WilliamLam.com

How to deploy the vCenter Server Appliance (VCSA) 6.5 running on VMware Fusion & Workstation?

10.27.2016 by William Lam // 31 Comments

As with any new release of vSphere, it is quite common for customers to deploy the new software in either a vSphere home or test lab to get more familiar with it. Although not everyone has access to a vSphere lab environment, the next best thing is to leverage either VMware Fusion or Workstation. With the upcoming release of vSphere 6.5, this is no different. In fact, during the vSphere Beta program, this was something that was asked about by several customers and something I had helped document as the process has changed from previous releases of the VCSA.

In vSphere 6.5, the VCSA deployment has changed from a "Single" monolithic stage where a user enters all of their information up front and the installer goes and deploys the VCSA OVA and then applies the configurations. If you had fat finger say a DNS entry or wanted to change the IP Address before applying the actual application configurations, it would not be possible and you would have to re-deploy which was not an ideal user experience.

In vSphere 6.5, the new UI installer will still allow you to perform a "Single" monolithic stage but it is now broken down into two distinct stages as shown below with their respective screenshots:

Stage 1 - Initial OVA deployment which includes basic networking

Stage 2 - Applying VCSA specific personality configuration

Just like in prior releases of the VCSA, the UI translates the user input into specific OVF properties which are then passed into the VCSA guest for configuration. This means that if you wish to deploy VCSA 6.5 running Fusion or Workstation, you will have two options to select from. You either deploy VCSA and complete both Stage 1 and 2 or just Stage 1 only. If you select the latter option, to complete the actual deployment, you will need to open a web browser to the VAMI UI (https://[VCSA-IP]:5480) and finish configuring the VCSA using the "Setup vCenter Server Appliance" option as shown in the screenshot below.

If your goal is to quickly get the VCSA 6.5 up and running, then going with Option 1 (Stage 1 & 2 Config) is the way to go. If your goal is to learn about the new VCSA UI Installer, then you can at least get a taste of that by going with Option 2 (Stage 1 Config) and this way you can step through Stage 2 using the native UI installer.

One last thing I would like to mention is that there have been a number of new services added to the VCSA 6.5. One example is that vSphere Update Manager (VUM) is now embedded in the VCSA and it is also enabled by default. With these new services, the tiniest deployment size is going to require 10GB of memory where as before it was 8GB. This is something to be aware of and ensure that you have adequate resources before attempting to deploy the VCSA or else you may see some unexpected failures while the system is being configured.

Note: If you have access to fast SSDs and would like to overcommit memory in Fusion or Workstation, you might be able to get this to work leveraging some tricks mentioned here. This is not something I have personally tested, so YMMV.

Here are the steps to deploy VCSA 6.5 using either VMware Fusion or Workstation:

Step 0 (Optional) - Familiarize yourself with setting up VCSA 6.0 was on Fusion/Workstation with this blog post which will be helpful for additional context.

Step 1 - Download & extract the VCSA 6.5 ISO

Step 2 - Import the VCSA OVA which will be located in vcsa/VMware-vCenter-Server-Appliance-6.5.0.5100-XXXXXX_OVF10.ova using either VMware Fusion or Workstation (you can either double click or just go to File->Open) but make sure you do NOT power it on after deployment. (this is very important)

Step 4 - Locate the directory in which the VCSA was deployed to and open up the VMX file and append one of the following options (make sure to change the IP information and passwords based on your environment):

Option 1 (Stage 1 & 2 Configuration):

guestinfo.cis.deployment.node.type = "embedded"
guestinfo.cis.appliance.net.addr.family = "ipv4"
guestinfo.cis.appliance.net.mode = "static"
guestinfo.cis.appliance.net.pnid = "192.168.1.190"
guestinfo.cis.appliance.net.addr = "192.168.1.190"
guestinfo.cis.appliance.net.prefix = "24"
guestinfo.cis.appliance.net.gateway = "192.168.1.1"
guestinfo.cis.appliance.net.dns.servers = "192.168.1.1"
guestinfo.cis.appliance.root.passwd = "VMware1!"
guestinfo.cis.appliance.ssh.enabled = "True"
guestinfo.cis.deployment.autoconfig = "True"
guestinfo.cis.appliance.ntp.servers = "pool.ntp.org"
guestinfo.cis.vmdir.password = "VMware1!"
guestinfo.cis.vmdir.site-name = "virtuallyGhetto"
guestinfo.cis.vmdir.domain-name = "vsphere.local"
guestinfo.cis.ceip_enabled = "False"

Option 2 (Stage 1 Only Configuration):

Step 5 - Once you have saved your changes, go ahead and power on the VCSA. At this point, the guestinfo properties that you just added will be read in by VMware Tools as the VCSA is booting up and the configuration will begin. Depending on the speed of your hardware, this can potentially take up to 15min+ as I have seen it. Please be patient with the process. If you wish to check the progress of the deployment, you can open a browser to https://[VC-IP]:5480 and you should see some progress or you can periodically connect to the Hostname/IP Address and once it is done, you should be taken to the vCenter Server's main landing page.

