Stuff I'm Up To

Technical Ramblings

VMWare Restart Guest from Command Line — August 16, 2017

VMWare Restart Guest from Command Line

We don’t have to do this so often. So when we do I always forget the syntax.

Login as root on the host of the guest OS. Find the numeric VMID of the guest and issue a power off/on command.

# vim-cmd vmsvc/getallvms | grep -i "[GUESTNAME]"
Vmid                   Name                                                             File                                                   Guest OS          Version                                                                                                      Annotation                                                                                                   
114    PaymentsTest                            [Datastore-1] PaymentsTest/PaymentsTest.vmx                                               windows8Server64Guest   vmx-10

# vim-cmd vmsvc/power.getstate 114
Retrieved runtime info
Powered on

# vim-cmd vmsvc/power.off 114
Powering off VM:

# vim-cmd vmsvc/power.getstate 114
Retrieved runtime info
Powered off

# vim-cmd vmsvc/power.on 114
Powering on VM:

 

References: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1038043

VCSA 6.0 U3b to 6.5 U1 — August 10, 2017

VCSA 6.0 U3b to 6.5 U1

So far this upgrade seems to frustrating straight out of the box! We already run a VCSA (vCenter Server Appliance) and the process should be to automatically deploy a new VCSA and migrate the data from the old to the new and then power down the old. All from the Windows GUI installer.

But it fails to deploy with an unknown error.

If you save and view the installer log it becomes abundantly clear what the failure is. The installer is trying to issue a ‘date’ command at the current VCSA’s command line, and fails because it’s expecting a BASH shell and instead it is getting the default vCenter shell where the BASH shell is disabled.

2017-08-10T07:56:13.446Z - info: VM Identifier for Source VC: 78
2017-08-10T07:56:13.570Z - debug: initiateFileTransferFromGuest error: ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - debug: Failed to get fileTransferInfo:ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - debug: Failed to get url of file in guest vm:ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - error: Error in getting fileData for nodeType. Error: ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - error: Failed to read the nodetype, Error: A general system error occurred: Unknown error
2017-08-10T07:56:13.574Z - info: Checking if password expired
2017-08-10T07:56:14.994Z - info: Banner from server, 
VMware vCenter Server Appliance 6.0.0.30200

Type: vCenter Server with an embedded Platform Services Controller


2017-08-10T07:56:14.995Z - info: Connection ready
2017-08-10T07:56:15.008Z - info: STDOUT: Last login: Thu Aug 10 07:55:37 UTC 2017 from pc8501.domain.local on pts/0

2017-08-10T07:56:15.008Z - info: STDOUT: Last login: Thu Aug 10 07:56:15 2017 from pc8766.domain.local

2017-08-10T07:56:15.010Z - info: STDOUT: date
exit

2017-08-10T07:56:15.246Z - info: STDOUT: Connected to service

2017-08-10T07:56:15.255Z - info: STDOUT: [?1034h
    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Enable BASH access: "shell.set --enabled True"
    * Launch BASH: "shell"


2017-08-10T07:56:15.255Z - info: STDOUT: Command> d
2017-08-10T07:56:15.256Z - info: STDOUT: ate

2017-08-10T07:56:15.270Z - info: STDOUT: Unknown command: `date'
Command> exit

2017-08-10T07:56:15.305Z - info: Stream :: close
2017-08-10T07:56:15.306Z - info: Password not expired
2017-08-10T07:56:15.308Z - error: sourcePrecheck: error in getting source Info: ServerFaultCode: A general system error occurred: Unknown error

In order to address the issue you need to change the default shell for the root user. It’s very easy to do, but will also require a password change.

Logon to the current VCSA using ssh as the root user. Enable the BASH shell and start the shell using:

shell.set --enabled True
shell

Now change the root users default shell using

# chsh -s /bin/bash root

Now the installer should at least proceed through that part to deploy the image to the specified server.

References: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2100508

Teradici PCoIP Zero Client Firmware v5.5.1 — August 9, 2017

Teradici PCoIP Zero Client Firmware v5.5.1

After downloading the PCoIP firmware update to deploy to our terminals I uploaded it to a test station using the “Admin Web Interface” (AWI) – the built in web GUI on the terminal, not from the central management console.

It seemed to go OK, but when it reset the PCoIP processor, effectively a reboot, it came up with a dialog showing the message:

Warning : Multilanguage font pack not found !
Defaulting to English only : Please update firmware to enable multilanguage support

I tried re-uploading the file and still received the same result.

Continue reading

Windows Update KB4034681 (August Monthly Rollup) —

Windows Update KB4034681 (August Monthly Rollup)

Four hours of swearing at servers, kicking switches and rebooting printers and terminals and all because of a Windows Update.

Our entire network uses 802.1X authentication with certificates and this morning I arrived in the office to find all the Teradici terminals and network printers were failing to authenticate properly.

We hadn’t changed anything in the NPS policies so has a certificate expired? The errors in the event logs were constant

Event ID 36887 – A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 42.

