Andrew Roderos

Tech Geek

Blog

Passed JNCDA

by Leave a Comment

Yesterday, I passed the JNCDA certification exam. I know I mentioned in my JNCIA-Junos post that it might have been my last Juniper certification, but things changed since then.

Exam Details

The JNCDA exam that I took has an exam code of JN0-1101. It is one of the Associate-level Juniper certifications. While it is reasonable to compare this to the retired Cisco Certified Design Associate (CCDA) certification, I believe the CCDA was a step above JNCDA.

Here are some details about the exam:

  • 65 multiple-choice questions
  • 90 minutes to finish the exam
  • Take the exam at an authorized testing center or in your own home
  • Can skip and go back to the questions
  • The passing score is quite low, so it’s easy to pass the exam

Exam Objectives

The JNCDA exam expects you to know about Request For Proposal (RFP) process, data center, WAN, automation, network management, Business Continuity and Disaster Recovery (BC/DR), etc. at the fundamental level.

For obvious reasons, Juniper wants you to know their offerings in DC, security, automation, etc. That’s the part where it would feel like a sales exam.

To view the exam objectives, then click here.

Preparation

I used Junos Genius for the JNCDA exam preparation. It is part of Juniper’s Open Learning self-study courses. If you don’t have an account, make sure to sign up for one. It’s free!

The JNCDA self-study course consists of 14 open learning modules, seven certification prep videos, two practice tests, and a voucher assessment test.

If you complete all of these, then you’ll be eligible to get a JNCDA exam voucher, worth $200. To get the free exam voucher, you will have to score a 70% score with a maximum of three attempts.

The practice tests were relatively easy to pass because of the low passing score. Don’t even sweat the voucher assessment test because it came from the two practice tests. I was able to pass all three tests in the first and only attempt.

Exam Experience

Since this is my second time taking a Juniper exam, I’m already familiar with their exam format. What was foreign to me was the online proctoring format (OnVUE).

The JNCDA was my first OnVUE experience. I’m happy to report that it was a pleasant experience. However, I was worried they would stop the exam if I look away from the screen since I tend to do that when I’m thinking.

In my opinion, the exam wasn’t as hard as the free practice tests found in the Junos Genius site. It could be because I did more reading after taking the practice and voucher assessment tests.

Final Thoughts

Juniper Networks is very generous to give away free training and exam vouchers for their Associate-level certifications. I don’t want to speculate anymore on why they are doing this. But, I welcome free training and an exam attempt!

Will I take the other Associate-level certifications? There’s a possibility that I will look at their JNCIA-DevOps, but most likely not this year. I have other things I need to learn that won’t result in a certification.

You might like to read

Passed JNCIA-Junos – My First Juniper Certification
Deploying vQFX on VMware ESXi

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!


Upgrade NUC10i7FNH to ESXi 7

by Leave a Comment

Note: If you’re going to run EVE-NG on this host, then do not upgrade to ESXi 7.0

Earlier this year, I wrote a post about my new ESXi host, the Intel NUC 10 – Frost Canyon. The post covered how to install VMware ESXi 6.7 on the NUC. Since VMware released the new ESXi version, I decided to upgrade my Frost Canyon NUC to ESXi 7.0. This guide describes how to upgrade NUC107iFNH to ESXi 7.

Related: VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

Software upgrade process

Usually, I use the CLI to upgrade my ESXi hosts to a newer version. This time around, it didn’t work without some changes to my standard process. It is because I’m using the non-native NIC driver for the Intel I219-V. You can see the error I received, as shown below.

[root@esxi03:~] esxcli network firewall ruleset set -e true -r httpClient
[root@esxi03:~] esxcli software profile update -p ESXi-7.0.0-15843807-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
 [HardwareError]
 Hardware precheck of profile ESXi-7.0.0-15843807-standard failed with errors: <NATIVE_BOOT_NIC ERROR: Found=[False] Expected=[True] Boot NIC is either missing or has no native driver available.>
 Please refer to the log file for more details.
[root@esxi03:~] esxcli network firewall ruleset set -e false -r httpClient

Since ESXi 7.0 still doesn’t use the updated ne1000 driver, you’ll have to create a customized offline bundle to upgrade the Intel 10th generation NUC (Frost Canyon) from ESXi 6.7 to 7.0.

To create a custom offline bundle, you’ll need to download and install some software. In this post, I used a Windows 10 VM with VMware PowerCLI, ESXi-Customizer-PS, and ne1000 driver downloaded and installed.

PowerShell and VMware PowerCLI

You should be able to install PowerShell on Linux or macOS. That said, VMware PowerCLI should work under those OS. The compatibility guide says it is supported.

Creating a custom ESXi 7 offline bundle

Once you’ve completed the software download and install, then it is time to create the custom ESXi 7.0 offline bundle. Follow all the steps in this section to successfully create the file.

Step 1 – Run Windows PowerShell

To run the software, click the Start Menu and look for Windows PowerShell. Once located, right-click it and click the Run as administrator. Once PowerShell window is up, issue the command, as shown below. This command assumes that you already have an ESXi folder.

