vSphere 6.0 – Content Library

Content Library is the new feature introduced with vSphere 6.0. vCenter’s Content Library provides simple and effective management of VM templates, vApps, ISO images and scripts for vSphere admins. Content Library centrally stores VM templates, vAPPs, ISO images and scripts. This content can be synchronized across sites and vCenter servers in your organization. In many environment,  NFS mount has been used to store all ISO images and templates but Content Library will simply the management of storing VM templates , vApps and ISO images either backed up by NFS mount or Datastores. Contents of Content library are synchronized with other vCenter Servers and ensure that workloads are consistence across your environment.

Benefits of vCenter Content Library:

• Content Library provides storage and versioning of files including VM templates, ISOs and OVFs.
• You can publish the Content Library  to public or Subscribe content library to get it synchronized with other vCenter Content Library. You will be able to Publish or Subscribe between vCenter -> vCenter & vCD -> vCenter

• Content Library basically backed up by vSphere Datastores or NFS file system,which uses this storage to store the library items like VM Templates, ISOs and OVFs.

• You can perform the deployment from the contents stored (templates, ISOs and appliances) in content library to host and clusters. and you can also perform deployment into Virtual Data center.

How to Properly Remove Datastore or LUN from ESXi hosts

This post might be sounds simple that removing datastore from ESXi host but it is not actually simple as it sounds. VMware Administrators might think that right-click the datastore and unmounting. It is not only the process to remove LUN from ESXi hosts but there are few additional pre-checks and post tasks like detaching the device from the host is must before we request storage administrator to unpresenting the LUN from the backend storage array. This process needs to be followed properly otherwise it may cause bad issues like APD (All Paths Down) condition on the ESXi host. Lets review what is All Path Device (APD) condition.
AS per VMware “APD is when there are no longer any active paths to a storage device from the ESX, yet the ESX continues to try to access that device. When hostd tries to open a disk device, a number of commands such as read capacity and read requests to validate the partition table are sent. If the device is in APD, these commands will be retried until they time out. The problem is that hostd is responsible for a number of other tasks as well, not just opening devices. One task is ESX to vCenter communication, and if hostd is blocked waiting for a device to open, it may not respond in a timely enough fashion to these other tasks. One consequence is that you might observe your ESX hosts disconnecting from vCenter.“
VMware has  did lot of improvements to how to handle APD conditions over the last number of releases, but prevention is better than cure, so I wanted to use this post to explain you the best practices of removing the LUN from ESXi host.

Pre-Checks before unmounting the Datastore:

1.If the LUN is being used as a VMFS datastore, all objects (such as virtual machines, snapshots, and templates) stored on the VMFS datastore are unregistered or moved to another datastore using storage vMotion. You can Browse the datastore and verify no objects are placed on the datatsore.
2. Ensure the Datastore  is not used for vSphere HA heartbeat.
3. Ensure the Datastore is not part of a Datastore cluster and not managed by Storage DRS.
4. Datastore should not be used as a Diagnostic coredump partition.
5. Storage I/O control should be disabled for the datastore.
6. No third-party scripts or utilities are accessing the datastore.
7. If the LUN is being used as an RDM, remove the RDM from the virtual machine. Click Edit Settings, highlight the RDM hard disk, and click Remove. Select Delete from disk if it is not selected, and click OK. Note: This destroys the mapping file, but not the LUN content.

Procedure to Remove Datastore or LUN from ESXi 5.X hosts:

1. Ensure you have reviewed all the pre-checks as mentioned above for the datastore ,which you are going to unmount.
2. Select the ESXi host-> Configuration-> Storage-> Datastores. Note down the naa id for that datastore. Which starts something like naa.XXXXXXXXXXXXXXXXXXXXX.

3.Right-click the Datatsore, which you want to unmount and Select Unmount.

