virtual grind thoughts from the virtual world

10 Nov 2012

Quickly Reset Equallogic Group Membership Password

I have run into situations where I need to add new Equallogic members to groups that did not have the password documented. On an initial group configuration, settings such as group IP, grpadmin password, and membership password are chosen. Unfortunately, there is not an easy way to recover or see the membership password via the Group Manager.

Anyway, you can safely change the membership password to something new without affecting any existing settings, and then use the new password to get a new member in.

To do this, simply SSH into your group IP and issue the grpparams and passwd commands:

GROUPNAME>grpparams
GROUPNAME>passwd
Password for adding members: 1234
Retype password: 1234
Password change succeeded.

15 Oct 2012

Using Likewise To Integrate Ubuntu Into Active Directory

Just thought I would share a quick post on adding your Ubuntu servers to Active Directory. Using Active Directory for centralized and distributed management of computers and users is a common practice. Allowing Linux machines to interact with the Active Directory extends this functionality into the Linux world, allowing administrators to use things like security groups and permissions for easy access.

Fortunately, Likewise makes this process a lot easier than it was years ago. To install Likewise, simply add the package via apt:

sudo apt-get install likewise-open

Once the package is installed, you have to join your Ubuntu installation to the Active Directory:

sudo domainjoin-cli join virtualgrind.local Administrator

In the above line, you are joining an Active Directory domain with a name of "virtualgrind.local" with the user "Administrator". Substitute your own domain name and, if you do not use the Administrator account, a user account that has permissions to join the domain.

Once you enter the domainjoin-cli command, you will be prompted for the Active Directory account's password that was specified. If all goes well, you will see a "SUCCESS" message. You will also see the Ubuntu machine added as a computer in your Active Directory.

At this point, any Active Directory account will be able to SSH into the server. You can test this by opening an SSH session to the machine with an Active Directory account:

ssh virtualgrind\\johndoe@ubuntu-server
or
ssh 'virtualgrind\johndoe'@ubuntu-server

In the above example, you are providing the standard UNC naming convention as the username for your ssh connection, or DOMAINNAME\USERNAME. In this particular example, the domain name is "VIRTUALGRIND" and the user name is "johndoe". Also note that the hostname of this example is "ubuntu-server". You could use the IP address of the server instead.

To limit the groups of users that are able to ssh into the server, you will then need to use the "lwregshell" command:

sudo lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\]' RequireMembershipOf "virtualgrind\\SSH^Users" "virtualgrind\\Linux_Admins"

...then, to apply the changes and restart the service:

sudo lwsm refresh lsass

In this example, the lwregshell command is requiring that ssh users are members of the Active Directory group "SSH Users" or "Linux_Admins". I included two groups to show both ways of dealing with spaces in a group name: writing the space as a caret (^), as in "SSH^Users", or avoiding spaces altogether by using something like an underscore in your Active Directory group names.

Finally, if any of the users that are accessing the system from Active Directory need to use the sudo command, you will also need to provide the UNC style name to the sudoers file:

%VIRTUALGRIND\\Linux_Admins ALL=(ALL) ALL

In this example, we are adding a line to /etc/sudoers with the UNC name of the domain and group. For this instance, we are allowing the "Linux_Admins" group from the domain "VIRTUALGRIND" full sudo access. Remember to make this change with the visudo command, which checks the file's syntax before saving, rather than editing the file directly with something like pico or vi.
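To review which Active Directory groups hold sudo rights after edits like the one above, the following added example (not part of the original post) parses sudoers text for %DOMAIN\\group entries and reports whether each grant is unrestricted. The sample input is constructed, and the SSH^Users and Backup_Ops rules in it are hypothetical.

```shell
#!/bin/sh
# Added example: audit sudoers text for Active Directory group grants
# written in the %DOMAIN\\group form. Reads sudoers content on stdin.

# Constructed sample input; only the Linux_Admins grant mirrors the post.
sample_sudoers() {
cat <<'EOF'
# constructed sample
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%VIRTUALGRIND\\Linux_Admins ALL=(ALL)ALL
%VIRTUALGRIND\\SSH^Users ALL=(root) /usr/sbin/service ssh restart
%VIRTUALGRIND\\Backup_Ops ALL=(ALL) NOPASSWD: ALL
EOF
}

# Prints per AD group: DOMAIN\group runas=<who> FULL|limited password|nopasswd
audit_ad_sudoers() {
    awk '
    /^[ \t]*#/ { next }                        # comments
    substr($1, 1, 1) != "%" { next }           # only group entries
    {
        i = index($1, "\\\\")                  # the escaped domain separator
        if (i == 0) next                       # local group, not DOMAIN\\group
        domain = substr($1, 2, i - 2)
        grp = substr($1, i + 2)

        spec = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)  # drop the group field
        rhs = substr(spec, index(spec, "=") + 1)
        sub(/^[ \t]+/, "", rhs)

        runas = "root"                         # sudoers default without (...)
        if (substr(rhs, 1, 1) == "(") {
            rp = index(rhs, ")")
            runas = substr(rhs, 2, rp - 2)
            rhs = substr(rhs, rp + 1)
            sub(/^[ \t]+/, "", rhs)
        }
        auth = (rhs ~ /^NOPASSWD:/) ? "nopasswd" : "password"
        sub(/^[A-Z_]+:[ \t]*/, "", rhs)        # strip a leading tag
        level = (rhs == "ALL") ? "FULL" : "limited"
        print domain "\\" grp, "runas=" runas, level, auth
    }'
}

sample_sudoers | audit_ad_sudoers
# On a real host (as root): audit_ad_sudoers < /etc/sudoers
```

Any line reported as FULL, and especially FULL with nopasswd, means every member of that AD group is effectively root on the machine, so membership of those groups deserves the same review as local root access.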

9 Oct 2012

Restarting DRAC Interface

I recently ran into a few situations where the DRAC web interface was acting funny.

In one event, when I would log in to the DRAC web interface, despite having the correct username and password, the web interface would just bring me back to the main login page. The second scenario would let me into the main DRAC admin page, but I could not launch a remote console.

Anyway, there is a very simple fix. Simply SSH into your DRAC IP address with the same username and password you use to access the web interface. Once you SSH in, you will be at the main DRAC admin prompt. To reset DRAC and NOT lose any settings, simply enter the command:

racadm racreset soft

23 Apr 2012

VMware vExpert 2012

I am honored to be chosen as a VMware vExpert for 2012. To find out more about the vExpert program, check it out here:

http://communities.vmware.com/vexpert.jspa

Justin Giardina vExpert


17 Mar 2012

Forcing VMware Tools To Cancel

I have run into a few occasions recently where a customer will initiate a VMware Tools install via vCD and not complete the installer. If this virtual machine needs to be moved in vCenter due to something like HA, DRS, etc., vCenter will report that the machine cannot migrate because the .iso that is mounted to the virtual machine cannot unmount.

Fortunately, there is an easy way to cancel the install using vim-cmd:

First, you can get the list of all VMs on your host with the following command:

vim-cmd vmsvc/getallvms

You will see that each VM is identified with a number, which is the VM ID. To cancel the tools install, simply use vim-cmd again with the vm number you found above:

vim-cmd vmsvc/tools.cancelinstall (number from above)

or

vim-cmd vmsvc/tools.cancelinstall 777

21 Feb 2012

Clearing Equallogic Lost Raid Blocks

When there are issues with a lost block condition on a RAID volume on an Equallogic member, you may receive a "RAIDset lost blocks error" via the Group Manager or via an email/smtp message.

To get more info on the lost block(s), simply SSH into an IP address of the member with the error and issue the following command:

su exec 'raidtool'

Look for an error similar to *!! RAID LUN contains 8 lost blocks. !!* in the output:

RAID LUN 1 Ok.
*!! RAID LUN contains 8 lost blocks. !!*
(raidtool -W 1) clears blocks.
(raidtool -w 1) lists blocks.
14 Drives (14,15,16,46,18,19,20,21,22,23,24,25,26,27)
RAID 50 (64KB sectPerSU)
Capacity 23,489,351,516,160 bytes

In this example, we see that LUN 1 contains 8 bad blocks. To list the bad blocks, we will use the -w switch (followed by the LUN number) in the raidtool utility, and to clear the lost blocks, we will use the -W switch (followed by the LUN number). Note that the two switches differ only in case.

List bad blocks:

su exec 'raidtool -w 1'

Clear bad blocks:

su exec 'raidtool -W 1'

19 Feb 2012

Manually Remove vCloud Director Agent From Hosts

I recently ran into an issue in a lab where I had to manually remove the vCD agent from an ESXi host. The command to manually do this on an ESXi5 host is:

esxcli software vib remove -n vcloud-agent

Note that this is vCloud Director 1.5.

8 Oct 2011

Using vim-cmd to Power On and Power Off Virtual Machines

To get a list of all virtual machines on a host:

vim-cmd vmsvc/getallvms

To power on a specific virtual machine (from above):

vim-cmd vmsvc/power.on vmnumber

To power off a specific virtual machine (from above):

vim-cmd vmsvc/power.off vmnumber

3 Oct 2011

Unable to Create or Restart Networks After vCloud Director Upgrade to 1.5

I recently ran into an issue with a vCloud Director upgrade. After the vCD cells and database were upgraded, I had to upgrade the existing vShield Manager to version 5. The update is simple: you basically provide an upgrade package (in .tgz format) via the vShield Manager UI. From here, the software uploads, installs, reboots, etc. Please note that this process takes a few minutes, and the UI is not the best at letting you know exactly what is going on. I simply opened the console to the vShield Manager to watch the progress.

After rebooting, everything seemed okay, but I noticed that when I tried to create new networks or reset existing networks, the process failed. I kept getting the following message in vCD:

Cannot create vShield Edge Device for network: [Unique ID Number].
- edge error: Creating/configuring the VR failed: vShield Edge Device on network: [Unique ID Number] is not ready for initialization after 180 seconds.

After digging around a bit, it seems that even though the vSM upgrade went well, the version change was not recorded in the vCD database. This was confirmed as a bug with VMware Engineering and the workaround is very simple. Simply log in to vCD as an administrator, go to the Manage & Monitor tab, highlight the vCenter server in question, right click, and choose Properties. From there, choose the vShield Manager tab and re-enter only the username that is specified. Once you clear out and re-enter only the username, click OK.

You can see my response on this issue here:

Unable to create or reset networks in vCD 1.5 after upgrade from 1.0

8 Sep 2011

Restarting vShield Manager Web Interface

Sometimes vCD cells lose connectivity to vShield Manager. Instead of rebooting the vShield Manager virtual machine, the web service of vShield Manager can simply be restarted.

To accomplish this, you can open the console of your vShield Manager virtual machine, log in, and enter enable mode. From there, enter configure mode and issue the command "no web-manager" and then "web-manager".

manager# configure terminal
manager(config)# no web-manager
manager(config)# web-manager

This will restart the web interface and hopefully clear any web service connectivity issues.