Recently, I had the privilege to travel to San Francisco to take the v4 troubleshooting course (4 days). It's about time they have a training program that is less lecture and more labs (about 65% lab to 35% lecture). What was even more appealing was that about 10 of the labs in this course were strict troubleshooting labs (I know this may not sound surprising, since it's a troubleshooting course). The issue I have with some labs in a training course is that they are very well structured and don't necessarily hit the major issues encountered in many production environments. The troubleshooting labs, however, covered issues that commonly occur in production. They were developed by VMware experts who polled their own FAQ page as well as forums and support calls. From there they developed scripts that broke the training environment in multiple ways, and we had free rein (and a little instructor help if needed) to fix the issues.
Reading the requirements for the VMware Certified Advanced Professional - Data Center Administration (VCAP-DCA), this course is a must-take for those wanting to upgrade their VCP to the next level. Considering that the VCAP-DCA exam is 100% lab based, I highly recommend that you take this course before looking to build a lab in your house or workplace. It will also give you design ideas as you start to think down the advanced certification road… Okay, enough plugging VMware education; now to discuss something more technical.
Another issue I encountered recently (and it seems I have to bang my head against the wall with my security people every few months) is the use of ESXi over ESX. For those that know VMware's market, the ESX hypervisor is going to be discontinued and ESXi will be the only hypervisor delivered by VMware. This isn't a huge ordeal considering the development and evolution of the vSphere Management Assistant (vMA) and the vCLI toolset. However, I continue to have discussions with our security people because they don't seem to understand the differences between the two hypervisors (no matter how many times I explain or illustrate it). I'll try my best to explain it here, show you exactly what the key differences are, and why your virtual environment needs to be designed (or upgraded) with ESXi.
"Improve Reliability and Security. The older architecture of VMware ESX relies on a Linux-based console operating system (OS) for serviceability and agent-based partner integration. In the new, operating-system independent ESXi architecture, the approximately 2 GB console OS has been removed and the necessary management functionality has been implemented directly in the core kernel. Eliminating the console OS drastically reduces the codebase size of ESXi to approximately 100 MB improving security and reliability by removing the security vulnerabilities associated with a general purpose operating system." (VMware, 2011).
Look at the image below regarding patch levels between ESX and ESXi (you would think that this alone would illustrate to the security professionals why ESXi is the better choice).
[Figure: patch levels for ESX compared with ESXi; image not recoverable from the page] (VMware, 2011).
When looking at this diagram again, I still shake my head in disbelief. Those who work in small businesses, where getting security to accept a new product is easier, may not relate; in larger organizations the decision often depends not on what is more secure but on what has routinely been done in the past, similar to the "if it ain't broke, don't fix it" mentality.
The other item I found very interesting, and I think this is what finally got through to the security engineering team, was the following.
[Figure: ESX and ESXi comparison; image not recoverable from the page] (VMware, 2011).
Additionally, the table below lays out the key compatibility differences between ESX and ESXi (both 4.0 and 4.1). Looking at 4.1 (which was a major release for ESX/ESXi), you'll notice that the only major difference between ESX 4.1 and ESXi 4.1 is serial cable connectivity to hosts through a serial port. I find this negligible because of the increased support for IP KVM and the use of fastpass or session-based authentication against a host from the vMA in ESXi 4.1. For those that want a direct cable connection to the host, get a nice KVM or invest in some form of web console connectivity via the server (iLO, DRAC, etc.).
| Capability | ESX 4.0 | ESX 4.1 | ESXi 4.0 | ESXi 4.1 |
|---|---|---|---|---|
| Service Console | Present | Present | Removed | Removed |
| Admin/config CLIs | COS + vCLI | COS + vCLI | PowerCLI + vCLI | PowerCLI + vCLI |
| Advanced Troubleshooting | COS | COS | Tech Support Mode | Tech Support Mode |
| Scripted Installation | Supported | Supported | Not Supported | Supported |
| Boot from SAN | Supported | Supported | Not Supported | Supported |
| SNMP | Supported | Supported | Supported (limited) | Supported (limited) |
| Active Directory | 3rd party in COS | Integrated | Not Supported | Integrated |
| HW Monitoring | 3rd party agents in COS | 3rd party agents in COS | CIM providers | CIM providers |
| Web Access | Supported | Not Supported | Not Supported | Not Supported |
| Serial Port Connectivity | Supported | Supported | Not Supported | Not Supported |
| Jumbo Frames | Supported | Supported | Supported | Supported |
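The table shows PowerCLI plus vCLI as the management path once the service console is gone. As an added example (not from the original post or from VMware), here is a PowerCLI inventory script that reports which hosts in a vCenter still run classic ESX with the console OS, so the gap the post describes can be measured rather than argued. It assumes PowerCLI is installed and that you have read access to vCenter; `vcenter.example.local` is a placeholder, and the `ProductLineId` values (`esx` for classic ESX, `embeddedEsx` for ESXi) are taken from the vSphere API's `AboutInfo` object.

```powershell
# Added example: inventory vCenter hosts and flag those still running
# classic ESX (service console present). Placeholder server name below.
Connect-VIServer -Server vcenter.example.local

# Build one row per host from the HostSystem's Config.Product (AboutInfo).
$report = Get-VMHost | Select-Object Name, Version, Build,
    @{ N = 'Product';     E = { $_.ExtensionData.Config.Product.Name } },
    @{ N = 'ProductLine'; E = { $_.ExtensionData.Config.Product.ProductLineId } },
    # 'esx' = classic ESX with console OS, 'embeddedEsx' = ESXi (assumed values)
    @{ N = 'ClassicESX';  E = { $_.ExtensionData.Config.Product.ProductLineId -eq 'esx' } }

# Show ESX hosts first so the upgrade backlog is at the top of the output.
$report | Sort-Object ClassicESX -Descending | Format-Table -AutoSize

# Summarise the hosts that still carry the ~2 GB Linux console OS.
$legacy = @($report | Where-Object { $_.ClassicESX })
if ($legacy.Count -gt 0) {
    $names = ($legacy | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} host(s) still run classic ESX with the service console: {1}" -f $legacy.Count, $names)
} else {
    Write-Host "All hosts run ESXi; no service console present."
}

Disconnect-VIServer -Confirm:$false
```

Run it from a PowerCLI session with a read-only vCenter account; it changes nothing on the hosts and only reads the product information each host already reports to vCenter.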
Hopefully this puts the core differences between ESX and ESXi to bed; for those that need additional information, the links to VMware's site are below.
References:
VMware. (2011). Understanding the Difference between ESX and ESXi.
VMware. (2011). Benefits of VMware ESXi Hypervisor Architecture.