ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Managing Hyper-V

    Scheduled Pinned Locked Moved IT Discussion
    328 Posts 24 Posters 88.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stacksofplatesS
      stacksofplates @scottalanmiller
      last edited by

      @scottalanmiller said in Managing Hyper-V:

      @stacksofplates said in Managing Hyper-V:

      @scottalanmiller said in Managing Hyper-V:

      @stacksofplates said in Managing Hyper-V:

      @scottalanmiller said in Managing Hyper-V:

      @stacksofplates said in Managing Hyper-V:

      @scottalanmiller said in Managing Hyper-V:

      But with web, you have good choices like adding reverse proxies and such. It's easy to lock down SSL based channels in standard but still accessible ways.

      You can do that with local tunnels too which is why I mentioned that. To me that would be the preferable way. Tunnel to 127.0.0.1

      Six of one, half a dozen of the other. Same tunnel mechanism, same security.

      Not really because the form is still open. I. Can eliminate passwords with SSH completely or use Kerberos tickets.

      That's what I'm saying - it's THE SAME. Anything you think is different has to be a misunderstanding of how web SSL works. OpenSSH is using the same library for all of that as the web page is. The web server itself, not the page it loads, can do the same password and/or key system that SSH does because it's the same one, actually the same one. The idea that you need to authenticate someone "inside" of the web page is a later concept and is application level, not the web level. You can do both, if you want, adding yet another level of security to web that SSH would not have... but if you made someone log into an application inside of SSH (say a password to get into the MySQL client) then that would be analogous.

      I'm not saying it's not possible. I'm saying you can't do it with SCALE unless you modify their systems. So YOU (as in Scott not as in everyone) can't do it with SCALE.

      The whole conversation I started is about SCALE not webservers in general.

      Oh, but we had talked about a reverse proxy in front as well, and you put that on the proxy, not on the Scale itself. And if you call it SCALE instead of Scale like you did in the very first post, I actually thought you were trying to highlight that were you talking about ability to scale (as in scaling) not the product by Scale the company until later in the conversation.

      With the Scale HC3 out of the box, yes, you need a reverse proxy like Nginx to add that feature. But Scale doesn't offer an SSH management option, so if we are talking Scale, web is the answer.

      Ya the whole thing was about Scale the company. That's my whole point here. There is nothing protecting you against anything on that login page unless you put something in front of it. Which is why I said "if" they allow you to SSH in. That was my whole point here. If you have an appliance with a public facing web interface you are trusting that single web page 100% to be your first and last line of defense. Having a jump box/bastion host in front may be 'LAN' security, but it's better than a wide open login page that you can't modify.

      scottalanmillerS 2 Replies Last reply Reply Quote 0
      • stacksofplatesS
        stacksofplates
        last edited by

        All of the marketing stuff that came with our cluster has it all in caps. So I just assumed thats how they wanted it represented.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • dafyreD
          dafyre @scottalanmiller
          last edited by

          @scottalanmiller said in Managing Hyper-V:

          This shows some promise.

          https://cloudbase.it/using-freerdp-to-connect-to-the-hyper-v-console/

          This looks quite interesting. I didn't realize the OpenStack Compute bits could control Hyper-V. I may have to give that a go at work next week. I have a couple of Hyper-V servers this could work well on.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @stacksofplates
            last edited by

            @stacksofplates said in Managing Hyper-V:

            Ya the whole thing was about Scale the company.

            Sorry, I was confused. I thought you were emphasizing like "but how will that scale". As if the RDP approach would be problematic for more than a handful of VMs.

            1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @dafyre
              last edited by

              @dafyre said in Managing Hyper-V:

              @scottalanmiller said in Managing Hyper-V:

              This shows some promise.

              https://cloudbase.it/using-freerdp-to-connect-to-the-hyper-v-console/

              This looks quite interesting. I didn't realize the OpenStack Compute bits could control Hyper-V. I may have to give that a go at work next week. I have a couple of Hyper-V servers this could work well on.

              Oh yes, all four hypervisors are available and work under OpenStack. Although once going OpenStack, is there a compelling reason to use Hyper-V over KVM?

              dafyreD 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @stacksofplates
                last edited by

                @stacksofplates said in Managing Hyper-V:

                All of the marketing stuff that came with our cluster has it all in caps. So I just assumed thats how they wanted it represented.

                That's weird, I'll mention that to someone. It's not normally in caps.

                stacksofplatesS 1 Reply Last reply Reply Quote 0
                • stacksofplatesS
                  stacksofplates @scottalanmiller
                  last edited by stacksofplates

                  @scottalanmiller said in Managing Hyper-V:

                  @stacksofplates said in Managing Hyper-V:

                  All of the marketing stuff that came with our cluster has it all in caps. So I just assumed thats how they wanted it represented.

