WilliamLam.com


How To Enable Nested ESXi Using VXLAN In vSphere & vCloud Director

05.06.2013 by William Lam // 9 Comments

Recently I received several inquiries asking how to configure nested ESXi (Nested Virtualization) to function in a VXLAN environment. I have written several articles in the past on configuring nested ESXi in a regular vSphere and vCloud Director environment, but with the use of a VXLAN backed network, a few additional steps are required. These steps include additional configuration of the vCloud Network & Security Manager (previously known as vShield Manager), which ensures that both the required promiscuous mode and forged transmits are automatically enabled for the VXLAN virtual wires (vWires), as they are managed exclusively by the vCNS Manager.

In this article, I will walk you through the configurations that are required when using VXLAN in both a vSphere only environment as well as a vCloud Director environment. If you would like to learn more about how VXLAN works, be sure to check out the multi-part VXLAN series (Part 1/Part 2) by Venky Deshpande.

Disclaimer: This is not officially supported by VMware, please use at your own risk.

Configurations for VXLAN in vSphere Environment

Step 1 - Deploy vCNS Manager and configure it to point to your vCenter Server (do not enable or prepare VXLAN, this must be done after the configurations)

Step 2 - You will need to identify the VDS MoRef ID in your vCenter Server which will be used in the next step. Since the configuration is applied at the VDS level, you may want to consider having a separate VDS serving Nested Virtualization traffic since both promiscuous mode & forged transmits will automatically be enabled for all vWires. To locate the VDS MoRef ID, login to the vSphere Web Client and select the summary view for the VDS.

The VDS MoRef ID will be towards the end of the URL and it should start with dvs-X, where X is some arbitrary number. Record this value for the next step.

Step 3 - Download the enablePromForVDS.sh shell script, which will be used to prepare the VDS within the vCNS Manager. The script performs a POST to the vCNS Manager REST API using cURL and accepts three input parameters: vCNS Manager IP Address/Hostname, VDS MoRef ID and VDS MTU. The username/password is hard coded in the script to the default, which is admin/default. If you have modified the default password like any good admin, you will want to change the password in the script before running it. If you take a look at the request body, you will notice that only promiscuous mode is set to true, but this will automatically enable forged transmits as well.

In my lab environment, I have the vCNS Manager IP to be 172.30.0.196, VDS MoRef ID to be dvs-13 and VDS MTU to be 9000. So the syntax to run the script would be:

./enablePromForVDS.sh 172.30.0.196 dvs-13 9000

Here is a screenshot of executing the script. You should see a response back with 200 to indicate successful execution of the script.

Step 4 - Now, we will proceed with the VXLAN preparation. Start off by logging into the vCNS Manager and selecting the vSphere Datacenter on which you wish to enable VXLAN. On the right you should see a tab called "Network Virtualization". Click on that and then click on the sub-tab called "Preparation". Click on edit, select the vSphere Cluster and proceed through the wizard based on your environment configuration.

Step 5 - Once the VXLAN preparation has completed, click on the "Segment ID" and configure that based on your environment.

Step 6 - Next, click on "Network Scopes" and you will create a network scope and specify the set of vSphere Clusters the VXLAN network will span.

Step 7 - Lastly, click on "Networks". This is where you will create your vWires and ensure the proper network scope is selected.

Step 8 - To confirm that everything has been configured properly, we now log back into our vSphere Web Client and head over to the VDS settings page. You should now see a new vWire portgroup that has been created. If we take a look at its settings, we should see that both promiscuous mode and forged transmits are enabled.

You are now done with the VXLAN configurations in the vCNS Manager and can proceed to the regular instructions for enabling Nested ESXi for vSphere.

Note: If you have already prepared VXLAN in your environment, you can still configure the above without having to un-prepare your VXLAN configurations. You just need to login to the vCNS Manager via the REST API and perform a DELETE on the VDS switch (Please refer to page 153 of the vCNS API Programming Guide) which will just delete the mapping from vCNS but will not destroy any of your VDS configuration. Once that is done, you will be able to use the script to configure the VDS with the proper settings.
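
Added example (not the author's enablePromForVDS.sh and not VMware code): a variant of the Step 3 call that validates its three inputs and lets curl prompt for the password instead of hard coding admin/default. The endpoint path, the XML element names, the MTU bounds and the VCNS_USER / VCNS_CACERT variables are assumptions that do not appear on this page; check them against the vCNS API Programming Guide.

```shell
#!/bin/sh
# Added example, not the original enablePromForVDS.sh.
# ASSUMPTIONS: endpoint path, XML element names, MTU bounds and the
# VCNS_USER / VCNS_CACERT variables are illustrative, not taken from the page.

# Hostname or IPv4 address only: letters, digits, dots and hyphens.
valid_host() { case "$1" in ''|*[!A-Za-z0-9.-]*) return 1;; esac; }

# MoRef must be dvs-<digits>, as described in Step 2.
valid_moref() {
  case "$1" in dvs-|dvs-*[!0-9]*) return 1;; dvs-*) return 0;; esac
  return 1
}

# MTU must be a plain 4-digit number between 1600 and 9000 (assumed bounds).
valid_mtu() {
  case "$1" in ''|*[!0-9]*|0*|?????*) return 1;; esac
  [ "$1" -ge 1600 ] && [ "$1" -le 9000 ]
}

# Build the request body from validated values only, so no stray markup
# can be spliced into the XML.
build_body() {
  valid_moref "$1" || { echo "bad VDS MoRef ID: $1" >&2; return 1; }
  valid_mtu "$2"   || { echo "bad MTU: $2" >&2; return 1; }
  printf '<vdsContext><switch><objectId>%s</objectId></switch>' "$1"
  printf '<mtu>%s</mtu><promiscuousMode>true</promiscuousMode></vdsContext>' "$2"
}

prepare_vds() {
  valid_host "$1" || { echo "bad host: $1" >&2; return 1; }
  body=$(build_body "$2" "$3") || return 1
  url="https://$1/api/2.0/vdn/switches"
  # Certificate checking stays on; point VCNS_CACERT at the Manager's CA file.
  set -- --silent --show-error --output /dev/null --write-out '%{http_code}\n'
  if [ -n "${VCNS_CACERT:-}" ]; then set -- "$@" --cacert "$VCNS_CACERT"; fi
  # --user with a name only makes curl prompt for the password, so it is
  # neither stored in the script nor visible in the process list.
  curl "$@" --user "${VCNS_USER:-admin}" -H 'Content-Type: application/xml' \
       --data "$body" "$url"
}

# Run only when called as: ./script <vcns-host> <dvs-moref> <mtu>
if [ "$#" -eq 3 ]; then prepare_vds "$@"; fi
```

As with the original script, a printed 200 indicates the request succeeded.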

Configurations for VXLAN in vCloud Director Environment

A VXLAN network pool is automatically created for you when using vCloud Director 5.1, so the steps for preparing Nested Virtualization for vCloud Director are extremely simple compared to the vSphere only environment.

Note: VXLAN is only supported in vCloud Director 5.1; for previous versions you have the choice of using a VCD-NI or vSphere backed network, and the configurations for that can be found here.

Step 1 - Please follow the steps 1-5 from above in the vSphere only environment and then you are done. If you would like a more detailed walk through for configuring VXLAN for a vCloud Director environment, check out this article by Rawlinson Rivera who takes you through the process step by step.

Step 2 - Proceed to the regular instructions for enabling Nested ESXi for vCloud Director.

Step 3 - Lastly, you will go through the vCloud Director setup, which is to attach your vCenter Server & vCNS Manager, create a Provider VDC, create an Organization, assign resources to your Organization VDC and ensure that the OrgVDC is consuming the VXLAN network pool that is automatically created for you when you create the Provider VDC. Once that is done, when you deploy your vApp, you will see a vWire that was automatically created for you. If we log in to the vSphere Web Client and go to the VDS settings, you will see the vWire has both promiscuous mode and forged transmits automatically enabled.

Additional Resources:

  • Nested Virtualization Resources

Categories // Automation, Nested Virtualization, NSX Tags // nested, vcloud director 5.1, vcloud networking and security, vcns, vhv, vSphere 5.1, VXLAN

Exporting An Amazon EC2 Instance To Run On vSphere

05.02.2013 by William Lam // 15 Comments

I attended the Silicon Valley VMUG yesterday and there was an interesting question that was brought up at the end of Joe Sarabia's Software Defined Datacenter session (which was great BTW, folks stayed past the end and this was during lunch!). The question from the attendee was how to export an Amazon EC2 Instance and run that on a vSphere ESXi host. Joe's answer was that there is not a tool from VMware but there should be some 3rd party tools out there that could help with this task.

This was not something I had really thought about before since I do not use Amazon EC2, and of course that piqued my curiosity. I assumed importing and exporting Instances to and from Amazon EC2 would be just as easy as it is on VMware vSphere. To export a VM in vSphere, you simply select the VM and then Export, which can output either an OVF or OVA format.

After a quick search on Amazon's EC2 website, I found that you can export an EC2 Instance by using EC2 API Tools. So I went ahead and deployed both a Linux and Windows Instance and ran through the installation of the EC2 API Tools on my Mac OS X system at home. I tried to export the Linux Instance and it threw an error saying not supported, which I thought was odd, and then tried the Windows Instance and it threw another interesting error:

Client.NotExportable: Only imported instances can be exported.

My initial thought was that I must have done something wrong. I dug a bit more into Amazon's documentation which was not very easy to find and finally found the Exporting EC2 Instance documentation. It turns out there are a few "caveats" if you want to export an EC2 Instance:

Only the following operating systems are supported:

  • Windows Server 2003 R2 (Standard, Enterprise, and Datacenter)
  • Windows Server 2008 (Standard, Enterprise, and Datacenter)
  • Windows Server 2008 R2 (Standard, Enterprise, and Datacenter)

This meant that you could not export any of your Linux Instances. In addition, these Instances must be uploaded by the user initially for them to be eligible for export. I also found there were several other export limitations:

  • You cannot export Amazon Elastic Block Store (Amazon EBS) data volumes.
  • You cannot export an instance that has more than one virtual disk.
  • You cannot export an instance that has more than one network interface.

I was actually quite surprised to see how difficult and restrictive Amazon has made it for exporting their EC2 Instances; I really thought it would have been just as easy as it is on VMware vSphere. I also came across this VMware KB 1018015, which provides an alternative to the EC2 API Tools and has you install VMware Converter on the Windows system to export the EC2 Instance.

Categories // Uncategorized Tags // amazon ec2, export, ova, ovf, vSphere

Installing ESXi 5.1 Update 1 on Mac Mini is Now a Breeze! (No Custom ISO/patches Needed!)

04.26.2013 by William Lam // 68 Comments

ESXi 5.1 Update 1 was just released by VMware and, similar to the ESXi 5.0 Update 2 release last year, the tg3 (Broadcom) driver has now been updated to 3.123b.v50.1, which is required to support network connectivity on the Apple Mac Minis. Prior to this, to install ESXi on an Apple Mac Mini, users were required to build a custom ISO that included the updated tg3 driver, and I am happy to say this is no longer necessary! In addition, having the latest driver also provides out of the box support for the Thunderbolt ethernet adapter, which is great if you are looking to add an additional ethernet connection to the Apple Mac Mini.

Disclaimer: The Apple Mac Mini is not officially supported by VMware.

Here is a quick screenshot of the networking details including the Thunderbolt ethernet adapter on my Apple Mac Mini 5,3 running ESXi 5.1 Update 1:

Apple Mac Mini 6,2 Users

If you have an Apple Mac Mini 6,2, the workarounds described in this article are still required, and there is an additional issue regarding the on-board NIC for the Apple Mac Mini 6,2. The issue is that the on-board NIC is not recognized and claimed by the tg3 driver because there is not a PCI ID entry in the tg3 map file. Note, the BCM57766 is supported by the driver, it was just missing the mapping (I believe this was the case in 5.0 as well). Working with VMware engineering, I was able to obtain the SMC fix and, along with the workarounds that I built earlier for ESXi 5.0, I have created a custom ESXi 5.1 Update 1 ISO that includes all the fixes, and you will be able to install it on your Apple Mac Mini 6,2 without any further modifications.

Download: ESXi-5.1u1-MacMini-SMC-BOOT-FIX-6-2.iso

Note: From my understanding, some of these issues have been fixed but just did not make it in time for the Update 1 release. I'm hoping that we will be able to get most of these fixed in a future patch or update. This is actually pretty awesome, given that this is NOT SUPPORTED by VMware, but engineers are still willing to help the community out!

UPDATE: When trying to enable vSphere HA, the following error "Could not find a trusted signer" is thrown. To get around this problem, you will need to manually install the vSphere HA VIB and then reconfigure vSphere HA. The easiest method is to SCP the VIB from the VCSA and then use ESXCLI with the --no-sig-check flag, which skips signature verification of the VIB, to install it.

Here are the commands to run:

scp /etc/vmware-vpx/docRoot/vSphere-HA-depot/vib20/vmware-fdm/VMware_bootbank_vmware-fdm_5.1.0-1064983.vib [email protected]:/tmp
esxcli software vib install -v /tmp/VMware_bootbank_vmware-fdm_5.1.0-1064983.vib --no-sig-check

Additional Resources:

  • Resource page for all things VMware and Apple

Categories // Uncategorized Tags // ESXi 5.0, mac, mac mini, notsupported, osx, tg3, thunderbolt, update 1


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025