Re: ESXi 6.5U1 vulnerability to Spectre with unpatched BIOS

January 23, 2018, 5:48 am

Latest and popular articles on VMWare Virtualization

≪ Previous: Re: Configured scratch location doesn't work after upgrade to ESXi 6.5

The performance mitigation for Meltdown relies on the Process Context Identifier (PCID) feature on the Translation Lookaside Buffer (TLB) and the INVPCID (INValidate PCID) instruction.

The performance hit is due to the TLB being flushed out for every process context switch. With the INVPCID instruction, the OS/hypervisor can request TLB entries to be cleared for a specific process ID only. So it depends also whether the OS or hypervisor is able to take advantage of PCID and INVPCID.

PCID feature was introduced with Westmere generation CPU.

INVPCID instruction was introduced on the Haswell generation. The INVPCID is used to clear out TLB entries of a specific PCID otherwise the entire TLB needs to be flushed out.

For a Windows 10 version 1709 VM on Workstation 12.5.9 on a Skylake CPU, if I mask out the INVPCID capability from the CPU (CPUID leaf 7 EBX bit 10), the Windows 10 VM Get-SpeculationControlSettings Powershell will report "Windows OS support for PCID performance optimization is enabled" as False. So it would appear to have full PCID performance mitigation in Windows 10 OS, Haswell and later CPU is required as it relies on INVPCID instruction.

I don't know if earlier pre-Haswell Windows such as Windows 7 is capable of using INVPCID.

As for BIOS/EFI update against Spectre, looks like Intel is working on another fix after the reports of systems rebooting.

I doubt if the Skylake CPU laptop I have will also have any firmware update against Spectre, too.

But the way I look at it is that the risk of a Spectre attack so far is low (although it may not remain so in the coming years). It is a bit like you know it is inherently risky to cross the road but that shouldn't stop people from crossing the road. But the same tme I wouldn't also be crazy to cross a highway with fast moving vehicles.

As for an ESXi, I think Spectre/Meltdown risk is if a VM has an exploit and then start to jump to other VMs or to the hypervisor itself. But unless the VMs inside the ESXi is out of your control (such as many users visiting dubious websites and inadvertantly getting malware exploits planted inside the VM), or the VM is used for a public cloud with tenant VMs (which could be the avenue to get exploits in without your knowledge), you just need to practice safe computing.

But I think the computing world will have Spectre/Meltdown risk hanging over for a number of years; with or without BIOS/EFI updates.

↧

ESXi 6.5 syslog level options

January 23, 2018, 6:33 am

Latest and popular articles on VMWare Virtualization

≫ Next: Reload new ssl certificate without reboot

≪ Previous: Re: ESXi 6.5U1 vulnerability to Spectre with unpatched BIOS

possible to modify remote syslog properties on the host to filter out low priority entries?

VCSA has a nice 'Common Log Level' function to perform this task but ESXi hosts do not.

↧

Reload new ssl certificate without reboot

January 23, 2018, 6:41 am

Latest and popular articles on VMWare Virtualization

≫ Next: Re: ESXi 6.5 syslog level options

≪ Previous: ESXi 6.5 syslog level options

I use let's encrypt ssl certificates on ESXi 6.5 (ESXi-6.5.0-20170702001-standard) and it has been working well. Every few weeks when the certificates expire I just copied the new certificates to /etc/vmware/ssl/rui.{crt,key} and ran

/sbin/services.sh restart

That reloaded the certificates and everything was OK.

Not I have updated to ESXi-6.5.0-20171204001-standard (Build 7388607) and I cannot get ESXi to reload the certificates. Any ideas what is going wrong? How can I reload the certificates without rebooting the whole machine?

[root@vmwsrv1:~] services.sh restart &tail -f /var/log/jumpstart-stdout.log

2018-01-22T10:43:30.955Z| executing start plugin: lacp

2018-01-22T10:43:31.158Z| executing start plugin: memscrubd

2018-01-22T10:43:31.359Z| executing start plugin: smartd

2018-01-22T10:43:31.562Z| executing start plugin: vpxa

2018-01-22T10:43:31.765Z| executing start plugin: sfcbd-watchdog

2018-01-22T10:43:32.976Z| executing start plugin: wsman

2018-01-22T10:43:33.583Z| executing start plugin: snmpd

2018-01-22T10:43:33.986Z| Jumpstart failed to start: snmpd reason: Execution of command: /etc/init.d/snmpd start failed with status: 1

2018-01-22T10:43:33.986Z| executing start plugin: xorg

2018-01-22T10:43:34.391Z| executing start plugin: vmtoolsd

2018-01-23T14:39:01.265Z| executing stop for daemon xorg.

