vSphere/VMware: failed to connect virtual device ethernet0

failed to connect virtual device ethernet0

That message said hello for every single VM after there was a major breakdown in a data center. The breakdown was seen as a welcome opportunity to upgrade everything from 4.1 to 5.1. And since everything was broken anyway (although the VMs continued to run, yeah VMware ;-)) no one bothered going the proper path but just evacuated some ESXi-Hosts, re-installed them with 5.1, created a new vCenter and tried to import the VMs.

What was happening?

The GUI gave no hint as to what was wrong. But in the ESXi host logfiles something gave away what was going on: “vShield filters cannot be found for ethernet0”. Now, that is a clue, indeed!

The old 4.1 was running with everything filtered through vShield, whereas it was decided to not use vShield in this setup for 5.1 anymore. But in every single vmx-file for every VM there had to be removed the following two lines in order for everything to work as it should:

ethernet0.filter0.param1 = “uuid=5006f477-a2df-b018-b331-b2b61f1b95f9.000”
ethernet0.filter0.name = “vshield-dvfilter-module”

So, people, beware of vShield when moving VMs from one cluster to another.

All the best,

Thomas

vShield Manager 4.1 spikes in CPU usage, acting up…

Since a couple of weeks we let vSphere monitor our VMs in addition to the nagios monitoring we have had from the beginning.

The vShield Manager VM started to show odd behavior: CPU spikes to 100% every 10 to 30 minutes, then returning to normal. Operation worked as normal, nothing showed in the log files (although: you don’t really see the system log files in the interface).

Somewhere I read something about the mySQL database having problems, and a reboot would fix that. So, reboot… After all, what could go wrong, right? The single firewall VMs are working independent from the Manager, so nobody should even notice… so far so good.

vShield Manager VM did not boot up properly again. You could not login via the web interface. On the console you’d see only the message “System startup is not complete. Please logout and log back in after a few minutes.”

After some hours still the same. On the console (you don’t get a full bash, just a stripped down management shell that does not much) not much was showing. On thing made us curious though: “show filesystems” did say something about mount file could not be read.

A bad foreboding struck my colleague and me: Filesystem corrupt? Without a bash there is not much you can do. So we downloaded a live linux cd, rebooted the VM into that livelinux, and saw it in an instance: The filesystem simply was full. 0 bytes free. Ok, that definitely is a reason for mySQL and tomcat not to start, and definitely a reason why nothing shows up in the log files.

Now with a bash at hand, we investigated, and our first thought where the log files. But we found only 20 MB worth of log files in /var/log. Everything rotated, gzipped and deleted as supposed. So what was going on?

Turns out vmware forgot about the tomcat logfiles. Tomcat saves its own logfiles into its own directory. And that directory was full of catalina-logfiles, going back to the very day the system was installed.

Simple fix: Delete the old junk no one needs, and the vShield Manager is rebooting like a charm.

So, vmware, I’d guess you have fixed that in a newer version already, although I have not checked yet. If not: Shame on you. Leaving admins out with no proper bash or other good way to determine what is going on. That is a shortfall on your side!

P.S.: No hard feelings though, vmware. I still love you 🙂

managing iptables on linux

hey there,

as you manage more and more linux servers, you might stumble upon iptables firewalls. Especially with newer distros that happens more and more often, for example Fedora 17 and CentOS 6.3 have their iptables switched on by default.

If you now start to install services and server software, you might want to disable your firewall to test if the server responds, right? wrong!

The firewall is there for a reason, and should not just be switched off. One little trick I picked up is to always have a little shell script on hand that contains all the rules you want on your server and blocks everything else.

That way you can easily add an open port or close one, can rearrange the rules to your like and then run the script and have the firewall in place exactly as you want it to be.

This is especially helpful in case you mess up your rules or something goes wrong. You are up and running with your set of rules again in no time.

So, here goes a little basic firewall file on one of my test servers that runs a media wiki and for test purposes webmin on port 4444. It even takes into account ipv6 (same rules as for ipv4) and dumps the rules to the screen for you to see whats in place now.

all the best,

maybe

#!/bin/bash

#flush all rules
iptables -F
ip6tables -F

#allow 22 (ssh)
iptables -A INPUT -p tcp –dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp –dport 22 -j ACCEPT

#allow 80 (http, the wiki)
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp –dport 80 -j ACCEPT

#allow 4444 (webmin)
ip6tables -A INPUT -p tcp –dport 4444 -j ACCEPT
iptables -A INPUT -p tcp –dport 4444 -j ACCEPT

#set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT

#set access for localhost
iptables -A INPUT -i -lo -j ACCEPT
ip6tables -A INPUT -i -lo -j ACCEPT

#accept packets belonging to established connections
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

#save settings
/sbin/service iptables save
/sbin/service ip6tables save

#list rules
iptables -L -v
ip6tables -L -v