{"id":75,"date":"2010-03-26T22:03:56","date_gmt":"2010-03-26T11:03:56","guid":{"rendered":"http:\/\/threemillion.net\/blog\/?p=75"},"modified":"2010-03-26T22:03:56","modified_gmt":"2010-03-26T11:03:56","slug":"settings-vswitch-security-policies-in-an-esx-scripted-install","status":"publish","type":"post","link":"https:\/\/threemillion.net\/blog\/?p=75","title":{"rendered":"Settings vSwitch Security Policies in an ESX scripted install"},"content":{"rendered":"

This is an old post that I never really finished and now it seems a little pointless since everything is moving to ESXi however we still have 3.0 and 3.5 scripted builds in our environment so I figure others would too and as such may be of use to others.<\/p>\n

As part of a scripted ESX build I was attempting to set the vSwitch Security Policies. I found a command that seemed to do what I wanted:<\/p>\n

\r\n\/usr\/bin\/vmware-vim-cmd hostsvc\/net\/vswitch_setpolicy --securepolicy-forgedxmit=false\r\n<\/pre>\n
Now the first vSwitch worked but the second one didn\u2019t. Now how do I determine if it has been set, for example \u201cMAC Address Changes\u201d (macChanges)?<\/p>\n
First of tried to see if there might be a vswitch_getpolicy<\/p>\n
vmware-vim-cmd hostsvc\/net\/<\/pre>\n
No. Maybe there is a switch on vswitch_getpolicy that will return the info. No again, so I am left with:<\/p>\n
vmware-vim-cmd hostsvc\/net\/vswitch_info<\/pre>\n
Which is good as it gives a whole bunch of info for all vSwitches<\/p>\n
[root@esx6 tmp]# vmware-vim-cmd hostsvc\/net\/vswitch_info vSwitch0\r\n(vim.host.VirtualSwitch) {\r\n   dynamicType = <unset>,\r\n   name = "vSwitch0",\r\n   key = "key-vim.host.VirtualSwitch-vSwitch0",\r\n   numPorts = 64,\r\n   numPortsAvailable = 58,\r\n   mtu = 1500,\r\n   portgroup = (vim.host.PortGroup) [\r\n      <vim.host.PortGroup:key-vim.host.PortGroup-Service Console>,\r\n      <vim.host.PortGroup:key-vim.host.PortGroup-VMotion>\r\n   ],\r\n   pnic = (vim.host.PhysicalNic) [\r\n      <vim.host.PhysicalNic:key-vim.host.PhysicalNic-vmnic1>,\r\n      <vim.host.PhysicalNic:key-vim.host.PhysicalNic-vmnic0>\r\n   ],\r\n   spec = (vim.host.VirtualSwitch.Specification) {\r\n      dynamicType = <unset>,\r\n      numPorts = 64,\r\n      bridge = (vim.host.VirtualSwitch.BondBridge) {\r\n         dynamicType = <unset>,\r\n         nicDevice = (string) [\r\n            "vmnic1",\r\n            "vmnic0"\r\n         ],\r\n         beacon = (vim.host.VirtualSwitch.BeaconConfig) {\r\n            dynamicType = <unset>,\r\n            interval = 1,\r\n         },\r\n      },\r\n      policy = (vim.host.NetworkPolicy) {\r\n         dynamicType = <unset>,\r\n         security = (vim.host.NetworkPolicy.SecurityPolicy) {\r\n            dynamicType = <unset>,\r\n            allowPromiscuous = false,\r\n            macChanges = false,\r\n            forgedTransmits = false,\r\n         },\r\n         nicTeaming = (vim.host.NetworkPolicy.NicTeamingPolicy) {\r\n            dynamicType = <unset>,\r\n            policy = "loadbalance_srcid",\r\n            reversePolicy = true,\r\n            notifySwitches = true,\r\n            rollingOrder = false,\r\n            failureCriteria = (vim.host.NetworkPolicy.NicFailureCriteria) {\r\n               dynamicType = <unset>,\r\n               checkSpeed = "minimum",\r\n               speed = 10,\r\n               checkDuplex = false,\r\n               fullDuplex = false,\r\n               checkErrorPercent = false,\r\n               percentage = 0,\r\n               checkBeacon = false,\r\n            },\r\n            nicOrder = (vim.host.NetworkPolicy.NicOrderPolicy) {\r\n               dynamicType = <unset>,\r\n               activeNic = (string) [\r\n                  "vmnic0",\r\n                  "vmnic1"\r\n               ],\r\n            },\r\n         },\r\n         offloadPolicy = (vim.host.NetOffloadCapabilities) {\r\n            dynamicType = <unset>,\r\n            csumOffload = true,\r\n            tcpSegmentation = true,\r\n            zeroCopyXmit = true,\r\n         },\r\n         shapingPolicy = (vim.host.NetworkPolicy.TrafficShapingPolicy) {\r\n            dynamicType = <unset>,\r\n            enabled = false,\r\n            averageBandwidth = <unset>,\r\n            peakBandwidth = <unset>,\r\n            burstSize = <unset>,\r\n         },\r\n      },\r\n      mtu = <unset>,\r\n   },\r\n}\r\n<\/pre>\n
Now that\u2019s great but how do I get just the info I want to see?<\/p>\n
vmware-vim-cmd hostsvc\/net\/vswitch_info | grep forgedTransmits<\/pre>\n
Returns:<\/p>\n
