Communication between VM’s in ESX on ESX setup

VMware ESX is a hypervisor from VMware which helps you to virtualize your infrastructure. Refer this link for more details.

Virtualizing the ESX hypervisor (i.e. running it as a VM) itself is a great way to experiment with different setups and scenarios without needing physical lab setup to perform the same. One can create his own mini-lab on the virtual ESX setup, add networking and storage to it, and thus can simulate a wide variety of test scenarios. Virtualizing the ESX also gives user the freedom to clone/snapshot the ESX. Thus, user can simply bring up this virtualized ESX on some other host and he has his whole lab setup, up and running within a few minutes.

VMware ESX has the capability of running “ESX as a VM” on top of the physical ESX host. This virtual ESX host has all the capabilities as that of the physical host. Thus, one can have a VM running inside a VM (virtual ESX) present on physical server.

 

VM’s communicate with each other through the virtual switches (vswitch) provided by ESX.  Considering the case of Virtual ESX on the physical ESX, one gets the following connectivity between the vswitches:-

Looking at the above setup, let’s have a scenario where machine A wants to communicate to machine B. Packets from machine A needs to travel through vswitch1 and vswitch2 to reach to machine B. Assuming there are no VLANs configured on the switches and all ports are a part of default VLAN (native VLAN), one might say that A will be able to communicate with B. But in reality, A is unable to communicate with B. If A sends a ping request to B, then only ARP resolution takes place (mac address of B gets learn at A). Ping’s reply is not received by A. The workaround to facilitate this communication is by putting vswitch1 on promiscuous mode. Let’s discuss about the cause of failure and how promiscuous mode solves the issue.

Cause of failure:-

VMware vswitch does not have the capability of mac learning. It maintains a table of the port to mac binding only for the VM’s present on the vswitch. Anything except that, it forwards through the uplink (physical NIC).

Promiscuous mode:-

It is a mode of operation which allows network device to intercept and read each network packet that arrives in its entirety. Enabling promiscuous mode on a switch makes the switch work like a hub.

How vswitch works while in non-promiscuous mode (default):-

For ARP request, since it’s a broadcast, following steps take place:-

1.  Machine A sends an ARP broadcast.
2. vswitch1 forwards this broadcast packet to all members present in that VLAN as well as on Physical NIC. This broadcast packet is received both by vswitch2 and a Physical Switch.
3. On receiving the ARP request vswitch2 again broadcasts it and now it is received by machine B.
4. Machine B sends a unicast reply. This reply is seen by vswitch2.
5. Since the destination is not in its table, vswitch2 forward this response through physical NIC and is received at vswitch1.
6. Vswitch1 finds the destination mac-address entry in its table and it forwards the reply to machine A. Hence, machine A learns the mac-address of machine B.

Next, if one tries to ping to machine B from machine A, following steps take place:-

1. Machine A sends a ping request with destination mac-address of machine B (which it learnt from ARP broadcast).
2. Since it is a unicast request, vswitch1 tries to find the destination mac-address entry in its table. It is unable to find that entry and hence it sends that packet out to physical switch through the NIC. This packet is not forwarded to vswitch2 and hence machine A is unable to communicate with machine B.

When vswitch1 is in promiscuous mode:-

ARP request is resolved in the same way as it’s resolved for non-promiscuous mode discussed above.

For ping request/response, following actions take place:-

1. Unicast ping request is sent by machine A to machine B. This is received by vswitch1.
2. Since vswitch1 is in promiscuous mode, all the ports on the switch are able to see the traffic of other ports who are part of the same VLAN. Therefore, this packet is sent out to both physical port and vswitch2.
3. Vswitch2 finds port to mac entry for destination machine B and forwards the packet to machine B.
4. Machine B replies to ping request. This packet is received at vswitch2.
5. Since no entry for destination mac is found on vswitch2, it is forwarded to vswitch1.
6. Vswitch1 is able to find the entry for destination mac in its table, and hence the response is forwarded to A. Thus, the response from B is received by A.

With promiscuous mode enabled, VM’s on the internal ESX host are able to communicate with the outside world.

However, drawback of promiscuous mode is that it will lead to increase in the traffic on vswitch and it will degrade the performance of the switch. One solution could be to put only the port which is attached to vswitch2 in promiscuous mode. But then, A needs to be a part of the same VLAN which that port allows. Another solution could be to use the advanced virtual switches available in the market which also perform mac learning. Some examples of the advanced switches are VMware DVS, Cisco’s N1KV, IBM DOVE, etc.