PS C:\Windows\System32> cd ~\Desktop\ESXi

Step 2 – Create a ZIP file

Now, you are ready to create a custom ESXi offline bundle file. To create the ZIP file, you need to issue the commands, as shown below. This step assumes that the ne1000 driver is in the ESXi folder.

PS C:\Users\Andrew\Desktop\ESXi> Set-ExecutionPolicy RemoteSigned
PS C:\Users\Andrew\Desktop\ESXi> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
PS C:\Users\Andrew\Desktop\ESXi> .\ESXi-Customizer-PS.ps1 -v70 -pkgDir .\ -ozip

Note: Generating the offline bundle file may take a while. Just be patient. Eventually, you will see a file in ESXi folder with a name of ESXi-7.0.0-15843807-standard-customized.zip.

Do you find this content useful? If so, consider buying me a coffee! ☕


Upgrading from ESXi 6.7 to 7.0

After creating the offline bundle file, you must upload the ZIP file to your ESXi datastore. Once completed, you’re going to issue the command below.

[root@esxi03:~] esxcli software profile update -d /vmfs/volumes/datastore1/ESXi-7.0.0-15843807-standard-customized.zip -p ESXi-7.0.0-15843807-standard-customized

When the process is complete, you need to reboot your NUC, as shown below.

[root@esxi03:~] reboot

Verification

When the ESXi host is fully booted up, you can now check the version. You can do this via CLI or Web UI.

[root@esxi03:~] esxcli system version get
   Product: VMware ESXi
   Version: 7.0.0
   Build: Releasebuild-15843807
   Update: 0
   Patch: 0
Upgrade NUC10i7FNH to ESXi 7

ESXi 7.0 on older Intel NUC hardware versions

Upgrading older Intel NUC should work fine. In fact, I recently upgrade my Intel NUC6i3SYH to ESXi 7.0.

Final Thoughts

I already had a lot of hoops to jump through in getting ESXi to work on Intel NUC, so this doesn’t bother me that much. Though, I, for sure, want it to be a simple process. I am still hopeful that VMware will eventually add the updated ne1000 driver to newer versions.

You might like to read

VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!


Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Blocking ads network-wide with Pi-hole

by 2 Comments

I think it’s safe to say that the majority of people hate ads. However, it is a necessary evil since we all love free stuff. Whether that’s YouTube content, email service, etc., we want it for free. Some people install ad blocker add-ons on their browsers, and they work great. Some tech-savvy folks go even further by blocking ads network-wide. Today’s post is how to block ads network-wide.

Why block ads?

I love ads! Said no one, ever.

People have different opinions about ads. However, generally, people hate ads. Some common reasons are the following:

  • Pervasive
  • Intrusive
  • Obnoxious
  • And many more

For the most part, I agree with this list. However, some creators know how to be responsible with their content monetization. Not being responsible can affect the user experience. As a result, viewership goes down, or users find ways to block ads, which results to lower ad revenue.

Malvertising

What this list doesn’t have is malvertising or malicious advertising. It is one of my reasons why I block ads. It is, after all, a security issue. If you are unfamiliar with the term, please visit this site.

Essentially, cybercriminals pay an advertising network to display malicious ads that will redirect users to a compromised server. Malvertising can perform the following attacks on users without clicking anything:

  • A “drive-by” download. It is a type of attack that downloads and installs malware or adware.
  • Redirects to a phishing site.
  • Redirects to a site with fraud advertising. Some of these fraud ads will instruct users to download software to clean their computers.
  • The list goes on.

Enter Pi-hole

block ads using pi-hole

Pi-hole is a free and open-source software (FOSS) project. It was created by Jacob Salmela as an alternative to AdTrap back in 2014.

It is a Linux-based application that allows users to block advertisements and internet trackers at the network level. Originally designed to work with embedded devices like Raspberry Pi; hence, the name Pi-hole.

For several years, Pi-hole has known to work with other operating systems. But, now, the project officially supports several Linux distros, including my distro of choice, which is Ubuntu.

Linux VM

I chose the virtual machine route this time since I had issues with internal DNS resolutions back in 2016 or 2017 when I used a pre-packaged Pi-hole Docker container. With the conditional forwarding feature, that issue should no longer exist and I may consider moving to a Docker container again in the future.

Related: VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

My network currently has three ESXi servers. I assembled one of them back in 2012, one in 2016, and one this year.

Specs of my Pi-hole VM are the following:

  • 1 x vCPU
  • 768 MB of RAM
  • 1 x vNIC
  • 8 GB of disk space

Preliminary steps

Pi-hole needs a static IP address. We can approach this in two ways. One is statically assigning an IP address to the server. The other is to use a DHCP reservation. I prefer to assign an IP address on my servers.

Before Ubuntu 18.04, assigning a static IP address is controlled via the/etc/network/interfaces file. Now, it’s a YAML file that needs to be modified which is the /etc/netplan/50-cloud-init.yaml file.

Since I used the VMXNET3 network adapter type, the interface name is ens160. Under the interface, we need to change the DHCP line from true to false. Then, assign an IP address to the interface. Alternatively, we can delete the dhcp4: true line.

