Category Archives: HowTo

Making sense of Spectre and Meltdown in a vSphere and Dell environment

If you work in IT you are no doubt aware of the problems Intel has been having.  If not… here’s a link for you.  Enjoy.

In the days after the public announcement, vendors released the microcode updates that Intel delivered to them, as well as a few updates in the months prior that they had slipped in without any fanfare.

Specifically, VMware had a fix in December for Spectre in VMSA-2018-0002.2:

6.5: ESXi-6.5.0-20171201001s-standard – Build 7273056
6.0: ESXi-6.0.0-20171101001s-standard – Build 6856897

On January 9, after the announcement, VMware posted VMSA-2018-0004.2, also for Spectre:

vCenter 6.5 U1e – Build 7515524
vCenter 6.0 U3d – Build 7462485


6.5: ESXi-6.5.0-20180104001-standard – Build 7526125
6.0: ESXi-6.0.0-20180104001-standard – Build 7504637

HOWEVER, either on January 10th or January 12th (can’t tell from the history), they updated the KB article and pulled the ESXi patches from the depot when Intel advised they were seeing unplanned reboots from hosts with the applied microcode.

At the current time, my best recommendation is to patch ESXi up to the following (this site is REALLY handy):

6.5: 2017-12-19 ESXi-6.5.0-20171204001-standard – Build 7388607
6.0: 2017-11-09 ESXi-6.0.0-20171104001-standard – Build 6921384

If you applied those January patches for ESXi, and have a build number of 6.5 7526125 or 6.0 7504637, VMware has a process for applying a CPU mask to help avoid the problem; however, it has to be done per VM and requires a reboot of each.  My personal feeling is if you aren’t seeing a problem, wait for further updates.  Your results may vary of course.


On the Dell side, Dell also made a BIOS update available and has since pulled it.  I only pay attention to R430s; they released BIOS 2.7.0 (link is now dead).

As of today (Jan 22) I noticed that BIOS has been removed and the newest listed is 2.6.0, released November 28.  Dell’s main support page has not been updated with a recommendation as of yet.  We’ll see what develops here.  My recommendation is to hold off on deploying the new BIOS, and to be cautious with any hosts that already have it.  Dell Support says options for rolling back are coming.



Jan 23 – In a notice dated yesterday (22nd), Dell is now recommending rolling back the BIOS if you have applied it.  This worked fine for me on an R430, from 2.7.0 to 2.6.0.

Jan 24 – Duncan has some info on working around the pulled patches with Update Manager, because otherwise you’ll get an error.

Feb 26 – Dell has released new BIOS 2.7.1 to address CVE-2017-5715.

March 20 – VMware has released the microcode updates in what they are calling Update 1 G; see details here: ESXi 6.5 Build 7967591 and vCenter 8024368.


Link roundup:

VMware’s main KB

Dell’s main KB

Intel’s Response to reboots

ESXi Patch Info


Things learned managing production WordPress: How to easily enable HTTPS

This is the start of a series that will chronicle everything I’ve learned along the way keeping the wife’s photography website ( running smoothly.  I’ll cover topics including performance improvements, dealing with spam & robots, content distribution networks (CDN) and using website tools to track progress.  I intend to keep the technical mumbo jumbo to a minimum and make the reading level less technical than my typical blog posts for easier consumption.


In 2014 Google announced that it would start boosting page rankings for HTTPS-enabled sites.  While SEO is of course important, using SSL/TLS is also just good practice.

The current Wikipedia entry for HTTPS includes:

HTTP Secure (HTTPS) is an adaptation of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS, or HTTP over SSL.

Put simply, when you enable HTTPS you install a private key and its certificate (public key) in the web server configuration, and the server uses them to encrypt traffic between itself and your web browser.  OK… put even more simply… it makes your web traffic hard(er) for bad people to read.

Certificates are issued by a trusted Certificate Authority (CA).  The whole system is based on trust.  Your web browser contains a list of the CAs in the world.  When you load an HTTPS-enabled site, the site’s certificate is checked against that list, and if all checks out, the browser shows the green lock and treats the connection as trusted.  If one of these CAs gets severely hacked, browsers will remove it from the list and anything it issued will no longer be trusted.  Usually you have to pay money to a CA, such as GlobalSign, Verisign, or GeoTrust, to have a certificate issued for you.  In 2016, however, a service called Let’s Encrypt launched that now issues them for free.  Yay!!

Let’s Encrypt

Their free service is great, but it does have one limitation: the certificates it issues are only valid for 60 days (commercial ones are typically measured in years).  They explain their reasoning for that here.  Basically, the short lifetime is a built-in failsafe if a certificate (or its key) gets compromised (stolen), and it encourages automation.  And I have to admit, the automation tool I first used is great!

Getting Started

The easiest way to get started is by using a tool to request the certificate and put it in place for you.  I found the Certbot tool from the Electronic Frontier Foundation (EFF).  I’m using Apache on CentOS 6 so I’ll just focus on that.  The install steps for that are here.


Run the commands, and it starts off by installing dependencies.

Right off, it dives into a few prompts: first the terms of service, then an opt-in for EFF email notifications.

It goes through your web server config and lists the configured domains.  On our live site it listed every domain we had a site for, surprisingly.

Then it asks whether you want the tool to automatically configure Apache to force redirects to SSL/443 or not.  Be sure to take a backup of your config (by default at /etc/httpd/conf/httpd.conf) before proceeding.

Yay!  First part is done!

So remember, the certificate is only valid for 60 days.  They include a method to automatically renew it, which is actually pretty awesome.  Enterprise system administrators forget to renew certificates all the time.

They have a dry-run option (which means it shows what it would do, but doesn’t actually do it):

(Ignore my annoying Python warnings/errors from using the default config.)

Add this to cron so you don’t forget.  They recommend running it twice a day, but I don’t see any harm in running it more often than that.

Yay!  We’re all good!

Ah crap…. what now?

By default, it only picked up the base domain ( that was configured in Apache, and not the full domain that is more human friendly (

They have a command to add a domain to the certificate:

There we go, that’s better.

To troubleshoot any problems, you can use this syntax to dump the contents of the certificate in human readable form:


That’s all we got!  For a basic site this will work out of the box.  You may have to tweak things a little if you use a content delivery network, or pull in files from other sites and so on.  We’ll cover some of this in a later post.


Whoops…  I didn’t notice in the OpenSSL output that only the subdomain was in the certificate!  I actually ran the wrong command above with the expand flag.  What that syntax did was create a NEW certificate rather than adding the subdomain to the existing one.  The syntax should include the cert-name field, like so:


Ahh that is better.
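The whole workflow above, from the config backup through the cert-name fix and the OpenSSL dump, as one added shell script; these are not the post’s own commands, and certbot being on PATH plus the example.com hostnames are assumptions. It goes one step beyond the post: san_covers parses the OpenSSL output so a missing www name is reported instead of eyeballed.

```shell
#!/bin/sh
# Added example (not from the original post): certbot on CentOS 6 + Apache.
# Assumes certbot is on PATH; the two hostnames below are placeholders.
set -eu

BASE_DOMAIN="example.com"       # placeholder: the bare domain Apache served
WWW_DOMAIN="www.$BASE_DOMAIN"   # placeholder: the human-friendly name to add
LIVE_DIR="/etc/letsencrypt/live/$BASE_DOMAIN"

# Back up the Apache config before certbot rewrites it for the 443 redirect.
backup_httpd_conf() {
  cp -p /etc/httpd/conf/httpd.conf "/etc/httpd/conf/httpd.conf.$(date +%Y%m%d%H%M%S).bak"
}

# First issuance: certbot reads the Apache vhosts and offers the HTTPS redirect.
first_issue() { certbot --apache -d "$BASE_DOMAIN"; }

# Grow the EXISTING certificate. Naming the lineage with --cert-name is what
# stops certbot from minting a second, separate certificate for the new name.
add_www_domain() {
  certbot --apache --cert-name "$BASE_DOMAIN" -d "$BASE_DOMAIN" -d "$WWW_DOMAIN"
}

# Rehearse renewal, then schedule the real thing twice a day as recommended.
renew_dry_run() { certbot renew --dry-run; }
install_cron() {
  echo '0 0,12 * * * root certbot renew --quiet' > /etc/cron.d/certbot-renew
}

# Human-readable dump of the issued certificate for troubleshooting.
dump_cert() { openssl x509 -in "$LIVE_DIR/cert.pem" -noout -text; }

# Pure check: reads `openssl x509 -text` output on stdin and returns 0 only if
# every name given as an argument is present as a DNS Subject Alternative Name.
san_covers() {
  names=$(grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  missing=0
  for d in "$@"; do
    if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
      echo "missing SAN: $d" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Run the full workflow only when asked; otherwise the file just defines helpers.
if [ "${1:-}" = "--run" ]; then
  backup_httpd_conf; first_issue; add_www_domain; renew_dry_run; install_cron
  dump_cert | san_covers "$BASE_DOMAIN" "$WWW_DOMAIN"
fi
```

Run it with `--run` as root on the web host; a non-zero exit from the final pipeline means the certificate still lacks one of the two names.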


**** Shameless plug ****

Have a website problem of any sort you need help with?  Contact me here to see if I can help.  Rates based on complexity and time required.

**** /Shameless plug ****


HOWTO: Change Storage Policies for VSAN across entire clusters with PowerCLI

I had a need recently to switch the applied storage policy across a ton of VMs, but I didn’t want to change the default policy that comes out of the box.  A tough proposition, as I found no easy way to do it.  It took quite a bit of googling and trial and error, but I came up with this two-liner to get it done, so here you go world – go forth and policy change if you need such a thing.

The first line applies it to the VM object, then the next applies it to all the disks.  Easy peasy.