How To Shrink a VMDK with ESXi5

I’ve had the luxury of working quite a bit with ESXi5 and how it relates to storage. With ESXi5 you can expand a VM’s virtual disk (the VMDK file) on the fly, but there is no simple way to reduce one. As I’ve learned, the best practice for VMs is to always start small, since you can always grow the disk later with ease. Unfortunately, the previous administrator didn’t honor this and started everything out with 600 GB drives while using only 25 GB of them. Needless to say, my SAN was getting chewed up by VMDKs that used only a fraction of the space allocated to them. After some research, this is the method I use to reduce the size of a VMDK.

I should preface all of this by saying that this is a dangerous procedure, and you run the risk of hosing your VM, so proceed at your own risk.

Most of my VMs are Windows machines, so I first need to shrink the Windows partition. Start by defragmenting the drive. Then open Disk Management (the MMC snap-in), right-click the volume and select Shrink Volume. It will tell you the maximum amount it can shrink by; if you want to shrink further, it means certain unmovable files sit toward the end of the volume. In my case the user profiles were what was preventing me from reducing the disk to the size I wanted, and deleting/moving them off the disk solved it. Two things to check before moving on: the new virtual disk size you pick later has to cover the end of the last partition, not just the size of the volume (diskpart’s list partition shows each partition’s Offset and Size, and the two added together must fit inside the new disk), and if the disk is GPT the backup partition table kept in the disk’s last sector will be cut off, so look the disk over in Disk Management after the first boot.

Great, so in this case I was able to reduce a 600 GB volume to 38 GB.

Now power down the VM, make sure it has no snapshots (consolidate them first if it does, because the snapshot deltas depend on the base disk staying as it is), then SSH into the host, cd into the VM’s datastore directory and back up the descriptor and the flat file. The -flat copy is the full 600 GB, so check that the datastore has the space. Hold onto these in case something goes wrong:

cp vmname.vmdk vmname-original.vmdk
cp vmname-flat.vmdk vmname-original-flat.vmdk

Now open the descriptor (vmname.vmdk, the small text file, not the -flat file) in vi and change the expected size. Toward the top you will see a line similar to the following:

# Extent description
RW 1258291200 VMFS "vmname-flat.vmdk"

The number is the disk size in 512-byte sectors, and ESXi counts a GB as 1024^3 bytes, so the new value comes from the following formula (x = desired size in GB; plugging in 600 gives the 1258291200 shown above):
vmdk_size = [x * (1024*1024*1024)] / 512

Because I like round numbers, I decided to make the new drive 40 GB, so my new Extent description was as follows:

# Extent description
RW 83886080 VMFS "vmname-flat.vmdk"

Now clone the disk to get it to the new size. vmkfstools only copies as many sectors of the flat file as the descriptor declares, which is what actually truncates the disk. Add -d thin to the command if you want the clone thin provisioned:

vmkfstools -i vmname.vmdk vmname-new-size.vmdk

Assuming all goes well, delete the original (the backup copies from earlier are still there) and clone the resized disk back to the original file name, which is what the VM’s .vmx references (vmkfstools -E vmname-new-size.vmdk vmname.vmdk would rename it instead of copying it a second time):

rm vmname.vmdk
rm vmname-flat.vmdk
vmkfstools -i vmname-new-size.vmdk vmname.vmdk

Now I should be able to start the VM again, and the new disk size will be shown! Once the guest has booted cleanly and the volume checks out, delete the vmname-original and vmname-new-size files; until then they are still eating the space you set out to reclaim.
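The descriptor edit and size check from the steps above, as an added shell example that is not from the original post: it converts a size in GB to the sector count the extent line expects, refuses anything that is not a shrink, and rewrites the RW line in place. The sample descriptor is constructed here to match the 600 GB disk in the post, and all file names are hypothetical. It is plain POSIX sh, so it runs in the ESXi busybox shell as well as on a workstation.

```shell
#!/bin/sh
# Added example (not from the original post): shrink the extent size declared
# in a VMDK descriptor. Real descriptors carry more lines (CID, ddb.geometry.*
# and so on); vmkfstools -i writes a fresh descriptor for the clone, so only
# the RW line needs to change here.

gib_to_sectors() {
    # VMDK extents are counted in 512-byte sectors; ESXi's "GB" is 1024^3 bytes.
    echo $(( $1 * 1073741824 / 512 ))
}

current_sectors() {
    # Print the sector count from the first "RW <n> VMFS" extent line.
    sed -n 's/^RW \([0-9][0-9]*\) VMFS .*/\1/p' "$1" | head -n 1
}

shrink_descriptor() {
    # usage: shrink_descriptor <descriptor.vmdk> <new size in GB>
    # Leaves the file untouched and returns non-zero unless the new size is
    # strictly smaller than the current one.
    desc=$1
    new=$(gib_to_sectors "$2")
    old=$(current_sectors "$desc")
    if [ -z "$old" ]; then
        echo "$desc: no 'RW <n> VMFS' extent line found" >&2
        return 1
    fi
    if [ "$new" -ge "$old" ]; then
        echo "$desc: $2 GB ($new sectors) is not smaller than the current $old sectors" >&2
        return 1
    fi
    # Write to a temp file and rename, so a failed sed never truncates the descriptor.
    sed "s/^RW $old VMFS/RW $new VMFS/" "$desc" > "$desc.tmp" && mv "$desc.tmp" "$desc"
}

write_sample_descriptor() {
    # Constructed sample descriptor for the 600 GB disk from the post.
    cat > "$1" <<'EOF'
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW 1258291200 VMFS "vmname-flat.vmdk"

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "8"
EOF
}

# Demo against the constructed sample: 600 GB -> 40 GB.
f=$(mktemp)
write_sample_descriptor "$f"
shrink_descriptor "$f" 40 && grep '^RW' "$f"   # RW 83886080 VMFS "vmname-flat.vmdk"
rm -f "$f"
```

On the host you would run shrink_descriptor against the real descriptor (after the backup copies are in place) and then carry on with the vmkfstools -i clone exactly as above; the script deliberately does nothing else, because the clone is the step that actually commits the change.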


How to get IPSec Working Between Watchguard and ClearOS

Let me start off by saying that ClearOS is really fuzzy when it comes to IPsec VPN tunnels. They don’t really support it, although everyone else does. The ClearOS web interface flat out doesn’t work for IPsec and will break any working config, so do yourself a favor and remove the ClearOS IPsec plugin (over SSH: rpm -e app-ipsec).

SSH into your ClearOS machine, and type in:

cd /etc/
mv ipsec.conf ipsec.conf.orig
touch ipsec.conf
nano ipsec.conf

Then insert the following config and adjust it as needed (the addresses in the comments at the top are the placeholders used throughout):

version 2.0
 
#ClearOS LAN = 192.168.10.0/24
#ClearOS WAN IP = 172.16.1.1
#Watchguard LAN = 192.168.20.0/24
#Watchguard WAN IP = 10.0.0.1
 
config setup
        interfaces=%defaultroute
        protostack=netkey
        klipsdebug=none
        plutodebug=none
        virtual_private=%v4:192.168.20.0/24,%v4:192.168.10.0/24
 
conn Corporate #modify this to your tunnel name
        type=tunnel
        auto=start
        auth=esp
        pfs=yes
        authby=secret
        left=172.16.1.1 # adjust to your ClearOS WAN IP
        leftsourceip=192.168.10.1 #adjust to your ClearOS LAN IP
        leftnexthop=172.16.1.2 # adjust to your ClearOS WAN IP Gateway
        leftsubnet=192.168.10.0/24 #adjust to your ClearOS LAN Subnet
        right=10.0.0.1 # adjust to your Watchguard WAN IP
        rightsourceip=192.168.20.1 #adjust to your Watchguard LAN IP
        rightnexthop=10.0.0.2 #adjust to your Watchguard WAN IP Gateway
        rightsubnet=192.168.20.0/24 #adjust to your Watchguard LAN Subnet
        rightid=10.0.0.1 # adjust to your Watchguard WAN IP
        # 3DES/MD5 to match what the Watchguard is set to below. No DH group is
        # given, so Openswan uses its default modp1536 (group 5); to pin it
        # explicitly write ike=3des-md5-modp1536
        esp=3des-md5
        ike=3des-md5
 
# Disable OE
#-----------
 
conn block
        auto=ignore
 
conn private
        auto=ignore
 
conn private-or-clear
        auto=ignore
 
conn clear-or-private
        auto=ignore
 
conn clear
        auto=ignore
 
conn packetdefault
        auto=ignore
 
# Tunnels defined in separate files
#----------------------------------
 
#include /etc/ipsec.d/*.conf

Then set the pre-shared key for the tunnel. The secrets file is named after the tunnel, so assuming the tunnel name is “Corporate”, edit /etc/ipsec.d/ipsec.Corporate.secrets and keep it readable by root only (chmod 600):

10.0.0.1 172.16.1.1 : PSK "TheTunnelPassword" # far (Watchguard) WAN IP, near (ClearOS) WAN IP

Restart the IPsec service with “service ipsec restart”.

Now we’ll switch over to the Watchguard. I’m going to assume you already know how to set up an IPsec VPN tunnel there (Watchguard calls it a BOVPN). Set the phase 1 and phase 2 (PFS) Diffie-Hellman group to 5, phase 1 to 3DES with MD5, and phase 2 to ESP with 3DES and MD5, and make sure the pre-shared key matches. The tunnel should start. Be aware that 3DES and MD5 are in this config only because that is what this firewall was set up with; both are obsolete, and if the two ends support AES and SHA you should use those instead, changing the esp= and ike= lines to match. If the tunnel doesn’t come up, either watch the logs on the Watchguard (a pain if you ask me) and/or watch them on the ClearOS box with “tail -f /var/log/secure”, looking for the lines labeled “pluto”.
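To make the “tail -f /var/log/secure” step less of a scroll-and-squint exercise, here is an added shell example, not part of the original post, that pulls the state of one conn out of the pluto lines and prints the phase 1 parameters it negotiated so you can compare them with what the Watchguard was told. The log lines it is tested against are constructed here, modelled on Openswan’s messages, using the “Corporate” tunnel name from the config above plus a hypothetical second tunnel called “Branch”.

```shell
#!/bin/sh
# Added example (not from the original post): classify Openswan "pluto" log
# lines for one connection and show the negotiated phase 1 parameters.

tunnel_state() {
    # usage: tunnel_state <logfile> <conn name>
    # Walks the pluto lines for the named conn in order and reports the last
    # thing that happened to it: established, phase1-up, proposal-mismatch,
    # no-response, or unknown when the conn never appears.
    awk -v conn="\"$2\"" '
        ($0 !~ /pluto\[/) || (index($0, conn) == 0) { next }
        /ISAKMP SA established/          { state = "phase1-up" }
        /IPsec SA established/           { state = "established" }
        /NO_PROPOSAL_CHOSEN/             { state = "proposal-mismatch" }
        /max number of retransmissions/  { state = "no-response" }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

phase1_params() {
    # usage: phase1_params <logfile> <conn name>
    # Print the {auth=... cipher=... prf=... group=...} part of the last
    # "ISAKMP SA established" line, so cipher, PRF and DH group can be checked
    # against the Watchguard settings (group=modp1536 is DH group 5).
    grep "pluto\[" "$1" | grep "\"$2\"" | grep 'ISAKMP SA established' \
        | tail -n 1 | sed 's/.*ISAKMP SA established //'
}

write_sample_log() {
    # Constructed sample: "Corporate" comes up, "Branch" is rejected by the
    # peer, and an unrelated sshd line is mixed in as /var/log/secure would.
    cat > "$1" <<'EOF'
Mar  3 09:12:01 clearos pluto[2211]: "Corporate" #1: initiating Main Mode
Mar  3 09:12:01 clearos pluto[2211]: "Corporate" #1: received Vendor ID payload [Dead Peer Detection]
Mar  3 09:12:02 clearos pluto[2211]: "Corporate" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Mar  3 09:12:02 clearos pluto[2211]: "Corporate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar  3 09:12:03 clearos pluto[2211]: "Corporate" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a1b2c3d <0x4e5f6a7b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Mar  3 09:12:05 clearos pluto[2211]: "Branch" #3: initiating Main Mode
Mar  3 09:12:05 clearos pluto[2211]: "Branch" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar  3 09:12:06 clearos sshd[2300]: Accepted publickey for root from 192.168.10.50 port 51022 ssh2
EOF
}

# Demo against the constructed sample.
f=$(mktemp)
write_sample_log "$f"
tunnel_state "$f" Corporate    # established
tunnel_state "$f" Branch       # proposal-mismatch
phase1_params "$f" Corporate   # {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
rm -f "$f"
```

On the ClearOS box the real call is tunnel_state /var/log/secure Corporate. A proposal-mismatch means the phase 1 or phase 2 settings on the Watchguard do not match the esp=/ike= lines; no-response means the peer never answered at all, so look at routing and any firewall in front of UDP 500 before touching the crypto settings.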


NMAP Example To Test For Security Holes

This is the kind of scan that gets you blocked from the Internet (and noticed):

nmap 127.0.0.1 -sA -O -r -sV -A -p1-65535

… and unless the target is yours it can also be illegal: the UK and many other places outside the USA treat unauthorized scanning as an offense, so put a real IP in there only for systems you own or have permission to test. Run against your own systems it is very enlightening, with one caveat: -sA is an ACK scan, which can only tell you whether a port is filtered and never reports it as open, so -sV and -A have nothing to probe. Use -sS (a SYN scan, which needs root) if you want open ports and service versions. For fun you could throw in “-S 127.0.0.1 -e eth0” for even crazier results, bearing in mind that replies to a spoofed source address never come back to you, so the results will be crazy mostly in the sense of empty. For further reading, see http://nmap.org/book/man.html
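As an added example (not part of the original post), here is the scan in a form that can actually report open ports, written as a small shell wrapper with a parser for nmap’s grepable (-oG) output. The parser is exercised against a constructed sample so it runs without nmap installed; the target address, service banners and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run a scan that can report open
# ports, save grepable output, and summarise the open ports per host.

summarize_gnmap() {
    # usage: summarize_gnmap <file.gnmap>
    # Prints "host port/proto service [version]" for every open port. In -oG
    # output the fields of a Host line are tab-separated, and the Ports: field
    # is a comma-separated list of port/state/proto/owner/service/rpc/version/
    # entries (nmap replaces "/" inside a version string with "|").
    awk -F'\t' '/^Host:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*$/, "", host)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            ports = $i; sub(/^Ports: /, "", ports)
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] != "open") continue
                line = host " " f[1] "/" f[3] " " f[5]
                if (f[7] != "") line = line " " f[7]
                print line
            }
        }
    }' "$1"
}

run_scan() {
    # usage: run_scan <target> <output prefix>   (needs root for -sS and -O)
    # -sS SYN scan so ports can come back "open" (the -sA ACK scan in the post
    # only distinguishes filtered from unfiltered, so -sV and -A never get an
    # open port to probe), -sV service versions, -O OS guess, -p- all 65535
    # ports, -oG grepable output that summarize_gnmap understands.
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
    nmap -sS -sV -O -p- -oG "$2.gnmap" "$1" >/dev/null && summarize_gnmap "$2.gnmap"
}

write_sample_gnmap() {
    # Constructed sample in nmap's grepable format (what -oG writes): one host
    # with two open ports and one closed, plus the comment and Status lines.
    {
        printf '# Nmap 5.51 scan initiated Mon Jan 16 10:00:00 2012 as: nmap -sS -sV -p- -oG scan.gnmap 192.168.1.10\n'
        printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
        printf '# Nmap done at Mon Jan 16 10:03:12 2012 -- 1 IP address (1 host up) scanned\n'
    } > "$1"
}

# Demo against the constructed sample.
f=$(mktemp)
write_sample_gnmap "$f"
summarize_gnmap "$f"
# 192.168.1.10 22/tcp ssh OpenSSH 5.3 (protocol 2.0)
# 192.168.1.10 80/tcp http Apache httpd 2.2.15 ((CentOS))
rm -f "$f"
```

For a real run, run_scan 192.168.1.10 scan-2012-01-16 writes scan-2012-01-16.gnmap and prints the open ports; keep the .gnmap file, since diffing two of them over time is the cheapest way to spot a service that appeared on a box when nobody expected it to.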