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        ens160:
            addresses:
                    - 192.168.100.53/24
            gateway4: 192.168.100.1
            nameservers:
                addresses:
                    - 208.67.222.222
                    - 207.67.220.220
    version: 2

After saving the changes to the YAML file, we need to apply the changes. Issue the command as seen below for the changes to take effect.

$ sudo netplan apply

Finally, we’re on the last command in the preliminary steps. We now need to make sure our Ubuntu Linux is up to date.

$ sudo apt update && sudo apt dist-upgrade -y

Pi-hole installation

Installing Pi-hole is quite easy. We just need to issue a one-line command.

$ curl -sSL https://install.pi-hole.net | bash

You may be thinking that this is a risky command to issue. Pi-hole wrote a post on why curling and piping to bash is controversial. If you don’t trust what this command does, then head over to their GitHub for alternative methods of installation.

In the installation wizard, you can leave everything as default. If you ever need to change it, then you can do it after installation using the admin page.

Eventually, you’ll reach the end of the installation wizard, and it will provide you a random password. It also shows you how to access the WebUI to make additional configurations.

Post-installation

The default values in the installation wizard are enough for a typical home environment. That said, no need to make any changes by logging into the admin page except to change the default password that was created by the installation wizard.

Change default password

To change the password, you need to issue one command, as can be seen below.

$ sudo pihole -a -p
Enter New Password (Blank for no password): makemypasswordgreatagain
Confirm Password: makemypasswordgreatagain
  [✓] New password set

Conditional forwarding

As previously mentioned, I run an internal DNS in my network. I may consider moving everything to Pi-hole, but not at this time. That said, I configured the conditional forwarding feature. You’d want to do this if you have a similar environment like mine.

To configure, click on Settings DNS and then scroll down until you find the Conditional Forwarding section.

Pi-hole conditional forwarding

Since I have multiple subnets, I needed to add PTR records so that I can perform reverse DNS lookups. Without these records, I was only able to perform lookups within the same network as my internal DNS server. In this case, it was only within the 192.168.100.0/24 network. To add more networks, create a file in the /etc/dnsmasq.d directory.

$ sudo vi /etc/dnsmasq.d/02-pihole.conf

server=/10.168.192.in-addr.arpa/192.168.100.155
server=/20.168.192.in-addr.arpa/192.168.100.155
server=/30.168.192.in-addr.arpa/192.168.100.155
server=/40.168.192.in-addr.arpa/192.168.100.155
server=/50.168.192.in-addr.arpa/192.168.100.155

After saving the file, make sure to restart the Pi-hole DNS service by issuing the sudo pihole restartdns command.

Do you find this content useful? If so, consider buying me a coffee! ☕


Pi-hole as internal DNS server

The easiest way to make Pi-hole as an internal DNS server is by making it the DHCP server for the network. A lot of people will opt for this option because it’s easy and automatic.

If you want to make your life harder, then adding entries to the host file is the other option. To edit the host file, use your favorite text editor and add host entries to /etc/hosts file. Below is an example of a host file I create for another home network that I have.

$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 pihole

192.168.80.151 	esxi03	esxi03.networkjutsu.local
192.168.80.1 	erx	erx.networkjutsu.local
192.168.80.100	unifi	unifi.networkjutsu.local	unifi-controller	unifi-controller.networkjutsu.local
192.168.80.101	nanohd	nanohd.networkjutsu.local

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Update: With the release of version 5.0, adding IP address and DNS name associations are now available on the Web UI. In the main navigation pane, click on Local DNS Records.

Alternatively, you can create /etc/pihole/custom.list file and add the IPs and names there.

$ more /etc/pihole/custom.list
192.168.1.1 rtr.networkjutsu.local
192.168.1.53 pihole01.networkjutsu.local

DNS resolution from another network

If you have multiple subnets, just like my environment, you will need to ensure that your Pi-hole interface listening behavior is correct. There might be an instance where the installation wizard sets it to Listen on all interfaces. With this setting, the Pi-hole ignores DNS queries from clients that are not in the same network as Pi-hole’s interface. Make sure to set it to Listen only on interface ens160 or Listen on all interfaces, permit all origins.

Alternatively, if you’re a CLI junkie, you can change this setting by editing /etc/pihole/setupVars.conf file. Below is my current setting.

$ cat /etc/pihole/setupVars.conf | grep DNSMASQ_LISTENING
DNSMASQ_LISTENING=single

If you want to know the Web UI equivalent, then use this table.

localListen on all interfaces
singleListen only on interface ens160
allListen on all interfaces, permit all origins

Adding more to the blocklist

While the built-in blocklist works great in blocking ads, there are other lists that you can add. Currently, I use some of the blocklists from The Firebog site. I need more time to test before adding more to the list. Additionally, I added Dshield’s suspicious domain list as well.

Update: I added some of the lists in here as well.

Client’s DNS configuration

Once you completed the Pi-hole configuration, you’re now ready to make changes to your DNS configuration. There are two approaches that you can take.

The first one is to change your router’s DNS configuration. I recommend using this route since it’s the easiest and fastest out of the two.

The second approach is to change the DHCP configuration settings to point to Pi-hole as the DNS server. This approach is slow since the DHCP timeout applies. To immediately take effect, clients will need to release and renew their DHCP lease.

