Today VMware announced vSphere 6.7, coming almost a year and a half after the release of vSphere 6.5. The download doesn’t look like it is quite available yet, but it should be shortly. Below is the What’s New document from the Release Candidate that summarizes most of the big things new in this release. I’ll be doing an in-depth series following this post with my own take on what’s new with vSphere 6.7. Also be sure to check out my huge vSphere 6.7 Link-O-Rama collection.
Compute
- Persistent Memory (PMem): In this RC, ESXi introduces support for Persistent Memory to take advantage of ultra-fast storage closer to CPU. PMem is a new paradigm in computing which fills the important gap between ultra-fast volatile memory and slower storage connected over PCIe. This RC includes support for PMem at the guest level to consume as a ‘virtualized Non-volatile dual in-line memory module (NVDIMM)’ as well as a ‘virtualized fast block storage device’ powered by PMem. It is also important to note that customers using ESXi with PMem can manage PMem resources at the cluster level and can also perform live migration of workloads using PMem.
Security and Compliance
- Transport Layer Security protocol (TLS) 1.2: This vSphere RC has been updated (in accordance with the latest security requirements) to adopt the latest version of the TLS protocol. This release includes support for TLS 1.2 out of the box. TLS 1.0 and TLS 1.1 will be disabled by default, with the option to manually enable them on both ESXi hosts and vCenter servers.
- FIPS 140-2: This vSphere RC includes FIPS 140-2 capabilities turned on by default! The UI management interfaces now use FIPS 140-2 capable cryptography libraries by default, and the VMware Certificate Authority will use FIPS 140-2 capable libraries for key generation by default. The kernel cryptography module is currently under evaluation for FIPS 140-2 validation, and ESXi already uses that module. Note that the VAMI UI is not FIPS capable in this release. Note: To clarify, FIPS features are “turned on” in this release. FIPS certification of vSphere is a process that VMware is exploring for a later date.
- TPM 2.0 Support and Host Attestation: This vSphere RC release introduces support for TPM 2.0 and a new capability called “Host Attestation”. A TPM, or Trusted Platform Module, is a hardware device designed to securely store information such as credentials or measurements. In the case of ESXi, a number of measurements are taken of a known good configuration. At boot time measurements are taken and compared with known good values securely stored in the TPM 2.0 chip. Using this comparison, vSphere can ensure that features such as Secure Boot have not been turned off. In 6.5, Secure Boot for ESXi was introduced and ensures that ESXi boots using only digitally signed code. Now with Host Attestation, a validation of that boot process can be reported up to a dashboard within vCenter.
- Virtual TPM (vTPM): The vTPM capability in this release lets you add a virtualized TPM 2.0 compatible “chip” to a virtual machine running on vSphere. The guest OS can use the virtual TPM to store sensitive information, perform cryptographic operations, or attest the integrity of the guest platform. In this release, vSphere makes adding a virtual TPM to a VM as easy as adding any other virtual device to the VM. In a hardware TPM, the storage of credentials is protected by an encrypted space on the TPM. For a virtual TPM, this storage space is encrypted using VM Encryption. VM Encryption was introduced in vSphere 6.5 and requires the use of an external Key Management System. See the documentation for more information on these requirements. As a point of clarification, the virtual TPM does not extend to the host’s hardware TPM. To support operations such as vMotion or vSphere High Availability, the host has a root of trust in its hardware and, based on that, presents trusted virtual hardware to virtual machines.
- Support for Virtualization Based Security (VBS): This vSphere RC provides a seamless way to prepare Windows VMs for Virtualization Based Security (VBS). This is as easy as clicking a single checkbox in VM settings! vSphere will enable admins to enable and disable VBS features for Windows VMs and verify that Windows VBS features (Credential Guard and Device Guard) are functional inside the guest OS. This feature requires the ESXi host to be running on a Haswell (or later) CPU and the guest OS to be Windows Server 2016 or Windows 10 (64 bit). Note: Additional configuration within Windows is necessary to enable these features. See Microsoft documentation for more information.
- Encrypted vMotion: Encrypted vMotion was introduced in vSphere 6.5. With this release, this feature will also be supported across different vCenter instances and versions.
- VM Encryption: VM Encryption provides a VM-level data-at-rest encryption solution and was introduced in vSphere 6.5 to protect the VM from both external and internal threat vectors as well as to meet the compliance objectives of an organization. In this release, the VM Encryption UI in the HTML5 client gets a facelift which makes enabling encryption on virtual machines seamless using the new HTML5 based vSphere client.
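One check that follows from the TLS 1.2 item above, added here as example code rather than anything shipped by VMware: probe an ESXi or vCenter endpoint with a client pinned to exactly one protocol version at a time and flag any legacy version that still negotiates. The host and port are assumptions for your own environment.

```python
import socket
import ssl
from typing import Dict, List

# Protocol versions to probe. Per the release notes, only TLS 1.2 should
# be enabled by default on ESXi hosts and vCenter servers in 6.7.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
LEGACY = ("TLSv1.0", "TLSv1.1")


def handshake_with(host: str, port: int, version: ssl.TLSVersion,
                   timeout: float = 5.0) -> bool:
    """Attempt one handshake pinned to a single protocol version.

    Returns True only if the server completed the handshake at that version.
    Certificate validity is deliberately not checked here; the question is
    protocol negotiation, not trust in the endpoint's certificate.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # SSLError: server refused the version; OSError: connection problem;
        # ValueError: this client's OpenSSL build cannot offer the version.
        return False


def probe(host: str, port: int = 443) -> Dict[str, bool]:
    """Map each probed version name to whether the endpoint accepted it."""
    return {name: handshake_with(host, port, ver) for name, ver in VERSIONS.items()}


def legacy_enabled(results: Dict[str, bool]) -> List[str]:
    """Versions that 6.7 disables by default but this endpoint still accepted."""
    return [name for name in LEGACY if results.get(name)]


if __name__ == "__main__":
    # Hypothetical target; replace with your vCenter or ESXi management address.
    findings = probe("vcenter.example.internal")
    print(findings)
    print("legacy versions still enabled:", legacy_enabled(findings))
```

On a client built against OpenSSL 3, the library's default security level can itself refuse TLS 1.0/1.1 handshakes, so a False result for those versions only proves the server rejected them if the probing client is known to still support them.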
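To make the measure-and-compare step in the Host Attestation item above concrete, here is an added simulation (not VMware's code) of how a TPM's PCR extend operation turns an ordered boot event log into values that can be compared with known-good ones; the PCR indices and event strings are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# TPM 2.0 SHA-256 PCRs start out as 32 zero bytes at power-on.
PCR_INIT = bytes(32)


def extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend: new = H(old || H(event)).

    Measurements accumulate in order and there is no "set" operation, so a
    changed, missing or reordered event produces a different final value.
    """
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay an ordered boot event log into per-PCR values."""
    pcrs: Dict[int, bytes] = {}
    for index, event in events:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), event)
    return pcrs


# Constructed, simplified event log for a known-good ESXi boot.
# The PCR assignments are hypothetical, not ESXi's real measurement layout.
GOLDEN_EVENTS: List[Tuple[int, bytes]] = [
    (0, b"firmware:uefi"),
    (7, b"secureboot:enabled"),
    (7, b"db:vmware-signing-cert"),
    (8, b"bootloader:mboot.efi signed"),
    (9, b"kernel:vmkernel signed"),
]

# Known-good values an attestation service would hold for this configuration.
KNOWN_GOOD: Dict[int, bytes] = measure_boot(GOLDEN_EVENTS)


def attest(reported: Dict[int, bytes],
           known_good: Dict[int, bytes] = KNOWN_GOOD) -> List[int]:
    """Return PCR indices whose reported value differs from known-good.

    An empty list means the host passed attestation; any index listed is a
    PCR whose boot measurements diverged (e.g. Secure Boot turned off).
    """
    return sorted(i for i, v in known_good.items() if reported.get(i) != v)


if __name__ == "__main__":
    tampered = [(i, b"secureboot:disabled" if e == b"secureboot:enabled" else e)
                for i, e in GOLDEN_EVENTS]
    print("golden boot mismatches:", attest(measure_boot(GOLDEN_EVENTS)))
    print("secure boot off mismatches:", attest(measure_boot(tampered)))
```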
Management
- vSphere Client (HTML5): Try out the most recent release of the vSphere Client, with additional support for existing functionality, further improved performance and usability, and support for new features in this release. Specific highlights include support for basic Licensing functionality, creating/editing VM storage policies, and the new vSphere HTML Client SDK, amongst many others. You can also try the version available on the Fling site to experience the new features faster, available at https://labs.vmware.com/flings/vsphere-html5-web-client
- vCenter Server Appliance monitoring and management enhancements: vCenter Server Appliance (vCSA) management interface (VAMI UI) includes a lot of new capabilities like scheduling backup, disk monitoring, patching UI, syslog configuration and also the new Clarity themed UI. Also included are new vSphere Alarms for resource exhaustion and service failures. All these new capabilities further simplify vCenter Server management.
- New vSphere client APIs for the vSphere HTML5 client: vSphere HTML5 client APIs introduced are extensible and scalable for HTML5 client use cases, optimized for Clarity design guidelines, have no Flex dependencies, and have security improvements. Plugins written with these new APIs will reduce developer effort on testing with the vSphere web client (Flex). Moreover, usage of these APIs is a prerequisite for plugins to be compatible with VMware Cloud on AWS.
- Instant Clone: Instant Clone enables a user to create powered-on VMs from the running state of another powered-on VM without losing its state. This will enable the user to move into a new paradigm of just-in-time (JIT) provisioning given the speed and state-persisting nature of this operation.
- Per-VM EVC: Per-VM EVC enables the EVC mode to become an attribute of the VM rather than the specific processor generation it happens to be booted on in the cluster. This allows for seamless migration between two datacenters that sport different processors. Further, the feature is persisted per VM and does not lose the EVC mode during migrations across clusters nor during power cycles.
- What’s new with Nvidia GRID™ vGPU: For this release, VMware and Nvidia collaborated to significantly enhance the operational flexibility and utilization of virtual infrastructure accelerated with Nvidia GRID™ vGPU technology. Most prominent is the new ability to suspend any VM using a compatible Nvidia GRID vGPU profile and resume it on either the same or another vSphere host with compatible and available compute and vGPU resources. This reduces the dependence of VI Admins on end-users’ awareness of maintenance windows, and significantly lowers end-user disruption by removing the need for them to log off and shut down their desktops before maintenance windows. In addition, by using Horizon View’s Power Policy option, idle desktops consuming vGPU could be suspended, either freeing up resources for other clients, or reduce OpEx by lowering power usage.
- APIs for SPBM Using vAPI: The Storage Policy Based Management APIs manage the storage policy association for a virtual machine and its associate virtual disks. These include retrieving information on the compliance status of a virtual machine and its associated entities.
Storage
- 4K Native Hard Disk Drive support with ESXi Hosts: With this release, customers can now deploy ESXi on servers with 4K Native HDDs used for local storage (4K Native NVMe/SSD drives are not supported at this time). We are providing a software read-modify-write layer within the ESXi PSA stack which allows it to emulate these drives as 512e drives for all layers above the PSA stack. ESXi continues to expose 512-byte-sector VMDKs to the guest OS. Servers with UEFI BIOS support can boot from 4K Native drives. This release does not support creating RDMs on these local drives.
- Improving backup performance with network-block device modes (NBD and NBDSSL): This vSphere RC includes performance improvements to the network-block device transport modes between the third-party backup proxy and the virtual disk over a LAN. VMware VADP/VDDK code now only backs up allocated sectors and also leverages asynchronous NFC calls to improve NBD and NBDSSL performance.
- Supporting snapshots and backups for detached first-class disks (FCD): This vSphere RC includes support for snapshots and VADP/VDDK based backups for detached first-class disks. For example, a key use-case where detached first-class disks are useful is for Horizon Appstacks and writeable volumes. With vSphere 6.5, we introduced support for snapshots and backups for attached first-class disks. This new release supports the capability for when first-class disks are detached from any VM.
- iSCSI Extension for RDMA (iSER): Now customers can deploy ESXi with external storage systems supporting iSER targets. iSER takes advantage of faster interconnects and CPU offload using Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE). We are providing iSER initiator function, which allows ESXi storage stack to connect with iSER capable target storage systems.
- Extending support for number of disks per VM: Now customers can deploy virtual machines with up to 256 disks using PVSCSI adapters. Each PVSCSI adapter can support up to 64 devices. Devices can be virtual disks or RDMs.
- Software Fibre Channel over Ethernet (FCoE) Initiator: In this release, ESXi introduces a software based FCoE (SW-FCoE) initiator that can create FCoE connections over Ethernet controllers. The VMware FCoE initiator works on lossless Ethernet fabrics using Priority-based Flow Control (PFC). It can work in Fabric and VN2VN modes. Please check the VMware Compatibility Guide (VCG) for supported NICs.
- Support for Intel’s Volume Management Device (VMD): ESXi introduces inbox driver support for Intel’s VMD technology, which was introduced recently with Intel’s launch of their Skylake platform. Intel’s VMD technology helps with managing NVMe drives, with hot-swap capabilities and reliable LED management.
- Configurable Automatic UNMAP Rate: In this release, we have added a feature to make the UNMAP rate a configurable parameter at the datastore level. With this enhancement, customers can change the UNMAP rate to match the storage array’s capability and fine-tune space reclamation accordingly. In this release the UNMAP rate can be configured using the ESXi CLI only. We allow UNMAP rates in increments of 100, where the minimum rate is 100 MBps and the maximum rate is 2000 MBps.
  CLI command to check the current configuration:
  esxcli storage vmfs reclaim config get --volume-label <volume-name>
  Setting the UNMAP rate to 100 MBps:
  esxcli storage vmfs reclaim config set --volume-label <volume-name> --reclaim-method fixed -b 100
- Automatic UNMAP Support for SE Sparse: SE Sparse is a sparse virtual disk format and is widely used for snapshots in vSphere. SE Sparse is the default snapshot format for VMFS 6 datastores. In this release, we are providing automatic space reclamation support for VMs with SE Sparse snapshots on VMFS-6 datastores. This will only work when the VM is powered on, and it is applicable to the top-most snapshot only.
- No Support for VMFS-3 Datastores: In this release, we are not supporting VMFS-3 datastores. All VMFS-3 volumes will get upgraded automatically to VMFS-5 volumes during mount. Customers can do in-place or online upgrade of VMFS-3 volumes to VMFS-5.
Networking
- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) v2: This beta introduces RoCE v2 support with ESXi hosts. RDMA provides low-latency and higher-throughput interconnects with CPU offload between the end-points. If the host has RoCE-capable network adapters, this feature is automatically enabled.
- Para-virtualized RDMA (PV-RDMA): In this release, ESXi introduces PV-RDMA for Linux guest OSes with RoCE v2 support. PV-RDMA enables customers to run RDMA-capable applications in a virtualized environment. A PV-RDMA-enabled VM can also be live migrated.
- ESXi platform enhancements for NSX: This release includes Vmxnet3 version 4, which will support Geneve/VXLAN TSO as well as checksum offload. It will also support RSS for UDP as well as for ESP, and while disabled by default the guest/host admin will be able to enable/disable both features as needed.
vCenter Topology
- vCenter Embedded Linked Mode: vCenter Server Appliance now has support for vCenter with embedded Platform Services Controllers connected in Enhanced Linked Mode. We are calling this vCenter Embedded Linked Mode, and we will support 10 nodes connected in Linked Mode. Moreover, full support for vCenter HA and vCSA backup and restore is also included. This can reduce your management VMs and configuration items by up to 75 percent!
- vCenter Cross-domain repointing: Have you ever wanted to move your vCenter to another domain or consolidate two domains? Cross-domain repointing gives you an interactive way to move your vCenter to a new domain. The same tool can be used to move all of your vCenters to another domain. We guide you through this process and allow you to keep, copy or delete your data along the way.
- Cross-VC Mixed Version Provisioning: vCenter 6.0 introduced provisioning between vCenter instances. This is often called “cross-vCenter provisioning.” The use of two vCenter instances introduces the possibility that the instances are different release versions. This feature enables customers to use different vCenter versions while allowing cross-vCenter, mixed-version provisioning operations (vMotion, Full Clone and cold migrate) to continue as seamlessly as possible.
vSphere Lifecycle Enhancements
- vCenter Migration Assistant: In this release, the Windows Migration assistant now includes an engine so when migrating your vCenter, we can have your vCenter operational very quickly and import external database data such as stats, events, alarms in the background. This means your vCenter is up and running while the other data is imported in the background.
- vCenter Embedded Linked Mode Multiple Deployment CLI: Along with vCenter Embedded Linked Mode, we are also releasing CLI based deployment options for installation where up to 10 vCenter Embedded Linked Mode nodes can be deployed automatically using our CLI.
- Single Reboot during ESXi upgrades: With this release, hosts that are upgraded via Update Manager are rebooted only once instead of twice. This feature is available for all types of host hardware, but limited to an upgrade path from vSphere 6.5 to this new release. This will significantly reduce the downtime due to host upgrades and will provide a huge benefit to business continuity.
- Quick Boot: In this release, Update Manager will trigger a “soft reboot” and skip BIOS/firmware initialization for a limited set of pre-approved hardware. This further reduces the downtime incurred during ESXi upgrades. This feature can be disabled if necessary, but is the default method of rebooting for hosts that satisfy the hardware and driver requirements.
Performance and Availability
- Fault Tolerance scalability improvements: With this release, vSphere Fault Tolerance supports 8 vCPU / 128 GB RAM per FT-protected VM. Other FT supported scalability limits remain the same.
- Storage failure protection with Fault Tolerance-protected VMs: In this release, vSphere Fault Tolerance interoperates with VM Component Protection (VMCP). Fault Tolerance will trigger when storage for the protected VM experiences All Paths Down (APD) and Permanent Device Loss (PDL) failures. FT will failover protected VMs to hosts with storage that is available and active.
- Support for memory mapping for 1GB page sizes: Applications with a large memory footprint, especially greater than 32GB, can often stress the hardware memory subsystem (i.e. Translation Lookaside Buffer) with their access patterns. Modern processors can mitigate this performance impact by creating larger mappings to memory and increasing the memory reach of the application. In prior releases, ESXi allowed guest OS memory mappings based on 2MB page sizes. This release introduces memory mappings for 1GB page sizes.