Virtual NVMe and Nested ESXi 6.5?

10.26.2016 by William Lam // 4 Comments

After publishing my Nested ESXi enhancements for vSphere 6.5 article, I had received a number of questions on whether the new Virtual NVMe (vNVMe) capability introduced in the upcoming vSphere 6.5 release would also work with a Nested ESXi VM? The answer is yes, similiar to PVSCSI and VMXNET3, we also have an NVMe driver for ESXi running in VM.

Disclaimer: Nested ESXi and Nested Virtualization is not officially supported by VMware, please use at your own risk.

To consume the new vNVMe for a Nested ESXi VM, you will need to use the latest ESXi 6.5 and later compatibility (vHW 13). Once that has been done, you can then add the a new NVMe Controller to your Nested ESXi VM and then assign that to one of the virtual disks as shown in the screenshot below.

Next, you would install ESXi 6.5 as you normally would and the NVMe controller will automatically be detected and driver will be loaded. In the example below, you can see I only have a single disk which ESXi itself is installed on and it is backed by the NVMe Controller.

One of the biggest benefit of using an NVMe interface over the traditional SCSI is that it can significantly reduce the amount of overhead compared to the SCSI protocol which in turn consumes less CPU cycles as well as reducing the overall amount of IO latency for your VM workloads. Obviously, when using it inside of a Nested ESXi VM, YMMV but hopefully you should also see an improvement there as well. For those who plan to give this a try in their environment, it would be good to hear what type of use cases you might have in mind for this and if you have any feedback (good/bad), feel free to leave a comment.

5 ways to a run PowerCLI script using the PowerCLI Docker Container

10.25.2016 by William Lam // 5 Comments

In case you missed the exciting update last week, the PowerCLI Core Docker Container is now hosted on Docker Hub. With just two simple commands you can now quickly spin up a PowerCLI environment in under a minute! This is really useful if you need perform a couple of operations using the cmdlets interactively and then discarding the environment once you are done. If you want to do something more advanced like run an existing PowerCLI script as well as potentially persist its output (Docker Containers are stateless by default), then there are few options to consider.

To better describe the options, lets use the following scenario. Say you have a Docker Host, this can be a VMware's Photon OS or a Microsoft Windows, Linux or Mac OS X system which has the Docker Client running. The Docker Host is where you will run the PowerCLI Core Docker Container and it also has access to a collection of PowerCLI scripts that you have created or downloaded else where. Lets say the location of these PowerCLI scripts are located in /Users/lamw/scripts and you would like them to be available within the PowerCLI Core Docker Container when it is launched, say under /tmp/scripts.

Here is a quick diagram illustrating the scenario we had just discussed.

Here are 5 different ways in which you can run your PowerCLI scripts within the Docker Container. Each will have its pros/cons and I will be using real sample scripts to exercise each of the options. You can download all the sample scripts in my Github repository: powerclicore-docker-container-samples

Note: Before getting started, please familiarize yourself with launching the PowerCLI Core Docker Container which you can read more about here. In addition, you will need access to either a vCenter Server or ESXi host environment and also please create a tiny "Dummy" VM called DummyVM which we will be using to update its Notes field with the current time.

UPDATE (04/11/18) - Microsoft has GA'ed PowerShell Core, one of the changes is the name of the PS binary from powershell to pwsh. For entrypoint parameter, you will need to specify /usr/bin/pwsh rather than /usr/bin/powershell

Option 1:

This is the most basic and easiest method. You literally run a PowerCLI script that already contains all of the necessary information hardcoded within the script itself. This means things like credentials as well as user input that is required can be found within the script. This is obviously simple but makes it very inflexible as you would need to edit the script before launching the container. Another downside is that you now have your vSphere credentials hardcoded inside of the script which is also not ideal from a security standpoint.

To exercise example 1, please edit the pcli_core_docker_sample1.ps1 script and update it with your environment credentials and then run the following command:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample1.ps1

If executed correctly, the Docker container should launch, connect to your vSphere environment, update the notes field of DummyVM with the current time and then exit. Pretty straight forward and below is a screenshot of this example.

