afokkema VMware

Find all VMs with XHCI USB controller


Just a quick heads up about VMSA-2020-0026 and especially about (CVE-2020-4004) concerning the XHCI (USB3) Controller.

Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)

Description
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.

The following PowerCLI one-liner searches for all virtual machines and templates that are configured with the XHCI (USB3) controller.

Get-View -ViewType VirtualMachine -Property Name, Config.Hardware | Where-Object {$_.Config.Hardware.Device.DeviceInfo.Label -match "xhci"} | Select -ExpandProperty Name

Just connect to your vCenter of choice via Connect-VIServer and see if your environment has VMs or templates that uses the XHCI controller and apply the patch or workaround described in the advisory when needed.

– Happy Scripting –

afokkema Powershell

Update-Module VMware.PowerCLI – Unable to find repository


On one of my development machines (old school Windows 2012 R2 with PowerShell 5.1) I tried to upgrade the VMware.PowerCLI module to the latest version. But this time it was not just type the “update-module VMware.PowerCLI” command and you’re ready. Instead I received the following error:

Unable to find repository ‘https://www.powershellgallery.com/api/v2′. Use Get-PSRepository to see all available repositories.

image

I remembered this post from Przemyslaw Klys describing the same issue. Recently PowerShellGallery disabled support for TLS 1.0 and is now requiring TLS 1.2 So you have to enable TLS 1.2 support on your “old” servers.

The quick fix, if you want to enable TLS 1.2 for the current PowerShell session is to run the following command:

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

After enabling TLS 1.2 it’s time to upgrade to the latest version of the VMware.PowerCLI module.

Or you can just enable TLS 1.2 on your system by checking this guide from Microsoft.

– Happy scripting –

afokkema Automation, VMware

PowerCLI: Reconfigure for vSphere HA


Sometimes when you change something to the vSphere HA configuration like an Advanced Option, you have to reconfigure vSphere HA on each host inside that particular cluster. You can do that by hand via the Reconfigure for vSphere HA.. option inside the vSphere (Web) Client:

Screenshot 2016-01-22 13.11.47

Or you can use the following PowerCLI one-liner to perform this step on every host inside that cluster.

Get-Cluster <clusterName | Get-VMhost | Sort Name | %{$_.ExtensionData.ReconfigureHostForDAS()}

Just change the to the name of the cluster en open PowerCLI, connect to the vCenter server and run the one-liner.

afokkema VMware

HP’s September VMware driver bundle and issues with Emulex CNA’s


Update 08/10/2014: HP support recommends to install the following versions of the Emulex firmware/drivers.

Install the following driver and firmware version for the NIC and install on server and check

As it is a ESX 5.1 we would use BE2NET driver

Driver: 4.9.488.0 – http://www.hp.com/
Firmware: 4.9.416.0 – http://www.hp.com/

You can read more about the issues here at http://www.techazine.com. I saw the same symptoms on brand new HP BL460 Gen8 and vSphere 5.1 update 2, the latest build: VMware-ESXi-5.1.0-Update2-2000251-HP-5.68.30-Sep2014.iso released on 2014-09-08.  Hosts randomly disconnects from vCenter, even if those hosts are in maintenance mode (lucky me).

The driver causing the issues is version: net-be2net 10.2.293.0-1OEM.510.0.0.802205 Emulex VMwareCertified 2014-08-25. More information about the drivers included in the latest custom ISO can be found here: http://vibsdepot.hp.com/hpq/recipes/September2014VMwareRecipe16.0.pdf

To solve this issue, you need to downgrade the driver to the previous version. I had no issues with the 4.6.247.10 drivers so I used this one.

I created a PowerCLI script to verify the installed version of the net-be2net on all the BL460c Gen8 blades.

$be2netlist = @()
foreach($vmhost in (Get-VMhost | ?{$_.Model -eq "ProLiant BL460c Gen8"}| sort name)){
    Write-Host "Checking host $($vmhost.name)" -ForegroundColor Yellow
    $esxcli = Get-EsxCli -VMHost $vmhost
        $be2net = New-Object PSObject -Property ([ordered]@{
            vmhost = $vmhost.name
            driver = ($esxcli.software.vib.list() | ?{$_.Name -eq "net-be2net"}).name
            version = ($esxcli.software.vib.list() | ?{$_.Name -eq "net-be2net"}).version        
        })
        $be2netlist += $be2net
}
$be2netlist | ft -AutoSize

The output:

image

Now we wait for a fix from HP and Emulex.

afokkema VMware

PowerCLI: enable SSH and configure ESXi Firewall


It’s a long time ago when I posted a new article on my blog so it’s time to write some new content. I want to start with a post about configuring SSH to start automatically, hide the Shell warning message and configure the ESXi firewall to allow the connection from a certain IP address. Of course all this is done by running a PowerCLI script.