Continue reading

Old School FTP — August 7, 2017

Old School FTP

Having recently replaced the firewall we found one of the external sites used for FTP file transfers was failing periodically. Turns out this was a simple problem. We just weren’t allowing enough of a range for the FTP data ports needed. We’d allocated a range of 1,000 ports, but looks like they use more.

So how did we find this out? I could have trawled the firewall logs, but was just easier to see what the FTP log file was telling me.

The log file generated the error “425 Unable to open the data connection”. After looking at the previous passive mode response I decoded the port that it required.

ftp> 227 Entering Passive Mode (192,168,0,250,109,116)

It’s a simple calculation. The first four numbers are the remote servers IP address and the last two specify the TCP data port required. In order to determine the port take the 5th number and multiply by 256 then add the 6th number.

eg.

109 x 256 + 116 = 28020

So now I’ve extended the allowed port range to include 28000-28999 to make the connection.

Ideally it would be best to get the remote server administrator to tell you what range they require. But if you have to resort to guessing at least you know how to calculate their requirement.

 

References: https://www.ietf.org/rfc/rfc959.txt

SMB mount error(112): Host is down — August 3, 2017

SMB mount error(112): Host is down

Whilst trying to mount a Windows (cifs) volume onto my Linux workstation I encountered the following error:

$ sudo mount -t cifs -o user=mylogon //myserver/myshare /mnt/mountpoint 
Password for mylogon@//myserver/myshare: ***********
mount error(112): Host is down
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

As ever with Windows I suspected the SMBv1 disabled problem and wasn’t disappointed to discover this was precisely the issue.

Continue reading

SRX SSH Ciphers, Algorithms & Key Exchange — July 31, 2017

SRX SSH Ciphers, Algorithms & Key Exchange

When doing a Nessus scan for the first time on the new SRX320 cluster it highlighted some weaknesses in the SSH protocol. This was due to arcfour, cbc and hmac being enabled by default.

So to remedy this we need to set the acceptable levels of ciphers etc.

Using the CLI a simple change to the config for the SSH service is required, under system services ssh.

# edit system services ssh
# set ciphers [ aes256-ctr "aes256-gcm@openssh.com" "chacha20-poly1305@openssh.com" ];
# set macs [ hmac-sha2-256 "hmac-sha2-256-etm@openssh.com" hmac-sha2-512 "hmac-sha2-512-etm@openssh.com" ];
# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]

Commit the changes and rescan and all is good.

Continue reading

Disaster Recovery Site and VRRP —

Disaster Recovery Site and VRRP

We’re currently working at putting in a new SIP based phone system that is externally hosted. As we already have a disaster recovery (DR) site with a network that routes out to it we figured we’d host the backup link for the phone system out there too.

The phone provider has installed 2 routers for us, one locally and the other at the DR site. They’ve then configured their routers to handle failovers using some active technology like BGP or VRRP. We don’t know the specifics and that really doesn’t matter to us. As long as we can route traffic out to them to their gateway address, then the rest is up to us to handle.

Continue reading

JunOS SRX too clever for it’s own good! — July 28, 2017

JunOS SRX too clever for it’s own good!

Today the planned migration from a Juniper ScreenOS SSG to a JunOS SRX didn’t quite go as smoothly as I’d have liked.

We spent many hours last night and this morning trying to figure out why numerous services that worked fine through the SSG firewall failed through the SRX. This despite me having triple checked the rule sets matched exactly from one system to the other.

We ended up making changes to connected systems to resolve the problems as workarounds but this was far from ideal. The eventual culprit turned out to be a default feature that is enabled on the SRX within the default application junos-dns-udp.

Continue reading

OpenSSL and Subject Alternative Names — July 27, 2017

OpenSSL and Subject Alternative Names

Now that Google chrome has started bitching about certificates not having Subject Alternative Names because the practice of using Common Names in certificates has changed.

So in order to get the SAN into a CSR you need to edit the OpenSSL config file you’re using for the request. You can spend time scripting something, but for the few times I do it I’ll just copy the base openssl.cnf file to one specific to the CSR I need to create. After all you’ll already have customised the req_distinguished_name section so you don’t have to put in the country and company name all the time. eg.

$ cp /etc/ssl/openssl.cnf ~/myserver.cnf

Then I just use that new cnf file as part of the command line to create the CSR.

$ openssl req -out myserver.csr -new -newkey rsa:2048 -nodes -keyout myserver.key -config ~/myserver.cnf

Continue reading

Squid Kerberos Nightmare — July 25, 2017

Squid Kerberos Nightmare

What a terrible sequence of events we suffered today. Took quite a bit of head scratching, log reading and plenty of Google fu to resolve.

We use Squid with an LDAP and authenticated lookup to establish if a user is a member of an AD group to allow them through the proxy. For some very strange reason the authentication and lookup began failing today.

Continue reading

Owncloud 10.0 Upgrade — July 24, 2017