Configure vCloud Connector for your Hybrid Cloud

Just some notes here on how an organisation can manage Public Cloud resources through vCloud Connector (vCC), on a VMware-powered Public Cloud offering of course.

First note: you don't have to have vCloud Director. You can move workloads from a vSphere environment straight into a vCD-powered Public Cloud and back again without re-engineering. Be aware though that when you do, the construct may change, i.e. a single VM becomes a vApp when moved from vSphere to a vCloud Public Cloud, and becomes a VM again when the same vApp is moved back. This is explained in the vCC user guide, here.

Second note: I'm a Mac OS user, so using vCD is a pain currently. The management portal doesn't like Safari, so I use Firefox. However, configuring the vCC nodes through the web portal gets stuck on Firefox, so I have to use Safari.

Mac OS is still not a supported OS for the VMRC. So I can’t access the console of any VMs without going through a Windows OS.

Third note: both the vCC Server and the vCC Node ship with the same default username and password, 'admin' and 'vmware'. Change them on first login, and certainly before you publish a node on a public IP address (step 10).

Fourth note: this is a quick and dirty process, and not the most secure, so be warned.

OK, so how do you get to this point, where we can 'copy' workloads across from my on-premise platform to multiple off-premise platforms?


Step 1. Deploy the vCC Server into the environment as per a normal vApp, and configure it via the web portal on port 5480. Enter your license key.

Step 2. I've chosen to manage my clouds through vCenter instead of the vcloud.vmware.com portal, so I register the vCC Server with my vCenter.


Step 3. I've decided to connect my normal vSphere environment to an external cloud, so deploy a vCC Node as per a normal vApp. Configure the node to connect to my vCenter instead of the vCloud Director option. Tick 'ignore SSL certs' (this switches off certificate validation between the node and vCenter, so the node will trust any certificate presented to it; acceptable in a lab, but in production put a trusted certificate on vCenter and leave it unticked).


Step 4. Go back to the vCC Server and register the vCC Node to the vCC Server, through the Node tab.


Step 5. Here's a bit to remember: name the 'Node Info Name' what you want it to be called in vCenter, i.e. Internal vSphere, or VMware Hybrid.


Step 6. Log into vCenter and accept the new SSL certs, and a vCloud Connector option appears. Here you need to add that cloud platform in. Select 'Clouds' in the left-hand navigation bar. Select 'Add', and a pop-up window will appear with the vCC Node Info Name entered in step 5.


Step 7. Register for a Public Cloud offering. I've got an evaluation at VMware Hybrid Cloud and others such as Colt & BlueLock. You can get them here and here.

Step 8. Deploy a vCC Node in each of the Cloud offerings taken up, very similar to step 3. Use the vApp templates that the Public Cloud already has, otherwise you may have to upload the vApp yourself. Ensure that an IP address is applied to the vApp via remote console access.


Step 9. Configure the Edge appliance with NAT and firewall rules to allow connectivity to the vCC Node.
a) Do this by selecting Administration and then selecting the allocated vDC.
b) Select the Edge Gateways tab and the Edge appliance will appear.


c) Right-click the Edge appliance and select 'Edge Gateway Services'. Here you can configure things like load balancing, VPN etc.

d) Configure a DNAT from the public IP address to the vCC Node and an SNAT from the 'internal network' to the public IP address. (If you don't know your public IP address, just put in any number and an error will pop up with the public IP address.)


e) Configure the firewall to allow inbound and outbound traffic. Don't make it any/any: limit the inbound rule to the DNAT'd public IP and the ports the vCC Node actually needs (5480 for its admin portal, plus those listed in the vCC install guide), and only from your on-premise public address, otherwise the node's admin portal, default credentials and all, is open to the whole internet.


Step 10. Access the vCC Node through the public IP address on port 5480 (this is the admin portal behind the default credentials from the third note, so change them here if you haven't already).

Step 11. Configure the vCCNode to connect to the Public Cloud the vCCNode resides in.


Step 12. Log back into the vCC Server and register the vCC Node as per steps 4-5.

Step 13. Log into vCenter and add the ‘cloud’ as per step 6.

Done.

Lots of questions pop into the mind from here on though..

e.g. does vCops monitor the workloads in the off-premise platform?
Does chargeback pull utilisation stats off for centralised costing?
Can we use orchestrator to automate the movement of apps across, back and forth?
How fast is this bursting?

Let's see, eh..

A VCDX Wannabe…

OK, so I wanna be a VCDX, and I'll let you all know how I'm getting on..

Firstly, I'm already a VCAP-DCD5 and there's not much more to add than what's already out there on the web. If you do, however, have access to the VMware partner portal, it's well worth going through some of the competency courses.

I’ve taken the VCAP-DCA5 recently and this is a post on that experience.. (I haven’t got my results yet)

It was pretty scary! It's the first time I have ever taken a live lab exam, and I would definitely give it a thumbs up for providing employers a better gauge of a prospective employee's skill and experience than a VCP (of which I was quite happy to be one, for a long time =) ).

If there is one ultimate tip I could give, and your testing centre is not situated in the US, it is: try and get an exam time out of business hours, though this theory has not been proven as far as I know..

This is because the latency I experienced from keystroke to screen display was horrendous from Singapore. Just switching views inside the vSphere client would take approx. 15-20 secs. You might think that's not too bad if there are only 26 questions, but there are multiple tasks in each question, of which each task may need different screens to complete. Let's just say on average it's 10 screen changes per task and 10 tasks per question; that equates to 42 minutes of waiting time on an exam time frame of 4 hours. You've lost nearly 18% of your time.

Still, I was quite well prepared, with most questions do-able without too many hesitations or excessive screen switching, yet I could only get to question 21. So fingers crossed.

I'm on a Mac, so the other tip is to get used to a normal keyboard, preferably the same one as the testing centre's.

Tip 3: As all the other guys have blogged, get practising! Build that lab, with Auto Deploy etc. I did it in under an hour so I'm sure you could too.

My study notes are below; they're a bit verbose, as all I wanted to get to grips with was the execution rather than the outcomes and the reasons why.

I've emailed VMware about my dissatisfaction, and they have kindly responded with a free retake if I have not passed. That's all good, but I'd rather not have to sit through another 4 hours and experience the same issue. And I'm definitely not well off enough to fly to the US for the exam.

Hey VMware, just a thought.. Can we use PCoIP instead of RDP?

So here are my notes, go execute!

Find a file

find / -name 'name-of-file'

*****

CPU metrics

ready time (ms, summed over the 20 s sample interval) / 20000 x 100 = % of time waiting for CPU (ready time %); the summation covers all vCPUs, so divide by the vCPU count for a per-vCPU figure

*****

Memory

memory granted  -  host physical memory actually mapped (allocated) to the VM, as opposed to its configured size

Average memory active  -  amount of memory estimated to be in active use, based on recently touched memory pages.

Consumed memory  -  host physical memory backing the VM: granted memory minus what TPS page sharing saves

check if VMware tools is installed via esxtop (J* option)

*****

Storage

Disk.commandsAborted.summation

Any non-zero value is bad: it means commands took longer than the guest's timeout (60 seconds) to complete and were aborted.

Disk.busResets.summation

is as bad as commands aborted

use ‘vDisk Informer’ to check partition alignments

**vscsiStats shows latency for the virtual SCSI device

'vscsiStats -l' to list VMs and their world IDs

'vscsiStats -s -w [world id]' to start collecting information

'vscsiStats -p latency' to show the latency histogram

'vscsiStats -x' to stop collecting

'vscsiStats -r' to clear all the counters for next time.

'vscsiStats -p ioLength' will help with block size

'vscsiStats -p seekDistance' will help with sequential vs random IO

Show all filesystems mounted or unmounted

esxcli storage filesystem list

Re-attach storage device

esxcli storage core device detached list

esxcli storage core device set -d naa.XXX --state=on

Storage MPIO

List devices

esxcli storage nmp device list

Set PSP

esxcli storage nmp device set --device t10.dsfsdf --psp VMW_PSP_FIXED

Set PSP to Round Robin (this changes the device's path selection policy, not its SATP; the SATP is assigned by claim rules)

esxcli storage nmp device set --device t10.E4143500000000000000000010000000F011000000000100 --psp VMW_PSP_RR

VMKFSTOOLS

create vmfs datastore

vmkfstools  --createfs vmfs5  --blocksize 1m device_id:p     (p is the partition number VMFS is created on; VMFS5 only supports the 1 MB block size)

Grow VMFS datastore

vmkfstools  --growfs  /vmfs/devices/disks/disk:id1  /vmfs/devices/disks/disk:id1     (the same partition is given twice when growing an extent to fill an enlarged LUN)

add nfs mount

esxcfg-nas -a -o 192.168.1.100 -s /raid0/data/Software Software

*****

Virtual Machines

VMM  -  Virtual Machine Monitor

grep MONITOR /vmfs/volumes/<datastore>/<vmname>/vmware.log    the 'MONITOR MODE' lines show whether the VM is running with hardware virtualisation (HV / HWMMU) or binary translation (BT)

VMKFSTOOLS

vmkfstools  -c 8G  -a lsilogic  -d thin  /vmfs/volumes/datastore/vm/vmdisk.vmdk     (-d thin | zeroedthick | eagerzeroedthick)

*****

vMA 

vi fast pass

add server

vifp addserver esx01.vmpact.int

connect to server

vifptarget -s esx01.vmpact.int

resxtop --server ipaddress --user root

'f'  to choose field options

'o' to display fields in the order you wish: upper case to move up, lower case to move down.

'W' to save the esxtop configuration

'esxtop -c .filename' to open a saved esxtop configuration. DON'T forget the FULL STOP in front of the filename!

esxtop batch mode

-b batch mode

-d collection interval in seconds

-n number of iterations to collect

esxtop -b -d 5 -n 100 > /path/to/output.csv
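The ready-time formula from the CPU metrics note and the batch output from the command above, worked through in Python as an added example (not part of the original notes). The CSV below is constructed to look like `esxtop -b` output, with the perfmon-style header layout assumed to be "\\host\Group Cpu(groupid:vmname)\metric"; it was not captured from a host.

```python
"""Turn raw CPU ready figures into %RDY and find the VMs that are starved.

Added example, not part of the original study notes. SAMPLE_BATCH is a
constructed esxtop batch-mode CSV (first column is the timestamp, every other
header is "\\host\Group Cpu(groupid:vmname)\metric"); it was not captured
from a real host, and the header layout is an assumption about esxtop -b output.
"""
import csv
import io
import re
from collections import defaultdict


def ready_pct_from_ms(ready_ms, interval_s=20, vcpus=1):
    """vCenter's cpu.ready.summation is milliseconds of ready time accumulated
    over the sample interval (20 s for real-time charts), summed across vCPUs.
    Divide by the interval in ms and by the vCPU count to get %RDY per vCPU."""
    return 100.0 * ready_ms / (interval_s * 1000 * vcpus)


# Header format assumed for esxtop batch mode; only Group Cpu counters are read.
COUNTER_RE = re.compile(
    r"^\\\\(?P<host>[^\\]+)\\Group Cpu\((?P<gid>\d+):(?P<vm>[^)]+)\)\\(?P<metric>.+)$"
)

# Constructed sample: two VMs, three 5-second samples.
SAMPLE_BATCH = "\n".join([
    '"(PDH-CSV 4.0) (UTC)(0)",'
    '"\\\\esx01\\Group Cpu(1234:web01)\\% Used","\\\\esx01\\Group Cpu(1234:web01)\\% Ready",'
    '"\\\\esx01\\Group Cpu(5678:db01)\\% Used","\\\\esx01\\Group Cpu(5678:db01)\\% Ready"',
    '"03/14/2013 10:00:05","45.12","2.10","88.40","14.80"',
    '"03/14/2013 10:00:10","50.30","3.00","91.00","12.20"',
    '"03/14/2013 10:00:15","47.80","1.50","95.20","16.00"',
])


def parse_esxtop_batch(text):
    """Return {vm: {metric: [samples...]}} for the Group Cpu counters in a batch file."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    wanted = {}
    for idx, col in enumerate(header):
        m = COUNTER_RE.match(col)
        if m:
            wanted[idx] = (m.group("vm"), m.group("metric"))
    series = defaultdict(lambda: defaultdict(list))
    for row in reader:
        for idx, (vm, metric) in wanted.items():
            try:
                series[vm][metric].append(float(row[idx]))
            except (IndexError, ValueError):
                # esxtop leaves cells empty once a world disappears mid-run
                continue
    return series


def flag_high_ready(series, threshold_pct=10.0):
    """Average '% Ready' per VM over the run; return (vm, avg) above the
    threshold, worst first. Group Cpu '% Ready' is the total over the VM's
    worlds, so divide by the vCPU count before applying a per-vCPU rule."""
    flagged = []
    for vm, metrics in series.items():
        samples = metrics.get("% Ready")
        if samples:
            avg = round(sum(samples) / len(samples), 2)
            if avg > threshold_pct:
                flagged.append((vm, avg))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(ready_pct_from_ms(2000))                    # 10.0 %RDY for one vCPU
    print(flag_high_ready(parse_esxtop_batch(SAMPLE_BATCH)))
```

Run it against a real batch file by reading the file into `parse_esxtop_batch`; the 10% default threshold is the usual rule of thumb for when ready time starts to hurt, and the same parser can be pointed at other Group Cpu metrics such as '% Co-Stop'.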

—–

Auto Deploy

esxcli software vib list      to list installed VIBs

esxcli software vib install -d <depot.zip> -n <vibname>       to install a named VIB from a depot

Install Patches

esxcli software vib install -d <depot path or URL>      (-d is the depot: an offline bundle zip on a datastore, or a URL)

-v  URL or path of a single VIB file

VIBs are signed and checked against the host's acceptance level on install; leave that check in place rather than forcing unsigned VIBs on.

—–

Password complexity

Change to strong password

vi  /etc/pam.d/passwd     (edit the pam_passwdqc line; the min= values are the minimum length per password class)

—–

HOST SNMP

enable SNMP on ESXi, you have to do it via vMA     (the agent listens on UDP 161; traps are sent to UDP 162 on the receiver)

Run command to configure SNMP communities to send traps

vicfg-snmp --server 192...... --username root -c 'community,string,separated,by,commas'

Run vicfg-snmp --target with the target address, port number, and community

vicfg-snmp -t 'target.example.com@163/public'

Run vicfg-snmp --show to display info

Run vicfg-snmp --enable to enable the SNMP agent to send traps

configure SNMP agent for polling and enable

vicfg-snmp --server 192...... --username root -c 'communitystring' -t target.example.com@163/public --enable

configure SNMP port

vicfg-snmp --server 192...... --username root -p <port>

vicfg-snmp is SNMP v1/v2c only: the community string travels in clear text and is the only 'authentication', so use a non-default string and restrict the snmp firewall ruleset to the monitoring hosts (see ESXi FIREWALL below).

—–

SYSLOG    (Default UDP 514)

keep twenty rotations before overwriting the oldest log

esxcli <conn_options> system syslog config set --default-rotate=20

Set the rotation policy for VMkernel logs to 10 rotations, rotating at 2MB (--size is in KiB).

esxcli <conn_options> system syslog config logger set --id=vmkernel --size=2048 --rotate=10

Save the local copy of logs to /scratch/mylogs and send another copy to the remote host.

esxcli <conn_options> system syslog config set --logdir-unique true --loghost='tcp://myhost.mycompany.com:1514' --logdir='/scratch/mylogs'

(udp:// and tcp:// send the logs in clear text with no authentication of the collector; ssl:// is also accepted where the collector supports TLS. Check the collector is actually receiving after the change.)

after config change, reload syslog daemon

esxcli <conn_options> system syslog reload

—–

ESXi FIREWALL

list a firewall ruleset, e.g. sshClient       (stop the command after 'list' for the full list of rulesets)

esxcli network firewall ruleset list --ruleset-id sshClient

enable a firewall service

esxcli network firewall ruleset set --ruleset-id sshClient --enabled true

limit networks and IP addresses for connections (a ruleset accepts all addresses until this is turned off)

esxcli network firewall ruleset set --ruleset-id sshClient --allowed-all false

Add networks for connections

esxcli network firewall ruleset allowedip add --ruleset-id sshClient --ip-address 192.168.1.0/24

Check network conn list

esxcli network firewall ruleset allowedip list --ruleset-id sshClient
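An audit of the state those commands leave behind, added here as an example and not part of the notes: parse the tables printed by `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list`, report the enabled rulesets that still accept every address, and generate the lockdown commands with each network validated first. The two tables are constructed samples in the layout esxcli prints (an assumption about the exact spacing); the ruleset names are standard ESXi ones.

```python
"""Find ESXi firewall rulesets that are enabled but open to the world, and
build the esxcli commands that restrict them to named networks.

Added example, not from the original notes. RULESET_LIST and ALLOWEDIP_LIST
are constructed samples of what `esxcli network firewall ruleset list` and
`... ruleset allowedip list` print (header line, dashed separator, rows); the
parser only relies on that shape, which is an assumption about the output.
"""
import ipaddress

RULESET_LIST = """\
Name                 Enabled
-------------------  -------
sshServer               true
sshClient               true
snmp                    true
ntpClient               true
vSphereClient           true
CIMHttpsServer         false
"""

ALLOWEDIP_LIST = """\
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
sshClient       192.168.1.0/24
snmp            All
ntpClient       All
vSphereClient   All
CIMHttpsServer  All
"""


def _table_rows(text):
    """Yield (first column, rest of line) for the data rows of an esxcli table."""
    lines = [line for line in text.splitlines() if line.strip()]
    for line in lines[2:]:          # skip header and dashed separator
        yield line.split(None, 1)


def parse_rulesets(text):
    """{ruleset: enabled?} from `ruleset list`."""
    return {name: rest.strip().lower() == "true" for name, rest in _table_rows(text)}


def parse_allowedip(text):
    """{ruleset: [networks] or None} from `allowedip list`; None means 'All'."""
    allowed = {}
    for name, rest in _table_rows(text):
        rest = rest.strip()
        allowed[name] = None if rest == "All" else [a.strip() for a in rest.split(",")]
    return allowed


def open_rulesets(rulesets, allowed, ignore=()):
    """Enabled rulesets that accept connections from any address, sorted by name.
    Pass outbound-only rulesets you have consciously left open in `ignore`."""
    return sorted(name for name, enabled in rulesets.items()
                  if enabled and allowed.get(name) is None and name not in ignore)


def lockdown_commands(ruleset, networks):
    """esxcli commands that switch a ruleset off 'allowed-all' and add each
    network. Every network is parsed strictly so a typo such as 10.10.0.1/24
    (host bits set) or 0.0.0.0/0 cannot slip through as a silent allow-all."""
    cmds = [f"esxcli network firewall ruleset set --ruleset-id {ruleset} --allowed-all false"]
    for net in networks:
        parsed = ipaddress.ip_network(net, strict=True)   # raises on host bits set
        if parsed.prefixlen == 0:
            raise ValueError(f"{net} would allow everything; refusing")
        cmds.append(
            f"esxcli network firewall ruleset allowedip add --ruleset-id {ruleset} --ip-address {parsed}"
        )
    return cmds


if __name__ == "__main__":
    rulesets = parse_rulesets(RULESET_LIST)
    allowed = parse_allowedip(ALLOWEDIP_LIST)
    for name in open_rulesets(rulesets, allowed, ignore={"ntpClient"}):
        print(f"# {name} is enabled and open to all addresses")
        print("\n".join(lockdown_commands(name, ["10.10.0.0/24"])))
```

Feed it the real output by capturing the two esxcli commands to files; the printed commands are meant to be reviewed and then pasted back, not run blind, and a ruleset restricted to a network that does not include your management station will lock you out, so add the management network first.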

—–

NTP

List NTP servers

vicfg-ntp <conn options> -l

Add NTP servers

vicfg-ntp <conn options> -a

Stop NTP service

vicfg-ntp <conn options> -s

Start NTP service

vicfg-ntp <conn options> -r

—–

User mgmt

Create user and add to role admin

vicfg-user <conn options>  -e user -o add -l username  -p password -r role

(passing -p on the command line leaves the password in the vMA shell history and visible in the process list while the command runs)

Add group

vicfg-user <conn options>  -e group -o add -d groupname

Add user to group

vicfg-user <conn options> -e user -o modify -l tramp -g groupname

—–

Generate New Certificates

/etc/vmware/ssl     -  location of the SSL certificates (rui.crt and rui.key)

/sbin/generate-certificates   to regenerate self-signed certificates, or copy CA-signed ones to the same location.

from vMA: vifs  <conn opt>  --put rui.crt   /host/ssl_cert

vifs  <conn opt>  --put rui.key   /host/ssl_key
/etc/init.d/hostd restart   -   or reboot the host. Keep rui.key readable by root only; anyone who can read it can impersonate the host to vCenter and to clients.

—–

Configure SSL timeouts

vi  /etc/vmware/hostd/config.xml

Find the <vmacore>, <http> and <ssl> tags; they exist already.

<vmacore>
  …
  <http>
    <readTimeoutMs>20000</readTimeoutMs>
  </http>
  …
  <ssl>
    …
    <handshakeTimeoutMs>20000</handshakeTimeoutMs>
    …
  </ssl>
</vmacore>

Then restart:

/etc/init.d/hostd restart

—–

STORAGE LINKS

Storage Perf Analysis & Monitoring

http://communities.vmware.com/docs/DOC-5490

Storage Queues affect Perf

http://communities.vmware.com/docs/DOC-6490

Scalable Storage Perf

http://www.vmware.com/files/pdf/scalable_storage_performance.pdf

Changing Queue Depth QLogic/Emulex

KB1267

Setting the Max Outstanding Disk Requests per VM

KB1268

Controlling LUN Queue Depth Throttling in ESXi

KB1008113

VMFS deep dive & BP

http://www.vmworld.com/docs/DOC-2790

VMFS Sizing for Max Performance

http://vmetc.com/2008/06/10/vmfs-storage-sizing-for-maximum-performance/

——

ESXTOP bible

http://communities.vmware.com/docs/DOC-11812

ESXTOP Metrics

http://communities.vmware.com/docs/DOC-5600

My SRM 5 Design Reminders

The process to perform a ’Failover’ or ‘Test Failover’ in SRM 5 is quite different from SRM 4.

I remember SRM 4 not really giving too much care about the primary site's VMs unless you'd categorically specified VMs to be shut down in a test failover, nor did it care about the datastores so long as they were replicated.

SRM 5, because of the ‘failback’ feature, operates differently from SRM 4..

Once a failover (not forced) is initiated, one of the first things SRM tries to do is create the placeholders in the primary site. If the placeholder datastore has not been set there, the failover will fail.

So, reminder 1..

Always determine the placeholder location in the primary site as well as the secondary site.

The second step in the failover is to unmount the datastore(s). If you have SIOC enabled or HA datastore heartbeats using those datastores, the unmount, and so the failover, will fail.

Reminder 2.

Select Datastores that are not protected by SRM to be used for vSphere HA datastore heartbeats

Reminder 3.

With the SIOC issue, you can use the PowerShell script on the 'Build a whole environment' page and add it as a command step in the failover process.
Don't forget to change the script to 'disable SIOC'.
Install PowerCLI on the SRM servers.
To run PowerShell scripts automatically under the SRM service account, log in as the service account and store the credentials using
New-VICredentialStoreItem -Host 'vCenter' -User 'username' -Password 'password'
(the credential store lives under the profile of the user who created it, which is why it has to be created while logged in as the service account, and the stored password is only as safe as that account's profile)

Not entirely sure if this is SRM 5 related, but ALUA needs to be configured consistently across sites; I had an issue with NetApp where the primary site had it enabled but the secondary site didn't.

Reminder 4.

Ask the Storage guy to double check LUNs at both sites are configured consistently.

And, SRM doesn’t automatically update Protection Groups when SDRS is enabled to migrate virtual machine files from one datastore to another.

Reminder 5.

Do not use SDRS, or use SDRS affinity rules to pin protected VMs to their datastores.

 

Public Cloud: Securing Consumers on vCloud Director with PVLANs

Not too long ago, I designed and built a 'VMware vCloud Datacenter' powered Public Cloud offering. What a great experience that was..

It had vSphere 5, vCenter Heartbeat, vCloud Director, vShield Manager & Edge, Chargeback, SRM, Orchestrator and vCenter Operations Management Suite, and to top it off, fulfilled the technical requirements to be a VMware certified service provider.

I'm not going to write about how to install vCloud Director or the Org/vDC/PvDC configs; there are plenty of blogs & sites that do that already. This post is about a particular requirement which required a good amount of thought. Let me give you the context.

Here’s a diagram to part explain..

As consumers are instantiated through vCloud Director, the consumer workloads will be placed in separate VLANs on isolated, non-routable physical switches. This allows the consumers to utilise an IP Scheme (Private Addressing) of their choice, even if it clashes with another consumer.

A vShield Edge is deployed to enable access to the consumer workload from the outside world; it has a Public IP address (consumer access point) and a Private IP address (consumer gateway).

The physical firewall is at the perimeter, filtering traffic from the internet inbound and allowing network traffic outbound. It does not, however, filter traffic between the public IP addresses of the vCloud consumers: those addresses sit in one shared subnet, so consumer-to-consumer traffic never crosses the firewall.

So the $64M question is, how do we prevent 'Consumer A' from potentially trying to get into 'Consumer B'?

Options that I could think of..

1. Don't use vShield Edge; use dedicated lines from consumers and a Cisco VRF per consumer?
- This could work, but due to budgetary constraints it was deemed financially unviable

2. Use Firewall rules / ACLs
- This could work, positives are
a) It’s a standard security practice
b) Level of Firewall & Networking skills and capability should be available

- however the drawbacks are:
a) Firewall rules & ACLs can be difficult to manage when consumers grow to the 100s or 1000s
b) A whole public IP range was provided by the ISP and therefore if we were to subnet that range, there would be a significant loss of public IP addresses

3. Use PVLANs, and place the external NIC of each consumer's vShield Edge in an isolated/community PVLAN.
- This is what we decided to use because:
a) It is secure: an isolated port can only exchange frames with the promiscuous port (the gateway/firewall), so consumers cannot communicate with each other
b) Less firewall and routing management; it's just adding VLANs on physical switches
c) Minimal waste of public IP addresses, as everyone stays in the one subnet
d) Lower cost of hardware

… and the drawback..

vCloud Director is unable to provision PVLANs 'automatically'! arghhh... (feature request please)

So a 'MANUAL' consumer on-boarding process is required: create the PVLANs on the physical switches and on the dvSwitches, and then create the external network in vCloud Director so it can be allocated.

… or is it?

As one of my previous posts suggests, VMware Orchestrator can be your best friend. It can break out into SSH and build the PVLANs on the physical switches, create PVLAN port groups on dvSwitches, and it has a plug-in to configure vCloud Director: 'AUTOMATED'.
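The isolation argument behind option 3, modelled in Python as an added example that is not code from the original post: which ports can exchange frames under PVLAN rules, an on-boarding helper that hands out secondary VLANs the way the manual process would, and a check that no two consumers can reach each other directly. The VLAN numbers, port names and the gateway sitting on a promiscuous port are assumptions.

```python
"""PVLAN model for the consumer vShield Edge external network.

Added example, not code from the original post. VLAN numbers and names are
invented: primary VLAN 200 carries the provider's public range, the physical
firewall sits on a promiscuous port, and every consumer Edge external NIC goes
into an isolated or community secondary VLAN of that primary.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # gateway/firewall: reaches every port in the primary
    ISOLATED = "isolated"        # reaches promiscuous ports only
    COMMUNITY = "community"      # reaches promiscuous ports and its own community


@dataclass(frozen=True)
class Port:
    name: str
    primary: int    # primary VLAN (the shared public subnet)
    secondary: int  # secondary VLAN; equals primary for promiscuous ports
    kind: PortType


def l2_reachable(a, b):
    """Whether a frame from port a is delivered to port b under PVLAN rules.
    Routing is ignored on purpose: the question is whether two consumers can
    talk to each other without the firewall ever seeing the traffic."""
    if a == b:
        return True
    if a.primary != b.primary:
        return False  # different broadcast domains altogether
    if PortType.PROMISCUOUS in (a.kind, b.kind):
        return True
    if a.kind is PortType.COMMUNITY and b.kind is PortType.COMMUNITY:
        return a.secondary == b.secondary
    return False  # an isolated port is involved, or two different communities


def tenant_leaks(ports):
    """Consumer pairs that can reach each other directly. Should be empty
    unless two Edges were deliberately placed in the same community VLAN."""
    tenants = [p for p in ports if p.kind is not PortType.PROMISCUOUS]
    return sorted((a.name, b.name) for a, b in combinations(tenants, 2)
                  if l2_reachable(a, b))


def onboard(ports, name, primary, kind, community_vlan=None):
    """Allocate the secondary VLAN for a new consumer Edge. All isolated ports
    of a primary share its single isolated VLAN (a switch allows only one),
    which is why this design burns so few VLANs; a community consumer either
    joins the given community VLAN or gets a fresh one."""
    in_primary = [p for p in ports if p.primary == primary]
    isolated = {p.secondary for p in in_primary if p.kind is PortType.ISOLATED}
    used = {p.secondary for p in in_primary} | {primary}
    if kind is PortType.ISOLATED:
        secondary = next(iter(isolated)) if isolated else max(used) + 1
    elif kind is PortType.COMMUNITY:
        secondary = community_vlan if community_vlan is not None else max(used) + 1
        if secondary in isolated:
            raise ValueError(f"VLAN {secondary} is the isolated VLAN of primary {primary}")
    else:
        raise ValueError("only consumer ports are onboarded; the gateway is static")
    return Port(name, primary, secondary, kind)


def demo_ports():
    """Gateway plus four consumers: A and B isolated, C and D sharing a community."""
    ports = [Port("fw-gateway", 200, 200, PortType.PROMISCUOUS)]
    ports.append(onboard(ports, "edge-consumerA", 200, PortType.ISOLATED))
    ports.append(onboard(ports, "edge-consumerB", 200, PortType.ISOLATED))
    ports.append(onboard(ports, "edge-consumerC", 200, PortType.COMMUNITY))
    ports.append(onboard(ports, "edge-consumerD", 200, PortType.COMMUNITY, community_vlan=202))
    return ports


if __name__ == "__main__":
    for p in demo_ports():
        print(p)
    print("leaks:", tenant_leaks(demo_ports()))   # only the C/D community pair
```

The `tenant_leaks` check is the one to run after every on-boarding change, whether done by hand or by the Orchestrator workflow: the model says nothing about whether the switch and dvSwitch were actually configured that way, so pair it with a read-back of the PVLAN map from the devices.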

Migrating vCenter Folders, Roles and Permissions

A project currently in flight is a migration of 450 ESXi hosts and 2000 VMs from vSphere 4.x to 5.0.1.

A new vCenter has been built to consolidate the number of vCenters in the enterprise. However, the folder structure, roles and permissions need migrating from existing vCenters to the new vCenter.

Here's a PowerCLI script to export the folders and the permissions already set:

Get-Folder | Get-VIPermission | Select-Object Entity,Role,Principal,Propagate | Export-Csv -NoTypeInformation folder-permissions.csv

This will provide a table of all folders and the permissions set on those folders.

All we need to do is feed the information into the below lines of script (-Location takes the parent folder object, and -Propagate is a boolean, not a string):

New-Folder -Name 'name' -Location (Get-Folder 'parentfoldername')
New-VIPermission -Entity (Get-Folder 'Folder') -Principal 'domain\userorgroup' -Role 'role' -Propagate $true

Start your journey to Cloud with ‘Orchestrator’

VMware Orchestrator has been around for a long time, since vSphere 4.0 if I remember correctly, and to be honest I didn't really care for it much at the time. I couldn't see its true value until I started:

1. Providing advice on cloud computing,
2. Consulting in ASEAN
3. Building a basic self-provisioning portal

 

Point 1. (Revelation..)

For example, a small but typical part of the ‘Journey to Infrastructure as a Service’ for an organisation would be to provide a self-servicing portal, with a service catalog, an underlying approval process leading to a provisioning task. Automating some or all of the tasks in that process is where organisations will differ the most; from one end of the spectrum, some will believe the effort taken to automate tasks costs more than just doing it manually, whereas others will see the value in reducing the operational overhead and potential mistakes.

Now, there are numerous products on the market that claim to satisfy those requirements and much more, which I don't dispute.
As a customer, I would look at these products and consider multiple points, not limited to:

a) the outcome (deliverable)

b) the costs (TCO/ROI)

c) the disruption to the organisation (time & effort)

d) the integration with existing tools

One approach could be to purchase a product from the well-known ISVs: a big investment, which in return should accelerate the journey with a faster ROI.

Another approach, for those who want a more measured progression, have a smaller scope, or may not want all the bells and whistles just yet: I would recommend taking a real good look at VMware Orchestrator, and my reasons are quite simple:

a) there are a huge number of pre-canned workflows ready to be configured, which would cater for most organisations on the learning curve of providing 'Infrastructure as a Service'

b) licensing is included with vCenter (the only payment required is help with configuring it to your liking!)

c) the disruption with all products is relatively similar; you will need someone to configure it to your liking!

d) plug-ins are already being created to allow integration with vCloud Director, Chargeback, SSH devices, storage such as EMC VNX

e) when your organisation is ready for the bigger products, the workflows can then be migrated.

To summarise my recommendation: make full use of a fully supported product that does not have additional licensing costs to get your organisation automating menial tasks, and slowly make these workflows more comprehensive stage by stage. Once you believe you have outgrown VMware Orchestrator, move to another more comprehensive suite of tools.

 

Point 2.

I've heard it numerous times that there are huge operational challenges where organisations are trying to accelerate the deployment of 'Infrastructure as a Service' but virtualisation hasn't been part of the organisation's fabric for a sustained period of time. The challenge being low operational confidence and operational maturity.

Just like 10 years ago, when moving to Active Directory, it was deemed too risky to expose the whole directory and its components to operational staff. The same challenge has arisen from the importance of vCenter access.

I guess it’s like giving a teenager a 1000cc motorbike when they’ve only just taken the training wheels off their pedal bike.

And using ACLs does not necessarily provide the answer, as the operational tasks required are still the ones that can be executed incorrectly, e.g. VMware snapshots may be a requirement, and VMware experts know that they should only be used on a temporary basis. But this information doesn't always flow down the chain, leading to snapshots taken sporadically and then forgotten. The impact is a filled datastore causing a DoS to the incumbent VMs.

After spending about 10 days building a self-provisioning portal, I've realised that VMware Orchestrator could also be used to create a 'Cloud Operations Portal'.

Here’s an example

where each of the links can have a description of task, and also trigger a workflow in the designed manner.

e.g. The ‘Create a VM snapshot’ workflow could look like this..

The great thing about this is that, just like 10 years ago when Quest came out with a façade with operational controls whilst shielding AD and reducing the risk of the project, a VMware Operations Portal can provide the same outcome.

 

 

Point 3.

All credit is due to the guys at vcoteam.info for demonstrating, with great instructions and screenshots, how to configure workflows and of course how to create a self-provisioning portal.

You can follow the same instructions I did. Here they are:

http://www.vcoteam.info/learn-vco/create-a-simple-vco-self-service-vm-provisioning-portal-part-1.html
http://www.vcoteam.info/learn-vco/create-a-simple-vco-self-service-vm-provisioning-portal-part-2.html
http://www.vcoteam.info/learn-vco/create-a-simple-vco-self-service-vm-provisioning-portal-part-3.html


VMware Orchestrator can be your best friend in a place where the choice of cloud management software can be as confusing as cloud computing…

Using the esxcli command via PowerShell

Some more PowerShell goodies...

How to use the esxcli command through PowerShell instead of using vMA or direct SSH.

Click here
