This month's vCloud Digest is a bit of a bumper edition – we have been so busy with other work and the run-up to VMworld that it had to be put on the back burner. Once again we are indebted to our esteemed colleagues throughout the company for providing this content, including:
Tomas Fojta, Massimo Re Ferre, William Lam, Michael Haines, Ian Hamblen, Taruna Gandhi, Sean Howard, Christian Prediger, Ray Budavari, Keith Luck, Kim Ranyard, Rich Bourdeau, Evan Bills, Jonathan Hemming, Kyle Smith, Sanjay Patnaik, Timo Sugliani, Zack Kielich, Tom O’Rourke
vCloud 5.1.2 Allocation Pool Options During Upgrade
Q. What does the following mean in the vCD 5.1.2 release notes?
“Allocation pool organization virtual datacenters can be elastic or non-elastic: Starting with vCloud Director 5.1.2, system administrators can configure Allocation Pool organization virtual datacenters with Single Cluster Allocation Pool (SCAP), making them non-elastic. This is a global setting that affects all Allocation Pool organization virtual datacenters. By default, Allocation Pool organization virtual datacenters have Single Cluster Allocation Pool enabled. Systems upgraded from vCloud Director 5.1 that have Allocation Pool organization virtual datacenters with virtual machines spanning multiple resource pools have Single Cluster Allocation Pool disabled by default.
To change the Single Cluster Allocation Pool setting go to System > Administration > General > Miscellaneous. Before enabling Single Cluster Allocation Pool, migrate any virtual machines on secondary resource pools to the organization virtual datacenter’s primary resource pool.”
A. Essentially vCD 5.1.2 allows you to choose between the vCD 1.5 allocation model and the vCD 5.1.1 allocation model.
With an Upgrade from 1.5:
1) Admin upgrades VCD to 5.1.x. The Single Cluster Allocation Pool (SCAP) flag is turned on by default and all existing Allocation Pool Org VDCs are in SCAP mode (non-elastic).
2) All new Org VDCs subsequently created on all PVDCs will be restricted to a single cluster and never span clusters.
3) The semantics of new/existing Org VDCs in single cluster mode will be exactly the same as 1.5 allocation pool and non-elastic.
4) Post upgrade, cloud admin should be able to set the global SCAP flag OFF at any time to convert all his Org VDCs to elastic.
5) Once the SCAP flag is OFF, all the newly created allocation pool Org VDCs are elastic after that.
Upgrade from 5.1 – Case 1, you have some Org VDCs that already have VMs in more than one cluster.
Post upgrade, the default mode of VCD will be elastic (same as 5.1) and all allocation pool Org VDCs continue to remain elastic. The SCAP flag is turned OFF by default. If an admin tries to turn the SCAP flag ON at this time, he will receive an error message that he needs to first manually migrate his VMs in single cluster for all Org VDCs that have VMs spanning clusters. The admin then manually migrates VMs belonging to elastic AP Org VDCs to a single cluster. This means that admin can now turn SCAP flag ON. All the elastic allocation pool Org VDCs are now in single cluster mode. All subsequently created allocation pool Org VDCs are now in single cluster mode.
With an Upgrade from 5.1:
Even though allocation pool Org VDCs are elastic, none of the allocation pool Org VDCs are spanning clusters. This is the same as an upgrade from 1.5.
With an Upgrade from 5.1.1:
Same as upgrade from 5.1.0. So if you did not have any Org VDC spanning multiple clusters it would revert to the vCD 1.5 non-elastic setting. Otherwise it will remain elastic (no change).
vCD and Independent Disks
Q. Are independent disks supported with NFS when using vCD? Or is VMFS required?
A. Yes. Independent disks work on NFS or block storage. The functionality is independent of storage type.
vCloud Director and LDAP Synchronization
Q. How is LDAP synchronization achieved in vCD?
A. What we do during an LDAP synchronization is query the Directory (LDAPv3) server for the user and group objects that we have a record of. That means groups and users that have been imported, or users who have logged in. We query the Directory (LDAPv3) server using those objects’ unique identifier, such as objectGuid or entryUuid (for OpenLDAP systems). Then we update our information based on that.
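The synchronization described above, as an added example that is not part of the digest or of vCD’s own code: each cached user or group is looked up by its immutable directory identifier (an AD objectGUID escaped byte-by-byte into an RFC 4515 filter, or an OpenLDAP entryUUID), and the local record is updated or disabled from the result. The directory is a constructed in-memory stand-in; `CachedPrincipal`, `sync_principals` and the sample GUIDs are assumptions made for this illustration.

```python
from dataclasses import dataclass

def guid_filter(object_guid: bytes, attr: str = "objectGUID") -> str:
    """RFC 4515 equality filter for a binary AD GUID; every byte is escaped as \\xx."""
    return "(" + attr + "=" + "".join(f"\\{b:02x}" for b in object_guid) + ")"

def uuid_filter(entry_uuid: str) -> str:
    """OpenLDAP stores entryUUID as text, so no byte escaping is needed."""
    return f"(entryUUID={entry_uuid})"

@dataclass
class CachedPrincipal:            # hypothetical local record kept by the sync job
    guid: bytes                   # immutable directory identifier: the sync key
    dn: str                       # may change on rename or move, so never the key
    name: str
    kind: str                     # "user" or "group"
    active: bool = True

def sync_principals(cache, search):
    """Refresh cached users/groups by GUID. `search(ldap_filter)` returns a list of
    {'dn','name','guid'} dicts. Returns a report of what changed."""
    report = {"updated": [], "missing": [], "unchanged": []}
    for p in cache:
        hits = search(guid_filter(p.guid))
        if not hits:
            p.active = False      # gone from the directory: disable locally, keep the audit trail
            report["missing"].append(p.name)
        elif len(hits) > 1:
            raise ValueError(f"GUID collision for {p.name}")  # must not happen; fail closed
        elif (hits[0]["dn"], hits[0]["name"]) != (p.dn, p.name):
            old = p.name          # renamed or moved: DN-based matching would have lost this account
            p.dn, p.name, p.active = hits[0]["dn"], hits[0]["name"], True
            report["updated"].append((old, p.name))
        else:
            report["unchanged"].append(p.name)
    return report

# Constructed stand-in for an LDAPv3 directory, keyed by the exact filter string
G_ALICE, G_OPS, G_BOB = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
DIRECTORY = {
    guid_filter(G_ALICE): [{"dn": "CN=Alice Smith,OU=Staff,DC=example,DC=test", "name": "asmith", "guid": G_ALICE}],
    guid_filter(G_OPS): [{"dn": "CN=cloud-ops,OU=Groups,DC=example,DC=test", "name": "cloud-ops", "guid": G_OPS}],
    # G_BOB was deleted from the directory after import: no entry
}

def fake_search(ldap_filter):
    return DIRECTORY.get(ldap_filter, [])

def run_demo():
    cache = [
        CachedPrincipal(G_ALICE, "CN=Alice Jones,OU=Staff,DC=example,DC=test", "ajones", "user"),
        CachedPrincipal(G_OPS, "CN=cloud-ops,OU=Groups,DC=example,DC=test", "cloud-ops", "group"),
        CachedPrincipal(G_BOB, "CN=Bob Lee,OU=Staff,DC=example,DC=test", "blee", "user"),
    ]
    return cache, sync_principals(cache, fake_search)
```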
vCloud API: Leases
Q. In the vCloud API v5.1 you can ‘Set’ and ‘Extend’ the Deployment (Run-time) Lease and Storage Lease time in Seconds for a vApp, as in the following example:
leaseSettings.setDeploymentLeaseInSeconds(30 * 24 * 60 * 60);
leaseSettings.setStorageLeaseInSeconds(30 * 24 * 60 * 60);
But what does 30 * 24 * 60 * 60 actually refer to or mean?
A. 30 * 24 * 60 * 60 means: 30 days * 24 hours * 60 minutes * 60 seconds. This is the number of seconds in 30 days, since the input parameter is in seconds.
Note: In vCloud Director v5.1 Default vApp Leases are as follows:
- Maximum run-time lease: 7 Days (this is how long vApps can run before they are automatically stopped).
- Maximum storage lease: 30 days (this is how long stopped vApps are available before being automatically cleaned up).
VXLAN and NAT
Q. Is it possible to use VXLAN without NAT?
A. Yes, VXLAN can be used without NAT. It is just a Layer 2 network and does not care about Layer 3.
Q. Is it possible to use routed Org VDC networks without NAT?
A. Yes. The problem is propagation of the routes to the Org VDC networks to upstream physical routers. Currently it would have to be done manually, this may change in the future. You can use VXLAN networks for external networks, but you have to rename the portgroup. The problem is how do you then connect the VXLAN external networks to physical networks.
VXLAN and Multicast MTU Size
Q. My understanding is that VXLAN packets are normal unicast packets, encapsulated within a VXLAN header. If I send out a normal 1500 Byte IP packet, the packet would be 1550 Bytes (if I’m correct) due to the header being added. Whenever the source VTEP does not know the destination IP of the target VTEP, it needs to send out a Multicast packet to discover that IP. What size would that Multicast packet be at maximum?
A. Any VM level multicast, broadcast or unknown unicast gets encapsulated by the VTEP into multicast. So it depends on the VM and the network applications it is running. You could decrease the MTU size inside the VM guest OS to 1400, or this may be an issue that is addressed in future releases.
vCNS IPSec VPN Tunnel Status Error
Q. When I set up and configure IPsec VPN with vCNS v5.1.2, I see the following Tunnel Status Error Message:
vCloud Networking and Security IPsec VPN Error : STATE_QUICK_I1 (sent QI1, expecting QR1)
What is the problem?
A. The problem is that the Peer subnet is incorrect. Make sure you check the Peer subnets carefully. Also note, as per the documentation, that the Subnets need to be entered in CIDR format, i.e. xx.xx.xx.xx/24
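A configuration pre-check for the mismatch described above, as an added example that is not from the digest or from vCNS: given both Edges’ local and peer subnet lists, it rejects anything not in CIDR notation and reports every subnet that one side expects but the other does not announce, which is exactly what leaves phase 2 waiting in STATE_QUICK_I1. The site dictionaries, `parse_cidr` and `check_ipsec_pair` are assumptions made for this illustration.

```python
import ipaddress

def parse_cidr(text: str) -> ipaddress.IPv4Network:
    """Accept only xx.xx.xx.xx/len, the form the vCNS docs require; a bare address is an error."""
    if "/" not in text:
        raise ValueError(f"{text!r} is not in CIDR notation (expected e.g. 10.1.0.0/24)")
    # strict=False tolerates host bits set (10.1.0.5/24 -> 10.1.0.0/24), as the UI normalises them
    return ipaddress.ip_network(text, strict=False)

def _nets(site: dict, key: str, problems: list) -> set:
    out = set()
    for s in site[key]:
        try:
            out.add(parse_cidr(s))
        except ValueError as err:
            problems.append(f"{site['name']}: {err}")
    return out

def check_ipsec_pair(site_a: dict, site_b: dict) -> list:
    """Each site is {'name', 'local_subnets': [...], 'peer_subnets': [...]}.
    Phase 2 only negotiates when A's peer subnets are exactly B's local subnets
    and vice versa; every asymmetry is returned as a human-readable problem."""
    problems = []
    a_local, a_peer = _nets(site_a, "local_subnets", problems), _nets(site_a, "peer_subnets", problems)
    b_local, b_peer = _nets(site_b, "local_subnets", problems), _nets(site_b, "peer_subnets", problems)
    for expecting, announced, x, y in ((a_peer, b_local, site_a, site_b), (b_peer, a_local, site_b, site_a)):
        for n in sorted(expecting - announced, key=str):
            problems.append(f"{x['name']} lists peer subnet {n} but {y['name']} does not announce it as local")
        for n in sorted(announced - expecting, key=str):
            problems.append(f"{y['name']} announces local subnet {n} but it is missing from {x['name']}'s peer list")
    return problems

# Constructed sample configurations
SITE_DC = {"name": "dc-edge", "local_subnets": ["10.10.0.0/24"], "peer_subnets": ["192.168.20.0/24"]}
SITE_BRANCH_OK = {"name": "branch-edge", "local_subnets": ["192.168.20.0/24"], "peer_subnets": ["10.10.0.0/24"]}
SITE_BRANCH_TYPO = {"name": "branch-edge", "local_subnets": ["192.168.21.0/24"], "peer_subnets": ["10.10.0.0/24"]}
SITE_BRANCH_NOCIDR = {"name": "branch-edge", "local_subnets": ["192.168.20.0"], "peer_subnets": ["10.10.0.0/24"]}
```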
vCNS IPSec VPN AES-NI
Q. Is AES-NI for IPsec VPN enabled or disabled by default on the vShield Edge Appliance?
A. It is ‘Enabled’ by default. <enableAesni>true</enableAesni>
vCNS Edge VPN
Q. Do IPsec VPN and SSL VPN support two-factor authentication?
A. For IPsec VPN, we support either certificate-based authentication or PSK authentication. For SSLVPN, you can enable either or both certificate as well as user/password authentication.
Q. Can it connect to LDAP or AD for authentication?
A. This facility is available only for the SSLVPN feature.
Q. Do both IPsec VPN and SSL VPN support client software and/or clientless for end user access?
A. Client-based access is available only with SSLVPN. IPsec VPN is only for site-to-site connectivity.
Q. I have a vCloud Suite Enterprise license for 32 CPUs. I would like to use vCNS Edges on my management cluster for load balancing my vCD cells. Do I need to purchase additional vCNS licenses or can I use the one that is included in the vCloud Suite?
A. If your management cluster is covered by the vCloud Suite, then the vCNS that comes with vCloud Suite can be used. This means you can have multiple vCNS Managers connected to different vCenters as long as they run under the vCloud Suite.
vCNS Edge and NAT
Q. Using vCD, I deployed a vApp with NAT enabled on the vApp network Edge. Is this expected behavior that a VM can get an IP for PXE boot through an Edge with NAT enabled? The VM gets an outside IP via DHCP, when trying to PXE boot. So the VM actually gets an IP that doesn’t match the network it is connected to.
A. There is no DHCP relay support on the Edge at present, so this is not the expected behavior. If the VM is getting an IP address from an alternative source it may be incorrectly patched to an Organization or External Network, and receiving an IP address from a DHCP server on those networks.
vCNS (vShield) Endpoint
Q. Do we have to install the Endpoint secure VM appliance on every ESX host in a cluster, or on one/some hosts only to scan all VMs on all cluster members?
A. Our Endpoint must be installed on all hosts in the cluster to which a VM can possibly vMotion. VMTools must also be installed in every Windows guest VM (no support for Linux). The actual AV engine is a purchase from Trend Micro, Bitdefender, Kaspersky, McAfee, or Symantec. This too must be installed on every host in order to protect sibling guest VMs on that host.
vCAC Locked Out
Q. I added an AD group (WINops-sysadmin), which I belong to, to the list of administrators, and removed BUILTIN\Administrators (SOP). The interface seemed to accept that as a valid group. However, after the change, I only see an “Enterprise Administrator” column in the interface, rather than the “vCAC Administrator.”
I’m locked out. Is there a database query to re-add “BUILTIN\Administrators” back into the list of authorized vCAC administrators?
A. This role is controlled via azman, not the database. You should be able to re-add the account using azman.msc. Be careful though, changes to the azman store directly can cause serious issues. Take a backup copy of the store (security.xml) before any change.
- Start azman.msc on the vCAC server from CMD prompt.
- With Authorization Manager highlighted, click on Action and open the authorization store; most likely it is found at C:\Program Files (x86)\DynamicOps\DCAC Server\Store\security.xml
- Then open VMPS, ManagementModel, Role Assignments and click on VRM administrator
- In the right-hand window, right-click and use Assign Users and Groups to add the user back as a ‘vCAC Administrator’
It may take a few minutes, and you may need to stop/start the manager service, but the role should be restored.
Q. What license version of vCAC do you need for other clouds or non-VMware technologies when you have the vCloud Suite Enterprise? For example, I’d like to provision to a vCloud provider is that covered?
A. vCAC can be purchased either Standalone or via vCloud Suite. The vCloud Suite License is per CPU for an unlimited number of VMs. vCloud Suite Licenses are for vSphere capacity only. vCAC Standalone can be purchased for vSphere and non-vSphere capacity and is licensed for $400 per server machine and $133 for desktop machines.
If you have non-vSphere machines (for example: Physical Servers, other Hypervisors, or Amazon AWS resources), you must purchase vCAC standalone for those machines.
You can ONLY deploy VMs to the hosts that are licensed under the vCloud Suite Enterprise with the license from it (vCloud Suite Enterprise). This means no cloud provisioning and no physical provisioning. If you want to do that, you need to buy a per OS Instance license. For AWS, this is per Amazon Machine instance. Even though AWS has other resources like Elastic load balancers, Elastic Block Storage, etc. we only license on machines under management.
vCloud Director: Storage Profiles
Q. Is it possible to have disks from different storage profiles to be associated with the same VM? For example, to use a slower disk for a boot disk, and faster one for a database in a vCD environment?
A. No, this is not possible. The entire VM must be assigned to the same storage profile. The only exception is when you use independent disks that is a vCloud API only feature. This is something we are looking to change in the future.
vCloud Director: VMRC and vCenter Dependency
Q. If a resource vCenter goes down, should users still be able to connect to their running VM’s console using the VMRC?
A. The VMRC ticket is obtained via vCenter by vCD. Once the VMRC connection is established to the ESXi host, you should be fine. vCenter only needs to be up and functioning for the MKS ticket to be obtained and for the initial VMRC connection to be handed off to the ESXi host.
vCloud Director: Installation Directories
Q. Where does vCloud Director install its files to on the vCD Cells?
A. Most of the content will be found in /opt/vmware. Some system files will also be affected, including the vcd service scripts and:
– the RPM database entry
vCloud Director 5.1 and vCNS Edge Load Balancer
Q. In vCD 5.1, the load balancer shows for org vDC networks, but not application networks within a vApp. Is this correct? I can see the load balancing for application networks from vCNS.
A. Yes. Unfortunately today we cannot load balance VMs within a self-contained vApp using the Edge load balancer.
vCNS 5.1 and Timezone
Q. Is it possible in vCloud Networking and Security 5.1 using the UI or API to set the Timezone to a specific value in the logs?
A. No, vCloud Networking and Security 5.1 does not allow the setting of the timezone for log output. This is to ensure that all the logs, across all the appliances, are collected at the same timezone, in this case UTC.
vCNS Edge and Multicast
Q. Is vShield Edge v5.1 able to route multicast traffic?
A. vShield Edge v5.1 does not support multicast routing. We do however support a very special vCloud Director use case where a L2 network is ‘bridged’ by vShield Edge using proxy-ARP. Other than that, vShield Edge provides very standard L3 packet forwarding.
vCNS Edge L7 Proxy Load Balancer
Q. Is the L7 proxy for the vCNS Edge load balancer just referring to HTTP traffic?
A. vShield 5.0 is only HTTP traffic. vCNS 5.1.x supports any TCP traffic. L7 proxy is the default mode for SLB. L7 mode supports HTTP, HTTPS (passthrough only, it doesn’t terminate HTTPS sessions currently) and TCP. The L4 mode only supports TCP connections, i.e. there’s no understanding of HTTP/S at L4.
vCAC and SSL Certificates
Q. Are signed SSL certificates required with vCAC 5.2? I have a vCAC installation in a lab but do not have a Certificate Authority (CA) available.
A. For a lab, you can use a self-signed certificate. During the installation process, you have the option to create a self-signed certificate.
vCAC: Un-Manage VM
Q. I used the Infrastructure Organizer to add existing VMs under management in a test blueprint. I now want to delete the test blueprint, but do not want to delete the associated VMs. How do I do this in vCAC 5.2?
A. Under Enterprise Admin, you can move the VMs (right click menu) to a different provisioning group and reservation.
vCenter Server Groups and SSO
Q. When importing vCenter Server Groups is SSO Mandatory?
A. Yes, SSO is mandatory if you want to use vCenter Server Groups for login.