System to system interaction can be hard. API integrations are a way of doing it, but we can also use a message bus. Actually I think that using a message bus is a very awesome way of doing it, it’s a very loose couple between systems and we can queue multiple things and have the task or messages in RabbitMQ until system is ready to consume the messages.
This is a guide of using vRO to pick up the RabbitMQ message and start a workflow with the payload of the message.
Adding RabbitMQ to vRO:
Open vRO legacy client, login
Expand Library > AMQP > Configuration
Start the workflow Add a broker. This will pair vRO and RabbitMQ.
Follow the wizard. I’m using a virtual host, but input all depends on your RabbitMQ config.
Subscribe vRO to a RabbitMQ queue:
From the same position in vRO, now run the workflow “Subscribe to queues“. This will make vRO aware of the queue and be able to use it as a trigger.
Now vRO is monitoring the queue, we are ready to proceed.
Creating a policy:
Now we need to create a policy that can tie the event of a message from RabbitMQ into a starting a workflow.
That was a lot of screen dumps, I hope it still makes sense.
Now you should make the policy start when vRO starts and for now also start the policy so that you can see it works. The case that is shown in the screen dumps will have a JSON as the message payload, it then sends it to the messageBody variable and then inside the script it will extract the values that it needs in for the workflow to run.
Rarely I run into a ghost VM. I can’t do anything with the VM from vCenter or local UI for the ESXi host. It looks like it’s powered off but in fact, it’s still running in a sort of ghost state. You can vMotion all VMs of and reboot that hosts that the ghost VM is on. Sometimes its standalone hosts and then killing the VMs world with esxcli is easier.
Connect to the ESXi host with ssh
Get a list of all running VM worlds
esxcli vm process list
3. Identify the world from the output and take note of the World ID. From here we will kill the world. Start with type soft and then escalate it if it doesn’t work.
esxcli vm process kill --type=[soft/hard/force] -–world-id=ID
VM should now be killed, the VMX files are unlocked and you can manage the VM with the GUI tools again. If it didn’t work then you are left with the option to reboot the host containing the ghost VM.
Even as an infrastructure guy in a datacenter you now and then have to deal with printers. The small beasts with there own life and horrible drivers! I always forget the path for where the spooler puts its temp files. So now I put it here for future me to find it again next time I have to clear spooler files and restart det print services.
GUI way is slow and by having the CMD edition you can always guess what should be done in the GUI.
Open an elevated command prompt.
Type net stop spooler then press “Enter“.
Execute del %systemroot%\System32\spool\printers* /Q
Type net start spooler then press “Enter“.
The print queue on your Windows should now be cleared.
Most of the time you would want to use VMware Update Manager when doing upgrade. Its part of vCenter and is necessary tool when having to maintain your environment. But for smaller deployments, with standalone hosts and no vCenter the following upgrade methods are desired and can help the upgrade time. Instead of having to upgrade with IPMI and an ISO.
This method is for getting the update online, no need to download ISO/offline bundles, etc. This will work for most of the upgrade use cases.
1: Connect to your ESXi host via the host client and enable SSH. Afterward ssh to the ESXi host and enable ESXi firewall rule to allow the host to access the internet.
esxcli network firewall ruleset set -e true -r httpClient
2: With the beneath command you will get a list of available ESXi packaged that are on the VMware repos. Enter this command to list all available profiles. We filter only those which are relevant to our case – upgrade to ESXi 6.7
4. After it’s done, you will need to restart the host, after its rebooted you will run on the new ESXi version.
Custom, with Offline bundle:
This method is for when you desire to install a custom update, or that your hosts down have access to the internet.
1: Download the offline bundle from the VMware webpage, in this upgrade I will use an HPE custom version. But if you run a generic version, that will also work.
2: After downloading the “VMware-ESXi-6.7.0-8169922-depot.zip” file, place it (upload it) to a datastore which is visible by your ESXi host. Best would be a local datastore if this host has some. If not, it can also be a shared datastore too.
3: Find the profile name from the depot offline bundle
esxcli software sources profile list -d /vmfs/volumes/prd.r60lun01/ISO/VMware-ESXi-6.7.0-Up
Put your host into maintenance mode, enable SSH if you haven’t done yet.
3: Execute this command to upgrade your ESXi 6.x to 6.7
I always forget how to do curtain stuff on juniper equipment, the more I do in the CLI the better I become. Many of below commands and settings will be obvious for most, but I am still learning, so bear with me. As time goes I will add more commands and tips and tricks in this post.
LLDP – Showing other LLDP or CDP enabled neighbours that are on the other end of the wire. I used the enable on specific interface, thinking strict is better. So that I know where its uses LLDP.
