Remote Console Bug in ESXi Host Client

I recently moved my virtualization lab from a hosting company to an Intel NUC cluster here at home.

While I was experimenting with my naming convention and my internal DNS, I had to rename one of my ESXi hosts. At that point, I had not yet set up a vCenter Server Appliance, so I decided to rename the host as described in KB 1010821. I then generated new self-signed certificates and rebooted the host.

After that, everything seemed to work fine. Everything but the web console. I tried to use the Remote Console with VMware Fusion and got the following error message:

At first I thought that the SSL certificate was cached, or that somewhere in the system the old certificate had not been replaced. But the error shows that the server name was still the old one; the cert was new and matched the new hostname. Then I realised that the username in the top right corner was using the old hostname as well.

My second thought was some kind of caching error. So I cleared my cache and cookies and tried two other browsers, to no avail. After I spent some time on the console, I was not able to find a database or a configuration file that would contain the old value. I was ready to give up, ready for a reinstall.

As a last attempt I went to the web site of the Host Client Fling and looked for a new version. Maybe a bug? I removed the old version 1.23 and installed 1.28, but the error was still the same. I began reading the comments and the bug section, and after a while I eventually found this bug description that matched with what I experienced.

I checked my 1Password entry and finally found the culprit. 1Password did the same thing LastPass did for the bug reporter: it saved the FQDN, which was in a hidden field on the login page. Every time I logged in, it would fill out the hidden form with the old FQDN and mess up the ESXi Host Client. Problem solved. Now I can continue installing and configuring the new lab environment!

VMware vCSA 6.5 firewall – A closer look

I finally had the time to upgrade my lab environment to VMware vSphere 6.5. My lab setup and requirements have not changed, so I was still in need of a firewall that lets me block all traffic and only allow certain whitelisted IP addresses.
A lot was improved in vCSA 6.5, so I had high hopes that I could use the onboard firewall UI this time. Sadly, it seems that I still cannot use the UI to block everything by default and only allow exceptions from a whitelist.

A new base

The VMware Virtual Center Server Appliance (vCSA) 6.5 has been improved quite a lot under the hood compared to its predecessor. Instead of continuing to use SuSE Enterprise Linux, VMware decided to use Photon OS, a “minimal Linux container host, designed to run on VMware platforms”. This change makes total sense as you can tailor the base system completely to your needs, minimize the amount of “clutter” in your OS, improve the performance without impacting other use cases, and last but not least develop everything independently in-house.

Slightly modified firewall script

I would have expected more changes, but as vCSA 6.5 is the first iteration of the appliance after the switch to Photon OS, it's only logical that all other components are more or less the same. I would guess that there will be more changes and improvements in the upcoming releases.

That being said, the firewall system is still the same as described in my old post. The only difference is that the firewall-reload.py script now checks for an additional source parameter when reading the JSON-formatted firewall service rules. This enables configurations which only allow certain source IP addresses to access certain services.

I have modified the firewall-reload.py script, added a “whitelist” tuple that contains whitelisted addresses and/or subnets (IPv4 or IPv6), added a “for loop” and changed the sourceParam parameter to always add a source IP address to all firewall rules. This now only allows access from the whitelisted IP address space. My modifications are available on GitHub.
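
The whitelist-plus-loop idea described above, as an added sketch that is neither the modified script from GitHub nor VMware's firewall-reload.py. The JSON rule layout, the `INPUT` chain name and the function names are assumptions made for illustration, and the chain is assumed to already end in a default drop.

```python
import ipaddress
import json

# Constructed whitelist (documentation ranges), mirroring the "whitelist" tuple idea.
WHITELIST = ("192.0.2.10", "198.51.100.0/24", "2001:db8::/32")

# Constructed service rules; this layout is an assumption, not the appliance's schema.
SAMPLE_RULES = json.loads("""
{"rules": [
  {"name": "ssh",   "protocol": "tcp", "port": 22},
  {"name": "https", "protocol": "tcp", "port": 443}
]}
""")


def parse_whitelist(entries):
    """Validate every entry up front; a malformed address raises ValueError
    instead of silently producing a rule without a source restriction."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def build_commands(rules, whitelist):
    """Return one ACCEPT rule (as an argument list) per service and per
    whitelisted source, so that no rule is ever emitted without '-s'."""
    networks = parse_whitelist(whitelist)
    commands = []
    for rule in rules["rules"]:
        for net in networks:
            # IPv4 and IPv6 sources belong to different tools.
            tool = "iptables" if net.version == 4 else "ip6tables"
            commands.append([
                tool, "-A", "INPUT",            # chain name is an assumption
                "-p", rule["protocol"],
                "--dport", str(rule["port"]),
                "-s", str(net),                 # source is always set
                "-j", "ACCEPT",
            ])
    return commands


if __name__ == "__main__":
    # Print the rules for review rather than applying them.
    for command in build_commands(SAMPLE_RULES, WHITELIST):
        print(" ".join(command))
```

Printing the generated rules before applying anything makes it easy to confirm that your own management address is covered by the whitelist, which matters when the default is to drop everything else.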

Debian 8.3 VMware Guest Customization

I wonder if anyone has experience with customizing Debian 8.3 in VMware vSphere 6.x. Officially, Guest OS Customization is not supported for Debian, but Ubuntu is supported, and the difference is not that severe.

Error message

I will experiment a little bit myself with Debian, Ubuntu and CentOS, but would be highly interested in some feedback, either via email or in the comments section below.

© 2018 Virtualize This!