                  That's weird, I'll mention that to someone. It's not normally in caps.

                  Well like the stickers and everything. I didn't read every piece of paper. I could have just looked at the website too, but I made an assumption.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @stacksofplates
                    last edited by

                    @stacksofplates said in Managing Hyper-V:

                    Ya the whole thing was about Scale the company. That's my whole point here. There is nothing protecting you against anything on that login page unless you put something in front of it. Which is why I said "if" they allow you to SSH in. That was my whole point here. If you have an appliance with a public facing web interface you are trusting that single web page 100% to be your first and last line of defense. Having a jump box/bastion host in front may be 'LAN' security, but it's better than a wide open login page that you can't modify.

                    I agree now that we are on the same [web] page and what I'd really like to see is their "reach out" management system extended for customer use. It would be super easy to do. They have a "no open ports" system already, all the logic and even the interface are there. But customers can't use it.

                    I'll mention that , too.

                    1 Reply Last reply Reply Quote 1
                    • dafyreD
                      dafyre @scottalanmiller
                      last edited by

                      @scottalanmiller said in Managing Hyper-V:

                      @dafyre said in Managing Hyper-V:

                      @scottalanmiller said in Managing Hyper-V:

                      This shows some promise.

                      https://cloudbase.it/using-freerdp-to-connect-to-the-hyper-v-console/

                      This looks quite interesting. I didn't realize the OpenStack Compute bits could control Hyper-V. I may have to give that a go at work next week. I have a couple of Hyper-V servers this could work well on.

                      Oh yes, all four hypervisors are available and work under OpenStack. Although once going OpenStack, is there a compelling reason to use Hyper-V over KVM?

                      Because your bosses said you had to use hyper-V for some project or another? lol.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @dafyre
                        last edited by

                        @dafyre said in Managing Hyper-V:

                        @scottalanmiller said in Managing Hyper-V:

                        @dafyre said in Managing Hyper-V:

                        @scottalanmiller said in Managing Hyper-V:

                        This shows some promise.

                        https://cloudbase.it/using-freerdp-to-connect-to-the-hyper-v-console/

                        This looks quite interesting. I didn't realize the OpenStack Compute bits could control Hyper-V. I may have to give that a go at work next week. I have a couple of Hyper-V servers this could work well on.

                        Oh yes, all four hypervisors are available and work under OpenStack. Although once going OpenStack, is there a compelling reason to use Hyper-V over KVM?

                        Because your bosses said you had to use hyper-V for some project or another? lol.

                        I see. OpenStack there would be the letter of the law but not the intent of it. This would be the loophole situation we talked about the other day. 99% of the time when someone says something like that, they don't actually mean the hypervisor but the ecosystem. This is essentially a KVM ecosystem (or a third party one at least) that just happens to allow Hyper-V to be used. But Hyper-V as a product will be "gone". It's like telling someone that they have to run Windows, not Linux, and so you find a way (MS did this) to replace the Linux kernel with a Windows kernel plus an API to make it act exactly like Linux. It is Windows kernel under the hood? Yes. It is Linux? No. Does it quack like a duck though, yes.

                        1 Reply Last reply Reply Quote 2
                        • matteo nunziatiM
                          matteo nunziati
                          last edited by matteo nunziati

                          basically if you enable winrm with an Enter-PSSession you can control the host from enywhere (firewall must be setup) in powershell.

                          what I do not find is a central management tool to have an overview of all hosts and their loading conditions.

                          1 Reply Last reply Reply Quote 0
                          • S
                            StorageNinja Vendor @Dashrender
                            last edited by

                            @Dashrender said in Managing Hyper-V:

                            Now we come to my question.

                            Is there any reason to not put all the Hyper-V Hosts into a single domain to ease management?

                            For security and stability I've always seen at any real scale you run a Management domain. Also, given cases of Cyrtolocker hitting Hyper-V hosts I'd be damned careful with separate accounts/domains for Hyper-V hosts as someone encrypting your VM's can bypass a LOT of your protections.

                            scottalanmillerS 1 Reply Last reply Reply Quote 1
                            • S
                              StorageNinja Vendor @scottalanmiller
                              last edited by

                              @scottalanmiller said in Managing Hyper-V:

                              ecosystem

                              Also dropping Nano from being a supported path sucks for people who were hoping for it to be a true small secure embedded install (Core requires a 32GB DISK!)

                              stacksofplatesS ObsolesceO 3 Replies Last reply Reply Quote 0
                              • S
                                StorageNinja Vendor @scottalanmiller
                                last edited by

                                @scottalanmiller said in Managing Hyper-V:

                                @dbeato said in Managing Hyper-V:

                                @scottalanmiller You need a Windows 8.1 or Windows 10 computer, and like I said on my post before you can go to the c$ of that HyperV enter the username and password and then connect using the Hyperv console.

