
Category Archives: ESXi

Load Balancing vSphere Clusters with DRS

Recently, a customer reported that DRS was not working to load balance the cluster. Under normal circumstances, a minor imbalance is nothing to be concerned about. This is because the main objective of DRS is not to balance the load perfectly across every host. Rather, DRS monitors resource demand and works to ensure that every VM is getting the resources it is entitled to. When DRS determines that a better host exists for a VM, it makes a recommendation to move that VM.

However, some customers still prefer to have an even distribution of utilization across all hosts within a cluster. This article is intended to provide recommendations to accomplish this goal, bearing in mind that in most cases this will result in additional vMotion activity.


VMware Experts Database Workshop – Oracle Edition – April 2016

The most recent edition of the VMware Experts Database Workshop completed last week in Palo Alto. This event was focused on Oracle: the Cloud Platform Business Unit and VMware execs partnered with Pure Storage to host 11 prominent and specially selected Oracle technical experts for a “Dawn to Midnight Oracle on vSphere” experience. Each of the invited individuals works with the Independent Oracle Users Group (IOUG) and the VMware Special Interest Group (VMware SIG) of that organization. The workshop program is a precursor to inclusion in the various BCA-oriented advisory groups and the respective NDA internal/external email lists that constitute signature components of the program. After over 20 presentations and open discussions, customized labs and various extracurricular activities, including a night at AT&T Park, the group departed Palo Alto with a true sense of the level of VMware's total commitment to all Business Critical Applications and Databases running on vSphere.

Wednesday was a particularly memorable day and will forever be known as the “Wednesday of the Titans”: it began with a presentation on “Oracle on vSphere Licensing” from the world's foremost expert on the subject, David Welch from House of Brick. Dave's presentation was followed by an amazing open discussion led by VMware CEO Pat Gelsinger, and finally the game at AT&T Park featured Madison Bumgarner facing Zack Greinke on opposing mounds.

  • VMware SIG website
  • VMware SIG Handle
  • Mike Corey = @michael_corey
  • Mike Corey Website

VMworld 2016 Preview – The Software-Defined Data Center – Mission Critical Applications & Databases

Continuing on the theme of making the VMware Software-Defined Data Center real, here is a preview of my abstracts for VMworld 2016, submitted along with our partners Hitachi Data Systems and NetApp. One session will feature SAP HANA with the Dynamic Tiering option and the other will feature Oracle 12c with the In-Memory option. Both sessions will showcase full-stack SDDC architectures: NSX, vRealize Operations, vROps Management Packs, and software-defined storage (Virtual Volumes). For the Oracle session NetApp will be the co-presenter, and for the SAP HANA session Hitachi Data Systems will be the co-presenter. Get ready: VMworld voting runs May 3rd – 24th.

Title: The SDDC Stack Day 2 Operations: Oracle 12c RAC Business Intelligence In-Memory Option, SUSE Enterprise Linux, VMware NSX, vRealize Operations – Blue Medora Management Packs, Virtual Volumes on NetApp All Flash Array – AFF8060

Abstract: This session will focus on the Day 2 operations of a fully virtualized Oracle RAC 12c Business Intelligence stack using the In-Memory option at multi-terabyte scales, up to 4TB, running SUSE Linux Enterprise Edition 11 on standard Intel x86 servers. The virtualized infrastructure will incorporate several major tenets of the Software-Defined Data Center: compute, network, storage, and operations. We will be deploying VMware NSX, highlighting micro-segmentation techniques by adhering to the network guidelines in the Oracle Enterprise Deployment Reference Topology. The software-defined storage will be configured using vSphere 6.0 Virtual Volumes on a NetApp AFF8060 Flash Array. Day 2 operational data will be captured and analyzed in VMware vRealize Operations Management and the Blue Medora NetApp vROps storage management pack and Oracle OEM Adapter.

Title: The SDDC: Full Stack on vSphere SAP Business Warehouse Powered By HANA, NSX, vRealize Operations with Blue Medora Management Packs, SDS – Virtual Volumes on Hitachi Unified Compute Platform and SUSE Linux Enterprise Server.

Abstract: The Software-Defined Data Center is no longer a concept, it is reality. In this session we fully virtualize an industry-leading mission critical application and database: SAP Business Warehouse Powered By HANA with the Dynamic Tiering Option, running SUSE Linux Enterprise Server for SAP Applications on Intel x86 servers. We will go beyond the use of vSphere to virtualize compute and extend this reference architecture to cover virtual networks and software-defined storage. We will cover the rationale and specific use case behind VMware NSX micro-segmentation for mission critical architectures. We will define and create software-defined storage via VMware Virtual Volumes, using the Hitachi Unified Compute Platform. In addition we will show the value of vRealize Operations in conjunction with the Blue Medora SAP HANA Management Pack plug-in for vROps when managing mission critical workloads.

Supported vSphere vCenter and ESXi Ciphers

Hi everyone,

One question that comes up regularly is “What ciphers are supported on vCenter and ESXi?”. I’m happy to share that we have published a VMware Knowledge Base article outlining the supported ciphers!

With all of the challenges around SSL/TLS over the past year or two, knowing which ciphers are in use has become critical information that IT and security teams need to do their jobs.

Rather than list the ciphers here, I’ll just point you at the KB as it will be the central repository for this information and will be updated as necessary.

Please note that on some products like the VCSA you'll find more than one OpenSSL binary. For example, the VCSA ships with a default OpenSSL binary from SUSE, the OS provider, and with one from VMware. VMware's services use the OpenSSL that VMware develops and ships, not the OS binaries. The list in the KB was created using the VMware binaries. This is helpful to understand in case your scanning tools only check the OS binaries and therefore report a false positive.

If you have questions, please respond directly to the KB using the provided feedback mechanism at the end of the KB article.

Thanks for reading!

If you liked these posts, please let me know! If you have comments, please reply here, to @vspheresecurity or @mikefoley on Twitter or via email to mfoley@VMware.com or mike@yelof.com

Top Ten things to consider when moving Business Critical Applications (BCA) to the Cloud (Part 3 of 3)

In the first part we looked at public, private and hybrid cloud and their characteristics. In the second part we looked at the common characteristics of business critical applications and how some of those characteristics relate to the different types of cloud infrastructure. In this final part we will look at the lifecycle of a business critical application in the cloud, followed by the conclusion.

vSphere 6.0 Update 2 – What’s New

VMware just recently released Update 2 for vSphere 6.0. Update 2 is full of new features and bug fixes for both ESXi and vCenter Server. For a complete list of features and bug fixes, make sure to review the release notes for ESXi and vCenter Server. A few features stood out to me in this update. The Embedded Host Client is now integrated into ESXi and fully supported as of Update 2. VSAN 6.2 is feature rich, with everything but the kitchen sink in this release. Two-factor authentication support for the vSphere Web Client is now available in the PSC UI. Here's a breakdown of what's new in vSphere 6.0 Update 2.

ESXi

VMware Embedded Host Client (EHC)

The Embedded Host Client (EHC) started out as a Fling and is now a supported product in vSphere 6.0 Update 2. The EHC is installed as part of ESXi 6.0 U2 and lets you manage an ESXi host directly from a web browser. After a host is installed with or upgraded to 6.0 U2, open a web browser and enter https://<FQDN or IP of host>/ui. More information on the Embedded Host Client can be found in the release notes.

[Screenshot: the Embedded Host Client in vSphere 6.0 Update 2]

Virtual SAN 6.2 (VSAN)

Note: VSAN is a separate product and is licensed separately.

If you thought this update couldn't get any bigger, think again. Virtual SAN 6.2 is here and jam-packed with new features. This release of VSAN supports compression and deduplication: when enabled on a disk group, redundant copies of data are reduced to a single copy. There are also new services for the performance, space savings and health of the cluster. The Health service monitors the VSAN cluster for issues and provides diagnostics. The Performance service collects and analyzes performance statistics, from the cluster level down to the disk level. Space savings reports are included too: space reporting displays used and free space with a detailed breakdown. These are just a few of the new features in Virtual SAN 6.2. For more information check out the Virtual Blocks blog.

vSphere APIs for I/O filtering (VAIO) Enhancement

vSphere 6.0 Update 2 also includes updates to the vSphere APIs for I/O filtering (VAIO). If you are not familiar with VAIO, I highly recommend you read the blog post by Ken Werneburg. The VAIO-related changes in this update are:

  • VASA provider in a pure IPv6 environment
  • VMIOF 1.0 and 1.1

High Ethernet Link Speed

ESXi hosts can now support 25G and 50G Ethernet speeds.

vCenter Server

Two-factor authentication for vSphere Web client

vCenter Single Sign-On allows authentication to the vSphere Web Client via username and password. vSphere 6.0 Update 2 introduces two-factor authentication, supporting RSA SecurID and smart cards. RSA SecurID is configured using the SSO-Config utility and requires RSA Authentication Manager in your environment. Once set up, log in to the vSphere Web Client with your username and RSA passcode. Mike Foley has an excellent two-part blog post walking through RSA SecurID setup.

Smart card authentication, as mentioned above, is also supported. Many large enterprises and government agencies use smart cards to meet security regulations. Smart cards such as the Common Access Card (CAC) are used at machines with a smart card reader. Smart card authentication can be configured from the Platform Services Controller UI or using the SSO-Config utility. Stay tuned, as Mike Foley will be discussing smart card authentication in a future post.

[Screenshot: smart card authentication settings in vSphere 6.0 Update 2]

In addition to two-factor authentication, the vSphere Web Client now supports adding a login banner. The login banner can be configured from the Platform Services Controller UI by adding a title and message.

[Screenshot: login banner configuration in vSphere 6.0 Update 2]

An added layer of consent ensures the user cannot log in without acknowledging the login banner.

[Screenshot: login banner consent prompt in vSphere 6.0 Update 2]

vCenter Server Appliance update status might be stuck at 70 percent

vSphere 6.0 Update 1b had a bug when using the Virtual Appliance Management Interface (VAMI) to update: the UI would hang at 70 percent although the update had completed. The only way to verify the status of the upgrade was to check the update log, /var/log/vmware/applmgmt/software-packages.log. This bug has been fixed in vSphere 6.0 Update 2, and the VAMI now displays 100 percent when the update is complete.

Support to change vSphere ESX Agent Manager Logging Level

vSphere Web Client support for Windows 10 operating system

vCenter Server now supports the following external databases:

  • Microsoft SQL Server 2012 Service Pack 3
  • Microsoft SQL Server 2014 Service Pack 1

vCenter Server now supports multiple embedded to multiple PSC migrations in a single SSO domain

vSphere 6.0 Update 1 introduced the ability to reconfigure and repoint using CMSSO-UTIL. This is handy when going from a vCenter with an embedded PSC to an external PSC deployment in the same SSO domain. However, vSphere 6.0 Update 1 would not allow repointing when two external PSCs were present; the result was the following error:

[Screenshot: the repoint error shown by vSphere 6.0 Update 1]

vSphere 6.0 U2 now allows multiple external PSCs with the use of the repoint command. The diagram below represents two embedded deployments replicating to each other. This deployment model is considered deprecated, meaning the topology is supported in vSphere 6.0 but will not be in future releases. To get out of this deprecated topology, two external Platform Services Controllers have been deployed. Now we can use the reconfigure command in CMSSO-Util to remove the embedded PSC and repoint vCenter Server to the external PSC.

[Diagram: deprecated embedded PSC topology migrating to external PSCs]

As you can see vSphere 6.0 U2 is loaded with lots of new features, go download and give them a try.

Authorized Keys and ESXi 6.0 Update 2 – Changes to OpenSSH

William Lam brought up some feedback on Socialcast the other day. The story was of a customer who updated to ESXi 6.0 Update 2, after which the SSH keys he was using no longer worked. The customer was advocating for changing the file /etc/sshd_config so that he could continue to use the keys on his ESXi server. IMHO, that's the wrong course of action.

ESXi 6.0 Update 2 ships with an updated version of OpenSSH, 7.1p1. One of the major changes in this release is the disabling of “ssh-dss” and “ssh-dss-cert-*” (a.k.a. DSA) keys. The OpenSSH project has also announced the future deprecation of other legacy cryptography. I urge you to read more about these changes, as they may impact you in other places in your infrastructure.

Now, the customer had added DSA keys to the /etc/authorized_keys file so that he could easily log into his ESXi system. OK, I get that. Adding authorized keys is a supported configuration outlined in this KB.

What happened is that now that ESXi 6.0 U2 is running the new OpenSSH bits, his SSH connections were refused. This is expected behavior! The issue could be remediated either by generating new RSA keys or by editing sshd_config to re-enable DSA keys. As I said above, the latter is the wrong course of action. Why put your ESXi host at risk for convenience?

Please don’t bring up the “but DSA keys are faster/less overhead/etc” argument. I’m pretty darned sure that OpenSSH is using AES-NI instructions (I looked) that are plenty fast for a simple SSH session. Performance is no longer an excuse to use less security! It’s 2016.

Bottom line, if you are using Authorized Keys on your ESXi server and they were generated with DSA keys, it’s time to be proactive and re-generate them with RSA keys.
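As an added example (not code from this post or from VMware), here is a small Python audit that parses authorized_keys content, handles the optional options field that can precede the key type, checks that each key blob really carries the declared type, and flags the ssh-dss entries that OpenSSH 7.x rejects so they can be regenerated as RSA. The sample file content and the key blobs in it are constructed for the example; on a real host you would read the authorized keys file the KB describes.

```python
import base64
import shlex
import struct

# Key types OpenSSH 7.0+ disables by default (they stop working on ESXi 6.0 U2).
LEGACY_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com"}

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: uint32 length + bytes

def _fake_blob(key_type: str) -> str:
    """Constructed base64 blob starting with key_type; the numeric fields are dummies."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(b"\x01")).decode()

# Constructed sample file: an RSA key, a plain DSA key, and a DSA key preceded
# by an options field (quotes and commas, which shlex keeps as one token).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for root",
    f"ssh-rsa {_fake_blob('ssh-rsa')} admin@mgmt",
    f"ssh-dss {_fake_blob('ssh-dss')} backup@mgmt",
    f'from="10.0.0.5,10.0.0.6",no-pty ssh-dss {_fake_blob("ssh-dss")} script@mgmt',
])

def parse_line(line: str):
    """(key_type, blob, comment) for one entry, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # An options field may precede the type and may contain quoted spaces.
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError(f"no key type followed by a blob in: {line!r}")

def embedded_type(blob_b64: str) -> str:
    """Key type string stored at the start of the decoded key blob."""
    raw = base64.b64decode(blob_b64)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode()

def audit(text: str) -> list:
    """(line_no, key_type, comment, problem) for every entry that needs action."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        if embedded_type(blob) != key_type:  # declared type and blob disagree
            findings.append((no, key_type, comment, "blob does not match declared type"))
        elif key_type in LEGACY_TYPES:
            findings.append((no, key_type, comment, "DSA key; regenerate as RSA"))
    return findings
```

Running audit() over the sample reports lines 3 and 4, the two DSA entries, while the RSA entry on line 2 passes.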

Final note: Limit who can log into your ESXi host. Only those you trust the most should have access. If you are logging in to “run scripts and stuff” (as many customers tell me they do) then you might want to look into using tools like the vSphere API and scripting tools like PowerCLI or Python.

If you have something you CAN’T do via API or scripting, please let us know! Reply here or send email.


Top Ten things to consider when moving Business Critical Applications (BCA) to the Cloud (Part 2 of 3)

In the first part we looked at public, private and Hybrid Cloud and their characteristics. In this part we will look at the common characteristics of business critical applications. We will also look at how some of these characteristics relate to the different types of Cloud infrastructure.

Common Characteristics of Business Critical Applications (BCA):

Business critical applications typically have very stringent SLAs and a direct impact on the business. They are the crown jewels of the business and need to be managed with the utmost care to avoid loss of productivity, data and potential revenue. The major factors that can have a direct impact on these applications include the following:


Top Ten things to consider when moving Business Critical Applications (BCA) to the Cloud (Part 1 of 3)

The cloud transformation is now for real. Customers have a stated long-term goal of running a majority of their applications in the cloud. Gartner predicts that public cloud services will grow by 16.5% in 2016. The highest growth area is cloud infrastructure, which is projected to grow at 38.4% in 2016. Today's CIOs understand that a clear cloud strategy is a critical component of managing their information technology needs.

While developers have adapted to the cloud and its benefits, traditional enterprise business critical applications are not very prevalent in the cloud. Until recently most of these applications had not even been virtualized; only in the past two to three years has a majority of these enterprise applications been virtualized. What are the unique characteristics of these applications that need to be considered for cloudification? In this three-part blog series, we will analyze the top ten BCA requirements and how different types of cloud infrastructures satisfy them. In part 1 we will look at the different types of cloud infrastructures and their characteristics.

Maintenance Mode Improvements in vSphere 6.0 Update 2

vSphere 6.0 Update 2 has launched, and with it comes a very simple change to the way that VMs and templates are evacuated from hosts that enter Maintenance Mode. In all prior versions, when a host enters Maintenance Mode, DRS evacuates the host by placing all the running VMs, powered-off VMs, and templates on other hosts within the cluster. However, under certain conditions the order of operations produces very different results. For math geeks, (4+2)×2 ≠ 4+2×2.