Lockdown Mode has been around in various forms for many releases. Its behavior has changed a few times since vSphere 5.1, with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see is every customer running vSphere 6.0 use at least the “Normal” Lockdown Mode.
Category Archives: ESXi
Architectural changes to vSphere 6:
vCenter Server 6 has some fundamental architectural changes compared to vCenter Server 5.5. The multitude of components that existed in vCenter Server 5.x has been consolidated in vCenter Server 6 into only two components: the vCenter Management Server and the Platform Services Controller (formerly vCenter Single Sign-On).
The Platform Services Controller (PSC) provides a set of common infrastructure services, encompassing:
- Single Sign-On (SSO)
- Certificate Authority
The vCenter Management Server consolidates all the other components, such as the Inventory Service and Web Client services, along with its traditional management components. vCenter Server can be deployed with either an embedded or an external PSC. Care should be taken to understand the critical differences between the two deployment models: once deployed, you cannot move from one mode to the other in this version.
With vSphere 6.0 the vCenter Virtual Server Appliance (VCSA), now has a component called the Platform Services Controller (PSC). The PSC handles things like SSO and the License Server and ships with its own Certificate Authority called VMware Certificate Authority (VMCA). In this blog post we’ll quickly go over some of the modes of VMCA operation and how to download and install the VMCA root certificate into your browser.
The Technical Marketing team has put out a series of vSphere 6 related feature walkthroughs. We’re covering vCenter Server install and upgrades for many different scenarios as well as vSphere Data Protection and vSphere Replication.
With the Announcement of vSphere 6 this week there is a lot of information being published by various sources. Some of that information is based on old beta builds and is much different than what we’ll see in the final product. In this post I aim to correct some of the information based on the beta builds that’s floating around out there.
First off, there’s confusion about the maximum number of virtual machines per cluster that vSphere 6 supports. This is in part my fault: when we wrote the What’s New in vSphere 6 white paper the number was 6000. Additional scale testing has since been done and that number is now 8000. The What’s New paper will be updated soon to reflect this.
I’ve been fortunate to have one of our super sharp product line managers, Alex Jauch (twitter @ajauch), spend some time explaining to me one of the new enabling technologies of vSphere 6.0: VAIO. Let’s take a look at this really powerful capability and see what types of things it can enable and an overview of how it works.
VAIO stands for “vSphere APIs for IO Filtering”
This had for a time colloquially been known as “IO Filters”. Fundamentally, it is a means by which a VM can have its IO safely and securely filtered in accordance with a policy.
VAIO offers partners the ability to put their technology directly into the IO stream of a VM through a filter that intercepts data before it is committed to disk.
Why would I want to do that? What kinds of things can you do with an IO filter?
Well that’s up to our customers and our partners. VAIO is a filtering framework that will initially allow vendors to present capabilities for caching and replication to individual VMs. This will expand over time as partners come on board to write filters for the framework, so you can imagine where this can go for topics such as security, antivirus, encryption and other areas, as the framework matures. VAIO gives us the ability to do stuff to an IO stream in a safe and certified fashion, and manage the whole thing through profiles to ensure we get a view into the IO stream’s compliance with policy!
The VAIO program itself is for partners – the benefit is for consumers who want to do policy based management of their environment and pull in the value of our partner solutions directly into per-VM and indeed per-virtual disk storage management.
When partners create their solutions their data services are surfaced through the Storage Policy Based Management control plane, just like all the rest of our policy-driven storage offerings like Virtual SAN or Virtual Volumes.
Beyond that, because the data services operate at the VM virtual device level, they can also work with just about any type of storage device, again furthering the value of VSAN and VVOLs, and extending the use of these offerings through these additional data services.
How does it work?
The capabilities of a partner filter solution are registered with the VAIO framework, and are surfaced for user interaction in the SPBM
The vSphere Hardening Guide provides guidance on how to securely deploy VMware vSphere in a production environment. It also serves as a foundation upon which regulatory compliance objectives are built: organizations map their compliance requirements to the individual guidelines in the vSphere Hardening Guide.
Hardening Guides are an industry recognized method of implementing stricter security to meet regulatory and local security standards above and beyond frameworks like Common Criteria.
Version 6.0 of the vSphere Hardening Guide is the next step in the evolution of the guide. A goal of the vSphere 6.0 Hardening Guide is to make the guide easier to implement and assess.
The intent of this article is to go over some of the major changes that come with the new 6.0 guide prior to its release. Consider this your “heads up”.
Today VMware released an update to its vCenter Server management solution.
vCenter Server 5.5 Update 2d | 27 JAN 2015 | Build 2442329
vCenter Server 5.5 Update 2d Installation Package | 27 JAN 2015 | Build 2442328
vCenter Server Appliance 5.5 Update 2d | 27 JAN 2015 | Build 2442330
While this is a minor release it does resolve many issues previously experienced as summarized here:
The latest release of SAP HANA has brought the concepts of multi-temperature data and lifecycle management to a new level. With SP09, SAP has addressed the size and cost constraints that may prohibit an all-in-memory solution. SAP HANA with the Dynamic Tiering (DT) option enables placement of the highest-value “hot data” in the classic SAP HANA in-memory tables, while less frequently accessed “warm data” is placed in, or migrated to, tables that reside on an SAP HANA Extended Storage Host (ES Host).
