Rightsizing VMs with vRealize Operations

This post was originally published on this site

Rightsizing VMs is critical to getting the best performance out of your vSphere infrastructure and your VMs. Rampant oversizing of VMs can cause contention at the host or cluster level, which manifests as CPU ready, CPU co-stop, VM swap, etc. Undersized VMs can cause contention inside the guest OS, which manifests as CPU queuing, memory paging,

The post Rightsizing VMs with vRealize Operations appeared first on VMware Cloud Management.

Using Ansible for Managing VMware vSphere Infrastructure


This is the second part, following How to install Ansible on Linux for vSphere configuration. Here I have written two Ansible playbook files (a play with its tasks) to configure VMware ESXi servers. Playbook files are written in YAML (.yml). Using Ansible against VMware vSphere requires the pyVmomi Python module (already installed and shown in the earlier article). Ansible talks to and configures vSphere through the vSphere API.

The first file, secrets.yml, is a variables file (not an inventory file): the three dashes mark the start of a YAML document, followed by the vCenter IP, username and password, which are self-explanatory. Because the administrator password is stored in plaintext, encrypt the file with ansible-vault before keeping it anywhere shared (ansible-vault encrypt secrets.yml, then run the playbook with --ask-vault-pass); the playbook itself does not change.
In the second file, playbook.yml, I include secrets.yml and define the tasks that connect to the vCenter server and configure the infrastructure. Below is the breakdown of playbook.yml, task by task.

Play header: the play targets localhost, so every task runs on the Ansible control node; the vCenter API is called from there rather than from the ESXi hosts.
Task "Include Secret Environment Items": include_vars loads secrets.yml and namespaces its keys under the variable secret, so the values are referenced as secret.vcenter, secret.username and secret.password throughout the playbook.
Task "vCenter Login": the uri module sends a POST with HTTP basic authentication to the vSphere Automation REST endpoint /rest/com/vmware/cis/session and registers the response as login, which carries the session cookie used by the next task. This REST API is served by vCenter only; a standalone ESXi host exposes the SOAP-based vSphere Web Services API but not the /rest endpoints, so the login has to go to vCenter.
Task "Get hosts from vCenter": the uri module again, this time a GET to /rest/vcenter/host that presents the cookie held in the login variable, registering the returned list of ESXi hosts as vchosts.
Task "Set ESXi shell time out": the last part, which applies advanced settings to every ESXi host through the vmware_host_config_manager module. with_items loops over vchosts.json.value, and each host's name is read from item.name.
One caveat before running this outside a lab: all three tasks set validate_certs: no, which turns off TLS certificate verification of vCenter. That is convenient with the self-signed certificate vCenter ships with, but it means the administrator credentials are sent to whatever answers at that address; in production, install a certificate from a CA your control node trusts on vCenter and set validate_certs: yes.

You can download the VMware vSphere Ansible YAML scripts here; the yml scripts are also available on github.com/kunaludapi.

secrets.yml

---
# Variables file loaded by playbook.yml. Stored in plaintext here for the demo;
# encrypt it with "ansible-vault encrypt secrets.yml" before committing or sharing it.
vcenter:  192.168.0.1
username: administrator@vsphere.local
password: 123456

playbook.yml

---
- hosts: localhost        # every task runs on the Ansible control node
  
  tasks:
    - name: Include Secret Environment Items
      include_vars:
        file: secrets.yml   # keys become secret.vcenter, secret.username, secret.password
        name: secret

    - name: vCenter Login
      # POST to the vSphere Automation REST API creates a session. This endpoint
      # exists on vCenter only, not on a standalone ESXi host.
      uri:
        url: "https://{{secret.vcenter}}/rest/com/vmware/cis/session"
        force_basic_auth: yes
        method: POST
        user: "{{secret.username}}"
        password: "{{secret.password}}"
        status_code: 200
        validate_certs: no   # disables TLS verification of vCenter; lab only, use yes with a trusted CA in production
      register: login

    - name: Get hosts from vCenter
      uri:
        url: "https://{{secret.vcenter}}/rest/vcenter/host"
        force_basic_auth: yes   # no user/password here, so this has no effect; the cookie carries the session
        validate_certs: no
        headers:
          Cookie: "{{login.set_cookie}}"   # alternatively send the session id: vmware-api-session-id: "{{login.json.value}}"
      register: vchosts

    - name: Set ESXi shell time out
      vmware_host_config_manager:   # needs pyVmomi on the control node
        hostname: "{{secret.vcenter}}"
        username: "{{secret.username}}"
        password: "{{secret.password}}"
        esxi_hostname: "{{item.name}}"
        options:
          'UserVars.ESXiShellTimeOut': 1800
          'NFS.MaxVolumes': 256
          'NFS.HeartbeatMaxFailures': 10
          'NFS.HeartbeatTimeout': 5
          'NFS.HeartbeatFrequency': 12
          'Net.TcpipHeapSize': 32
        validate_certs: no
      with_items: "{{vchosts.json.value}}"   # one iteration per ESXi host; item.name is the host name

Both files are kept in the same folder; run the playbook with the command below.

ansible-playbook playbook.yml

The playbook starts by gathering facts (collecting information about localhost) and then reports, for each task, whether it was ok, changed or failed. The screenshot below shows a successful run.

[Screenshot: ansible-playbook playbook.yml output showing the gathering facts step, the Set ESXi shell time out task and the play recap (ok, changed, unreachable, failed, skipped, rescued, ignored)]

I confirmed in vCenter > ESXi host > Configure > Advanced System Settings that the settings were applied successfully.

[Screenshot: vCenter, ESXi host Advanced System Settings showing the values applied by the playbook]

Useful articles
How to install Docker on Linux
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Docker Error response from daemon: i/o timeout (internet proxy)
How to install Ansible on Linux for vSphere configuration
How to Set Up Passwordless SSH Login on Windows
Configure the Remote - SSH extension in Visual Studio Code
VS Code Remote - SSH: could not establish connection to host, connecting was canceled

VMware Cloud Foundation 3.9.1 Is Generally Available


VMware has announced the general availability of VMware Cloud Foundation (VCF) 3.9.1, introducing support for Application Virtual Networks, API support for multiple physical NICs and vSphere Distributed switches, and improvements to Cloud Builder and Developer Center. What’s New with VCF 3.9.1 Application Virtual Networks Application Virtual Networks (AVN) are software-defined overlay networks that lay the […]

The post VMware Cloud Foundation 3.9.1 Is Generally Available appeared first on VMarena.

Significant Transitions Coming to VMware Cloud Providers in 2020. Are You Ready?


Several changes are coming to you as a VMware Cloud Provider in 2020. These transitions include valuable enablement resources, a simplified partner program, and product availability updates. It’s a new decade, and it’s time to make important changes! In this blog, we’ll take a look at what’s (quickly) coming up this quarter: WIRE Training Transitions

The post Significant Transitions Coming to VMware Cloud Providers in 2020. Are You Ready? appeared first on VMware Cloud Provider Blog.

VMware Cloud Foundation 3.9.1 Released


VMware has released Cloud Foundation 3.9.1. This new version has a new Bill of Materials with newer versions of the software, and other fixes. Application Virtual Networks (AVNs): Enable vRealize Suite deployment in NSX overlay networks. AVNs provide benefits for portability and failover for planned migration or disaster recovery. New installations of Cloud Foundation 3.9.1 use […]

Explore vSphere + Bitfusion – The Future of AI & ML


We’re back with another vSphere Tweet Chat recap! In this edition, we explore vSphere and Bitfusion, and what this integration means for the future of AI and ML. To answer all of your questions, experts Jim Brogan (@brogan_record) and Don Sullivan (@dfsulliv) joined us to share the inside scoop. They answered some tough questions, and

The post Explore vSphere + Bitfusion – The Future of AI & ML appeared first on VMware vSphere Blog.

AA20-014A: Critical Vulnerabilities in Microsoft Windows Operating Systems


Original release date: January 14, 2020

Summary

New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:

  • CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
  • Multiple Windows RDP vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities—in the Windows Remote Desktop client and RDP Gateway Server—allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.

The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities. However, because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.

CISA strongly recommends organizations install these critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets.

Technical Details

CryptoAPI Spoofing Vulnerability – CVE-2020-0601

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates.

According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”[1]

A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:

  • A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from validating its authenticity and issuing warnings. If the certificate impersonates a user’s bank website, their financial information could be exposed.
  • Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users.

The Microsoft Security Advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
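The following Python script is an added illustration of the validation flaw described above; it is not part of the CISA advisory and is not Microsoft's code. It implements textbook ECDSA on NIST P-256 and models a certificate as nothing more than the curve generator it declares and its public point. The attacker takes the trusted root's public point Q_ca, declares explicit curve parameters with generator G' = Q_ca, and uses the private scalar d' = 1, so that d'·G' equals Q_ca without the attacker ever knowing d_ca. A verifier that matches the issuer against the trust store by public point alone, and then verifies with the parameters carried in the attacker's certificate, accepts the forgery; one that compares the whole key and verifies with the trusted root's stored parameters rejects it. The dictionary-based certificate model and the names validate_vulnerable and validate_fixed are this example's own simplifications; real X.509 certificates carry these values inside ASN.1 structures.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4). The generator G is part of the curve
# definition; a verifier must check it, not only the public point.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant time; demo only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, gen=G):
    """Textbook ECDSA; 'gen' is the generator the key pair was defined over."""
    z = hash_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, gen)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)

def verify(pub, msg, sig, gen=G):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(hash_int(msg) * w % N, gen), mul(r * w % N, pub))
    return pt is not INF and pt[0] % N == r

def make_root():
    """Honest root CA. A 'certificate' here is just {gen, pub}: the curve
    generator it declares and its public point (a simplification of X.509)."""
    d = secrets.randbelow(N - 1) + 1
    return d, {"gen": G, "pub": mul(d, G)}

def forge_issuer(trusted_root):
    """Attacker: explicit parameters with generator G' = Q_ca and private scalar
    d' = 1, so d'*G' == Q_ca although d_ca was never learned."""
    q = trusted_root["pub"]
    return 1, {"gen": q, "pub": q}

def issue_leaf(issuer_priv, issuer_cert, subject):
    tbs = subject.encode()
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs, issuer_cert["gen"])}

def validate_vulnerable(leaf, issuer_cert, trust_store):
    """CVE-2020-0601 pattern: match the issuer to the trust store by public point
    only, then verify with the parameters the issuer certificate itself supplies."""
    if not any(root["pub"] == issuer_cert["pub"] for root in trust_store):
        return False
    return verify(issuer_cert["pub"], leaf["tbs"], leaf["sig"], issuer_cert["gen"])

def validate_fixed(leaf, issuer_cert, trust_store):
    """Match on the whole key (parameters and point) and verify with the trusted
    root's stored parameters, never with parameters taken from the presented cert."""
    for root in trust_store:
        if root["pub"] == issuer_cert["pub"] and root["gen"] == issuer_cert["gen"]:
            return verify(root["pub"], leaf["tbs"], leaf["sig"], root["gen"])
    return False

def demo():
    d_ca, root = make_root()
    trust_store = [root]
    honest = issue_leaf(d_ca, root, "CN=bank.example")     # signed by the real CA
    d_evil, rogue = forge_issuer(root)
    forged = issue_leaf(d_evil, rogue, "CN=bank.example")  # signed with d' = 1
    return {
        "honest_vulnerable": validate_vulnerable(honest, root, trust_store),
        "honest_fixed": validate_fixed(honest, root, trust_store),
        "forged_vulnerable": validate_vulnerable(forged, rogue, trust_store),
        "forged_fixed": validate_fixed(forged, rogue, trust_store),
    }
```

Calling demo() returns a dictionary in which the honestly signed leaf passes both validators, while the forged leaf passes validate_vulnerable and fails validate_fixed. The point to take away is that a public key on a curve with explicit parameters is only meaningful together with those parameters: any trust decision keyed on the public point alone can be satisfied by an attacker who chooses the generator, which is why the patch makes CryptoAPI validate ECC certificates completely rather than by public key match.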

Detection Measures

The National Security Agency (NSA) provides detection measures for CVE-2020-0601 in their Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers.[2]

Windows Remote Desktop Server Vulnerabilities – CVE-2020-0609/CVE-2020-0610

According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”[3],[4]

CVE-2020-0609/CVE-2020-0610:

  • Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
  • Occurs pre-authentication; and
  • Requires no user interaction to perform.

The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.

Windows Remote Desktop Client vulnerability – CVE-2020-0611

According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”[5]

CVE-2020-0611 requires the user to connect to a malicious server via social engineering, DNS poisoning, a man-in-the-middle attack, or by the attacker compromising a legitimate server.

The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information,
  • Disruption to regular operations,
  • Financial losses relating to restoring systems and files, and
  • Potential harm to an organization’s reputation.

 

Mitigations

CISA strongly recommends organizations read the Microsoft January 2020 Release Notes page for more information and apply critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected IT/OT assets.

General Guidance

  • Review Guide to Enterprise Patch Management Technologies, NIST Special Publication 800-40 Revision 3. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies, and also briefly discusses metrics for measuring the technologies’ effectiveness.
  • Review CISA Insights publications. Informed by U.S. cyber intelligence and real-world events, each CISA Insight provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-federal partners can implement. Printable materials can be found by visiting: https://www.cisa.gov/publication/cisa-insights-publications.
  • Review CISA’s Cyber Essentials. CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices. Essentials are the starting point to cyber readiness. To download the guide, visit: https://www.cisa.gov/publication/cisa-cyber-essentials.

Revisions

  • January 14, 2020: Initial version


Application Virtual Networks – Enabling Stronger Mobility and Flexibility with VMware Cloud Foundation


By: Nick Marshall One of the new features in the 3.9.1 release of VMware Cloud Foundation (VCF) is the use of Application Virtual Networks (AVNs) to completely abstract the hardware and realize the true value of a software-defined cloud computing model. As an introduction, AVNs are software-defined overlay networks that serve a specialized purpose in the

The post Application Virtual Networks – Enabling Stronger Mobility and Flexibility with VMware Cloud Foundation appeared first on Cloud Foundation.