What started off as a good idea, quickly snowballed into my home lab being jacked up for about 3 weeks. I often refer to these things as “life lessons” and unfortunately I usually experience these things a lot. I normally just chalk it up to my ADD and move on !! Hopefully this blog post will help others that might run into this issue as well.
VMworld 2011 is/was fast approaching and I was asked to work with Erin Banks (Rockstar RSA vSpecialist –@banksek blog: http://www.commondenial.com) to help get vShield 5 added into our VMworld Hands on Lab. Specifically we wanted to show off vShield’s new embedded RSA Data Loss Prevention tool. Since I’d never really messed with it I jumped all over the chance to do it. My first thought was, “I guess I should install it just to see how everything works” so I did that on my home lab. vShield 5 installs from a OVF – Which I LOVE !!! So I figured, “how hard can it be to setup, who needs the manual” 🙂 (the install guide to the right is for 4.1 – as soon as 5.0 is published I’ll update it with the proper link) That’s where everything started to go south. I skimmed the first couple of pages of the install guide, mostly to see what the default username and password was and then went about setting it up. It was pretty easy and once you have the OVF deployed and setup its IP you do a lot of the management/install from the vShield 5 Manager webpage. I decided that I would protect all 3(ea) of my vSphere ESXi 5 home hosts and went about installing vShield 5 App, vShield 5 End Point on each system using the vShield Manager 5 Web interface.
That part of the install is pretty much “click and walk away” process.
The net-net is it setups firewalls, rules and a new vSwitch with no physical nic’s assigned to them so that they can communicate with each other.
What I failed to realize was that it’s a bad idea to protect the host that has vCenter installed. When it does that, it treats that VM just like every other VM and locks it down. When that happens, vCenter is not very happy and all hosts show inactive 😦
The first time you see this, or at least the first time I noticed something wrong was when I tried to connect to vCenter 5 with the vSphere 5 Client. It timed out. So I tried to RDP into that server and it timed out. Then I logged into each of the vSphere hosts to figure out which one had my vCenter in it. I opened up the console and everything looked fine. I thought maybe something hung so I bounced the server. I then opened up IE in the VM and noticed I couldn’t get out. I might not be the sharpest tool in the shed but I figured out pretty quickly that I did something wrong. Google confirmed and that’s when the life lesson began 🙂
That drove me to the following KB article and the first thing I did for my vCenter 5 .vmx file – http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028151
That allowed my vCenter VM to surf the web and get a around a bit. I still had issues with vCenter seeing the 3(ea) hosts. I spent a couple of days trying to figure out if it was possible to brute force remove it from the host directly as well as to see if I could uninstall using vShield manager but unfortunately it looks like the protected hosts or the protected vShield 5 VM wouldn’t give me the option to uninstall. It would just give me a status of them (the status was “installed” see “Host Information” screen shot above). I then remember reading a recent blog post called “How to enable & disable ESXi Host SSH via the vSphere Client in vSphere 5” from Simon Seagrave and it dawned on me that maybe I could see if the DVfilter and the vShield stuff could simply be “unchecked” from the firewall rules so off I went and sure enough, it was listed.
Once I unchecked those 2 boxes things started to get back to normal. I could now RDP into my vCenter VM and when I launched the vShield5 Manager I had the option to uninstall.
Now, I did run into some sort of issue on the 2nd host during the uninstall. I’m not sure if it was a bug or what but it didn’t go as smoothly as the first one went. Here is a run down of the steps it takes to uninstall:
Step 5 (rebooting ESX host) was the issue. It would just hang. I thought that since it looked like everything was uninstalled and it was just doing a reboot I could just hard cycle it and call it good. When I did that, it showed up in vShield Manager as still having vShield App and vShield Endpoint installed. So I ran through the process again. It went a little faster but it still hung on rebooting the ESXi host. This time I decided to see if anything stood out on the host’s screen so I connected a monitor to my vSphere 5 ESXi host and the following error was splashed across the screen. “Error Loading /vmware-f.v00 Fatal Error: 33 (inconsistent data)
It made no sense to me why that was happening. Google wasn’t really any help either (that our I was losing patience with googling the issue 🙂 ) I went back into the firewall settings and it looked like the check boxes were checked again so I unchecked them and re-ran the uninstall and everything sailed through. I’m not sure if that really fixed the issue or not but I decided not to press my luck and spend time troubleshooting it more. I was happy it was uninstalled !!
The net-net is RTFM !! It will save you a ton of heartburn. I also think this is a HUGE issue that VMware needs to address. More and more customers are virtualizing vCenter and a sentence in the install guide warning you against doing this is probably not enough. Mike Foley with RSA Security (And honorary vSpecialist) suggested in an e-mail exchange helping me with this blog post that vShield install should:
1) detect the vCenter VM
2) automatically create a firewll ruleset that doesn’t “hose you” (Thats a Foley Techincal Term)
3) using 2, install with “Allow” set on everything by default.
I couldn’t agree more with him. If nothing more, it should flash a huge warning during the install that say “If you run vCenter as a VM, please read the install guide before proceeding” and then require a checkbox, or accept to be pushed before moving on !! Finally this should be a great reminder that VMware’s guidance is to not put management VM’s on production ESX hosts (thanks for the reminder Mr Drummonds). I hate when I help validate, the wrong way, these types of rules !!
So allow me to be the example others follow on what NOT to do when installing vShield 5 for vSphere 5. R T F M !!!!