References:-

http://www.vkernel.co.uk/?p=14

http://blog.nlitee.com/virtualization/vmware/configuring-vlans-on-vswitches/

http://www.cisco.com/en/US/products/ps9902/index.html

Allowing FTP through Firewall by Inspecting traffic

Problem statement:-

FTP traffic needs to be allowed through the firewall. Basic details about FTP can be found here. This cannot be done by simply allowing the traffic for control connection ( by default port 21 ) and not taking care for the data-connection. For this, one needs to analyze the FTP control path (control connection) data to get the details about the data-path (data connection). Once the data-path details are known, one just needs to create embryonic flow entries for the data-connection.

Embryonic flow: A flow entry created for the traffic-flow before there is actual traffic flowing which matches the flow specifications.

flowID: This is a five-tuple field to differentiate the various connections.

Control path activities for a particular FTP request are as follows :-

For Active Mode

For Passive Mode 

  

Out of these 8 packets on control-path, ignoring ACK, we have ‘Five’ generic packets in our flow. We can list these requests/responses in terms of states.

These states are:-
1.    Opening
2.    Opened
3.    command_sent
4.    execution_started
5.    execution_complete

One needs to keep track of FTP control connection’s state and the data-connection details negotiated. This can be done by storing the details in a table called “flow table”.

Flow table column’s are as follows :-
1.    Command Type
2.    IP Address exchanged for data-connection( required for creating embryonic flow )
3.    Port number exchanged for data-connection( required for creating embryonic flow )
4.    Response_code of the command
5.    State of the FTP connection

When a new FTP connection is initiated (is in opening state), one entry is made in the flow table. It then goes through all the states; when it reaches to the state of execution_complete, that entry is removed.

STATE TRANSITIONS FOR PORT COMMANDS:-

Now lets consider the case for PORT command. Five request/response actions occur in this. These are:-

( Client[XYZ] to Server[FTP 21] ) – FTP Request: PORT          -> OPENING
( Server[FTP 21] to Client[XYZ] ) – Response: 200 PORT      ->  OPENED
( Client[XYZ] to Server[FTP 21] ) – FTP Request: <CMD>    ->  CMD_SENT
( Server[FTP 21] to Client[XYZ] ) – Response: 150                ->  EXEC_STARTED
( Server[FTP 21] to Client[XYZ] ) – Response: 226                ->  EXEC_COMP

Steps followed for each of the above requests/responses:-

Packet1:-

First packet sent is the packet with PORT command from client to server.

 

When this packet is received, a flow-entry is made and IP_Address and PORT negotiated are calculated from the message. Also the state is changed to OPENING.

Packet 2:-

Second packet is the response to the PORT command.

Once it is received, Response code is calculated from the message. If  the response-code is positive ( like 200), a flow-entry is present in the flow_table for this packet’s flowID and state is OPENING, then the state is changed from OPENING to OPENED.

Packet 3:-

On the next packet if flow table has a entry for its flowID and is in the OPENED state with the direction from Client to server, then it’s a request from Client to server to perform a specified operation.

After receiving this packet, the state is now changed from OPENED to CMD_SENT.

In case of PORT commands, TCP 3-way handshake for the data-connection occurs after this packet is received by the server. Therefore, embryonic-flow-entry is made in the allowed-connections table on the firewall so that this data-connection traffic is not blocked by the firewall.

Packet4:-

Next packet for the particular flow is the response from the server. Based on the response code received, the state will be changed.

If the response from the server is positive preliminary reply and the state for the particular flow-entry is CMD_SENT, then the state is changed to EXEC_STARTED. If the response is negative, then the flow-entry is deleted, embryonic-flow-entry is also deleted.

Packet5:-

This is the last packet received indicating the status of the FTP command.

If the response code is ‘226’, this means the transfer has occurred successfully. If the previous state was EXEC_STARTED, the state is now changed to EXEC_COMP and the embryonic-flow-entry and flow-entry can be deleted from the respective tables. If some negative reply is received, even then the embryonic-flow-entry and the flow-entry are deleted from the tables.

STATE TRANSITIONS FOR PASV COMMANDS:-

For passive commands, it again goes through the five states mentioned below:-
( Client[XYZ] to Server[FTP 21] ) – FTP Request: PASV                   ->   OPENING
( Server[FTP 21] to Client[XYZ] ) – Response: 227 (port_no)         ->   OPENED
( Client[XYZ] to Server[FTP 21] ) – FTP Request: <CMD>             ->   CMD_SENT
( Server[FTP 21] to Client[XYZ] ) – Response: 150                         ->   EXEC_STARTED
( Server[FTP 21] to Client[XYZ] ) – Response: 226                         ->   EXEC_COMP

Steps followed for each of the above requests/responses:-

Packet1:-

First packet sent is the packet with PASV command.

