Scope of this Blog

I just gave someone unsolicited advice (ignoring all I know about „nonviolent communication“ – sorry for that!) to include a „Scope“ in his blog:

  • he wrote an article on how to set up a Raspberry Pi but skipped all security considerations about how to set up a production computer system.

I assume

  • many readers of his blog don’t have a clue how to harden a Linux-based Raspberry Pi.

I assume:

  • those readers need at least a hint:
    • „there are additional steps required“
  • or even better, concrete advice:
    • „what to do next“ – maybe in a follow-up article.

How many people have become part of a botnet because they followed incomplete internet blogs?

I should read my own book?

Of course, my blog lacks a scope, too – I’ll prioritize this on my todo list.

I think it might be worthwhile never to forget or ignore the security considerations required by RFC 2223 Section 9 https://tools.ietf.org/html/rfc2223#page-11:

   All RFCs must contain a section near the end of the document that
   discusses the security considerations of the protocol or procedures
   that are the main topic of the RFC.

Those guys had to learn it the hard way, since „all“ protocols defined by IETF RFCs were inherently insecure. DNS? TFTP? FTP? Security? Not part of the „Scope“ 😉

I’d like to propose:

   All Blog-Articles must contain a section near the end of the document that
   discusses the security considerations of the procedures
   that are the main topic of the Blog-Article.

Terraform: Enable persistent Debugging

Setting the environment variable

  • TF_LOG

to an arbitrary value enables „TRACE“-level debugging

  • also available: DEBUG, INFO, WARN or ERROR

written to „STDOUT“; setting

  • TF_LOG_PATH

writes it to a file instead.

PS C:\RH\> $env:TF_LOG = "TRACE"
PS C:\RH\> $env:TF_LOG_PATH = "c:\temp\tf.log"

When running e.g. „terraform apply“, all debug messages are appended to the specified file.
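The same persistent logging set up from a POSIX shell on Linux/macOS, as an added example that is not code from the post (which uses PowerShell on Windows): because TF_LOG_PATH is appended to on every run and TRACE output includes the provider's API traffic, the helper creates the log file owner-only before Terraform touches it and offers a way to switch logging off again. The level mapping mirrors the behaviour described above (any unknown value means TRACE); the temporary file at the end is a constructed stand-in for a real log path.

```shell
#!/bin/sh
# Added example: persistent Terraform debug logging with a protected log file.
# Only TF_LOG and TF_LOG_PATH (both documented Terraform variables) are used.

# Map a requested level onto what Terraform will use: TRACE, DEBUG, INFO, WARN
# and ERROR are accepted (case-insensitively); any other non-empty value turns
# on TRACE, as described in the post; an empty value means "logging off".
tf_log_level() {
    lvl=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case $lvl in
        TRACE|DEBUG|INFO|WARN|ERROR) printf '%s\n' "$lvl" ;;
        '')                          printf '\n' ;;
        *)                           printf 'TRACE\n' ;;
    esac
}

# Export TF_LOG / TF_LOG_PATH for the current shell and make sure the log file
# exists with owner-only permissions before Terraform appends to it.
tf_enable_logging() {
    level=$(tf_log_level "$1")
    path=$2
    [ -n "$level" ] && [ -n "$path" ] || return 1
    ( umask 077; : >> "$path" ) || return 1   # create if missing, never truncate
    chmod 600 "$path" || return 1             # tighten a pre-existing file too
    export TF_LOG="$level" TF_LOG_PATH="$path"
}

# After the debugging session: stop logging so later runs do not keep growing
# a file full of request/response bodies.
tf_disable_logging() { unset TF_LOG TF_LOG_PATH; }

# Permission string of a file ("-rw-------" once tightened); works with GNU and
# BSD ls alike, unlike stat's platform-specific format flags.
tf_log_perms() { ls -ld "$1" | cut -c1-10; }

# Demo on a temporary file (constructed; a real path would be e.g. ~/tf.log)
demo=$(mktemp)
tf_enable_logging debug "$demo"
echo "TF_LOG=$TF_LOG TF_LOG_PATH=$TF_LOG_PATH perms=$(tf_log_perms "$demo")"
tf_disable_logging
rm -f "$demo"
```

Source the file (`. ./tf-debug.sh`) rather than executing it, otherwise the exported variables only live in the child shell.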

Disclaimer

Since I’m trying to get rid of Evernote, too annoying too often, I’ll start to document non-private stuff here.

OVF/OVA-Properties

When deploying virtual machines from OVF/OVA files in an automated manner, e.g. using PowerShell or Terraform, it’s crucial to set all individual deployment parameters through the provisioning system.

Discover the available Properties using

  • PowerShell
  • OVF-Tool

Using PowerShell

Create a vCenter-Connection

PS C:\Program Files\PowerShell\7>

$VIServer = "vcenter.lab.local"
$VIUsername = "administrator@vsphere.local"
$VIPassword = "VMware!23"

$viConnection = Connect-VIServer $VIServer -User $VIUsername -Password $VIPassword

Retrieve the OVF-Config-Object

PS C:\Program Files\PowerShell\7>

$OVA = "T:\csr1000v-universalk9.16.09.01.ova"

$ovfconfig = Get-OvfConfiguration -Server $viConnection $OVA
$ovfconfigHashTable = $ovfconfig.ToHashTable()

Display all contained properties (the hash table’s keys)

PS C:\Program Files\PowerShell\7>

$ovfconfigHashTable.Keys | Sort-Object

com.cisco.csr1000v.domain-name.1
com.cisco.csr1000v.enable-scp-server.1
com.cisco.csr1000v.enable-ssh-server.1
com.cisco.csr1000v.hostname.1
com.cisco.csr1000v.license.1
com.cisco.csr1000v.login-password.1
com.cisco.csr1000v.login-username.1
com.cisco.csr1000v.mgmt-interface.1
com.cisco.csr1000v.mgmt-ipv4-addr.1
com.cisco.csr1000v.mgmt-ipv4-gateway.1
com.cisco.csr1000v.mgmt-ipv4-network.1
com.cisco.csr1000v.mgmt-vlan.1
com.cisco.csr1000v.pnsc-agent-local-port.1
com.cisco.csr1000v.pnsc-ipv4-addr.1
com.cisco.csr1000v.pnsc-shared-secret-key.1
com.cisco.csr1000v.privilege-password.1
com.cisco.csr1000v.remote-mgmt-ipv4-addr.1
com.cisco.csr1000v.resource-template.1
DeploymentOption
NetworkMapping.GigabitEthernet1
NetworkMapping.GigabitEthernet2
NetworkMapping.GigabitEthernet3

Deployment-Option?

PS C:\Program Files\PowerShell\7>

$ovfconfig.DeploymentOption

Key                : DeploymentOption
Value              :
DefaultValue       : 1CPU-4GB
OvfTypeDescription : string["1CPU-4GB", "2CPU-4GB", "4CPU-4GB", "4CPU-8GB"]
Description        : Small
                     Minimal hardware profile - 1 vCPU, 4 GB RAM

                     Medium
                     Medium hardware profile - 2 vCPUs, 4 GB RAM

                     Large
                     Large hardware profile - 4 vCPUs, 4 GB RAM

                     Large + DRAM Upgrade
                     Large hardware profile (requires purchase of DRAM upgrade SKU) - 4 vCPUs, 8 GB RAM

Using OVF-Tool

OVFTOOL.EXE, provided by VMware (Download OVFTOOL), allows inspecting existing OVA/OVF files, too.

T:\>"C:\Program Files\VMware\VMware OVF Tool\ovftool.exe" --verifyOnly csr1000v-universalk9.16.09.01.ova
OVF version:   1.0
VirtualApp:    false
Name:          Cisco CSR 1000V Cloud Services Router
Version:       16.09.01
Full Version:  Cisco IOS-XE Software, version 16.09.01
Vendor:        Cisco Systems, Inc.
Product URL:   http://www.cisco.com/en/US/products/ps12559/index.html
Vendor URL:    http://www.cisco.com

Download Size:  413.23 MB

Deployment Sizes:
  Flat disks:   8.40 GB
  Sparse disks: 692.60 MB

Networks:
  Name:        GigabitEthernet1
  Description: Data network 1

  Name:        GigabitEthernet2
  Description: Data network 2

  Name:        GigabitEthernet3
  Description: Data network 3

Virtual Machines:
  Name:               Cisco CSR 1000V Cloud Services Router
  Operating System:   other3xlinux64guest
  Virtual Hardware:
    Families:         vmx-10 vmx-11 vmx-13
    Number of CPUs:   1
    Cores per socket: 1
    Memory:           4.00 GB

    Disks:
      Index:          0
      Instance ID:    3001
      Capacity:       8.00 GB
      Disk Types:     SCSI-VirtualSCSI

    NICs:
      Adapter Type:   VMXNET3
      Connection:     GigabitEthernet1

      Adapter Type:   VMXNET3
      Connection:     GigabitEthernet2

      Adapter Type:   VMXNET3
      Connection:     GigabitEthernet3

Properties:
  ClassId:     com.cisco.csr1000v
  Key:         hostname
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Router Name
  Type:        string(..63)
  Description: Hostname of this router

  ClassId:     com.cisco.csr1000v
  Key:         login-username
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Login Username
  Type:        string(..64)
  Description: Username for remote login

  ClassId:     com.cisco.csr1000v
  Key:         login-password
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Login Password
  Type:        password(..25)
  Description: Password for remote login.
               WARNING: While this password will be stored securely within IOS,
               the plain-text password will be recoverable from the OVF
               descriptor file.

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-interface
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management Interface
  Type:        string
  Description: Management interface (such as "GigabitEthernet1" or
               "GigabitEthernet1.100")
  Value:       GigabitEthernet1

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-vlan
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management VLAN
  Type:        string(..5)
  Description: Management dot1Q VLAN (requires specifying a subinterface such
               as "GigabitEthernet1.100" for the Management Interface)

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-ipv4-addr
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management Interface IPv4 Address/Mask
  Type:        string(..33)
  Description: IPv4 address and mask for management interface (such as
               "192.0.2.100/24" or "192.0.2.100 255.255.255.0"), or "dhcp" to
               configure via DHCP

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-ipv4-gateway
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management IPv4 Gateway
  Type:        string(..16)
  Description: IPv4 gateway address (such as "192.0.2.1") for management
               interface, or "dhcp" to configure via DHCP

  ClassId:     com.cisco.csr1000v
  Key:         mgmt-ipv4-network
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Management IPv4 Network
  Type:        string(..33)
  Description: IPv4 Network (such as "192.168.2.0/24" or "192.168.2.0
               255.255.255.0") that the management gateway should route to.

  ClassId:     com.cisco.csr1000v
  Key:         pnsc-ipv4-addr
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       PNSC IPv4 Address
  Type:        string(..15)
  Description: IPv4 address without mask (such as "192.0.2.110") of PNSC
               service controller

  ClassId:     com.cisco.csr1000v
  Key:         pnsc-agent-local-port
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       PNSC Agent Local Port
  Type:        string(..5)
  Description: PNSC service agent SSL port (on local CSR) to receive policies
               from service manager.
               The port shall be in the range of [55001, 61000] if shared IP is
               used, i.e., Remote Management IPv4 Address is not configured.

  ClassId:     com.cisco.csr1000v
  Key:         pnsc-shared-secret-key
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       PNSC Shared Secret Key
  Type:        password(..64)
  Description: PNSC service controller shared secret key (8-64 characters) for
               PNSC agent to get SSL certificate from the controller.
               WARNING: While this password will be stored securely within IOS,
               the plain-text password will be recoverable from the OVF
               descriptor file.

  ClassId:     com.cisco.csr1000v
  Key:         remote-mgmt-ipv4-addr
  InstanceId   1
  Category:    1. Bootstrap Properties
  Label:       Remote Management IPv4 Address (optional, deprecated)
  Type:        string(..15)
  Description: Secondary IPv4 address without mask (such as "192.0.2.101") for
               access to remote management features (REST API, etc.). This
               should be in the same IP subnet as the Management Interface IPv4
               Address entered above.
               Warning: THIS IS A DEPRECATED OPTION IN THIS RELEASE.

  ClassId:     com.cisco.csr1000v
  Key:         enable-scp-server
  InstanceId   1
  Category:    2. Features
  Label:       Enable SCP Server
  Type:        boolean
  Description: Enable IOS SCP server feature
  Value:       False

  ClassId:     com.cisco.csr1000v
  Key:         enable-ssh-server
  InstanceId   1
  Category:    2. Features
  Label:       Enable SSH Login and Disable Telnet Login
  Type:        boolean
  Description: Enable remote login via SSH and disable remote login via telnet.
               Requires login-username and login-password to be set!
  Value:       False

  ClassId:     com.cisco.csr1000v
  Key:         privilege-password
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       Enable Password
  Type:        password(..25)
  Description: Password for privileged (enable) access.
               WARNING: While this password will be stored securely within IOS,
               the plain-text password will be recoverable from the OVF
               descriptor file.

  ClassId:     com.cisco.csr1000v
  Key:         domain-name
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       Domain Name
  Type:        string(..238)
  Description: Network domain name (such as "cisco.com")

  ClassId:     com.cisco.csr1000v
  Key:         license
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       License boot level
  Type:        string(..30)
  Description: Configure license boot level(such as ax, security, appx, ipbase,
               lite, vacs)
  Value:       ax

  ClassId:     com.cisco.csr1000v
  Key:         resource-template
  InstanceId   1
  Category:    3. Additional Configuration Properties
  Label:       Resource template
  Type:        string(..30)
  Description: Configure Resource template(service_plane_medium,
               service_plane_heavy or default)
  Value:       default

Deployment Options:
  Id:          1CPU-4GB  (default)
  Label:       Small
  Description: Minimal hardware profile - 1 vCPU, 4 GB RAM

  Id:          2CPU-4GB
  Label:       Medium
  Description: Medium hardware profile - 2 vCPUs, 4 GB RAM

  Id:          4CPU-4GB
  Label:       Large
  Description: Large hardware profile - 4 vCPUs, 4 GB RAM

  Id:          4CPU-8GB
  Label:       Large + DRAM Upgrade
  Description: Large hardware profile (requires purchase of DRAM upgrade SKU) -
               4 vCPUs, 8 GB RAM

References:
  File:  csr1000v_harddisk.vmdk
  File:  bdeo.sh
  File:  README-OVF.txt
  File:  README-BDEO.txt
  File:  cot.tgz
  File:  csr1000v-universalk9.16.09.01-vga.iso

OVF-Tool – Extra-Config?

Error: OVF Package is not supported by target:
 - Line -1: Unsupported value 'ethernet0.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'ethernet1.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'ethernet2.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'ethernet3.rxDataRingEnabled' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.diskWiper.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.memSchedFakeSampleStats.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.diskShrink.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.vmxDnDVersionGet.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.unityActive.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'isolation.tools.guestDnDVersionSet.disable' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'snapshot.maxSnapshots' for attribute 'key' on element 'ExtraConfig'.
 - Line -1: Unsupported value 'RemoteDisplay.maxConnections' for attribute 'key' on element 'ExtraConfig'.

The CLI switch „--allowExtraConfig“ enables support for ExtraConfig key/value pairs:

T:\>"C:\Program Files\VMware\VMware OVF Tool\ovftool.exe" --verifyOnly --allowExtraConfig nsx-unified-appliance-3.1.3.5.0.19068437.ova
The provided certificate is in valid period
Source is signed and the certificate validates
Certificate information:
  CertIssuer:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
  CertSubject:/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
  -----BEGIN CERTIFICATE-----
  MIIDyzCCArOgAwIBAgIJAKH7xLtwMqSZMA0GCSqGSIb3DQEBBQUAME0xCzAJBgNV
  BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8x
  FTATBgNVBAoTDFZNd2FyZSwgSW5jLjAeFw0xMDAyMjYyMjE3NDFaFw0yNjAxMDMy
  MjE3NDFaME0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYD
  VQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwgSW5jLjCCASAwDQYJKoZI
  hvcNAQEBBQADggENADCCAQgCggEBALU9NUtC39fqG7yo2XAswUmtli9uA+31uAMw
  9FFHAEv/it8pzBQZ/4r+2bN+GnXOWhuDd1K4ApKMRvoO4LwQfZxrkx4pXrsu0gdb
  4OunHw0D8MrdzSoob8Js/uq+IJ+8Bhsc6b7RzTUt9HeDWzHasAJVgMsjehGt23ay
  9FKOT6dVD6D/Xi3qJnB/4t/XNS6L63dC3ea4guzKDyLaXIP5bf/m56jvVImFjhhT
  W2ASbnEUlZIVrEuyVcdG7e3FvZufE553JmHL0YG/0m5bIHXKRzBRx0D3HHOAzOKw
  kkOnxJHSTN4Hz8hSYCWvzUAjSYL3Q8qiTd7GHJ2ynsRnu3KlzKUCAQOjga8wgaww
  HQYDVR0OBBYEFHg8KQJdm8NPQDmYP41uEgKG+VNwMH0GA1UdIwR2MHSAFHg8KQJd
  m8NPQDmYP41uEgKG+VNwoVGkTzBNMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
  aWZvcm5pYTESMBAGA1UEBxMJUGFsbyBBbHRvMRUwEwYDVQQKEwxWTXdhcmUsIElu
  Yy6CCQCh+8S7cDKkmTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCP
  nVEBVF2jYEsgaTJ1v17HNTVTD5pBPfbQk/2vYVZEWL20PtJuLeSWwoo5+TnCSp69
  i9n1Hpm9JWHjyb1Lba8Xx7VC4FferIyxt0ivRm9l9ouo/pQAR8xyqjTg1qfr5V8S
  fZElKbjpzSMPrxLwF77h+YB+YjqWAJpVV+fAkAvK7K9vMiFgW60teZBxVW/XlmG0
  IJaSUWSI3/A+bA6fuIy8PMmpQMtm0droHrCnViAVRhMMgEC/doMH1GqUSmoiyQ1G
  PifLAp5wV5/HV+S9AGrb8HGdWIvW+kBgmCl0wSf2JFYm1bpq30CVE4EC0MAY1mJG
  vSqQGIbCybw5KTCXRQ8d
  -----END CERTIFICATE-----


OVF version:   1.0
VirtualApp:    false
Name:          nsx-unified-appliance
Version:       3.1.3.5
Full Version:  3.1.3.5.0.19068437
Vendor:        VMware, Inc

Download Size:  8.37 GB

Deployment Sizes:
  Flat disks:   300.00 GB
  Sparse disks: 4.74 GB

Networks:
  Name:        Network 1
  Description: Network 1

Virtual Machines:
  Name:               nsx-unified-appliance
  Operating System:   ubuntu64guest
  Virtual Hardware:
    Families:         vmx-10 vmx-11 vmx-13
    Number of CPUs:   6
    Cores per socket: 1
    Memory:           24.00 GB

    Disks:
      Index:          0
      Instance ID:    5
      Capacity:       200.00 GB
      Disk Types:     SCSI-lsilogic

      Index:          1
      Instance ID:    6
      Capacity:       100.00 GB
      Disk Types:     SCSI-lsilogic

    NICs:
      Adapter Type:   VmxNet3
      Connection:     Network 1

Properties:
  Key:         nsx_passwd_0
  Category:    Application
  Label:       System Root User Password
  Type:        password(12..)
  Description: The password for root user for this VM.
               Please follow the password complexity rule as below:
                   - minimum of 12 characters in length
                   - >=1 uppercase character
                   - >=1 lowercase character
                   - >=1 numeric character
                   - >=1 special character
                   - >=5 unique characters
                   - default password complexity rules as enforced by the Linux
               PAM module
                   NOTE: Password strength validation will occur during VM
               boot.  If the password does not meet the above criteria then
               login as root user for the change password prompt to appear.


  Key:         nsx_cli_passwd_0
  Category:    Application
  Label:       CLI "admin" User Password
  Type:        password(12..)
  Description: The password for default CLI user for this VM.
               Please follow the password complexity rule as below:
                   - minimum of 12 characters in length
                   - >=1 uppercase character
                   - >=1 lowercase character
                   - >=1 numeric character
                   - >=1 special character
                   - >=5 unique characters
                   - default password complexity rules as enforced by the Linux
               PAM module
                   NOTE: Password strength validation will occur during VM
               boot.  If the password does not meet the above criteria then
               login as admin user for the change password prompt to appear.


  Key:         nsx_cli_audit_passwd_0
  Category:    Application
  Label:       CLI "audit" User Password
  Type:        password
  Description: The password for audit CLI user for this VM.
               Please follow the password complexity rule as below:
                   - minimum of 12 characters in length
                   - >=1 uppercase character
                   - >=1 lowercase character
                   - >=1 numeric character
                   - >=1 special character
                   - >=5 unique characters
                   - default password complexity rules as enforced by the Linux
               PAM module
                   NOTE: Password strength validation will occur during VM
               boot.  If the password does not meet the above criteria then
               login as admin user and use the NSX CLI command "set user audit"
               to change the audit user password.


  Key:         nsx_cli_username
  Category:    Application
  Label:       CLI "admin" username (default: admin)
  Type:        string
  Description: Username of administrator user.

  Key:         nsx_cli_audit_username
  Category:    Application
  Label:       CLI "audit" username (default: audit)
  Type:        string
  Description: Username of auditor user.

  Key:         extraPara
  Category:    Application
  Label:       Optional parameters
  Type:        password
  Description: For internal use only.


  Key:         nsx_hostname
  Category:    Network properties
  Label:       Hostname
  Type:        string(1..)
  Description: The hostname for this VM.
                   NOTE: Underscores in hostname are not allowed.  If hostname
               contains underscore, then the appliance gets deployed with
               'nsx-manager' as hostname.


  Key:         nsx_role
  Category:    Network properties
  Label:       Rolename
  Type:        string["NSX Manager","nsx-cloud-service-manager","NSX Global
               Manager"]
  Description: The role for this VM. Currently supports
               'nsx-cloud-service-manager', 'NSX Global Manager' OR 'NSX
               Manager' as rolename.

  Value:       NSX Manager

  Key:         nsx_ip_0
  Category:    Network properties
  Label:       Management Network IPv4 Address
  Type:        string(1..)
  Description: The IPv4 Address for the first interface.

  Key:         nsx_netmask_0
  Category:    Network properties
  Label:       Management Network Netmask
  Type:        string(1..)
  Description: The netmask for the first interface.

  Key:         nsx_gateway_0
  Category:    Network properties
  Label:       Default IPv4 Gateway
  Type:        string
  Description: The default gateway for this VM.

  Key:         nsx_dns1_0
  Category:    DNS
  Label:       DNS Server list
  Type:        string
  Description: The space separated DNS server list for this VM (valid only if
               an IPv4 address is specified for the first interface).
                   NOTE: At most three name servers can be configured (first 3
               name servers passed in list will be used and all other will be
               ignored)


  Key:         nsx_domain_0
  Category:    DNS
  Label:       Domain Search List
  Type:        string
  Description: The space separated domain search list for this VM (valid only
               if an IPv4 address is specified for the first interface).

  Key:         nsx_ntp_0
  Category:    Services Configuration
  Label:       NTP Server List
  Type:        string
  Description: The NTP server list(space separated) for this VM.

  Key:         nsx_isSSHEnabled
  Category:    Services Configuration
  Label:       Enable SSH
  Type:        boolean
  Description: Enabling SSH service is not recommended for security reasons.
  Value:       False

  Key:         nsx_allowSSHRootLogin
  Category:    Services Configuration
  Label:       Allow root SSH logins
  Type:        boolean
  Description: Allowing root SSH logins is not recommended for security
               reasons.
  Value:       False

  Key:         nsx_swIntegrityCheck
  Category:    Services Configuration
  Label:       Software Integrity Checker
  Type:        boolean
  Description: Software Integrity Checker is required only for NDcPP 2.2
  Value:       False

  Key:         mpIp
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager IP
  Type:        string
  Description: For internal use only. Do not set this parameter.


  Key:         mpToken
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager Token
  Type:        password
  Description: For internal use only. Do not set this parameter.


  Key:         mpThumbprint
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager Thumbprint
  Type:        string
  Description: For internal use only. Do not set this parameter.


  Key:         mpNodeId
  Category:    Internal Properties - Do not set these parameters.
  Label:       Manager Node ID
  Type:        string
  Description: For internal use only. Do not set this parameter.


  Key:         mpClusterId
  Category:    Internal Properties - Do not set these parameters.
  Label:       Cluster ID of First Manager Cluster
  Type:        string
  Description: For internal use only. Do not set this parameter.


Deployment Options:
  Id:          extra_small
  Label:       ExtraSmall
  Description:
               IMPORTANT: This configuration is only supported for the
               nsx-cloud-service-manager role.

               This configuration requires the following:
               * 2 vCPU
               * 8GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


  Id:          small
  Label:       Small
  Description:
               IMPORTANT: This configuration is supported for Global Manager
               Production deployment

               This configuration requires the following:
               * 4 vCPU
               * 16GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


  Id:          medium  (default)
  Label:       Medium
  Description:
               IMPORTANT: This configuration is supported for Local Manager
               Production deployment ('NSX Manager' role)
                          This is supported for Global Manager Production
               deployment (but not required)

               This configuration requires the following:
               * 6 vCPU
               * 24GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


  Id:          large
  Label:       Large
  Description:
               IMPORTANT: This configuration is supported for Local Manager
               Production deployment ('NSX Manager' role)
                          This is supported for Global Manager Production
               deployment (but not required)

               This configuration requires the following:
               * 12 vCPU
               * 48GB RAM
               * 300GB Storage
               * VM hardware version 10 or greater (vSphere 5.5 or greater)


References:
  File:  nsx-unified-appliance.vmdk
  File:  nsx-unified-appliance-secondary.vmdk


*** System restart required ***

When Linux prompts to reboot a server – „for reasons“, of course – some background information might be welcome.

Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
...
0 packages can be updated.
0 updates are security updates.

*** System restart required ***

Last login: Tue Dec  8 15:50:09 2020 from 192.168.1.413

First try: 😉

user@ubuntu:~$ cat /var/run/reboot-required
*** System restart required ***

Better:

user@ubuntu:~$ cat /var/run/reboot-required.pkgs
libssl1.0.0
linux-base

Let’s go.
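A pending-reboot check built on those two files, as an added example that is not code from the post: it is meant for a monitoring or patch-compliance script, returns a usable exit status, deduplicates the package list and tags kernel-related packages (linux-*) separately from userland libraries such as libssl, so the report says whether running processes or the kernel itself are still on the old code. The directory is a parameter, and the sample directory below is constructed to mirror the files shown above.

```shell
#!/bin/sh
# Added example: reboot-required check over /var/run (or a test directory).

# Returns 0 when a reboot is pending, 1 when not. Prints one line per package
# that requested the reboot, tagged "kernel" (linux-*) or "userland".
reboot_pending() {
    dir=${1:-/var/run}
    [ -e "$dir/reboot-required" ] || return 1
    if [ -r "$dir/reboot-required.pkgs" ]; then
        sort -u "$dir/reboot-required.pkgs" | while IFS= read -r pkg; do
            [ -n "$pkg" ] || continue
            case $pkg in
                linux-*) printf 'kernel   %s\n' "$pkg" ;;
                *)       printf 'userland %s\n' "$pkg" ;;
            esac
        done
    fi
    return 0
}

# Constructed copy of the two files from the session above (libssl1.0.0 is
# listed twice on purpose, as repeated upgrades append to the .pkgs file).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '*** System restart required ***\n' > "$d/reboot-required"
    printf 'libssl1.0.0\nlinux-base\nlibssl1.0.0\n' > "$d/reboot-required.pkgs"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
if reboot_pending "$sample"; then echo "reboot pending"; else echo "no reboot pending"; fi
rm -rf "$sample"
```

Called without an argument it inspects the live /var/run, so `reboot_pending || echo "up to date"` fits directly into a cron job or a login banner.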


Ubuntu 20.04 – Static Server IP-Address

Of course, every release of a Linux distribution has to change the way very basic network settings are configured. 😉

  • Ubuntu 20.04 Server LTS

to be fair:

  • „netplan“ has been in place since at least release 17.10
  • the „subiquity“ tool, which wrote the YAML file, has been confusing me…

Step 1: Figure out which IP/DNS settings were set by DHCP

user@hostname:~/map-local$ sudo netplan ip leases ens160
# This is private data. Do not parse.
ADDRESS=172.16.9.107
NETMASK=255.255.255.0
ROUTER=172.16.9.254
SERVER_ADDRESS=172.16.9.252
T1=43200
T2=75600
LIFETIME=86400
DNS=208.67.222.222 208.67.220.220
CLIENTID=ff9f6e847110020000ab11b9a540e7d1e0d2b5

Step 2: Disable (if required) automation tools – here „subiquity“

This is YAML:

user@hostname:~/map-local$ cat /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens160:
      dhcp4: true
  version: 2

user@hostname:~/map-local$ cat /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg
network: {config: disabled}

Optional: Try a temporary YAML file before applying

  • a safeguard if you are working over an SSH connection
  • rolls back automatically after the timeout

user@hostname:~/map-local$ joe netplan-temp.yaml

user@hostname:~/map-local$ cat netplan-temp.yaml
# This is the network config written by 'ron'
network:
  ethernets:
    ens160:
      addresses: [172.16.9.9/24]
      gateway4: 172.16.9.254
      nameservers:
        addresses: [208.67.222.222, 208.67.220.220]
  version: 2

user@hostname:~/map-local$ sudo netplan try --config-file netplan-temp.yaml --timeout 120

user@hostname:~/map-local$ sudo cp netplan-temp.yaml /etc/netplan/00-installer-config.yaml

Step 3: Edit/Apply NetPlan Config

  • Edit, then apply

user@hostname:~/map-local$ sudo joe /etc/netplan/00-installer-config.yaml
user@hostname:~/map-local$ cat /etc/netplan/00-installer-config.yaml
# This is the network config written by 'ron'
network:
  ethernets:
    ens160:
      addresses: [172.16.9.9/24]
      gateway4: 172.16.9.254
      nameservers:
        addresses: [208.67.222.222, 208.67.220.220]
  version: 2

user@hostname:~/map-local$ sudo netplan apply 
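The three steps above, joined into one script as an added example that is not code from the post: it parses the lease output of Step 1, converts the dotted netmask into the prefix length that netplan's `addresses:` expects (rejecting non-contiguous masks), and prints the static YAML of Step 3 with `dhcp4: false` made explicit. The lease text is the one shown above, copied from the post; the interface name ens160 is the post's as well.

```shell
#!/bin/sh
# Added example: derive a static netplan configuration from the current lease.

# Lease text as printed by `netplan ip leases ens160` above.
LEASE='# This is private data. Do not parse.
ADDRESS=172.16.9.107
NETMASK=255.255.255.0
ROUTER=172.16.9.254
SERVER_ADDRESS=172.16.9.252
T1=43200
T2=75600
LIFETIME=86400
DNS=208.67.222.222 208.67.220.220
CLIENTID=ff9f6e847110020000ab11b9a540e7d1e0d2b5'

# Dotted netmask -> prefix length; fails on anything that is not a contiguous
# run of one bits followed by zero bits.
netmask_to_prefix() {
    prefix=0 done_bits=0
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "$done_bits" -eq 1 ] && [ "$octet" != 0 ]; then return 1; fi
        case $octet in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)); done_bits=1 ;;
            252) prefix=$((prefix + 6)); done_bits=1 ;;
            248) prefix=$((prefix + 5)); done_bits=1 ;;
            240) prefix=$((prefix + 4)); done_bits=1 ;;
            224) prefix=$((prefix + 3)); done_bits=1 ;;
            192) prefix=$((prefix + 2)); done_bits=1 ;;
            128) prefix=$((prefix + 1)); done_bits=1 ;;
            0)   done_bits=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$prefix"
}

# $1: interface name, $2: lease text (KEY=VALUE lines). Prints netplan YAML.
lease_to_netplan() {
    iface=$1
    addr='' mask='' router='' dns=''
    while IFS='=' read -r key val; do
        case $key in
            ADDRESS) addr=$val ;;
            NETMASK) mask=$val ;;
            ROUTER)  router=$val ;;
            DNS)     dns=$val ;;
        esac
    done <<EOF
$2
EOF
    [ -n "$addr" ] && [ -n "$mask" ] || { echo "lease lacks ADDRESS/NETMASK" >&2; return 1; }
    prefix=$(netmask_to_prefix "$mask") || { echo "invalid netmask: $mask" >&2; return 1; }
    printf 'network:\n  version: 2\n  ethernets:\n    %s:\n      dhcp4: false\n      addresses: [%s/%s]\n' \
        "$iface" "$addr" "$prefix"
    if [ -n "$router" ]; then
        printf '      gateway4: %s\n' "$router"
    fi
    if [ -n "$dns" ]; then
        # space-separated list in the lease -> comma-separated YAML flow list
        printf '      nameservers:\n        addresses: [%s]\n' "$(printf '%s' "$dns" | sed 's/ \{1,\}/, /g')"
    fi
}

lease_to_netplan ens160 "$LEASE"
```

Redirect the output into a file and hand that to `sudo netplan try --config-file ... --timeout 120` first, as above, before copying it over /etc/netplan/00-installer-config.yaml.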


BASH „History“: display ISO-Timestamp

I have just been somewhat annoyed by the default format of the bash „history“ command:

510  2020-12-05T17:46:33 echo 'export HISTTIMEFORMAT="%G-%m-%dT%T "' >> ~/.bash_profile
511  2020-12-05T17:46:42 source ~/.bash_profile
512  2020-12-05T17:46:47 history
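Two things a practitioner wants to know about that setting, shown as an added example that is not code from the post: first, once HISTTIMEFORMAT is set, bash also writes a `#<epoch>` comment line before each command into the history file, so the file can be rendered with any timestamp format later (useful when a history file is all that is left of a session); second, `%G` is the ISO 8601 week-based year, which differs from the calendar year `%Y` for the first days of January and the last days of December, so for ISO dates `%Y` is the safer choice. The history file excerpt below is constructed; its epoch values correspond to the times shown above, taken as UTC.

```shell
#!/bin/sh
# Added example: render a bash history file with timestamps, and the %G pitfall.

# strftime over an epoch value; GNU date first, BSD/macOS date as fallback.
fmt_epoch() {
    date -u -d "@$1" "+$2" 2>/dev/null || date -u -r "$1" "+$2"
}

# Render HISTFILE contents ($1) with format $2: a "#<epoch>" line sets the
# timestamp for the command line that follows it; other lines pass through.
render_history() {
    ts=''
    while IFS= read -r line; do
        case $line in
            '#'[0-9]*) ts=${line#\#} ;;
            *) if [ -n "$ts" ]; then
                   printf '%s %s\n' "$(fmt_epoch "$ts" "$2")" "$line"
               else
                   printf '%s\n' "$line"
               fi
               ts='' ;;
        esac
    done <<EOF
$1
EOF
}

# Constructed history file excerpt (what bash writes once HISTTIMEFORMAT is set).
HISTFILE_SAMPLE='#1607190393
export HISTTIMEFORMAT="%Y-%m-%dT%T "
#1607190402
source ~/.bashrc
#1609459200
history'

ISO_FORMAT='%Y-%m-%dT%T'

render_history "$HISTFILE_SAMPLE" "$ISO_FORMAT"
# 1609459200 is 2021-01-01T00:00:00Z: ISO week 53 of 2020, so %G prints 2020
echo "week-based year: $(fmt_epoch 1609459200 '%G-%m-%d')  calendar year: $(fmt_epoch 1609459200 '%Y-%m-%d')"
```

Note that ~/.bash_profile is read by login shells only; for the setting to apply in every interactive shell, put the export into ~/.bashrc as well.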
