root == Bad

I’ve been reading a bunch of posts covering the idea of “making another root account”. I read this KB article from VMware when it first came out and said “how dumb, no thanks”. I didn’t realize it would cause such a stir.

When I design new systems and deploy new applications and processes at my work, a large part of the discussion in my mind is how much support work this new procedure will cause. Initial deployment is typically all a project planner thinks about. In my experience that is a small cost in the overall picture.

Adding an additional root level account introduces the following support issues:

  • An account that has to be audited
  • An account that has to have a regular password update which means tracking that password
  • An account that needs to have the password distributed to various individuals
  • An attack vector that must be considered or contained

Anyone who immediately says these are trivial has never had to maintain this for thousands of accounts, from the top down to the actual account. Any one of them might be simple to do, but when you start adding this to every procedure you have, it adds up.

Now why would you need another root account? I’m doing everything I can to get rid of all usage of it. sudo does 99.99% of everything I need to do with root level privileges in ESX. If I could add a host into VirtualCenter using a user account instead of root I’d be happy to disable logins using root. There is only one situation I can think of that I need root for, and if the host is that screwed up, I’ll most likely be rebooting it anyway.

Not much use for root honestly.  Fight the power.   As a fellow blogger says so elegantly, “Just cause you can doesn’t mean you should”.

vSphere here we come

Ever since VMworld 2008 I’ve been waiting on the official word on what the new VI4 version name will be. I figured it’d be changed from VMware VI4, which was the latest name. Just wasn’t sure what it would change to.


VMware vSphere

This according to

Makes sense.   Just curious when the official announcement will come.

Powershell speed – Get-VM vs. Get-View -ViewType

I’ve been starting to look at using the VI Toolkit, which uses Powershell. In doing this many of the command formats tend to be “Get-VM | Get-View” or “Get-VMHost | Get-View”. So I’m off and figuring this out and I run a small script and say “Geez that took a long time to run”. I’m talking to my co-worker (a pretty smart cookie) and he says “Why don’t you just use ‘Get-View -ViewType VirtualMachine’ and skip the middle man?” Good point. Didn’t know about that command. Well this is just a tad bit faster.

Get-VM | Get-View timing in my script takes 1 minute and 37 seconds.

Get-View -ViewType VirtualMachine takes an amazing 5.12 seconds.

The VI Toolkit developers have identified this as a serious issue and are working on ways to speed this up while retaining backwards compatibility.

So the lesson today is: if you need to do a Get-View immediately after collecting some set of objects, look at using Get-View -ViewType instead. It isn’t as readable, but it gets the job done well.
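Here is an added example (not code from the original post) that times the two approaches side by side with Measure-Command and then runs the same filter over the faster result. It assumes the VI Toolkit snap-in is loaded, and the server name vc01.example.local is a placeholder for your own VirtualCenter.

```powershell
# Added example, not from the original post. Assumes the VI Toolkit snap-in is
# loaded and that 'vc01.example.local' is a placeholder for your VirtualCenter.
Connect-VIServer -Server 'vc01.example.local' | Out-Null

# Slow path: build a full VM object for every VM, then fetch a view for each one.
# Variables assigned inside the script block need script scope to survive it.
$slow = Measure-Command {
    $script:viaGetVM = Get-VM | Get-View
}

# Fast path: ask the server directly for every VirtualMachine managed object.
$fast = Measure-Command {
    $script:viaViewType = Get-View -ViewType VirtualMachine
}

Write-Host ("Get-VM | Get-View                : {0:N2} s, {1} VMs" -f $slow.TotalSeconds, $viaGetVM.Count)
Write-Host ("Get-View -ViewType VirtualMachine: {0:N2} s, {1} VMs" -f $fast.TotalSeconds, $viaViewType.Count)

# Both paths return VirtualMachine views, so downstream filtering is unchanged.
# Example: powered-on VMs whose VMware Tools are not reported as OK.
$viaViewType |
    Where-Object { $_.Runtime.PowerState -eq 'poweredOn' -and
                   $_.Guest.ToolsStatus -ne 'toolsOk' } |
    Select-Object Name, @{ Name = 'Tools'; Expression = { $_.Guest.ToolsStatus } } |
    Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

The two VM counts printed should match; if they don’t, the difference is worth chasing before trusting either number, since both are supposed to describe the same inventory.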

Citrix vs VDI/View – Round 1

Recently my company has gone through this huge architectural discussion/debate around using Citrix versus using VDI. It has been rather entertaining to say the least. I’ve met with the architect that’s attempting to put together a comparison document on a direction to go.

Some background… We’ve worked to get Citrix to run our critical home grown apps 3 times now.   All since Citrix is going to save us some untold amount of money in the long run.  Each time trying to get our homegrown apps to Citrix-ize has been completely and horribly unsuccessful.   So great.. We have Citrix running some 2 dozen applications (not the important ones still) and still have to maintain a separate application deployment system for applications outside of Citrix currently (lets talk about management, labor and support effort of maintaining two separate systems).  The current Citrix environment gets at least a dozen new tickets

When we attempted to get Citrix up and running the first time 4+ years ago we spent some 200 hours trying to get One homegrown business critical application up and running on Citrix.   That failed horribly.   We then looked at running this “Virtual Machine” concept with XP workstations which was completely new at the time.  It was this or putting some 200 desktops into our datacenter.  Ewwww.   We went and tried the Virtual Workstations out and had the application, entire environment and all systems up and running in about 100 hours of effort.   It worked.  The environment then grew organically as more and more teams heard about it and found that it just kept working.   We are up around 1200 VDI instances (we call it Virtual Workstations) now.

Sooo.. Back to architectural discussion..

Citrix has some 12 pages in this document around the things we’d have to fix, all the unknowns, the estimated effort to Citrix-ize all these apps, and the possible, maybe cost savings if we are lucky and can get some of these business critical applications up and working, and so forth. Virtual Workstations has 1/2 a page that says basically.. “It works and will work for the foreseeable future.”

What is upper management thinking about doing?  Citrix.   Why?  Beats the tar out of me as the possible cost savings just don’t appear to be there.     *sigh*