vSphere ESXi Service / Daemon – LBTD

 

To be honest, when I was engaging with one of my clients and he asked me what LBTD in ESXi is, as they need to understand it as part of the hardening process, it dawned on me that I see this daemon every day in Security Profile but never questioned what exactly it is. No matter; in the spirit of seeking understanding of technology, I searched the Net and was seriously surprised that there is not much information about this. Nothing publicly available, or even a mention of it! This raised my curiosity even more. What exactly is this daemon used for?

A further search landed me on this site: http://virtalicious.blogspot.sg/2010/10/undocumented-esxi-41-features.html

It’s mentioned that this daemon is called Load Balanced Teaming Daemon. Wow, so is this the LBT daemon responsible for the Load Balance Team policy (LBT) in Distributed vSwitch?! This brings me to another question: if I disable this daemon from starting during host startup, will this stop DvS from using this protocol? Another question is whether this is really the LBT daemon in the first place. Not that I’m doubting, but there must be some form of evidence, right?

First step: I went into one of my ESXi whiteboxes and searched for this daemon under /etc/init.d. True enough, it’s there, and I took a look at the script that starts it:

[Image: lbtd-01]

Taking a closer look, it’s monitored by the watchdog within ESXi and linked to net-lbt itself. In case you are wondering what watchdog.sh does, it basically monitors the running services/daemons and respawns them when they stop responding. Looking further into the script, it seems to only watch net-lbt and does not seem to do much else. So the next few questions came to mind:

  1. Since this has something to do with LBT, if I disable this daemon, would it stop DvS or LBT from working? (From the script it does not seem to be so)
  2. If this has something to do with net-lbt, is net-lbt also related to anything on standard vSwitches?
  3. If it’s only related to DvS, will stopping this daemon (using /etc/init.d/lbtd stop ; or stopping lbtd in Security Profile) cause DvS or related components to fail?

Let’s put up a few test cases on this!

 

Test Case 1: To test if the creation of standard vSwitch will depend/trigger net-lbt

Settings on ESXi: lbtd daemon is stopped and set as Start/Stop manually with host

Steps

  • Set LBTD daemon to “Start/Stop manually with host” in Security Profile (it’s set to Start/Stop with host by default)
  • Reboot and check if daemon is not running
  • Open an SSH session or enable the ESXi console, type the command net-lbt -v and keep it running
  • Create a standard vSwitch with 2 pNICs and watch for any output in the session from the previous step.

Expected Result
There shouldn’t be any dependency at all. No output from command net-lbt -v

Actual Results
No status shown on net-lbt -v. No dependency at all

 

Test Case 2: To test if changing of load balancing policies on standard vSwitch will affect net-lbt

Settings on ESXi: lbtd daemon is stopped and set as Start/Stop manually with host

Steps

  • Set LBTD daemon to “Start/Stop manually with host” in Security Profile (it’s set to Start/Stop with host by default)
  • Reboot and check if daemon is not running
  • Open an SSH session or enable the ESXi console, type the command net-lbt -v and keep it running
  • Using the previously created standard vSwitch, change the Load Balancing settings in the Teaming section for all 4 load balancing policies.

Expected Result
There shouldn’t be any dependency at all. No output from command net-lbt -v

Actual Results
No status shown on net-lbt -v. No dependency at all

 

Test Case 3: To test if the creation of Distributed vSwitch will depend/trigger net-lbt

Settings on ESXi: lbtd daemon is stopped and set as Start/Stop manually with host

Steps

  • Set LBTD daemon to “Start/Stop manually with host” in Security Profile (it’s set to Start/Stop with host by default)
  • Reboot and check if daemon is not running
  • Open an SSH session or enable the ESXi console, type the command net-lbt -v and keep it running
  • Create a Distributed vSwitch with 2 pNICs and watch for any output in the session from the previous step.

Expected Result
There might be a chance that net-lbt will trigger if it’s not just a protocol enablement daemon. In fact, if LBT is bundled as part of DvS, the LBT daemon should be ready to serve when the DvS is created.

Actual Results
Yes, net-lbt -v returns with the status below

[Image: lbtd-02]

 

Test Case 4: To test if stopping the lbtd daemon either using /etc/init.d/lbtd stop or stopping the daemon in Security Profile will kill the net-lbt process.

Settings on ESXi: lbtd daemon is stopped and set as Start/Stop manually with host

Steps

  • The LBTD daemon should be in a running state from the previous test
  • Open an SSH session or enable the ESXi console, type the command net-lbt -v and keep it running
  • Stop the lbtd service in Security Profile, or run the command /etc/init.d/lbtd stop in the ESXi console or a separate SSH session

Expected Result
On the robustness side of things, I don’t think the process will be killed especially if there is a dependency on the newly created DvS.

Actual Results
Yes, the process is not killed, and both the status from /etc/init.d/net-lbt and Security Profile show that it’s running even after stopping it.

 

Caveats

However, there is a caveat. Through my testing, I realised that keeping the lbtd daemon on the “Start/Stop manually with host” setting does not trigger the daemon to turn on during startup.

 

Conclusion

If you need to use DvS, please ensure that the lbtd daemon stays on during boot; otherwise you should be able to turn it off if you are concerned about security. Even so, with your management network segment isolated, would you be concerned about this daemon being started at boot time? Ultimately it’s a decision to be made depending on your environment.

 

Useful commands

  • net-lbt -v (to check LBT status in verbose mode)
  • chkconfig --list (to check whether your daemon is supposed to be turned on at boot time)
  • /etc/init.d/<daemon> (as usual, your start/stop command for daemons)
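
The conclusion and caveat above can be turned into a small audit check. This is an added example, not part of the original post or any VMware tooling: the function names are made up for illustration, the sample input is constructed, and it assumes chkconfig --list prints each service name followed by on or off.

```shell
#!/bin/sh
# Added example: classify a host's lbtd posture from text captured on the host.
# Assumption: `chkconfig --list` prints one "<service> <on|off>" pair per line.

# Read chkconfig --list output on stdin; print on, off, or absent for lbtd.
lbtd_boot_state() {
    awk '$1 == "lbtd" { print $2; found = 1 }
         END { if (!found) print "absent" }'
}

# Read ps output on stdin; print yes if any field is exactly "net-lbt".
# The exact field match avoids counting this filter's own command line.
net_lbt_running() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "net-lbt") hit = 1 }
         END { print (hit ? "yes" : "no") }'
}

# lbtd_finding <boot_state> <running: yes|no> <uses_dvs: yes|no>
# uses_dvs is supplied by the operator, who knows whether the host is on a DvS.
lbtd_finding() {
    case "$1:$2:$3" in
        on:*:yes)   echo "OK: DvS host, lbtd starts at boot" ;;
        off:*:yes)  echo "FIX: DvS host, lbtd will not start at boot" ;;
        on:*:no)    echo "REVIEW: no DvS, lbtd starts at boot and can be disabled" ;;
        off:yes:no) echo "REVIEW: no DvS, lbtd off at boot but net-lbt still running" ;;
        off:no:no)  echo "OK: no DvS, lbtd off at boot and not running" ;;
        *)          echo "UNKNOWN: lbtd not listed or bad input" ;;
    esac
}

# Constructed sample input (not captured from a real host).
SAMPLE_CHKCONFIG='ntpd                    off
lbtd                    off'
SAMPLE_PS='1001 1001 hostd
1002 1002 net-lbt'

boot=$(printf '%s\n' "$SAMPLE_CHKCONFIG" | lbtd_boot_state)
run=$(printf '%s\n' "$SAMPLE_PS" | net_lbt_running)
lbtd_finding "$boot" "$run" yes
```

On a host, pipe the real output in instead of the samples, for example chkconfig --list | lbtd_boot_state.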

 
