Saturday, November 25, 2017

Installing Fedora 27 on a UEFI-enabled Windows 10 machine with Secure Boot enabled

I recently installed Fedora 27 on my personal laptop alongside Windows. So far Fedora 27 feels very polished and it recognized almost everything out of the box, including sleeping when I close the lid. 

There were, however, a few things I did that went beyond the usual click-click install experience, so I thought I would share:

1) The new Fedora install still boots into Windows

There's a new Fedora media installer executable that downloads the ISO and prepares a USB drive for you, and upon booting from said USB, installation is relatively straightforward. The installation took care of creating free space from my existing NTFS partition, and automatic partitioning created a /boot, / and swap partition.

However, after rebooting, my laptop ran Windows again instead of Grub - this is typical of UEFI installations. The Fedora installation did create a new entry for itself, but it was missing one for Grub. I am not sure if this is by design, or a product of having a password on my BIOS, etc.

To fix this, we must add Grub to the authorized UEFI files. Find where your BIOS allows you to add UEFI files as "trusted for executing" and point it to 

HD / EFI / Fedora / grubx64.efi  (you must provide a name, I chose Fedora Grub)

Save the settings. You may only have an option to save and exit, like me.

Then, you must make sure that the Grub option that now appears in your boot priority list is listed before "Windows Boot Manager". Voila, it works, and this includes after updating Fedora.
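
The boot-priority step above can be re-checked from the installed system, for example after a firmware or Windows update. This is an added example, not part of the original post: the function names and the sample are constructed, and "Fedora Grub" is the entry name chosen above.

```bash
#!/usr/bin/env bash
# Added example: check that the firmware tries the Grub entry before
# "Windows Boot Manager". Input is `efibootmgr` output on stdin.
# The sample below is constructed, not captured from the author's laptop.
EFI_SAMPLE='BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0003,0000,2001
Boot0000* Windows Boot Manager
Boot0003* Fedora Grub
Boot2001* EFI USB Device'

# Print the 1-based position in BootOrder of the entry with the given label.
# Exits non-zero if the label does not exist or is not in BootOrder at all.
boot_rank() {
    awk -v want="$1" '
        /^BootOrder:/ { n = split($2, order, ",") }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            label = substr($0, 11)      # text after "BootXXXX* "
            sub(/\t.*/, "", label)      # `efibootmgr -v` appends a device path after a tab
            if (label == want) id = substr($0, 5, 4)
        }
        END {
            if (id != "")
                for (i = 1; i <= n; i++) if (order[i] == id) { print i; exit 0 }
            exit 1
        }'
}

# Succeed if the entry named $1 comes before Windows Boot Manager in BootOrder
# (or if there is no Windows entry left to compete with it).
boots_before_windows() {
    out=$(cat)
    mine=$(printf '%s\n' "$out" | boot_rank "$1") || return 1
    win=$(printf '%s\n' "$out" | boot_rank "Windows Boot Manager") || return 0
    [ "$mine" -lt "$win" ]
}

if printf '%s\n' "$EFI_SAMPLE" | boots_before_windows "Fedora Grub"; then
    echo "OK: Fedora Grub is tried before Windows Boot Manager"
else
    echo "WARN: boot order would start Windows first (or the Grub entry is missing)"
fi
```

On the installed system, pipe the real output in with efibootmgr | boots_before_windows "Fedora Grub"; mokutil --sb-state reports whether Secure Boot is still enabled.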


2) Gnome (by default) doesn't show files in the Desktop

You can either install the gnome-tweak-tool, or just run the following in an unprivileged terminal (I think this is a per-user setting):

gsettings set org.gnome.desktop.background show-desktop-icons true


3) Touchpad does not support tap-to-click (i.e., like a Mac).

In the Settings app, choose Devices, Mouse & Touchpad, and in the Touchpad section, turn on "Tap to click".


Thursday, October 19, 2017

My simple cheat-sheet of Git bash commands

This post has several assumptions!

1) You are working on a Windows machine with https://git-for-windows.github.io/ already installed.
2) You already have a Github user and have created a repository with content.
3) Assumes you already have created a Github SSH key and it's already working - I will make a blog post about doing this easily soon!
4) This also only works when you are only working on the ONE default branch!!

Essential Github bash commands:

To clone something you have in the Github site to your PC

On the webpage:
- Go to your profile and click on the repo
- Find the "clone or download" button
- Click Get SSH if you need, and copy something like git@github.com:arielsanchezmora/arielsanchezmora.github.io.git to your clipboard.

Open Git Bash:
- Find the directory where you want to copy the repository to
- In the Git Bash window type "cd /c/...." (the path, but in Linux format; use "pwd" if you get lost on how to format it)
- git clone [what you had copied from the webpage: git@github.com....]
(type ssh key password if needed)

To return changes to Github

Change to the cloned folder (it will have a hidden .git folder) before executing the below. The other files should have changed before you run these commands.

git status to see the changes (red is unstaged changes)
git add . (the dot means all files/subfolders)
git status (green shows changes have been staged)
git commit -m "add a comment to your code change" (otherwise, hi vi!)
git status will show your local branch is ahead of the Github site
git push origin master will sync your changes back to Github :)

Wednesday, March 29, 2017

Disable TLS v1.0 and v1.1 in vSphere 6.0

This is a very rough post with the base information - I will make this part of a series soon. 

This quick post only focuses on the use of the TLS tool in vSphere 6.0 in a very simple environment (VCSA with embedded PSC, hosts in the 3 situations used in the tool) for demonstration purposes. 




Also, note that only port 443 is tested, but both vSphere and ESXi have many other ports, some even outside of the TLS tool configuration.

This post focuses on only leaving TLS 1.2 enabled. Other posts which helped me and constitute good reading are:

https://techbrainblog.com/2015/03/30/how-to-scp-files-to-vmware-vcenter-appliance-6-0-vcsa/ by GaneshSekarbabu

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2054085

http://www.justmy02centsworth.com/2016/11/pci-dss-tls-10-disablement-and-vmware.html by DanRaymond65

We will basically put in practice KB 2148819:

https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2148819

Before we start, make super sure you are running at least 6.0 Update 3 and your vCenter and hosts are on the same release! Also download the rpm version of the TLS tool from the same location where the VCSA is downloaded from.

If you are going to do the whole environment, the basic order is:

1) vCenters
2) hosts
3) PSCs

Steps needed to be able to run the tool:

#Open SSH (or use the VCSA console). You may need to follow this if it's not enabled already


#It's always a good idea to verify the SSH keys match



#Now execute these commands. Enable Bash shell:
shell.set --enabled True

#Launch the "Bash" shell which is really a "pi shell":
shell

#Change shell to Bash so SCP works (doesn't otherwise, not explained in the KB)
chsh -s "/bin/bash" root



*Go copy the TLS RPM file to the VCSA now*






#I copied the file to /tmp (or wherever, but notice you have to change the directory to what you used)
cd /tmp

#U is upgrade (assumes install if no older version found), v is verbose, h is hash (progress display)
rpm -Uvh VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

#Change directory to where TLS Reconfigurator was installed to
cd /usr/lib/vmware-vSphereTlsReconfigurator/


vCenter and PSC steps

#Switch to vCenter tool directory 
cd VcTlsReconfigurator

#Take a backup as per the KB
./reconfigureVc backup




*Go copy the backup directory to a safe place. Why? WHY NOT?*




Note a scan of port 443 before running the tool using sslscan (from a Windows executable) shows TLS 1.0 and 1.1 are active:




#Do some damage! I mean, set TLS v1.2 as the only accepted protocol
./reconfigureVc update -p TLSv1.2

#Type a "y" to proceed. It doesn't really re-start the whole appliance, just the services



#Note it actually takes another backup. Gotta protect GSS :)



#Finally you will get a status report which confirms that only TLS v1.2 is configured




#The vSphere Client service takes a little longer to start than the rest. You can monitor it via the shell with
service vsphere-client status



#Note a scan of port 443 after running the tool shows only TLS 1.2 is now enabled:




ESXi steps

#Hosts MUST be rebooted after these commands for all changes to take effect!!

#Switch to ESX tool directory 
cd /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator




You have 3 options for host changes - by cluster, by host joined to this vCenter, or standalone hosts.

#If you are doing hosts joined to a vCenter inside a Cluster (this does the whole cluster)

#./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
./reconfigureEsx vCenterCluster -c MyCluster -u administrator@vsphere.local -p TLSv1.2

#It asks for the user's password and executes



#Don't forget to reboot the host!
#Scan before change



#Scan after change and reboot




#If you are doing one host joined to a vCenter

#./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
./reconfigureEsx vCenterHost -h 192.168.1.102 -u administrator@vsphere.local -p TLSv1.2

#It asks for the user's password and executes



#Don't forget to reboot the host!

#Scan before change




#Scan after change and reboot




#If you are doing a host that is not joined to a vCenter

#./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.2
./reconfigureEsx ESXiHost -h 192.168.1.103 -u root -p TLSv1.2

#Note this uses a local ESXi account since this host is not in this vCenter


#Don't forget to reboot the host!

#Scan before change



#Scan after change and reboot
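
The before/after scans in this post (vCenter and each of the three host cases) can be turned into a pass/fail check. This is an added example, not part of the original post or of the TLS tool: the function names are hypothetical and both samples are constructed in the style of sslscan 1.x cipher lines.

```bash
#!/usr/bin/env bash
# Added example: read sslscan output on stdin and decide whether only TLSv1.2 is accepted.
# Both samples are constructed, not taken from the author's scans.
BEFORE_SCAN='Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA'
AFTER_SCAN='Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256'

# Print each protocol version the server accepted, one per line, sorted.
# ANSI colour codes are stripped first, since sslscan can colour its output.
accepted_protocols() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" |
        awk '$1 == "Preferred" || $1 == "Accepted" { print $2 }' | sort -u
}

# Print the accepted protocols other than TLSv1.2, space separated (empty when clean).
legacy_protocols() {
    accepted_protocols | grep -vx 'TLSv1.2' | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if the scan shows TLSv1.2 and nothing else. An empty scan
# (host down, wrong port) fails too, so a broken scan is never read as a pass.
only_tls12() {
    [ "$(accepted_protocols)" = "TLSv1.2" ]
}

# Report one labelled scan: report <label> <scan text>
report() {
    if printf '%s\n' "$2" | only_tls12; then
        echo "$1: OK, only TLSv1.2 accepted"
    else
        echo "$1: FAIL, also accepts: $(printf '%s\n' "$2" | legacy_protocols)"
    fi
}

report "before" "$BEFORE_SCAN"
report "after"  "$AFTER_SCAN"
```

Feed it a saved scan of each endpoint after the reboot, and repeat for any other port you care about, since only 443 is covered here.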



Hope this helps. I'll go into a bit more detail as soon as I have some time! Ping me on twitter if you have any comments please.

Tuesday, February 28, 2017

PowerShell and PowerCLI - scripted addition to "getting started"

In my first post on PowerShell/PowerCLI I had ventured the guess that many of the tasks to set up PowerShell/PowerCLI could be scripted. Today I present the script:



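# Sets the execution policy to Bypass (default scope is LocalMachine): nothing is blocked and no warnings are shown
Set-ExecutionPolicy Bypass -force
# Create the folder that holds the PowerShell profile
mkdir $env:userprofile\Documents\WindowsPowerShell
# Create the working directory for scripts
mkdir "C:\PowerCLI codes"
# Profile content; the backtick keeps $psISE literal so it is evaluated when the profile runs
$fixPS = @"
Set-Location "C:\PowerCLI codes"
if (`$psISE)
{
Clear-Host
Write-Host 'You can do this!'
}
"@
# Write the profile as ASCII text
$fixPS | Out-File -FilePath $env:userprofile\Documents\WindowsPowerShell\profile.ps1 -Encoding ASCII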



You can change the directory for your codes and the startup message, and add or remove things, but this will at least create the proper file to set your working directory, and write all lines to the profile.ps1 file.

So to use this:
1) Find powershell on your computer
2) right click, run as administrator
3) paste and execute. This should not prompt you for any questions
4) close that window
5) Use ISE or PowerShell like you normally would from now on

Let me know if you found this useful. I needed it since I have several jumpboxes and create new VMs, and figuring out where stuff needs to be changed takes much more time than copy pasting my setup in a script :)

Tuesday, January 24, 2017

Learning about vSphere Flash Read Cache

I'm looking at vSphere Flash Read Cache in case Pernix FVP does not release an update for vSphere 6.5 (after being bought by Nutanix). Using vFRC is a bit different right off the bat, since it doesn't do write acceleration, but since I already have the required vSphere licensing and hardware, there is no cost to enable.

The biggest problems I see so far are:

1) not a lot of reported users, at least that I could find, although it's been kept as a feature by VMware since it was announced so there have to be quite a few. However, I didn't find lots of operational blogs, just feature announcement types.
2) more rigid implementation steps compared to Pernix FVP, which takes some reading to figure out

Biggest differences with Pernix FVP apart from the obvious:



Known KBs
There are two known issues, and they are easily avoidable as patches were released already, so just make sure you are running the latest release before enabling.

https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2114498&sliceId=1&docTypeID=DT_KB_1_1&dialogID=381661788&stateId=0%200%20381669816
https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2072392&sliceId=1&docTypeID=DT_KB_1_1&dialogID=381647699&stateId=0%200%20381651933 

Documentation
http://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.vsphere.storage.doc/GUID-07ADB946-2337-4642-B660-34212F237E71.html 
http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-vsphere-flash-read-cache-faq.pdf << particularly useful
http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-vfrc-performance-vsphere55-white-paper.pdf  << cool read

Blog posts

http://cormachogan.com/2014/02/14/a-closer-look-at-vsphere-flash-read-cache-vfrc/ 
http://nolabnoparty.com/en/vmware-vflash-read-cache-setup/ 
http://everything-virtual.com/vmware-study-guides/vcap-dca-study-guide/configure-and-manage-vsphere-flash-read-cache/ 
http://www.settlersoman.com/what-is-and-how-to-configure-vmware-vsphere-flash-read-cache-vfrc/ 
http://www.vladan.fr/vmware-vflash-read-cache-vfrc/