Rick Blythe

About Rick Blythe

Social Media Program Manager for VMware, Rick Blythe manages the Twitter handle @vmwarekb and curates the Support Insider Blog.

ALERT: Bash Code Injection Vulnerability aka Shellshock

On Sept 24, 2014, a critical vulnerability in Bash (CVE-2014-6271, CVE-2014-7169) was published that may allow for remote code execution. The VMware Security Engineering, Communications, and Response group (vSECR) has been actively investigating the impact this vulnerability may have on our products.

For further information and updates on this vulnerability, refer to KB article: VMware assessment of Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271 CVE-2014-7169, aka “Shellshock”) (2090740).

Note: For information regarding VMware customer portals and web sites, see Impact of bash code injection vulnerability on VMware Customer Portals and web sites (CVE-2014-6271 and CVE-2014-7169, aka “shellshock”) (2090817).

Generating and Troubleshooting SSL certificates in View

Next up in our series of VMware View topics, we’re going to talk about security. I spoke with a couple of our top support engineers about View security and they identified three Knowledgebase articles that solve more support requests than any others in the area of security, namely SSL certificates. They recommend customers use:

In View 5.1 and later, you configure certificates for View by importing the certificates into the Windows local computer certificate store on the View server host. By default, clients are presented with this certificate when they visit a secure page such as View Administrator. You can use the default certificate for lab environments, and one could even make the argument that it is OK for fire-walled environments, but otherwise you should replace it with your own certificate from a trusted CA (Verisign, GoDaddy, others) as soon as possible. They also told me you should use an SSL certificate from a trusted CA when setting up a Security Server for your environment when the Security Server can be used from outside your firewall (Internet) to access View desktops inside your firewall.

My engineers stressed to me the importance of following each step in these KBs one at a time when you are filling out the forms on those sites to obtain your certificate. It is easy to make a mistake and you might not receive something that will work for you.

Note: The default certificate is not signed by a commercial Certificate Authority (CA). Use of noncertified certificates can allow untrusted parties to intercept traffic by masquerading as your server.

 

When Linked Clones Go Stale

One of the biggest call drivers within our VMware View support centers revolves around linked clone pools. Some of your users may be calling you to report that their desktop is not available. You begin to check your vCenter and View Administrator portal and discover some of the following symptoms:

  • You cannot provision or recompose a linked clone desktop pool
  • You see the error:
    Desktop Composer Fault: Virtual Machine with Input Specification already exists
  • Provisioning a linked clone desktop pool fails with the error:
    Virtual machine with Input Specification already exists
  • The Connection Server shows that linked clone virtual machines are stuck in a deleting state
  • You cannot delete a pool from the View Administrator page
  • You are unable to delete linked clone virtual machines
  • When viewing a pool’s Inventory tab, the status of one or more virtual machines may be shown as missing

There are a number of reasons this might happen, and KB: 2015112 Manually deleting linked clones or stale virtual desktop entries from the View Composer database in VMware View Manager and Horizon View covers resolving this topic comprehensively, but let’s discuss a bit of the background around these issues.

When a linked clone pool is created or modified, several backend databases are updated with configuration data. First there is the SQL database supporting vCenter Server, next there is the View Composer database, and thirdly the ADAM database. Let’s also throw in Active Directory for good measure. With all of these pieces each playing a vital role in the environment, it becomes apparent that should things go wrong, there may be an inconsistency created between these databases. These inconsistencies can present themselves with the above symptoms.

Recently a new Fling was created to address these inconsistencies. If you’re not acquainted with Flings, they’re tools our engineers build to help you explore and manipulate your systems. However, it’s important to remember they come with a disclaimer:

“I have read and agree to the Technical Preview Agreement. I also understand that Flings are experimental and should not be run on production systems.”

If you’re just in your lab environment though, they are an excellent way to learn and understand the workings of your systems at a deeper level. Here is the Fling: ViewDbChk. For production systems we recommend following the tried and true procedures documented in KB 2015112. The KB includes embedded videos to help walk you through the steps.

VMware View – Top 20 KB Articles

Hey there VMware View implementers, here’s a top 20 VMware View specific KBs list to help you avoid issues that many of you have reported. This list is hand picked by our View Support Engineers. Keep this list handy.

  1. VMware Horizon View trending issues by product version (2089340)
  2. Manually deleting linked clones or stale virtual desktop entries from the View Composer database in VMware View Manager and Horizon View (2015112)
  3. Troubleshooting SSL certificate issues in VMware Horizon View 5.1 and later (2082408)
  4. Troubleshooting VMware Horizon View HTML Access (2046427)
  5. Troubleshooting a black screen when logging into a Horizon View virtual desktop using PCoIP (1028332)
  6. Pool settings are not saved, new pools cannot be created, and vCenter Server tasks are not processed in a Horizon View environment (2082413)
  7. VMware View Composer installation best practices and troubleshooting (2083555)
  8. Moving a persistent data disk to another View desktop (1033286)
  9. Configuring VMware View Event database on an SQL server fails with the error: An error occurred while attempting to configure the database (1029537)
  10. Enabling RSA SecurID authentication on a View Connection Server fails when there are multiple network interfaces on the Connection Server (2043055)
  11. Manually deleting replica virtual machines in VMware Horizon View 5.x (1008704)
  12. Troubleshooting Horizon View user permission issues with vCenter Server (2085142)
  13. Troubleshooting Persona Management (2008457)
  14. Investigating VMware View Composer failure codes (2085204)
  15. Generating and importing a signed SSL certificate into VMware Horizon View 5.1/5.2/5.3 using Microsoft Certreq (2032400)
  16. Managing persistent disks in VMware Horizon View 4.6 and later (2086416)
  17. Troubleshooting Agent Unreachable status in VMware Horizon View (2083535)
  18. Performing maintenance or Composer operations on the VMware Horizon View desktops fail (2086530)
  19. Connections to the Horizon View Connection Server or Security Server fail with SSL errors (2072459)
  20. Performing maintenance or Composer operations on the VMware Horizon View desktops fail (2086530)

Come see us at VMworld!

Once again this year, the folks behind Knowledge Experience are coming to VMworld to showcase all the new things we’ve been up to since last year. I am sure you are asking why it is called Knowledge Experience. We have a new mission and vision: to provide contextual content to the customer to ensure they can solve their issue before they need to create a service request. We are looking for your insights and feedback on how you would like to see this.

Some of you will remember the great vSphere networking posters we were handing out last year. We’re happy to announce we have another one – this time for VMware View. All the interconnecting ports/protocols… these look great on the wall! To get yours, come say hello to Rick Blythe at the VMware Communities Info Desk in the Hang Space during these times:

  • Monday: 11am – 2pm
  • Tuesday: 11am – 2pm
  • Wednesday: 1pm – 4pm

That’s not all — in the Solutions Exchange Sharon, Robyn, and Rick have two demos for you:

  1. New My VMware Web Portal prototype
  2. New My VMware iPhone App prototype

We’re really pumped to hear what you have to say about how we can provide you more contextual content to help you solve problems before creating a support request, reducing your time and effort so that you can get back to your day jobs. We’ll be right next to the My VMware pod. Our pod is titled:

Using Knowledge to Get Answers Quickly

  • Leverage online self-help support
  • Prevent or resolve problems quickly
  • Provide input to new concierge model

We hope you drop by; we’d love to hear what you think!

See you there!

ALERT: Storage Controllers for Virtual SAN that are no longer supported

As part of VMware’s ongoing testing and certification efforts on Virtual SAN compatible hardware, VMware has decided to remove some controllers from the Virtual SAN compatibility list. While fully functional, these controllers offer IO throughput that is too low to sustain the performance requirements of most VMware environments.

For more information, see KB article: Storage Controllers previously supported for Virtual SAN that are no longer supported (2081431). If you have purchased Virtual SAN for use with these controllers, contact VMware Customer Service for next steps.

Note: Any updates to this issue will be reflected in the aforementioned KB article. To be alerted when this article is updated, click Subscribe to Document in the Actions box on the KB article page.

Popular tweets

Here’s an interesting top 20 list. In the last 30 days, these were the tweets from our @vmwarekb account that got the most sharing from our customers. Perhaps you missed something on our list you’d be interested in.

Oh, and if you don’t follow us on Twitter, why not?

How to restart the Management agents on a VMware vSphere ESXi or ESX host
Poor network performance when using VMXNET3 adapter for routing in a Linux guest operating system (2077393)
Configuring the ESXi host with Active Directory authentication
Configuring the ESXi host with Active Directory authentication (2075361)
ESXi host initiates ARP Broadcast storm to NFS server (2080034)
Veeam virtual machine backups fail with the error: The host is not licensed for this feature (2080352)
Downgrading device drivers in VMware ESXi 5.x (2079279)
ESXi 5.5 … purple … screen error:#PF Exception 14 in world 33426: vmkeventd IP 0x418002c71507 addr 0x0 (2061842)
Storage Controllers previously supported for VSAN that are no longer supported (2081431)
VMware ESXi 5.1, Patch Release ESXi510-201406001 (2077640)
VM loses network connectivity during migration … in vCNS 5.1.4 and 5.5.2 and NSX for vSphere 6.0.4 (2080479)
Copying a file is slow on HTTP connections in vCenter Server (2081624)
VMware ESXi host in the vSphere Distributed Switch (vDS) are out of sync (2081052)
Preparing Windows 2008 R2 SP1 Server as a desktop to be deployed by Horizon DaaS (Desktone) (2080765)
Adding an Integrated Active Directory (IWA) Identity Source without the vSphere Web Client for vCenter SSO (2063424)
Upgrade paths and product compatibility for PowerCLI versions that feature OpenSSL security fixes (2082132)
Upgrading VMware vCenter Server 5.5 to a 5.5.x version using Simple Install fails (2074676)
VMware ESXi 5.1, Patch ESXi-5.1.0-20140604001-standard (2077642)
Dell EqualLogic Multipathing Extension Module (MEM) in View environments storage performance degradation (2078451)
Booting the ESXi host fails at Initializing scheduler (2077712)

VMware Support Options

Ever wondered what all of your options are when it comes to technical support from VMware?

Listen to David Hulbert as he provides a 3 minute overview of VMware Technical Support, describing all of the levels of support options available.

 

Using vSphere ESXi Image Builder to create an installable ISO that is not vulnerable to Heartbleed

Here is a follow-up post from Andrew Lytle, member of the VMware Mission Critical Support Team. Andrew is a Senior Support Engineer who specializes in vCenter and ESXi related support.

VMware recently released updates to all products affected by the vulnerability dubbed “Heartbleed” (CVE-2014-0160): http://www.vmware.com/security/advisories/VMSA-2014-0004.html

As per KB article: Resolving OpenSSL Heartbleed for ESXi 5.5 – CVE-2014-0160 (2076665), the delivery method for this code change in the VMware ESXi product is through an updated ESXi vSphere Installation Bundle (VIB). VIBs are the building blocks of an ESXi image. A VIB is akin to a tarball or ZIP archive in that it’s a collection of files packaged into a single archive.

Typically a new ESXi ISO file will be made available only during major revisions of the product (Update 1, Update 2, etc). If you need an ESXi 5.5 ISO which is already protected from Heartbleed, you can make your own ISO easily using vSphere PowerCLI.

The PowerCLI ImageBuilder cmdlets are designed to make custom ESXi ISOs which have asynchronous driver releases pre-installed, but they can also be used in a situation like this to make an ISO which lines up with a Patch Release instead of a full ESXi Update Release.

In this post we will cover both the ESXi 5.5 GA branch, as well as the ESXi 5.5 Update 1 branch. Choose the set of steps which will provide the ISO branch you need for your environment.

Creating an ISO based on ESXi 5.5 GA (Pre-Update 1)

These steps are for downloading the requirements for creating an ISO which is based on the ESXi 5.5 “GA” release, which was originally released 2013-09-22.

Step 1: Download the Required Files

When creating a custom ESXi image through Image Builder, we need to start by downloading the required files:

Install PowerCLI through the Windows MSI package, and copy the zip files to a handy location. For the purposes of this example, I will copy these files to C:\Patches\

Step 2: Import the Software Depot

  • Add-EsxSoftwareDepot C:\Patches\ESXi550-201404020.zip

Step 3: Confirm the patched version (optional)

If you wish to confirm the esx-base VIB (which includes the Heartbleed vulnerability code change) is added correctly, check that the VIB has a Version of 5.5.0-0.15.1746974 and a Creation Date of 4/15/2014.

  • Get-EsxSoftwarePackage -Name esx-base

Step 4: Export the Image Profile to an ISO

  • Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140401020s-standard -ExportToISO -FilePath C:\Patches\ESXi5.5-heartbleed.iso

Creating an ISO based on ESXi 5.5 Update 1

These steps are for creating an ISO which is based on the ESXi 5.5 “Update 1” release, which was originally released 2014-03-11.

Step 1: Download the Required Files

When creating a custom ESXi image through Image Builder, we need to start by downloading the required files:

Copy the zip files to a handy location. For the purposes of this example, I will copy it to C:\Patches\

Step 2: Import the Software Depot

  • Add-EsxSoftwareDepot C:\Patches\ESXi550-201404001.zip

Step 3: Confirm the patched version (optional)

If you wish to confirm the esx-base VIB (which includes the Heartbleed vulnerability code change) is added correctly, check that the VIB has a Version of 5.5.0-1.16.1746018 and a Creation Date of 4/15/2014.

  • Get-EsxSoftwarePackage -Name esx-base

Step 4: Export the Image Profile to an ISO

  • Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140404001-standard -ExportToISO -FilePath C:\Patches\ESXi5.5-update1-heartbleed.iso
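
Steps 2 to 4 of either branch can be combined into one PowerCLI function that refuses to export unless the esx-base VIB inside the image profile matches the patched version quoted above. This is an added example, not part of the original post or VMware's KB; New-PatchedEsxiIso is a hypothetical helper name, and the script assumes a PowerCLI session with the Image Builder cmdlets loaded and PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example (not from the original post). New-PatchedEsxiIso is a
# hypothetical helper; depot, profile and version values come from the steps above.
function New-PatchedEsxiIso {
    param(
        [Parameter(Mandatory = $true)] [string] $DepotZip,
        [Parameter(Mandatory = $true)] [string] $ProfileName,
        [Parameter(Mandatory = $true)] [string] $ExpectedEsxBase,
        [Parameter(Mandatory = $true)] [string] $IsoPath
    )
    $ErrorActionPreference = 'Stop'
    if (-not (Test-Path -LiteralPath $DepotZip)) {
        throw "Depot zip not found: $DepotZip"
    }

    # Step 2: import the offline bundle as a software depot
    $depot = Add-EsxSoftwareDepot $DepotZip
    try {
        # Step 3: check the esx-base VIB that is actually part of the profile
        $imageProfile = Get-EsxImageProfile -Name $ProfileName
        if (-not $imageProfile) {
            throw "Image profile '$ProfileName' not found in $DepotZip"
        }
        $esxBase = $imageProfile.VibList | Where-Object { $_.Name -eq 'esx-base' }
        if (-not $esxBase) {
            throw "Profile '$ProfileName' contains no esx-base VIB"
        }
        if ("$($esxBase.Version)" -ne $ExpectedEsxBase) {
            throw "esx-base is $($esxBase.Version), expected $ExpectedEsxBase; not exporting"
        }

        # Step 4: export the ISO only after the version check has passed
        Export-EsxImageProfile -ImageProfile $imageProfile -ExportToIso -FilePath $IsoPath

        # Record a SHA-256 of the ISO so later copies can be compared against it
        Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256
    }
    finally {
        # Unload the depot so a second run does not mix GA and Update 1 packages
        Remove-EsxSoftwareDepot $depot
    }
}

# ESXi 5.5 GA branch
New-PatchedEsxiIso -DepotZip 'C:\Patches\ESXi550-201404020.zip' `
    -ProfileName 'ESXi-5.5.0-20140401020s-standard' `
    -ExpectedEsxBase '5.5.0-0.15.1746974' `
    -IsoPath 'C:\Patches\ESXi5.5-heartbleed.iso'

# ESXi 5.5 Update 1 branch
New-PatchedEsxiIso -DepotZip 'C:\Patches\ESXi550-201404001.zip' `
    -ProfileName 'ESXi-5.5.0-20140404001-standard' `
    -ExpectedEsxBase '5.5.0-1.16.1746018' `
    -IsoPath 'C:\Patches\ESXi5.5-update1-heartbleed.iso'
```

Unloading the depot in the finally block matters when both branches are built in one session: with both depots loaded, Get-EsxSoftwarePackage -Name esx-base returns more than one esx-base version.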

Installing the ESXi ISO

The ISO file which was created in these steps can be used in exactly the same manner as the normal VMware ESXi 5.5 ISO. It can be mounted in a remote management console, or burned to a CD/DVD for installation.

Top 20 Articles for April 2014

Here is our Top 20 KB list for April 2014. This list is ranked by the number of times a VMware Support Request was resolved by following the steps in a published Knowledge Base article.

  1. Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: “Heartbleed” (2076225)
  2. VMware ESXi 5.x host experiences a purple diagnostic screen mentioning E1000PollRxRing and E1000DevRx (2059053)
  3. Installing Windows in a virtual machine using VMware Fusion Easy Install (1011677)
  4. Installing async drivers on VMware ESXi 5.0, 5.1, and 5.5 (2005205)
  5. Re-pointing and re-registering VMware vCenter Server 5.1 / 5.5 and components (2033620)
  6. Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5 (2076692)
  7. Resolving OpenSSL Heartbleed for ESXi 5.5 – CVE-2014-0160 (2076665)
  8. Purging old data from the database used by VMware vCenter Server 4.x and 5.x (1025914)
  9. Troubleshooting Fusion virtual machine performance issues (1015676)
  10. Investigating virtual machine file locks on ESXi/ESX (10051)
  11. Unmounting a LUN or detaching a datastore/storage device from multiple VMware ESXi 5.x hosts (2004605)
  12. Uninstalling and manually installing VMware Tools in VMware Fusion (1014522)
  13. Determining Network/Storage firmware and driver version in ESXi/ESX 4.x and ESXi 5.x (1027206)
  14. Resetting the VMware vCenter Server 5.x Inventory Service database (2042200)
  15. Installing VMware Tools in a Fusion virtual machine running Windows (1003417)
  16. Permanent Device Loss (PDL) and All-Paths-Down (APD) in vSphere 5.x (2004684)
  17. Manually deleting linked clones or stale virtual desktop entries from the View Composer database in VMware View Manager and Horizon View (2015112)
  18. Upgrading to vCenter Server 5.5 best practices (2053132)
  19. Installing or upgrading to ESXi 5.5 best practices (2052329)
  20. Installing vCenter Server 5.5 best practices (2052334)