Continued Enhancements in vSphere 6.7

vSphere 6.7 is finally upon us. It should not be a surprise that vSphere is focused on more efficient manageability, especially at scale, and increased security. These design qualities have become paramount as VMware continues to partner with public cloud vendors (AWS, Microsoft Azure) to deliver “hybrid” offerings and as more edge sites are added into the data center’s purview.

Nearly everything in the vSphere suite has gotten a minor facelift for this new release. The one upgrade consideration that caught my eye:

It is not supported to upgrade from vSphere 5.5 to vSphere 6.7. This introduces a multi-step upgrade path.

Additionally, upgrading from 6.5u2 is not currently support but will be added in future releases of 6.7.x so watch for that if it affects you. Refer to my previous blog post about architecting upgrades.

vCenter Server Appliance (vCSA)

I have long been a fan of the vCSA since its initial announcement in 5.0. I thought that combining the app and OS, putting it in VMware’s control could increase security and lead to quicker updates and innovations. Unfortunately, while consulting I found that many customers misunderstood the architecture introduced in 6.x (PSC and vCSA), which led to more confusion than upgrades.

Therefore, the road led has led to 6.7 where VMware has simplified the vCenter Server topology by now supporting vCenter Server with an embedded platform services controller running in enhanced linked mode (ELM). ELM allows customers to link multiple vCenter Servers together for increased visibility aka ‘single pane of glass’ (drink!). This change allows this architectural design decision without the complexity of external PSCs or load balancers.

vCSA

For the rest of the vCenter goodness, check out Emad Younis’ post about the rest of the vCSA enhancements.

Increased Security

In a world where cybersecurity is allocated billions of dollars of the Federal budget and ransomware attacks are commonplace, it only makes sense for companies like VMware to invest in increasing security capabilities. The heart of the vSphere platform is ESXi, therefore it makes sense to start there.

Support for Trusted Platform Module (TPM) 2.0 and the introduction of Virtual TPM 2.0 has been added with vSphere 6.7. If you are unfamiliar with TPM, it enables ESXi to verify drivers/boot components, effectively validating its image during the boot process. It measures the VMkernel with its Platform Configuration Modules to make sure the image is still authentic and hasn’t been changed.

Additionally, VM Encryption has been enhanced to make assignment of this policy a simple right-click. Moreover, encrypted vMotion for cross-vCenter migrations (including versions) addresses the age old security concern about data being migrated in clear-text.

Lastly, VMware has announced support for the entire Microsoft Virtualization Based Security portfolio. I am very interested to see how this plays out, especially as it pertains to NSX.

vSAN 6.7

It is no secret that I find storage enhancement announcements to be jejune. However, I concede that it is important to consistently improve performance, consistency, and usability.

These days, I am more interested in using APIs to interact with software. But I do believe that a simple and performant user interface is necessary in 2018. I am happy to see that vSAN has a new HTML5 UI built on the same “Clarity” framework used by other VMware products.

When vSAN iSCSI services were previously announced, I wondered when Windows Server Failover Clusters (WSFC) would be supported. That day is today. This adds to the already existing support for SQL AAG, Exchange DAG, and Oracle RAC. For organizations with WSFC servers in a physical or virtual configuration, vSAN 6.7 supports shared target storage locations when storage targets are exposed using the vSAN iSCSI service.

You can find more information about vSAN 6.7 by checking out Anthony Spiteri’s blog post.

Architecting a vSphere Upgrade

At the time of writing, there are 197 days left before vSphere 5.5 is end of life and no longer supported. I am currently in the middle of an architecture project at work and was reminded of the importance of upgrading — not just for the coolest new features, but for the business value in doing so.

giphy

Last year at VMworld, I had the pleasure of presenting a session with the indomitable Melissa Palmer entitled “Upgrading to vSphere 6.5 – the VCDX Way.” We approached the question of upgrading by using architectural principles rather than clicking ‘next’ all willy-nilly.

