Piszki Lab | EN

My case study in the clouds…

2021/08/17
by Piotr Pisz
1 Comment

CloudStack – VM with vTPM and Secure boot UEFI

Virtualization platforms offer the tools needed to run operating systems with special requirements. One such requirement is booting with a TPM and UEFI Secure Boot: the firmware verifies the signature of the boot loader, the boot loader verifies the kernel, and an unsigned or tampered component is refused rather than executed, while the (virtual) TPM records what was actually booted so the guest can attest to it later. This is easy on a physical host, but in a cloud stack it takes a bit more work. How it is solved in VMware vSphere I have already described here; today we will test a very similar solution in CloudStack. Note, however, that existing VMs installed in BIOS mode cannot simply be switched over: you will have to build a completely new UEFI reference VM.
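Once such a VM is up, the first thing to confirm is that the guest really booted the way CloudStack promised. The script below is an added example and not part of the original post: run inside a Linux guest it reports whether Secure Boot is enforced (reading the `SecureBoot` and `SetupMode` EFI variables from efivarfs) and whether a TPM 2.0 device is exposed. The `ROOT` prefix argument is an assumption introduced here so the same checks can be exercised against a constructed fake sysfs tree.

```shell
#!/bin/sh
# Added example, not code from the original post: verify from inside a Linux
# guest that it booted via UEFI with Secure Boot enforced and that a (v)TPM 2.0
# is exposed. The first argument (default "/") is a path prefix so the checks
# can be run against a constructed fake tree instead of the live system.

EFIVARS="sys/firmware/efi/efivars"
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SETUP_VAR="SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivarfs files start with 4 attribute bytes; the variable data follows.
# Print the first data byte of a variable as a decimal number.
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Echo "enabled", "disabled" or "no-uefi" (BIOS boot: no efivarfs at all) and
# return 0 only for "enabled". SecureBoot=1 only counts when the firmware is
# out of setup mode (SetupMode=0); in setup mode it would accept any new keys.
secure_boot_state() {
    root="${1:-/}"
    dir="$root/$EFIVARS"
    if [ ! -d "$dir" ]; then
        echo "no-uefi"; return 1
    fi
    if [ ! -r "$dir/$SB_VAR" ]; then
        echo "disabled"; return 1
    fi
    setup=0
    [ -r "$dir/$SETUP_VAR" ] && setup="$(efivar_byte "$dir/$SETUP_VAR")"
    if [ "$(efivar_byte "$dir/$SB_VAR")" = "1" ] && [ "$setup" = "0" ]; then
        echo "enabled"; return 0
    fi
    echo "disabled"; return 1
}

# Echo "tpm2", "tpm" (a device exists but is not reported as 2.0) or "none";
# return 0 only for "tpm2". tpm_version_major is exposed by recent kernels.
tpm_state() {
    root="${1:-/}"
    if [ ! -e "$root/dev/tpm0" ]; then
        echo "none"; return 1
    fi
    ver="$root/sys/class/tpm/tpm0/tpm_version_major"
    if [ -r "$ver" ] && [ "$(cat "$ver")" = "2" ]; then
        echo "tpm2"; return 0
    fi
    echo "tpm"; return 1
}

# Report on the live system when executed directly.
echo "secure boot: $(secure_boot_state /)"
echo "tpm:         $(tpm_state /)"
```

A guest that was installed in BIOS mode prints `no-uefi`, which is exactly why such a VM cannot be converted in place. Note that both checks only describe the guest's view: they prove the firmware refused unsigned code and a TPM is present, not that the hypervisor or its administrator is trustworthy.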

Continue Reading →

2021/05/13
by Piotr Pisz
9 Comments

CloudStack – KVM and running VM with vGPU

GPU cards (such as the NVIDIA V100) have recently gained popularity in many companies and elsewhere (universities, for example). Such a card can be used in many ways: for CUDA computation, but also for virtualization (NVIDIA RTX Virtual Workstation). Thanks to vGPU support we can divide the card according to a chosen profile (more on that later) and run up to 32 virtual machines per physical card, each with its own share of the GPU. In this article I would like to discuss two aspects in detail: passing one or more physical cards through to a VM, and using vGPU. In both cases the VM runs on CloudStack, although some of the techniques described here apply to any IaaS (e.g. Proxmox, OpenStack, vSphere and others).

Continue Reading →

2021/05/04
by Piotr Pisz
2 Comments

CloudStack – Kubernetes plugin

Most IaaS solutions (CloudStack, vSphere, OpenStack, Proxmox etc.), so far focused on virtual machines, are now intensively developing support for containers. The leading standard at the moment is Kubernetes; support for it can be found in VMware vSphere (the Tanzu project) and in CloudStack (the Kubernetes plugin). The approach to containers in IaaS is more or less the same everywhere: the containers run in lightweight VMs, and the IaaS platform takes care of starting and managing the cluster. Today we deal with the latter solution: we configure CloudStack step by step and launch a Kubernetes cluster. The CS documentation for version 4.15 is quite detailed and has up-to-date links to the ISO images you need, so be sure to read it.

Continue Reading →

2019/11/19
by Piotr Pisz
0 comments

vSphere 6.7U3 – Unable to push CA certificates and CRLs to host

The current version, vCenter 6.7U3, brought an interesting change, as can be read here: every CA certificate in the trusted store must have the "X509v3 Basic Constraints: CA:TRUE" flag set (that flag is what makes a certificate a CA certificate at all; leaf certificates that ended up in the store are the usual culprits). A certificate without this flag basically blocks all certificate operations, and the error "Certificate is not valid CA certificate" appears. Today, using the problem with refreshing CA certificates at the host level as an example, I will show you how to deal with it. In general, as I wrote in this post, the vCenter CA certificate store should be kept in order; a mess only brings problems.
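Before touching vCenter it helps to know which entries in the store are the offenders. The script below is an added example, not part of the original post: it runs `openssl x509 -text` over a directory of PEM certificates and lists every one whose Basic Constraints extension is missing or does not say `CA:TRUE`. The directory layout (one certificate per `.pem`/`.crt`/`.cer` file, for instance exported from the `TRUSTED_ROOTS` store) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: find certificates in a PEM
# trust store that lack "X509v3 Basic Constraints: CA:TRUE", the condition
# that makes vCenter 6.7U3 refuse them as CA certificates.

# Read the output of `openssl x509 -text` on stdin. Succeed only if the
# Basic Constraints extension is present and the value line printed right
# after its header says CA:TRUE (a pathlen suffix is fine).
has_ca_true() {
    awk '
        /X509v3 Basic Constraints/ { inbc = 1; next }
        inbc && /CA:TRUE/          { found = 1 }
        inbc                       { inbc = 0 }
        END { exit(found ? 0 : 1) }
    '
}

# Print the path of every certificate under DIR (assumed: one PEM certificate
# per file) that is not a CA certificate. A file openssl cannot parse is
# reported too, since vCenter would not accept it either.
list_non_ca_certs() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        [ -f "$f" ] || continue
        if ! openssl x509 -in "$f" -noout -text 2>/dev/null | has_ca_true; then
            echo "$f"
        fi
    done
}

# Usage: sh check-ca-flags.sh /path/to/exported-trust-store
[ $# -eq 1 ] && list_non_ca_certs "$1"
```

Everything the script prints should either be re-issued as a proper CA certificate or removed from the store; a leaf certificate never belongs in `TRUSTED_ROOTS`.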

Continue Reading →

2019/09/27
by Piotr Pisz
0 comments

Secure file server based on Samba, CTDB, CephFS and OpenLDAP

The purpose of today's exercise is to run a secure, fully HA Samba cluster that serves files directly from CephFS and authenticates users against OpenLDAP. The closest equivalent of this configuration is the Failover Cluster + DFS service available in Microsoft Windows Server 2012+. The Ceph and OpenLDAP configuration can be found in the linked articles; here we focus mainly on CTDB and Samba. CTDB, the Clustered Trivial Database (which is what the abbreviation stands for), keeps user sessions consistent across multiple nodes and also supervises Samba itself. In this configuration the VFS module samba-vfs-ceph (the Samba gateway for CephFS) will be used; it lets Samba work natively with CephFS, passing all file operations (opening, locking, closing, etc.) straight to CephFS through libcephfs instead of a kernel mount. To stay consistent with the recent configurations, users will be taken from OpenLDAP (the entire Samba configuration will also be stored there). Thanks to this approach we obtain a coherent, redundant configuration that seamlessly joins many components. Because the latest versions are used, which are not available in CentOS 7 or Ubuntu 18, all configuration will be carried out on Fedora Server 29 (but I think it will go onto CentOS 8 without any problems).
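To show how the pieces above fit together, here is an added example, not the author's own configuration from the post: a script that renders the CTDB node files and an `smb.conf` for such a cluster into a staging directory for review before copying to `/etc`. The hostnames, IP addresses, the LDAP tree (`dc=example,dc=com`), the Ceph user `client.samba`, the RADOS pool `ctdb` used for the recovery lock and the `@smbusers` group are all assumptions.

```shell
#!/bin/sh
# Added example, not configuration from the original post: render CTDB and
# Samba files for a CephFS-backed, LDAP-authenticated cluster into a staging
# directory. All names, addresses and the LDAP tree are assumptions.

# write_cluster_config DEST "priv_ip1 priv_ip2 ..." "public_ip/prefix iface"
write_cluster_config() {
    dest="$1"; priv_nodes="$2"; public_addr="$3"
    mkdir -p "$dest/ctdb" "$dest/samba"

    # Private node list: must be identical, and in the same order, on every node
    # ($priv_nodes is intentionally unquoted so it splits into one IP per line).
    printf '%s\n' $priv_nodes > "$dest/ctdb/nodes"

    # Floating client-facing address that CTDB moves between healthy nodes.
    printf '%s\n' "$public_addr" > "$dest/ctdb/public_addresses"

    # The recovery lock must be on shared storage. Rather than a file on a
    # mounted CephFS, use the RADOS mutex helper shipped with CTDB (cluster
    # "ceph", user "client.samba", pool "ctdb", object "ctdb_reclock" assumed).
    cat > "$dest/ctdb/ctdb.conf" <<'EOF'
[cluster]
    recovery lock = !/usr/libexec/ctdb/ctdb_mutex_ceph_rados_helper ceph client.samba ctdb ctdb_reclock
EOF

    cat > "$dest/samba/smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    netbios name = SMBCLUSTER
    security = user
    clustering = yes

    # Accounts and the Samba domain objects live in OpenLDAP (ldaps, so no
    # StartTLS on top). The bind password is NOT kept here: run
    # `smbpasswd -w <password>` once; it lands in secrets.tdb, which CTDB
    # replicates to every node.
    passdb backend = ldapsam:ldaps://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap admin dn = cn=admin,dc=example,dc=com
    ldap ssl = off

    # Hardening for a file server reachable from untrusted networks.
    server min protocol = SMB2_02
    smb encrypt = required
    map to guest = never
    restrict anonymous = 2

[share]
    # Served through libcephfs (vfs_ceph): the path is relative to the CephFS
    # root and kernel share modes must be off, as the vfs_ceph man page requires.
    path = /share
    vfs objects = ceph
    ceph:config_file = /etc/ceph/ceph.conf
    ceph:user_id = samba
    kernel share modes = no
    read only = no
    valid users = @smbusers
EOF
}

# Render into a staging directory (first argument) instead of /etc directly.
write_cluster_config "${1:-/tmp/smb-cluster-staging}" \
    "10.0.1.11 10.0.1.12 10.0.1.13" "10.0.0.100/24 eth0"
echo "rendered into ${1:-/tmp/smb-cluster-staging}; review, then copy to /etc"
```

After the files are in place on every node, CTDB has to be told to manage Samba (`ctdb event script enable legacy 50.samba` on each node with CTDB 4.9+), and `ctdb status` should show all nodes healthy before the public address is handed to clients.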

Continue Reading →

2019/09/13
by Piotr Pisz
0 comments

Cryptographic security in vSphere aka what is KMS, vTPM, VBS and others.

Quite recently I wrote about support for TPM 2.0 in vSphere 6.7: why use this technology and how to configure it. Today I would like to take the topic further and deal with the security of virtual machines (VMs). VMware is intensively developing VM security by introducing virtual machine encryption, a virtual TPM (vTPM) and support for Microsoft Virtualization Based Security (VBS). This is a very interesting piece of knowledge that I will try to present in as much detail as possible.

Continue Reading →