VMware

vCenter Orchestrator Blog (vCO Team)

Duncan Epping · Jun 7, 2010 ·

Two of my colleagues just launched a new website. It is probably one of the few vCenter Orchestrator Blogs out there and definitely worth following.

Christophe & I (Burke) have launched a new website at http://www.vcoteam.info that we hope to use to help educate and encourage the adoption of Orchestrator for VMware automation tasks.

One of the first articles explains how to create a self provisioning portal with vCO in a detailed stepwise approach.

I am certain many more cool articles will follow. Bookmark it or add vCOTeam.info to your RSS reader.

VM Monitoring (aka VM HA) heartbeat

Duncan Epping · Jun 4, 2010 ·

I got a question around VM Monitoring (aka virtual machine level HA) this week. A customer wanted to test if VM Monitoring worked and as such disabled the NIC of the virtual machine and waited for 30 seconds for the VM Monitoring response to kick in…. nothing happened.

VM Monitoring restarts individual virtual machines when needed. VM monitoring uses a similar concept as HA, heartbeats. If heartbeats, and in this case VMware Tools heartbeats are not received for a specific amount of time the virtual machine will be rebooted. An example of when this will happen for instance is when a Windows virtual machine shows a BSOD.

The big question of course was why didn’t this trigger a response?

The answer is simple: The VMware Tools heartbeat does not use the virtual machine NIC. This heartbeat is “caught” by hostd and passed on to vCenter. vCenter uses this to show those “green/yellow/red” alarm dots. The same heartbeat is used by VM Monitoring to detect the failure of a virtual machine. Even without any NIC attached to your virtual machine these heartbeats will still be received.

One thing to keep in mind though is that when heartbeats are no longer received, by default sent out every second, VM Monitoring will check if there is any Network or Storage I/O to avoid false positives.

Question for you guys! One thing that I always wondered is how many people use VM Monitoring? And if you use it, do you use it on all VMs in every cluster?

VCAP4-DCA Exam?

Duncan Epping · May 30, 2010 ·

Got a couple of questions around this over the last few days and wanted to clear it up. The VCAP4-DCA (Datacenter Administrator) is 100% LAB based. For those who did the VI3 Enterprise Exam it will be similar to the second part of the exam.

In other words you will receive multiple tasks and you will get a full vSphere environment to your disposal including Service Console access, vSphere Client and vCenter. Just get the job done! It could be configuring a Distributed vSwitch or even troubleshooting and solving a problem…

In terms of preparations, make sure you have had enough LAB time. Start using the “esxcfg-” commands and make sure you know where to find what within the vSphere Client.

Limiting your vCPU

Duncan Epping · May 18, 2010 ·

I had a discussion with someone around limiting a VM to a specific amount of Mhz’s after I found out that limits where set on most VMs. This environment was a “cloud” environment and the limit was set to create an extra level of fairness.

My question of course was doesn’t this impact performance? The answer was simple: No as a limit on a vCPU is only applied when there’s a resource constraint. It took me a couple of minutes to figure out what he actually tried to tell me but basically it came down to the following:

When a single VM has a limit of 300MHz and is the only VM running on a host than it will run it full speed as it will be constantly rescheduled for 300MHz.

However, that’s not what happens in my opinion. It took me a while to get the wording right but after a discussion with @frankdenneman this is what we came up with:

Look at a vCPU limit as a restriction within a specific time frame. When a time frame consists of 2000 units and a limit has been applied of 300 units it will take a full pass, so 300 “active” + 1700 units of waiting before it is scheduled again.

In other words applying a limit on a vCPU will slow your VM down no matter what. Even if there are no other VMs running on that 4 socket quad core host.

Would I ever recommend setting a limit? Only in very few cases. For instance when you have an old MS DOS application which is polling 10000 times a second it might be useful to limit it. Personally witnessed they can consume 100% of your resources, unnecessary as it isn’t doing anything actually.

In most cases however I would recommend against it. It will degrade user experience / performance and there is no need in my opinion. The VMkernel has got a great scheduler which will take fairness into account.

Hytrust Labs….

Duncan Epping · May 13, 2010 ·

During VMware Tech Summit last week one of the few Labs I did get to do myself was the Hytrust Lab. Roughly a year ago I first got introduced to Hytrust.

Hytrust is a policy driven appliance which enhances security and auditing for virtualized environments. Although I had seen multiple demos I had never actually played around with it. I must say I was pleasantly surprised at Tech Summit.

Hytrust sits in between you, the user/admin, and the vCenter/ESX. Basically it proxies the requests based on your role. If the role has no permissions on the specific “task” it will return a message stating “permission denied by Hytrust”.

Now that sounds cool doesn’t it? I guess what was even more impressing was the fact that with Hytrust this also works on ESXi. Yes you are reading that correct, role based “unsupported” mode access to ESXi, that’s something VMware doesn’t even offer at the moment. I tested it, it works great! (Yeah I know it is still not supported, but it does offer a solution to those who need it.)

Another cool thing is the configuration templates for Hosts. It basically enables assessment of security configuration. Hytrust contains several pre-built templates including for instance VMware’s Security Hardening Best Practices. Not only assessment but also the option to remediate when needed.

And I haven’t even talked about the auditing functionality yet. As Hytrust proxies all commands, it is just a small step for them to log all the info and make it audit-able….

After playing around with in Hytrust I fully understand why Cisco invested, it rocks. Just try it out. The Community Edition, free for up to three hosts is available here: Hytrust Appliance v2.0 Community Edition