Keeping it up to date

At this time of writing, the update mechanism is not available on the web UI. That said, you would have to use the CLI to update Pi-hole. To update, use the command below.

$  pihole -up
  [i] Checking for updates...
  [i] Pi-hole Core:	up to date
  [i] Web Interface:	up to date
  [i] FTL:		up to date

  [✓] Everything is up to date!

Pi-hole in action

Now that you’re finished with configurations, it’s time to see it in action. In the next few sections, I’m going to demonstrate the different types of scenarios to show the value of Pi-hole and ad blocker.

Scenario 1

No ad blocking

Here’s an example of a network without Pi-hole and a browser without uBlock Origin installed. As expected, advertisements are showing on the page.

Not blocking ads require more web requests

If you try it out yourself, you will notice that the page loads very slow. It is especially noticeable when you’re testing it using a low powered machine and not a very fast internet connection. With the use of developer tools, you will notice there are a lot of web requests.

Scenario 2

Using Pi-hole without uBlock Origin

Here’s an example of a network with Pi-hole and a browser without uBlock Origin installed. As expected, no advertisements are showing on the page.

Blocking ads with Pi-hole reduces web requests

If you try to load the page again, with cache disabled, you will notice that it loads very fast. It is because of the reduced number of web requests blocked by Pi-hole. In this scenario, we saved a whopping 758%!

Scenario 3

Using uBlock Origin only

Here’s an example of a network without Pi-hole and a browser with uBlock Origin installed. In this scenario, the browser add-on blocked the ads. However, it loaded the video player that we saw earlier but without the ads.

Blocking ads using uBlock Origin reduces number of web requests

Using uBlock Origin still saves us a lot of web requests. However, the number is not as high as the one shown earlier. Nevertheless, having the ad blocker reduced the number of web calls to 403%.

Scenario 4

Using both Pi-hole and uBlock Origin

Here’s an example of a network with Pi-hole and a browser with uBlock Origin installed. Visually, there’s no difference between this and the second scenario. However, inspecting with developer tools shows that there’s a slight difference.

Pi-hole and uBlock Origin further reduces the number of web requests

As you can see, it further reduced the number of requests compared to the second scenario. While not significant, having an ad blocker on your browser helps block ads and trackers not caught by Pi-hole.

An example of this is by visiting YouTube. If you turn off the ad blocker, the ads will load. Pi-hole cannot effectively block the ads because YouTube hosts both the content and advertisements on the same server.

Final Thoughts

As discussed, blocking ads is no longer just to avoid seeing obnoxious images or videos. It’s also for avoiding malvertising and saving bandwidth. With the combination of Pi-hole and ad blocker, you will definitely accomplish those objectives.

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!


Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

by 8 Comments

If you follow me on Instagram or Twitter, then you know that I recently installed VMware ESXi on Intel NUC 10 (Frost Canyon). It will join the existing hosts in my VMware ESXi home lab that I assembled in 2012 and 2016. While these hosts are old, they’re still useful for what they currently do. Eventually, I’m going to repurpose the ESXi 2012 build and will talk about it in a future post. The ESXi 2016 build will continue to host my current virtual servers and future lightweight servers. This new ESXi build will host VMs that require more oomph than the Core i3-based ESXi build. For example, CSR1000v, vMX, vQFX10K, etc.

Hardware

VMware ESXi on Intel NUC 10 (Frost Canyon)

I bought the majority of the parts during Black Friday and Cyber Monday, so I was able to minimize the cost a little bit. The NUC was a pre-order and the delivery date changed once or twice. Eventually, the order arrived a month later. Since I was traveling in Asia when it was delivered, I didn’t get to play with it until last week.

Here are the parts of this VMware ESXi build:

VMware ESXi 7.0 on Intel Frost Canyon NUC

The official ISO image for ESXi 7.0 still does not have the updated ne1000 driver. That said, you still have to create a customized ISO image.

Update

The VMware engineers responsible for the Fling USB NIC driver released the ne1000 driver offline bundle for the Intel NUC 10 (Frost Canyon). With that said, a lot of the steps covered here are no longer necessary. You do, however, still need to customize the ESXi ISO image.

Here’s the result of replacing the built-in ne1000 driver on the vanilla ESXi 6.7.0 ISO image.

[root@esxi03:~] esxcli network nic list
Name    PCI Device    Driver  Admin Status  Link Status  Speed  Duplex  MAC Address         MTU  Description
------  ------------  ------  ------------  -----------  -----  ------  -----------------  ----  -------------------------------------------------
vmnic0  0000:00:1f.6  ne1000  Up            Up            1000  Full    1c:69:7a:01:23:45  1500  Intel Corporation Ethernet Connection (10) I219-V

You might be wondering why did I buy the USB NIC. I found out that the built-in NIC on the NUC is a newer version of I219-V and it and is not currently on VMware’s hardware compatibility list. Without a recognized network adapter, I won’t be able to install ESXi on this NUC.

Related: Upgrading Intel NUC10i7FNH to ESXi 7.0

As you can see from the output below, the hardware version of the built-in NIC seems to be 10. Looking at the VMware HCL, the Intel Ethernet Connection (10) I219-V is not included on the list.

