Why not? This is a 24 player Team Fortress 2 dedicated server running on Windows Server 2003 on top of VMware ESX 3.5.0 Update 3.
Click on the image below for a larger version:
One month CPU utilization averages:
Lostcreations, an Austin-based software company which specializes in .NET and Java solutions for the heterogeneous virtualization sector of IT, has released beta version 1 of a product they are calling Virtualization Manager Mobile (VMM).
While the product is new, the concept is not: Remote monitoring and management of your datacenter when you’re at the beach (or wherever remote management is inconvenient using traditional tools like laptops and WiFi). It’s done through a hand held device having a web browser.
Beta 1 has the ability to monitor virtual machine CPU and memory utilization, as well as stop, start, suspend, and reset the VM. The product currently supports VI3, and VMware Server 2. Expect many new features in future versions including support for Hyper-V and XenServer 5 as well as the ability to develop your own plug-ins to extend other hypervisors.
The technology behind the tool includes AJAX and the Google Web Toolkit and the application back end installs on Windows, Linux, and OS X. Lostcreations even provides a live demo to see the tool in action first hand!
After a decade of talking about it, we’re finally getting there!
Good morning! I’d like to take the opportunity to talk a bit about something that has been somewhat of a rock in my shoe as a seasoned Windows administrator from the NT 3.5 era: The VirtualCenter (vCenter Server, VirtualCenter Management Server, VCMS, VC, etc.) security model, or more accurately, its unfamiliar mechanics that can catch Windows administrators off guard and leave them scratching their heads.
Tip #1: The VCMS security model revolves around privileges, roles, and objects. The more than 100 privileges define rights, roles are a collection of privileges, and roles are assigned to objects which are entities in the virtual infrastructure as shown in the diagram borrowed below:
Windows administrators will be used to the concept of assigning NTFS permissions to files, folders, and other objects in Active Directory. It is very common for Windows objects to contain more than one Access Control Entry (ACE) which can be a group (such as “Accounting”, “Marketing”, etc.) or an explicit user (such as “Bob”, Sally”, etc.) The same holds true for assigning roles to object in VC.
In some instances, which are not uncommon at all, a user may be granted permission to an object by way of more than one ACE. For example, if both the Accounting and Marketing groups were assigned rights, and Sally was a member of both those groups, Sally would have rights to the object through both of those groups. Using this same example, if the two ACEs defined different permissions to an object, the end result is a cumulative, so long as the ACE doesn’t contain “deny” which is special: Sally would have the combined set of permissions. The same holds true in VC.
Let’s take the above example a step further. In addition to the two groups, which Sally is a member of, being ACLd to an object, now let’s say Sally’s user account object itself is an explicit ACE in the ACL list. In the Windows world, the effect is Sally’s rights are still cumulative combining the three ACEs. This is where the fork in the road lies in the VirtualCenter security model. Roles explicitly assigned to a user object trump all other assigned or inherited permissions to the same object. If the explicit ACE defines less permissions, the effective result is Sally will have less permissions than what her group membership would have provided. If the explicit ACE defines more permissions, the effective result is Sally will have more permissions than what her group membership would have provided. This is where Windows based VC administrators will be dumbfounded when a user suddenly calls with tales of things gray’d out in VirtualCenter, not enough permissions, etc. Of course the flip side of the coin is a junior administrator suddenly finds themselves with cool new options in VC. “Let’s see what this datastore button does”
Moral of the story from a real world perspective: Assigning explicit permissions to user accounts in VC without careful planning will yield somewhat unpredictable results when inheritance is enabled (which is typical). To take this to extremes, assigning explicit permissions to user accounts in VC, especially where inheritance in the VC hierarchy is involved, is a security and uptime risk when a user ends up with the wrong permissions accidentally. For security and consistency purposes, I would avoid assigning permissions explicitly to user accounts unless you have a very clear understanding of the impacts currently and down the road.
Tip #2: Beware the use of the built in role Virtual Machine Administrator. It’s name is misleading and the permissions it has are downright scary and not much different than the built in Administrator role. For instance, the Virtual Machine Administrator role: can modify VC and ESX host licensing, has complete control over the VC folder structure, has complete control over Datacenter objects, has complete control over datastores (short of file management), can remove networks, has complete control over inventory items such as hosts and clusters. This list goes on and on. I have three words: What The Hell?! I don’t know – the way my brain works is those permissions stretch well beyond the boundaries of what I would delegate for a Virtual Machine Administrator.
