Tuesday, September 4, 2018

VMware New Updated Certifications Release

Three certifications were released before VMworld 2018, as announced here: VCAP-DCV 2018 Deploy, VCAP-CMA Deploy 2018 and VCP7-DTM 2018.

What is new here is the naming convention: the certification is no longer tied to the version of the product. This is also mentioned in the article as well as on the certification page.

These certifications have been long awaited: vSphere 6.5 was released more than a year ago and the Design exam has been available since last year, but the Deploy exam was not until now. The same applies to the Cloud Automation exam.

For VCP-DTM, this is more of an update to match Horizon 7.5.

I do welcome the naming convention, as it also lets test takers know when they last took their exam, especially since VCP is valid for two years.

As mentioned in my last blog post on VCAP6.5-DCV Design, VCP and VCAP test different capabilities. The Design and Deploy testing criteria also differ, since they target different audiences: an architect versus an administrator, per se.

I was fortunate to be involved in contributing to both the VCAP6.5 Design and Deploy exams. It took a lot of time and debate among all the SMEs to create the exams, and it was a great opportunity to meet many experts in the field.

If you have taken any of the exams, do provide feedback, good or bad, so the VMware Certification team can take it into future development.

Tuesday, August 28, 2018

VMware vForum 2018 Singapore: vWarrior Championship!


The yearly VMware vForum 2018 Singapore has been announced for 4th Oct and can be registered for here, just as VMworld 2018 is running. You can expect some content from VMworld for sure.



What's New?
One new program coming out of vForum this year in Singapore is the vWarrior Championship. This is going to be one of its kind.

This is going to be a Hands-on Lab competition in which teams compete to complete tasks in the correct manner. Of course, there will be an introduction session beforehand for those who aren't familiar. To be fair, we don't expect everyone to know everything.

Here are the details:


Grand Prize: Go Pro Hero 6 Black per member
Runner Up Prize: Amazon Echo Dot 2nd Gen per member

Short description: Showcase your technical capabilities in our Hands-on Lab environment across the VMware portfolio of solutions in Software-Defined Data Center (SDDC) and End-User Computing (EUC). 

Compete through a group stage and knockout rounds to be crowned the grand prize winner!

Notes: 
  • Each round will cover a different solution
  • Form a team of 1 – 3 members and register via this link
  • Briefing and training will be held on 13th and 20th September; each session covers a different set of solutions related to the competition (recommended to attend)
  • Registration ends 3rd September


What are you waiting for?
Quickly sign up. Did I mention that each participant will be given a vWarrior Varsity Jacket?


Tuesday, August 14, 2018

Validated and Compliance Versus Certified and Approved

As a technical professional, it is always very annoying to see honesty being breached by marketing words. How many times have you seen creative wording used to justify something that is not true? Or vendors claiming to be something they are not?

That brings me to the topic in my subject. Have you come across products stating that they are Validated and Compliant instead of Certified and Approved, and then had to explain the meaning behind this?

A lot of confusion is created by this choice of words. To clarify, we will use an example with sources you can verify yourself, to see what is really Certified and Approved as opposed to merely following Validated guidelines or being Compliant with certain requirements.

Let's use VMware products for discussion. You can find out that VMware vSphere, NSX and vSAN are Approved DISA STIG solutions. If you head over to STIG Viewer, you can see the guidelines given for all the approved solutions, and you will find VMware vCenter, NSX and ESXi on the approved list. VMware vSAN is part of VMware ESXi; as such, it is also covered in the STIG, which you can read more about in the public post that links to the STIG guideline.

To be part of a solution used in the DoD, a product has to have DISA STIG approval. However, just following a DISA STIG guideline only makes a solution compliant, not approved. Approval can only be granted by the governance body.

So Compliance is NOT equal to Approved.

Do not get this confused. Anyone can be in compliance by following a guideline, but that does not equal being approved.

Next, let's talk about Compliance. Take FIPS 140-2, which is governed by NIST. To know whether a solution vendor is certified by NIST for FIPS on its crypto module, you can head over here and check whether the vendor is listed. When a solution or product claims it is compliant/validated on FIPS, this does not equate to being certified, as many think. The word "Validated" has been misused many a time. To find out the truth, use the NIST search and key in the vendor name to be sure.

If you enter VMware, you will see that the VMware Cryptography Module is listed; this is because vSphere is FIPS certified and uses this module. You can also try other vendors such as Red Hat, Oracle, Citrix, Nutanix and Microsoft, and you will find different results.

Note that FIPS 140-2 also has two levels, where level 1 is applicable only to software and level 2 is applicable only to hardware.

Validated is NOT Certified.

Be very careful when you need a FIPS solution and it is claimed to be Validated but is not really Validated, or even Certified. What does your security policy require for compliance in your environment: is Validated enough, or must it be Certified? Make sure you are certain of it.

Tuesday, July 3, 2018

Assumed Support from Third Party Solutions

While preparing presentation slides for a workshop, I happened to look up third-party virtual switch support on vSphere.

This is the KB from VMware. For those who are not aware, VMware has announced the end of support for third-party virtual switches on vSphere, and vSphere 6.5 Update 1 will be the last release to support these switches with the vSwitch APIs.

While reading through the pointers I came across one point that caught my attention:


What about Cisco AVS, which is part of the Cisco ACI solution? Are you also discontinuing support for AVS? 
VMware has never supported Cisco AVS from its initial release.

This might come as a surprise, but there are customers who have implemented the above without knowing that VMware does not support it.

Using the above as a discussion point: there are many solutions on the market that claim, or are marketed, to support certain hardware or software. However, on further research, this turns out to be a one-sided support claim that was never two-way.

Using the above example from Cisco (hope Cisco doesn't hate me for that): suppose you hit an issue running Cisco AVS, thinking that VMware supported it. When you raise a support case with VMware and need something changed, an API tweaked, or a driver created or modified, you will get nothing out of it, as it was unsupported in the first place.

Imagine this running in your production environment: you have just made your environment unsupported. Logging a case with Cisco might not solve your problem if it requires something from VMware to help support Cisco AVS.

Now to bring this to your attention: many solutions currently claim to support some hardware or software. When selecting a solution, make sure that support goes both ways and is not just a one-sided claim. If you run software that requires support from both parties and one of them does not support it, you are as good as hitting a dead end.

When planning a solution, check two-way supportability with the vendors you are using. This avoids coming to a stop when you need help the most.

Tuesday, June 12, 2018

Software Support Service Level, Why it Auto Close?

Many times I have heard comments on software support from customers of other vendors, as well as internally, working at a principal.

The interesting part is that many do not know how these support services measure their support quality or success criteria.

This article illustrates how a support ticket progresses and how it is closed, or temporarily closed until the user responds.

Typically when we raise a support request, there are three levels of severity. I won't go into the details here, but you can check out my past post on that.

An engineer typically responds to a support request within the severity SLA if it is raised online. If it is raised over the phone, the user will have to wait for the next available engineer to answer.

Once a call with the user is completed, the engineer will reply to the user based on what was communicated over the phone. The next step is typically to wait for the user to perform a certain task and revert.

This can go on several times, but eventually, once the ticket is waiting for the user to respond, a timer will start. It lasts for 3 days before the ticket is automatically closed or temporarily closed, and an email is typically triggered to inform the user.

Now I know this is frustrating: as a user you still want that ticket open, as you haven't had the time or didn't expect an unfinished issue to be closed.

This is the part that needs explanation. The support engineer is measured by the number of tickets closed on time. So the request system helps by identifying tickets that have been open for three days without being closed, and performs an auto closure or temporary closure with an email to the customer. To keep the ticket open for more than 3 days, the user should either reply to the service request so that the system resets the timer, or ask the engineer to flag it in the system to prevent the auto closure.

Having more tickets closed also means that support service quantity is higher, as they are able to close more tickets and have fewer pending tickets. This is also a measure of the success criteria.

So the next time you need more time, or need a service request ticket to remain open, either reply to the email within 3 days or tell the engineer you are speaking to not to close it.

However, do note that not all systems allow the engineer to prevent auto closing. It is best to reply within 3 days.

Tuesday, May 22, 2018

vMotion Between CPUs

With the release of vSphere 6.7, the ability to set EVC at a per-VM level instead of a per-cluster level raises some questions.

Before we start, here is an article on how to check what level of EVC to use.

One question often asked: does vMotion work across newer CPUs in the same generation without an EVC cluster?

If you follow this KB, in the last paragraph:

Once the virtual machine is power cycled:
  • They are only able to move to other ESX/ESXi hosts that are at the same CPU generation or newer.

What this statement means is that if you have a new server with a new CPU generation, technically you can perform a vMotion without having the VM in an EVC cluster.

However, there are cases where vMotion will fail even when the CPU is of the same generation, because an older version of VM hardware has a more stringent check. As stated here, this is due to the destination host having a newer CPU with ISA extensions not found on the source host.

In the above case, vMotion will still fail without having the VM in an EVC cluster unless the VM is upgraded to a newer version of VM hardware.

As good practice, when upgrading your vSphere environment, upgrade your VMware Tools and VM hardware as much as possible. More often than not, I have seen environments with old VMware Tools and VM hardware running on a newer version of vSphere.

In either case, both upgrading VM hardware and placing a cluster or a VM (in vSphere 6.7) in EVC mode require a power cycle (note the difference: not a restart).

Saturday, May 5, 2018

VMUG Singapore by VMware and HPE

If you are in Singapore, do remember to register for VMUG Singapore event sponsored by VMware and HPE.

Look for the event details here.

This is not going to be the usual evening session; it will start at 2pm this coming Friday, 11th May. There will be several sessions on the updated releases from VMware and HPE, and a networking session, vBeer, to interact with fellow professionals, as well as a chance for you to find out more about what VMware and HPE are cooking.

We will also have our special guest Don Sullivan, author of Virtualizing Oracle Databases on vSphere.

So don't look further, if you are in town, Join Us!

Tuesday, April 17, 2018

New in Software Defined Compute in vSphere 6.7

Today marks the release of the next iteration of vSphere. Most changes are improvements to existing features, including vSAN, which is embedded in ESXi.

First, the vCenter Appliance will support a Single Sign-On domain with embedded PSC with Hybrid Linked Mode. Upgrading from an older vCenter Server with an External PSC will not be possible at release. The External PSC setup is still supported. Hybrid Linked Mode supports on-prem vCenter Server 6.7 with VMware Cloud on AWS vCenter Server 6.5. Lastly, this is also the last release to support vCenter Server on Windows, as mentioned in the last release.

There will be a backup tool that can be scheduled to help manage the vCenter recovery process.
For migration to vCSA, the migration tool allows an asynchronous background process to reduce the amount of downtime.

The HTML5 Client (Clarity UI) now has feature parity of up to 95%, up from version 6.5. You can now operate almost everything, including Content Library, Storage Policies and the vDS Topology Diagram, to name a few. VM encryption also has more granular control to allow further customization. TLS 1.2 will be used by default.

Update Manager now uses Clarity UI completely.

For ESXi, the biggest change is a new feature, "Quick Boot". This removes the need to reboot the server through the hardware boot screen and instead reboots only at the hypervisor level. This definitely saves lots of time. Don't you hate waiting for every single hardware device test to finish before you even reach the hypervisor or OS? To enjoy this, you need to be on at least 6.5 and upgrade to 6.7.

In terms of security, TPM is used to ensure a hardware root of trust, with Secure Boot (in vSphere 6.5) validating the boot loader and VMkernel. With the support of Windows 10 and Server 2016, VBS and Credential Guard are also supported. vTPM is also supported for VMs. However, do note that this requires an upgrade to the newer vHardware.

vSphere will also support Nvidia GRID for normal server VM. Suspend and resume is 
Instant clone is another big feature

One big enhancement is to EVC. Instead of only per cluster, you are now able to set it per VM. That makes life much easier if you use EVC.

Check out the details here.

Update 19th Apr
Fault Tolerance now supports 8 vCPUs and 128GB of memory per VM. Check out the new site for configuration maximums: https://configmax.vmware.com/home.

VVOLs now support SCSI-3 persistent reservations, which means they can now support WSFC. This also means you can leverage vSphere Replication to replicate a WSFC VM without using RDM! Check it out.

What's New in vSAN 6.7

The release of vSphere 6.7 comes with its in-kernel vSAN upgraded to 6.7 as well.

With the big move to the HTML5 client (Clarity UI), vSAN 6.7 will support Clarity, with much of its functions and management done in Clarity. That is definitely better than using the vSphere Web Client.

Together with this release, a new assessment tool for HCI is introduced. It works not just on vSphere but also on Hyper-V and physical servers. The best part is that this assessment tool is free.

The long-awaited support for WSFC is now possible with the iSCSI target. There are also bigger improvements in destaging, data placement and failure handling.

Check out the post here.

Tuesday, April 3, 2018

VMware vCenter Server Virtual Machine Name Character Limit

Recently I was asked how many characters a VM name can have, and whether any special characters can be used.

Having worked with vSphere since version 3.x, it had never occurred to me that there was a limit there.

Having said that, there are cases where a customer would need this; for example, to have the VM name match the FQDN. This is especially true in a multi-domain or multi-tenant environment, where VM names could be the same and only the domain or tenant is the differentiator.

After a quick check, here are the KBs that state the limits:

  • As of vCenter Server 4.1, the number of characters supported is 80. KB
  • Display names for any object (e.g. VM name, datastore name) should not contain special characters like %, &, *, $, #, @, !, \, /, :, *, ?, ", <, >, |, ;, ' etc. This applies to names of vSphere entities such as virtual machine names, cluster names, and datastore/folder/file names. However, '-' and '.' are apparently supported. KB

Here are the test results:


To be in line, I checked Microsoft Active Directory DNS: 64 characters is the maximum allowed for a DNS name and 255 characters for an FQDN, as stated here.
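The two KB limits above applied to FQDN-style VM names in a multi-tenant inventory, as an added example that is not part of the original post or any VMware tooling. The tenant domains and host names are constructed, and the forbidden set is only the characters the post lists (its list ends in "etc.").

```python
from collections import Counter

MAX_NAME_LEN = 80  # vCenter Server 4.1 and later, per the KB cited above
# Characters the post lists as unsupported; treat as a minimum set.
FORBIDDEN = set('%&*$#@!\\/:?"<>|;\'')

# Constructed sample: (short host name, tenant domain).
SAMPLE_HOSTS = [
    ("web01", "tenant-a.example.com"),
    ("web01", "tenant-b.example.com"),
    ("db01", "tenant-a.example.com"),
    ("app-" + "x" * 40, "very-long-business-unit-name.tenant-c.example.com"),
]


def check_vm_name(name):
    """Return a list of problems with a proposed vSphere display name."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"{len(name)} characters, limit is {MAX_NAME_LEN}")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def plan_fqdn_names(hosts):
    """Build FQDN display names for a list of (short, domain) pairs.

    Flags short names that would collide across tenants (the reason for
    FQDN naming in the post) and validates every resulting display name.
    """
    short_counts = Counter(short.lower() for short, _ in hosts)
    plan = []
    for short, domain in hosts:
        display = f"{short}.{domain}"
        plan.append({
            "display_name": display,
            "short_name_collides": short_counts[short.lower()] > 1,
            "problems": check_vm_name(display),
        })
    return plan


if __name__ == "__main__":
    for entry in plan_fqdn_names(SAMPLE_HOSTS):
        status = "; ".join(entry["problems"]) or "ok"
        note = " (short name collides)" if entry["short_name_collides"] else ""
        print(f"{entry['display_name']}: {status}{note}")
```

Note that '.' and '-' pass, so a plain FQDN is only rejected here when it exceeds the 80-character limit.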



Tuesday, March 13, 2018

VMware vExpert 2018 Announcement

Just back from my company's Tech Summit and waiting for the announcement to be made.

The very next day an email came in and the announcement was made here. A quick check on the list of candidates showed a total of 1525 who made it this year.

Congrats to everyone who made it this year.

I am glad to be part of this community for the 7th year running, since I started paying it forward with this blog, discussion groups, videos, etc.

For those who didn't make it or have not applied, do attempt it; you never know when your effort will be rewarded.


Update 19th Mar 2018
The number has since increased to 1533, as some pending applications were approved.
You can follow the stats with a breakdown here: https://vexpert.vmware.com/directory/stats.

VMware License Key Error

Recently I encountered a valid license key that was not accepted by the system. This happened on vRealize Operations, as shown below, while adding the license key for the vRealize Operations for Horizon Adapter.


A license gotcha here: it seems that VMware has a fixed format for all license keys. A key should come in 5 segments instead of 4, each with 5 digits.


Sometimes simple things like this just slip past our eyes.

Tuesday, February 27, 2018

VMware vCenter Editions

Recently a colleague hit an issue with his vCenter setup due to the expiry of a license. A new license was to be used, but he was still hitting some problems. A quick check showed he was using a vCenter ROBO edition license while ESXi was running vSphere Enterprise Plus.

So here is a clarification of the different editions of vCenter from VMware, with their available features and limitations. Do note that some features depend on the vSphere edition.

Refer to this KB for a comparison of some vSphere 6.x features. I have also previously illustrated this for vCenter 5.x here, which basically stays the same other than the new features in vCenter 6.x. For vCenter Desktop, that would be another article here.


| vCenter Edition | Essential | Foundation | Standard |
|---|---|---|---|
| Availability | Bundled in Essential/Plus Kit | Sold separately. Manage up to 4 hosts (3 prior to 6.5 U1) | Sold separately. |
| Manage | vSphere Essential/Plus | vSphere Standard and above | vSphere Standard and above |
| vCenter HA | NA | Yes | Yes |
| Enhanced Linked mode | NA | NA | Yes |
| vRealize Log Insight Lite | NA | NA | Yes |
| Fault Tolerance | No | Yes | Yes |
| Backup Restore | Yes | Yes | Yes |
| Appliance Migration Tool | Yes | Yes | Yes |

Lastly, what happens to your vCenter when the license expires? Check out my past post.


Update 6th Mar 2018
Updated the vCenter Foundation edition and removed the vCenter ROBO edition.

Tuesday, February 6, 2018

Horizon 7 with Nvidia GRID Setup Gotchas

I have been setting up a POC environment for a customer, and this time it involved using Nvidia GRID.

I encountered some setup steps that are missing from the nVidia deployment guide.
In fact, every single setup guide uses the nVidia K1 & K2 cards as a reference, and those cards have reached EOA.

Here I will share what applies if you are using any of the newer cards, e.g. M60, M6, M10, etc.

Here are some resources you should refer to when setting up GRID on Horizon 7.x.
  1. Register an account with nVidia to download the VIBs for ESXi, the nVidia License Server and the Nvidia driver for Windows OS.
  2. Deploying Hardware-Accelerated Graphics with Horizon 7
  3. GRID Virtual GPU
    I love to use this guide as a reference for which profiles are available for each card type.

In summary, what needs to be done on the master image:
  1. Install VMware tools
  2. Install Horizon View Direct-Connect agent (you will see why this is needed later)
  3. Shutdown VM
  4. Edit VM settings, add shared PCI device, select your GRID profile
  5. Take a snapshot (in case you need to revert)
  6. Power up the VM
  7. Install Nvidia GRID drivers
  8. Reboot VM
  9. Use the IP and connect using Horizon Client (a bug due to Nvidia graphics driver in use, vSphere console no longer works)

Some of the gotchas to watch out for:
1. On ESXi 6.5 and above, go to each ESXi server and, under Configure, make sure these 2 things are in place:

Security Profile: the X.Org Server service is started.
Alternatively, from the ESXi Shell or SSH you can run  > /etc/init.d/xorg start



Graphic: Change Shared to Shared Direct for both Host and Slot
Reference


2. If you are using the new Dell Gen 14 servers, there is a bug stated in the release notes, page 9.

When running nvidia-smi you will receive the following error message: "failed to initialize NVML: unknown error"


Resolution
In the System BIOS Settings, Integrated Devices, Memory Mapped I/O Base, set to 12TB (default 56TB)


Lastly, check that everything is in place:

ESXi Shell or SSH:

> nvidia-smi
This will return all the GPUs found on the nVidia card in the server.

> dmesg | grep -i nvidia
This will show you whether the driver on ESXi has loaded properly and successfully.

Friday, January 12, 2018

VMware Spectre and Meltdown Information

Recently, the security measures against the two newly discovered vulnerabilities have generated a lot of talk. This all started with the disclosure by Google Project Zero.

I also recently shared advice from VMware support and KBs with our Singapore VMUG users during our event yesterday.

Below is a summary of questions and the approach you should take for patching your VMware environment.

Details on Spectre and Meltdown


Side Notes

  • ESXi is only affected by Spectre, and all patches for ESXi 5.5 and above have been released. Removed due to the retraction of code as instructed by Intel. Check the updates below.
  • ESXi is NOT affected by Meltdown as it does not have untrusted user access.


FAQ

  1. We heard that the patches affect performance. Will these patches from VMware affect the performance of hypervisor?
    Patches for ESXi have no measurable performance impact, but guest-level patching might. The guest OS vendor is the right contact to comment on this, e.g. Microsoft.
  2. Other than patching ESXi and the OS, are there other things to take note of?
    VM hardware must be upgraded in order for the patches to work. Virtual Hardware Version 9 is the minimum requirement for Hypervisor-Assisted Guest Mitigation for branch target injection (CVE-2017-5715), because the MSR bit is exposed in this version. Hardware version 11 is recommended, as PCID on the CPU is exposed in this version.
  3. I am running vCenter on Windows, do I need to patch vCenter?
    Yes, please download the latest patches together with ESXi for your vCenter. Follow the same process as for upgrading.
  4. How will VMs running Windows XP, 2003, Windows 2000 and other legacy OSes be impacted?
    OS vendors should provide the patches. In this case, Microsoft does not provide patches for legacy OSes, so there will be no solution.
  5. Do I need to install the BIOS patch from the server vendor if I have applied ESXi patches?
    Yes, it is best to apply server vendor BIOS patches if available, as the server vendor might provide additional components specific to their server hardware.
    Follow the server vendor's BIOS update. ESXi patches have been retracted following Intel's instruction.
  6. What if I have applied server BIOS patches do I still apply VMware ESXi patches?
    ESXi will only push microcode on the hardware if it is older.
    No more ESXi patches.
  7. I am using server custom ESXi ISO but it is not updated, can I apply the patches from VMware?
    Yes, you can apply these patches to custom ISO. Please check with your hardware vendors for any special change they might have.
    No more ESXi patches.
  8. How do I know if my CPU has an updated microcode from Intel?
    Please check https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr.
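The virtual hardware thresholds from FAQ item 2, turned into an inventory audit, as an added example that is not part of the original post or any VMware tooling. The CSV column names and VM names are constructed, and the hardware version is assumed to be exported in a form such as vmx-09, v8 or 11.

```python
import csv
import io
import re

# Thresholds from FAQ item 2 above.
MIN_HW_VERSION = 9           # MSR bit for CVE-2017-5715 mitigation is exposed
RECOMMENDED_HW_VERSION = 11  # PCID is exposed to the guest

# Constructed inventory export; names and columns are hypothetical.
SAMPLE_INVENTORY = """\
name,hw_version,power_state
web01,vmx-13,poweredOn
legacy-xp,vmx-07,poweredOn
db01,vmx-09,poweredOn
app02,vmx-10,poweredOff
file01,vmx-11,poweredOn
template-old,v8,poweredOff
mystery,,poweredOn
"""


def parse_hw_version(text):
    """Accept 'vmx-09', 'v8' or '11'; return the number, or None."""
    match = re.fullmatch(r"\s*(?:vmx-|v)?(\d+)\s*", text or "", re.IGNORECASE)
    return int(match.group(1)) if match else None


def classify(version):
    """Map a hardware version to its mitigation status per the FAQ."""
    if version is None:
        return "unknown"
    if version < MIN_HW_VERSION:
        return "no-mitigation"   # guest patch cannot use the MSR bit
    if version < RECOMMENDED_HW_VERSION:
        return "minimum"         # mitigation works, PCID not exposed
    return "recommended"


def audit(inventory_csv):
    """Group VM names by mitigation status."""
    report = {"unknown": [], "no-mitigation": [], "minimum": [], "recommended": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(parse_hw_version(row["hw_version"]))].append(row["name"])
    return report


def upgrade_plan(inventory_csv):
    """VMs below the minimum version as (name, version, needs_downtime).

    A VM hardware upgrade needs a power cycle, not a guest restart, so a
    powered-on VM needs a maintenance window.
    """
    plan = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_hw_version(row["hw_version"])
        if version is not None and version < MIN_HW_VERSION:
            plan.append((row["name"], version, row["power_state"] == "poweredOn"))
    return plan


if __name__ == "__main__":
    for status, names in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
    for name, version, downtime in upgrade_plan(SAMPLE_INVENTORY):
        print(f"upgrade {name} (v{version}), downtime needed: {downtime}")
```

VMs reported as unknown should be checked by hand rather than assumed to be covered.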

Refer to security advisories 

  1. https://www.vmware.com/security/advisories/VMSA-2018-0004.html supersedes https://www.vmware.com/security/advisories/VMSA-2018-0002.html

Additional materials

Update 23rd Jan 2018
VMware has updated the response on this KB.
If you are running on ESXi 5.5, there is an update patch based on the Security Advisories.

Update 22nd Jan 2018
VMware has released a dashboard kit using vRealize Operations to help monitor performance after applying the recommended patches and to manage BIOS patches, here. If you do not own vRealize Operations, you can use the evaluation for 60 days.

Update 15th Jan 2018

The ESXi patch updates have been retracted until further notice. Only the vCenter update applies. Follow the KB update.

Update 13th Jan 2018

Following Intel's update, please follow https://kb.vmware.com/s/article/52345 for Intel Haswell and Broadwell processors.

 