The data associated with the ES Host resides on disk rather than in memory; however, since it is stored using the same columnar paradigm as classic SAP HANA, performance is optimized for data processing.
SAP Business Warehouse Powered by HANA
The Dynamic Tiering option is plug-and-play for SAP Business Warehouse (BW) 7.4 SP8 Powered by HANA. SAP BW provides full access to your data whether it resides in memory or on the extended host. Access is transparent to the user, so there is no need to direct queries to either the SAP HANA in-memory store or the extended host store.
With the SAP HANA SP09 release, the BW objects that can reside on the Extended Storage Host are the Write-Optimized Data Storage Objects and the Persistent Staging Area. Since these objects can comprise between 15% and 40% of the total database footprint, customers using DT in their landscapes can realize substantial savings by reducing the amount of RAM necessary to run SAP HANA. In addition, SAP HANA Extended Storage Hosts can be deployed on either certified servers or standard x86 commodity servers.
SAP HANA Native Use Cases
The number of software ISVs and developers choosing SAP HANA as their native database is quite impressive. Whether SAP HANA is being used for Data Marts, Enterprise Data Warehouses, or for custom applications, Dynamic Tiering presents interesting opportunities to make these use cases more robust. It’s important to adhere to the SAP HANA Node to ES Host ratios when using HANA as the native database. When the HANA in-memory database is 64GB to 512GB in size, the Extended Storage Host resident data can be 4 times the size of the HANA in-memory database. Below is a sizing summary:
SAP HANA In-Memory Data      Extended Storage Host Data Ratio
64 GB – 512 GB               4x the in-memory database size
>512 GB to <2 TB             (ratio not included in this excerpt)
Deploying SAP HANA In The VMware Software-Defined Datacenter
SAP HANA Extended Storage Host is fully supported by SAP to run on VMware vSphere. It’s interesting to note that SAP does not allow the deployment of an SAP HANA Worker Node and the Extended Storage option on the same physical server. In addition, when deploying SAP HANA with DT in the physical world, SAP provides the following guidance:
“The distance between HANA hosts and Extended Storage hosts should be as short as possible to avoid performance impact on distributed INSERTs, UPDATEs, or Queries. Ideally, ES hosts should be placed inside the same rack as the HANA hosts.”
VMware can actually go one better. In the VMware Software-Defined Datacenter, both the SAP HANA Worker Node virtual machine and the Extended Storage Host virtual machine can be consolidated on a single physical vSphere host, which is a supported SAP configuration. This avoids the performance impact on distributed INSERTs, UPDATEs, or queries that SAP mentions for the physical world. This is a clear benefit: by consolidating these virtual machines, customers can better utilize server resources and increase their ROI. The consolidation and co-location of SAP HANA nodes onto a single vSphere host may also reduce the inter-node communication latency associated with multi-host deployments in a physical SAP Dynamic Tiering landscape.
SAP HANA Dynamic Tiering with VMware HA and Workload Management
For customers who choose to use the Dynamic Tiering option, SAP HANA System Replication is not available in SP09. However, as with SAP HANA single-node scale-up deployments, the Extended Storage Host can be protected against hardware and/or OS outages with VMware High Availability (HA). Enabling VMware HA allows the ES Host to be restarted on any vSphere host within the vSphere cluster without the need for a dedicated standby server. vMotion can also be used to perform workload management or zero-downtime maintenance by live-migrating the ES Host to another server. Since the ES Host can run on both certified and standard x86 hardware, Distributed Resource Scheduler (DRS) can be set to automatically migrate virtual machines to other vSphere hosts within the cluster in order to maximize performance and availability.
SAP has devised a brilliant multi-temperature strategy to manage the data lifecycle of its customers’ SAP HANA landscapes. When deploying SAP HANA with Dynamic Tiering, our joint customers can extend and virtualize their SAP HANA databases beyond the 1 TB vSphere 5.5 monster VM limitation. I will be discussing these topics in depth, as well as techniques to simplify and accelerate SAP HANA deployments in the VMware Software-Defined Data Center, at VMware Partner Exchange 2015 in my session entitled “Leveraging SAP HANA Dynamic Tiering Strategy and Concepts in The VMware Software Defined Data Center”.
VMware is focused on bringing the value of containers to our customers and helping them streamline application delivery and portability in their virtualized infrastructure. CoreOS is a new, lightweight Linux distribution that’s designed from the ground up to run containerized applications. We’ve been working with the CoreOS team to enable the new OS to run on the vSphere platform, including integrating open-vm-tools.
Today we’re announcing a technical preview of CoreOS 494 and 522 on vSphere 5.5, and we encourage our customers to take the images for a spin and provide feedback to the development teams on improving our CoreOS support.
You can download the VMware images from the CoreOS repository –
Installation guidance on vSphere is published in KB2104303.
The above installation process will be simplified in the future when CoreOS is available as an OVA image. A preview of this is available in the 557 beta channel.
You can find additional guidance on deploying CoreOS in the vSphere environment in William’s blog.
Down the road, we will continue our collaboration with the CoreOS team to further improve integration of the OS with vSphere and vCloud Air environments.
Feedback can be provided in the VMware CoreOS community forum.
-vSphere GOS support team