Moral of the story from a real world perspective: Use the Virtual Machine Administrator role with extreme caution. There is little disparity between the Administrator role and the Virtual Machine Administrator role, minus some items for Update Manager and changing VC permissions themselves. Therefore, any user who has the Virtual Machine Administrator role is practically an administrator. The Virtual Machine Administrator role should not be used unless you have delegations that would fit this role precisely. Another option would be clone the role and strip some of the more datacenter impactful permissions out of it.
Tip #3: Audit your effective VirtualCenter permissions on a regular basis, especially if you have large implementation with many administrators “having their hands in the cookie jar” so to speak. If you use groups to assign roles in VC, then that means you should be auditing these groups as well (above and beyond virtualization conversations, administrative level groups should be audited anyway as a best practice). This whitepaper has a nice Perl script for dumping VirtualCenter roles and permissions using the VMware Infrastructure Perl Toolkit. Use of the script will automate the auditing process quite a bit and help transform a lengthy mundane task into a quicker one. While you’re at it, it wouldn’t be a bad idea to periodically check tasks and events to see who is doing what. There should be no surprises there.
Moral of the story from a real world perspective: Audit your VirtualCenter roles and permissions. When an unexpected datacenter disaster occurs from users having elevated privileges, one of the first questions to be asked in the post mortem meeting will be what your audit process is. Have a good answer prepared. Even better, avoid the disaster and down time through the due diligence of auditing your virtual infrastructure security.
For more information about VirtualCenter security, check out this great white paper or download the .pdf version from this link. Some of the information I posted above I gathered from this document. The white paper was written by Charu Chaubal, a technical marketing manager at VMware and Ph.D. in numerical modeling of complex fluids, with contributions from Doug Clark, and Karl Rummelhart.
If VirtualCenter security talk really gets your juices flowing, you should check out a new podcast launched by well known and respected VMTN community member/moderator and book author Edward Haletky that starts today called Virtualization Security Round Table. It is sure to be good!
The future of the enterprise datacenter is cloud computing. So check this out:
“CloudCamp is an unconference where early adapters of Cloud Computing technologies exchange ideas. With the rapid change occurring in the industry, we need a place we can meet to share our experiences, challenges and solutions. At CloudCamp, you are encouraged you to share your thoughts in several open discussions, as we strive for the advancement of Cloud Computing. End users, IT professionals and vendors are all encouraged to participate.
Our first event in the Twin Cities area will be held Saturday, April 18th at the University of Minnesota.”
Registration is free but there is very limited availability (about 87 tickets left as I write this).
This evening, VMware announced a new community award called VMware vExpert!
“The VMware vExpert Awards will be given to individuals who have significantly contributed to the overall community of VMware users over the past year, either online or offline. You might be contributing online to blogs, forums, wikis, or other online sites. You might be organizing VMUG meetings or otherwise getting the word out to local IT professionals. You’re helping spread the word about virtualization and making people successful in deploying this game-changing technology. We want to thank you.”
Although VMware doesn’t prefer the comparison to be made, the program is somewhat similar to the Microsoft MVP program in that it is annually renewable, provides access to exclusive VMware content, and above all provides recognition among peers for hard work.
The nomination form is available. Go ahead and nominate yourself or someone you know who has dedicated much of their time helping VMware become successful.
Nominate someone today!
If by chance you are interested in nominating me,
my email address is jason@boche.net
my VMware communities username is jasonboche.
I’m currently reading chapters of the VMware Infrastructure 3 Advanced Technical Design Guide in my spare time and I came across their recommended ESX partitioning strategy. I’d like to think I’ve got a pretty good handle on ESX partitioning. I’m quite comfortable with it, and thus normally I would breeze quickly through partitioning documentation, verifying along the way that my partitioning was still on par.
My partitioning scheme was still looking good until I came across a new recommendation of creating a dedicated /opt partition. This is something I hadn’t done before. Under normal circumstances without a dedicated /opt partition, /opt is going to be a directory off / (root). Why is this not the greatest idea? I was enlightened by the fact that some VMware HA logging as well as some hardware agent logging is stored in /opt. There are enough posts on the VMTN forums describing situations where excessive logging on /opt chewed up all available partition space on / to warrant proactive measures. As we know, running out of disk space on / is less than ideal and that’s putting it mildly.