Image thanks to shabiryusuf.wordpress.com

4. Confirm Datastore unmount pre-check is all marked with Green Check mark and click on OK. Monitor the recent tasks and Wait till the VMFS volume shows as “unmounted”.

Image thanks to shabiryusuf.wordpress.com

5.Select the ESXi host-> Configuration-> Storage-> Devices. Match the devices with the naa.id (naa.XXXXXXXX) which you have noted down in step 2 with the Identifier. Select the device which has same naa.id as the unmounted datastore. Right-click the device and Detach. Verify all the Green checks and click on Ok to detach the LUN

Image thanks to shabiryusuf.wordpress.com

6. Repeat the same steps for all ESXi hosts, where you want to unpresent this datastore.
7. Inform your storage administrator to physically unpresent the LUN from the ESXi host using the appropriate array tools. You can even share naa.id of the LUN with your storage administrator to easily identify from the storage end.
8. Rescan the ESXi host and verify detached LUNs are disappeared from the ESXi host.
That’s it. I hope this post helps you understand the detailed procedure to properly remove the Datastore or LUN from your ESXi host. Thanks for Reading!!!. Be Social and Share it in Social media. if you feel worth sharing it.

vCenter Server Appliance (vCSA) 6.0 - What's New

What’s new in the vCenter Server Appliance (vCSA) 6.0:

• ISO with an easy guided Installer
• Different deployment options possible during the guided installer such as:
  • Install vCenter Server
  • Install Platform Services Controller
  • Install vCenter Server with an Embedded Platform Controller (default)
• Scripted install. Values can be specified in a template file
• Embedded vPostgres database. As external database Oracle is supported.
• IPv6 Support
• Enhanced Linked mode support
• VMware Data Protection (VDP) support for backup and recovery
• Based on a hardened Suse Linux Enterprise 11 SP3 (64-bit)
• The minimum (Up to 20 hosts and 400 VMs) appliance requirements for the VCSA are:
  • 2 vCPU
  • 8 GB memory
  • ~ 100 GB diskspace
• Is has the same feature parity as vCenter Windows:

What are we missing:

• Still no Microsoft SQL database support.
• Possibility to separate roles of the vCenter
• VMware Update Manager is not included in the appliance. Still need an additional Windows Server for VMware Update Manager (VUM)
• Clustering of the vCenter Server Appliance

RHELAH

Red Hat also saw the technical advantages of a lean, mean Linux. They started working on it in Project Atomic. This open-source operating system is now available as variations on Fedora, CentOS, and RHEL.

From this foundation, Red Hat built RHELAH. This operating system is based on RHEL 7. It features the image-like atomic updating and rollback. Red Hat has committed to Docker for its container technology.

According to Red Hat, RHELAH has many advantages over its competitors. This includes being able to run "directly on hardware as well as virtualized infrastructure whether public or private." In addition, Red Hat brings its support and SELinux for improved security.

VMware Fault Tolerance (FT) in Vsphere 6.0

VMware Fault Tolerance (FT) is being one of my favorite feature but because of its vCPU limitation, It was not helping to protect the Mission Critical applications. With vSphere 6.0, VMware broken the limitation lock of Fault Tolerance. FT VM now Supports upto 4 vCPUs and 64 GB of RAM (Which was 1 vCPu and 64 GB RAM in vSphere 5.5). With this vSMP support, Now FT can be used to protect your Mission Critical applications. Along with the vSMP FT support, There are lot more features has been added in FT with vSphere 6.0, Let’s take a look at what’s new in vSphere 6.0 Fault Tolerance(FT).