2018-01-23T14:39:01.468Z| Jumpstart failed to stop: xorg reason: Execution of command: /etc/init.d/xorg stop failed with status: 3

2018-01-23T14:39:01.468Z| executing stop for daemon vmsyslogd.

2018-01-23T14:39:01.671Z| Jumpstart failed to stop: vmsyslogd reason: Execution of command: /etc/init.d/vmsyslogd stop failed with status: 1

2018-01-23T14:39:01.671Z| executing stop for daemon vmtoolsd.

2018-01-23T14:39:01.872Z| Jumpstart failed to stop: vmtoolsd reason: Execution of command: /etc/init.d/vmtoolsd stop failed with status: 1

2018-01-23T14:39:01.872Z| executing stop for daemon wsman.

2018-01-23T14:39:02.478Z| executing stop for daemon snmpd.

2018-01-23T14:39:02.884Z| executing stop for daemon sfcbd-watchdog.

2018-01-23T14:39:06.517Z| executing stop for daemon vpxa.

2018-01-23T14:39:06.718Z| executing stop for daemon vobd.

2018-01-23T14:39:06.921Z| executing stop for daemon dcbd.

2018-01-23T14:39:07.124Z| executing stop for daemon cdp.

2018-01-23T14:39:07.325Z| executing stop for daemon nscd.

2018-01-23T14:39:07.528Z| executing stop for daemon lacp.

2018-01-23T14:39:07.731Z| executing stop for daemon memscrubd.

2018-01-23T14:39:07.934Z| Jumpstart failed to stop: memscrubd reason: Execution of command: /etc/init.d/memscrubd stop failed with status: 3

2018-01-23T14:39:07.934Z| executing stop for daemon smartd.

2018-01-23T14:39:08.136Z| executing stop for daemon slpd.

2018-01-23T14:39:08.337Z| executing stop for daemon sdrsInjector.

2018-01-23T14:39:08.540Z| executing stop for daemon storageRM.

2018-01-23T14:39:08.743Z| executing stop for daemon vvold.

2018-01-23T14:39:08.945Z| Jumpstart failed to stop: vvold reason: Execution of command: /etc/init.d/vvold stop failed with status: 3

2018-01-23T14:39:08.945Z| executing stop for daemon hostdCgiServer.

2018-01-23T14:39:09.149Z| executing stop for daemon sensord.

2018-01-23T14:39:09.352Z| executing stop for daemon lbtd.

2018-01-23T14:39:09.554Z| executing stop for daemon hostd.

2018-01-23T14:39:09.755Z| executing stop for daemon rhttpproxy.

2018-01-23T14:39:09.958Z| executing stop for daemon nfcd.

2018-01-23T14:39:10.161Z| executing stop for daemon vmfstraced.

2018-01-23T14:39:10.564Z| executing stop for daemon rabbitmqproxy.

2018-01-23T14:39:10.767Z| executing stop for daemon esxui.

2018-01-23T14:39:10.970Z| executing stop for daemon usbarbitrator.

2018-01-23T14:39:11.173Z| executing stop for daemon iofilterd-spm.

2018-01-23T14:39:11.376Z| executing stop for daemon swapobjd.

2018-01-23T14:39:11.781Z| executing stop for daemon iofilterd-vmwarevmcrypt.

2018-01-23T14:39:11.985Z| executing stop for daemon SSH.

2018-01-23T14:39:12.188Z| executing stop for daemon DCUI.

Errors:

Invalid operation requested: This ruleset is required and connot be disabled

2018-01-23T14:39:12.391Z| executing stop for daemon ntpd.

