Setting vSwitch Security Policies in an ESX scripted install

This is an old post that I never really finished, and now it seems a little pointless since everything is moving to ESXi. However, we still have 3.0 and 3.5 scripted builds in our environment, so I figure others do too, and as such it may be of use to others.

As part of a scripted ESX build I was attempting to set the vSwitch Security Policies. I found a command that seemed to do what I wanted:

/usr/bin/vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-forgedxmit=false

Now the first vSwitch worked but the second one didn’t. So how do I determine whether a setting has actually been applied, for example “MAC Address Changes” (macChanges)?

First off, I tried to see if there might be a vswitch_getpolicy:

vmware-vim-cmd hostsvc/net/

No. Maybe there is a switch on vswitch_setpolicy that will return the info? No again, so I am left with:

vmware-vim-cmd hostsvc/net/vswitch_info

Which is good, as it gives a whole bunch of info for all vSwitches:

[root@esx6 tmp]# vmware-vim-cmd hostsvc/net/vswitch_info vSwitch0
(vim.host.VirtualSwitch) {
   dynamicType = <unset>,
   name = "vSwitch0",
   key = "key-vim.host.VirtualSwitch-vSwitch0",
   numPorts = 64,
   numPortsAvailable = 58,
   mtu = 1500,
   portgroup = (vim.host.PortGroup) [
      <vim.host.PortGroup:key-vim.host.PortGroup-Service Console>,
      <vim.host.PortGroup:key-vim.host.PortGroup-VMotion>
   ],
   pnic = (vim.host.PhysicalNic) [
      <vim.host.PhysicalNic:key-vim.host.PhysicalNic-vmnic1>,
      <vim.host.PhysicalNic:key-vim.host.PhysicalNic-vmnic0>
   ],
   spec = (vim.host.VirtualSwitch.Specification) {
      dynamicType = <unset>,
      numPorts = 64,
      bridge = (vim.host.VirtualSwitch.BondBridge) {
         dynamicType = <unset>,
         nicDevice = (string) [
            "vmnic1",
            "vmnic0"
         ],
         beacon = (vim.host.VirtualSwitch.BeaconConfig) {
            dynamicType = <unset>,
            interval = 1,
         },
      },
      policy = (vim.host.NetworkPolicy) {
         dynamicType = <unset>,
         security = (vim.host.NetworkPolicy.SecurityPolicy) {
            dynamicType = <unset>,
            allowPromiscuous = false,
            macChanges = false,
            forgedTransmits = false,
         },
         nicTeaming = (vim.host.NetworkPolicy.NicTeamingPolicy) {
            dynamicType = <unset>,
            policy = "loadbalance_srcid",
            reversePolicy = true,
            notifySwitches = true,
            rollingOrder = false,
            failureCriteria = (vim.host.NetworkPolicy.NicFailureCriteria) {
               dynamicType = <unset>,
               checkSpeed = "minimum",
               speed = 10,
               checkDuplex = false,
               fullDuplex = false,
               checkErrorPercent = false,
               percentage = 0,
               checkBeacon = false,
            },
            nicOrder = (vim.host.NetworkPolicy.NicOrderPolicy) {
               dynamicType = <unset>,
               activeNic = (string) [
                  "vmnic0",
                  "vmnic1"
               ],
            },
         },
         offloadPolicy = (vim.host.NetOffloadCapabilities) {
            dynamicType = <unset>,
            csumOffload = true,
            tcpSegmentation = true,
            zeroCopyXmit = true,
         },
         shapingPolicy = (vim.host.NetworkPolicy.TrafficShapingPolicy) {
            dynamicType = <unset>,
            enabled = false,
            averageBandwidth = <unset>,
            peakBandwidth = <unset>,
            burstSize = <unset>,
         },
      },
      mtu = <unset>,
   },
}

Now that’s great but how do I get just the info I want to see?

vmware-vim-cmd hostsvc/net/vswitch_info | grep forgedTransmits

Returns:

               forgedTransmits = false,
               forgedTransmits = true,

Now that’s great, but which vSwitch are the settings for? And let’s clean it up a little:

vmware-vim-cmd hostsvc/net/vswitch_info | grep -i -E '(name|forgedTransmits)' | sed 's/,//g' | awk '{print $3}'

Returns something like:

"vSwitch0"
false
"vSwitch1"
true

Now there is the additional problem that the command returns the information for all the vSwitches on this host. Is there a switch on vswitch_info that I can use? Yes, simply add the vSwitch name, like so:

vmware-vim-cmd hostsvc/net/vswitch_info vSwitch0 | grep forgedTransmits | sed 's/,//g' | awk '{print $3}'

This simply returns true or false. So now I can use this as a test and repeat it for “Promiscuous Mode” (allowPromiscuous) and “MAC Address Changes” (macChanges):

if [ "`vmware-vim-cmd hostsvc/net/vswitch_info vSwitch0 | grep forgedTransmits | sed 's/,//g' | awk '{print $3}'`" = "true" ]; then
  echo "true";
fi

Now back to the question at hand. I had seen some examples around that have sleeps in them when setting these options, waiting for the hostd-vmdb service to start properly and allow vmware-vim-cmd to run. One example (http://www.dailyhypervisor.com/wp-content/plugins/downloads-manager/upload/simple_deployment_script_1.txt) waits four (4) minutes. That doesn’t seem very, what’s the word, flexible or dynamic to me. What happens if on occasion the services take longer than 4 minutes to start properly before vmware-vim-cmd will run? I would like a way to test the setting, sleep for a time and then retry.

Now I can add the above test to a while loop:

# Retry until vswitch_info actually reports "false". Testing for != "false"
# (rather than = "true") keeps retrying when vmware-vim-cmd fails and returns
# nothing, which is exactly what happens while hostd is still starting.
while [ "`vmware-vim-cmd hostsvc/net/vswitch_info vSwitch0 | grep forgedTransmits | sed 's/,//g' | awk '{print $3}'`" != "false" ]; do
  sleep 30
  /usr/bin/vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-forgedxmit=false vSwitch0
done

Note to those new to Linux, like myself: the spaces inside the while test brackets have to be in the right places!

Ok cool, that works. How do I set it for every vSwitch? First I need to capture all the vSwitches, with a little cleanup:

esxcfg-vswitch -l | grep -i "num ports" -A 1 | grep -i -v "uplinks" | awk '/vSwitch/ {print $1}'

Returns:

vSwitch0
vSwitch1

So now I can wrap the loop in a for loop for each vSwitch, like so:

for VSWITCH in $(esxcfg-vswitch -l | grep -i "num ports" -A 1 | grep -i -v "uplinks" | awk '/vSwitch/ {print $1}');
do
  echo $VSWITCH;
  # Retry until vswitch_info reports "false"; an empty result (vmware-vim-cmd
  # not ready yet) is retried rather than being treated as done.
  while [ "`vmware-vim-cmd hostsvc/net/vswitch_info $VSWITCH | grep forgedTransmits | sed 's/,//g' | awk '{print $3}'`" != "false" ]; do
    /usr/bin/vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-forgedxmit=false $VSWITCH
    sleep 10
  done
done

and repeat for each setting change. To take it a step further I could create an array of each setting and value and cycle through that as well, but I hope you get the idea. This is what I am doing, due to time pressures, to get a project out on time.

Gotcha: use the table below; the second column is what to grep for, and the third column is the setting to change!
[table id=1 /]

I am sure there are better ways to do this, and security lock-down scripts that do the same thing. I couldn’t find them, and I do not have an RCLI or PCLI set up and wanted it done during the build process, not as an external additional step.