                                Okay, having him try that. What about if you are not on a LAN and not willing to expose SMB over the WAN?

                                Wouldn't you never put a hypervisor on the public internet directly on any port?

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • stacksofplatesS
                                  stacksofplates @StorageNinja
                                  last edited by

                                  @John-Nicholson said in Managing Hyper-V:

                                  @scottalanmiller said in Managing Hyper-V:

                                  ecosystem

                                  Also dropping Nano from being a supported path sucks for people who were hoping for it to be a true small secure embedded install (Core requires a 32GB DISK!)

                                  Holy crap. I didn't realize it was that big.

                                  S matteo nunziatiM scottalanmillerS 3 Replies Last reply Reply Quote 0
                                  • S
                                    StorageNinja Vendor @Obsolesce
                                    last edited by

                                    @Tim_G that you get triple redundant, or more, secure web remote management plus no open port remote assistance all automatic and out of the box and that almost no one else offers that

                                    No open port remote assistance is a commodity (I can throw a rock and hit a vendor who does this). If your talking phone home support The top 3-4 HCI appliance vendors fit the bill here.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      StorageNinja Vendor @stacksofplates
                                      last edited by

                                      @stacksofplates said in Managing Hyper-V:

                                      @John-Nicholson said in Managing Hyper-V:

                                      @scottalanmiller said in Managing Hyper-V:

                                      ecosystem

                                      Also dropping Nano from being a supported path sucks for people who were hoping for it to be a true small secure embedded install (Core requires a 32GB DISK!)

                                      Holy crap. I didn't realize it was that big.

                                      Hyper-V's dependency on a DOM0 style Windows VM in the IO path means it's impossible to shrink the install that small. Xen isn't quite as bad (You can build a damn small DOM0) KVM is next in size (You can shrink it quite a bit) and then ESXi being the smallest (few hundred MB is all the VMkernel takes up with the rest being log, crash dumps, and VMTools that technically you can redirect).

                                      This is why a Hyper-V environment should require monthly patching while a shrunk and reasonably hardened KVM or ESXi environment can easily go quarterly or farther to maintain compliance requirements.

                                      1 Reply Last reply Reply Quote 0
                                      • matteo nunziatiM
                                        matteo nunziati @stacksofplates
                                        last edited by

                                        @stacksofplates said in Managing Hyper-V:

                                        @John-Nicholson said in Managing Hyper-V:

                                        @scottalanmiller said in Managing Hyper-V:

                                        ecosystem

                                        Also dropping Nano from being a supported path sucks for people who were hoping for it to be a true small secure embedded install (Core requires a 32GB DISK!)

                                        Holy crap. I didn't realize it was that big.

                                        my hyper-v server 2016 is around 8GB including the altaro agent.

                                        1 Reply Last reply Reply Quote 1
                                        • matteo nunziatiM
                                          matteo nunziati
                                          last edited by

                                          @Dashrender ok, this is what I've done accordingly to my notes:

                                          on the hyperv host:

                                          winrm quickconfig (yes to all questions)
                                          net user /add <USERNAMEHERE>
                                          net <USERNAMEHERE> <PASSWORDHERE>
                                          net localgroup Administrators /add <USERNAMEHERE>
                                          

                                          on the control machine

                                          winrm quickconfig (yes to all questions)
                                          net user /add <USERNAMEHERE>
                                          net <USERNAMEHERE> <PASSWORDHERE>
                                          winrm set winrm/config/client @{TrustedHosts=”<IP-OR-FQDN-OF_HOST>”}
                                          

                                          Do not promote user to admins in the control machine: it is uneeded.

                                          you have then to adjust win firewall rules but you can control any host from the mmc snap-in if you have an adequately recent version of win (win ver >= hyper-v ver)

                                          the trick is to run the snap-in as the dedicated user. I've made a bat with the following contents:

                                          runas /user:<USERNAMEHERE> "%windir%\System32\mmc.exe %windir%\System32\virtmgmt.msc" 
                                          
                                          1 Reply Last reply Reply Quote 1
                                          • ObsolesceO
                                            Obsolesce @StorageNinja
                                            last edited by

                                            @John-Nicholson said in Managing Hyper-V:

                                            @scottalanmiller said in Managing Hyper-V:

                                            ecosystem

                                            Also dropping Nano from being a supported path sucks for people who were hoping for it to be a true small secure embedded install (Core requires a 32GB DISK!)

                                            Why would anyone use that for a Hyper-V Host? I certainly wouldn't, unless 2016 Full Datacenter edition is needed at the host level for some reason. If you need to use Hyper-V, Hyper-V Server 2016 or Nano Server is the way to go.

                                            1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 7
                                            • 8
                                            • 9
                                            • 10
                                            • 11
                                            • 16
                                            • 17
                                            • 9 / 17
                                            • First post
                                              Last post