Tag Archives: vSphere

VMworld 2018 US: HCI1469BU- The Future of vSAN and Hyperconverged Infrastructure

This “HCI Futures” session at VMworld US was hosted by two VPs from the Storage and Availability Business Unit, plus a customer guest. It covered the new features recently added to the vSAN environment with the release of 6.7 Update 1, alongside discussion of the possible future direction of VMware in the Hyper-Converged Infrastructure space. I caught up with the session via the online recording.

HCI is a rapidly growing architecture, with both industry-wide figures from IDC and VMware’s own figures seeing massive spending increases. In the week of this VMworld, the 4-year-old vSAN product is now boasting 15,000 customers. We are told customers are embarking on journeys into the Hybrid Cloud and looking for operational consistency between their On-Premises and Public Cloud environments.

The customer story incorporated into this breakout session was provided by Honeywell. They were an early adopter of vSAN in 2014, starting with the low-risk option of hosting their management cluster on the technology. Since then they have replaced much of their traditional SAN infrastructure and are now boasting 1.7 Petabytes of data on vSAN, with compression and de-duplication giving them savings of nearly 700TB of disk.

VMware is pushing along several paths to enhance the product- the most obvious is including new storage technologies as they become available. All-flash vSAN is now commonplace, with SSDs replacing traditional spinning disk in the capacity tiers. Looking to the future, the session talked of the usage of NVMe and Persistent Memory (PMEM) developments – storage latency becoming significantly less than network latency for the first time. This prompts a move away from the current 2-tier model to one which incorporates “Adaptive Tiering” to make best use of the different storage components available.

In the Public Cloud- in particular the VMware on AWS offering- there have been customers who want to expand storage faster than compute. In the current model this hasn’t been possible due to the fixed-capacity building blocks that HCI is known for. This is being addressed by adding access to Amazon’s Elastic Block Storage (EBS) in 6.7U1 as a storage target for the environment. vSAN Encryption using the Amazon KMS is also included, along with the ability to utilise the Elastic DRS features when using AWS as a DRaaS provider for a vSphere environment.

vSAN is also moving away from its position as “just” the storage for Virtual Machines. Future developments include the introduction of file storage- and the ability to do some advanced data management- classifying, searching, and filtering the data.

With all this data being stored, VMware is looking to enhance the data protection functionality in the platform. Incorporation of native snapshots with replication to secondary storage (and cloud) for DR purposes increases the challenge to “traditional” storage vendors and, although it was played down in this talk, also encroaches further into the backup space, which is populated by a large group of VMware partners.

Cloud Native applications are also being catered for with Kubernetes integration- using application-level hooks to leverage snapshots, replication, encryption, and backups all through the existing vCenter interface.

If you want to watch the recording of this session to get more information it’s available on the VMworld site: https://videos.vmworld.com/searchsite/2018?search=HCI1469BU. To sign up to the vSAN Beta which is covering some of the Data Protection, Cloud Native Storage, and File Services visit http://www.vmware.com/go/vsan-beta

VMworld 2018 US: VIN2992BU- vSphere Client Roadmap

This session at VMworld US 2018 covered the past, present, and some of the future of the VMware vSphere Client. I caught up with the session via the online recording.

vSphere has moved from having a Windows-only desktop client (known as the “C#” or “fat” client), through a flash-based client to the new modern HTML5 client. The fat client is no longer supported by the current vSphere platforms and the Flash client will be deprecated with the “next numbered release” of vSphere- i.e. that version will be the last one to ship with the Flash client and from then on the HTML5 client will be the interface.

vSphere Client Evolution 2016-2018- Slide from VMworld 2018 US: VIN2992BU

The HTML5 client has been around since appearing as a “fling” back in March 2016, becoming part of the supported release in November of that year with vSphere 6.5, and has picked up additional features with each subsequent release. With the new vSphere 6.7 Update 1 release this is now fully functional.

New features in 6.5U1 to round off this functionality include the integration of VMware Update Manager (VUM) and Platform Services Controller (PSC) management. There are improvements around the creation workflow for alarm definitions, and for the implementation of vCenter High Availability (VCHA).

Also new are improvements to the search, including filtering. The presenters discussed how the traditional tree-view used in the client could make it difficult to locate one of 35,000 VMs and a more targeted search was a better approach. There wasn’t a huge amount of discussion of prospective future developments in the clients in this talk, but one of the items mentioned was the interest in integrating natural language searching in a future release.

The HTML5 client fling is still available, and can be used by vCenters running versions 6.0 or 6.5, but not 6.7. At the date the slides were made there had been 70,000 deployments of this fling and it had featured 70 update releases in the 2 years it has been available.

There was some information given about the feedback options in use- notably the use of the CEIP program to collect usage analytics from admins who have signed up to the scheme. This anonymised data is being used by VMware to drive future developments and prioritise features.

Around 30 minutes into the presentation the sound drifts off for about 5 minutes as there is a discussion with members of the audience. As a tip- always try and give the audience microphones or at least repeat their question for the recordings.

If you’re watching the recording then stick around as the final section covered the modern plugin framework which allows 3rd party developers (your backup, storage vendors etc.) to produce JavaScript-based plugins for the HTML5 client. VMware is offering a certification for these plugins to ensure compliance and the new plugin architecture allows vendors to deploy new versions outside of vSphere’s own release lifecycle.

If you want to watch the recording of this session to get more information it’s available on the VMworld site: https://videos.vmworld.com/searchsite/2018?search=VIN2992BU

Email Alerts not sending in vCenter 6.5

Symptoms

  • vCenter (in my case VCSA 6.5) is not sending alert emails even though the mail server appears to be configured properly (in the vSphere Web Client this is on the vCenter node under Configure, Settings, General).
  • Network connectivity between vCenter and port 25 on the SMTP server is fine and has been tested.
  • The logs on the SMTP server show no evidence of emails being sent.
  • When connecting via SSH to the vCenter Server Appliance the sendmail logs are showing errors such as:
    cat /var/log/messages | grep sendmail

    2018-07-14T04:24:46.569978+00:00 my-vc sendmail[21502]: ……: [email protected], [email protected] (0/0),
      delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30528, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0,
      stat=Deferred: Connection refused by [127.0.0.1]

Cause

The “Connection refused by [127.0.0.1]” in the logs is the giveaway here- the settings in the client have not been applied to the sendmail service and vCenter is trying to connect to the localhost as the SMTP server.

Solution

Go to the client and reconfigure the mail server to point at something else (it doesn’t have to be a real hostname). Then change it back to the correct settings. Normal alerts will be resumed automatically straight away. You can test if it works by temporarily adding an additional trigger with a very low threshold to an existing alert with notification action.

vCenter Mail Settings in vSphere Web Client

Thanks to vExpert Laurens van Duijin for sending me down the right path with this issue.

Find VMs being replicated to a datastore with Get-VmdkFolders

I’m using vSphere Replication to replicate a number of VMs to a datastore which is being decommissioned. I can’t reconfigure replication by code (I’ve mentioned that there’s no public API or PowerCLI around the vSphere Replication functionality in vSphere 6.5 before- most recently on Twitter) and I can’t multi-select VMs in the vSphere Web Client and reconfigure en masse through the GUI.

There’s also no way of telling which VMs are being replicated to this datastore without going into the reconfigure dialogues for each one individually. That’s a lot of clicking before even starting to update the configuration.

I’ve put together a PowerCLI function that takes a little of this pain away by establishing which folders on a given datastore contain VMDK files. I’ve already migrated any Virtual Machines off so any remaining VMDKs on the volume should be associated with a replication process. Additionally in this case the default folder name was used when setting up the replication so all the folder names correspond to a VM.

The function is called “Get-VmdkFolders” (as there’s potentially other uses for it) and is available on GitHub here. With this I now have a list of VMs that need manually reconfiguring.

PS C:\> Get-VmdkFolders "MyReplicationDatastore"
MyVM1
MyVM2
MyVM3
MyVM5
MyVM7

 

vSphere Encryption- Knowing your limits

I’ve been running a Proof of Concept system for vSphere Encryption using vSphere 6.5u1 and a HyTrust KeyControl 4.0 KMS cluster. This has been very straightforward to implement and use and there’s plenty of documentation out there on how to do so, but in this post I’ll be highlighting some of the limitations. A few of these are things you can’t do that you may currently do day-to-day with normal VMs but there’s usually a sound technical reason why it’s not possible to do so with an encrypted VM.

Encrypting and Decrypting

The power state of a VM limits some encryption processes. For example, a powered-on virtual machine cannot be encrypted or decrypted. This example shows what happens when PowerCLI (with the encryption module described here) is used to decrypt a running VM:

PS C:\> Get-VM -Name "KMSTest6" | Disable-VMEncryption
Disable-VMEncryption : The VM can only be decrypted when powered off,
 but the current power state of KMSTest6 is PoweredOn!

The encryption can be changed (a re-key operation), possibly to a different KMS server- however whilst a “Shallow Re-key” operation where the key is re-encrypted is fine, the “Deep Re-key” where the disk itself is re-encrypted with the new key is not possible when the VM is powered on.

Snapshots and Clones

Similarly, a snapshot including memory of a running VM is not possible. It is possible to snapshot a powered off VM, or a running VM without the memory state (which creates a powered-off snapshot), but not to include the memory. This makes sense: the VM Encryption process runs as the hypervisor writes to disk, so memory would be outside this process and could reveal unencrypted data in the snapshot.

It’s also not possible to decrypt or encrypt a VM with snapshots:

PS C:\> Get-VM -Name "KMSTest5" | Enable-VMEncryption
Enable-VMEncryption : KMSTest5 has snapshots,
 please remove all snapshots and try again!

You can however clone an encrypted VM- the resulting clone is also encrypted and uses the same keys. vMotion also works as expected.

Replication

vSphere Replication does not work with encrypted VMs. Replication can be configured but will fail when it tries to sync.

Licensing

In most environments where vSphere Encryption is in use, the hosts will probably be all licensed with Enterprise Plus (see the license comparison table). However, if you are running a mixture of licenses (including any regular non-plus Enterprise licenses) the limitations of those licenses come into play. It’s not possible to turn on encryption on a VM allocated to a host with anything but a full Enterprise-Plus license.

Any hosts with Standard, or the no longer available to purchase Enterprise licenses will not allow their VMs to be encrypted- or for encrypted VMs to be migrated onto them. Additionally if you have one or more of these “inferior” hosts in a cluster you will not be able to power on an encrypted machine in that cluster- even if other hosts are licensed to Enterprise Plus.

Disks

There’s lots of flexibility down at the disk level. You can use different keys (or even KMS Clusters) for different virtual hard disks (i.e. each .vmdk has a different key) and you can take an encrypted disk and attach it to another VM. The limitation here is you cannot attach an encrypted virtual hard disk to an unencrypted VM- this again makes sense as the key information in the configuration would then be in the clear.

Summary

The encryption model introduced in vSphere 6.5 is a very useful feature and straightforward to implement; however, consideration needs to be given to the continuing activities surrounding virtual machines post-encryption to ensure that operational processes are still valid.
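
The limits covered in this post (power state, snapshots, licensing and replication) can be collected into one pre-flight check that is run before an encryption change is attempted. This is an added example, not the author's code and not part of the PowerCLI encryption module: the function name Test-VMEncryptionReadiness, the record fields and the edition strings are assumptions, and the sample records are constructed.

```powershell
# Added example: checks the limits described in this post before an
# encryption change. Works on plain records, so it runs without vCenter.
function Test-VMEncryptionReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$VM,
        [ValidateSet('Encrypt', 'Decrypt', 'DeepRekey')] [string]$Operation = 'Encrypt'
    )
    process {
        $blockers = @(); $warnings = @()
        # Encrypt, decrypt and deep re-key all need the VM powered off.
        if ($VM.PowerState -ne 'PoweredOff') {
            $blockers += "Power state is $($VM.PowerState); must be PoweredOff"
        }
        # Encrypt and decrypt are refused while snapshots exist.
        if ($Operation -ne 'DeepRekey' -and $VM.SnapshotCount -gt 0) {
            $blockers += "$($VM.SnapshotCount) snapshot(s) must be removed"
        }
        if ($Operation -eq 'Encrypt') {
            # One host below Enterprise Plus stops encrypted VMs powering on in the cluster.
            $low = @($VM.ClusterHostEditions | Where-Object { $_ -ne 'Enterprise Plus' })
            if ($low.Count -gt 0) {
                $blockers += "$($low.Count) cluster host(s) not licensed for Enterprise Plus"
            }
            # Replication can still be configured but fails at sync time.
            if ($VM.Replicated) {
                $warnings += 'vSphere Replication sync will fail once the VM is encrypted'
            }
        }
        [pscustomobject]@{
            VM = $VM.Name; Operation = $Operation
            Ready = ($blockers.Count -eq 0); Blockers = $blockers; Warnings = $warnings
        }
    }
}

# Constructed sample records (not real inventory). With PowerCLI, Name, PowerState and
# SnapshotCount could be filled from Get-VM and Get-Snapshot; edition strings are assumed labels.
$sample = @(
    [pscustomobject]@{ Name = 'KMSTest5'; PowerState = 'PoweredOff'; SnapshotCount = 2
        Replicated = $false; ClusterHostEditions = @('Enterprise Plus', 'Enterprise Plus') }
    [pscustomobject]@{ Name = 'KMSTest6'; PowerState = 'PoweredOn'; SnapshotCount = 0
        Replicated = $true; ClusterHostEditions = @('Enterprise Plus', 'Standard') }
    [pscustomobject]@{ Name = 'ExampleVM'; PowerState = 'PoweredOff'; SnapshotCount = 0
        Replicated = $false; ClusterHostEditions = @('Enterprise Plus') }
)
$sample | Test-VMEncryptionReadiness -Operation Encrypt | Format-List
```

Only the last record comes back with Ready set to True; the other two list each limit that would stop the change.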