Option 2:

Nobody likes hardcoding values, especially when it comes to endpoints and credentials. This next method will allow us to pass in variables from the Docker command-line and make them available to the PowerCLI scripts inside of the container as OS environmental variables. This allows for greater flexibility then the previous option but the downside is that you may potentially be exposing credentials in plaintext which can be inspected by others who can perform docker run/inspect commands. You also need to update your existing PowerCLI scripts to handle the environmental variable translation which may not be ideal if you have a lot of pre-existing scripts.

To exercise example 2, run the following command and specify your environmental credentials in the command-line instead:

docker run --rm -it \
-e VI_SERVER=192.168.1.150 \
-e VI_USERNAME=*protected email* \
-e VI_PASSWORD=VMware1! \
-e VI_VM=DummyVM \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample2.ps1

If executed correctly, you will see that the variables that we have defined are passed into the container and we are now able to make use of them within the PowerCLI script by simply accessing the respective environmental variable names as shown in the screenshot below.

Option 3:

If you have created some PowerCLI scripts which already prompt for user input which can include also include credentials, then another way to run those script is to do so interactively. If the parameters are required for a given script, then it should prompt for input. The benefit here is that you can reuse your existing PowerCLI scripts without needing to make any modifications even when executing it within a Docker container. You are also not exposing any credentials in plaintext. To take this step further, you could also implement the secure string feature in PowerShell but that would still require you to include a small snippet in your PowerCLI script to do the appropriate decoding when connecting.

To exercise example 3, run the following command and specify your environmental credentials in the command-line instead:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample3.ps1

If executed correctly, you will be prompted for the expected user inputs to the script and then it will perform the operation as shown in the screenshot below.

Option 4:

Similiar to Option 3, if you have defined parameters to your PowerCLI script, you can also just specify them directly in the Docker command-line just like you would if you were to manually run the PowerCLI script in a Windows environment. Again, the benefit here is that you can reuse your existing PowerCLI scripts without any modifications. You do risk exposing any credentials if you are passing it through the command-line, but the risk was known as you are already doing that with your existing scripts. A downside to this option is if your PowerCLI script accepts quite a few parameters, your Docker run command can get quite long. You may just consider prompting for endpoint/credentials and the rest of the user input can then be passed in dynamically if you were to go with this option.

To exercise example 4, run the following command and specify your environmental credentials in the command-line instead:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample3.ps1 -VI_SERVER 192.168.1.150 -VI_USERNAME *protected email* -VI_PASSWORD VMware1! -VI_VM DummyVM

Option 5:

The last option is a nice compromise of the above in which you can continue leveraging your existing scripts but providing a better way of sending in things like credentials. As I mentioned before, Docker Volumes allows us to make directories and files available from our Docker Host to the Docker Container. This not only allows us to make our PowerCLI scripts available from within the container but it can also be used to provide access to other things like simply sourcing a credentials file. This method works on a per-individual basis running the container without any major modification to your existing scripts, you simply just need to source the credential file at the top of each script. Best of all, you are not exposing any sensitive information

Note: Some of you might be thinking about PowerCLI's credential store and seeing how that might be a better solution but currently today that has not been implemented yet in PowerCLI Core which is really leveraging Microsoft's credential store feature. Once that has been implemented in .NET Core, I am sure the PowerCLI team can then add that capability which is probably the recommended and preferred option both from a security perspective as well as Automation standpoint.

To exercise example 5, edit the credential.ps1 file and update it with your environmental credentials and run the following command:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample4.ps1 -VI_VM DummyVM

If executed correctly, the same variables in the credentials file will then be loaded into the PowerCLI script context and run the associated operations and exit.

As you can see, there are many different ways in which you can run your existing PowerCLI scripts using the new PowerCLI Core Docker Container. Hopefully this article gives you a good summary along with some real world examples to consider. Given this is still an active area of development by the PowerCLI team, if you have any feedback or suggestions, please do leave a comment. I know the Alan (PM) as well as the engineers are very interested in hearing your feedback and seeing how else we could better improve the user experience of both PowerCLI Core as well as consuming PowerCLI Core through these various interfaces.

UPDATE (10/25/16) - It looks like PowerCLI Core Docker Container has been updated with my suggestion below, so you no longer need to specify the --entrypoint parameter 🙂

One finale note, right now the PowerCLI Core Docker Container does not automatically startup the Powershell process when it is launched. This is why we have the --entrypoint='/usr/bin/powershell' command appended to the Docker command-line. If you prefer to have Powershell start up which will automatically load the PowerCLI module, you can check out my updated PowerCLI Core Docker Container: lamw/powerclicore which uses the original as a base with one tiny modification. Perhaps this is something Alan and the team would consider making as a default in the future? 🙂