- To configure LLDP on all interfaces:
[edit protocols lldp]
user@srx# set interface all
- To configure LLDP on a specific interface:
[edit protocols lldp]
user@srx# set interface interface-name
- show lldp neighbors
user@srx> show lldp neighbors
Configuring access/trunk interface – my SRX delivered the native vlan on a accessport over to the switch, I wanted it to be a trunk port because I added more vlan to be routed in the SRX. Could not get it to work. Thanks to the “commit confirmed” feature is could easily try gain. Fix was to have the native vlan with as a member in the trunk configuration….
- Access port
user@srx> set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access vlan members 10
- Trunk port with native vlan, remember to add the native vlan to member of trunk, else you cut your self off.
user@srx> set interfaces ge-0/0/1 native-vlan-id 3
user@srx> set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
user@srx> set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
Juniper have a great feature when having to change config, you do you configuration change and then you commit it all. The commit command can also be chained with confirmed. If there is something in the config that cut your off management or if has some other flaw you can tell it to rollback if you haven’t confirmed the change after a specified time of commit.
- Save changes with commit and tell it to rollback unless you confirm the change. The last number is the number of minuts before the srx does auto rollback.
user@srx# commit confirmed 2
- Confim the config after it all went well
user@srx# commit check
- An other nice paremeter to commit is comment. Here you can write what your config change does, and maybe even what change request number is an behalf of.
user@srx# commit comment "This adds vlan trunk to uplink switch on port ge-0/0/1."
- Just another nice parameter. Prepare the config and make it active on other schedule or when the service windows is open. just nice.
user@srx# commit prepare
-- When its time you can active it.
user@srx# commit activate
- If you are interested in what's happening in the commit process, then you can monitor it.
user@srx# commit | display detail
DHCP – When you Junos device is doing DHCP its nice to know the IP it handed out to took for that matter
- Showing the DHCP leases that it handed out
user@srx> show dhcp server binding
- Showing the DHCP leases that it took with its own DHCP client.
user@srx> show dhcp client binding
Rollback and compare, another nice feature to help you see what have been happening on the device. You can compare older with newer or current configs.
- Give you a compare of the config that was 3 revisions back with current config.
user@srx> show system rollback 3 compare 0
NTP – settings up NTP.
- Add NTP servers and Junos will change over to use NTP instead of local time setting. Setting 5 servers from 0.dk.pool.ntp.org.
user@srx# set system ntp server 22.214.171.124
user@srx# set system ntp server 126.96.36.199
user@srx# set system ntp server 188.8.131.52
user@srx# set system ntp server 184.108.40.206
- Verify NTP servers
user@srx> show ntp associations
- Add DNS server for lookups
user@srx# set system name-server 192.168.2.253
- Verify from configuration
user@srx> show configuration system name-server
Add user and insert ssh key for quick access. Feel free to add my public key 😉
set system login user jvradm class super-user authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/VPq30qzyJHr8v6qh1vF1CVY8R9U09iCkqnIs9H6d9hBOeDu/e52rPj2BOQUfHwBmGRPVqZUyuOO20hDgT/BzP0QxISv9l2OpFariz8AmHu9m4kUwAdrBDvplw8fFeafppUwQF/aFsIF+t1PtFluz0Bp3N/sp3NQGWfkez7myctGc9X3eMc6oUAYrPPJeDZz1x5JoGdwdH/w6wjr3uK03kRx6TX1kNqxSypIQQ/8lYg1TG7yAuF5DhX4fJrPjpiLau1H6z0vChVpqY1q8oMntzHHtYtByFMrNtWFfAvG94BT27h/Lkmz5JM5d41TbL0YdZT8zCTrXzUG87wdEaRiB5ZeKy9LENgfxKO66scSU2gjiXwpyJTrHKZYz9g5EERH/41w+qMT90HAM3ArSIvk7pROoKhZy0IeOwfWbmMlQvKQFjS7OtKnFEeVUYRqnLvi3XeUiFbLxmW3ID8IqQy3iDNuESiVNRcp/PoN7lxL9cfGJdXBuJ3PBcaQZx/vQpePRqW9eBSmhhS1beIUlLV0UOFdRGTMMMjOlp7m7jaw5EnvztbInfPOdMPoUuSL9iGut7M0SVMgEzo0MiJDHNdLQYK0EKO8qrWMz76UHhpdnhOQNdi3/wtVVzxVUR/D9zBa1q2oL8ml7jKVubVbBd6Vm0lEEquDEN3I9Dan/Ev0j9w== jr@mbp"
NSX upgrades can be a delicate thing to upgrade, even though everything is in its finest shape.
After we successfully have upgrade the NSX managers we proceeded with upgrading of the NSX Controllers. We did pre-check and issued command “show control-cluster status” and it looked fine, upgrade to 6.4.6 went well and we could vMotion VMs around after the controller was booted. But post-checks was not ok, the “show control-cluster status” did not return as expected and we where not confident to proceed with the host upgrades.
