Creating a VMware ESXi extension (VIB) for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

KB ID: 2291
Product: Veeam Backup & Replication
Version:
Published:
Last Modified: 2017-06-07

Challenge

This article contains instructions on how to create a VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.

To achieve the optimal balancing within the Cisco HyperFlex data network at Backup from Storage Snapshot processing over NFS, it is needed to change the ESXi host firewalls. See more background information here.

One of the Methods to change the ESXi host firewall is by a newly created VIB file that can be created with help of the VMware VIB Author Software.
Please follow the next steps to create the VIB.

Solution

Create a VIB in SLES11

SLES11 can be downloaded here.
VMware VIB Author can be downloaded here.
All steps are performed as the root user from the root (/) directory.

1. Prepare SLES

zypper install python-lxml
zypper install python-urlgrabber

2. Install VIB Author
cd /tmp
rpm -ivh vmware-esx-vib-author-5.0.0-0.0.847598.i386.rpm
cd /

 3. Create File Directory
mkdir stage
mkdir stage/payloads
mkdir stage/payloads/payload1
mkdir stage/payloads/payload1/etc
mkdir stage/payloads/payload1/etc/vmware
mkdir stage/payloads/payload1/etc/vmware/firewall

4. Copy the required files to the folder tree
The "descriptor.xml" (link here) must be copied to /stage

descriptor.xml sample:
<vib version="5.0">
 
<type>bootbank</type>
<name>VeeamCiscoHXFirewall</name>
<version>1.0.0-0.0.1</version>
 
 <vendor>Veeam</vendor>
 <summary>Veeam Firewall rule for Cisco HyperFlex</summary>
 <description>Adds inbound ports required by Veeam</description>
 
 <relationships>
  <depends></depends>
  <conflicts/>
  <replaces/>
  <provides/>
  <compatibleWith/>
 </relationships>
 <software-tags>
 </software-tags>
 <system-requires>
  <maintenance-mode>false</maintenance-mode>
 </system-requires>
 <file-list>
  <file></file>
 </file-list>
 <acceptance-level>community</acceptance-level>
 <live-install-allowed>true</live-install-allowed>
 <live-remove-allowed>true</live-remove-allowed>
 <cimom-restart>false</cimom-restart>
 <stateless-ready>true</stateless-ready>
 <overlay>false</overlay>
 <payloads>
  <payload name="payload1" type="vgz"></payload>
 </payloads>
 
</vib>

The “VeeamCiscoHXFirewall.xml” <download link> must be copied to /stage/payloads/payload1/etc/vmware/firewall

VeeamCiscoHXFirewall.xml example:
<ConfigRoot>
  <service id='1230'>
    <id>VeeamCiscoHXFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>           
  </service>
</ConfigRoot> 

5. Create the VIB using vibauthor:
vibauthor -C -t stage -v VeeamCiscoHXFirewall -f

6. Creation finished, ready for download
The VIB is now created and available in the root (/) directory. You can use the SCP client to download the VIB to your local operating system.

7. Install on ESXi

Install the Firewall VIB on ESXi:

Repeat the following steps on all Cisco HyperFlex nodes in your cluster.

a. Enable ssh and log in to your ESXi host using a ssh tool like PuTTY
User-added image

b. Copy the VIB file to the ESXi host's tmp folder using HTTP or a SCP client
User-added image

c. Install the VIB
Command:
esxcli software vib install -v /tmp/VeeamCiscoHXFirewall.vib -f

User-added image

d. Verify that the VIB was installed
Command:

esxcli software vib list | grep 'Veeam'
User-added image

e. Verify that the new firewall rule is active
Command:
esxcli network firewall ruleset list
User-added image

Note: If the VIB installation fails, you may need to set the acceptance level to CommunitySupport and retry the installation.
Command:
esxcli software acceptance set --level=CommunitySupported

 Set the Veeam Proxy Servers

1. Enable allowed IP list for the new firewall rule
Command:
esxcli network firewall ruleset set -r "VeeamCiscoHXFirewall" -a false 
User-added image

2. Set the Veeam proxy server data network IP (storage network)
Repeat the following command for all Veeam proxy server or set a subnet.
Command:
esxcli network firewall ruleset allowedip add -r "VeeamCiscoHXFirewall" -i "172.16.3.10"
User-added image

3. Verify that the IPs are set
Command:
esxcli network firewall ruleset allowedip list | grep -v "All"
User-added image


Note: Veeam recommends to set all IPs of Veeam proxy servers in the firewall rule. Otherwise the firewall rule is enabled for all incoming connections. You can specify either the IP address or a subnet. Use one command per proxy.


Check if everything is configured correctly

1. Check the Security Profile on the ESXi hosts
User-added image

2. Check the VIB
esxcli software vib list | grep 'Veeam'
User-added image

3. Check the ruleset
esxcli network firewall ruleset list
User-added image

4. Check which Veeam Proxy IPs are assigned
esxcli network firewall ruleset allowedip list | grep -v "All"
User-added image
 

0 / 5 (0 votes cast)

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Orphus system