
Category Archives: vSphere 5


hi, folks:

I didn’t realize that would be the case for VMware. But when I checked and opened the file, I noticed this file contains the user name and password (in plain text) for my RSA database on SQL Server!

Is this by design?

To be honest, I’m very disappointed that such a big security breach exists on vCenter Server.

I would recommend that everyone running vCenter 5.x check their server and see whether you can see it as well.


Updates:

It seems it only exists in vCenter 5.1.x. The file doesn’t exist in vCenter 5.5.



First of all, Happy New Year 2013!! I am happy the whole world didn’t blow up; my guess is those Mayan dudes just ran out of space on that piece of stone and thought, why the hell should I care about the world thousands of years later? ;)

Now, back to VMware. With vSphere 5.1.0b released, I started to wonder whether it’s time to consider using vDS (vSphere Distributed Switch) to replace vSS.

vDS has been around for years, but only Enterprise Plus licensees can actually use it. The concept of vDS is great, but in the real world it is not practical, from my point of view, to use vDS to completely replace vSS.

My suggestion is to have a hybrid environment with vSS and vDS. As a matter of fact, that, I’m afraid, is your only option. There will be times when you need to fail VMs over from a broken vDS to something else, so between another vDS and a vSS, which one would you go with?

I did a little research regarding vDS and I would like to share some tricks and “how to”s with everyone. Feel free to pop up with questions and correct my mistakes as usual.

vSphere Client or vSphere Web Client?

Now, with the vSphere Web Client getting more and more popular, should we use the Web Client and dump the old one? The answer is no. The new Web Client is incomplete and slow, but it does provide more functions than the C++ version. I will stick with the Web Client in this post as much as possible.

What is vDS?

You can always find the answer in my old post here. Compared with vSS, vDS provides more virtual gateways (unlike vSS, vDS also virtualizes the uplink), more control and monitoring of the traffic going through the virtual switch, and profile-based deployment from vCenter to hosts, so vDS is aware of all hosts’ networking rather than working alone like vSS.

However, it does bring lots of other issues if you want to put vDS into production. One of them is renaming Uplinks.

Why do we need to rename Uplinks?

Uplinks exist on vDS only. An Uplink is a virtual port group which you connect your physical NICs to. Assuming you have 10 hosts, it’s hard to guarantee that every vmnic01 will connect to Uplink01, since vmnic01 may connect to a different network in the real world. After a while, you may get confused about what each Uplink is for.

Tricks:

Always rename your Uplinks before you start to connect anything to the vDS.

You need to rename your Uplinks ASAP after you create your vDS. Once the vDS is hooked up to something, it simply won’t let you touch the Uplink because it may be connected to something. Even if you remove the connection to another link, the vDS will still hold the same configuration until refresh time (for more details and the solution, please check my old post).

Steps to rename an Uplink

Log in to the Web Client.

After you rename your Uplinks, you can start to create a vMotion port group for the vDS.

Create vMotion for vDS

The funny thing about this step is that you have to create a vDS port group first before you can do anything else.

Now you can create a new Uplink for vMotion.

I skip the rest of the steps.

Tricks:

I don’t think you can vMotion between vSS and vDS. You can only vMotion between the same type of vSwitch, although you can migrate VMs from vSS to vDS with a few dropped pings.

Assign a specific vmnic to an Uplink

One thing you would like to do is assign vmnic01 (for example) to a specific Uplink. Please follow these steps.

Add physical adapters into the vDS via the Web Client.

Change Auto-assign to a specific Uplink.

Delete an Uplink (not the physical NIC connection)

The simple thing I want to do is remove one of the Uplinks. It’s the virtual Uplink on the vSwitch, NOT the physical NIC which I connected to the Uplink. But this very simple thing almost can’t be done via either the vSphere Client or the Web Client.

To give you a better understanding, a new vDS comes with 4 Uplinks connected to nothing. What happens if I add more Uplinks now and want to remove some of them later?

You add more Uplinks in the vDS settings, by raising the number of uplinks.

Unfortunately, the only way to remove an Uplink is either to rebuild a new vDS, or to migrate all your VMs to another switch, remove all physical host NIC connections to the Uplinks, go back to that setting and set a LOWER number!

If you set this number to 3, 2 Uplinks will disappear, but it won’t let you choose which 2. Therefore, you had better move all VMs and all connections between physical host NICs and Uplinks before you remove an Uplink.

This is not just my conclusion: a VMware Support Engineer was on the phone for 1 hour with me and came up with this solution. Maybe there is another way to do it, but we were not able to find it. If you know how, please let me know or leave it in a comment.

Conclusion:

There is still lots of testing we can do with vDS, but at this stage I definitely wouldn’t recommend ditching vSS and using vDS solely. A hybrid environment is what I would recommend.


It’s a shame that it took me 2 hours to find out why my Syslog Collector was not working. But I would like to share my experience with everyone, including how to debug it.

The Syslog Collector has two parts.

Part running on vCenter

The Syslog Collector must be installed first.

It is very important to configure your firewall so your syslog traffic can go through.

The Syslog Collector can use 3 different protocols: TCP, UDP and SSL. You can enable all of them.

Make sure you have space for this log collector.

That will install the plug-in directly into your vCenter.

Feel free to use your DOMAIN/SERVICE_ACCOUNT to replace the local administrator. But you need to make sure that the service account has local admin rights first.

Using a different account makes it easier to see in Task Manager how much memory it consumes.

You can replace the SSL certificate with a certificate from your local CA if you really want.

Then you can finish the installation.

You will see it in your Services list.

You will see it in your Task Manager.

Parts you need to configure on the ESXi host

On the ESXi host, you need to configure a little bit more than the PDF file tells you.

You need to configure the ESXi firewall to open the port (which I didn’t. –_-b)

After that, the easiest way to configure it is to use the vSphere Client (not the Web Client).

You can use either tcp://servername:514 or tcp://serverIP:514, or the other protocols.

Once it’s done, you should immediately have a new folder under your Syslog Collector folder, without any other action.

Debug Procedure:

Debug from vCenter

Check whether the Syslog Collector service is up.

Check whether Syslog appears in Task Manager.

Use telnet to check the TCP port to see whether the port is open / listening.

If you want to test the UDP port, you can use the Microsoft tool PortQryUI. You can find it at this link.

http://www.microsoft.com/en-us/download/details.aspx?id=24009
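As an added example (not part of the original post), the two port checks above, telnet for TCP and PortQryUI for UDP, as a small Python script that also pushes one test syslog line so you can confirm the collector writes it; the collector host and port are assumptions, and the local stub collector is constructed so the script runs offline.

```python
import queue
import socket
import threading
from datetime import datetime

def tcp_port_open(host, port, timeout=2.0):
    """The 'telnet host 514' check: True if a TCP connection is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def send_test_syslog(host, port, proto="tcp", tag="syslog-check"):
    """Send one RFC 3164-style line; PRI 134 = facility local0 (16*8) + severity info (6).
    UDP has no handshake, so a clean send only proves the packet left this box."""
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    msg = f"<134>{ts} {socket.gethostname()} {tag}: collector reachability test"
    data = (msg + "\n").encode()
    if proto == "tcp":
        with socket.create_connection((host, port), timeout=2.0) as s:
            s.sendall(data)
    elif proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        raise ValueError("proto must be 'tcp' or 'udp'")
    return msg

def start_stub_collector():
    """Constructed offline stand-in for the Syslog Collector: a TCP listener on 127.0.0.1 queuing each line."""
    lines = queue.Queue()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    def serve():
        while True:  # serve one connection at a time until the process exits
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as f:
                for raw in f:
                    lines.put(raw.decode().rstrip("\n"))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], lines

if __name__ == "__main__":  # against a real collector: replace 127.0.0.1/port with host and 514
    port, lines = start_stub_collector()
    print("TCP port open:", tcp_port_open("127.0.0.1", port))
    sent = send_test_syslog("127.0.0.1", port, "tcp")
    print("collector received line:", lines.get(timeout=5) == sent)
```

If the TCP check passes but the line never shows up in the collector folder, look at the collector-side firewall and protocol settings rather than the ESXi host.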

Debug from the ESXi host

Check the firewall and make sure the port is open.

Check the syslog settings in ESXi from the console.

Use this command to reload the ESXi syslog:

esxcli system syslog reload

Use this command to test the ESXi syslog:

esxcli system coredump network check

If it is successful, you should see something like this:

Verified the configured netdump server is running

You can also use the ESXi console to configure it rather than vCenter:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003322

The IP is the Syslog Collector IP address.

The vMA command is a little bit different since you normally need to authenticate yourself, hence I won’t list it here.

I think that’s everything about syslog. Please let me know if you have questions.


Symptom:

Well, essentially, this issue exists in both vSphere 5.1 and vSphere 5.1a. No matter what I did to install either vSphere 5.1 or 5.1a, I was never able to use the Web Client to connect to vCenter.

All you get is this error:

Could not connect to one or more vCenter Server Systems:

https://domain.com.au:443/sdk


This was really driving me crazy. The vSphere Web Client should connect to vcenterServer.domain.com.au rather than just domain.com.au.

I tried many things via the vSphere Web Client and none of them actually fixed the issue.

Now, let’s see the root of this issue:

Cause:

The root cause is that when you install vCenter Server, the wizard misguides you and you input a wrong value.

When you install vCenter Server, you are required to input a service account for running the vCenter service. Here is where I went wrong.

If you look at the account name, it only shows a simple user name. Clearly, I wanted to use a domain service account to run this service. From this picture, I thought the system was offering a local user on the vCenter server, which I didn’t want.

So I modified that FQDN to domain.com.au, thinking I could then use a domain account rather than a local account.

But I was wrong, since that FQDN is actually the vCenter server’s and has nothing to do with the account name and password.

Solution:

You should reinstall vCenter Server if you do have this issue. You can’t easily change the FQDN of vCenter in the Lookup Service (at least, I didn’t see any public docs). Reinstalling vCenter should fix the issue, but if that doesn’t work, you have to reinstall SSO, the Inventory Service and vCenter Server.

The interesting thing about that error is that once you leave that account, type the password and FQDN, click Next and then click Previous to go back and check the settings, the simple username becomes domain\username!!

Other information:

Do not log in to the Web Client with admin@system-domain, because that is the SSO admin and it has no rights on vCenter Server to see the content.

Please let me know if you have more questions.


I recently installed vSphere 5 in my test lab. Immediately, I noticed there are a few new services running under Windows Server. Let’s take a look at those services.

vCenter Inventory Service

Remember I always encountered the issue that the datastore inventory didn’t refresh exactly. It means when you browse the content of a datastore, you actually see nothing, even after you restart the vCenter service. I believe VMware understands this is a common issue and decided to separate the Inventory Service so we can manually clean it up.

I quote a procedure for how to clean up the Inventory Service database as follows. It may come in handy one day.

Procedure

1. Stop the vCenter Inventory Service.
   a. From the Windows Start menu, select Administrative Tools > Services.
   b. Right-click vCenter Inventory Service and select Stop.

2. Open a command prompt.

3. Delete the entire contents of the Inventory_Service_Directory/data directory.
   The location of the Inventory Service directory is specified during the vCenter Server installation.

4. Change directory to Inventory_Service_directory/scripts.
   For example, if you installed vCenter Inventory Service in the default location, run this command.

   cd /Program Files/VMware/Infrastructure/Inventory Service/scripts

5. Run the createDB.bat command, with no arguments, to reset the vCenter Inventory Service database.

6. Run the register.bat command to update the stored configuration information of the Inventory Service.

   register.bat current_vCenter_Server_fully_qualified_domain_name vCenter_Server_HTTPS_port

   For example, if the vCenter Server fully qualified domain name is machinename.corp.com and the HTTPS port is 443, run this command.

   register.bat machinename.corp.com 443

7. Restart the vCenter Inventory Service.
   a. From the Windows Start menu, select Administrative Tools > Services.
   b. Right-click vCenter Inventory Service and select Start.

The vCenter Inventory Service database is reset.

VMware USB Arbitration Service

According to VMware:

USB Arbitration Service

Manages connection requests and routes USB device traffic. The arbitrator is installed and enabled by default on ESXi hosts. It scans the host for USB devices and manages device connection among virtual machines that reside on the host. It routes device traffic to the correct virtual machine instance for delivery to the guest operating system. The arbitrator monitors the USB device and prevents other virtual machines from using it until you release it from the virtual machine it is connected to.

However, it’s the first time I have seen this service installed with vClient 5.0. As you can see from above, it normally sits on the ESXi host. So I assume it will work just like VMware Player, which allows you to redirect a USB device on your vClient machine to your VM. Still need to find out whether it’s secure to do it this way, though.

VMware vSphere Profile-Driven Storage Service

As you all know, in vSphere 5 we can associate a Virtual Machine Storage Profile with a VM and its virtual disks. The files that can be associated include .vmx, .vmsd, .nvram etc. You can assign disks to storage profiles of different speed or priority.

If you add a new virtual disk and associate it with a VM storage profile, this service does that job for you.

Well, that’s all I have discovered so far for vCenter. More stuff coming soon.


As you all know, vSphere 5 was released today. I was so happy and excited to see my favourite software reach a milestone on its journey.

However, when I checked out the vSphere 5 licensing, I found myself feeling betrayed and sad.

The reason is very simple. The vSphere 5 license lifts the CPU limit but puts a limit on memory instead.

As you can see, the Enterprise edition only allows an Enterprise user to use a maximum of 32GB per core for your VMs.

Let’s take an example.

If you have 5 DL380G7 hosts. Each host has 2 processors and 384GB memory.

With your current Enterprise license, the maximum RAM you can use is:

5(hosts) x 32(GB) x 2 (proc) = 320GB (10 licenses)

If you want to use all the memory you have already bought, which is 1920GB, you need to buy an additional 50 Enterprise licenses!!

So with the same company and the same equipment, you have 5 times the cost compared to vSphere 4.

What makes it even worse is:

vRAM Entitlement

We have introduced vRAM, a transferable, virtualization-based entitlement to offer customers the greatest flexibility for vSphere configuration and usage. vRAM is defined as the virtual memory configured to virtual machines. When a virtual machine is created, it is configured with a certain amount of virtual memory (vRAM) available to the virtual machine. Depending on the edition, each vSphere 5.0-CPU license provides a certain vRAM capacity entitlement. When the virtual machine is powered on, the vRAM configured for that virtual machine counts against the total vRAM entitled to the user. There are no restrictions on how vRAM capacity can be distributed among virtual machines: a customer can configure many small virtual machines or one large virtual machine. The entitled vRAM is a fungible resource configured to meet customer workload requirements.

Wow. It means no matter what kind of VMware memory technology you apply to your vCenter, it’s calculated by virtual memory!!! Not even physical memory!!

It means if you use 4 GB on 4 VMs, and in fact only 1GB of your physical memory is used by the VMs, it’s still counted as 16GB vRAM!!

WTF is VMware thinking? Guess what I felt when I read it? It’s a deal breaker for my career change!! I guess I need to focus on Hyper-V and Citrix now, if their price is reasonable.

Is 13th July an exciting day for VMware? No, it’s a very very SAD day.

P.S.: Too bad I just passed VCAP-DCA. If I had known that, I would have switched to Citrix Xen…..