[root@esxi03:~] lspci -v | grep "I219-V" -A 1
0000:00:1f.6 Network controller Ethernet controller: Intel Corporation Ethernet Connection (10) I219-V
	 Class 0200: 8086:0d4f

Pre-installation

The installation process is not straight forward compared to other versions of Intel NUC. With the Frost Canyon NUC, you need to create a custom ISO that includes the USB NIC an updated ne1000 drivers. Fortunately, there’s a Fling USB driver created by VMware engineers. Fortunately, there’s an updated ne1000 driver created by a VMware engineer that works on VMware ESXi 6.7 or 7.0.

Software

You’ll need to download and install some software before you can create a custom ESXi ISO image. Here are the tools that I loaded in my Windows 10 VM:

You don’t need to download the latest ESXi ISO since the ESXi-Customizer-PS will take care of it for you.

Do you find this content useful? If so, consider buying me a coffee! ☕


Creating a custom ESXi ISO image

Once you’ve completed the software download and install, then it’s time to create the custom ESXi ISO image. Follow all the steps in this section to successfully create the installation media.

Step 1 – Run Windows PowerShell

To run the software, click the Start Menu and look for Windows PowerShell. Once located, right-click it and click the Run as administrator. Once PowerShell window is up, issue the command, as shown below.

PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned
PS C:\Windows\system32> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Step 2 – Run ESXi-Customizer-PS

Now, you’re ready to create a custom ESXi ISO image. To create the ISO image, you need to issue the commands as shown below. This step assumes that the Fling USB ne1000 driver offline bundle is in the ESXi folder.

PS C:\Windows\System32> cd ~\Desktop\ESXi
PS C:\Users\Andrew\Desktop\ESXi> .\ESXi-Customizer-PS-v2.6.0.ps1 -pkgDir .\

ESXi 7.0 Custom ISO

You will need a newer version of the ESXi-Customizer-PS to generate the customized ESXi 7.0 ISO image. Replace the command above to .\ESXi-Customizer-PS.ps1 -v70 -pkgDir .\

Note: This does not work currently. More details here. Use the PowerCLI commands below to create a custom ESXi 7.0 ISO image.

PS C:\Users\Andrew\Desktop\ESXi> Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
PS C:\Users\Andrew\Desktop\ESXi> Export-ESXImageProfile -ImageProfile "ESXi-7.0.0-15843807-standard" -ExportToBundle -filepath ESXi-7.0.0-15843807-standard.zip
PS C:\Users\Andrew\Desktop\ESXi> Remove-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
PS C:\Users\Andrew\Desktop\ESXi> Add-EsxSoftwareDepot .\ESXi-7.0.0-15843807-standard.zip
PS C:\Users\Andrew\Desktop\ESXi> Add-EsxSoftwareDepot .\ESXi670-NE1000-32543355-offline_bundle-15486963.zip
PS C:\Users\Andrew\Desktop\ESXi> New-EsxImageProfile -CloneProfile "ESXi-7.0.0-15843807-standard" -name "ESXi-7.0.0-15843807-NUC" -Vendor "andrewroderos.com"
PS C:\Users\Andrew\Desktop\ESXi> Remove-EsxSoftwarePackage -ImageProfile "ESXi-7.0.0-15843807-NUC" -SoftwarePackage "ne1000"
PS C:\Users\Andrew\Desktop\ESXi> Add-EsxSoftwarePackage -ImageProfile "ESXi-7.0.0-15843807-NUC" -SoftwarePackage "ne1000 0.8.4-3vmw.670.3.99.32543355"
PS C:\Users\Andrew\Desktop\ESXi> Export-ESXImageProfile -ImageProfile "ESXi-7.0.0-15843807-NUC" -ExportToIso -filepath ESXi-7.0.0-15843807-NUC.iso

Step 3 – Run Rufus

You’re now ready to create the USB installation media using Rufus. Launch Rufus and write the ISO image to your USB flash drive. Click the Start button. If you see a message about an obsolete version of ‘menu.c32’, then click the Yes button. You may see another pop-up window that’s warning you about data destruction, just hit OK to continue.

Creating VMware ESXi USB installation media

Modifying the BIOS settings

Update

With the release of the ne1000 driver, this step is no longer necessary.

This step is necessary since you need to set the USB NIC as the primary network adapter. Using USB NIC as the primary network adapter means the settings do not persist, by default. To make it persistent, you’ll need to create a startup script. This is not allowed when Secure Boot is enabled. That said, you’ll want to disable the Secure Boot feature.

To disable the Secure Boot feature in the BIOS, power on the NUC and hit the F2 key once you see the Intel NUC logo. Once you’re in the BIOS, select the Boot tab and then Secure Boot. Under the Secure Boot menu, you should see the Secure Boot as enabled, disable it and save the changes.

Optional: While you’re in the BIOS, you may want to make sure that the Intel Virtualization Technology features are enabled. To verify, go to the Performance tab and select the Processor settings. You will now see multiple drop-down menus. Make sure that Intel Virtualization Technology and Intel VT for Directed I/IO (VT-d) are enabled. Save and exit the BIOS by hitting the F10 key.

