Wednesday, November 16, 2011

Quick VMotion in VMware

I ran into an issue today where I was unable to VMotion a VM due to host issues. While troubleshooting, I remembered how Microsoft first dealt with its inability to support VMotion - Quick VMotion.
The idea is that instead of migrating the VM while online, you pause (suspend) the VM, migrate it, and then restart it on the target. Though this causes some outage, it allows movement of VMs with less impact than actually powering off the VM (or allowing HA to recover a failed host).

Quick VMotion PowerShell code:

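# Look up the VM and the destination host (replace vmName and hostName)
$vm = Get-VM -Name vmName
$Myhost = Get-VMHost -Name hostName
# Suspend the VM, move it to the target host while suspended, then resume it
Suspend-VM -VM $vm -Confirm:$false
Move-VM -VM $vm -Destination $Myhost -Confirm:$false
Start-VM -VM $vm -Confirm:$false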

Monday, November 14, 2011

VCP5 - Configure network security policies

There are 3 basic network security policies: Promiscuous mode, MAC address changes, and Forged transmits. These policies allow for customization of the networking layer to allow network sniffing, clustering, and load-balancing.

Changing policies on a Distributed Switch

  1. Open vSphere client and select Networking
  2. Right-click the Port Group and select Edit Settings
  3. Under Policies | Security, change the policies as needed

Changing policies on a Standard Switch

  1. Open vSphere client and select Hosts and Clusters
  2. Select a host and click the Configuration tab
  3. Under Hardware | Networking, click Properties for a Virtual Switch
  4. Select the switch or a port group and click Edit
  5. Under Security, change the policies as needed
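
The same three policies can be audited from PowerCLI. This is an added example, not code from the original post: it assumes an existing Connect-VIServer session and a PowerCLI release that provides Get-SecurityPolicy, and the function name Get-PermissiveSecurityPolicy is hypothetical.

```powershell
# Added example: flag standard vSwitches and port groups where any of the
# three security policies is set to Accept. Assumes Connect-VIServer has run.
function Get-PermissiveSecurityPolicy {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] $VMHost)

    foreach ($sw in Get-VirtualSwitch -VMHost $VMHost -Standard) {
        # Collect the switch-level policy, then each port group's policy.
        $policies = @(Get-SecurityPolicy -VirtualSwitch $sw)
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $sw) {
            $policies += Get-SecurityPolicy -VirtualPortGroup $pg
        }

        foreach ($p in $policies) {
            # $true corresponds to "Accept" in the vSphere Client.
            if ($p.AllowPromiscuous -or $p.MacChanges -or $p.ForgedTransmits) {
                $pgName = if ($p.VirtualPortGroup) { $p.VirtualPortGroup.Name } else { '(switch default)' }
                [pscustomobject]@{
                    Host            = $VMHost.Name
                    Switch          = $sw.Name
                    PortGroup       = $pgName
                    Promiscuous     = $p.AllowPromiscuous
                    MacChanges      = $p.MacChanges
                    ForgedTransmits = $p.ForgedTransmits
                }
            }
        }
    }
}

# Report every permissive setting across all connected hosts.
Get-VMHost | ForEach-Object { Get-PermissiveSecurityPolicy -VMHost $_ } |
    Format-Table -AutoSize
```

Port groups that need Accept for sniffing, clustering, or load-balancing will show up in the report, so treat the output as a list to review rather than a list to reject outright.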


http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.networking.doc_50/GUID-D6EF211D-0028-4CED-970F-9FF8FA528EF4.html
http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-D53632D3-EEBC-4A47-A7F8-53E2560039AC.html

VCP5 - Enable Lockdown Mode

Lockdown mode blocks direct access to the ESXi host and forces all configuration to be done via the Virtual Center. This can be used to secure your VMware environment and ensure security protocols are followed.

Enabling Lockdown Mode via DCUI

  1. Log onto the ESXi host console as root
  2. Select Configure Lockdown Mode
  3. Use the spacebar to check the box and hit Enter to accept

Enabling Lockdown Mode via vSphere

  1. Open the vSphere console and select Hosts and Clusters
  2. Choose a host and click the Configuration tab
  3. Select Software | Security Profile
  4. Next to Lockdown Mode, click Edit
  5. Check the box and click OK

Enable/Configure/Disable services in the ESXi firewall

Unlike prior versions of ESX, v5 uses an XML file to describe the firewall configurations. These files are stored in the /etc/vmware/firewall directory and are automatically loaded. Firewall rules should be installed as part of a VIB package.
More information on creating rules: http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.vcenterhost.doc_50/GUID-E1D90120-73EB-4B00-9F89-8650EBE911F7.html

Once installed, the firewall rules and services are managed via the vSphere client.

  1. Open vSphere and select Hosts and Clusters
  2. Select a host and click the Configuration tab
  3. Select Software | Security Profile
  4. Next to Firewall, click Properties to enable or disable specific rules
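
To check the result of both the Lockdown Mode and firewall procedures across many hosts, the state can be read back with PowerCLI. This is an added example, not code from the original post: it assumes an existing Connect-VIServer session to vCenter Server, and the function name Get-HostAccessAudit is hypothetical.

```powershell
# Added example: per-host view of lockdown mode and enabled firewall rules.
# Assumes Connect-VIServer has run against vCenter Server.
function Get-HostAccessAudit {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] $VMHost)

    # HostConfigInfo.adminDisabled is $true while the host is in lockdown mode.
    $lockdown = [bool]$VMHost.ExtensionData.Config.AdminDisabled

    # Only the rules currently enabled under Security Profile | Firewall.
    $rules = @(Get-VMHostFirewallException -VMHost $VMHost -Enabled $true)

    if ($rules.Count -eq 0) {
        # Still emit one row so hosts with no enabled rules appear in the report.
        [pscustomobject]@{
            Host = $VMHost.Name; LockdownMode = $lockdown
            Rule = '(none enabled)'; Protocols = $null
            IncomingPorts = $null; ServiceRunning = $null
        }
        return
    }

    foreach ($r in $rules) {
        [pscustomobject]@{
            Host           = $VMHost.Name
            LockdownMode   = $lockdown
            Rule           = $r.Name
            Protocols      = $r.Protocols
            IncomingPorts  = $r.IncomingPorts
            ServiceRunning = $r.ServiceRunning
        }
    }
}

# One row per enabled rule, grouped by host.
Get-VMHost | ForEach-Object { Get-HostAccessAudit -VMHost $_ } |
    Sort-Object Host, Rule | Format-Table -AutoSize
```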

VCP5 - Describe how permissions are applied and inherited in vCenter Server

Permissions in vSphere are applied on managed entities (datacenters, folders, VMs, etc.). Permissions are propagated from the managed entity to child entities.

  • Permissions applied at the same level are summed to include both sets of permission.
  • Unlike other permission inheritance schemes (which sum permissions at different levels), permissions applied at lower levels override inherited permissions.
  • Permissions applied directly to a user override group and inherited permissions.
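
The three rules above can be worked through on a small model. This is an added example, not code from the original post and not a vCenter API call: the inventory names, users, groups, and the function Get-EffectiveRole are all constructed for illustration.

```powershell
# Constructed sample data (not read from vCenter): inventory parents,
# group membership, and permission entries.
$Parent   = @{ 'vm-web01' = 'folder-prod'; 'folder-prod' = 'dc-east'; 'dc-east' = $null }
$MemberOf = @{ 'alice' = @('VM-Admins', 'Backup-Ops', 'Auditors'); 'bob' = @('Auditors') }
$Permissions = @(
    [pscustomobject]@{ Entity = 'dc-east';     Principal = 'Auditors';   IsGroup = $true;  Role = 'Read Only';                  Propagate = $true }
    [pscustomobject]@{ Entity = 'folder-prod'; Principal = 'VM-Admins';  IsGroup = $true;  Role = 'Virtual Machine Power User'; Propagate = $true }
    [pscustomobject]@{ Entity = 'folder-prod'; Principal = 'Backup-Ops'; IsGroup = $true;  Role = 'Datastore Consumer';         Propagate = $true }
    [pscustomobject]@{ Entity = 'vm-web01';    Principal = 'alice';      IsGroup = $false; Role = 'No Access';                  Propagate = $false }
)

function Get-EffectiveRole {   # hypothetical helper name
    param([string]$User, [string]$Entity)

    # Walk from the object up to the root; the first level with a match wins.
    for ($node = $Entity; $node; $node = $Parent[$node]) {
        # A permission applies if set on the object itself or propagated from an ancestor.
        $here = @($Permissions | Where-Object {
            $_.Entity -eq $node -and ($node -eq $Entity -or $_.Propagate) })

        # A permission applied directly to the user overrides group permissions.
        $direct = @($here | Where-Object { -not $_.IsGroup -and $_.Principal -eq $User })
        if ($direct.Count) { return $direct[0].Role }

        # Group permissions at the same level are summed.
        $viaGroup = @($here | Where-Object { $_.IsGroup -and $MemberOf[$User] -contains $_.Principal })
        if ($viaGroup.Count) { return ($viaGroup.Role | Sort-Object -Unique) -join ' + ' }

        # Nothing defined at this level: fall through to the parent (inheritance).
    }
    return '(no permission defined)'
}

# alice: direct user permission on the VM overrides her groups' folder roles.
Get-EffectiveRole -User 'alice' -Entity 'vm-web01'
# alice: two group roles on the same folder are summed and override the datacenter role.
Get-EffectiveRole -User 'alice' -Entity 'folder-prod'
# bob: nothing set lower down, so the datacenter permission is inherited.
Get-EffectiveRole -User 'bob' -Entity 'vm-web01'
```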



http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.vcenterhost.doc_50/GUID-E1D90120-73EB-4B00-9F89-8650EBE911F7.html

VCP5 - Identify common vCenter Server privileges and roles

There are 9 default roles in vSphere - 6 sample roles, and 3 standard.

Default Roles (Role, Role Type, Description of User Capabilities)

No Access (role type: system)
  • Cannot view or change the assigned object.
  • vSphere Client tabs associated with an object appear without content.
  • Can be used to revoke permissions that would otherwise be propagated to an object from a parent object.
  • Available in ESXi and vCenter Server.

Read Only (role type: system)
  • View the state and details about the object.
  • View all the tab panels in the vSphere Client except the Console tab. Cannot perform any actions through the menus and toolbars.
  • Available on ESXi and vCenter Server.

Administrator (role type: system)
  • All privileges for all objects.
  • Add, remove, and set access rights and privileges for all the vCenter Server users and all the virtual objects in the vSphere environment.
  • Available in ESXi and vCenter Server.
  • Note: Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.

Virtual Machine Power User (role type: sample)
  • A set of privileges to allow the user to interact with and make hardware changes to virtual machines, as well as perform snapshot operations.
  • Privileges granted include:
    • All privileges for the scheduled task privileges group.
    • Selected privileges for global items, datastore, and virtual machine privileges groups.
    • No privileges for folder, datacenter, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
  • Usually granted on a folder that contains virtual machines or on individual virtual machines.
  • Available on vCenter Server.

Virtual Machine User (role type: sample)
  • A set of privileges to allow the user to interact with a virtual machine’s console, insert media, and perform power operations. Does not grant privileges to make virtual hardware changes to the virtual machine.
  • Privileges granted include:
    • All privileges for the scheduled tasks privileges group.
    • Selected privileges for the global items and virtual machine privileges groups.
    • No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
  • Usually granted on a folder that contains virtual machines or on individual virtual machines.
  • Available on vCenter Server.

Resource Pool Administrator (role type: sample)
  • A set of privileges to allow the user to create child resource pools and modify the configuration of the children, but not to modify the resource configuration of the pool or cluster on which the role was granted. Also allows the user to grant permissions to child resource pools, and assign virtual machines to the parent or child resource pools.
  • Privileges granted include:
    • All privileges for folder, virtual machine, alarms, and scheduled task privileges groups.
    • Selected privileges for resource and permissions privileges groups.
    • No privileges for datacenter, network, host, sessions, or performance privileges groups.
  • Additional privileges must be granted on virtual machines and datastores to allow provisioning of new virtual machines.
  • Usually granted on a cluster or resource pool.
  • Available on vCenter Server.

Datastore Consumer (role type: sample)
  • A set of privileges to allow the user to consume space on the datastores on which this role is granted. To perform a space-consuming operation, such as creating a virtual disk or taking a snapshot, the user must also have the appropriate virtual machine privileges granted for these operations.
  • Usually granted on a datastore or a folder of datastores.
  • This role is available on vCenter Server.

Network Consumer (role type: sample)
  • A set of privileges to allow the user to assign virtual machines or hosts to networks, if the appropriate permissions for the assignment are also granted on the virtual machines or hosts.
  • Usually granted on a network or folder of networks.
  • Available on vCenter Server.


http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.vcenterhost.doc_50/GUID-E1D90120-73EB-4B00-9F89-8650EBE911F7.html

VCP5 - Upgrade an ESXi Host using vCenter Update Manager

Upgrading an ESXi host via VUM is an elegant process.

  1. Install VUM
  2. Open vSphere and open Update Manager
  3. Select the ESXi Images tab
  4. Click Import ESXi Image
    1. Walk through process to import image
  5. Open Hosts and Clusters and select the Update Manager tab
  6. Click Scan to refresh compliance
  7. Click Remediate to begin updating the hosts

VCP5 - Upgrade VMware Tools / Virtual Machine hardware

This is a two-fer, two objectives listed in 1 post (since they are generally simple tasks).

Upgrading tools and hardware manually:

  1. In vSphere, open VMs and Templates and select the VM
  2. Right-click the VM and select Guest | Install/Upgrade VMware Tools
  3. Select Automatic Tools Upgrade and click OK
    1. This will upgrade the tools and reboot the VM
  4. When finished upgrading the tools, shut down the VM
  5. Right-click the VM and select Upgrade Virtual Hardware
  6. Power on the VM


VCP5 - Upgrade from VMFS3 to VMFS5

Upgrading from VMFS3 to VMFS5 is seamless and can be performed online with active VMs. Note however, that there are drawbacks to upgrading to VMFS5:

  • Datastores are accessible to ESXi 5 hosts only
  • The upgrade process will not take advantage of some of the VMFS5 improvements (such as universal block size)

Upgrading to VMFS5

  1. In vSphere, browse to Datastores and Datastore Clusters
  2. Select the datastore and click the Configuration tab
  3. On the right, click Upgrade to VMFS-5
  4. Click OK to start the upgrade


VCP5 - Upgrade a vNetwork Distributed Switch

There are 3 versions of vNetwork Distributed Switches available: 4.0, 4.1, and 5.0. Each version provides new functionality, but also limits the interop with older versions.

Upgrade Distributed Switch

  1. In vSphere, browse to Networking
  2. Select the switch and on the Summary tab, click Upgrade
  3. Select the upgrade version and click Next
  4. Confirm no hosts report as incompatible, click Next
  5. Click Finish


Version Compatibility / Features

Version  Features                                                      Compatibility
4.0      N/A                                                           ESX 4.0 and later
4.1      Load-Based Teaming; Network I/O Control                       ESX 4.1 and later
5.0      User-defined network resource pools; NetFlow; Port Mirroring  ESX 5.0 and later

VCP5 - Identify steps required to upgrade a vSphere implementation

Upgrading is generally a top-down process starting with the Virtual Center Server, then hosts, then VMs. This ensures that everything is properly supported during the upgrade process.

  1. Make sure vSphere plug-ins are supported in vSphere 5
    1. Upgrade or remove them if necessary
  2. Confirm the environment meets the system requirements
  3. Upgrade vCenter Server
  4. Upgrade VMware Update Manager
  5. Upgrade ESXi hosts
  6. Reconfigure Licensing
  7. Upgrade VMs

Note that this process will differ somewhat if using VMware View.

VCP5 - Identify upgrade requirements for ESXi hosts

ESXi 5 upgrade requirements are above and beyond the standard ESXi installation requirements - they determine the state the ESX host must be in prior to upgrade.

Minimum ESX version: 4.0 ESX or ESXi

  • An ESX 3 host can be upgraded to 4, and then upgraded to 5

Supported ESX upgrade path tools:
  • vSphere Update Manager
  • Interactive upgrade via DVD
  • Scripted upgrade

Non-supported configurations:
  • ESX 4 host with an incompatible disk partition
    • Often results from an ESX 3 host upgraded to ESX 4
  • ESX 4 host with missing, inaccessible, or corrupt Service Console VMDK


NOTE: By definition, "upgrade" refers to updating the current system. Note that this is different from a new install, such as using vSphere Auto Deploy.

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.vcenterhost.doc_50/GUID-E1D90120-73EB-4B00-9F89-8650EBE911F7.html

VCP5 - License an ESXi host

Once licenses are installed in Virtual Center, they need to be assigned to hosts.


  1. Open vCenter Server and go to Home | Administration | Licensing
  2. Click Manage vSphere Licenses
  3. On the Add License Keys screen, click Next
  4. On the Assign Licenses screen, select the ESXi host and pair it with the appropriate license
  5. Click Next, Next, Finish

VCP5 - Enable/Size/Disable memory compression cache

Memory compression uses standard compression techniques (like ZIP or RAR) to extend the use of RAM instead of swapping to disk. Compression is enabled by default and improves performance when over-committing memory by limiting the amount of swap-to-disk, a process that can take considerable time.

Enabling/Disabling Memory Compression

  1. Open the Virtual Center and select Hosts and Clusters
  2. Select a host and click the Configuration tab
  3. Select Software | Advanced Settings
  4. Select Mem.MemZipEnable and set it to 1 for on or 0 for off

Configuring Memory Compression

  1. Open the Virtual Center and select Hosts and Clusters
  2. Select a host and click the Configuration tab
  3. Select Software | Advanced Settings
  4. Select Mem.MemZipMaxPct
    1. This defaults to 10% of the RAM for caching and can be altered from 5% to 100%



http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.vcenterhost.doc_50/GUID-E1D90120-73EB-4B00-9F89-8650EBE911F7.html

VCP5 - Enable/Configure/Disable hyperthreading

Hyperthreading has historically been a troublesome issue. The precursor to multiple cores, the idea is to run multiple commands through the same processor at the same time - thereby simulating multiple cores. This worked well with some applications, but caused nightmares for others. The good news is that Hyperthreading has been rebuilt with the latest generation of processors, and specifically tuned for VMware.

To enable/disable Hyperthreading in ESXi

  1. Configure the system BIOS to enable/disable hyperthreading
  2. Open Virtual Center and select Hosts and Clusters
  3. Select the host and click the Configuration tab
  4. Select Hardware | Processors - here you can view the current Hyperthreading settings
  5. Click Properties to change the Hyperthreading setting

Once enabled, Hyperthreading is defaulted to be used by all VMs in a fashion similar to multi-core processors. This sharing can be configured on a per-VM basis and be set to ANY (default), NONE (no hyperthreading), and Internal (hyperthreading only with itself). These configurations exist to stabilize individual VMs, but should be used with care.

Configuring Hyperthreading in ESXi

  1. Open Virtual Center and select VMs and Templates
  2. Select the VM and click Edit Settings
  3. On the Resources tab, select Advanced CPU to change the settings

VCP5 - Configure DNS and Routing on an ESXi Host

Although this objective sounds complicated, it's simpler than you think, and you may already have completed it without realizing. This objective basically means setting the default gateway and DNS servers/suffixes - a step most likely completed during installation.

Configuring DNS and Routing via DCUI

  1. Log into the DCUI and select Configure Management Network
  2. Select IP Configuration and enter the Default Gateway
    1. NOTE: If you are using DHCP to assign the address, the Gateway should be assigned via DHCP as well
  3. Select DNS Configuration to configure the DNS servers and local hostname
  4. Select Custom DNS Suffixes to customize the FQDN

Configuring DNS and Routing via Virtual Center

  1. Open the Virtual Center and browse to Hosts and Clusters
  2. Select the ESXi host
  3. Select the Configuration tab and Software | DNS and Routing
  4. Click Properties to configure the name, DNS servers, FQDN, and default gateway



VCP5 - Configure NTP on an ESXi Host

NTP configuration for ESXi hosts can be configured via multiple methods: command line, Virtual Center, Host Profile, or editing configurations directly (doesn't appear to be directly supported in ESX 5). The easiest by far is configuring the system via Virtual Center.

Configuring NTP via Virtual Center

  1. Open Virtual Center and select the Hosts and Clusters view
  2. Select the host and click the Configuration tab
  3. Select Software | Time Configuration
  4. On the right, click Properties to edit the date, time, and NTP settings



vicfg-ntp: http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.vcenterhost.doc_50/GUID-E1D90120-73EB-4B00-9F89-8650EBE911F7.html