Current environment
Vcenter : vcenter appliance 5.5.0.30100 Build 3154314
Host : esxi 5.5 build 3248547
View admin : view connection server 5.3.0 build-1427931
View Composer : view composer 5.3.5
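Symptoms
- Recompose and new pool creation fail with the error message "view composer disk fault disk customization failed due to an internal error".
- In vCenter, VMs are deleted immediately after they are created.
Actions before the failure
- Applied a security patch to the production servers (hosts) (5.5 1331820 -> VMware ESXi, 5.5.0, 3248547)
Cause
- The security patch disabled SSLv3 communication, which caused the problem.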
http://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-esxi-55u3b-release-notes.html#whatsnew
Resolution
- As a workaround, enable SSLv3 communication (VMware recommendation)
- Changes made on the ESXi host
Caution: These steps expose the security vulnerabilities with SSLv3. This issue is resolved in VMware View 6.2, available at VMware Downloads. For more information, see VMware Horizon 6 version 6.2 Release Notes.
The SSLv3 support can be enabled for these ports and services:
CIM Port 5989
Authd Service Port 902
Enabling support for SSLv3 on CIM Port 5989 in ESXi
Create a backup copy of the /etc/sfcb/sfcb.cfg file.
Edit the /etc/sfcb/sfcb.cfg file to append the following line at the end of the file:
enableSSLv3: true
Note: If you have the line enableSSLv3: false in the file, change it to enableSSLv3: true
For Example:
[root@blr7-7th-dhcp-45-136:~] cat /etc/sfcb/sfcb.cfg
# Generated by sfcb-config.py. Do not modify this header.
# VMware ESXi 6.0.0 build-3029758
#
basicAuthLib: sfcBasicPAMAuthentication
certificateAuthLib: sfcCertificateAuthentication
cimXmlFdHardLimit: 1024
cimXmlFdSoftLimit: 512
.
.
.
threadStackSize: 524288
useChunking: true
sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
enableSSLv3: true
Restart the SFCBD service with the command:
/etc/init.d/sfcbd-watchdog restart
Enabling support for SSLv3 on Authd service 902 in ESXi
Create a backup copy of the /etc/vmware/config file
Edit the /etc/vmware/config file to append the following line at the end of the file:
vmauthd.ssl.noSSLv3 = "FALSE"
Note: If you have the line vmauthd.ssl.noSSLv3 = "true" in the file, change it to vmauthd.ssl.noSSLv3 = "FALSE"
For Example:
[root@w1-fiqabj-003:~] cat /etc/vmware/config
libdir = "/usr/lib/VMware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = "FALSE"
Restart the rhttpproxy service with the command:
/etc/init.d/rhttpproxy restart
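To see which hosts currently have this workaround active, the following added example (not from the original post or from VMware) reads the two files edited above and reports whether SSLv3 is re-enabled for each service. The function names and output words are this example's own; it treats any line that enables SSLv3 as "enabled", because the page does not say which of two duplicate lines takes effect.

```shell
#!/bin/sh
# Added example: audit the two settings changed by the SSLv3 workaround.
# File paths and keys are the ones shown on the page; everything else
# (function names, the words printed) is this example's own.

# sslv3_state FILE KEY SEP ON_VALUE
# Prints: enabled  - some line sets KEY to ON_VALUE (SSLv3 re-enabled)
#         disabled - KEY is present but never set to ON_VALUE
#         default  - KEY is absent (the patched build's own behaviour applies)
#         missing  - FILE cannot be read
sslv3_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk -v key="$2" -v sep="$3" -v on="$4" '
        {
            i = index($0, sep); if (i == 0) next
            k = substr($0, 1, i - 1)            # text before first separator
            v = tolower(substr($0, i + 1))      # value, compared case-insensitively
            gsub(/^[ \t]+|[ \t]+$/, "", k)      # trim the key
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)  # trim spaces and quotes
            if (k != key) next                  # also skips "#key ..." lines
            seen = 1
            if (v == on) hit = 1
        }
        END { print (hit ? "enabled" : (seen ? "disabled" : "default")) }' "$1"
}

# CIM port 5989: enableSSLv3: true means SSLv3 is on.
sfcb_sslv3()  { sslv3_state "${1:-/etc/sfcb/sfcb.cfg}" "enableSSLv3" ":" "true"; }

# Authd port 902: the key is a negative, so "FALSE" means SSLv3 is on.
authd_sslv3() { sslv3_state "${1:-/etc/vmware/config}" "vmauthd.ssl.noSSLv3" "=" "false"; }

# audit_sslv3 [SFCB_FILE] [VMWARE_CONFIG]
# Prints both states; returns 1 if either service has SSLv3 re-enabled.
audit_sslv3() {
    s=$(sfcb_sslv3 "$1"); a=$(authd_sslv3 "$2")
    echo "CIM 5989 (sfcb): $s"
    echo "authd 902: $a"
    [ "$s" != enabled ] && [ "$a" != enabled ]
}
```

Calling audit_sslv3 with no arguments on the ESXi shell checks the default paths; the non-zero return status makes it usable in a loop over hosts.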
Future measures
- Upgrade the production Horizon View version (5.3 -> 6.2)