Installing ESXi on 10th Gen Intel NUC

Update

With the release of the ne1000 driver, the installation will go smoothly.

After all the pre-work that you’ve done, I’m sure you’ve been waiting for this step. The installation is straight forward, for the most part. The only hiccup that you will encounter is the installation gets stuck at 85%, and an error message appears. Don’t worry about being stuck at 85%. The ESXi install went through fine. Restart the NUC, and ESXi will boot properly.

Installing ESXi on Intel NUC (Frost Canyon)

Post-installation

Update

With the release of the ne1000 driver, this section is no longer necessary.

Once ESXi is up and running, there are still some steps you will need to take before you can start firing up VMs. Follow these post-installation steps to make the USB NIC persistent.

Step 1 – Configure password

Unfortunately, the password that you set during the installation process won’t work. With that said, you will need to leave the password blank after hitting the F2 key. Once you’re in, you need to configure a password for your ESXi server. Go to the Configure Password settings. Leave the password blank for the Old Password section, then enter your new password.

Step 2 – Perform network restore

The next step is to perform a network restore. By doing this step, the system will recognize the network adapter. To perform a network restore, go to the Network Restore Options settings. Select the Restore Network Settings and hit the Enter key. It will ask you if you want to reset the network configuration, hit the F11 key for yes, and then hit the Enter key.

Once done, you need to log out of the system. Hit Esc key twice to log out. You will now see that the host has an IP address via DHCP. If your network does not have DHCP enabled, then it should get an APIPA address.

Step 3 – Configure the management network

This step is necessary if you want your server to use a static IP address. Log back in using the password that you set earlier. Then, go to Configure Management Network and then IPv4 Configuration settings. Select the static option and enter the IP address information. Once completed, make sure to apply the changes.

Feel free to change the hostname while you’re in this section as well.

Step 4 – Enable SSH

From time to time, I need to access CLI, so when I build an ESXi system, I usually enable SSH. There are two ways to enable SSH. One via the console and the other one is via the ESXi Embedded Host Client (Web UI).

Option 1 – Console

To enable using the console, go to Troubleshooting Options settings and select Enable SSH.

Option 2 – Host Client

Log into the Web UI using the IP address or DNS name. Once logged in, go to Actions > Services > Enable Secure Shell (SSH).

Step 5 – Add a script

As mentioned in the BIOS settings section, using USB NIC as the primary network adapter means the settings do not persist, by default. That said, you will need to add some lines to the /etc/rc.local.d/local.sh file.

The script that you need to add will depend on your virtual switch configuration. In my case, I use the Standard Virtual Switch in my environment. If you use Distributed Virtual Switch (VDS), then you can customize the one here.

ESXi has VI editor built-in, so you can use that to add the script. Insert the text before the exit 0 section, as shown below.

#!/bin/sh

# local configuration options

# Note: modify at your own risk!  If you do/use anything in this
# script that is not part of a stable API (relying on files to be in
# specific places, specific tools, specific output, etc) there is a
# possibility you will end up with a broken system after patching or
# upgrading.  Changes are not supported unless under direction of
# VMware support.

# Note: This script will not be run when UEFI secure boot is enabled.

vusb0_status=$(esxcli network nic get -n vusb0 | grep 'Link Status' | awk '{print $NF}')
count=0
while [[ $count -lt 20 && "${vusb0_status}" != "Up" ]]
do
    sleep 10
    count=$(( $count + 1 ))
    vusb0_status=$(esxcli network nic get -n vusb0 | grep 'Link Status' | awk '{print $NF}')
done

if [ "${vusb0_status}" = "Up" ]; then
    esxcfg-vswitch -L vusb0 vSwitch0
    esxcfg-vswitch -M vusb0 -p "Management Network" vSwitch0
    esxcfg-vswitch -M vusb0 -p "VM Network" vSwitch0
fi

exit 0

Verification

To verify that the script works, reboot your ESXi server. After a minute or so, you should be able to log back in.

In addition, you may want to create a VM to test network connectivity. In my case, I created a Ubuntu Linux Server edition to verify if the vNIC works correctly.

Final Thoughts

VMware ESXi on Intel NUC 10 (Frost Canyon)

While there are a lot of hoops to jump through to get ESXi working on this Intel NUC 10 (Frost Canyon) with 10th generation Intel Core CPU, I still prefer this host compared to a Dell or HP used server. Sure, I’ll save more money acquiring them, but I don’t have space for it. In addition, they’re more power-hungry than the Intel NUC.

It’s worth noting that when the Intel NUC 8 (Bean Canyon) was released, people had to create a custom ISO as well. Eventually, VMware released updates to where the ISO included the Intel I219-V drivers. I’m hoping that VMware will release an update for this hardware revision as well. With the release of the ne1000 driver offline bundle, there may be a good chance that VMware will release an ISO with the driver.

You might like to read

Deploying vQFX on VMware ESXi
Deploying TACACS+ on a Docker container
Upgrade Intel NUC10i7FNH to ESXi 7.0

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!


Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Deploying TACACS+ on a Docker container

by Leave a Comment

tacacs+ docker container

Back in 2011, I wrote how to configure tac_plus (TACACS+ daemon) on an Ubuntu server. Then two years ago, I wrote a post about adding two-factor authentication (2FA) to TACACS+. Today, I’m going to talk about deploying TACACS+ on a Docker container.

While I’ve written migrating FreeRADIUS with 2FA to a Docker container post in the past, I’d still consider myself a newbie. I don’t deal with Docker daily to be well-versed.

Since I’m still a newbie, I make mistakes writing a Dockerfile and sometimes get stuck when the container keeps restarting. Part of the problem is I’m still learning Linux even though I’ve been using it for many years.

Another part is I have yet to sit down and read a book about Docker, like this one. The book has a high rating on Amazon and seems like a good buy if you’re trying to learn it.

Yes, I could download someone else’s Docker container. However, I don’t like doing that. When I write the Dockerfile from scratch, it forces me to learn both Docker and Linux.

Docker Installation

Before we can deploy a TACACS+ container, we need to install the Docker software. Docker’s documentation has the steps on how to do it on your preferred OS. For this tutorial, I’m using the Ubuntu Server 18.04 as my OS of choice.

andrew@networkjutsu:~$ sudo apt-get update
andrew@networkjutsu:~$ sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common -y
andrew@networkjutsu:~$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
andrew@networkjutsu:~$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
andrew@networkjutsu:~$ sudo apt-get install docker-ce docker-ce-cli containerd.io -y
andrew@networkjutsu:~$ sudo apt autoremove -y
andrew@networkjutsu:~$ docker --version
Docker version 19.03.4, build 9013bf583a

Alternatively, we can install the Docker version that Ubuntu is using in their repo. Installing from Ubuntu’s repo is the easiest way to install Docker.

andrew@networkjutsu:~$ sudo apt install docker.io -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
<-- Output omitted for brevity -->
andrew@networkjutsu:~$ docker --version
Docker version 18.09.7, build 2d0083d

Docker Compose installation

I like to use the docker-compose command to run multiple containers in one syntax. That said, I have that installed on my Ubuntu server. This step is optional, but I highly recommend using it. If you have a different OS, then visit this page.

andrew@networkjutsu:~$ sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
andrew@networkjutsu$ sudo chmod +x /usr/local/bin/docker-compose
andrew@networkjutsu$ docker-compose --version
docker-compose version 1.24.1, build 4667896b

Dockerfile

I like to separate my files for each Docker containers that I want to deploy. That said, I create a new directory for each of them.

andrew@networkjutsu:~$ mkdir tacacs

Once I’ve created the directory, it’s time to write the Dockerfile. Since I’m more familiar with VIM than any other text editor on Linux, that’s what I use. Please feel free to use your favorite Linux text editor.

andrew@networkjutsu:~$ vi tacacs/Dockerfile

Once VIM is running, we can now write the contents of our Dockerfile. Here’s a sample of my TACACSC+ Dockerfile.

Do you find this content useful? If so, consider buying me a coffee! ☕


# Use Base Ubuntu image
FROM ubuntu:18.04

# Author of this Dockerfile
MAINTAINER Andrew Roderos <andrewroderos.com>

# Update & upgrades
RUN apt-get update && apt-get upgrade -y

# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y

# Clear local repo
RUN apt-get clean

# Create a user with home directory
RUN useradd -m -d /home/andrew -s /bin/bash andrew

# Add password to andrew account
RUN echo "andrew:makemypasswordgreatagain" | chpasswd

# Copy Google secret key from host's volume to tacacs+ container
COPY .google_authenticator /home/andrew

# Change file owner
RUN chown andrew:andrew /home/andrew/.google_authenticator

# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf

# Add tac_plus PAM
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus

# Run tac_plus as foreground process and use /etc/tacacas+/tac_plus.conf as the config file
CMD ["tac_plus", "-G", "-C", "/etc/tacacs+/tac_plus.conf"]

Preliminary steps

Before we can build the TACACS+ Docker container, we need to do some preliminary steps. As you can see from the Dockerfile, it will copy some files that I already have in the current directory. Without these files, the docker build command will error out.

Google Authenticator secret key

The first file we need is the .google_authenticator file. This file contains all the necessary parameters for our TOTP (Time-based One Time Password).

Since I use Google Authenticator at home, I just copied my existing file for this lab. If you don’t have one, you may want to generate one from another host. I covered the generation of the secret key in this post.

Once you’ve generated the secret key, we can now copy the .google_authenticator file in the home directory. Please copy it to the tacacs directory.

andrew@networkjutsu:~$ cp .google_authenticator tacacs

TACACS+ configuration file

The next file we need is the tac_plus.conf file. This file gets generated when you install tac_plus software. Since I’ve covered this topic before, I already have a configuration file that I can use. If you don’t have one, then you can use my configuration files from here and here.