But first I want to show you where you can change the ESXi firewall settings. Go to the configuration tab and select the Security Profile. Select the rule you want to change and click on firewall.. Select the option “Only allow connections from the following networks” and add the IP address or IP range you want to allow.

image

But like I mentioned before this is not a job do by hand when you have a large vSphere environment so I want to share the PowerCLI script below to perform this task for you. The only things you need to change are the $cluster and $ip variables. Then copy the script to your PowerCLI session and run it.

$cluster = "<clusterName>"
$ip = "192.168.1.1"

foreach($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort Name)){
    write-host "Configuring SSH on host: $($vmHost.Name)" -fore Yellow
    if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Policy -ne "on"){
        Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
        Get-VMHostService -VMHost $vmHost | where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy "On" -Confirm:$false -ea 1 | Out-null
    }

    if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Running -ne $true){
        Write-Host "Starting SSH service on $($vmHost.Name)"
        Start-VMHostService -HostService (Get-VMHost $vmHost | Get-VMHostService | Where { $_.Key -eq "TSM-SSH"}) | Out-null
    }    
    
    $esxcli = Get-EsxCli -VMHost $vmHost
    if($esxcli -ne $null){
        if(($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses -eq "All"){
            Write-Host "Changing the sshServer firewall configuration"        
            $esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
            $esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
            $esxcli.network.firewall.refresh()
        }    
    }
    
    if(($vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"}).Value -ne "1"){
        Write-Host "Suppress the SSH warning message"
        $vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"} | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-null
    }    
}

The script checks if the SSH Service is running or not and will change the setting is necessary. This is also the case with the Firewall configuration and the part to suppress the Shell warning message.

afokkema VMware

PowerCLI: Automatic expand the available ports for a dvPortgroup


Last year William Lam wrote a blog post on the VMware vSphere Blog about automatic expand a dvPort group port. You can find his post here: http://blogs.vmware.com/vsphere/.  There is also a KB article about this subject. You can find it here: KB1022312

Just a quote from the KB article KB1022312 to explain the auto expand feature and how you can enable it without using Perl of PowerCLI scripting:

Note:  vSphere 5.0 has introduced a new advanced option for static port binding called Auto Expand. This port group property allows a port group to expand automatically by a small predefined margin whenever the port group is about to run out of ports. In vSphere 5.1, the Auto Expand feature is enabled by default.

In vSphere 5.0 Auto Expand is disabled by default. To enable it, use the vSphere 5.0 SDK via the managed object browser (MOB):

  1. In a browser, enter the address http://vc-ip-address/mob/.
  2. When prompted, enter your vCenter Server username and password.
  3. Click the Content link.
  4. In the left pane, search for the row with the word rootFolder.
  5. Open the link in the right pane of the row. The link should be similar to group-d1 (Datacenters).
  6. In the left pane, search for the row with the word childEntity. In the right pane, you see a list of datacenter links.
  7. Click the datacenter link in which the vDS is defined.
  8. In the left pane, search for the row with the word networkFolder and open the link in the right pane. The link should be similar to group-n123 (network).
  9. In the left pane, search for the row with the word childEntity. You see a list of vDS and distributed port group links in the right pane.
  10. Click the distributed port group for which you want to change this property.
  11. In the left pane, search for the row with the word config and click the link in the right pane.
  12. In the left pane, search for the row with the word autoExpand. It is usually the first row.
  13. Note the corresponding value displayed in the right pane. The value should be false by default.
  14. In the left pane, search for the row with the word configVersion. The value should be 1 if it has not been modified.
  15. Note the corresponding value displayed in the right pane as it is needed later.
  16. Go back to the distributed port group page.
  17. Click the link that reads ReconfigureDvs_Task. A new window appears.
  18. In the Spec text field, enter this text:
    <spec>
    <configVersion>1</configVersion>
    <autoExpand>true</autoExpand>
    </spec>
    where configVersion is what you recorded in step 15.
  19. Click the Invoke Method link.
  20. Close the window.
  21. Repeat Steps 10 through 14 to verify the new value for autoExpand.

If you need to change this setting for hundreds of dvPortgroups this will not be one of your favorite changes in your VMware environment. Well you know me. Let’s see if we can PowerCLI this job.

