Remediating VMSA-2021-0002 – Potential Issues

In late February, VMware published their second security advisory for 2021. It contained contained three items:

  • CVE-2021-21972 – A remote code execution vulnerability in vCenter that has a CVSS score of 9.8
  • CVE-2021-21974 – A vulnerablity in OpenSLP, which is used in ESXi. This one has a CVSS score of 8.8
  • CVE-2021-21973 – Another vCenter vulnerability that was rated with a CVSS score of 5.3

Given the product versions affected, most organisations with relatively up to date virtualisation infrastructure would be at risk from these items. While testing and simulating the update process, I ran into some issues that might be worth publishing for a broader audience.

Read more

vRealize Automation 8 Pricing Cards

Pricing cards allows your vRA consumers make informed decisions on the costs of infrastructure they provision. The functionality is similar to what was available when vRealize Cloud for Business was integrated with vRA 7.

Enabling Pricing Cards

To enable Pricing Cards, a few prerequisites need to be undertaken. Firstly, the vRealize Operations appliance needs to be configured to use the same time zone as the vRealize Automation appliance. By default, both appliances will use UTC as their timezone setting. So as long as you haven’t changed anything on either, this is just a verification step. You also need to configure a currency in vROPS.

Read more

vRA 8 and phpIPAM

IP address management (IPAM) is one of those areas that suddenly becomes important when infrastructure automation is implemented. In the past, an IT team may have used an Excel spreadsheet for manually tracking address assignments. When the number of servers being provisioned increases due to automation, this manual approach isn’t viable anymore. An alternative could be to just allow dynamic addressing using DHCP but that raises its own issues (for example, some server-based applications insist on a static address).

There’s a lot of products out there that do IPAM. I’ve previously used the product from SolarWinds, in my home lab I use phpIPAM. In both situations, the use of the IPAM product was similar – a vRealize Orchestrator (vRO) Workflow would request an IP address during the provisioning of a virtual machine. A matching Workflow would execute when the virtual machine was decommissioned, signalling the IPAM system to release the IP address for reuse.

As part of the process in moving my home lab setup from vRA 7.x to 8.x, this is one of the functions I’d like to carry across.

Read more

vRealize Automation 8.2 Released

VMware have released the 8.2 update for their vRealize Automation product. As the release notes start, this update brings the 8.x product closer to the capabilities we had in 7.x and adds some new things. The major changes include:

  • A new version of the REST API
  • Blueprints are now called “Cloud Templates
  • More Terraform functionality
  • Multi-tenancy support
  • Custom Roles Based Access Control (RBAC)
  • More XAAS Functionality
  • More NSX feature support

In this post, I’ll have a look at some of these updates that are relevant to my background and prior use of vRealize Automation.

VMware Cloud Templates

The first item is the change from Blueprints to “Cloud Templates”. VMware have a blog post that talks about this change. At this stage, it appears to be simply a label change, as there’s no other real changes I could see in terms of functionality. However it may indicate a shift in direction going forward.

XAAS Custom Day 2 Changes

In 8.2, it’s now possible to have three types of binding for Day 2 actions. Originally there was only one binding type, “in request”. The other two options are “with binding action” and “direct”. “With binding action” is available when inputs types are of a certain sort, such as VC:VirtualMachine. Direct is available for input properties that are primitive data types.

What this can result in is a much simplified request form that is presented to the user when performing the action. The screenshot below shows the inputs for a vMotion action, using the “in request” bindings. This effectively simulates the 8.1 behaviour. The first field is obviously redundant because the action should know what Virtual Machine is being migrated.

When the binding is updated to “with binding action”, the first field. Behind the scenes, the mapping between the Cloud_vSphere_Machine object in vRA and the vCenter VM object is happening. This is a nice change that could help clean up the look of these Day 2 actions.

Approval Policies

Approval Policies has seen an increased set of functionality in 8.2 They can be applied to all catalog items including vRealize Orchestrator workflows and ABX actions. Since these are typically used for Day 2 Actions, you can now put appropriate approvals in place for these Actions.

The list of criteria for applying an Approval Policy has been expanded and can be applied to pre-provisioning of blueprints. This could allow the creation of policies that act as safeguards to requests that may be out of normal scope.

Lastly, approvers will see all the input data of the request, when reviewing the approval. This will allow them to make a more informed decision when reviewing approval requests.

Summary

Overall this seems like a good release from VMware. Two areas of the 7.x product that I always liked was the Day 2 Actions and the XAAS functionality. Both of these went hand in hand to extend the product beyond “Day 1 provision” tasks and just doing things with Virtual Machines. It meant that many things could be automated and presented as a catalog item (some of which I’ve previously written about). In 8.0, we lost a lot of that capability, but we’re getting it back.

