ESX Commands – esxcfg-firewall

I have really forgotten to keep up on my VCDX study path. So today a quick tidbit on the esxcfg-firewall command.
Many of us today will use the vCenter Client to change firewall ports on the ESX. One instance where I exclusively mess with the firewall from the command line using esxcfg-firewall is when I install Dell OpenManage. I am already in the console to install the agents so I might as well open the firewall from the console too.
This really applies to any kind of agent or software you add to your ESX installation. So if you find yourself already in the console, why not save a step and do it from the CLI?

Let's look at the command:

# esxcfg-firewall -o 1311,tcp,in,OpenManageRequest

First is the command, esxcfg-firewall; -o is for openport, 1311 is the port number, tcp is the protocol, in is the direction, and the final part is the name of the service.

Now if you want to see all of your esxcfg-firewall settings try:
esxcfg-firewall -q

Show whether a specific service is enabled:
esxcfg-firewall -q [service name]

Of course typing esxcfg-firewall -h gives lots of good help.
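
The four-field rule format described above (port, protocol, direction, service name) can be checked before it reaches the firewall. This is an added example, not code from the original post; the function names, the APPLY switch and the service-name character policy are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check a "port,protocol,direction,name" spec before it is
# handed to esxcfg-firewall -o. APPLY and both function names are this
# example's own; nothing is changed unless APPLY=1.

# valid_rule SPEC: exit status 0 if SPEC is well formed, 1 otherwise.
valid_rule() {
    case $1 in
        *,*,*,*,*)   return 1 ;;   # more than four fields
        ?*,?*,?*,?*) ;;            # exactly four non-empty fields
        *)           return 1 ;;
    esac
    port=${1%%,*};      rest=${1#*,}
    proto=${rest%%,*};  rest=${rest#*,}
    dir=${rest%%,*};    name=${rest#*,}
    # Port: decimal, no leading zero, 1..65535.
    case $port in 0*|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -le 65535 ] || return 1
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $dir in in|out) ;; *) return 1 ;; esac
    # Name: letters, digits, "_" and "-" only (a policy assumed here).
    case $name in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# open_rule SPEC: print the command (dry run) or run it when APPLY=1.
open_rule() {
    if ! valid_rule "$1"; then
        echo "rejected: $1" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        esxcfg-firewall -o "$1"
    else
        echo "esxcfg-firewall -o $1"
    fi
}

# The page's rule, then constructed malformed variants of it.
for spec in "1311,tcp,in,OpenManageRequest" \
            "1311,tcp,inbound,OpenManageRequest" \
            "131100,tcp,in,OpenManageRequest"; do
    open_rule "$spec" || true
done
```

Run as-is it only prints the command it would execute, so the rule can be reviewed alongside the agent install before anything is opened.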

Some links: (You can google and find a ton more)

ESX Guide
VMware Land
Yellow Bricks
Virtualization Admin

ESX Commands – esxcfg-dumppart

Finally have a second to log into the test ESX and mess with esxcfg- commands again.

Today, esxcfg-dumppart. This command can be used to list, create and activate dump partitions used by the VMkernel during a crash. I would bet almost everyone automatically creates one of these during the install of ESX. What I mean is I never even tried to not create a dump part on installation. I was trying to think of a practical use for this. Maybe we want the dump to go to a SAN partition or some other drive? I would guess this would make it possible.

I found a neat PDF from VMware while researching this command.

ESX Commands – esxcfg-configcheck

The ESX Quick reference has information on this command.

I didn’t find any posts in the VMware Communities or the Knowledge Base with any reference to this command. From what I can decipher, it checks the settings of /etc/vmware/esx.conf. I wonder if it does any more or less.

So really, does anyone know the insides of this command?

ESX Commands – esxcfg-boot

What in the world does this command do?

-h --help
-q --query boot|vmkmod
-p --update-pci
-b --update-boot
-d --rootdev UUID=
-a --kernelappend
-r --refresh-initrd
-g --regenerate-grub
Queries cannot be combined with each other or other options. Passing -p or -d enables -b even if it is not passed explicitly. -b implies -g plus a new initrd creation. -b and -r are incompatible, but -g and -r can be combined.

Here is some output from my lab:
[root@esxlab2 root]# esxcfg-boot -q boot
272 0:*; UUID=96c048d7-ee1d-4455-b6a5-801bfbaabbdc /vmlinuz-2.4.21-7.ELvmnix /initrd-2.4.21-57.ELvmnix.img

[root@esxlab2 root]# esxcfg-boot -q vmkmod
vmklinux
mptscsi_2xx.o
e1000.o
lvmdriver
vmfs3
etherswitch
shaper
tcpip
cosShadow.o
migration
nfsclient
deltadisk
vmfs2

I am picturing these commands to be much like the kernel options, modprobe and bootloader settings you would set up when you compile your kernel in Linux. Most hardcore Linux guys would let you know you are a real man when you recompile your own kernel. In VMware, I would be hesitant to mess with any of this unless I broke something. Then again, with all of my VMs on the SAN, if I bombed out an ESX host this badly, I would take 20 minutes to rebuild it.

Then I noticed from the B2V Guide that I would make use of this when I changed the queue depth on my HBAs, which I have done before. I followed this note on the forums.

What other device driver options besides the HBA will you ever change?
Here are some things I found:
More HBA problems
And even more queue depth fun
And this list could be longer, just searching VMware Community.
I would guess that the reason we don’t jack with the drivers with ESX and the hardware is because of the very good compatibility list. You don’t just run ESX 3.5 on anything (at least not for production).

ESX Commands – esxcfg-auth

Following my alphabetical method of learning.

usage: esxcfg-auth [options]

--enablemd5 Enable MD5 password storage
--disablemd5 Disable MD5 password storage
--enableshadow Enable Shadow password storage
--disableshadow Disable Shadow password storage
--enablenis Enable NIS Authentication
--disablenis Disable NIS Authentication
--nisdomain=domain Set the NIS domain
--nisserver=server Set the NIS server
--enableldap Enable LDAP User Management
--disableldap Disable LDAP User Management
--enableldapauth Enable LDAP Authentication
--disableldapauth Disable LDAP Authentication
--ldapserver=server Set the LDAP Server
--ldapbasedn=basedn Set the base DN for the LDAP server
--enableldaptls Enable TLS connections for LDAP
--disableldaptls Disable TLS connections for LDAP
--enablekrb5 Enable Kererbos Authentication
--disablekrb5 Disable Kererbos Authentication
--krb5realm=domain Set the Kerberos Realm
--krb5kdc=server Set the Kebreros Key Distribution Center
Set the Kerberos Admin Server
--enablead Enable Active Directory Authentication
--disablead Disable Active Directory Authentication
--addomain=domain Set the Active Directory Domain
--addc=server Set the Active Directory Domain Controller
--usepamqc=values Enable the pam_passwdqc module
--usecrack=values Enable the pam_cracklib module
--enablecache Enables caching of login credentials
--disablecache Disables caching of login credentials
--passmaxdays=days Set the maximum number of days a password remains valid.
--passmindays=days Set the minimum number of days a password remains valid.
--passwarnage=days Set the number of days a warning is given before a password expires.
Sets the maximum number of login failures before the account is locked out, setting to 0 will disable this
-p, --probe Print the settings to the console
-v, --verbose Enable verbose logging
-h, --help show this help message and exit

For more actual usage I would defer to one of the most useful VM blogs around, from Scott Lowe. The common usage for most of us daily users would be to enable Active Directory authentication on the ESX, so your team of admins can get in and do work in certain situations. Now when your team is one (still looking for that other VCP, hopefully he passes the test this week) or two this is not a huge requirement.
Additional authentication requirements can be set here depending on your environment’s requirements. I would generally let clients know this is available but have not had anyone demand to have the maxfailedlogins set to 5 or something.

ESX Commands – esxcfg-advcfg

Everything I find out in the VM Blogosphere about studying for the VCDX says to know your esxcfg- commands. Ok. So here I go.
The first command as I start out was the one on the top: esxcfg-advcfg.

[root@esxlab1 root]# esxcfg-advcfg
Usage: esxcfg-advcfg []
-g|--get Get the value of the config option
-s|--set Set the value of the config option
-d|--default Reset Config option to default
-q|--quiet Suppress output
-k|--set-kernel Set a VMkernel load time option value.
-j|--get-kernel Get a VMkernel load time option value.
-m|--set-message Set DCUI welcome message.
-u|--uuid Ensure the Vmkernel system UUID is set and print it.
-h|--help Show this message.
-r|--restore Restore all advanced options from the configuration

A great wealth of info about this command (and all esxcfg- commands) is available from b2vGuide2vmware3. Not wanting to repeat anything written on the site, I would ask: what is the common usage situation for this command?
We can see how to use the command but exactly why would I do those changes?
I guess from the looks of things this command might be the hardest one to explain.
Anyone out there able to fully explain this?

Maybe alphabetical was the wrong way to start.

VCDX – Nugget — Identify iSCSI, Fibre Channel

Storage – Create and Administer VMFS Datastores using advanced Techniques

Describe how to identify iSCSI, Fibre Channel, SATA and NFS configurations using CLI commands and log entries.

First, there are several commands relating to storage. I have discovered two of them that give me very useful information.

First is esxcfg-vmhbadevs

[root@esxvdi01 log]# esxcfg-vmhbadevs -h
Print the mappings between vmhba names and /dev names
-m|--vmfs Print mappings for VMFS volumes to their Service Console partitions and vmhba names.
-f|--vfat Print mappings for VFAT volumes to their Service Console partitions and vmhba names.
-q|--query Print mapping in 2.5 compatibility mode to mimic vmkpcidivy -q vmhba_devs.
-a|--all Print all devices, regardless of whether they have console device or not.
-h|--help Show this message.

The useful switch is -m; this will also print the VMFS ID for easy identification of the HBA, Service Console device path and the VMFS volume.

[root@esxvdi01 log]# esxcfg-vmhbadevs -m
vmhba0:0:0:3 /dev/cciss/c0d0p3 48c64d26-b496c344-0a0f-001cc4be79c0
vmhba0:1:0:1 /dev/cciss/c0d1p1 48c64f2c-f4eb2f06-df8b-001cc4be79c0

Next is the command esxcfg-mpath
[root@SCG-PRESX3 root]# esxcfg-mpath -l
Disk vmhba1:0:1 /dev/sdc (1342249MB) has 2 paths and policy of Most Recently Used
FC 13:0.0 2100001b320b1e1f<->5006016030230c0d vmhba1:0:1 On active preferred
FC 15:0.0 2100001b320b6b31<->5006016830230c0d vmhba2:0:1 Standby

Disk vmhba1:0:2 /dev/sdd (2072576MB) has 2 paths and policy of Fixed
FC 13:0.0 2100001b320b1e1f<->5006016030230c0d vmhba1:0:2 Standby
FC 15:0.0 2100001b320b6b31<->5006016830230c0d vmhba2:0:2 On active preferred

Disk vmhba1:0:0 /dev/sdb (2072576MB) has 2 paths and policy of Fixed
FC 13:0.0 2100001b320b1e1f<->5006016030230c0d vmhba1:0:0 Standby
FC 15:0.0 2100001b320b6b31<->5006016830230c0d vmhba2:0:0 On active preferred

Disk vmhba0:0:0 /dev/sda (69376MB) has 1 paths and policy of Fixed
Local 1:0.0 vmhba0:0:0 On active preferred

This command is intended to supply multi-pathing information for the VMFS volumes. It additionally tells you the type of disk, the service console device path and the HBA identifier. I can see local, iSCSI, NFS, and Fibre Channel disk information from this command.
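
The multipath listing above can be reduced to one line per disk showing transport, path count and active path, which makes single-path disks easy to spot. This is an added example, not part of the original post; the function names are made up here, and only the FC and Local line shapes shown on the page are exercised.

```shell
#!/bin/sh
# Added example: summarise `esxcfg-mpath -l` output, one line per disk, and
# mark disks with fewer than two paths. Function names are this example's own.

# sample_mpath: three disks copied from the lab output shown on the page.
sample_mpath() {
    cat <<'EOF'
Disk vmhba1:0:1 /dev/sdc (1342249MB) has 2 paths and policy of Most Recently Used
FC 13:0.0 2100001b320b1e1f<->5006016030230c0d vmhba1:0:1 On active preferred
FC 15:0.0 2100001b320b6b31<->5006016830230c0d vmhba2:0:1 Standby

Disk vmhba1:0:2 /dev/sdd (2072576MB) has 2 paths and policy of Fixed
FC 13:0.0 2100001b320b1e1f<->5006016030230c0d vmhba1:0:2 Standby
FC 15:0.0 2100001b320b6b31<->5006016830230c0d vmhba2:0:2 On active preferred

Disk vmhba0:0:0 /dev/sda (69376MB) has 1 paths and policy of Fixed
Local 1:0.0 vmhba0:0:0 On active preferred
EOF
}

# mpath_summary: read the listing on stdin. The first word of a path line is
# taken as the transport; the vmhba name on an "active" line is the live path.
mpath_summary() {
    awk '
    function emit() {
        if (disk == "") return
        printf "%s %s %s paths=%d active=%s policy=%s%s\n",
            disk, dev, transport, seen, active, policy,
            (seen < 2 ? " SINGLE-PATH" : "")
    }
    $1 == "Disk" {
        emit()
        disk = $2; dev = $3; seen = 0; active = "none"; transport = "unknown"
        policy = $0; sub(/^.*policy of /, "", policy)
        sub(/[ \t]+$/, "", policy); gsub(/ /, "_", policy)
        next
    }
    disk != "" && NF > 0 {
        seen++; transport = $1
        for (i = 2; i <= NF; i++)
            if ($i ~ /^vmhba[0-9]+:[0-9]+:[0-9]+$/ && $0 ~ / active/)
                active = $i
    }
    END { emit() }'
}

sample_mpath | mpath_summary
```

On a host, `esxcfg-mpath -l | mpath_summary` feeds the live listing through the same function.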

Any other commands to get this information? Let me know. As I (slowly) make my way into studying for the VCDX I hope to compile a big list