Planning Your Upgrade

When it comes to business justification, simply saying “it’s awesome” or “latest and greatest” simply does not cut it.

Better justification is:

  • Extended lifecycle
  • Compatibility (must upgrade to ESXi 6.5 for VSAN 6.5+)
  • vCenter Server HA to ensure RTO is met for all infrastructure components
  • VM encryption to meet XYZ compliance

It is important to approach the challenge of a large-scale upgrade using a distinct methodology. Every architect has their own take on methodology, it is unique and personal to the individual but it should be repeatable. I recommend planning the upgrade project end-to-end before beginning the implementation. That includes an initial assessment (to determine new business requirements and compliance to existing requirements) as well as a post-upgrade validation (to ensure functionality and that all requirements are being met).

There are many ways to achieve a current state analysis, such as using vRealize Operations Manager, the vSphere Optimization Assessment, VMware {code} vCheck for vSphere, etc.

I tend to work through any design by walking through the conceptual model, logical design, and then physical. If you are unfamiliar with these concepts, please take a look at this post.

An example to demonstrate:

  • Conceptual –
    • Requirement: All virtual infrastructure components should be highly available.
  • Logical –
    • Design Decision: Management should be separate from production workloads.
  • Physical –
    • Design Decision: vCenter Server HA will be used and exist within the Management cluster.

However, keep in mind that this is not a journey that you may embark on solo. It is important to include members of various teams, such as networking, storage, security, etc.

Future State Design

It is important to use the current state analysis to identify the flaws in the current design or improvements that may be made. How can upgrading allow you to solve these problems? Consider the design and use of new features or products. Not every single new feature will be applicable to your current infrastructure. Keep in mind that everything is a trade off – improving security may lead to a decrease in availability or manageability.

When is it time to re-architect the infrastructure versus re-hosting?

  • Re-host – to move from one infrastructure platform to another
  • Re-architect – to redesign, make fundamental design changes

Re-hosting is effectively “lifting-and-shifting” your VMs to a newer vSphere version. I tend to lean toward re-architecting as I view upgrades as an opportunity to revisit the architecture and make improvements. I have often found myself working in a data center and wondering “why the hell did someone design and implement storage/networking/etc. that way?” Upgrades can be the time to fix it. This option may prove to be more expensive, but, it can also be the most beneficial. Now is a good time to examine the operational cost of continuing with old architectures.

Ensure to determine key success criteria before beginning the upgrade process. Doing a proof of concept for new features may prove business value. For example, if you have a test or dev cluster, perhaps upgrade it to the newest version and demo using whatever new feature to determine relevance and functionality.

Example Upgrade Plans

Rather than rehashing examples of upgrading, embedded is a copy of our slides from VMworld which contain two examples of upgrading:

  • Upgrading from vSphere 5.5 to vSphere 6.5 with NSX, vRA, and vROPs
  • Upgrading from vSphere 6.0 to vSphere 6.5 with VSAN and Horizon

These are intended to be examples to guide you through a methodology rather than something that should be copied exactly.

Happy upgrading!

macOS VCSA Installer “ovftool” Error

I recently ran into an issue with the vCenter Server Appliance (VCSA) 6.5 installer. When I proceeded to Step 5, “Set up appliance VM” I received the error:

“A problem occurred while reading the OVF file…Error: ovftool is not available.”

Screen Shot 2016-12-19 at 5.00.22 PM.png

After some research, it turns out that macOS Sierra (10.12.x) is not supported and, of course, that is the operating system of my laptop. I found a blog post from Emad Younis that outlines two possible options for working around this error.

I tried both options. Option 1 did not work for me, but Option 2 did. I’d like to take a minute and demonstrate step-by-step what I did to proceed with the VCSA deployment.

On the deployment wizard error, I selected Installer log.

Screen Shot 2016-12-19 at 5.00.22 PM copy.png

Quickly read through the log and find the error regarding the ovftoolCmd, it will state the directory that the installer is searching for the tool set. Copy that directory, sans /vcsa/ovftool/mac/ovftool.