Once it is received, a flow-entry is made in the flow_table. Also the state is changed to OPENING.

Packet 2:-

Second packet is the response to the PASV command. If a flow-entry is present in the flow_table for the packet’s flowID and its state is OPENING and the direction is from server to client, then its a response from the server.

Once it is received, Response code and PORT negotiated is calculated. According to the response code received, a particular action is taken. Suppose if its 227, then the state is changed from OPENING to OPENED.

In case of PASV commands, TCP 3-way handshake on the data-connection occurs after this packet is received by the client. Therefore, an embryonic flow-entry is made in the firewall’s allowed-connections table with the data-connection details.

Packet 3:-

If the next packet for the particular flowID is from Client to server and state is OPENED, then it is a request from Client to server to perform some operation.

After receiving this packet, the state is now changed from OPENED to CMD_SENT.

Packet4:-

Next packet for the particular flowID would be response from the server.

If the response from the server is positive and state is CMD_SENT, then the state is changed from CMD_SENT to EXEC_STARTED. If the response is negative, then the flow-entry and embryonic-flow-entry are deleted  from the respective tables.

Packet5:-

This is the last packet received indicating the status of the FTP command.

If the response code is ‘226’ and state is EXEC_STARTED, this means the transfer has occurred successfully, state is changed to EXEC_COMP and the flow-entry and embryonic-flow-entry can now be deleted from the respective tables. In case of negative replies also, the same action is taken.

Conclusion:-

This approach can be followed in all the cases where you have the data-path created dynamically and its information is negotiated on the control-path. Above example listed how this can be applied to FTP. Similarly, one can use it for RSH, MSRPC with different set of columns in flow_table( as per the protocol needs).

 

How FTP works

FTP stands for File Transfer Protocol which is used to transfer files from one host to another over TCP. RFC 959 lists all the details of FTP. It is an application layer protocol and is used widely across the world for transferring files.

FTP connections (what we read and know):-

FTP consists of 2 connections:-

1.    Control Connection on port 21 of server (Standard, can be changed)

2.    Data Connection on port 20 of server (Standard, can be changed)

Control connection is established between port 21 of server and random port of client. Once opened, this connection remains there unless closed by user or idle timeout occurs.

Data connection is established every time client sends a request using control connection to server for data transfer. For every new Data connection, port number changes. The new port number is negotiated on the control connection. 

NOTE:-

Not all the FTP commands use the Data Connection…

Here is the list of FTP commands. Commands with (√ ) indicates that the command uses data connection and commands with (X) indicates that the command doesn’t use data connection.

 

Looking at the above diagram, one could see that of all the commands available for FTP, ratio of commands which use data connection to all commands is very less.

FTP data transfer modes are of 4 types:-

·        1. Active Mode (Also known as PORT based)

·        2. Passive Mode (Also known as PASV based)

·        3. Extended active mode to support NAT (EPRT)

·        4. Extended passive mode to support NAT (EPSV)

Active Mode:-
In this, client tells to the server on which client-port the data connection will be made. So client sends the port number with the command to the server. In PORT commands, port 20 is used by server for Data transfer.

Passive Mode:-

Sometimes client might be behind the firewall. In such cases, server cannot directly connect to the client on the negotiated port. So for that Passive mode is used. In Passive mode, any random port is used by server for Data connection.

        

In this, Server sends the data connection port no. to client and then client connects to that portnumber for data connection.

EPRT and EPSV modes:-
These modes are to support FTP in case of IPv6 and NATing. More details about them can be found in FTP’s RFC document.      

Traffic flow examples for PORT and PASV modes:-

Now we will try to see what traffic flows in case of FTP connection.

Server’s IP: 192.168.10.10

Client’s IP:  192.168.10.11

Now let us see what traffic flows when some request is sent by FTP-client to FTP-server which uses data-connection for both Active and passive modes. Thing to note here is that control connection is already established between client and server. We will discuss what happens after that.

­For Active mode:-

Once the user enters the FTP request, ftp client needs to create a data connection to get the output from the server. It first needs to negotiate the port. So it sends the command “PORT” with client machine’s IP and port to which the data connection should be made.

As seen from the above diagram, client sends request to server and server responds back. Port is successfully negotiated between them.

Next client sends the FTP request on the control channel. Now server performs 3-way handshake with the data port negotiated and then responds back with the output on the data channel. Once the data-transfer is complete, the data-connection is terminated.