$dvPG = Get-VirtualPortGroup -Name "VM Network"
$dvPGview = get-view $dvPG
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.AutoExpand = "True"
$spec.ConfigVersion = $dvPGview.Config.ConfigVersion
$dvPGview.ReconfigureDVPortgroup_Task($spec)
$dvPGview.UpdateViewData()

if you want to change all the dvPortgroups at one. You can use the following script:

Update: Thanks to Rafael Schitz from http://www.hypervisor.fr/ for the tip to filter out the dvUplink Portgroups. I have also added a check to find out if the dvSwitch is running the correct version to enable the autoExpand feature. Copy the script below and change de $dvSwitchName variable to the name of your dvSwitch.

$dvSwitchName = "dvSwitchName"
$dvSwitch = Get-VirtualSwitch -Distributed -Name $dvSwitchName
if($dvSwitch.ExtensionData.Config.ProductInfo.Version –notmatch "4.*"){
    foreach($dvPG in (Get-View -ViewType DistributedVirtualPortgroup|?{!($_.Tag|?{$_.Key -eq "SYSTEM/DVS.UPLINKPG"}) -and !$_.Config.autoExpand})){
        $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
        $spec.AutoExpand = "True"
        $spec.ConfigVersion = $dvPG.Config.ConfigVersion
        $dvPG.ReconfigureDVPortgroup_Task($spec)
        Write-Host "Enable auotExpand for dvPortgroup: $($dvPG.Name)" -ForegroundColor Yellow
        $dvPG.UpdateViewData()
    }
}
else{
    Write-Host "dvSwitch: $($dvSwitch.Name) is not configured with version 5 or higher. Please upgrade.." -ForegroundColor Red
}

If the dvPortgroup has 0 available ports and a VM wants to connect a network adapter to the dvPortgroup, The total ports variable will be automatically expand with 10 ports. After a couple of tests I can confirm that it works.

My VM Network dvPortgroup had 70 ports. When al these ports where claimed by VM’s and a new VM was deployed or an existing VM was configured with a new network adapter, the Available ports variable was expanded with 10 ports without any impact for the running VM’s.

image

Sources: KB1022312, http://blogs.vmware.com/vsphere/, http://www.hypervisor.fr/?p=4633

afokkema Automation

PowerCLI: Easy NFS datastore setup vSphere 5.x


For vSphere 4.1 I wrote a PowerCLI script to attach NFS shares. You can find the script here.

In vSphere 5 the properties has changed so I had to change the script. In fact the script is much simpler because all the properties can be found in $nfs.info.nas:

image

The RemoteHost presents the IP address, The RemotePath presents the Share and the Name property presents the name of the share. Now we have the correct variables so it’s time to fix the old script. You can find the result below:

$REFHOST = Get-VMHost "<esxi hostname>"
foreach($NEWHOST in (Get-Cluster <cluster> | Get-VMhost | Where {$_.Name -ne $REFHOST.Name}) | Sort Name){
    foreach($nfs in (Get-VMhost $REFHOST | Get-Datastore | Where {$_.type -eq "NFS"} | Get-View)){
        $share = $nfs.info.Nas
        if($share.Remotehost -match "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"){
            $remotePath = $share.RemotePath
            $remoteHost = $share.Remotehost
            $shareName = $nfs.Name            

            if ((Get-VMHost $NEWHOST | Get-Datastore | Where {$_.Name -eq $shareName -and $_.type -eq "NFS"} -ErrorAction SilentlyContinue )-eq $null){
                Write-Host "NFS mount $shareName doesn't exist on $($NEWHOST)" -fore Red
                New-Datastore -Nfs -VMHost $NEWHost -Name $Sharename -Path $remotePath -NfsHost $remoteHost    | Out-Null
            }
        }
    }
}
afokkema Automation

PowerCLI: Get-VirtualPortgroup -Distributed VlandId value is empty


Today I was busy with PowerCLI and dvPort groups.  I started to use the Get-VirtualPortgroup –Distributed cmdlet and parameter to retrieve some information about the dvPort group. But the default output doesn’t show the VlanId. See the screen shot below for the default output.

image

I don’t know if this is a known issue between PowerCLI 5.1 release 1 and vSphere 4.1 update 2. So I have to test it in a vSphere 5 environment.

But how can you find the vlanid of a distributed portgroup? You can use a PowerCLI script which I created  to fix this little “bug” and I have also added the PortsFree column to the output of the script.

