
Category Archives: Datacenter

Fresh vSphere 6 KB articles!

vSphere 6.0 has been out now for a few weeks and you early adopters have been busy kicking the tires. We've heard some very encouraging things about this release, i.e. the web client improvements. It's always interesting and top of mind for us to see what issues emerge in everyone's environments, and we monitor support requests coming into support as well as social media to see what customers run into.

Here's a fresh list of Knowledgebase articles we've created to address some of these inquiries. Familiarize yourself with the list and of course share with your colleagues using the buttons on this page.

Database compatibility issues during upgrade

Deprecated VMFS volume errors

Backup failures/CBT mem heap issues

Replace certificates for vSphere 6.0

Decommissioning a vCenter Server or Platform Services Controller

Using vSphere ESXi Image Builder to create an installable ISO that is not vulnerable to Heartbleed

Here is a follow-up post from Andrew Lytle, member of the VMware Mission Critical Support Team. Andrew is a Senior Support Engineer who specializes in vCenter and ESXi related support.

VMware recently released updates to all products affected by the vulnerability dubbed “Heartbleed” (CVE-2014-0160): http://www.vmware.com/security/advisories/VMSA-2014-0004.html

As per KB article: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160 (2076665), the delivery method for this code change in the VMware ESXi product is through an updated ESXi vSphere Installation Bundle (VIB). VIBs are the building blocks of an ESXi image. A VIB is akin to a tarball or ZIP archive in that it's a collection of files packaged into a single archive.

Typically a new ESXi ISO file will be made available only during major revisions of the product (Update 1, Update 2, etc). If you need an ESXi 5.5 ISO which is already protected from Heartbleed, you can make your own ISO easily using vSphere PowerCLI.

The PowerCLI ImageBuilder cmdlets are designed to make custom ESXi ISOs which have asynchronous driver releases pre-installed, but they can also be used in a situation like this to make an ISO which lines up with a Patch Release instead of a full ESXi Update Release.

In this post we will cover both the ESXi 5.5 GA branch, as well as the ESXi 5.5 Update 1 branch. Choose the set of steps which will provide the ISO branch you need for your environment.

Creating an ISO based on ESXi 5.5 GA (Pre-Update 1)

These steps are for downloading the requirements for creating an ISO which is based on the ESXi 5.5 “GA” release, which was originally released 2013-09-22.

Step 1: Download the Required Files

When creating a custom ESXi image through Image Builder, we need to start by downloading the required files:

Install PowerCLI through the Windows MSI package, and copy the zip files to a handy location. For the purposes of this example, I will copy these files to C:\Patches\

Step 2: Import the Software Depot

  • Add-EsxSoftwareDepot C:\Patches\ESXi550-201404020.zip

Step 3: Confirm the patched version (optional)

If you wish to confirm the esx-base VIB (which includes the Heartbleed vulnerability code change) is added correctly, you can confirm the VIB has a Version of 5.5.0-0.15.1746974 and a Creation Date of 4/15/2014.

  • Get-EsxSoftwarePackage -Name esx-base

Step 4: Export the Image Profile to an ISO

  • Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140401020s-standard -ExportToISO -FilePath C:\Patches\ESXi5.5-heartbleed.iso

Creating an ISO based on ESXi 5.5 Update 1

These steps are for creating an ISO which is based on the ESXi 5.5 “Update 1” release, which was originally released 2014-03-11.

Step 1: Download the Required Files

When creating a custom ESXi image through Image Builder, we need to start by downloading the required files:

Copy the zip files to a handy location. For the purposes of this example, I will copy them to C:\Patches\

Step 2: Import the Software Depot

  • Add-EsxSoftwareDepot C:\Patches\ESXi550-201404001.zip

Step 3: Confirm the patched version (optional)

If you wish to confirm the esx-base VIB (which includes the Heartbleed vulnerability code change) is added correctly, you can confirm the VIB has the Version of 5.5.0-1.16.1746018 and Creation Date of 4/15/2014.

  • Get-EsxSoftwarePackage -Name esx-base

Step 4: Export the Image Profile to an ISO

  • Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140404001-standard -ExportToISO -FilePath C:\Patches\ESXi5.5-update1-heartbleed.iso

Installing the ESXi ISO

The ISO file which was created in these steps can be used in exactly the same manner as the normal VMware ESXi 5.5 ISO. It can be mounted in a remote management console, or burned to a CD/DVD for installation.
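
Both branches above follow the same four steps, so they can be scripted once. The following is an added example, not part of the original post: it refuses to write the ISO unless the esx-base VIB inside the image profile has the patched version quoted in Step 3, then prints a SHA-256 hash of the result. The `$Branches` table and the function name `New-PatchedEsxiIso` are hypothetical, and `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Added example (not from the original post). Needs VMware PowerCLI with Image Builder.
# Depot paths, profile names and esx-base versions are the ones quoted in the steps;
# $Branches and New-PatchedEsxiIso are hypothetical names.
$Branches = @{
    GA = @{ Depot   = 'C:\Patches\ESXi550-201404020.zip'
            Profile = 'ESXi-5.5.0-20140401020s-standard'
            EsxBase = '5.5.0-0.15.1746974'
            Iso     = 'C:\Patches\ESXi5.5-heartbleed.iso' }
    U1 = @{ Depot   = 'C:\Patches\ESXi550-201404001.zip'
            Profile = 'ESXi-5.5.0-20140404001-standard'
            EsxBase = '5.5.0-1.16.1746018'
            Iso     = 'C:\Patches\ESXi5.5-update1-heartbleed.iso' }
}

function New-PatchedEsxiIso {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('GA', 'U1')]
        [string]$Branch
    )
    $b = $Branches[$Branch]
    if (-not (Test-Path -LiteralPath $b.Depot)) { throw "Depot not found: $($b.Depot)" }

    $depot = Add-EsxSoftwareDepot $b.Depot
    try {
        $imageProfile = Get-EsxImageProfile -Name $b.Profile
        if (-not $imageProfile) { throw "Profile $($b.Profile) is not in $($b.Depot)" }

        # Check the esx-base VIB inside the profile being exported, not just the depot:
        # a depot may hold more than one esx-base build.
        $base = $imageProfile.VibList | Where-Object { $_.Name -eq 'esx-base' }
        if ("$($base.Version)" -ne $b.EsxBase) {
            throw "esx-base is '$($base.Version)', expected '$($b.EsxBase)'; ISO not written"
        }

        Export-EsxImageProfile -ImageProfile $imageProfile -ExportToIso -FilePath $b.Iso
        # Record a hash so the ISO can be checked again before it is used for installs.
        Get-FileHash -LiteralPath $b.Iso -Algorithm SHA256
    }
    finally {
        Remove-EsxSoftwareDepot $depot   # leave the session's depot list clean
    }
}

New-PatchedEsxiIso -Branch U1
```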

Why storage paths go into a Dead state

Ever wonder why your storage path goes into a "Dead" state?

Staff Engineer Nathan Small has authored a new Knowledgebase article which describes most of the scenarios that lead to this condition.

There are basically three reasons your storage path can go into a "dead" state:

  1. The ESX Storage stack determines path is dead due to TEST_UNIT_READY command failing on probing
  2. The ESX Storage stack receives a Host Status of 0x1 from HBA driver:
    a. Remote array port has timed out
    b. Remote array port has dropped from the fabric (RSCN)
    c. Remote array port has closed IP connection
  3. The ESX Storage Stack marks path as dead after PDL check condition returned by Storage array

Check out Nathan's excellent article on the topic here: Understanding how paths to a storage/LUN device are marked as Dead (2062592)

Some new ESXi patches today

Some new patches for ESXi out today you might want to be aware of:

New Network port diagram for vSphere 5.x

Over the past few weeks we have been working on constructing a brand new network diagram, depicting ports in use for vSphere 5.x

These diagrams have been very popular in the past and we hope you like this one too! We created Knowledgebase article: Network port diagram for vSphere 5.x (2054806) as a container for the pdf diagram. The pdf also lists all of the ports used in tabular format.

If you'd like to see more of these, tell us in the comments section below!

Network port diagram for vSphere 5

Alternate download location.

Note: This information provided is on a best effort basis. VMware will endeavor to update the diagram as new releases come out.

10 videos on vSphere Snapshots

Today we have compiled two lists of videos that will provide you a clear understanding of how to use vSphere snapshots effectively. The first set comes from Joe Desmond, VMware Certified Instructor. The second list comes from our VMware KBTV YouTube channel. Those videos complement our Knowledgebase articles on the same topic.

  • vSphere Snapshots in Non Production Environments describes how to make changes in a non-production environment using vSphere snapshots, by using snapshots to compare two alternative changes to an environment.
  • vSphere Snapshot Consolidation describes how to discover and implement changes in the environment using the vSphere Snapshot Consolidation function -- a function that recognizes unresolved snapshots from 3rd parties, consolidates them and cleans up the environment.
  • vSphere Snapshot Overview provides an overview of the vSphere Snapshot tool to support guest O/S administrators. Snapshots allow safe change to virtual machines without the worry of failed implementation.
  • vSphere Anatomy of Snapshots describes the snapshot process, a powerful tool that allows safe change of virtual machine states without the worry of failed implementation.
  • vSphere Powerful Tools Come with Big Warning Labels New describes the proper use of vSphere Snapshots avoiding loss of data or downtime, and allowing movement from pre-change to post-change with ease.
  • vSphere Snapshots in Action walks through two demos installing a software program using vSphere Snapshots to capture the before state and the after state.

KBTV videos discussing snapshots

SSL Certificate Automation Tool version 1.0.1

Last month we announced a new SSL Certificate Automation tool to help everyone with the implementation of custom certificates. Yesterday, we released the second version of it (version 1.0.1). This is a minor update which aims to simplify the replacement of certificates further by adding Certificate Signing Request (CSR) functionality to the tool. This functionality allows a user to quickly generate certificate requests (and consequently the private keys) for submission to the Certificate Authority.  The CSR functionality was the largest portion of manual steps, and as a result the update reduces the number of steps by over 15.

In addition, there are several fixes for minor bugs which impacted tool functionality.

For further details and to download the latest version of the SSL tool see: Deploying and Using the SSL Certificate Automation Tool (2041600)

We hope these additions prove useful for everyone!

ALERT: Login issue after updating to vCenter 5.1 Update 1

VMware has become aware of an issue that may occur after upgrading to vCenter Server 5.1 Update 1.

Specifically:

  • You are unable to log in using the vSphere Web Client or domain username/password credentials via the vSphere Client.

This issue can occur if the specified vCenter Server login domain user account is associated with a large number of domain groups and multiple domains are configured as SSO identity sources. The precise number of groups at which this issue can occur varies due to the nature of Active Directory internals. However, it is more likely to occur once domain-group membership for an account exceeds 19.

Customers with SSO configured with multiple domain-based identity sources along with vCenter Server domain user accounts that are associated with a large number of groups should not upgrade to vCenter Server 5.1 Update 1.

We urge you to read the official KB article for more details and/or updates:
Cannot log in to vCenter Server using the domain username/password credentials via the vSphere Web Client/vSphere Client after upgrading to vCenter Server 5.1 Update 1 (2050941).

How to deploy SSO in a multisite configuration

For those of you administering multiple vSphere environments, getting an SSO multisite deployment up and running in a correct configuration is very important. Multisite deployments are where a local replica is maintained at remote sites of the primary vCenter Single Sign-On instance. The process of setting this up is not complicated, but it is possible to take a wrong turn and end up wasting a whole lot of time correcting it. That is why we have created a best-practice Knowledgebase article titled: Multisite Single Sign-On deployment best practices (2042849). We highly recommend you look at the examples in that article.

We've written extensively in this blog about SSO in the past. You can see all the other posts on the topic here: http://blogs.vmware.com/kb/tag/sso

If you are still at the point where you are asking yourself "What is SSO, and why do I care?", we recommend you start with this great introduction from Justin King: vCenter Single Sign-On Part 1: what is vCenter Single Sign-On?

Determining which users are available to log into vCenter Server

Question: When installing SSO in a multisite configuration, is there a way to find out which users have rights to log into vCenter? We do not have the install log files any longer and we need to know which users have been removed from the authorized users.

Answer: You can access the following table in the vCenter database to determine which users are available to log into vCenter Server. You can then use this list to recreate removed users on the affected vCenter Server.

Steps:

  1. Log in to the SQL Database using the SQL Management Studio.
  2. Select your vCenter Server Database.
  3. Select New Query and enter the following query:
    select * from dbo.vpx_access
  4. Click Execute
ID     PRINCIPAL                    ROLE_ID        ENTITY_ID      FLAG
1      Domain\Administrators             -1                1         3
101    Domain\user1                       5               48         1
701    Domain\user2                      -5               85         1
501    SYSTEM-DOMAIN\admin               -1                1         1
809    Domain\uesr3                      -2                1         1
602    Domain\user4                      -5               85         1
603    Domain\user5                      -5               85         1
604    Domain\user6                      -5               85         1
605    Domain\user7                      -1               85         1
606    SYSTEM-DOMAIN\admin               -2               85         1
804    Domain\testaduser                 -1              131         1
808    Domain\testaduser                 -2               85         1

Under the column PRINCIPAL, look for any users that do not currently have rights to log into vCenter. Disregard the other columns of data; you do not need them.