WilliamLam.com


How to bootstrap vCenter Server onto a single VSAN node Part 1?

09.06.2013 by William Lam // 18 Comments

By now, I am sure you have heard about VMware Virtual SAN (VSAN) and you are probably anxious to give it a spin once the beta becomes publicly available in the very near future. I have been doing some testing in my lab with VSAN, not Nested VSAN, but on actual physical hardware. While getting started, I hit an interesting challenge given my physical hardware configuration and also this being a greenfield deployment.

Let me explain what I mean by this. In my lab, I have three physical hosts and each contains a single SSD and single SATA drive. Each host has been provisioned with a small 5GB iSCSI boot LUN that is used to install ESXi (this could have also been another local disk or even USB/SD card). Though VSAN itself is built into the VMkernel, the management of the VSAN cluster, configurations and policies are all performed through vCenter Server. So for a greenfield deployment, you would need to first deploy a vCenter Server which would then require you to consume at least one of the local disks. This is the good ol chicken and egg problem!

In my environment, this was a problem because I only have a single SSD and SATA disk and I would not be able to set up a VSAN datastore for all three hosts at once. This meant I had to do the following steps:

  1. Create a local VMFS volume on the first ESXi host
  2. Deploy vCenter Server and then create a VSAN Cluster
  3. Add the two other ESXi hosts to the VSAN Cluster
  4. Storage vMotion the vCenter Server to the VSAN Datastore
  5. Destroy the local VMFS datastore on first ESXi host (existing VMFS partitions will not work with VSAN) & delete partitions
  6. Add the first ESXi host to VSAN Cluster

As you can see this can get a bit complicated and potentially error prone when needing to destroy VMFS volumes ...

I figured there had to be a better way and I was probably not going to be the only one hitting this scenario for greenfield and potentially even brownfield deployments. In talking to Christian Dickmann, a Tech Lead for the VSAN project, I learned about a really cool feature of VSAN in which you can actually bootstrap vCenter Server onto a single VSAN node! This is possible due to the tight integration of VSAN within the VMkernel, and the best part about this solution is that it is fully SUPPORTED by VMware. From an operational perspective, this deployment workflow is much easier and more intuitive than the process listed above. This also allows you to maximize the use of your hardware investment by running both your core infrastructure VMs as well as your regular workloads all on the VSAN datastore, which is great for small or ROBO offices.

In my environment, I start out with a single ESXi 5.5 host which contains a single SSD and SATA disk and I create a single VSAN node from that ESXi host and contribute its storage to the VSAN datastore. I then deploy a vCenter Server for which I am using the VCSA (vCenter Server Appliance) for quick and easy deployment. The default policy for VSAN is to automatically ensure there is at least one additional replica of the VM as new ESXi compute nodes join the VSAN cluster.

Once the vCenter Server is online, I can then create a vSphere Cluster and enable it with VSAN and add all three ESXi 5.5 hosts to the vSphere Cluster. This will then contribute all their storage to the VSAN datastore all while the vCenter Server is happily running. Once the other ESXi hosts join the VSAN cluster, we will automatically get replication between the other nodes to ensure our vCenter Server is replicated and of course you can change this policy.

As you can see, this is a much simpler setup than having to start out with an existing VMFS or even NFS datastore to initially store the vCenter Server and then create the VSAN datastore and migrate the vCenter Server. I also like how I can start deploying my infrastructure with a single ESXi host and then slowly bring in additional ESXi hosts (just make sure you do it in a timely fashion as you have a SPOF until then). In part two of this article, I will go into more details on how to configure the single VSAN node and bootstrap vCenter Server. In the meantime, if you have not checked out these awesome articles by some of my VMware colleagues, I would highly recommend you give them a read, especially Cormac's awesome VSAN series!

Here is How to bootstrap vCenter Server onto a single VSAN node Part 2?

If you are interested in testing out VSAN, be sure to sign up for the beta here!

Cormac Hogan

  • VSAN Part 1 – A first look at VSAN
  • VSAN Part 2 – What do you need to get started?
  • VSAN Part 3 – It is not a Virtual Storage Appliance
  • VSAN Part 4 – Understanding Objects and Components
  • VSAN Part 5 – The role of VASA

Duncan Epping

  • Introduction to VMware vSphere Virtual SAN
  • How do you know where an object is located with Virtual SAN?

Dave Hill

  • VMware VSAN – Virtual SAN – How to configure

Categories // VCSA, VSAN, vSphere, vSphere 5.5 Tags // esxcli, ESXi 5.5, VCSA, vcva, Virtual SAN, VSAN, vSphere 5.5

Administrator password expiration in new VCSA 5.5

09.05.2013 by William Lam // 4 Comments

A new security enhancement that you should be aware of when deploying the new vCenter Server Appliance (VCSA) 5.5 is that there is now a password expiration that is enabled for the administrator account (root) after powering on the VCSA. By default, the password will expire after 90 days, and if the password is not changed before the expiration, the account will be locked out of the VAMI interface and the SSH console. From a security point of view, this is a nice feature to have to ensure administrative passwords are automatically rotated. However, it can also be an administrative challenge if you are not aware of this new change and you suddenly notice you can no longer log in after 90 days.

You can find the password expiration settings under the Admin tab of the VAMI interface. You have the ability to enable or disable the feature as well as change the number of days the password is valid for. If you decide to change the default number of days, you will be required to enter an email address which will be used to email you 7 days prior to expiration which is the default.

In addition to using the VAMI interface to configure these settings, I was also interested to see if these settings can be automated through the command-line and with a bit of digging, these options can be completely controlled through the CLI!

We will be using the chage utility which manages user account expiry. To view the default settings for the root account or any other account, run the following command:

chage -l root

We can see from the screenshot above, the maximum days before expiration is 90 and the number of days to warn before expiration is 7 which matches the VAMI UI.

Let's say we want to change the maximum days before expiration to 120 and, instead of warning 7 days before expiration, we want to change it to 12. You can do so by running the following command:

chage -M 120 -W 12 root

If you wish to completely disable account password expiry, you can do so by running the following command:

chage -M -1 -E -1 root

You can also configure the email address through the command-line which is used to warn X days before password expiry. To add or update the email address, you will need to create a file called /etc/vmware-vpx/root.email that contains the email address.

From an operational perspective, you will want to ensure you configure an SMTP server in your vCenter Server after deploying the VCSA and ensure you add an email address so you can be notified before the root account password expires. You should also configure the maximum number of days before the password expires and the number of days to warn to match your internal security policies.

In the event that you lock yourself out, how do you go about recovering from this since you will not be able to log in to the VAMI interface nor the SSH console? I have purposely configured one of my VCSA to expire the password in 1 day, so stay tuned for a future article on how to recover from this.
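To catch an approaching expiry (or an account whose expiry has been disabled against policy) without relying on the warning email alone, the same values that chage manages can be read from the account's shadow entry. This is an added example, not part of the original post: pw_status is a hypothetical helper name, the standard shadow(5) field layout is assumed, and the sample entries in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify one shadow(5) entry using the fields that
# `chage -M` (max days, field 5) and `chage -W` (warn days, field 6) set.
# Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is counted in days since 1970-01-01.
#
# $1 = shadow line, e.g. "$(getent shadow root)" when run as root
# $2 = today in days since the epoch (optional, defaults to now)
#
# Prints one of:
#   ok N          N days left, outside the warning window
#   warn N        N days left, inside the warning window
#   expired N     N days past the date chage -l shows as "Password expires"
#   never         password ageing disabled (e.g. after chage -M -1)
#   must-change   lastchg is 0, password change forced at next login
#   unknown       no last-change date recorded
# The exact behaviour on the boundary day itself depends on the PAM/shadow
# implementation, so treat "warn 0" as already urgent.
pw_status() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$1" | awk -F: -v today="$today" '{
        last = $3; max = $5; warn = ($6 == "" ? 0 : $6)
        if (last == "")  { print "unknown";     exit }
        if (last == 0)   { print "must-change"; exit }
        # Empty, negative or 99999 all mean "no maximum age".
        if (max == "" || max < 0 || max >= 99999) { print "never"; exit }
        left = last + max - today
        if (left < 0)          print "expired " (-left)
        else if (left <= warn) print "warn " left
        else                   print "ok " left
    }'
}

# Constructed sample: password set on day 15950, 90-day maximum, 7-day warning.
# pw_status 'root:x:15950:0:90:7:::' 16035    -> warn 5
```

Run from cron, anything other than an "ok" result for root is worth an alert; "never" is worth one too if your policy requires rotation.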

Here is How to recover VCSA 5.5 from an expired administrator account article.

Categories // VCSA, vSphere 5.5 Tags // chage, lockout, password, security, vami, VCSA, vcva, vSphere 5.5

New vCenter Server Simulator 2.0 enhancements in VCSA 5.5

09.04.2013 by William Lam // 47 Comments

Last year I wrote about a very interesting tool called vCenter Server Simulator (VCSIM) which allows a user to quickly simulate a VMware environment that can be comprised of thousands of ESXi hosts and virtual machines. VCSIM can benefit a variety of use cases such as learning about the vSphere API, creating reports for vSphere or vCloud Director to building vSphere Web Client plugins to help visualize large inventories. There was an overwhelming interest in VCSIM from last year and I received some great feedback and feature requests which I fed back to the VMware engineers who developed this internal tool.

With the upcoming version of vSphere 5.5 to be released very soon, I was wondering if there were going to be any new features for VCSIM in VCSA 5.5? I reached out to one of the engineers, Haiping Yang, who works in the Performance Engineering team and is currently taking over some of the development of VCSIM. Some of you might be familiar with some of her work such as the recent visualEsxtop, esxtop and resxtop, to name just a few. In talking to Haiping, I found that she has been quite busy adding cool new features to VCSIM and this is on top of her regular day job!

Disclaimer: This is not officially supported by VMware, please use at your own risk.

Here is a quick summary of the new features of VCSIM 2.0:

Distributed Virtual Switch (VDS) Support:

  • Add / Remove ESXi hosts from VDS
  • Create / Delete Distributed Virtual Portgroup
  • Reconfigure Distributed Virtual Portgroup
    • Add / Remove VM from Distributed Portgroup

vCloud Networking & Security (vCNS) Support:

  • Create / Delete vCNS Gateway
  • Create / Delete Isolated/Routed Org Networks
  • Create / Delete vApp Networks
  • Deploy / Undeploy vApp with DHCP service enabled

Persistent Inventory Configuration upon restart:

  • Folder, Cluster, Resource Pool, Host, Datastore, Virtual Machine, Network and VDS

Custom Configuration Support:

  • ESXi version template
  • ESXi configuration template
  • Datastore configuration
  • Virtual Machine datastore

Easy startup commands:

  • vmware-vcsim-start
  • vmware-vcsim-stop [true|false] - Determines whether the inventory is cleared after stopping VCSIM

Note: Before you can use VCSIM, you will need to configure the VCSA as you normally would by going through the VAMI interface or running through the SSH commands noted in this article.

I will not go over every single feature mentioned above, but I did want to take a look at a few noteworthy features such as the new VCSIM start/stop command, datastore configuration and ESXi host configuration templates.

VCSIM Start/Stop Commands:

With the previous version of VCSIM, you had to manually edit the vCenter Server configuration file (vpxd.conf) and append the necessary VCSIM configurations. In this release, we now have an easy to use command-line utility to start and stop VCSIM. The vmware-vcsim-start command supports several startup options.

To view the list of supported options, just run the following command:

vmware-vcsim-start help

Option 1 - You can specify a VCSIM configuration file and you can find several examples located in /etc/vmware-vpx/vcsim/model

Option 2 - You can specify either the keyword "empty" for a blank vSphere inventory or "default" which will automatically use /etc/vmware-vpx/vcsim/model/vcsim-default.cfg inventory configuration

Option 3 - You can just specify the inventory layout on the command-line. An example would be "custom:dc=1,cluster=1,rp=1,host=1,vm=1,vm_on=1,latency=true"

To get a list of all the available VCSIM configurations, take a look at /etc/vmware-vpx/vcsim/model/vcsim.cfg.template

Here is an example of starting VCSIM using the "default" mode:

vmware-vcsim-start default

 

Datastore Configuration:

Custom datastore configuration was something that was much sought after with VCSIM 1.0 and unfortunately, there was only a single global datastore that was automatically "connected" to all simulated ESXi hosts. The new version of VCSIM now supports custom datastore configurations that can be defined globally, at the cluster level, or as local storage, as well as a string prefix which can help you separate out different VCSIM instances.

Here is an example of the configuration that would need to be added to the VCSIM configuration file:

<datastore>
   <global>1</global>
   <cluster>4</cluster>
   <local>5</local>
   <prefix>vghetto</prefix>
</datastore>

Here is what one of the simulated ESXi hosts would show for its datastores:

 

ESXi Configuration Template:

Another useful feature that I personally have asked for is the ability to customize an individual simulated ESXi host. Though this is still currently a work in progress, what you can do with VCSIM 2.0 is to customize the ESXi host version as well as the datastores on a per host basis. If you take a look at vcsim.cfg.template, you will find a configuration line that looks like:

vcsim/model/hostConfig

This specifies a directory that would contain custom simulated ESXi host templates and their configurations. A sample host template is provided at /etc/vmware-vpx/vcsim/model/hostConfig.xml.template and currently, you need to specify the default simulated hostname (e.g. DC0_C0_H0.xml).

Here is an example of what that host template can look like:

<hostConfig>
  <datastores>
     <ds id="virtuallyGhetto-datastore-1"/>
     <ds id="virtuallyGhetto-datastore-2"/>
     <ds id="virtuallyGhetto-datastore-3"/>
  </datastores>
</hostConfig>

Now if we go back to our DC0_C0_H0 ESXi host, you will see that the host template will override the global configuration:

For the two examples above, here is what I used in my custom VCSIM configuration file that I called vcsim-virtuallyghetto.cfg if you are interested in what I used:

<simulator>
  <enabled>true</enabled>
  <initInventory>vcsim/model/initInventory-default.cfg</initInventory>
  <hostConfigLocation>vcsim/model/hostConfig</hostConfigLocation>
  <datastore>
     <global>1</global>
     <cluster>4</cluster>
     <local>5</local>
     <prefix>vghetto</prefix>
  </datastore>
</simulator>

I have already asked for the ability to fully customize the simulated ESXi host display name and have already been told that this is something they would consider for a future release. VCSIM 2.0 has also been improved to better operate with vCloud Networking & Security and vCloud Director. I was able to quickly test VCSIM 2.0 with the latest version of vCloud Director 5.5 and everything seems to be working fine. You can follow the existing instructions here for vCloud Director setup with VCSIM.

As you can see VCSIM 2.0 contains many new features and I highly encourage you to give it a spin when vSphere 5.5 is made generally available. There are definitely some additional fit and finish features that Haiping just could not get into this release. Hopefully we will get those updates in a future release of VCSIM and include additional ESXi template versions. If you have any feedback, comments or feature requests feel free to leave a comment and I will make sure it reaches Haiping and the development team. I do not want to spoil the surprise, but I just want to say one of the features coming in VCSIM 3.0 will be quite AWESOME! 😀 (sorry for the tease)

Categories // VCSA, vSphere 5.5 Tags // notsupported, simulator, VCSA, vcsim, vcva, vSphere 5.5


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025