Team Leader - Nutanix Technology Champion - Nutanix NTC Storyteller

Julien DUMUR
Infrastructure in a Nutshell

After a successful installation of Nutanix AHV, all passwords configured on the cluster are the default passwords “nutanix/4u” and it is imperative to change them for maximum security.

Recommendations regarding password complexity

You must choose strong passwords to secure your infrastructure, and they must be unique!

The minimum complexity required by Nutanix is:

  • 8 characters
  • 1 lowercase letter minimum
  • 1 uppercase letter maximum
  • 1 number minimum
  • 1 special character

Some cluster passwords will also require you to respect certain constraints related to the password history.

Generally speaking, I would recommend that you use a password generator often integrated into your password management software to create your passwords and apply a length of at least 16 characters while respecting the complexity rules indicated above.

Prism Element admin password

This step is essential and you cannot bypass it. If this is your first time logging in, the login is “admin” and the password is “nutanix/4u”. You will be asked to configure a new password respecting the complexity criteria.

CVM “Nutanix” password

If you leave the default password, you will have critical alert messages on your Prism Element interface.

To fix this, connect over SSH to the IP address of one of the CVMs in your cluster with the nutanix user and the default password nutanix/4u. A simple “passwd” then lets you configure a new password:

nutanix@NTNX-99110c89-A-CVM:~$ passwd
Changing password for user nutanix.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
nutanix@NTNX-99110c89-A-CVM:~$

Enter the current password, then the new password twice in a row and that’s it!

Hosts passwords

Right after an installation, the passwords of the Nutanix hosts are still the default ones, and this will generate critical alerts on the cluster.

To change the “root” password of the hosts, connect to one of the CVMs and type the associated command:

nutanix@NTNX-99110c89-A-CVM:192.168.2.200:~$ echo -e "CHANGING ALL AHV HOST ROOT PASSWORDS.\nPlease input new password: "; read -rs password1; echo "Confirm new password: "; read -rs password2; if [ "$password1" == "$password2" ]; then for host in $(hostips); do echo "Host $host"; echo "$password1" | ssh root@"$host" "passwd --stdin root"; done; else echo "The passwords do not match"; fi

The system will then ask you to enter the new password twice:

CHANGING ALL AHV HOST ROOT PASSWORDS.
Please input new password:
Confirm new password:
Host 192.168.2.199
Nutanix AHV
Changing password for user root.

To change the “admin” password of the hosts, connect to one of the CVMs and type the associated command:

nutanix@NTNX-99110c89-A-CVM:192.168.2.200:~$ echo -e "CHANGING ALL AHV HOST ADMIN PASSWORDS.\nPlease input new password: "; read -rs password1; echo "Confirm new password: "; read -rs password2; if [ "$password1" == "$password2" ]; then for host in $(hostips); do echo "Host $host"; echo "$password1" | ssh root@"$host" "passwd --stdin admin"; done; else echo "The passwords do not match"; fi

The system will then ask you to enter the new password twice:

CHANGING ALL AHV HOST ADMIN PASSWORDS.
Please input new password:
Confirm new password:
Host 192.168.2.199
Nutanix AHV
Changing password for user admin.
passwd: all authentication tokens updated successfully.

To change the “nutanix” password of the hosts, connect to one of the CVMs and type the associated command:

nutanix@NTNX-99110c89-A-CVM:192.168.2.200:~$ echo -e "CHANGING ALL AHV HOST NUTANIX PASSWORDS.\nPlease input new password: "; read -rs password1; echo "Confirm new password: "; read -rs password2; if [ "$password1" == "$password2" ]; then for host in $(hostips); do echo "Host $host"; echo "$password1" | ssh root@"$host" "passwd --stdin nutanix"; done; else echo "The passwords do not match"; fi

The system will then ask you to enter the new password twice:

CHANGING ALL AHV HOST NUTANIX PASSWORDS.
Please input new password:
Confirm new password:
Host 192.168.2.199
Nutanix AHV
Changing password for user nutanix.
passwd: all authentication tokens updated successfully.
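The complexity rules from the recommendations section and the per-host loops above combined into one checked procedure, as an added example that is not part of the original post. It assumes the uppercase rule is "at least one", that `hostips` is the CVM helper used in the one-liners, and the function names are mine.

```shell
# Added example (not from the original post): validate a candidate password
# against the Nutanix complexity rules before pushing it to every AHV host,
# so a password that would be rejected never leaves the hosts half-changed.
# Assumptions: uppercase rule is "at least one"; `hostips` lists the AHV
# hosts as on a CVM; ntnx_password_ok / change_all_host_passwords are my names.

# Returns 0 when $1 has at least one lowercase, uppercase, digit and special
# character and is at least $2 characters long (default 16, the length
# recommended above; the Nutanix minimum is 8).
ntnx_password_ok() {
  pw=$1
  min_len=${2:-16}
  [ "${#pw}" -ge "$min_len" ] || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
  return 0
}

# Reads the new password twice without echo, checks match and complexity,
# then sets it for account $1 (root, admin or nutanix) on every AHV host,
# exactly as the one-liners above do but only after the checks pass.
change_all_host_passwords() {
  account=$1
  printf 'Please input new password: '; stty -echo; read -r p1; stty echo; echo
  printf 'Confirm new password: ';     stty -echo; read -r p2; stty echo; echo
  [ "$p1" = "$p2" ] || { echo "The passwords do not match" >&2; return 1; }
  ntnx_password_ok "$p1" || { echo "Password does not meet the complexity rules" >&2; return 1; }
  for host in $(hostips); do
    echo "Host $host"
    printf '%s\n' "$p1" | ssh "root@$host" "passwd --stdin $account"
  done
}
```

Run `change_all_host_passwords root` (then admin, then nutanix) from a CVM; the default "nutanix/4u" satisfies the minimum rules but fails the 16-character recommendation, which is the point of the length check.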

Official resources

Password modification: https://portal.nutanix.com/page/documents/kbs/details?targetId=kA00e000000LKXcCAO


It’s on Nutanix’s roadmap! Password-based SSH authentication is in the vendor’s sights: it intends to put an end to it and warns its users via an informational alert:

The objective is to gradually move customers to SSH key authentication so that it can be made mandatory in a future version of the hypervisor.

Creating SSH keys

The supported SSH encryption algorithms (ciphers) are:

  • AES128-CTR
  • AES192-CTR
  • AES256-CTR

If you already have such a key pair, you can proceed directly to cluster integration.

To create an SSH key pair, we will need a tool like PuTTYgen.

Click “Generate” and move the mouse cursor around the window. Then enter a passphrase and save both the public key and the private key.

WARNING: be sure to use a strong, non-predictable passphrase.

We must now integrate the public key into the cluster.

Integration of the public key on the cluster

To integrate your public key into your cluster, connect to the Prism interface and go to “Settings > Cluster Lockdown”.

Click on “New Public Key”, give it a name, paste the public key content and validate.

At this stage, classic password authentication and SSH key authentication are both active and functional; it is time to test.

Testing and activation of the cluster lockdown feature

First, we will test authentication via SSH key. Don’t panic: whatever happens, even if the SSH connection via the keys does not work after activating the cluster lockdown, you can always revert via the Prism interface.

Configure your favourite SSH client with your private key, then open a connection to your Nutanix cluster. First, enter the login you want to use; here I chose “nutanix”:

Then enter the passphrase that you configured when creating your SSH key. Validate; you are now connected to your cluster via your SSH key without having used the password of the “nutanix” account.

Now let’s deactivate password authentication by returning to the “Settings > Cluster Lockdown” menu. Uncheck the “Enable Remote Login with Password” box:

Try logging in again using the “nutanix” account and the usual password and notice that you can no longer log in with this method:

Try with your private key and the associated passphrase:

Your cluster is now SSH accessible only via the SSH key system. If there are several administrators working on the server, don’t forget to repeat the operation for each of them.

Important point: remember to keep your private keys in a safe place and use a strong passphrase.

Official documentation

The Nutanix official documentation: https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v6_7:mul-security-cluster-lockdown-pc-t.html


Nutanix has a tool for automating the deployment and life cycle of applications: Nutanix Self-Service (formerly Calm).

I’ll show you how to deploy Nutanix Self-Service on your Nutanix cluster.

Nutanix Self-Service Overview

Self-Service (formerly Calm) streamlines application management, deployment, and scalability across hybrid clouds through self-service, automation, and centralized role-based governance.

Deploy Nutanix Self-Service

To deploy Nutanix Self-Service, you must have a functional Prism Central on your cluster. Indeed, almost all of Nutanix’s complementary building blocks are managed by Prism Central, so don’t look for it on Prism Element.

In the side menu, look for the “Services” section and click on “Calm” (the old name for Nutanix Self-Service):

Deployment is very simple: just click on “Enable App. Orchestration”:

The first box must be checked to be able to deploy Self-Service, the second is optional but highly recommended because it allows access to the online catalog offering a plethora of ready-to-use blueprints.

Once you have made your choice, click on “Save” and wait around ten minutes while Self-Service deploys:

Once deployment is complete, a new Volume Group will be available on your Nutanix cluster:

That’s it, Nutanix Self-Service is deployed and ready to use:


It can happen that the admin account of a Nutanix cluster gets locked after too many authentication failures, so that you can no longer log in.

Most of the time, this is the result of changing the password of the cluster’s admin account while that account is still used by other systems, such as Nutanix Move or HYCU for example.

Here’s how to reset the password for the “admin” account of a cluster.

Remove the “admin” account from routines

To begin with, if you do not want the problem to recur, you must remove the cluster’s “admin” account from the components that can cause this: backup software, a Nutanix component (Move for example), possibly a monitoring tool.

It is important not to use the “admin” account of a cluster to connect a tool to the cluster.

Reset “admin” password

Connect over SSH, with the “root” account, to a CVM of the Nutanix cluster on which the account is locked.

Then enter the following command:

passwd admin

Enter the new password twice; the password is reset.

Unlock the “admin” account

To unlock the “admin” account, enter the following command:

allssh sudo faillock --user admin --reset

The “admin” account is now unlocked.
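Before resetting the lock, it helps to know which system is still trying the old “admin” password, so it can be removed from the routines mentioned above. The following is an added example, not part of the original post: it parses the output of `allssh sudo faillock --user admin` run on a CVM. The sample output is constructed here, and `faillock_sources` is my name.

```shell
# Added example (not from the original post): find the source addresses
# behind the failed "admin" logins so the offending tool (backup, Move,
# monitoring) can be reconfigured before the lock is reset.
# Assumptions: SAMPLE is a constructed copy of what
# `allssh sudo faillock --user admin` prints from two CVMs; the record
# layout is pam_faillock's "When Type Source Valid" table; faillock_sources is mine.
SAMPLE='================== 192.168.2.200 =================
admin:
When                Type  Source                                           Valid
2024-01-10 10:00:01 RHOST 192.168.2.50                                     V
2024-01-10 10:00:31 RHOST 192.168.2.50                                     V
2024-01-10 10:01:02 RHOST 192.168.2.50                                     V
================== 192.168.2.201 =================
admin:
When                Type  Source                                           Valid
2024-01-10 09:58:12 RHOST 192.168.2.77                                     I
2024-01-10 10:00:45 RHOST 192.168.2.50                                     V'

# Prints "count source" for every source with still-valid (V) failures,
# most active source first; invalidated (I) records are ignored because
# they no longer count towards the lock.
faillock_sources() {
  printf '%s\n' "$1" | awk '$3 == "RHOST" && $NF == "V" { n[$4]++ }
       END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}
```

On a live cluster, run `faillock_sources "$(allssh sudo faillock --user admin)"`; the top address is the system still presenting the old password.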


As part of setting up labs on a Nutanix infrastructure, you may be required to deploy a hypervisor (ESXi, Proxmox, Hyper-V, etc.) on the AHV hypervisor (Inception!).

You will then be confronted with this type of error message when installing ESXi for example (the form differs for other hypervisors, but the substance remains the same):

The processor will not be detected as having virtualization capabilities and you will therefore not be able to deploy a hypervisor… But it is possible to bypass this restriction.

Nutanix AHV: bypass processor restriction

I assume that the virtual machine on which you want to deploy a hypervisor is already created.

To bypass the processor restriction, we must connect to one of the CVMs in our cluster and modify our virtual machine with the acli vm.update command and the “cpu_passthrough” parameter:

acli vm.update VM_NAME cpu_passthrough=true

You will get the following message:

nutanix@NTNX-a64e778d-A-CVM:192.168.2.241:~$ acli vm.update VM_NAME cpu_passthrough=true
VM_NAME: pending
VM_NAME: complete

Please note that this command only works if the virtual machine is powered off.

Once the command is applied, you can restart your installation… except for ESXi, which still requires one more subtlety!

Nutanix AHV: change the NIC type to install ESXi

To install a nested ESXi on Nutanix AHV and have it fully functional, you also need to present the network adapters as e1000 model so that ESXi recognizes them.

To do this, with the virtual machine still off, connect to one of the CVMs, and type the following command:

acli vm.nic_create VM_NAME network=NETWORK_NAME model=e1000

Be sure to replace VM_NAME with the name of the virtual machine concerned, and NETWORK_NAME with one of the networks previously created on your Nutanix cluster. You will get the following message:

nutanix@NTNX-a64e778d-A-CVM:192.168.2.241:~$ acli vm.nic_create VM_NAME network=NETWORK_NAME model=e1000
NicCreate: pending
NicCreate: complete

You can now restart the installation of your hypervisor.


To be able to deploy a virtual machine on your Nutanix cluster and have it reachable on your network, you will need to start by configuring the network(s) on your cluster.

Creating a network using Prism Element

Under Prism Element, the “Settings > Network Configuration” menu lists all existing networks on the cluster; click on “Create Subnet”:

Then enter your network information, namely the name and VLAN ID:

If you do not have a DHCP server, you can let Nutanix manage the addressing of the network created using the “Enable IP address management” option:

You will then need to complete all the options that would normally have been delivered by a traditional DHCP server:

Click “Save” once the settings are correct. Repeat for each VLAN you need on your infrastructure.

Creating a network using Prism Central

In Prism Central, network management is carried out in “Network & Security > Subnets”:

To add a new network, click “Create Subnet”:

You then complete a form similar to that of Prism Element, enabling the “IP Address Management” option if you wish to leave the management of your addressing to Nutanix.

Official Nutanix documentation

Link to official documentation: https://portal.nutanix.com/page/documents/solutions/details?targetId=BP-2071-AHV-Networking:bp-ahv-network-management.html


To be able to deploy virtual machines on your cluster, you will need images available to launch your installations; here is the procedure to follow.

Before you start

An image uploaded via Prism Element can be imported to Prism Central. The reverse is not possible.

An image uploaded or imported via Prism Central is visible but not editable on Prism Element.

An image uploaded via Prism Element can only be used by the cluster to which it was uploaded.

An image uploaded via Prism Central can be used by all clusters managed by this Prism Central.

Nutanix provides compatibility with images in the following formats:

  • RAW
  • VHD
  • VHDX
  • VMDK
  • VDI
  • OVA
  • ISO
  • QCOW2

Upload via Prism Element

To upload an image via Prism Element, connect to the web interface using your credentials, then navigate to the “Settings > Image Configuration” menu:

Click Upload Image:

Complete the “Name”, “Image Type”, “Storage Container” fields, select the image you wish to transfer then click on “Save”:

Wait for the transfer to complete and for the cluster to process your image. Its status must be “ACTIVE” for it to be usable:

Upload via Prism Central

The process for transferring an image through Prism Central is essentially identical to that of Prism Element.

Connect to the web interface then navigate to “Compute & Storage > Images” and click on “Add Image”:

Click on “Add File”, select the image you want to transfer, fill in the description then click on “Next”:

On the next screen, select the image placement mode based on your environment. In most cases, the default method “Place image directly on clusters” will do the trick, click “Next”:

Wait while the cluster transfers and processes the image.

Import images from Prism Element to Prism Central

On the image management page on Prism Central, click “Import Images”:

Then select the transfer method that suits you:

“All images” will import all the images from all the clusters managed by Prism Central.

“Images on a cluster” will allow you to select the cluster(s) and source image(s) on a case-by-case basis.

Official Nutanix documentation

Link to official documentation: https://portal.nutanix.com/page/documents/details?targetId=Web-Console-Guide-Prism-v6_7:wc-image-configure-acropolis-wc-t.html