For each new FTP request, a new data-connection is created.

For Passive mode:-

In passive mode, the client first informs server that it wants to open a passive mode data-connection with the server. It sends “PASV” command to server on control channel. Server responds back by sending the port to which it will open the data connection.

As we can see from the above diagram, server responds back with the IP and port number. 3-way handshake occurs at this time for the data-connection.

Next client sends the FTP request on the control-connection and server sends back the output on the data-connection. Once the data-transfer is complete for that request, the data-connection is terminated.

Conclusion:-

Considering the active and passive modes, we can re-design the basic diagram of FTP to more advanced and appropriate one as follows:-

This diagram now appropriately lists about the FTP and the various connections in FTP.

Desktop Customization using rainmeter

After long time, took out some free time to customize my desktop. I used rainmeter for customization and used various themes available for rainmeter. End result is the pics listed below.

For all these, I have used a combination of rainmeter themes which include enigma, arcs_by_kaelri, LEXIS, rainmeter_elegance and many more.

Try out your combinations and make your desktop much more prettier.

Running VMs in XEN if HVM support is not there

I have seen this problem a lot many times when people try to run linux VMs on Xen host which does not have Intel VT feature. Once Xen is installed, they are unable to run any VM since by default Xen keeps the virtualization type to HVM.

However you can run VMs on this host by following the following trick:-
You need to get VMs which are Paravirtualized. You can get them by creating them on a host which has VT feature, then making them Paravirtualized and then exporting them from that host and importing on the host which does not have intel VT feature. Using this, you will be able to run Paravirtualized VMs on hosts which does not have Intel VT feature. I have tried this and it worked in my case. Thought of sharing this with larger audience as it might help someone in need. To create paravirtualized Ubuntu VM, see my post link: Creating Paravirtualize Ubuntu VM

Setup FTP Server on Ubuntu and precautions to take

Most of the times I face issue in configuring FTP on Linux platform as a lot many types of FTP servers are available and each one has different properties. In this post, I am going to share info about one such FTP server which is most common and using simple steps, we can configure it. So here it goes.

I am going to discuss about vsftpd. First you need to install it onto your ubuntu box. For that, enter the following command:-

rahul@ubuntu$ sudo apt-get install vsftpd

Once its installed, you can see its conf file in /etc with name vsftpd.conf . There you can specify the access_type ie, whether you want to allow anonymous access or local_access. By default, local access is enabled, so anyone with the username "anonymous" can login to ftp server. To allow only authenticated users to be able to access FTP server, you need to change the access_type to local_access. One can do this by editing the vsftpd.conf file, commenting the "anonymous_enable=NO" and adding "local_enable=YES".

rahul@ubuntu$ sudo vi /etc/vsftpd.conf

Once you are done with the changes, restart the service.

rahul@ubuntu$ sudo /etc/init.d/vsftpd restart

Once its done, are done with the setup of FTP server. Now you need to keep following things in mind:-
You cannot connect to FTP server by using the username as "root" as it might give error.
For that, use username "ftp" or any user which is present on that machine except root.
Use the default credentials of that account to log in.

Default Directory:-
Default directory in this case is the home directory of the user with whose name you have logged in. So if you have a user "rahul" and you have logged in via that username, then the default directory of ftp will be "/home/rahul" . If you will do "ls" once you are connected to that server, it will list all the files present in that directory.

If you want to allow user to write to that directory, then you have to accordingly change the setting in vsftpd.conf file and enable that flag.

Hope this will solve some of the problems which users face due to vsftpd.

Using proxy-server to access Blocked Websites

A proxy server is a server which gets the request from the client, evaluates the request and then sends back the response to the client. For example, if one wants to access a webpage, the request is sent to proxy-server, which reads that page and then sends the contents back to the client.

This comes handy when someone has blocked some sites and you want to access them. In that case, the request to those sites will be first sent to proxy server, who will fetch those results and will then return them back to you.

Recently some of the websites are blocked by the ISP's. If you want to access them, you need to have a proxy server. There is a site called www.proxy.org which lists a whole lot many proxy servers which one can use. Just select any proxy-server you want, based on the country and then it will ask for what address you want to go to. Type the address and you will be redirected to that website through proxy-server.

One thing to note is that don't use proxy-server for sites like facebook or gmail as they require authentication and you would not be able to do that using the proxy-servers.

Creating Ubuntu 12.04 Paravirtualized VM for Xen

Creating an Ubuntu VM:-

First of all, you need to create an Ubuntu VM. For that, there is no default template in XENServer 6.0. Therefore, select the "Other Install Media" template. Make sure that the VM-Name which you write should not contain any spaces. This is because we are going to use a script at later stages and it gives error if vmname contains space.