Similarly, Approval Policies is something that had been brought up in a few organisations I’ve worked in. The limited functionality of the policies in 8.0 meant that those organisations couldn’t really consider that version of vRA. With 8.2, I think Approval Policies are at a point where those organisations could consider it again.

vRA/vRO 8.1 Powershell – Peaking Under The Hood

One of the new features in vRealize Automation (vRA) and vRealize Orchestrator (vRO) 8.1 was support for PowerShell. This means there are now 4 scripting language options for Action Based Extensibility (ABX) in vRA and Workflows in vRO. In this post, I’m going to have a look at some of the technical details of the PowerShell implementation.

Why We Should Care

There’s two items that come to mind about why we should care about the PowerShell implementation. The first relates to the history of PowerShell itself. Up until 2016, PowerShell had been based upon the full .NET framework. In that year, Microsoft announced PowerShell Core, which was based on .NET Core. This allowed PowerShell to be used on non-Windows platforms like Linux. This new “branch” of PowerShell had reduced functionality, with many modules no longer working. Eventually PowerShell Core was re-branded to a 6.x version line. In March 2020, PowerShell 7 was released. This version was an attempt to close the gap in functionality between the two branches.

The second item is how PowerShell was used in vRA/vRO 7.x. In 7.x it was possible to add a PowerShell host. The PowerShell host was a Windows system configured to allow vRO to remote into it to execute commands. This created an incredible amount of flexibility because you could install any modules you liked on the host. On the down side, it added complexity (more moving parts to manage) and security issues (like ensuring the PowerShell Host had a network path to each target, and Kerberos double-hopping issues).

With this background in mind, it becomes relevant to figure out what implementation of PowerShell is used in vRA/vRO and other information about the implementation.

Read more

I’m a vExpert!

In June this year, VMware opened applications for their vExpert program. For those not familiar with it, it’s VMware’s “global evangelism and advocacy program”. A key part of it is giving back to the community. This can be via blog posts, helping people on VMware’s forums, participating in VMware user groups and so on. I threw my hat into the ring for it, without any real expectations.

Anyone who has worked with VMware products for any amount of time has ended up relying on the output created by people who are vExperts. I know I have. When viewing the list of people in the vExpert Directory, there was a lot of blog URLs that I recognised.

So when I got the email this week saying I was one of the lucky ones, it was a pleasant surprise. It’s an honor to be recognised by VMware for this. Congratulations to everyone else who got their vExpert awards this year.

Bulk Add Flavor Mappings Using vRA 8 REST API

One of the features added in vRealize Automation 8 (vRA 8) was Flavor Mappings. Flavor Mappings allow various instance types on different cloud providers to be associated with a platform-agnostic label. While it was possible to do something similar in vRA 7, it required a lot of scripting to handle the logic of the choice made. Like many of VMware’s newer products, vRA 8 has a REST API for executing most tasks, and this includes management of Flavor Mappings. Because adding these in bulk can be tedious, I looked at how it might be done with a bit of automation.

Workflow Overview

The vRealize Automation 8.1 API Programming Guide is a good starting point for looking at automating tasks in vRA 8. It has the steps relating to getting authentication done, as well as some general administrative tasks. In the case of what I was trying to achieve, the general workflow looks like this:

Flavor Mapping Workflow
Flavor Mapping Workflow

Read more

vRealize Automation 8 – cloudConfig

With the increased focus on cloud-based services in vRealize Automation (vRA) 8, VMware have added a lot of new features. One of the key ones for Infrastructure As A Service (IAAS) provisioning is initialising a machine via “cloudConfig”.

How We Used To Do It

Historically, when provisioning a Virtual Machine (VM) either via vRA or directly via vCenter, we would use a Customisation Specification. These were files that controlled certain settings when a VM booted for the first time, such as the administrator password.

Settings from a Customisation Specification

In AWS, Userdata scripts were used to perform similar tasks. This was executed via the EC2Config service/agent that was installed on the AMI templates that were used for deploying EC2 instances. Azure has similar functionality.

Read more

Home lab expansion

For a while now I’ve been hitting the capacity limit of the single server in my home lab. This is the nature of running a lot of VMware’s more recent products on it. The plan had been to get another server, shared storage and a larger switch. This week I was able to bring it all together. There were some problems.

What I already had

The original setup I had included the following items:

  • 1 Dell R710 with a Samsung 970 Evo Plus M.2 SSD (in a M.2 to PCIe adapter), a 128GB SATA SDD and a 1TB SATA SSD
  • 1 5-port Gigabit switch
  • 1 5-outlet power board

The Second Server

For the second server, I tried to get something that was as close to my current one as possible. This meant another Dell R710 with a similar model of CPU and about 128GB of RAM. Fortunately I was able to easily find one for sale on ebay. It came with 4 x 300GB SAS drives. I ended up moving 2 of these to the original server and creating a RAID 1 on each server.

Read more

Close Bitnami banner
Bitnami