Screen Shot 2016-12-19 at 5.01.03 PM.png

Launch the Terminal utility and type the open command for Finder to open that directory.

asdfasdf.png

For example:

open /private/var/folders/j8/ttwss5yx6cqf0flb5lrj_hww0000gn/T/AppTranslocation/

As mentioned before, leave off everything from /vcsa/ and on.

When that directory opens in Finder, you’ll notice that is it empty…therein lies the problem!

empty.png

Copy the vcsa folder into this directory.

vcsa.png

Once the vcsa folder has successfully copied, you should be able to go back to the macOS installer, press Back, and then hit Next to go back to Step 5.

Screen Shot 2016-12-19 at 5.04.47 PM.png

You should now be able to select the deployment size options and successfully proceed with the VCSA deployment.

2016 takes a leap…a leap second

As if 2016 weren’t bad enough…this year is going to be slightly longer than normal. New Year’s Eve will be one second longer in 2016 to adjust for the shifting rotation of the Earth.

giphy-2

leap second is a one-second adjustment that is sometimes applied to Coordinated Universal Time (UTC) in order to keep its time of day close to the mean solar time, or UT1.

This leap second has the potential to cause chaos for IT systems that cannot deal with a 61-second minute. Websites such as Reddit, Yelp, LinkedIn have previously experienced outages for a period of time due to the leap second in 2012.

Most VMware products are unaffected by this time change that will occur this weekend However, some products are affected. Please see KB 2147498 for more information.

For those VMware products affected, the common work-around is to enabled Slew Mode for NTP. For more information see KB 2121016.

VCAP6-DCV Deploy (Beta)

I had the opportunity to take the VCAP6-DCV Deploy (Beta) exam last week.

The beta is still ongoing and costs $100 (regularly $400). A few notes:

It’s HOL based (HTML5 rather than RDP) so performance has improved quite a bit. But as expected, the vSphere Web Client is still quite laggy. The vSphere Client is still available, though some tasks must be completed through the vSphere Web Client.

Another improvement is that you can see the lab console and the instructions at the same time. But this posed a major issue with the screen resolution, in particular being able to see all of the vSphere Web Client.

CTRL and ALT are disabled, which you are warned about at the beginning of the exam. However, the exam does not warn you that the backspace key is also disabled. This irked me to no end throughout the test and slowed me down quite a bit when I was doing command line. (I don’t normally use the arrow key and then delete)

Copy and Paste does not work in the vSphere Web Client (another thing you are not warned about), only in the vSphere Client, PuTTY and Notepad++.

There are 27 questions, and the exam is 4 hours long. Ensure to pace yourself. If you get up to use the restroom mid-exam, the time will keep ticking down.

The content was decent, it stayed on track with the exam blueprint. I didn’t feel as rushed for time as with previous versions of the VCAP-DCA exam.

Here are a few other blogs that discuss the beta exam experience:

http://davidstamen.com/certification/my-vcap6-dcv-deploy-beta-experience/

https://sites.google.com/site/arielsanchezmora/home/study-guides/vcap6-dcv-deploy-beta

http://www.thomgreene.com/blog/2016/6/25/strategy-going-into-the-vcap6-dcv-deploy

Book Review – “Mastering VMware vSphere Storage”

For a book titled “Master VMware vSphere Storage,” about 1/3 of the book is spent discussing other topics. Storage does not get directly discussed until 88 pages in and begins by discussing storage APIs. I can understand giving a brief overview of vSphere but a majority of the review should be focused on the storage protocols and storage architecture rather than beginning with storage APIs and storage profiles. Once the book finally delves into configuring, optimizing, and troubleshooting storage, it does a good job covering the topics…though out of order at times (i.e. discusses optimizing before how to configure storage). Many great screenshots and diagrams demonstrating the points of discussion. However, for a book written for vSphere 5.1 / 5.5, there are quite a few screenshots from the vSphere Client rather than the vSphere Web Client. Overall 3/5.

 

You can find the book here.