XenServer 5.5's pygrub(the bootloader for PV) is unable to read Ext4 filesystem. This could be a limitation in XenServer 6.0 as well although I am not sure about it. Therefore to be on the safer side, make sure that your /boot partition uses Ext3 or Ext2 filesystem. Here is one sample partition table which you can make. Make 3 partitions and keep the rest of space unallocated which we can allocate later.

Partition Table:-

Type: /boot              Filesystem:   Ext3/Ext2                Size:    5 GB

Type: /                     Filesystem:   Ext4/Ext3/Ext2        Size:  10 GB

Type: Swap                                                                Size: 2 * Size of RAM

Unallocated Space: XX GB

If you don't want to take advantage of Ext4, then you can format using entire disk and using filesystem type as anything except Ext4.

Once done with this, just install Ubuntu12.04 on the VM. Also install openssh-server on that machine.

rahul@ubuntu$ sudo apt-get install openssh-server

Xen uses hvc0 console. So one needs to change tty1 to hvc0. For that perform the following steps:-

step1:-

rahul@ubuntu$ sudo cp /etc/init/tty1.conf /etc/init/hvc0.conf

Step2:-

Open hvc0.conf and replace all tty1 occurences by hvc0.

rahul@ubuntu$ sudo vi /etc/init/hvc0.conf

That file looked like this on my Ubuntu12.04 VM.

Now there are a fixed set of commands which need to be run to make the VM paravirtualized. Here on this link, they have listed those commands.

Commands to run on Xen's Dom0 to make a VM PV

These commands are used(are present) in the script which we are going to run at later stage. Now it requires some parameters as input which are present in the grub.cfg file. So we will copy that part from grub.cfg and keep it in some text file with us so that we can refer to it at later stages when required.Copy these parameters from VM and keep with you so that its available when the VM is off.

We need to copy the "Default Menu Entry" and copy its entire stuff(kernel and ramdisk name) in a different text file for later use. Here is example of the grub.cfg of my machine "Ubuntu12.04". Please note that the location of kernel and initrd will change in your cases as it depends on which partition your /boot is. So just copy the default menu entry and its whole content till the start of next entry.

Xen modules are not loaded into initramfs. We can correct that by adding the entry in modules file. Enter the following command for that:

rahul@ubuntu$ sudo echo "xen-blkfront" >> /etc/initramfs-tools/modules 

rahul@ubuntu$ sudo update-initramfs -u

Shutdown the VM. Create a snapshot if you want to revert back if some error occurs.

 Now you need to SSH to XenServer ie. to Dom0 machine and configure the properties of DomU machine which you want to paravirtualize.
Perform "xe vm-list" to list all the vm's present on xen host. Identify the name of vm which you want to paravirtualize.

root@xen# xe vm-list

  Now download the script available here.

The above mentioned script contains nothing but the steps which we have pointed out above on the blog with the link to that site.

Change the execution permissions of the script.

root@openstack-xen1# chmod +x makepv.sh

Execute the script. It will ask for vmname. Provide the name of VM which you want to para-virtualize.

root@openstack-xen1# ./makepv.sh <vmname>

Then it will ask for other parameters like kernel path and kernel parameters.
Provide them from the boot_config we have earlier copied and saved in a file. Copy the parameters from that file and provide them here.
If you don't have the script, then manually execute the commands as listed in the blog-post provided above.

Once its done, you need to install xentools onto the VM which you are paravirtualizing.
So connect xen-tools.iso to the ubuntu12.04 vm and power-on the VM.
SSH to the vm and install xen-tools on it.

Steps to install xentools:-

ssh <vm_ip>
sudo mount /dev/cdrom1 /media/cdrom
cd /media/cdrom/Linux
sudo dpkg -i xe-guest-utilities_6.0.0-743_amd64.deb

If you try to access vm-console using xencenter and the default console is hvc0, then you might see the error that you are unable to type anything  there. This is one of the bugs of xencenter. You just need to close xencenter and reopen it again to get it fixed.

Reboot the VM.
You need to change the run-level of the services. For that, enter the following commands:-

ssh <vm ip address>

sudo update-rc.d -f xe-linux-distribution remove
sudo update-rc.d xe-linux-distribution defaults

Reboot the VM.

Now your ubuntu12.04 VM. Your VM is paravirtualized now.

Run xe vm-param-list command and you will see that now it uses pygrub instead of HVM.