WilliamLam.com

Search Results for: kickstart

Configuring TLS Cipher Suites in ESXi 8.0 Update 1

by // 1 Comment

For organizations that mandate specific TLS cipher suites for compliance purposes, you may have used the instructions outlined in this VMware KB 79476 to modify the ESXi Reverse Proxy Configuration File to select the desired supported TLS cipher suites prior to ESXi 8.0 Update 1.

As of ESXi 8.0 Update 1, all configurations including configuration files have been migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1 and you can learn more about it HERE and HERE. Additionally, I recently came to learn from one of our customers, who had inquired about changing the TLS cipher suites for ESXi that as of vSphere 8.0 Update 1, ESXi now runs two reverse proxy: rhttpproxy and Envoy with port 443 now being owned by the Envoy service, which is a popular and lightweight solution for reverse proxy usage.

The implication of this change is that modifying the TLS cipher suites for ESXi as of 8.0 Update 1 now requires the use of the ESXi Configuration Store and with Envoy as the reverse proxy, it is helpful to understand the types of TLS cipher suites that can be supported will be based on Google's BoringSSL TLS implementation, which Envoy itself consumes.

[Read more...]

ESXi configstorecli enhancement in vSphere 8.0 Update 1

by // Leave a Comment

The ESXi configstorecli was introduced back in vSphere 7.0 Update 1 and provides access to the ESXi ConfigStore which responsible for centrally managing all configurations for an ESXi host instead of relying on different methods including a variety of configuration files, I highly recommend reviewing this refresher article HERE if you have not heard of the configstorecli before. The ESXi ConfigStore is also the underlying infrastructure that powers the new vSphere Configuration Profile feature which is also part of the vSphere Lifecycle Manager (vLCM) solution.

For those who currently or plan to automate ESXi installations using Kickstart, I wrote an article HERE last year on how to start converting some of your existing automation into using the new ESXi configstorecli, which is another article I recommend folks take a look if you have no already.

One of the challenges that I personally found when using configstorecli was purely figuring out the overall schema for the different components, groups and keys that are available. While I have demonstrated how to traverse the configstore in this blog post HERE, I still found experience less than ideal. I would have liked a bit more of an iterative exploration of the configstore itself and rather than showing the entire schema, I could slowly expect each node as configstore is a stored as a JSON document.

[Read more...]

How to bootstrap vSAN Express Storage Architecture (ESA) on unsupported hardware?

by // 2 Comments

I was recently chatting with a fellow colleague who asked an interesting question about the memory overhead between running vSAN Original Storage Architecture (OSA) versus the new vSAN Express Storage Architecture (ESA) from a VMware Homelab perspective. I honestly did not know the answer as I am only using vSAN OSA for my personal homelab. I was curious myself, especially its implicationn on small form factor (SFF) systems which typically max at out 64GB of memory.

Today, vSAN ESA is only officially supported when using vSAN ESA Ready Nodes which are all listed in the vSAN ESA HCL and the minimum amount of memory is 512GB. For the best possible experience and supported configurations, customers should only use approved vSAN ESA hardware and the use of any other systems will not yield the same benefits nor outcomes. As an aside, a fantastic resource for all things vSAN ESA can be found on the vSAN ESA TechZone page, which I highly recommend bookmarking as there is a lot of in-depth technical resources and collateral.

Disclaimer: This is not officially supported by VMware and is purely for educational purposes, use at your own risk.

[Read more...]