Graphic thanks to VMware.com

Benefits of Fault Tolerance

• Continuous Availablity with Zero downtime and Zero data loss
• NO TCP connections loss during failover
• Fault Tolerance is completely transparent to Guest OS.
• FT doesn’t depend on Guest OS and application
• Instantaneous Failover from Primary VM to Secondary VM in case of ESXi host failure

What’s New in vSphere 6.0 Fault Tolerance

• FT support upto 4 vCPUs and 64 GB RAM
• Fast Check-Pointing, a new Scalable technology is introduced to keep primary and secondary in Sync by replacing “Record-Replay”
• vSphere 6.0, Supports vMotion of both Primary and Secondary Virtual Machine
• With vSphere 6.0, You will be able to backup your virtual machines. FT supports for vStorage APIs for Data Protection (VADP) and it also supports all leading VADP solutions in Market like symantec, EMC, HP ,etc.
• With vSphere 6.0, FT Supports all Virtual Disk Type like EZT, Thick or Thin Provisioned disks. It supports only Eager Zeroed Thick with vSphere 5.5 and earlier versions
• Snapshot of FT configured Virtual Machines are supported with vSphere 6.0
• New version of FT keeps the Separate copies of VM files like .VMX, .VMDk files to protect primary VM from both Host and Storage failures. You are allowed to keep both Primary and Secondary VM files on different datastore.

 Graphic thanks to VMware.com

Difference between vSphere 5.5 and vSphere 6.0 Fault Tolerance (FT)

vCenter Server 6.0

In vSphere 6.0, you will notice considerably new terms, when installation vCenter Server 6.0. As similar to the previous versions of vCenter Deployment, You can install vCenter Server on a host machine running Microsoft Windows Server 2008 SP2 or later or you can deploy vCenter Server Appliance (VCSA). With vSphere 6.0, There are 2 different new vCenter Deployment Models.

• vCenter with an embedded Platform Services Controller
• vCenter with an external Platform Services Controller

One of the Considerable Change, you will notice with vCenter Server installation is deployment models and embedded database. Embedded database has been changed from SQL express edition to vFabric Postgres database. vFabric Postgres database embedded with vCenter installer is suitable for the environments with up to 20 hosts and 200 virtual machines and vCenter 6.0 continuous to support Microsoft and Oracle Database as external database. with vCenter Upgrades, where SQL express was installed will be converted to vPostgres. Let’s review the System requirements to install vCenter 6.0:
Supported Windows Operation System for vCenter 6.0 Installation:

• Microsoft Windows Server 2008 SP2 64-bit
• Microsoft Windows Server 2008 R2 64-bit
• Microsoft Windows Server 2008 R2 SP1 64-bit
• Microsoft Windows Server 2012 64-bit
• Microsoft Windows Server 2012 R2 64-bit

 Supported Databases for vCenter 6.0 Installation:

• Microsoft SQL Server 2008 R2 SP1
• Microsoft SQL Server 2008 R2 SP2
• Microsoft SQL Server 2012
• Microsoft SQL Server 2012 SP1
• Microsoft SQL Server 2014
• Oracle 11g R2 11.2.0.4
• Oracle 12c

Components of vCenter Server 6.0:

There are two Major Components of vCenter 6.0:

• vCenter Server: vCenter Server product, that contains all of the products such as vCenter Server, vSphere Web Client,Inventory Service, vSphere Auto Deploy, vSphere ESXi Dump Collector, and vSphere Syslog Collector

• VMware Platform Services Controller: Platform Services Controller contains all of the services necessary for running the products, such as vCenter Single Sign-On, License Service and VMware Certificate Authority

vCenter 6.0 Deployment Models:

vSphere 6.0 introduces vCenter Server with two deployment model. vCenter with external Platform Services Controller and vCenter Server with an embedded Platform Services Controller.

vCenter with an embedded Platform Services Controller:

All services bundled with the Platform Services Controller are deployed on the same host machine as vCenter Server. vCenter Server with an embedded Platform Services Controller is suitable for smaller environments with eight or less product instances.

vCenter with an external Platform Services Controller:

The services bundled with the Platform Services Controller and vCenter Server are deployed on different host machines.You must deploy the VMware Platform Services Controller first on one virtual machine or host and then deploy vCenter Server on another virtual machine or host. The Platform Services Controller can be shared across many products. This configuration is suitable for larger environments with nine or more product instances.

