Nothing specific to talk about, but I felt like writing anyway.
Don’t multihome vmk ports in ESXi
Multihoming vmk ports on ESXi 5 (?) and later is not kosher. It’ll allow you to make the config, and it’ll even work, for a random period of time. You probably want separate physical ports for management and vMotion, so you’re bound to have two vmk ports; don’t put them on the same subnet/VLAN. This was supported in ESX 4 and earlier, perhaps, but not in any later versions of the VMware hypervisor. This KB article helped out a lot, as well as this quick reference on ESXi shell network commands. The setup was roughly the following:
- vmk0 – management – vSwitch0 – 10.10.10.1
- vmk1 – vmotion – vSwitch1 – 10.10.10.2
One host with this config dropped off the network, and the management port wouldn’t respond. The other vmk interface still responded perfectly, and the VMs were on separate vmnics and vSwitches, so they were unaffected as well. But vCenter lost connectivity to the host. Obviously, migrating the VMs off the host was not an option, as there was no way to reach it through the vSphere Client. The cluster did not have HA enabled.
To fix it, the steps were roughly:
- Enable ESXi Shell, if it isn’t already, through the DCUI -> Troubleshooting options -> Enable ESXi Shell
- Hit Alt-F1 to go to the shell
- Disable the vmnic that is not the management vmnic (in our example, the uplink of vSwitch1, which carries vmk1 for vMotion) using esxcli network nic down -n vmnicN (replace N with the right uplink; double-check in the DCUI before you run it)
- You can Alt-F2 back to the DCUI and check the network settings to verify that it’s down. Once the conflicting vmk is down, the primary one should start working, and you’ll have management back. If necessary, restart the management agents / management network from the DCUI.
- Alternatively, esxcfg-vmknic -D <portgroup> disables the vmk on that port group (-d deletes it). To list the vmks and their port groups, use esxcfg-vmknic -l, locate the conflicting, non-management vmk, and note the name of its port group.
- When management is restored (verify by running Test Management Network in the DCUI and pinging your management IP), do the rest from the vSphere Client: restore whatever vmk you disabled and the functionality it had (vMotion or so). This time, make sure you use a separate subnet/VLAN (not the same as for management).
- Also NOTE that if you used the ESXi Shell to disable a NIC, you have to enable it from there as well. I’ve found no way to say “vmnic up” in vSphere Client. If you know of a way please let me know in the comments. I had to make an extra trip to the data center to get the interface up, and then finalize the config in vSphere client.
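As an added example (not from the original post), here is a small POSIX-sh check that flags vmkernel ports sharing an IPv4 subnet, which is exactly the multihomed state described above. It reads lines of `<vmk> <ip> <netmask>`; that input layout and the sample interfaces are constructed for the example, not ESXi output, so take the real values from `esxcfg-vmknic -l` or the DCUI.

```shell
#!/bin/sh
# Flag vmkernel interfaces that sit on the same IPv4 subnet.
# Input lines: "<vmk> <ip> <netmask>" (constructed layout, not ESXi output).

# Network address (dotted quad) of an IP/netmask pair, via per-octet AND.
net_addr() {
  old_ifs=$IFS
  IFS='. '
  set -- $1 $2            # $1..$4 = IP octets, $5..$8 = mask octets
  IFS=$old_ifs
  printf '%d.%d.%d.%d\n' "$(($1 & $5))" "$(($2 & $6))" "$(($3 & $7))" "$(($4 & $8))"
}

# Read "<vmk> <ip> <mask>" lines on stdin; print "<network> vmkA vmkB ..."
# for every network that has more than one vmk on it.
shared_subnets() {
  while read -r vmk ip mask; do
    case $vmk in ''|\#*) continue ;; esac   # skip blank and comment lines
    printf '%s %s\n' "$(net_addr "$ip" "$mask")" "$vmk"
  done | sort | awk '
    { members[$1] = (members[$1] == "" ? $2 : members[$1] " " $2); count[$1]++ }
    END { for (n in count) if (count[n] > 1) print n, members[n] }' | sort
}

# Report multihomed vmks; return 1 if any were found, 0 otherwise.
check_multihoming() {
  dup=$(printf '%s\n' "$1" | shared_subnets)
  if [ -n "$dup" ]; then
    printf 'multihomed vmk ports (move one to its own subnet/VLAN):\n%s\n' "$dup"
    return 1
  fi
  echo "no vmk ports share a subnet"
}

# Constructed sample mirroring the post: vmk0 and vmk1 on one /24.
SAMPLE='vmk0 10.10.10.1 255.255.255.0
vmk1 10.10.10.2 255.255.255.0
vmk2 192.168.50.5 255.255.255.0'

check_multihoming "$SAMPLE" || true   # demo run; drop "|| true" to use the status
```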
Considering a Soekris or Mikrotik
For years (uh, say, 8 years?) I’ve used an older workstation PC with two Intel 1 Gbps NICs and lately, an SSD, plus OpenBSD & pf as my network firewall/router. It’s a rather clunky solution for a simple task, but it has served me well for years, without too many problems. After listening to TechSNAP (the latest couple of episodes, I guess), I’ve been thinking about replacing that box with a smaller solution, such as hardware from Soekris or Mikrotik. Soekris are a bit expensive, but they are perhaps more fully fledged than the Mikrotik. Both, as I understand, allow for your own choice of OS. I would still be running BSD (be it Free or Open), because that’s what I sort of trust with these matters. The other option is to buy an Atom board, slap on 2-4 GB of memory, two NICs (or a multiport NIC), and the SSD that I already have, and then run that in a smaller form factor case. I’m more of a do-it-yourself kind of guy, so I might end up going that route anyway.
I’ve been reading a lot lately. Well, the past 10 years maybe. My dad tends to remind me that back in school I didn’t like reading too much (perhaps because I didn’t usually need to work too hard to pass courses (except for math), or maybe I just hadn’t found my thing yet). Or maybe I was an immature brat? Perhaps. Anyway. What I’m reading right now is the Bridge Trilogy, by William Gibson. No big shocker here, I’ve read his works multiple times. I think this trilogy is the one I’ve read the least. That’s not to say it isn’t good, but it’s just gotten less attention from me. I’m on the final book now, “All Tomorrow’s Parties”. After that I’ll hop away from Gibson, and move on to James Bamford’s “The Shadow Factory”, a book on the NSA.
Since I misplaced (probably lent it out to someone who doesn’t remember or really liked the book) my copy of Stealing the Network – How to Own a Shadow, I ordered a used copy from Amazon. The condition was listed as very good, and it came exactly in that shape…
… only it smells like weed. You know? Mary Jane? Now it might just be from hemp-scented incense, or maybe just a pot-head security guy. I don’t mind really, but I still put the book outside for a while to get the worst fumes out. Luckily nobody had ripped pages to roll their joints in. I guess the book would then have been listed as… Cannabilized. Get it!?!