Archive

Posts Tagged ‘vSphere’

Workstation 7.1.1 released today with support for vSphere 4.1 guests

August 13th, 2010

I just happened to be downloading VMware Workstation today to run ESX 4.1 as a guest OS and, lo and behold, a new version came out today with official support for running ESX/ESXi 4.1 as virtual machines. It doesn’t look like there are any other major changes to Workstation besides the added support for vSphere 4.1 and some minor bug fixes. Download here and release notes are here.

What’s New

VMware Workstation 7.1.1 is a maintenance release that resolves some known issues and adds the following new support. It is a free upgrade for all VMware Workstation 7.x users.

New Support for Guest Operating System

VMware vSphere 4.1 is now supported as a guest operating system. VMware Certified Professionals (VCPs) and virtualization experts can use VMware vSphere 4.1 to install the latest server virtualization software and experiment with server setup, conduct training, show demos, and test production configurations. Running ESX as a guest eliminates the need to have spare hardware available to run ESX natively and enables ESX to run on systems that are not listed on the ESX hardware compatibility list (HCL). For more information on the supported processors and host operating systems, see Considerations for Running an ESX Guest.

This feature is intended for educational and demonstration purposes only and should not be used in production environments. To use this feature, you must download VMware vSphere 4.1 from the VMware Web site and follow the installation documentation provided with VMware vSphere to install ESX.

Author: esiebert7625 Categories: News Tags: ,

New vChat video posted

August 13th, 2010

I participate in a weekly video podcast called vChat along with Simon Seagrave (techhead.co.uk) and David Davis (vmwarevideos.com). Each week we discuss certain topics related to virtualization for about 30 minutes. In this week’s episode (vChat #3) we discuss home labs and give advice and our experiences with building our own home labs. So head on over there and check out the latest episode as well as past episodes; you can also subscribe via iTunes.

Author: esiebert7625 Categories: News Tags: , ,

Tackling esxtop for VMware performance management prowess

August 12th, 2010

While the vSphere client provides performance data, the esxtop and resxtop performance utilities offer more advanced information to ease virtualization troubleshooting efforts. In this tip, we focus on using esxtop and resxtop; but the same performance statistics can be viewed from the vSphere client. Esxtop and resxtop run in a shell session, and manual coding can be intimidating. But don’t let the format discourage you. Once you get used to the controls and how to interpret the data, these tools become invaluable for reading how CPUs handle the workloads of hosts and virtual machines (VMs).

Esxtop vs. resxtop

While esxtop runs only inside an ESX service console (either directly at the console or remotely using a secure shell console), resxtop is a remote version of esxtop. Resxtop is included in the Linux version of the vSphere command line interface (CLI) and is part of the vSphere Management Assistant (vMA). Esxtop and resxtop function the same way and provide the same information, but resxtop supports only the interactive and batch modes and cannot be run in replay mode.

Read the full article at SearchVMware.com…

Author: esiebert7625 Categories: News Tags: , ,

vSphere networking features: Distributed vSwitches; private VLANs; IPv6

August 9th, 2010

VMware’s vSphere 4 brings a number of new vSphere networking features to the table, including tighter VM traffic management and control with the vNetwork Distributed Switch (vDS), as well as support for third-party virtual switches (vSwitches). Along with that come a new high-performance virtual NIC, VMXNET3, the ability to create private VLANs and support for IPv6.

Implementation and benefits of private VLANs with a vSphere network

Private VLANs allow communication between VMs on a vSwitch to be controlled and restricted. This feature, which is normally available on physical switches, was added only to the vDS and not the standard vSwitch. Normally, traffic on the same vSwitch port group has no restrictions and any VM in that port group can see the traffic from other VMs. Private VLANs restrict this visibility and in essence act as firewalls within the VLAN. Private VLANs must first be configured on the physical switch ports of the uplink NICs on the vDS. Private VLANs are then configured by editing the settings of a vDS and selecting the Private VLANs tab.

Read the full article at searchnetworking.com…

Author: esiebert7625 Categories: News Tags: , ,

Virtualized infrastructure design for vSphere

August 9th, 2010

If designing a physical server is similar to designing a house, designing a virtualized infrastructure is almost like designing a small city. There are lots of interrelated components, and you have to make many critical design decisions to ensure that all of the residents’ needs are met properly.

If you don’t properly account for water, gas and electric needs, for example, your houses won’t have the resources they need for basic services and peak loads. Similarly, when designing a virtualized infrastructure for customers, solutions providers need to size the storage, network, CPU and memory resources correctly, or the virtual machines (VMs) will not have the resources they need to run applications.

Besides hardware resources, you have to make other decisions when designing a vSphere virtualized infrastructure, many of which will dictate your hardware requirements. The vSphere features you’ll need are often tied to the type of server hardware you use. If you do not make the correct hardware decisions when designing your customer’s virtual environment, you may find that you cannot use some of vSphere’s features. Therefore, it’s important to understand vSphere’s requirements and limitations early on in your design phase.

Read the full article at searchsystemschannel.com…

Author: esiebert7625 Categories: News Tags: ,

Assigning vSphere security access controls

August 9th, 2010

Security is critical in a vSphere environment. Virtual machine (VM) architecture, access methods and management are much different from those for physical servers. Because VMs are encapsulated into a single file that resides on a shared data store, additional attack vectors need to be secured. Further, any change or operation in a virtual environment can have a ripple effect on other residing VMs because all share common infrastructure components. Consequently, having proper security access controls in place is paramount to protect hosts and their VMs.