How To Patch and Protect OpenSSL Vulnerability # CVE-2015-0291 CVE-2015-0204

A serious security problem has been found and patched in the OpenSSL Library. Multiple vulnerabilities have been discovered in OpenSSL on 19/March/2015. The Common Vulnerabilities and exposures project identifies the following issues:

1. OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) - Severity: High
2. Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) - Severity: High
3. Multiblock corrupted pointer (CVE-2015-0290) - Severity: Moderate
4. Segmentation fault in DTLSv1_listen (CVE-2015-0207) - Severity: Moderate
5. Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) - Severity: Moderate
6. Segmentation fault for invalid PSS parameters (CVE-2015-0208) - Severity: Moderate
7. ASN.1 structure reuse memory corruption (CVE-2015-0287) - Severity: Moderate
8. PKCS7 NULL pointer dereferences (CVE-2015-0289) - Severity: Moderate
9. Base64 decode (CVE-2015-0292) - Severity: Moderate
10. DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
11. Empty CKE with client auth and DHE (CVE-2015-1787) - Severity: Moderate
12. Handshake with unseeded PRNG (CVE-2015-0285) - Severity: Low
13. Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) Severity: Low
14. X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) Severity: Low

How bad will this actually be?

It is not bad as the heartbleed openssl bug disclosed in April 2014 in the OpenSSL cryptography library. But, new bug can cause "Denial of Service" and crash your services. It is good security practice, to quickly apply the patched version on your system and restart the affected services.

How to find openssl version on a Linux?

The syntax is as follows:

Find openssl version on a CentOS/RHEL/SL/Fedora Linux

openssl version
## or ##
sudo yum list installed openssl
 

Sample outputs:

Fig.01: How to RHEL/CentOS/Fedora Linux Find OpenSSL Version Command

A list of affected Linux distros

I recommend that you upgrade your openssl packages ASAP to avoid any security issues on both client and server systems powered by Linux based distro.

• RHEL version 6.x
• RHEL version 7.x
• CentoS Linux version 6.x
• CentoS Linux version 7.x
• Debian Linux stable (wheezy) 7.x
• Ubuntu Linux 14.10
• Ubuntu Linux 14.04 LTS
• Ubuntu Linux 12.04 LTS
• Ubuntu Linux 10.04 LTS

How to patch on a Linux?

Type the following commands as per your distro version/type:

## how do I find out my distro version? ##
lsb_release -a
## or use ## 
cat /etc/*-release

Sample outputs:

Gif 01: HowTo: Find Out My Linux Distribution Name and Version

CentOS/RHEL/Fedora Linux

Type the following yum command to patch openssl as root user to patch openssl:

sudo yum clean all

To install the updates, use the yum command as follows:

sudo yum update

To only update the OpenSSL package and its dependencies, use the following yum command:

sudo yum update openssl

Debian/Ubuntu Linux

Type the following apt-get commands to patch openssl as root user to patch openssl:

sudo apt-get update
sudo apt-get upgrade

Sample outputs:

Fig.04: OpenSSL patched on a Ubuntu Linux

Do I need to reboot my server/laptop/computer powered by Linux?

Short answer - yes, you need to reboot your computer/server to make all the necessary changes. Sysadmin should plan on updating as soon as possible or use maintenance reboot window:

sudo reboot

Long answer - It depends. You can avoid reboot by restarting required services. Fist, find all services that depend on the OpenSSL libraries, and restart them one-by-one using the service command:

### Debian/Ubuntu find out if service needed reboot ##
checkrestart -v
 
## Generic method ##
lsof | grep libssl | awk '{print $1}' | sort | uniq
 

Sample outputs:

hhvm
mysqld
nginx
php5-fpm

Restart the above services one-by-one, run:

sudo service restart hhvm restart
sudo service restart mysqld restart
sudo service restart nginx restart
sudo service restart php5-fpm restart