I recently spoke at a lunch and learn event about “Security in a Virtualized World”. If one thing was made abundantly clear during the discussion, it was the fact that securing a virtual infrastructure is more complicated than securing a physical infrastructure. There are many moving parts to consider along with the hypervisor itself. For many years, I have been discussing the need for automation with my clients. Automation makes the infrastructure much easier to manage and, from a security standpoint, helps to ensure that build policies are consistent for all of the virtual hosts in the infrastructure.
There have always been tools to automate a vSphere infrastructure, ranging from Perl scripts to PowerCLI. With the release of vSphere 5, automation is becoming more and more a reality. When you think about automating a VMware infrastructure, you may think about writing scripts to perform certain tasks or spending hours on the “perfect” ESX build that can be deployed through automation. Scripts are still available and in some cases necessary for automation. However, with vSphere 5 we are beginning to see an “automation-friendly” environment built into the management tools that VMware gives us.
ESXi: Built for Automation
One of the most important aspects of maintaining a consistent environment starts with the hypervisor deployment itself. ESXi is the official hypervisor that will be deployed in vSphere environments moving forward. It has come a long way since Virtual Infrastructure 3. vSphere 4.1 saw the release of official LDAP authentication integration. This means that you can authenticate to your ESXi hosts using Active Directory. The vSphere CLI and vMA have many more commands available now. Also, PowerCLI is more feature-rich, with more cmdlets than ever before. Probably the most significant aspect of ESXi that makes it built for automation is its footprint on disk. Since ESXi only takes up a few hundred megabytes on disk, it is easy to deploy from the network. While that would make it possible to install a common ESXi image across the infrastructure, vSphere 5 takes this one step further.
vSphere 5 Auto Deploy
Auto Deploy is a new deployment method in vSphere 5. This deployment method allows you to PXE-boot the ESXi hosts from the network, load a common image, and apply configuration settings after the image is loaded via vCenter Host Profiles. The idea is to maintain a consistent deployment throughout the infrastructure by eliminating human error. With this method, ESXi has literally zero disk footprint as the image is loaded into the memory of the host. The hosts become truly stateless and are decoupled from any underlying storage dependency. In other words, the host images are disposable. The hypervisor becomes just another part of the infrastructure, disappearing into the background like it should. After all, the virtual machines themselves run the applications. They are the real stars of the show. The system administrators should not have to think about maintaining the hypervisor itself. Let the infrastructure work for you instead of you working for the infrastructure.
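The flow described above, sketched in PowerCLI as an added example (not code from the original post): one deploy rule binds a common image and a Host Profile to a range of hosts, and a drift report then checks each host against both. The server name, depot path, image profile name, Host Profile name, rule name and IP range are placeholders, and the report assumes the hosts were provisioned through Auto Deploy and have a Host Profile attached.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the post.
$vCenter     = 'vcenter.example.local'
$depot       = 'C:\depot\esxi-offline-bundle.zip'   # ESXi offline bundle (placeholder path)
$imageName   = 'ESXi-standard-PLACEHOLDER'          # image profile name inside the depot
$profileName = 'ESXi-Baseline-PLACEHOLDER'          # existing vCenter Host Profile
$pattern     = 'ipv4=192.0.2.10-192.0.2.50'         # hosts the rule applies to (documentation range)

Connect-VIServer -Server $vCenter | Out-Null

# 1. Register the depot and select the single image every matching host will PXE-boot.
Add-EsxSoftwareDepot -DepotUrl $depot | Out-Null
$image = Get-EsxImageProfile -Name $imageName
if (-not $image) { throw "Image profile '$imageName' not found in $depot" }

# 2. Look up the Host Profile that vCenter applies after the image is loaded.
$hostProfile = Get-VMHostProfile -Name $profileName -ErrorAction Stop

# 3. Bind image and Host Profile to the matching hosts, then activate the rule.
$rule = New-DeployRule -Name 'baseline-esxi' -Item $image, $hostProfile -Pattern $pattern
Add-DeployRule -DeployRule $rule | Out-Null

# 4. Drift report: list hosts whose image/profile association differs from the
#    active rule set, or whose running configuration deviates from the Host Profile.
$drift = foreach ($esx in Get-VMHost) {
    $ruleCheck    = Test-DeployRuleSetCompliance -VMHost $esx
    $profileCheck = Test-VMHostProfileCompliance -VMHost $esx
    if ($ruleCheck.ItemList -or $profileCheck) {
        [pscustomobject]@{
            Host            = $esx.Name
            RuleSetDrift    = ($ruleCheck.ItemList | Measure-Object).Count
            ProfileFindings = ($profileCheck | Measure-Object).Count
        }
    }
}

if ($drift) { $drift | Format-Table -AutoSize }
else        { 'All hosts match the active rule set and their Host Profile.' }
```

Running step 4 on a schedule turns the "consistent build" goal into something you can verify: any host that shows up in the report was changed outside the rule set or the Host Profile.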
Consistency is the key to any stable, secure infrastructure. An infrastructure component as important as the hypervisor should have a consistent, repeatable deployment that introduces as little human intervention as possible. vSphere 5 Auto Deploy makes this possible. You still have to do the work up front to ensure the hypervisor image is built properly. After that, you can let the hypervisor fade into the background and do what it does best. It can provide the best platform for running the applications that run your business.