2018-01-23T14:39:14.549Z| executing start plugin: SSH

2018-01-23T14:39:14.752Z| executing start plugin: DCUI

2018-01-23T14:39:14.955Z| executing start plugin: ntpd

2018-01-23T14:39:15.358Z| executing start plugin: esxui

2018-01-23T14:39:15.965Z| executing start plugin: usbarbitrator

2018-01-23T14:39:16.774Z| executing start plugin: iofilterd-spm

2018-01-23T14:39:17.177Z| executing start plugin: swapobjd

2018-01-23T14:39:17.580Z| executing start plugin: iofilterd-vmwarevmcrypt

2018-01-23T14:39:17.985Z| executing start plugin: sdrsInjector

2018-01-23T14:39:18.188Z| executing start plugin: storageRM

2018-01-23T14:39:18.392Z| executing start plugin: vvold

2018-01-23T14:39:20.204Z| executing start plugin: hostdCgiServer

2018-01-23T14:39:20.407Z| executing start plugin: sensord

2018-01-23T14:39:20.813Z| executing start plugin: lbtd

2018-01-23T14:39:21.017Z| executing start plugin: hostd

2018-01-23T14:39:21.824Z| executing start plugin: rhttpproxy

2018-01-23T14:39:22.228Z| executing start plugin: nfcd

2018-01-23T14:39:22.429Z| executing start plugin: vmfstraced

2018-01-23T14:39:22.632Z| executing start plugin: rabbitmqproxy

2018-01-23T14:39:23.438Z| executing start plugin: slpd

2018-01-23T14:39:23.639Z| executing start plugin: dcbd

2018-01-23T14:39:23.842Z| executing start plugin: cdp

2018-01-23T14:39:24.045Z| executing start plugin: nscd

2018-01-23T14:39:24.246Z| executing start plugin: lacp

2018-01-23T14:39:24.448Z| executing start plugin: memscrubd

2018-01-23T14:39:24.651Z| executing start plugin: smartd

2018-01-23T14:39:24.854Z| executing start plugin: vpxa

2018-01-23T14:39:25.058Z| executing start plugin: sfcbd-watchdog

2018-01-23T14:39:26.267Z| executing start plugin: wsman

2018-01-23T14:39:26.872Z| executing start plugin: snmpd

2018-01-23T14:39:27.276Z| Jumpstart failed to start: snmpd reason: Execution of command: /etc/init.d/snmpd start failed with status: 1

2018-01-23T14:39:27.276Z| executing start plugin: xorg

2018-01-23T14:39:27.680Z| executing start plugin: vmtoolsd

↧

Re: ESXi 6.5 syslog level options

January 23, 2018, 6:41 am

Latest and popular articles on VMWare Virtualization

≫ Next: Re: AMD Ryzen для исполнения ESXi, Workstation

≪ Previous: Reload new ssl certificate without reboot

I believe all logs are configured by default to log minimum amount of informaion.

At least you can increase logging level using instruction VMware Knowledge Base

↧

Re: AMD Ryzen для исполнения ESXi, Workstation

January 23, 2018, 6:45 am

Latest and popular articles on VMWare Virtualization

≫ Next: Re: Reload new ssl certificate without reboot

≪ Previous: Re: ESXi 6.5 syslog level options

Добрый день!

1. Поскольку процессор официально не значится в списке совместимых, то могут быть проблемы.

В интернете есть упоминания о том, что у кого-то с AMD Ryzen ESXi работает. Например AMD Ryzen "Working" with VMware ESXi 6.5 to an extent

Тем не менее помимо процессора вам надо иметь работающий дисковый контроллер, чтобы ESXi видел жесткие диски для размещения виртуальных машин и совместимый сетевой адаптер, под который есть драйверы для ESXi.

2. Workstation должен работать.

↧

Re: Reload new ssl certificate without reboot

January 23, 2018, 7:11 am

Latest and popular articles on VMWare Virtualization

≫ Next: Re: Reload new ssl certificate without reboot

≪ Previous: Re: AMD Ryzen для исполнения ESXi, Workstation

You need to put the new certificates on the ESXi 6.5 and restart management agents -> not required to start services.sh

Once the management agents are restarted, pls connect to the ESXi host via browser and identify which certificate it is pulling now..

Thanks,

↧

Re: Reload new ssl certificate without reboot

January 23, 2018, 7:46 am

Latest and popular articles on VMWare Virtualization

≫ Next: Redimensionar Arquivos vmdk

≪ Previous: Re: Reload new ssl certificate without reboot

I once again checked all possibilities of reloading the certificates - still not working.

Rebooted the server - certificate is still old.

Found the error on my side: the script that copied the certificate to ESXi followed the wrong symlink and uploaded an old certificate.

Sorry for the noise, that was completely my fault.

Thanks for your help!

↧

Redimensionar Arquivos vmdk

January 23, 2018, 8:50 am

Latest and popular articles on VMWare Virtualization

≫ Next: Reset Password root host ESXI 6.5

≪ Previous: Re: Reload new ssl certificate without reboot

Olá pessoal, preciso mudar uma VM de Host mas o arquivo vmdk esta muito grande, provisionado 410 Gb e utilizado apenas 110 Gb.

Trabalho com vSphere 5.0.0.