\r\n               forgedTransmits = false,\r\n               forgedTransmits = true,\r\n<\/pre>\n
Now that\u2019s great but which vSwitch are the settings for? And clean it up a little:<\/p>\n
\r\nvmware-vim-cmd hostsvc\/net\/vswitch_info | grep -i -E '(name|forgedTransmits)' | sed 's\/,\/\/g' | awk '{print $3}'\r\n<\/pre>\n
Returns something like:<\/p>\n
\r\n"vSwitch0"\r\nfalse\r\n"vSwitch1"\r\ntrue\r\n<\/pre>\n
Now the additional problem that the command returns the information for all the vSwitches on this host. Is there a switch on vswitch_info that I can use. Yes, simply add the vSwitch name, like so:<\/p>\n
\r\nvmware-vim-cmd hostsvc\/net\/vswitch_info vSwitch0 | grep forgedTransmits | sed 's\/,\/\/g' | awk '{print $3}'\r\n<\/pre>\n
This simply returns true or false. So now I can use this as a test and repeat for \u201cPromiscuous Mode\u201d (allowPromiscuous) and \u201cForged Transmits\u201d (forgedTransmits)<\/p>\n
\r\nif [ "`vmware-vim-cmd hostsvc\/net\/vswitch_info vSwitch0 | grep forgedTransmits | sed 's\/,\/\/g' | awk '{print $3}'`" = "true" ]; then\r\n  echo "true";\r\nfi\r\n<\/pre>\n
Now back to the question at hand, I had seen some examples around that have sleeps in them when setting these options waiting for hostd-vmdb service to start properly and allow the vmware-vim-cmd to run. One example (http:\/\/www.dailyhypervisor.com\/wp-content\/plugins\/downloads-manager\/upload\/simple_deployment_script_1.txt<\/a>) is waiting four (4) minutes. That doesn\u2019t seem very, what\u2019s the word, flexible or dynamic to me. What happens if on occasion the services take longer than 4 minutess to start properly before vwmare-vim-cmd will run. I would like a way to test the setting, sleep for a time and retry again.<\/p>\n
Now I can add the above test to a while loop:<\/p>\n
\r\nwhile [ "`vmware-vim-cmd hostsvc\/net\/vswitch_info vSwitch0 | grep forgedTransmits | sed 's\/,\/\/g' | awk '{print $3}'`" = "true"  ]; do\r\n  sleep 30\r\n  \/usr\/bin\/vmware-vim-cmd hostsvc\/net\/vswitch_setpolicy --securepolicy-forgedxmit=false vSwitch0\r\ndone\r\n<\/pre>\n
Note to the young at linux, like myself, spaces in the while command in the correct place are important!<\/p>\n
Ok cool, that works. How set it for every vSwitch? First I need to capture all the vSwitchs with a little cleanup:<\/p>\n
\r\nesxcfg-vswitch -l | grep -i "num ports" -A 1 | grep -i -v "uplinks" | awk '\/vSwitch\/ {print $1}'\r\n<\/pre>\n
Returns:<\/p>\n
\r\nvSwitch0\r\nvSwitch1\r\n<\/pre>\n
So now I can wrap the loop in a for loop for each vSwitch, like so:<\/p>\n
\r\nfor VSWITCH in $(esxcfg-vswitch -l | grep -i "num ports" -A 1 | grep -i -v "uplinks" | awk '\/vSwitch\/ {print $1}');\r\ndo\r\n  echo $VSWITCH;\r\n  while [ "`vmware-vim-cmd hostsvc\/net\/vswitch_info $VSWITCH | grep forgedTransmits | sed 's\/,\/\/g' | awk '{print $3}'`" = "true"  ]; do\r\n    \/usr\/bin\/vmware-vim-cmd hostsvc\/net\/vswitch_setpolicy --securepolicy-forgedxmit=false $VSWITCH\r\n    sleep 10\r\n  done\r\ndone\r\n<\/pre>\n
and repeat for each setting change. To take it a step further I could create an array of each setting and value and cycle through that as well, however I hope you get the idea. This is what I am doing due to time pressures to get a project out on time.<\/p>\n
Gotcha:<\/strong> Use the table below, the second column is what to grep for. The third column is the setting to change!
\n[table id=1 \/]<\/p>\n
I am sure there are better ways to do this and security lock down scripts to do the same thing. I couldn\u2019t find them and I do not have an RCLI or PCLI set up and wanted it done during the build process, not an external additional step.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is an old post that I never really finished and now it seems a little pointless since everything is moving to ESXi however we still have 3.0 and 3.5 […]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"Layout":""},"categories":[18],"tags":[22,20,21,19],"_links":{"self":[{"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/75"}],"collection":[{"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=75"}],"version-history":[{"count":19,"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/75\/revisions"}],"predecessor-version":[{"id":294,"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/75\/revisions\/294"}],"wp:attachment":[{"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=75"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=75"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threemillion.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=75"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}