If you do create this from scratch, make sure the owner and permissions are the same as the one below.

andrew@networkjutsu:~/tacacs$ ls -l tac_plus.conf
-rw------- 1 root root 3108 Nov 4 18:43 tac_plus.conf

Depending on how you create the file, the owner and permissions are different. For example, I created the tac_plus.conf file using a non-root account.

andrew@networkjutsu:~/tacacs$ ls -l tac_plus.conf
-rw-rw-r-- 1 networkjutsu networkjutsu 3108 Nov 4 20:41 tac_plus.conf

There are multiple options to fix this minor issue. One option is by deleting the file and recreating it using the root account.

andrew@networkjutsu:~/tacacs$ rm tac_plus.conf
andrew@networkjutsu:~/tacacs$ sudo vi tac_plus.conf
andrew@networkjutsu:~/tacacs$ sudo chmod 600 tac_plus.conf
andrew@networkjutsu:~/tacacs$ ls -l tac_plus.conf
-rw------- 1 root root 3108 Nov 4 20:44 tac_plus.conf

Another option is adding some lines to the Dockerfile to change the owner and permissions. Add the following lines after the COPY tac_plus.conf /etc/tacacs+/tac_plus.conf line.

# Change owner from andrew to root
RUN chown root:root /etc/tacacs+/tac_plus.conf

# Change permission to root only access
RUN chmod 600 /etc/tacacs+/tac_plus.conf

Creating a Docker image

Once done with the preliminary steps, we can now create our TACACS+ Docker image. Creating a Docker image is pretty straightforward. All we need to do is issue the command below.

andrew@networkjutsu:~/tacacs$ docker build -t tacacs .
Sending build context to Docker daemon  8.192kB
Step 1/14 : FROM ubuntu:18.04
 ---> 452a96d81c30
Step 2/14 : MAINTAINER Andrew Roderos <andrewroderos.com>
 ---> Using cache
 ---> 1c717e03db89
<-- Output omitted for brevity -->

Once the building process is done, you can verify that the Docker image is ready by issuing the command below.

andrew@networkjutsu:~/tacacs$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
tacacs              latest              32a7bc92b24a        2 minutes ago       205MB
radius              latest              c558d1437285        33 hours ago        248MB

Docker Compose

We’re now ready to run the Docker image. If you prefer to use docker run syntax, then feel free to use that one. I happen to like to use the docker-compose command when starting up Docker containers. That said, we need to edit my existing docker-compose.yml file before we can run the Docker container.

andrew@networkjutsu:~/tacacs$ vi ../docker-compose.yml

The file should look like the one below.

andrew@networkjutsu:~/tacacs$ cat ../docker-compose.yml
version: "3"
services:
  radius:
    container_name: radius
    image: radius
    ports:
    - "192.168.200.51:1812:1812/udp"
    - "192.168.200.51:1813:1813/udp"
    - "192.168.200.51:18120:18120/udp"
    environment:
    - VIRTUAL_HOST=radius.networkjutsu.local
    restart: always
    volumes:
    - /etc/timezone:/etc/timezone:ro
    - /etc/localtime:/etc/localtime:ro
  tacacs:
    container_name: tacacs
    image: tacacs
    ports:
    - "192.168.200.49:49:49/tcp"
    environment:
    - VIRTUAL_HOST=tacacs.networkjutsu.local
    restart: always
    volumes:
    - /etc/timezone:/etc/timezone:ro
    - /etc/localtime:/etc/localtime:ro

Now, we’re ready to run our TACACS+ Docker container.

andrew@networkjutsu:~$ docker-compose up -d
Creating tacacs ...
radius is up-to-date
Creating tacacs ... done
andrew@networkjutsu:~/tacacs$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                                                      NAMES
1a6eb28498d6        tacacs              "tac_plus -G -C /etc…"   14 seconds ago      Up 13 seconds       192.168.200.49:49->49/tcp                                                  tacacs
946d992dddb5        radius              "freeradius -f"          17 hours ago        Up 17 hours         192.168.200.51:1812-1813->1812-1813/udp, 192.168.200.51:18120->18120/udp   radius

If the status says Restarting, then that means there’s something wrong with the tac_plus.conf file or Dockerfile. You might have to spend some time troubleshooting if your config isn’t the same as mine.

Note: The instructions covered here are not recommended for production use since it’s running the container as root.

Verification

Once the Docker container is running, then we’re now ready to verify if our TACACS+ is working as expected. This step assumes that you already have an IOS device with a TACACS+ configuration. If you need a sample configuration, please check out my post.

R1 con0 is now available
Press RETURN to get started.
User Access Verification
Username: andrew
Password & verification code: makemypasswordgreatagain468792
R1>en
Password: makemypasswordgreatagain
R1#

Note: The example above was done using the CSR 1000v and may not represent what the prompt would look like on regular IOS-based devices.

Final Words

OS-level virtualization, such as Docker, offers a lot of advantages over server virtualization. One of the benefits of OS-level virtualization is that it consumes fewer system resources compared to VMs. It is the major reason why I run containers for my FreeRADIUS and TACACS+ services.

Additionally, if done right, it’s faster for me to deploy something on Docker than provisioning new VMs. Though, with the mistakes I’ve done in the past, I am sure I could’ve provisioned new VMs a lot faster.

Just because everyone is doing Docker containers, doesn’t mean you should follow suit. Make sure to weigh in the pros and cons of running services, such as TACACS+, on Docker.

You might like to read

VMware ESXi Home Lab – Intel NUC (Frost Canyon)
Blocking ads network-wide

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!


Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.