vCenter 2.5 Update 5 released

VMware released vCenter 2.5 Update 5. The release notes state:

VirtualCenter 2.5 Update 5 includes significant performance and scalability improvements to VMware HA. Use VirtualCenter 2.5 Update 5 for environments with more than 35 virtual machines per host in an HA cluster.
For information on the ESX Server host settings required for this scalability improvement, see ESX Server host settings required for environments with up to 80 virtual machines per host in an HA Cluster (KB 1012002).

KB 1012002 states that with vCenter 2.5 Update 5 an ESX host in an HA cluster can support up to 80 VMs. The article continues with the specific ESX settings that are needed: “RunningVCpuLimit” needs to be set to 192, the Service Console memory needs to be raised to 512MB, and the Host Agent (hostd) memory settings in /etc/vmware/hostd/config.xml need to be increased. Note that the ESX host will need to be restarted after changing the Service Console memory allocation.

In addition to the HA change, the release adds new http connection timeout settings:

A new advanced setting entry vpxd.httpClientIdleTimeout can be used to configure the timeout value for an idle HTTP connection. The default value for this entry is 15 minutes (900 seconds), ensuring that the VirtualCenter Server closes the idle HTTP connection after the connection has been idle for 15 minutes. If a firewall session timeout value is set to less than 15 minutes, the value for vpxd.httpClientIdleTimeout should be changed to be smaller than the firewall’s timeout value.

No updates to the vCenter Enterprise Converter or Update Manager plug-ins have been made.

New ESX 3.5 patches for June released

VMware released 7 patches for ESX 3.5 including:

VMware ESX 3.5, Patch ESX350-200906401-BG : Updates vmkctl and vmkernel RPMs

Issues fixed in this patch (and their relevant symptoms, if applicable) include:

  • When you power on virtual machines on ESX 3.5 hosts, many inactive VMFS volumes are opened in addition to the VMFS volume containing the virtual machine disk files. This might cause the virtual machines to take more time to boot. In a cluster environment, this issue might also cause VMotion operations to timeout on the destination host. This fix ensures that only the VMFS volumes on which the virtual machines reside are opened.
  • While performing a host rescan on ESXi, the host and virtual machines might stop responding till the end of the rescan operation. During this time, connections to virtual machines are lost, including SSH, client connections, and communication to other clustered storage modules. The virtual machines start responding after the rescan operation is completed.
  • Excessive cold migration of virtual machines between ESX hosts might cause ESX hosts to be disconnected from vCenter Server due to a memory leak on the host agent (hostd).

Critical update. Host reboot required.

VMware ESX 3.5, Patch ESX350-200906402-BG: Updates NetXen Driver

This patch fixes a NetXen driver issue where the ESX 3.5 host or a virtual machine might lose network connectivity or become unstable when using a NetXen NX2031 device.

Critical Update. Host reboot required.

VMware ESX 3.5, Patch ESX350-200906403-BG: Updates Kernel Source and kernel-vmnix RPMs

This patch upgrades kernel-source and kernel-vmnix to support the bnx2x and NetXen software driver updates, which fix the following issues:

  • When virtual machines are run with older versions of VMware Tools (ESX 3.0.x) on ESX 3.5 and ESXi 3.5 hosts containing bnx2x NICs, the virtual machines might experience a network outage…
    To work around this issue, upgrade the version of VMware Tools in the virtual machines.
  • A NetXen driver issue where the ESX 3.5 host or a virtual machine might lose network connectivity or become unstable when using a NetXen NX2031 device.

General Patch. Host reboot required.

VMware ESX 3.5, Patch ESX350-200906405-BG: Updates bnx2x Driver for Broadcom

Issues fixed in this patch (and their relevant symptoms, if applicable) include:

  • On Dell PowerEdge 11G servers installed with ESX 3.5, BCM57710 Mezzanine cards might lose network connectivity to the network switch.
  • When virtual machines are run with older versions of VMware Tools (ESX 3.0.x) on ESX 3.5 and ESXi 3.5 hosts containing bnx2x NICs, the virtual machines might experience a network outage…
    To work around this issue, upgrade the version of VMware Tools in the virtual machines.

Critical Patch. Host reboot required.

VMware ESX 3.5, Patch ESX350-200906406-BG: Updates VMware Tools

This patch adds prebuilt modules for Ubuntu 9.04 and fixes the following issue:

  • When a diskinfo query is run, VMware Tools installed on Solaris 10.x virtual machines reports incorrect virtual disk size information. Also, some Linux virtual machines do not report correct logical volume manager (LVM) partitions.

General Update. No host reboot is required.

VMware ESX 3.5, Patch ESX350-200906407-BG: Updates krb5-libs and pam_krb5

Issues fixed in this patch (and their relevant symptoms, if applicable) include:

  • Service Console package krb5 has been updated to version krb5-1.2.7-70. This fixes an input validation flaw that was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. The Common Vulnerabilities and Exposures Project has assigned the name CVE-2009-0846 to this issue.
  • The pam_krb5 package is upgraded to pam_krb5-1.81-1. This fixes an issue where a user authentication failure occurs under certain circumstances.
    For details on this issue, refer to the Red Hat advisory at https://rhn.redhat.com/errata/RHBA-2008-0813.html.

Security Update. Host reboot is required.

VMware ESX 3.5, Patch ESX350-200906408-BG: Updates VMX RPM

This patch fixes an issue where virtual machines that use the Virtual Machine Interface (VMI) might stop responding.

Critical Update. No host reboot is required.

Patches are available on the downloads page.
One of the locations where VMware lists updates is the VMware Knowledge Base Blog.

New VMware network technical papers published

Network Segmentation in Virtualized Environments

As virtualization becomes the standard infrastructure for server deployments, a growing number of organizations want to consolidate servers that belong to different trust zones. The demand is increasing for information to help network security professionals understand and mitigate the risks associated with this practice. This paper provides detailed descriptions of three different virtualized trust zone configurations and identifies best practice approaches that enable secure deployment.

DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch

This paper tackles the subject of DMZ security and virtualization. It covers a number of DMZ security requirements and scenarios, presenting how vSphere users can implement the Cisco Nexus 1000V virtual switch in a DMZ.

VMware Security Advisory 2009-0008

VMware has released security advisory VMSA-2009-0008. The advisory is for a vulnerability in an MIT Kerberos 5 package in the service console. The advisory explains:

An input validation flaw in the asn1_decode_generaltime function in MIT Kerberos 5 before 1.6.4 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service.
NOTE: ESX by default is unaffected by this issue; the daemons kadmind and krb5kdc are not installed in ESX.

The advisory goes on to state that all currently supported versions of ESX (not ESXi) are affected.
For ESX 3.5 the patch is: ESX 3.5.0 ESX350-200906407-SG
md5sum: 6b8079430b0958abbf77e944a677ac6b
KB Article: VMware ESX 3.5, Patch ESX350-200906407-BG: Updates krb5-libs and pam_krb5
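The bug class the advisory describes, a shared error path that frees a pointer not yet assigned when DER validation fails early, is illustrated below by an added stand-alone C decoder for a DER GeneralizedTime (a constructed example, not MIT Kerberos code; the function, struct and error-code names are hypothetical). The pointer is set to NULL before the first early exit, so the single cleanup is defined behaviour on every path, and the length is checked before any content is touched.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical error codes in the style of an ASN.1 decoder (constructed). */
enum { ASN1_OK = 0, ASN1_BAD_ID = 1, ASN1_BAD_LENGTH = 2, ASN1_BAD_FORMAT = 3 };
#define ASN1_GENERALTIME 0x18   /* universal tag 24: GeneralizedTime */

struct gtime { int year, mon, day, hour, min, sec; };

/* Parse n ASCII digits at p; return -1 if any byte is not a digit. */
static int digits(const char *p, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9') return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Decode a DER GeneralizedTime TLV ("YYYYMMDDHHMMSSZ") from buf[0..len). */
int decode_generaltime(const unsigned char *buf, size_t len, struct gtime *out)
{
    char *s = NULL;   /* assigned BEFORE any early exit: the shared cleanup below
                         frees it unconditionally, and free(NULL) is defined */
    struct gtime t;
    int rc = ASN1_BAD_FORMAT;

    if (len < 2 || buf[0] != ASN1_GENERALTIME) { rc = ASN1_BAD_ID; goto cleanup; }
    /* Reject a bad length before touching the content or allocating anything */
    if (buf[1] != 15 || len < 2u + buf[1]) { rc = ASN1_BAD_LENGTH; goto cleanup; }

    s = malloc(16);
    if (s == NULL) goto cleanup;
    memcpy(s, buf + 2, 15);
    s[15] = '\0';
    if (s[14] != 'Z') goto cleanup;             /* DER requires the UTC 'Z' suffix */
    t.year = digits(s, 4);      t.mon = digits(s + 4, 2);   t.day = digits(s + 6, 2);
    t.hour = digits(s + 8, 2);  t.min = digits(s + 10, 2);  t.sec = digits(s + 12, 2);
    if (t.year < 0 || t.mon < 1 || t.mon > 12 || t.day < 1 || t.day > 31 ||
        t.hour < 0 || t.hour > 23 || t.min < 0 || t.min > 59 || t.sec < 0 || t.sec > 59)
        goto cleanup;
    *out = t;
    rc = ASN1_OK;

cleanup:
    free(s);          /* single exit: safe on success and on every error path */
    return rc;
}
```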

For ESX 2.5.5, 3.0.2, 3.0.3 and 4.0, patches are pending.

You can subscribe to VMware Security announcements here: http://lists.vmware.com/mailman/listinfo/security-announce