
Why do available VCSA Photon OS Security Patches appear to be so behind


We are scanning our VCSA v6.7 with Tenable using SOAP and are getting hits against various packages within Photon. However, the available patches from VMware seem to be woefully behind the vulnerability publication dates. I'm looking on VMware vCenter Server Appliance Photon OS Security Patches for what's available. Case in point: Tenable plugin 132526 is complaining that postgresql-9.6.14-1.ph1 should be at postgresql-9.6.14-2.ph1; however, looking at the VMware link above, the latest version of postgresql was 9.6.14-1 released on 5 December 2019 in build 15132721. Per Tenable, this vulnerability was identified/published back on 29 October 2019. Seems like v9.6.14-2 would've made the cut for that build but if nothing else, would have been included in a subsequent release (the last being 30 January 2020). We've found info online about updating individual packages using tdnf; however, this is an overly arduous process, especially since the VCSA in question has no Internet access (or more accurately, its repo doesn't). It would be much more desirable for VMware to release these patches in their update bundles. Am I missing something here? Thanks


Unable to start service vmware-invsvc


INFO:root:Service: vmware-invsvc, Action: start

Service: vmware-invsvc, Action: start

2020-02-27T02:59:15.474Z   Running command: ['/sbin/chkconfig', u'vmware-invsvc']

2020-02-27T02:59:15.546Z   Done running command

2020-02-27T02:59:15.547Z   Running command: ['/sbin/service', u'vmware-invsvc', 'status']

2020-02-27T02:59:15.724Z   Done running command

2020-02-27T02:59:15.724Z   Running command: ['/sbin/chkconfig', '--force', u'vmware-invsvc', 'on']

2020-02-27T02:59:15.799Z   Done running command

2020-02-27T02:59:15.800Z   Running command: ['/sbin/service', u'vmware-invsvc', 'start']

2020-02-27T02:59:27.762Z   Done running command

2020-02-27T02:59:27.763Z   Invoked command: ['/sbin/service', u'vmware-invsvc', 'start']

2020-02-27T02:59:27.763Z   RC = 1

Stdout = Starting VMware Inventory Service...

Waiting for VMware Inventory Service..............

WARNING: VMware Inventory Service may have failed to start.

 

 

Stderr =

2020-02-27T02:59:27.763Z   {

    "resolution": null,

    "detail": [

        {

            "args": [

                "Command: ['/sbin/service', u'vmware-invsvc', 'start']\nStderr: "

            ],

            "id": "install.ciscommon.command.errinvoke",

            "localized": "An error occurred while invoking external command : 'Command: ['/sbin/service', u'vmware-invsvc', 'start']\nStderr: '",

            "translatable": "An error occurred while invoking external command : '%(0)s'"

        }

    ],

    "componentKey": null,

    "problemId": null

}

ERROR:root:Unable to start service vmware-invsvc, Exception: {

    "resolution": null,

    "detail": [

        {

            "args": [

                "vmware-invsvc"

            ],

            "id": "install.ciscommon.service.failstart",

            "localized": "An error occurred while starting service 'vmware-invsvc'",

            "translatable": "An error occurred while starting service '%(0)s'"

        }

    ],

    "componentKey": null,

    "problemId": null

}

Unable to start service vmware-invsvc, Exception: {

    "resolution": null,

    "detail": [

        {

            "args": [

                "vmware-invsvc"

            ],

            "id": "install.ciscommon.service.failstart",

            "localized": "An error occurred while starting service 'vmware-invsvc'",

            "translatable": "An error occurred while starting service '%(0)s'"

        }

    ],

    "componentKey": null,

    "problemId": null

}

update , patch


I want to ask a general question. I'm using vCenter 6.5. How do I know when a new update, upgrade or patch is released for the product? How do I know when a new feature comes? Will I check the VMware website every day? How do you do it when you manage a large infrastructure?

How should I follow?

Thanks.

Is it possible to create a role in vcenter, which has the ability to grant console access permission on vm's ?


Is it possible to create a role in vCenter which has the ability to grant console access permission on VMs? I.e., the user who is assigned this role should be able to grant console access to any VM in a folder.

 

vCenter version - 6.5

First Post: Can't get smart card authentication working for vSphere 6.7


We're running vSphere 6.7.0.42000 with the PSC embedded in the vCenter appliance. I'm trying to get smart card authentication working. We've got it joined to our Active Directory domain, and we can use username/password of domain accounts no problem. I've enabled smart card authentication, while leaving password and Windows session enabled as well. I've uploaded the root CA of the issuer for all our smart cards, as well as intermediate CAs in my specific chain for testing. I also followed the instructions here. I've since rebooted the vCenter appliance, but any time I try to log on with a smart card, with either Chrome or Internet Explorer, after choosing my correct certificate and providing my PIN, it won't let me in, and I get 'User name and password are required.'


Has anyone seen this?

Rsyslog in vCenter 6.7U3 (Photon OS) stops working ~10min after starting


Hello,

 

We have upgraded our vCenter appliance (VCSA) to 6.7U3 a few days ago and we noticed a gap of logs in our syslog server (kiwi) since then.

I did a bit of troubleshooting but Rsyslog (the syslog client running on VCSA) is completely new to me.

 

I use this command to restart Rsyslog:

 

systemctl restart rsyslog

 

Right after starting up Rsyslog, logs are being sent to our syslog server.

 

~10min later, no more logs are sent.

The vCenter log file in our syslog server stops getting updated.
I did a tcpdump in our vCenter and I see that the vCenter stops sending logs.
Using UDP or TCP doesn't fix the issue.


I looked for errors in various log files in the vCenter but can't find anything.

This is what /var/log/vmware/rsyslogd/rsyslogd-syslog.log looks like after restarting Rsyslog:

 

2019-09-11T11:53:12.812087+02:00 info rsyslogd [origin software="rsyslogd" swVersion="8.37.0" x-pid="21203" x-info="http://www.rsyslog.com"] exiting on signal 15.

2019-09-11T11:54:42.617065+02:00 warning rsyslogd environment variable TZ is not set, auto correcting this to TZ=/etc/localtime [v8.37.0 try http://www.rsyslog.com/e/2442 ]

2019-09-11T11:54:42.617568+02:00 info rsyslogd imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.37.0]

2019-09-11T11:54:42.618409+02:00 info rsyslogd [origin software="rsyslogd" swVersion="8.37.0" x-pid="22235" x-info="http://www.rsyslog.com"] start

 

Rsyslog is still running based on this command

 

systemctl status rsyslog.service

 

● rsyslog.service - System Logging Service

   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)

   Active: active (running) since Wed 2019-09-11 11:54:42 CEST; 39min ago

     Docs: man:rsyslogd(8)

           http://www.rsyslog.com/doc/

Main PID: 22235 (rsyslogd)

    Tasks: 12

   Memory: 5.7M

      CPU: 191ms

   CGroup: /system.slice/rsyslog.service

           └─22235 /usr/sbin/rsyslogd -n

 

Sep 11 11:54:42 vcenter.domain.local systemd[1]: rsyslog.service: Main process exited, code=killed, status=9/KILL

Sep 11 11:54:42 vcenter.domain.local systemd[1]: Stopped System Logging Service.

Sep 11 11:54:42 vcenter.domain.local systemd[1]: rsyslog.service: Unit entered failed state.

Sep 11 11:54:42 vcenter.domain.local systemd[1]: rsyslog.service: Failed with result 'signal'.

Sep 11 11:54:42 vcenter.domain.local systemd[1]: Starting System Logging Service...

Sep 11 11:54:42 vcenter.domain.local systemd[1]: Started System Logging Service.

Sep 11 11:54:42 vcenter.domain.local rsyslogd[22235]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.37.0 try http://www.rsyslog.com/e/2442 ]

Sep 11 11:54:42 vcenter.domain.local rsyslogd[22235]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.37.0]

Sep 11 11:54:42 vcenter.domain.local rsyslogd[22235]: [origin software="rsyslogd" swVersion="8.37.0" x-pid="22235" x-info="http://www.rsyslog.com"] start

 

 

(real hostname has been replaced by vcenter.domain.local)

 

I created a ticket at VMware support, but the agent wasn't able to find any errors either, and she suggested taking a backup of our vCenter and reinstalling with a restore to get a fresh install of Photon OS, since Rsyslog is integrated in Photon OS. I'm not going to do that now, maybe as a last troubleshooting step.

 

In the meantime, do you guys have an idea? Wrong Rsyslog config?

 

Thx for your help.

vCenter 6.5 to 6.7


I'm a VMware newbie trying to wrap my head around all the different components. I have vSphere Client 6.5 and I need a feature that's in 6.7. If I upgrade vCenter to 6.7 that will upgrade the vSphere Client as well?

 

And any hard-won words of wisdom in doing an upgrade would be much appreciated.

 

Thank you!

vCenter Server Appliance versus vCenter


Hello,

 

I am getting an alert in vCenter that is giving me a memory alert with Reading: 2.  However, VCSA says the health is good.  Which should I trust?

 

I have been out of using VMware for a few years and am getting back into it so please disregard my ignorance.

 

thanks for any help,

Reezie


VCSA 6.7 Database Maintenance


For larger VCSA footprints, have you had to do any manual database maintenance? Any db space issues?

 

On page 64 of the vSphere 6.7 Performance Best Practices PDF, it mentions the following:

1) Update statistics of the tables and indexes on a regular basis for better overall performance of the database.

2) As part of the regular database maintenance activity, check the fragmentation of the index objects and recreate indexes if needed (i.e., if fragmentation is more than about 30%).

 

Or are these tasks completed automatically with the embedded Postgres database on Photon?

Secure LDAP with Active Directory (Integrated Windows Authentication)


I've been reading this VMware blog post:

 

VMware vSphere & Microsoft LDAP Channel Binding & Signing (ADV190023) - VMware vSphere Blog

 

According to it, because I'm using "Active Directory (Integrated Windows Authentication)" my vCenters should not be affected by Microsoft's forthcoming changes to LDAP authentication.

 

However, when I turned on extra monitoring of LDAP connections on my domain controllers, it saw my Platform Services Controllers logging into LDAP insecurely with their machine accounts.

This is on VCSA 6.5 U3f, with external PSCs.

 

Anyone know what's going on here?

vCSA 6.5.0 U2G 13638625 webclient working too slow and giving query timeout dataservice adapters errors


In our environment we have vCSA 6.5.0 U2G 13638625 with 100 ESXi hosts and around 600 VMs. The web client is running too slow and gives timeout errors (see attached) while trying to pull out any inventory details such as datastores, performance charges, VMs running on the datastores etc. The refresh sign keeps spinning and then it results in query timeout errors. This issue recurs every 2 to 2.5 months. As a workaround, we planned a reboot every 2 months, and it was working, as after a reboot of the appliance, web client performance seems to be better for a few days. But this time, even after rebooting, it is giving the same issue. The query timeout errors are very annoying and end users are unable to work properly due to this.

We raised a support case with VMware and they tried to increase the memory size of the vmware-vpxd-svcs and vsphere-client services to 2048, but it didn't resolve the problem. Any suggestions on this? Has it got something to do with this: we still have the previous vCSA 6.0 appliance server in powered-off mode in this inventory (just considering), or anything else? We take a daily clone of the appliance, but we stopped that also in order to check, and it didn't work out.

All status icons wrong after updating VCSA to 6.7.0.42200


I updated our vCenter Server Appliance yesterday from 6.7.0.40000 to 6.7.0.42200, which I saw was just released this week.

 

Everything seems to be working after the update, but the status icons of almost everything are wrong.

 

For example, running VMs show an icon with a pause symbol on them.

When a task completes successfully it shows the red circle with a white exclamation mark in it.

 

Has anyone else ever seen this issue?  Is there a quick fix for it?

 

Thanks

 

-Pete

vCenter 6.7 - Health warning - vc.health.error.dbjob3


Hi,

 

Today I realized I have this warning on my vCenter:

Does anyone have any idea what it might be?

Decreasing Tasks and Event retention in Database settings


Hi. I am considering dropping the Task and Event retention from the default 30 days to 7 days, in order to try to speed up our backups. We get a lot of these generated due to our backup system being configured as snapshots with vCenter. I am just checking if there is any downside to this, other than not being able to go back further than 7 days to look at things. I assume VCSA will automatically clean the database once we make the change. Could that pose any risk? Maybe it's too aggressive doing it or something? Thanks.

Changing vCenter to different IP address/subnet


I need to change the IP address of our vCenter server as it's moving to a different subnet. Has anyone had experience doing this? I assume once the network details are changed, all ESXi/VMs should reconnect to vCenter because it uses DNS and IP. I did see one article where it's mentioned it isn't supported by VMware either.


Vcenter Server UI not opening & showing DNS_PROBE_FINISHED_NXDOMAIN


Hi,

 

I am having a problem opening the vCenter UI (LAUNCH VSPHERE CLIENT (HTML5)) after I click on it.

But VMware Appliance Management is working properly.

I am getting the error below:

 

This site can’t be reached

vcsa.vmlab.local’s server IP address could not be found.

 

 

DNS_PROBE_FINISHED_NXDOMAIN

 

Any help would be appreciated.

 

Thanks.

Database Use

What is the most popular database for vCenter?

Get-TagAssignment fails with status code 429


When we run Get-VM | Get-TagAssignment | Select Entity,Tag in PowerCLI we get this error:

 

HTTP response with status code 429 and no content (enable debug logging for details)

 

We have installed the latest PowerShell and PowerCLI, but have the same problem.

429 means that vCenter gets too many requests, but we only have 1500 VMs, so can that really be true?

The above command is quite normal, and we used to be able to run it without errors.

Is there a place where I can see logs regarding PowerCLI calls to vCenter (logs on vCenter)?

How can I fix the problem?

Maybe another way to get the same result?

VCSA 6.5 to 6.7 Upgrade pre-check warning


I have two embedded VCSA appliances in embedded linked mode.  They are 6.5 U3a.  I'm trying to upgrade them to 6.7.  I'm using the 6.7 ISO 15132721 build.  On both of them I get

 

 

warning - Unable to retrieve replication status of the partners

resolution - Make sure vmdir service is reachable and started in partner nodes and this node before continuing

 

I've checked, and the vmdir service is running on both of them. ./vdcrepadmin -f showpartnerstatus indicates Partner is 0 changes behind on both. I've restarted both VCSAs. I've not opened a support ticket on this yet.

 

JB

vCenter 6.7 Active Directory user connection problem: Invalid credentials


Hello,

 

Current vCenter version: 6.7.0 build-14070654. I updated to version 6.7.0.42000, but I have a problem with Active Directory user login. I tried leaving and rejoining Active Directory, but the problem continues.

The username and password are correct. I tested a different user, which connected successfully, but some users cannot connect. If I go back to the old vCenter version, all users can connect.

 

INFO  auditlogger] {"user":"VM\\ozgur","client":"IP","timestamp":"03/03/2020 11:32:09 UTC","description":"User VM\\ozgur@IP failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}

ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Invalid credentials

INFO  com.vmware.identity.BaseSsoController] End processing SP-Initiated SSO response. Session was created.

 

Do you have any idea?
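
The audit-log excerpt in the post above carries one JSON object per line after the `auditlogger]` tag. As an added example (not part of the original post and not VMware code), this tallies `com.vmware.sso.LoginFailure` events per user and client, which shows at a glance which accounts fail after an upgrade; the sample lines, user names, addresses and the `example.other.Event` type are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the shape of the excerpt in the post.
# Users, addresses and "example.other.Event" are made up for this example.
SAMPLE = [
    r'INFO  auditlogger] {"user":"EXAMPLE\\alice","client":"192.0.2.10",'
    r'"description":"failed to log in with response code 401",'
    r'"type":"com.vmware.sso.LoginFailure"}',
    r'ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml '
    r'Service Exception from authenticate',
    r'INFO  auditlogger] {"user":"EXAMPLE\\alice","client":"192.0.2.10",'
    r'"type":"com.vmware.sso.LoginFailure"}',
    r'INFO  auditlogger] {"user":"EXAMPLE\\bob","client":"192.0.2.11",'
    r'"type":"com.vmware.sso.LoginFailure"}',
    r'INFO  auditlogger] {"user":"EXAMPLE\\carol","client":"192.0.2.12",'
    r'"type":"example.other.Event"}',
    r'INFO  auditlogger] {"user": }',  # malformed JSON must not abort the run
]

# The JSON payload is everything from the first "{" after the tag to the
# last "}" on the line.
AUDIT_RE = re.compile(r"auditlogger\]\s*(\{.*\})\s*$")
FAILURE_TYPE = "com.vmware.sso.LoginFailure"


def parse_audit_line(line):
    """Return the audit event as a dict, or None for any other line."""
    match = AUDIT_RE.search(line)
    if not match:
        return None
    try:
        event = json.loads(match.group(1))
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def login_failures(lines):
    """Count LoginFailure events per (user, client) pair."""
    counts = Counter()
    for line in lines:
        event = parse_audit_line(line)
        if event and event.get("type") == FAILURE_TYPE:
            counts[(event.get("user"), event.get("client"))] += 1
    return counts


if __name__ == "__main__":
    for (user, client), n in login_failures(SAMPLE).most_common():
        print(f"{n:3d}  {user}  from {client}")
```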
