
Yellow Bricks

by Duncan Epping


cloud

vShield App broke down on the host that is running vCenter now what?

Duncan Epping · Nov 15, 2011 ·

I was playing around with vShield App and I locked out my vCenter VM which happened to be hosted on the cluster which was protected by vShield App. Yes I know that it is not recommended, but I have a limited amount of compute resources in my lab and I can’t spare a full server just for vCenter so I figured I would try it anyway and by breaking stuff I learn a lot more.

I wanted to know what happened when my vShield App virtual machine would fail. So I killed it and of course I couldn’t reach vCenter anymore. The reason for this is that a so-called dvfilter is used. The dvfilter basically captures the traffic, sends it to the vShield App VM which inspects it and then sends it to the VM (or not depending on the rules). As I killed my vShield App VM there was no way it would work. If I would have had my vCenter available I would just vMotion the VMs to another host and the problem would be solved, but it was my vCenter which was impacted by this issue. Before I started digging myself I did a quick google and I noticed this post by vTexan. He had locked himself out by creating strict rules, but my scenario was different. What were my options?

Well there are multiple options of course:

  1. Move the VM to an unprotected host
  2. Disarm the VM
  3. Uninstall vShield

As I did not have an unprotected host in my cluster and did not want to uninstall vShield I had only 1 option left. I figured it couldn’t be too difficult and it actually wasn’t:

  1. Connect your vSphere Client to the ESXi host which is running vCenter
  2. Power Off the vCenter VM
  3. Right click the vCenter VM and go to “Edit Settings”
  4. Go to the Options tab and click General under Advanced
  5. Click Configuration Parameters
  6. Look for the “ethernet0.filter0” entries and remove both values
  7. Click Ok, Ok and power on your vCenter VM

As soon as your vCenter VM is booted you should have access to vCenter again. Isn’t that cool? What would happen if your vShield App would return? Would this vCenter VM be left unprotected? No it wouldn’t, vShield App would actually notice it is not protected and add the correct filter details again so that the vCenter VM will be protected. If you want to speed this process up you could of course also vMotion the VM to a host which is protected. Now keep in mind that while you do the vMotion it will insert the filter again which could cause the vCenter VM to disconnect. In all my tests so far it would reconnect at some point, but that is no guarantee of course.
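To confirm which vNICs are currently steered through a dvfilter (for example before and after vShield App re-adds its entries), you can audit a copy of the VM's .vmx file. This is an added example, not code from the original post; the sample .vmx text, the filter name and the uuid value are constructed, and the check relies only on the `ethernetN.filterM` key prefix mentioned in the steps above.

```python
import re

# Constructed .vmx fragment; the filter name and uuid values are made up.
SAMPLE_VMX = '''\
displayName = "vcenter01"
ethernet0.present = "TRUE"
ethernet0.networkName = "VM Network"
ethernet0.filter0.name = "example-dvfilter"
ethernet0.filter0.param1 = "uuid=constructed-0000"
ethernet1.present = "TRUE"
ethernet2.present = "FALSE"
'''

LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
NIC_RE = re.compile(r'^(ethernet\d+)\.(.+)$', re.IGNORECASE)
FILTER_RE = re.compile(r'^filter\d+(\.|$)', re.IGNORECASE)


def parse_vmx(text):
    """Parse key = "value" lines; comments and malformed lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_nic_filters(text):
    """Map each present vNIC to the list of filter keys configured on it."""
    cfg = parse_vmx(text)
    nics = {}
    for key, value in cfg.items():
        m = NIC_RE.match(key)
        if m and m.group(2).lower() == "present" and value.upper() == "TRUE":
            nics[m.group(1).lower()] = []
    for key in cfg:
        m = NIC_RE.match(key)
        if m and m.group(1).lower() in nics and FILTER_RE.match(m.group(2)):
            nics[m.group(1).lower()].append(key)
    return nics


def unfiltered_nics(text):
    """Present vNICs with no filter entries, i.e. not steered through a dvfilter."""
    return sorted(n for n, keys in audit_nic_filters(text).items() if not keys)


if __name__ == "__main__":
    print(unfiltered_nics(SAMPLE_VMX))
```

A vNIC that stays in the unfiltered list after vShield App is back online is one to investigate.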

Tomorrow I am going to apply a security policy which will lock out my vCenter Server and try to recover from that… I’ll keep you posted.

** Disclaimer: This is for educational purposes, please don’t try this at home… **

vSphere Storage Appliance – Why I think it is cool

Duncan Epping · Sep 19, 2011 ·

While doing some workshops and presentations for some of our partners and customers one of the comments I usually hear when discussing the vSphere Storage Appliance is “Why not just buy a cheap NAS device”? Well there are a couple of arguments:

  • Support, many lower end cheap devices are not on the HCL
  • Management, most storage devices require specific knowledge and can be difficult to setup
  • Resiliency, yes resiliency..

Resiliency is what I want to expand on. I like the vSphere Storage Appliance because of the resilience it offers. Many lower end storage devices have a single storage processor and some even a single power-supply but that is different for the VSA. Let’s assume you have a 3 node cluster with each of these three serving up their local storage. What will it look like?

I hope this image is clear but what we see above is a three node cluster. Each node holds 2 volumes. One “active” volume and a Replica volume. Now the Replica volume is where the resiliency comes into play. If one of the nodes would fail one of the other nodes, depending on which holds the replica, picks up! Yes indeed the VSA volumes are RAID-1 and the failure is literally detected in seconds. Note that this is a synchronous technique, so an acknowledgement is required from both the active and replica of the datastore.

In my example above when ESXi-1 (on the left) would fail then ESXi-2 (middle) would pick up as it is holding the replica. Note that this is a seamless fail-over if the VM is running on a node other than ESXi-1. The amount of time it takes for the fail-over to occur is literally seconds and the replica will be available through the same ip-address. If the VM happened to be running on ESXi-1 then vSphere HA would restart that virtual machine as in any other scenario.

This video demos what it looks like when a host fails:

For more details on the VSA I would like to recommend the following articles by Cormac Hogan:

  • http://blogs.vmware.com/vsphere/2011/08/new-enhanced-vsphere-50-storage-features-part-4-vsphere-storage-appliance.html
  • http://blogs.vmware.com/vsphere/2011/08/vsphere-storage-appliance-vsa-useful-links.html
  • http://blogs.vmware.com/vsphere/2011/08/vsphere-storage-appliance-part-2-resilience.html
  • http://blogs.vmware.com/vsphere/2011/08/vsphere-storage-appliance-vsa-installed-configured-in-10-minutes.html

VMworld – Day 2

Duncan Epping · Aug 31, 2011 ·

VMworld Day 2 started off with a great keynote by no one less than Dr Steve Herrod. Steve spoke about all the changes we introduced with the launch of the Cloud Infrastructure Suite and all the changes which are coming up… including sneak peeks of unreleased products. I live blogged the session and I don’t want to blog just to blog, so for more details read it here. There are a couple of things though I want to stress which in my opinion stood out:

  • VMware Appblast –> New project which allows you to start any app in a HTML5 compatible browser on any device.
  • VXLAN –> Provides a Layer 2 abstraction to virtual machines, independent of where they are located. (quote from Steve’s article)
  • VMware Octopus –> Probably best described as an enterprise level “Dropbox” service

After the keynote I headed over to the VMware Storage Booth and introduced many attendees to the cool new storage features which are part of vSphere 5. There were a couple of things which stood out for me, everyone loved Storage DRS! Profile-Driven Storage is hot and the changes in VMFS-5 were very very welcome.

Next stop was the infamous #VSP1425 aka “Ask the Expert vBloggers”. We had roughly 200 attendees. The panel was formed as follows: Scott Lowe, Frank Denneman, Chad Sakac and I. It was moderated by Rick Scherer (Thanks for buzzing out Chad :-)) and as we had an empty seat we decided to pull up a person from the audience… I forgot the name of this person (please identify yourself), but once again thanks for joining this session and thanks for your great contribution, much appreciated! This session did extremely well in my opinion. We had great questions from the audience but especially the interaction between the panel members worked great. Definitely something we will do again next year. (We scored 4.8 out of 5 on the survey.)

Next up was a meeting with Tintri. We met up with Kieran Harty and Pratik Wadher and got a demo of the current platform and discussed futures. I already discussed their product in-depth on my blog so I will not repeat our whole discussion or my thoughts. I just want to add that I was impressed by their UI now that we got to play around with it and I expect them to do really well in Europe due to the simplicity of the set up.

After having random chats with other vendors we (when I say we I mean Frank and I) headed over to my Group Discussion (#GD43). Now this was the first Group Discussion I ever hosted… I LOVED IT! This is the best format for a session and can I say thanks to Richard Garsthagen who came up with this excellent concept! I had prepared a couple of slides with questions around VMware Clustering solutions. These questions formed the basis of the discussion. The participation of the audience was excellent. Frank helped driving this session and one of our lead HA engineers, Keith Farkas, joined as well… Believe me when I say that Keith was happy with all the excellent feedback we received from the audience during this session. Next year, and in Copenhagen, I want to do more sessions like these… This is what VMworld should be like, small discussion sessions with lots of interaction with the audience!

Before I head out to breakfast there are a couple of things I would like to mention… Did everyone see PowerCLI-Man? I don’t know who he is or where he all of a sudden came from, but he is my new favorite super hero! What an amazing guy, dropping in on a session hosted by Luc Dekens and Alan Renouf while you know he is fighting operational wars on a day to day basis… amazing. (He even has Facebook?!)

I also forgot to mention VMworld TV in my “Day 1” report… Sorry Richard here you go. In all seriousness check the VMworld TV youtube channel and watch the great interviews and summaries that Richard and his team produced. It is a great way of getting an impression of what is going on at VMworld. Believe me, it is a madhouse.

Another day at VMworld about to start… hopefully I will have a bit more time to watch some sessions myself today. If you are attending I would ask all of you to please fill out the session surveys. Keep in mind that all speakers, and the VMworld organization, love to get feedback on what worked well and what can be improved. Please provide constructive feedback, keep in mind that many of the people presenting at VMworld are just technical people like you and me and not professional “marketing” type speakers! My respect to each and every one of you who does not do this on a day-to-day basis and presented a session at VMworld. I know it is a huge step and I know it is not easy to get up in front of literally hundreds of people!

Download it now… vSphere 5

Duncan Epping · Aug 25, 2011 ·

The wait is finally over… I’ve noticed many people on twitter craving for it so I figured it wouldn’t harm anyone if I would provide the links to the download page. Here are the links to the direct page of ESXi and vCenter:

  • VMware ESXi 5.0 (Build 469512)
  • VMware vCenter 5.0 (Build 456005) (vCenter Server Appliance also available as of today (26/08))
  • VMware Data Recovery 2.0 (Build 433157)
  • vSphere Storage Appliance 1.0
  • VMware vShield Zones for vSphere 5 (Build 216288)
  • Documentation link (docs also available in epub and kindle format!)
    • What’s New in VMware vSphere 5.0
    • VMware vSphere 5.0 Release Notes
  • Some tools which will come in handy:
    • VMware vSphere PowerCLI 5.0
    • VMware vCenter Update Manager PowerCLI
    • VMware GuestAppMonitor SDK (HA Application Monitoring)
    • VMware vSphere Management Assistant 5.0 (vMA)
    • VMware vSphere CLI
  • vSphere 5 Compatible and Updated Products:
    • vCenter Operations 1.0.1 (release notes)
    • VMware vCenter Capacity IQ 1.5.2 (release notes)

Evaluation Guides:

  • VMware vSphere 5 Evaluation Guide – Volume One
  • VMware vSphere 5 Evaluation Guide – Volume Two – Advanced Storage Features
  • VMware vSphere 5 Evaluation Guide – Volume Three – Advanced Networking Features
  • VMware vSphere 5 Evaluation Guide – Volume Four – Auto Deploy
  • VMware Data Recovery Evaluation Guide

What’s new whitepapers (released at launch last month):

  • What’s New in vSphere 5.0
  • What’s New in VMware vSphere 5.0: VMware vCenter
  • What’s New in VMware vSphere 5.0: Platform Whitepaper
  • What’s New in VMware vSphere 5.0: Performance Whitepaper
  • What’s New in VMware vSphere 5.0: Storage Whitepaper
  • What’s New in VMware vSphere 5.0: Networking Whitepaper
  • What’s New in VMware vSphere 5.0: Availability Whitepaper
  • What’s New in VMware Data Recovery 2.0 Technical Whitepaper
  • VMware vSphere Storage Appliance Technical Whitepaper
  • What’s New in VMware vCenter Site Recovery Manager 5 Technical Whitepaper
  • What’s New in VMware vCloud Director 1.5 Technical Whitepaper

By the way, did you know there were over 140 new features in vSphere 5.0? Check out my article on the VMware vSphere Blog for a full list and for a nice contest / challenge!

Changelog:
edit 1 – added links to VSA, Zones and Data Recovery
edit 2 – added eval guide links
edit 3 – added different management tools etc
edit 4 – added a list with compatible and updated products

vCenter Appliance

Duncan Epping · Aug 10, 2011 ·

I was playing around in my lab and figured I would give the vCenter Appliance (VCVA) a try. I realize that today there are limitations when it comes to the vCenter Appliance and I wanted to list those to get them out in the open:

  • No Update Manager
  • No Linked-Mode
  • No support for the VSA (vSphere Storage Appliance)
  • Only support for Oracle as the external database
  • With the embedded database it supports 5 hosts and 50 VMs
    • vSphere 5.0 embedded database uses DB2
    • vSphere 5.0 Update 1 and higher uses vPostgres
  • No support for vCenter Heartbeat

Now that you’ve seen the limitations why would you even bother testing it? You will still need Windows if you are running VUM and you can only use Oracle for large environments… Those are probably the two biggest constraints for 80% of you reading this and I agree they are huge constraints. But I am not saying that you should go ahead and deploy this in production straight away, I do feel that the VCVA deserves to be tested as it is the way forward in my opinion! Why? Most importantly, it is very simple to implement… Seriously setting it up takes a couple of minutes. You just import the OVF, accept the EULA, select the correct database type and start the vCenter service. Without any hassle it also includes the following services:

  • vSphere Web Client
  • vCenter Single Sign On (SSO)
  • vSphere Auto Deploy Server
  • ESXi Dump Collector
  • Inventory Service
  • Syslog Collector

But that’s not all… If you look at it from a strategic perspective this is the first step. A first step towards a possible distributed vCenter solution, and I know some of you have been waiting on that for a while, so why not get your hands dirty straight away and start testing it.

If you want to know how to deploy the vCenter 5.1 Appliance I highly recommend reading this article.

**info updated – 1st of february 2013**


About the Author

Duncan Epping is a Chief Technologist and Distinguished Engineering Architect at Broadcom. Besides writing on Yellow-Bricks, Duncan is the co-author of the vSAN Deep Dive and the vSphere Clustering Deep Dive book series. Duncan is also the host of the Unexplored Territory Podcast.