After some trouble shooting we found that the /var/log partition on 2/3 of the controllers where full. Without any other evidence we concluded that this was the problem. After some google-fu we didn’t find any KB or blogs on how to purge logs.
But we found out that we could get into a engeering mode that would give us shell access. Long store short, we did the following:
1. https://kb.vmware.com/s/article/2149630 to gain shell access on manager 1.1 password is IAmOnThePhoneWithTechSupport 2. Extracting root passwords for controllers with /home/secureall/secureall/sem/WEB-INF/classes/GetNvpApiPassword.sh controller-nn 3. Loged into each controller, and issued : debug os-shell and thereby gain root shell access. 4. Deleted /var/log/syslog.1 on each node. 5. Rolling restart of controllers and after they booted they all joined the cluster.
After this we got the status as we wanted. In the mean while we had create a case with VMware support and the supporter was on a remote session with us. We told him what we have done, we verified that the controlleres was health and they where.
Next step, VIB upgrade on the hosts.
Good commands to know:
Look after if the controllers is busy or doing something
show process monitor
Gives a list over the controllers in the cluster and how they are doing
show controller list all
Show how the controller is doing in the cluster
show control-cluster status
Edit: This article from VMware have the exact problem we encountered. We also contacted VMware Support, but before they where able to assist us we had the problem solved. 🙂 https://kb.vmware.com/s/article/59509
Quick post, had to make Tomcat9 and Java12 work together. The procedure is as follows:
1. pkg install tomcat9 (it will also install java8)
2. pkg install openjdk12
Now and edit /etc/rc.conf with a parameter to start tomcat on boot and set the tomcat java_home.
And not to part that took me a long time to figure out. In Java12, there is no longer a feature that tomcat is using in its startup parameters. But if you remove that from the init script you are able to start it up. The line is: Djava.endorsed.dirs=’/usr/local/apache-tomcat-8.0/endorsed’ \
Mail spoffing etc. is a big problem, there are technologies that can help, but many domain owners have not yet implemented them. To help our customers we have started to monitor and see if the SPF, DKIM and DMARC policies have been implementened, and if not we can help 🙂
Our own spamfilter solution have a button that gives you an export over all the domains, nice and easy, but Office 365 CSP portal doesnt.
So there is a quick script to help with that. Next post will hopefully contain the checkscript for if the domain have implemented SPF, DKIM or DMARC.
This is from a VMware support experience. A customer could not change DNS server parameters of the NSX Edge IP Pool. But actually is was a problem due to a bug in VCD 9.5, where a Edge XML config was missing some tags and therefor not being able to validate the XML when VCD post the edited XML config back to NSX manager.
I have attached VMware support answer in the bottom of the post.
Script will get all edges from the NSX manager, then you find the correct one and fill into the next part of the script. Then you get the XML down to a file on your local machine, you then edit the file and put in the missing tags and lastly PUT the XML backup NSX manager. After this operation, it works from the GUI again.
– The issue you are seeing is a known issue 9.5.
– Like I mentioned in the previous email, this is due to missing elements from the xml.
– From the xml in the logs, I could see there are 52 NAT rules on that edge.Correct me if I am wrong. The following 2 rules had the elements missing
Quick post, had a customer that yearly wants a clone of there VMs, copied to a NAS and then shipped to customers HQ. The owner of the company put this as a requirement. Fair enough. I have almost always done the clone of the VMs by GUI, in the start this was easy because they only had 5 servers, but they now have more. So this time i wanted to try and script it instead. It toke my some extra time, but in the end i think its worth it. My PowerShell skills is not great, still learning so bear with me.
$vcenter=<IP or hostname>
$cluster=<name of cluster that contains the servers>
Ran into a annoying problem, have been having this problem multiple times of past, and never remember what the fix is. So now its on the blog for next time that i need it. Use the shell option in the freenas installer, the disks that i wanted to install onto was ada0 and ada1.
Had en interesting problem where a ESXi host only showed it had 30GB of memory, but the motherboard was populated with 6*8GB modules. In earlier versions of ESXi 5.5< it was possible to use dmidecode to show how the physical hardware was populated. But since 6.0> that have been removed.
The new command to find those kind of information are now “smbiosDump”
Show memory population
You can also just run smbiosDump without any paramenters and you get a hole lot of information to crawl through.
I outdated FreeBSD 10.1-Stable server needed to be updated for it to install packages again. Problem was, it was deployed from stable, i normally never use stable because it not production ready, its a development branche. But this server was stable and here are the steps to get it to a release train.
Had to resync master-slave replication setup. Here are my notes on how it’s done.