Solution: When building the ESX host, create a dedicated partition for /opt.
Now I’ll be honest, I’ve never run into a situation of excessive logging on /opt, but this is one of those strategies that falls into the category of “an ounce of prevention is worth a pound of cure”. Learn from the experiences of other VI administrators who I’m sure suffered some downtime as a result. Don’t wait for this happen to you when it doesn’t need to. The ESX host and its health is critical for datacenter and production operations. When the ESX host isn’t happy, the VMs running on it usually aren’t happy either.
That said, here is my updated partitioning scheme for ESX 3.5.0.
Create the following partitions in the following order:
| Mount Point | Type | Size | Primary? | Notes |
| /boot | ext3 | 250MB | Yes | The default from VMware is 97MB. When we migrated from ESX 2.x to ESX 3.x the partition size grew from 50MB to nearly 100MB. I came up with 250MB to leave breathing room for future versions of ESX which may need an even larger /boot partition. This is all a moot point because I don’t do in place upgrades. I rebuild with new versions. |
| <swap> | 1600MB | Yes | Twice the maximum amount of allocatable service console memory. My COS memory allocation is 500MB but if I ever increase COS memory to the 800MB max in the future, I’ve already got enough swap for it without having to rebuild the box to repartition. | |
| / | ext3 | 4096MB | Yes | The default from VMware is 3.7GB. We want plenty of space for this mount point so that we do not suffer the serious consequences of running out. |
| /home | ext3 | 4096MB | Not really needed anymore except as home directory storage for local and the default from VMware is that this partition no longer is created. For me this is just a carryover from the old ESX days. And disk space is fairly cheap (unless booting from SAN). I’ll put this and other custom partitioning out to pasture when I convert to ESXi where we are force fed VMware’s recommended partitioning. | |
| /tmp | ext3 | 4096MB | The default from VMware is that it doesn’t exist, rather it creates the /tmp folder under the / mount point. This is not a great idea. VMware uses a small portion of /tmp for the installation of the VirtualCenter agent but my philosophy is we should have plenty of sandbox space in /tmp for the unpacking/untarring of 3rd party utils such as HP Systems Insight Manager agents. | |
| /var | ext3 | 4096MB | The default from VMware is 1.1GB and additionally VMware makes the mount point /var/log isolating this partition strictly for VMware logs. We want plenty of space for this mount point so that we do not suffer the serious consequences of running out. In addition, we want this to be a separate mount point so as not to risk the / mount point by consuming its file system space. VMware logs and other goodies are stored on this mount point. | |
| /opt | ext3 | 4096 | The default from VMware is that it doesn’t exist, rather it creates the /opt folder under the /mount point. We want enough space for this mount point so that we do not suffer the consequences of running out. In addition, we want this to be a separate mount point so as not to risk the / mount point by consuming its file system space. VMware HA logging and sometimes hardware agent logging are stored on this mount point. This is a VI3 ATDG recommendation. | |
| <vmkcore> | 110MB | The default from VMware is 100MB. I got the 110MB recommendation from Ron Oglesby in his RapidApp ESX Server 3.0 Quick Start Guide (this book is a gem by the way; my copy is worn down to the nub). Although I asked Ron, he never explained to me where he came up with 110MB but let’s just assume the extra 10MB is cushion “just in case”. This is the VMKernel core dump partition. The best case scenario is you rarely if ever have a use for this partition although it is required by ESX whether it’s used by a purple screen of death (PSOD) or not. | ||
| Leave the remaining space unpartitioned. This can be partitioned as VMFS-3 later using VirtualCenter for maximum block alignment. |
New readers of my blog may not be aware of Hyper9 and their Google-like Hyper9 VI insight and infiltration product that is being diligently tested in a controlled beta program.
Hyper9 is back from their brief holiday slumber and has announced that they would like to widen their audience of beta testers. This is your opportunity to provide feedback and request features of a hot new product that is a pioneer in VI management tools. If you are interested in joining the beta program, please contact me.
There are a few guidelines and requirements to becoming full members of the Beta experience, and I hope you are able to meet these.
Beta Participant Minimum Environment Requirements
· (20) Virtual Machines
Additional Requirements
boche.net - VMware Virtualization Evangelist by Jason Boche is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.
© 2025 boche.net – VMware vEvangelist · Proudly powered by WordPress & Green Park 2 by Cordobo.
Valid XHTML 1.0 Transitional | Valid CSS 3