Abracos

↧

Reset Password root host ESXI 6.5

January 23, 2018, 11:13 am

Latest and popular articles on VMWare Virtualization

≫ Next: Re: Reset Password root host ESXI 6.5

≪ Previous: Redimensionar Arquivos vmdk

Hello guys
I need to reset the root password of an esxi host. I tried to live cd but the raid virtual disk is not recognized. I have configured Array 1 + 0
My hardware is an HP DL160
ESXI 6.5
Any other way to do this?

↧

Re: Reset Password root host ESXI 6.5

January 23, 2018, 12:08 pm

Latest and popular articles on VMWare Virtualization

≫ Next: Re: Reset Password root host ESXI 6.5

≪ Previous: Reset Password root host ESXI 6.5

From VMware Knowledge Base

ESXi 3.5, ESXi 4.x, ESXi 5.x and ESXi 6.x

Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode.

and have you read this ? => how to reset root password

↧

Re: Reset Password root host ESXI 6.5

January 23, 2018, 12:18 pm

Latest and popular articles on VMWare Virtualization

≫ Next: error codes 30

≪ Previous: Re: Reset Password root host ESXI 6.5

In my lab I followed the following steps:

How to Reset Forgotten VMware ESXi Root Password with Ubuntu Live CD

However, in the server in question I need to reset the password has arry raid 1 + 0, and when starting the server via live cd, it does not present virtual disk

↧

error codes 30

January 23, 2018, 12:32 pm

Latest and popular articles on VMWare Virtualization

≫ Next: Re: error codes 30

≪ Previous: Re: Reset Password root host ESXI 6.5

have been expressing an error, while patching hosts an specific cluster "The host returns esxupdate error codes:30. Check the update Manager log files and esxupdate log files for more details". checked for all possibilities from the web but no luck. Please refer some stuff in fixing this.

↧

Re: error codes 30

January 23, 2018, 1:04 pm

Latest and popular articles on VMWare Virtualization

≫ Next: Re: error codes 30

≪ Previous: error codes 30

reboot host then patch

↧

Re: error codes 30

January 23, 2018, 1:12 pm

Latest and popular articles on VMWare Virtualization

≫ Next: Re: Reset Password root host ESXI 6.5

≪ Previous: Re: error codes 30

Hi Rajeev,

did the same thing still not working, disconnected and connected the host also not use.

↧

Re: Reset Password root host ESXI 6.5

January 23, 2018, 1:25 pm

Latest and popular articles on VMWare Virtualization

≫ Next: Data store lost after update

≪ Previous: Re: error codes 30

is ESXI host is part of vcenter and you have domain.

have done below step to recover the root password.

Step 1: Connect to host through vCenter server,Need to click on the Configuration Tab. Then select the “Advanced Services” selection from the Software box on the lower left. Then you click on the “Properties” link that is shown in the picture below.

Step-2

Go to Directory Services Configuration window that is shown below. In the select “Service Type” drop down you will need to select “Active Directory”. The in the Domain field We need to type in the name of our domain that we will be connecting to. Next step is to click the “Join Domain” button and We will be presented with an authentication window shown in the next step.

Step 3: In this part We need to enter in credentials that will allow us to connect and join the ESXi Host to the domain. We can enter our credentials in the format listed below (Domainuser) or use this format ( administrator@test.com).

Step 4: After successfully entering our logon ID our ESXi host is added to the Domain. We can see from the image below our host was added to the default computer container since I did not specify another OU for them to be placed into.

Step-5

Now try to login through our Domain credentials .

Step6

We will reset the "Root" password.

Once you reset the password than remove the server from domain.

I have tested and it is working for me ....

↧

Data store lost after update

January 23, 2018, 2:31 pm

Latest and popular articles on VMWare Virtualization

≫ Next: Re: error codes 30

≪ Previous: Re: Reset Password root host ESXI 6.5

Dear All,

after installing the latest update 6.5.0 Update 1 (Build 7526125) we lost one data store.

we have 3 data stores which were mounted SSD/DATA/Replica

Now we detect only SSD/DATA after we rescan the ESXI doesn't detect the 3rd Data store.

Any suggestions why guys this not detected ?

↧

Re: error codes 30

January 23, 2018, 3:14 pm

Latest and popular articles on VMWare Virtualization

≫ Next: Re: error codes 30

≪ Previous: Data store lost after update

Update error 30 is related to bootbank not found

If you can go to vmkernel.log and check for bootbank keywords, it might help if you encounter same issue. You can also check if the bootbank is accessible by cd /bootbank

I have seen this with SD cards losing connectivity

If you are using local harddrive, try to update the BIOS/driver/firmware for your localdrive

thanks,

↧