Binary bin-log files are kept for 7 days on DB1. If the replication is stopped for more than a week DB2 replication cannot start again due to the binary log files is no longer available. therefor a fresh dump is needed and DB2 replication can be started again from the master log position.
Single-transaction, makes it possible to do the dump without locking the database, very useful when having to dump from a production database. But while not locking the DB you may not create or alter table schema. Mysql documentation link
master-data, is very useful because it records the master position when doing the dump and putting it into the output of the dump file. Therefore it is much easier to start the slave from the correct position. The number 2 is for only printing it to the output as a comment. Mysql documentation link
event and routines, if there are any stored procedures or like in the old server we take them with us. Mysql documentation link
When the dump is done we move the dump file over to the other server. Here we import it to the MySQL server if there already were an old database in place, drop it and create it again. zcat <DATABASE>.sql.gz | mysql <database>
Also, have a look at the head of the dump file where we will find the master position data that we need to start the replication again.
gzip -cd <DATABASE>.sql.gz | head -n24
Now we have the position and need the user for replication. I did it on an older 5.5 database, in newer MySql servers it is done differently.
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%' IDENTIFIED BY 'happyS3ed99'';
Or if the user is in place and you just need to reset the password: SET PASSWORD FOR ‘repl’@‘192.168.10.11’ = PASSWORD('happyS3ed99'); FLUSH PRIVILEGES;
When it is imported we need to setup the master to master(slave) replication again. Remember to have a user on DB1 that is allowing replication from the DB2 server and have the user and password ready CHANGE MASTER TO MASTER_HOST='<IP>',MASTER_USER='repl', MASTER_PASSWORD='happyS3ed99', MASTER_LOG_FILE='mysql-bin.000849', MASTER_LOG_POS=758329777 ;
It will now start to replicate from the master, now you can do a “mysql -e ‘show slave status\G'” and see if the slave IO is running as it should.
Notthing more greate than getting a call from HQ 30 minutes after closing hours. Never the less i decided to take the call. Network problem onsite at customer…. After getting green light from women in charge, i got in the car an when on to the customer.
Connection with the USB cable to the SRX console port i got a weird boot sequence. Just like the following:
Either the Junos partition was corrupt or the disk inside of the unit was fried. Decided to try and install Junos again just see if that would help. Went to juniper.net and downloaded the oldest Junos version available, junos-srxsme-12.3X48-D10.3-domestic.tgz. Found a USB drive and put the .tgz file on it and plugged it in the SRX. From the console i broke the bootloader while its was trying to find kernel and issued the following command.
Load tgz on SRX from console
I began to install Junos, but when it tried to create partitions on the card, it died with DMA errors. Great!
Since a SRX550 is not something you find everyday and spareparts a hard to get (support was also expired) i decided to take the srx apart. happily to find a CF card inside and luckily i found a kingstone CF card in my bag (I knew that would come in handy someday). Swapped the card and put it together again.
Power on and issued the install command again. This time with success.
The install of Junos take sometime, a long time 20 minutes. But then you also get a very nice login prompt. logged in with root and no password. Went into cli configuration mode and did a “delete” to wipe the factory config. then loaded the backup configuration with
load overwrite terminal
load overwrite terminal
Pasted the 55kb JSON config into the console and finished with a ctrl+d followed by a commit. commit success and all network was suddenly alive again.
just to make all the LEDs green on the SRX i did wrote the config to rescue config. This is in operational mode.
request system configuration rescue save
A happy consumer and hopefully a new Juniper SRX1500 firewall on its way to relive the SRX550 off its duties.
Had a minor problem with a host that was not able to configure HA agent after a vCenter update, 6.5 build 15000 to build 21000. It was the only host in the cluster that had the error.
– set the host in and out of maintenance mode and to move the host out and in of the cluster. Did not help.
– disable and enable of HA on cluster level work for all the other host, but not my stubborn one.
Reading a VMware 2056299 told me to manuel uninstall the HA vib (vmware-fdm) with
esxcli software vib remove-nvmware-fdm
After successfully uninstall i took the host out of maintenance and did a Disable/enable HA on cluster level, and volia it now works.
GUI is always a bit slow to update, but with PowerCLI you get current status.
Normally when I get a certificate from a customer I often get it in PFX format, but NSX Edge wants it in PEM format. What often is confusing here is that the when converting the PFX the private key gets out in the PKCS8 format but Edge wants the private key in PKCS1 format.
Here is a write-up of the conversion. You will need OpenSSL on the machine that you work on windows, UNIX or macros doesn’t matter.
First, we will need to spit the PFX into .crt and .key with these two commands
Now you can go to your NSX Edge and import the certificate with .crt and pricate_pkcs1.key files
Later on, I have found that I need to import the certificate with the intermediate certificate of the signing 3. party. In my case its GoDaddy. To do this we convert the certificates to .PEM and afterward.