VMware Cloud Foundation 9.0 was recently launched, and that means vSAN 9.0 is also available. There are many new features introduced in 9.0, so a perfect time to ask Pete Koehler to join the podcast once again and go over some of these key enhancements. Below, you can find the links we discussed during the episode, as well as the embedded player to listen to the episode. Alternatively, you can also listen to the episode via Spotify, Apple, or any other podcast app you may use. Make sure to like and subscribe!
esa
Are the vSAN disks encrypted or not, and is the environment health?
There was an internal question that came up, and I figured I would write a quick article as I had to grab some screenshots anyway. If you have vSAN Encryption – Data At Rest enabled, how do you verify the disks are actually encrypted? There are a couple of things you can do, and one is, of course verify in the vSAN UI that encryption is enabled in the configuration section. But you can also verify on a per-host basis if the disks have been encrypted through the command: esxcli vsan storage list. The output would look as follows:
As you can see, Encryption: true.
Of course, it is also beneficial to know if the Key Management System is reachable and healthy, as well as whether the necessary CPU instructions are available. These details can be viewed in vSAN Skyline Health, as shown in the next screenshot.
Hope that helps… OH, if you do use the Native Key Server, and encounter an error “not available on host”, verify if you enabled it with “Use key provider only with TPM” ticked or not, as if that is selected and you don’t have a TPM would result in that error.
Does vSAN Data Protection work with vSAN Stretched Clusters and can snapshots be stretched?
I have written a few articles about vSAN Data Protection now, and my last article featured a nice vSAN DP demo. A very good question was asked in the comment section, and it was about vSAN Stretched Clusters. Basically, the question was whether Snapshots are also stretched across locations. This is a great question, as there are a couple of things which are probably worth explaining again.
vSAN Data Protection relies on the snapshot capability which was introduced with vSAN ESA. This snapshot capability in vSAN ESA is significantly different than with vSAN OSA or with VMFS. With vSAN OSA and VMFS when you create a snapshot a new object (vSAN) or file (VMFS) is created. With vSAN ESA this is no longer the case as we don’t create additional files or objects, but we create a copy of the metadata structure instead. This is why vSAN ESA snapshots perform much better than vSAN OSA or VMFS snapshots do, as we no longer need to traverse multiple files or objects to read data. We can simply use the same object, and leverage the metadata structure to keep track of what has changed.
Now, with vSAN, as most of you hopefully know, object (and it’s components) are placed across the cluster based on what is specified within the storage policy that is associated with the object or VM. In other words, if the policy states FTT=1 and RAID-1, then you will see 2 copies of the data. If the policy states the data needs to be stretched across locations, and within each location be protected with RAID-5, then you will see a RAID-1 configuration across sites and a RAID-5 configuration within each site. As vSAN ESA snapshots are an integral part of the object, the snapshots automatically follow all requirements as defined within the policy. In other words, if the policy says stretched then the snapshot will also automatically be stretched.
There is one caveat I want to call out, and for that I want to show a diagram. The diagram below shows the Data Protection Appliance, aka the snapshot manager appliance. As you can see, it states “metadata decoupled from appliance” and it links somehow to a global namespace object. This global namespace object is where all the details of the protected VMs (and more) is being stored. As you can imagine, both the Snapshot Manager, as well as the Global Namespace object should also be stretched. For the global namespace object this means that you need to ensure that the default datastore policy is set to “stretched”, and of course for the snapshot manager appliance you can simply select the correct policy when provisioning the appliance. Either way, make sure the default datastore policy aligns with the disaster recovery and data protection policy.
I hope this helps those exploring vSAN Data Protection in a stretched cluster configuration!
Where’s my vSAN Data Protection screen in 8.0 U3?
The first time I deployed vSphere/vSAN 8.0 U3 I immediately looked for the vSAN Data Protection UI. I always get excited about new features, and simply want to test it. I mean who doesn’t like scalable snapshots and a great way of managing snapshot schedules? Finally available within the vSphere Client! Of course, I could not find it, but I figured that was because I was on some weird alpha build of the product. Now that the product has shipped it must be there out of the box right?
No it isn’t. You will need to deploy an appliance in order for this functionality to appear in the UI. The appliance can be found under “Drivers and Tools” under the vSphere Hypervisor download (Which is under VMware vSphere), it is called “VMware vSAN Snapshot Service Appliance”. The current version is named “snapservice_appliance-8.0.3.0-24057802_OVF10.ova”. You need to deploy this OVA, and I would highly recommend to request a DNS name for it and have it properly registered. I fiddled around with the hosts file on VCSA and forgot to add the name to my local host file on my laptop and had some weird issues as a result, which I am trying to reproduce at the moment, will report back if/when I can.
The other thing to point out is the following, the documentation tells you to download the certs and copy the text for the Appliance, it isn’t something most of us do daily either, you can simply open a web browser and use the following url “https://<name of your vCenter server>/certs/download.zip” to download the certs and then unzip the downloaded file. (More details to be found here.) It will contain the certs, and if you open the cert with a proper text editor you can copy/paste that into the deployment screen for the OVA. (Yes, I know there are other ways as well, but I found this one to be the easiest.)
Now when you deployed the OVA, and when everything was configured correctly you should see a successful task, or actually two: download plugin, deploy plug, as shown in the next screenshot.
If you do get the “error downloading plug-in” error message, it likely is one of two things:
- DNS / Hosts files are not correctly configured, resulting in the URL not being reachable. Make sure you can resolve the URL!
- Cert thumbprint was incorrectly copied/pasted, there’s a whole section on troubleshooting this here.
Okay, now that I got the appliance up and running, I will probably do a follow-up post on what you can do with it 🙂
vSAN ESA and the minimum number of hosts with RAID-1/5/6
I had a meeting last week with a customer and a question came up around the minimum number of hosts a cluster requires in order to use. particular RAID configuration for vSAN. I created a table for the customer and a quick paragraph on how this works and figured I would share it here as well.
With vSAN ESA VMware introduced a new feature called “Adaptive RAID-5”. I described this feature in this blog post here. In short, depending on the size of the cluster a RAID-5 configuration will either be a 2+1 scheme or a 4+1 scheme. There’s no longer a 3+1 scheme with vSAN ESA. Of course, there’s still the ability to use RAID-1 and RAID-6 as well, the RAID-1 and RAID-6 schemes remained unchanged.
When it comes to vSAN ESA, below are the number of hosts required for a particular RAID scheme. Do note, that with RAID-5, of the size of the cluster changes (higher of lower) then the scheme may also change as described in the linked article above.
| Failures To Tolerate | Object Configuration | Minimum number of hosts | Capacity of VM size |
|---|---|---|---|
| No data redundancy | RAID-0 | 1 | 100% |
| 1 Failure (Mirroring) | RAID-1 | 3 | 200% |
| 1 Failure (Erasure Coding) | RAID-5, 2+1 | 3 | 150% |
| 1 Failure (Erasure Coding) | RAID-5, 4+1 | 6 | 125% |
| 2 Failures (Erasure Coding) | RAID-6, 4+2 | 6 | 150% |
| 2 Failures (Mirorring) | RAID-1 | 5 | 300% |
| 3 Failures (Mirorring) | RAID-1 | 7 | 400% |