WilliamLam.com


Decoding Services Roles/Permissions from a VMware Cloud Services Platform (CSP) Token

03.04.2021 by William Lam // 1 Comment

To programmatically access the various VMware Cloud Services (CSP), such as VMware Cloud on AWS, a user must first generate a CSP Refresh Token using the CSP Console.


When creating a new CSP Refresh Token, you have the option to scope access to a specific set of organization roles and service roles, which enables you to limit the permissions of this token to specific CSP Services. In the example below, I have created a new token which is scoped to the organization owner role along with two VMware Cloud on AWS Service Roles: Administrator (Delete Restricted) and NSX Cloud Admin to be able to grant access to a VMware Cloud on AWS SDDC.


One common issue that I see folks run into when working with some of the CSP Services including VMware Cloud on AWS from a programmatic standpoint is that they did not properly create a token with the correct permissions which usually will lead to some type of invalid request.

For popular services like VMware Cloud on AWS, it is usually pretty easy to track down, especially if the user who is using the CSP Refresh Token is the same person who created it. However, if you are not the person who created the original token, if you have forgotten, or if you have access to multiple tokens, it can be a little difficult to troubleshoot.

The good news, and probably a lesser-known detail about how CSP Refresh Tokens work, is that you can actually decode these tokens to understand what specific scopes were used to create the initial token. Below are two methods to decode these tokens: both CSP Refresh Tokens (generated from the CSP UI) and CSP Access Tokens, which are returned when you request access by providing your CSP Refresh Token.

[Read more...]

Categories // Automation, VMware Cloud, VMware Cloud on AWS Tags // Access Token, JWT, Refresh Token, VMware Cloud, VMware Cloud on AWS

Easily create custom ESXi Images from patch releases using vSphere Image Builder UI

03.01.2021 by William Lam // 11 Comments

Creating a custom ESXi Image Profile that incorporates additional ESXi drivers such as the recently released Community Networking Driver for ESXi Fling or Community NVMe Driver for ESXi Fling is a pretty common workflow. Due to the infrequency of this activity, many new and existing users sometimes struggle with the process to quickly construct a new custom ESXi Image Profile. I personally prefer to use the Image Builder UI that is built right into the vSphere UI as part of vCenter Server.

There are a couple of ways to create a new custom ESXi Image Profile using the Image Builder UI, but the easiest method is to use the Clone workflow, which is especially helpful when you are selecting an ESXi patch release as your base image.

With a regular major release, you only have to deal with two image profiles: standard (includes VMware Tools) and no-tools (does not include VMware Tools).

With an ESXi patch release, you actually have four image profiles: standard (includes VMware Tools + all bug/security fixes), security standard (includes VMware Tools + security fixes only), security no-tools (does not include VMware Tools + security fixes only) and no-tools (does not include VMware Tools + all bug fixes).

If you start with an empty custom image profile and then select your ESXi base image, you will notice there are multiple VIB version packages to select from, since the patch release you had imported earlier actually contains four different ESXi image profiles. Below are step-by-step instructions on using the cloning workflow, since this is a question I get from users who run into package conflicts not realizing they have selected the same package multiple times.

[Read more...]

Categories // ESXi, Home Lab, vSphere Tags // image builder, image profile

Apple NVMe driver for ESXi using new Community NVMe Driver for ESXi Fling 

02.23.2021 by William Lam // 77 Comments

VMware has been making steady progress on enabling both the Apple 2018 Mac Mini 8,1 and the Apple 2019 Mac Pro 7,1 for our customers over the past couple of years. These enablement efforts have had their challenges, including the lack of direct hardware access for our developers and supporting teams due to the global pandemic, and the lack of participation from Apple has certainly not made this easier.

Today, I am happy to share that we have made some progress on enabling ESXi to see and consume the local Apple NVMe storage device found in the recent Apple T2-based Mac systems such as the 2018 Mac Mini and 2019 Mac Pro. There were a number of technical challenges the team had to overcome, especially since the Apple NVMe was not just a consumer grade device but it also did not follow the standard NVMe specification that you normally would see in most typical NVMe devices.

This meant there was a lot of poking and prodding to reverse engineer the behavior of the Apple NVMe to better understand how this device works, which often leads to sudden reboots or PSODs. With the Apple NVMe being a consumer device, it also meant there were a number of workarounds that the team had to come up with to enable ESXi to consume the device. The implementation is not perfect; for example, we do not have native 4kn support for SSD devices within ESXi and we had to fake/emulate a non-SSD flag to work around some of the issues. From our limited testing, we have also not observed any significant impact to workloads when utilizing this driver, and we have also had several internal VMware teams who have already been using this driver for a couple of months now without reporting any issues.

A huge thanks goes out to Wenchao and Yibo from the VMkernel I/O team who developed the initial prototype which has now been incorporated into the new Community NVMe Driver for ESXi Fling.

UPDATE 2 (06/30/2023) - Thanks to reader Spotsygamer, who shared that v1.2 of the NVMe Fling also works with ESXi 8.x and vSAN ESA

UPDATE 1 (11/21/2021) - v1.2 of NVMe Fling works with ESXi 7.x

Caveats

Before folks rush out to grab and install the driver, it is important to be aware of a couple of constraints that we have not been able to work around yet.

  1. ESXi versions newer than ESXi 6.7 Patch 03 (Build 16713306) are currently NOT supported and will cause ESXi to PSOD during boot up.
  2. The onboard Thunderbolt 3 ports do NOT function when using the Community NVMe driver and can cause ESXi to PSOD if activated.

Note: For detailed ESXi version and build numbers, please refer to VMware KB 2143832

VMware Engineering has not been able to pinpoint why the ESXi PSOD is happening. For now, this is a constraint to be aware of which may impact anyone who requires the use of the Thunderbolt 3 ports for additional networking or storage connectivity.

With that out of the way, customers can either incorporate the Community NVMe Driver for ESXi offline bundle into a new ESXi Image Profile (using vSphere Image Builder UI/CLI), export the image as an ISO and install that on either a Mac Mini or Mac Pro, or manually install the offline bundle after ESXi has been installed over USB; upon reboot, the local Apple NVMe will then be visible for VMFS formatting.

Here is a screenshot of ESXi 6.7 Patch 03 installed on my 2018 Mac Mini with the Apple NVMe formatted with VMFS and running a macOS VM.

Categories // Apple, ESXi, vSphere 6.7, vSphere 7.0 Tags // apple, mac mini, mac pro, NVMe


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
