Erwin
Feb 17, 2006

Jesus christ is VMware support atrocious. Literally had to follow up a case with "please actually read what I wrote." There's like two support engineers left and they're in a hurry to do nothing but give KB articles that I've already addressed in my case notes.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Erwin posted:

Jesus christ is VMware support atrocious. Literally had to follow up a case with "please actually read what I wrote." There's like two support engineers left and they're in a hurry to do nothing but give KB articles that I've already addressed in my case notes.

I'm doing this more and more as well. I get so frustrated explaining how their core products are supposed to work and why this is in fact a problem...

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

psydude posted:

Anyone deployed vRA yet?

Several times for lots of different people. Skip 6 and go right to 7, you can thank me later!

It does have some odd poo poo about it though. For example there's still a bunch of .NET stuff left in it so you'll need some Windows servers to go along with the virtual appliances.

Feel free to ask me any specifics.

Tatsuta Age
Apr 21, 2005

so good at being in trouble


I can't tell if this is the right thread, or if it would be better served for the 'Parts Picker' desktop thread. Yell at me if this doesn't belong here!

I want to play around with running a baremetal hypervisor on my desktop, and then running various VMs on it. Importantly, I want to passthrough certain hardware (GPU, keyboard/mouse) directly to a Windows 10 VM that will run off the machine. About half of my current hardware supports IOMMU/VT-X/whatever, and I'm struggling to figure out the cheapest way to upgrade and get full compatibility for what I want to do.

CPU: i7-4770
Mobo: Asus Maximus VI Hero ( https://www.asus.com/us/Motherboards/MAXIMUS_VI_HERO )
GPU: MSI R9 390 ( http://www.amazon.com/MSI-R9-390-GAMING-8G/dp/B00ZGF0UAE )

I think the answer is 'just get another motherboard that would support IOMMU', but I'm having a ton of trouble finding one. Does that sound right? Are there weird issues I'm not thinking of with this setup?

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
Asus mainboards are a gamble in regards to VT-d. There's a bunch of address remapping tables needed for proper operation (DMAR tables) that are seemingly hosed up on certain models, so YMMV.

evol262
Nov 30, 2010
#!/usr/bin/perl
Gigabyte is more reliable.

You do not need IOMMU to pass through USB devices.

Also (nitpicky), but IOMMU is VT-d, if you're looking for support.

Tatsuta Age
Apr 21, 2005

so good at being in trouble


evol262 posted:

Gigabyte is more reliable.

You do not need IOMMU to pass through USB devices.

Also (nitpicky), but IOMMU is VT-d, if you're looking for support.

Yeah, I'm struggling to find a reliable list that goes into more detail than "this motherboard vendor with this chipset type SHOULD work, but really who knows!"

The IOMMU stuff is more to pass through the graphics card to make the server run my VM as close to a native desktop as possible. Then, in my mind, I can run a management tool from that desktop to handle the VMs as necessary.

Internet Explorer
Jun 1, 2005
Nitr0 posted:

Or just setup a proper pki infrastructure.

It's just a test lab, and this isn't exactly the most complicated use of SSL certs ever.

three posted:

For the Citrix/vCenter SSL thing, just follow this guide: http://www.carlstalhood.com/controller-77/#vcenter

Usually when it doesn't work, it was tried through IE and IE was not launched as an Admin and didn't get put in the right place.

This is a great site for all things Citrix related. You can find ways of avoiding a lot of little gotchas or things that the Citrix documentation doesn't address.

adorai posted:

At what scale is PVS REALLY better than MCS?

I am a huge PVS fanboy, but in my opinion I would only use MCS for a quick POC, unless your VDIs have some crazy write-heavy I/O requirements. It is just so much easier to roll out updates for, ensure that a disk gets reset back to baseline on reboot, and it saves you a lot of I/O on your storage. It is definitely a red-headed stepchild product, but if you set it up correctly I think it is much, much better than MCS.

These two articles are interesting from an I/O savings perspective:
https://www.citrix.com/blogs/2014/04/18/turbo-charging-your-iops-with-the-new-pvs-cache-in-ram-with-disk-overflow-feature-part-one/
https://www.citrix.com/blogs/2014/07/07/turbo-charging-your-iops-with-the-new-pvs-cache-in-ram-with-disk-overflow-feature-part-two/

SamDabbers
May 26, 2003
Tatsuta Age posted:

Yeah, I'm struggling to find a reliable list that goes into more detail than "this motherboard vendor with this chipset type SHOULD work, but really who knows!"

The IOMMU stuff is more to pass through the graphics card to make the server run my VM as close to a native desktop as possible. Then, in my mind, I can run a management tool from that desktop to handle the VMs as necessary.

One option would be to run Hyper-V on Windows 10 Pro. It now supports RemoteFX GPU virtualization (DirectX 11 only), so you can game and such as usual on the "Host" OS while running (potentially) 3D accelerated guests. Then you don't have to worry about your motherboard fully supporting VT-d for passing through the GPU, while still getting to game at native speed and tinker with VMs.

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.
Speaking of, I'm playing around with Hyper-V on my desktop system, Windows 10 under Windows 10. Whenever I close the connection to the guest VM, it locks the screen (maybe it destroys the whole desktop context, like disconnecting a terminal services session). Is there any way I can prevent it from doing that?

e: looks like it's related to Enhanced Session Mode.

Vulture Culture fucked around with this message at 10:12 on Feb 18, 2016

Shaocaholica
Oct 29, 2002

Fig. 5E
This came up in discussion at work today about the whole FBI asking Apple to make it easier to brute force crack the passcode on an iPhone 5C.

Wouldn't it be relatively easy to just copy the entire encrypted flash disk right off the chips and then brute force the passcode using an iPhone 5C emulator or VM? Since you have a copy of the data you don't have to worry about a VM wiping its private key after N failed attempts and you can run many VMs checking different passcodes in parallel. It could be solved in minutes once set up.

I guess the question is if such a VM existed or how much work it would take to get there? Maybe prohibitively expensive or time consuming given the significance of the related case?

evol262
Nov 30, 2010
#!/usr/bin/perl
They have hardware AES, and use a secure boot chain, using a key derived from the UID/GID of the device. Apple would need to provide a signed image. They'd need to pull the UID/GID somehow (apple may have records of what's tied to which IMEI), break the AES key to boot the image, then crack the passcode (which has a forced delay, in hardware mode and presumably in an emulator), which could take years.

No, this isn't practical. Apple may be able to help partway, but it's still an enormous amount of work, and may take essentially forever.

YOLOsubmarine
Oct 19, 2004

When asked which Pokemon he evolved into, Kamara pauses.

"Motherfucking, what's that big dragon shit? That orange motherfucker. Charizard."

FWIW Apple claims that they maintain no records of which UID gets burned into each phone, and that's probably true since it gives them a legal out in situations just like this. Without the UID decryption is impossible, though recovering it from the older A6 chips (like those in the 5c) could be possible since they don't have the Secure Enclave that the A7 stuff does.

YOLOsubmarine fucked around with this message at 00:28 on Feb 19, 2016

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

NippleFloss posted:

FWIW Apple claims that they maintain no records of which UID gets burned into each phone, and that's probably true since it gives them a legal out in situations just like this. Without the UID decryption is impossible, though recovering it from the older A6 chips (like those in the 5c) could be possible since they don't have the Secure Enclave that the A7 stuff does.
The request was for a firmware that will allow them to brute force the encryption. My guess is it's using a 4 digit PIN as the password, so they only need 10000 attempts. Normally that would wipe the device, they are asking for an out to that, because 10k attempts is easy peasy.

evol262
Nov 30, 2010
#!/usr/bin/perl

adorai posted:

The request was for a firmware that will allow them to brute force the encryption. My guess is it's using a 4 digit PIN as the password, so they only need 10000 attempts. Normally that would wipe the device, they are asking for an out to that, because 10k attempts is easy peasy.

To clarify: they just want an iOS image which doesn't auto-wipe after 10 failed passcode attempts.

Either way, the limitations on pumping the image and running it in the iOS emulator in a VM will preclude doing it without the hardware key.

I agree with Apple here, but it's not great to do it in a VM because of the signed booting process.

YOLOsubmarine
Oct 19, 2004

When asked which Pokemon he evolved into, Kamara pauses.

"Motherfucking, what's that big dragon shit? That orange motherfucker. Charizard."

adorai posted:

The request was for a firmware that will allow them to brute force the encryption. My guess is it's using a 4 digit PIN as the password, so they only need 10000 attempts. Normally that would wipe the device, they are asking for an out to that, because 10k attempts is easy peasy.

They can't brute force it with just firmware because the decryption key they need is a mixing of the pin and the hardware key, and the hardware key is locked inside the phone and, according to Apple, not retrievable by them or anyone.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

NippleFloss posted:

They can't brute force it with just firmware because the decryption key they need is a mixing of the pin and the hardware key, and the hardware key is locked inside the phone and, according to Apple, not retrievable by them or anyone.
Obviously there is some kind of solution, or else Apple would not be making a public appeal, they would instead just stick to the "not possible" defense. I am guessing the idea is to attach a secondary storage to it, boot from that, while the existing storage is still attached, and then try to brute force it from there. Without knowing the specifics of iOS, I am just guessing at the possibility here.

HPL
Aug 28, 2002

Worst case scenario.
Or they could wait around until the whole quantum computing thing makes encryption irrelevant.

evol262
Nov 30, 2010
#!/usr/bin/perl

adorai posted:

Obviously there is some kind of solution, or else Apple would not be making a public appeal, they would instead just stick to the "not possible" defense. I am guessing the idea is to attach a secondary storage to it, boot from that, while the existing storage is still attached, and then try to brute force it from there. Without knowing the specifics of iOS, I am just guessing at the possibility here.

This also requires a signed boot chain.

Apple is making a public appeal because they've turned a very high profile case into Apple v. Investigating Terrorists (TM)

There are already a huge number of law enforcement cases which are blocked on this issue. The FBI just chose to throw their weight behind this one, as an appeal to emotion and anti-terrorist settlement. Apple's response is basically "look, we'd cooperate if we could do it without giving a government which has a history of warrantless searches the keys to the kingdom, but we really can't, and we want public pressure on law enforcement so they drop it without us fighting a prolonged legal battle".

Yes, Apple could introduce a backdoor key into iOS, OTA a new image which re-encrypts on first boot to everybody, then provide the FBI with a signed image which will upgrade that device to this version without bricking/wiping it, but they don't want to go this route for a variety of reasons, mostly good ones.

Newer iPhones (this is a 5c, I think) handle all the encryption in a separate microkernel, with an AES engine sitting in between, and...

You should read this. There are obviously very smart people working in some areas of the government, but it's a tough nut. Even assuming you were able to attach secondary storage and boot from it, everything on the main storage partition will be AES locked, because no part of the signed booting process has completed, and you're still trying to brute force AES256. If they can boot the device normally and not have it wipe itself, they can eventually unlock it (assuming it's a 4 character numeric passcode, and I don't think they have any idea).

Apple is not willing to sacrifice the security of every iOS user and introduce backdoors which can be used by foreign nation states and other powerful actors (or criminals/hackers) in order to make gathering information for one case easier, and they want public backing.

We're pretty far off the thread of the virt thread, but the short answer is that no, they cannot dump the memory from the device into an image and virtualize it (in the iOS emulator on OSX, presumably), because it's all encrypted, the encryption is tied to a hardware key, and Apple says they don't know that hardware key.
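The point made in the two posts above (the key is a mix of the passcode and a per-device hardware key, and guessing on the device trips the wipe) as an added toy model; this is not Apple's design or code, and the UID width, KDF iteration count, attempt limit and passcode are constructed stand-ins chosen so it runs in seconds:

```python
"""Toy model of a passcode-derived key entangled with a hardware UID.

Constructed example, not Apple's implementation: the UID width, iteration
count, wipe threshold and passcode are stand-ins so the model runs quickly.
"""
import hashlib
import secrets
from typing import Optional, Tuple

PIN_LENGTH = 4
MAX_FAILED_ATTEMPTS = 10   # the auto-wipe threshold discussed in the thread
KDF_ITERATIONS = 200       # stands in for the hardware-enforced per-guess delay
UID_BITS = 256             # assumed width of the fused, non-exportable hardware key


def derive_key(device_uid: bytes, passcode: str) -> bytes:
    """Mix passcode and UID; neither alone yields the data-protection key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid,
                               KDF_ITERATIONS, dklen=32)


class Device:
    """Keeps the UID inside the 'chip' and enforces the wipe policy."""

    def __init__(self, passcode: str):
        self._uid = secrets.token_bytes(UID_BITS // 8)   # never leaves the device
        self.key_check = hashlib.sha256(derive_key(self._uid, passcode)).digest()
        self.failed_attempts = 0
        self.wiped = False

    def try_unlock(self, passcode: str) -> bool:
        if self.wiped:
            return False
        candidate = hashlib.sha256(derive_key(self._uid, passcode)).digest()
        if secrets.compare_digest(candidate, self.key_check):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wiped = True        # key material discarded; data unrecoverable
            self.key_check = b""
        return False


def all_pins():
    """Every PIN of the configured length, in numeric order."""
    return (f"{n:0{PIN_LENGTH}d}" for n in range(10 ** PIN_LENGTH))


def guess_through_device(device: Device) -> Optional[str]:
    """Guessing on the device itself: the wipe policy ends it after ten tries."""
    for pin in all_pins():
        if device.try_unlock(pin):
            return pin
        if device.wiped:
            return None
    return None


def guess_against_copy(key_check: bytes,
                       device_uid: Optional[bytes]) -> Tuple[Optional[str], int]:
    """Guessing against a copied flash image, as the earlier post proposed.

    Returns (pin, work). With the UID in hand the work is at most 10**PIN_LENGTH
    derivations; without it every UID value must be combined with every PIN,
    so only the work factor is returned and nothing is attempted.
    """
    if device_uid is None:
        return None, (2 ** UID_BITS) * (10 ** PIN_LENGTH)
    for pin in all_pins():
        if hashlib.sha256(derive_key(device_uid, pin)).digest() == key_check:
            return pin, int(pin) + 1
    return None, 10 ** PIN_LENGTH


if __name__ == "__main__":
    dev = Device("7341")
    print("on-device guessing:", guess_through_device(dev), "wiped:", dev.wiped)
    print("copy without UID:", guess_against_copy(Device("7341").key_check, None))
```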

KillHour
Oct 28, 2007


HPL posted:

Or they could wait around until the whole quantum computing thing makes encryption irrelevant.

This is only true for encryption relying on factoring semiprime numbers being hard. Elliptic curve encryption is still safe, AFAIK.

HPL
Aug 28, 2002

Worst case scenario.

KillHour posted:

This is only true for encryption relying on factoring semiprime numbers being hard. Elliptic curve encryption is still safe, AFAIK.

Safe for what? If the feds eventually get near limitless computational power on tap, anything will be breakable in short order.

Of course, we're still a long way from that, but possibly within our lifetimes, which will be awesome/sucky.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

HPL posted:

Of course, we're still a long way from that, but possibly within our lifetimes, which will be awesome/sucky.
It takes a hell of a lot more power to crack encryption than it takes to encrypt. It's a hell of a lot easier to encrypt with longer/stronger keys than it is to break them. This does not ring true with broken encryption, but in an arms race of key strength vs computation power for breaking it, the winner is the person who keeps their encryption current.

in a well actually
Jan 26, 2011

dude, you gotta end it on the rhyme

HPL posted:

near limitless computational power on tap

Why do you think that quantum computing would provide that?

HPL
Aug 28, 2002

Worst case scenario.

PCjr sidecar posted:

Why do you think that quantum computing would provide that?

It's a technology they haven't got a handle on yet. Once they do, it should be neat.

vanity slug
Jul 20, 2010

Prior to 8.1.1 you could just bypass the key limit this way: http://techcrunch.com/2015/03/19/iphone-bruteforce-pin/

KillHour
Oct 28, 2007


HPL posted:

It's a technology they haven't got a handle on yet. Once they do, it should be neat.

I don't think quantum computing does what you think it does.

Potato Salad
Oct 23, 2014

nobody cares


HPL posted:

It's a technology they haven't got a handle on yet. Once they do, it should be neat.

Noap.

DevNull
Apr 4, 2007

And sometimes is seen a strange spot in the sky
A human being that was given to fly

To bring this back around to the thread topic, this lawsuit is interesting for virtualization as well.

How long until cloud providers have the FBI knocking on their door asking to see the contents of a VM? The hypervisor is sitting in a neat place where it can access any drat thing it wants. It might not be able to decrypt it, but it can see when the VM decrypts the information. I hope you really trust your cloud provider, because they can drop in a new hypervisor on their hardware without you ever knowing!

Part of that will be solved by secure enclaves though. Then you have to depend on Intel really actually making it secure, and not giving the hypervisor access to the enclave. It would be a bit harder for the FBI to get modifications at that level. I could see this Apple fight having legal implications with secure enclaves from Intel though. It might take a bit to get there, but it is related.

some kinda jackal
Feb 25, 2003

 
 
Sorry if this is stupid but I'm an oVirt baby --

The way I've always worked with vSphere is:

- Install ESXi on bare metal
- Use thick client to deploy VCSA to said ESXi machine, alternately use VCSA6 deployer from a Windows machine.
- Log into VCSA to manage ESXi infrastructure


What is the oVirt paradigm here?

- Deploy oVirt-node on bare metal
- Use ??? to deploy something (oVirt-engine?) to manage said oVirt-node

The reason I ask is that I'm trying to arrange a standalone server that hosts its own management VM and I'm feeling extra stupid when looking through documentation.

evol262
Nov 30, 2010
#!/usr/bin/perl
Deploy ovirt on bare metal (centos node, fedora node, ovirt node, whatever -- ovirt node has pluses and minuses)

Install ovirt-hosted-engine on the node. Using the prebuilt ovirt appliance with hosted-engine --deploy is probably the nicest way to do this.

Log into the engine and go from there.

You can use a standalone engine somewhere off your ovirt infrastructure if you want, but the hosted engine is easier in lots of ways, and you don't need to burn a VM or physical hardware somewhere else to do it.

I'd point you at docs, but I'm spending my whole day doing rebuilds...

E: http://www.ovirt.org/documentation/how-to/hosted-engine/

evol262 fucked around with this message at 19:42 on Feb 19, 2016

some kinda jackal
Feb 25, 2003

 
 
Swanky, thanks a bunch :)

I'm thinking about oVirt-node because it closest mirrors the VMware paradigm of "hypervisor appliance" and I'm sort of trusting the maintainers to create the leanest OS that will run oVirt versus me installing on CentOS-minimal for example. Not sure how much truth there is to that but that's been my thought process so far. Really the only reason why I wanted to deploy engine on its own VM as well, which may be overkill if I can do what you're suggesting.

evol262
Nov 30, 2010
#!/usr/bin/perl
Using hosted-engine will actually deploy it as a VM.

The big thing here is that vdsm sets up SASL for libvirt, so you'd need to go through some hassle in order to create it as a VM on ovirt and do anything yourself. The hosted engine broker and agent will make sure the engine is alive, fail over the VM to another node if it isn't, etc. Hosted engine is absolutely the way to go if you want the engine running as a VM. A lot of the work can be done now with cloud-init, but 4.0 will completely remove the need to touch it at all -- just deploy the appliance+cloud-init and go. At present, you need to log into the VM at least once in order to run engine-setup.

oVirt Node/RHEV-H is one of the products that I explicitly work on, along with hosted engine (I'm not involved with vdsm/mom/engine), so I'm intimately familiar with it. The primary issue many users face is that it's a mounted read-only image, basically as a livecd image dumped on the drive with persistence happening on a separate LV, with a bunch of readonly-root stuff happening to make it work.

I imagine that when it was first conceived, this was great, but it presents a lot of obstacles if you want to treat it like a "normal" RHEL system, because it's basically a custom spin, and there's a fair amount of stripping done to make it as small as possible. You can, of course, always 'mount -o rw,remount /' and do whatever you want (`yum` is an alias, but /usr/bin/yum works as expected if you add repos -- everything in /etc should stay, and /config is the persistence partition if you want "permanent" stuff there. /data is also an option). I actually do this every time I install hosted-engine on Node (to put xauth on the system to use remote-viewer directly, since I can't be bothered), but you can always use remote-viewer remotely, too.

Our primary effort now is into "oVirt Node next" which is basically a plain RHEL system using copy-on-write LVM snapshots, distributing squashfs images which are laid down on a new thin-provisioned LV as the update mechanism, and will take away all of these quirks (plus moving to Cockpit for management). That should land around oVirt 4.0, with a tech preview beforehand.

It's (Node) very nice because you don't need to actually know how to configure snmp/etc, since we provide easy curses-ish configuration for all of it (including the hosted engine parts). It's not nice if you're an experienced admin who wants to own the system, pass a kickstart into Anaconda (somebody in the distant past decided it was better to write our own installer, so there's a bunch of kargs for PXE booting/installing it), etc.

If you just want a hands-off appliance as a hypervisor that you manage from the engine, it's great. The vast majority of our downstream customers use the node, and are super happy with it (plus a smaller attack footprint), but you get the choice...

evol262 fucked around with this message at 20:32 on Feb 19, 2016

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

evol262 posted:

Hosted engine is absolutely the way to go if you want the engine running as a VM.
Seconding this.
It was a bit of a pain to get it all sorted the first time, (testing failover and the whole thing crashed and had to be reinstalled) but when it works it is glorious.

stubblyhead
Sep 13, 2007

That is treason, Johnny!

Fun Shoe

psydude posted:

Anyone deployed vRA yet?

Built it out in the lab at my erstwhile employer and managed to get certified before they pulled the rug out from under me at the end of last year. What's up?

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

adorai posted:

At what scale is PVS REALLY better than MCS?

This is probably the most pitchfork-producing question in the Citrix realm since MCS was released. The answer, of course, is "it depends." PVS write cache in memory with overflow to disk is loving fantastic.

I agree with IE above pretty much across the board. PVS unless you're doing something quick and dirty, then MCS. I've also been using PVS since Citrix bought it from Ardence so take that with a grain of salt, I guess.

H2SO4 fucked around with this message at 07:29 on Feb 21, 2016

Luna
May 31, 2001

A hand full of seeds and a mouthful of dirt


Internet Explorer posted:

I feel as the thread's resident Citrix guy I should have responded to this already. I'm feeling really guilty for having not have responded. Did you get this sorted? If not, I should be a leader to give you a hand. If I remember correctly all you rally need to do is rekey your cert on vCenter, export it, then import it on your DDCs, but it's been a few months.

Also, play around with Provisioning Server if you get the chance. It's kind of the red headed stepchild but it is quite awesome compared to Machine Creation Services.

Thanks, I did get it sorted. I ended up rebooting the controller and reimporting the cert and it worked like it should. At this point I'm not looking a gift horse in the mouth.

I managed 4.5 - 6.5 farms for years and was pretty good with it. 7.x is completely different and is almost like starting from scratch. I'm setting up PVS now. I also had issues with MCS failing to build Machine Catalogs with vDisks. I had the master image on local storage on the esxi server, once I moved it to the SAN it built successfully.

I was supposed to have my certification by now but it hasn't gone as smoothly as I would have thought.

Internet Explorer
Jun 1, 2005
Cool, glad you got it working. I see autocorrect completely butchered that post of mine, sorry. I like the architecture changes in 7.x and things seem a bit more polished, which isn't saying much. I would recommend setting VDIs to report to the farm using registry keys, even though AD discovery is default. It worked fine for us to start but we quickly ran into issues and several Citrix techs we spoke to have no idea about AD discovery. Other than that we've been running into high CPU usage intermittently with Internet Explorer and dwm.exe, but I'm not 100% sure that's Citrix. Oh, we also had to disable some Citrix application hooks because they were causing real strange issues with Office.

mewse
May 2, 2006

mewse posted:

Is it true that you can't use the free version of vSphere ESXi in production?

I manage one VoIP server and have virtualized it with the free hypervisor. I have a coworker who I suspect wants to keep me from learning his job so he is telling me to use hyper-v despite the fact that our environment is entirely vmware.

Quoting myself from a few pages back.

This same coworker now wants me to use a Workstation license for the server because we have licenses for Workstation available.

Can someone give me quick bullet points to why I should use the free hypervisor instead of Workstation?

I'd rather have a bare metal hypervisor and I don't think Workstation will work with our Veeam install.

e: crap I just read that the free hypervisor locks out the APIs for Veeam as well

e: maybe I will check out hyper-v.....

mewse fucked around with this message at 21:58 on Feb 22, 2016

some kinda jackal
Feb 25, 2003

 
 
Can you put the VoIP server elsewhere in your VMware infrastructure? Is the issue just that you don't have a spare license for the ESXi host that runs the VoIP server?

Hyper-V isn't awful from all my interactions with it, but the whole idea of having an entire underlying Windows server just kind of irks me. I know it's not a LOT of overhead, still.

If the VoIP server is Windows based, theoretically you could use something like Veeam Endpoint Protection to do the backup from the guest itself.

some kinda jackal fucked around with this message at 23:38 on Feb 22, 2016

Thanks Ants
May 21, 2004

#essereFerrari


It's not really an entire Windows server - the hypervisor sort of replaces the OS and then the original OS becomes virtualised on top.

See https://msdn.microsoft.com/en-us/library/cc768520%28v=bts.10%29.aspx
