session with Rick Scherer and Tyler Britten.  It was the experience of meeting, talking and just hanging out with the community.  The EMC Hybrid Cloud session was so much more fun and interesting with Erin Banks and Tommy Trodgen, whom I met for the first time.  Supporting the #vBrownBag Tech Talks would have just felt like work had it not been for meeting, working with and having fun with Cody Bunch, Alastair Cooke, Gregg Robertson, Anthony Hook, Kyle Murley and Jon Harris, and then taking off Monday night to catch a San Francisco Giants game, overlooking the bay with Gregg (his first American baseball game!), Anthony and Jon.

vmworld-baseball

I was watching the keynote on day 2, chatting with a guy next to me; it turns out that I often interact with him on the Spiceworks forums.  I got to meet Rene Van Den Bedem and Larry Smith.  Then Kellan Damm, Byron Schaller, Mike Preston, Eric Wright, Angelo Luciani and Melissa Palmer.  Lest I forget, I also met Frank Denneman and Scott Lowe.

IMG_0309

There are so many wonderful people I met at VMworld who have been a huge help to me that I can't possibly list them all.  And just when you get to the point where you think, what more could I possibly do – you end up at dinner with Phoummala Schmit, Emad Younis, Kyle Ruddy, James Green, and Alexander Nimmannit.  You get a text from your friend and head out to vBeers with Hans De Leenheer, Kasia Lorenc and Stephen Foskett before packing up and flying out with another friend you shared an apartment with all week, and have an awesome Lyft to the airport and breakfast – thank you Matthew Brender.

My one tip for anyone that hasn't been to a VMworld: go, and leave plenty of time to meet the community; that was the most amazing experience of VMworld.