$dvPortgroup = get-virtualportgroup -Distributed -Name "vlan1"
$dvPortgroupInfo = New-Object PSObject -Property @{            
    Name = $dvPortgroup.Name
    Key = $dvPortgroup.Key
    VlanId = $dvPortgroup.ExtensionData.Config.DefaultPortConfig.Vlan.VlanId
    Portbinding = $dvPortgroup.Portbinding
    NumPorts = $dvPortgroup.NumPorts
    PortsFree = ($dvPortgroup.ExtensionData.PortKeys.count - $dvPortgroup.ExtensionData.vm.count)
}  
$dvPortgroupInfo | ft -AutoSize

The output of the script:

image

If you want to create a report of all the dvPort groups. You can use the following script to achieve that goal:

$info = @()
foreach($dvPortgroup in (Get-VirtualPortgroup -Distributed | Sort Name)){
    $dvPortgroupInfo = New-Object PSObject -Property @{            
        Name = $dvPortgroup.Name
        Key = $dvPortgroup.Key
        VlanId = $dvPortgroup.ExtensionData.Config.DefaultPortConfig.Vlan.VlanId
        Portbinding = $dvPortgroup.Portbinding
        NumPorts = $dvPortgroup.NumPorts
        PortsFree = ($dvPortgroup.ExtensionData.PortKeys.count - $dvPortgroup.ExtensionData.vm.count)
    }  
    $info += $dvPortgroupInfo
}
$info | Export-Csv -UseCulture -NoTypeInformation C:\tmp\dvportgroup_info.csv
afokkema VMware

PowerCLI: dvSwitch info


In one of my previous posts you can find a PowerCLI script to report the dvPortgroup ports usage. In this post you’ll find a PowerCLI script to report the overall status of the dvSwitches in your environment. The script will report the dvSwitch Name, Version, Total ports maximum, Total ports in use and the total ports left on the dvSwitch.

Just copy the script below:

$dvSwitchInfo = @()
foreach($dvSwitch in (get-virtualSwitch -distributed |Sort Name)){
    $details = "" | Select Name, Version, Totalports, Portsinuse, Portsleft
    
    $totalPorts = $dvSwitch.ExtensionData.Config.MaxPorts
    $Portsinuse = $dvSwitch.ExtensionData.Config.NumPorts
    $portsleft = ($totalPorts - $Portsinuse)
        
    $details.Name = $dvSwitch.name
    $details.Version = $dvSwitch.ExtensionData.Summary.ProductInfo.Version
    $details.Totalports = $totalPorts
    $details.Portsinuse = $Portsinuse
    $details.Portsleft = $portsleft   
    
    $dvSwitchInfo += $details
}    
$dvSwitchInfo

The output will look like this:

image

I will create another script to combine the information of the dvSwitch and the dvPortgroups available on the dvSwitch to a complete html report like the vCheck.

afokkema Automation, VMware

PowerCLI: dvPortgroup ports report


In this post I will show you how you can generate a simple report of your dvPortgroups. The report shows the Name of the dvPortgroup, The portbinding configuration, The total ports configured, The total ports in use and last but not least the total ports left on the dvPortgroup.

The script below will search for all distributed portgroups in your vCenter where you’re connected to with PowerCLI.

$pgInfo = @()
foreach($pg in (get-virtualportgroup -distributed | Sort Name)){
    $details = "" | Select Name, PortBinding, Totalports, Portsinuse, Portsleft
    
    $totalPorts = $pg.ExtensionData.PortKeys.count    
    $Portsinuse = $pg.ExtensionData.vm.count
    $portsleft = ($totalPorts - $Portsinuse)
        
    $details.Name = $pg.name
    $details.PortBinding = $pg.PortBinding
    $details.Totalports = $totalPorts
    $details.Portsinuse = $Portsinuse
    $details.Portsleft = $portsleft   
    
    $pgInfo += $details
}    
$pgInfo | Export-Csv -UseCulture -NoTypeInformation C:\Scripts\dvPortgroupInfo.csv

The CSV output will look like this:

Name PortBinding Totalports Portsinuse Portsleft
vlan1 Static 32 4 28
vlan2 Static 32 0 32
vlan3 Static 32 7 25
vlan4 Static 32 1 31
vlan5 Static 32 12 20
vlan6 Static 32 0 32

With a simple PowerCLI script you can create a report of all your dvPortgroups. I am going to create another PowerCLI script to use as a Nagios plugin to see witch of the dvPortgroups have less than <X> ports left. So to be continued.