Because they have multiple components, virtual environments are secured in layers. You can do much of the work to secure an environment through vCenter Server, which provides centralized authentication and authorization services at many different levels inside vSphere. vCenter Server features four main components:

  • Privileges. A privilege enables or denies users access to perform actions in vSphere.
  • Roles. A role is a set of privileges that can be assigned to a user or group.
  • Users and groups. Users and groups are used in permissions to assign roles from Active Directory (AD) or local Windows users/groups.
  • Permissions. A permission is assigned to an object in vSphere and is composed of users/groups and a role.

Read the full article at searchsystemschannel.com…

Author: esiebert7625 Categories: News Tags: ,

Test ESXi 4.1 today, migrate smoothly from ESX tomorrow

August 9th, 2010

VMware has long claimed that ESXi will one day be the Palo Alto-based company’s main hypervisor, and the time has come for ESX to begin to gracefully make its exit. The recent release of VMware vSphere 4.1 will be the last release to include the ESX version of VMware’s hypervisor, which may not make ESX fanboys happy. The improvements in ESX 4.1, however, demonstrate that the time to start switching is now.

In a recent Virtualization Viewpoints column, I wrote about drawbacks of VMware ESXi and why widespread adoption of ESXi is not a reality. Some of the problems with ESXi included:

  • No official support for booting ESXi from a storage area network (SAN),
  • no Web-based console to manage virtual machines (VMs),
  • no support for scriptable installations, and
  • no support for Active Directory (AD) integration.

The article also outlined several suggestions for making ESXi more attractive to administrators used to working with ESX. While I have always preferred ESX over ESXi, I am now recommending that you start using ESXi and plan on migrating all of your current ESX installations to the ESXi platform.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News Tags: ,

Using VMware vSphere as a private cloud computing platform

August 9th, 2010

If you’re involved in virtualization, you probably can’t go a day without hearing the word cloud - and I don’t mean as part of your weather forecast. If you pay attention to companies like VMware and EMC, it seems as though everything is migrating toward the cloud — and it’s not a matter of if your environment will enter the cloud but when.

Today, virtualization seems to have taken a back seat to cloud computing. If you look at the VMworld 2010 tracks and sessions this year, they focus on cloud computing. But you can’t have internal cloud computing without virtualization, so virtualization remains on the hot topics list, even if it’s no longer in the No. 1 spot.

In this tip, we consider how clouds and virtualization go hand in hand and how to leverage the capabilities of VMware vSphere to create your own private cloud.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News Tags: ,

Affordable shared storage options for VMware vSphere

August 9th, 2010

You can use VMware vSphere without a shared storage device, but it limits the number of advanced features that you can use with it. Certain features in vSphere require that a virtual machine (VM) reside on a shared storage device that is accessible by multiple hosts concurrently. These features include high availability (HA), Distributed Resource Scheduler (DRS), Fault Tolerance (FT) and VMotion, which provide high/continuous availability as well as workload load balancing and live migration of virtual machines. For some storage administrators, these features may only be nice to have, but they are also essential for many IT environments that cannot afford to have VMs down for an extended amount of time.

A few years ago, VMware shared storage typically meant using a Fibre Channel (FC) SAN, which was expensive, required specialized equipment and was complicated to manage. In recent years, other shared storage options that utilize standard network components to connect to storage devices have become popular and make for affordable, easy-to-use shared storage solutions. The protocols used for this are iSCSI and NFS, both of which are natively supported in vSphere. The performance of NFS and iSCSI is similar, but both can vary depending on a variety of factors including the data storage device characteristics, network speed/latency and host server resources. Since both protocols use software built into vSphere to manage the storage connections over the network, there is some minimal CPU resource usage on the host server as a result.

Read the full article at searchsmbstorage.com…

Author: esiebert7625 Categories: News Tags: , ,

Using iSCSI storage with vSphere

August 9th, 2010

To tap into some of VMware vSphere’s advanced features such as VMotion, fault tolerance, high availability and the VMware Distributed Resource Scheduler, you need to have shared storage for all of your hosts. vSphere’s proprietary VMFS file system uses a special locking mechanism to allow multiple hosts to connect to the same shared storage volumes and the virtual machines (VMs) on them. Traditionally, this meant you had to implement an expensive Fibre Channel SAN infrastructure, but iSCSI and NFS network storage are now more affordable alternatives.

Focusing on iSCSI, we’ll describe how to set it up and configure it properly for vSphere hosts, as well as provide some tips and best practices for using iSCSI storage with vSphere. In addition, we’ve included the results of a performance benchmarking test for the iSCSI/vSphere pairing, with performance comparisons of the various configurations.

Read the full article in the August 2010 issue of Storage Magazine at searchstorage.com…

Author: esiebert7625 Categories: News Tags: ,

Update on vSphere 4.1 power settings from my Tidbits post

August 6th, 2010

I had a comment from a VMware engineer on my recent vSphere 4.1 Tidbits post, which talked about the new power monitoring feature. The comment clarified some things and I thought I would share it with everyone. There isn’t much documentation on this stuff yet so every little bit of information helps. From Tim Mann at VMware:

Let me clarify your paragraph on displaying host and VM power usage.  It muddles those two features together a bit.

(1) The feature of displaying the host power consumption is not
experimental and is always on, but will display 0 watts if the host
is not supported or does not have a power meter.  Hopefully most people
should not have to edit /usr/share/sensors/vmware to get support for
their host, but if you do, the instructions in the paragraph are OK.
Here are some more detailed instructions and additional lines that
are going into esx4.1u1:

#
# This file contains a list of power sensors that are known to VMware, Inc.
#
# OEMs: to add support for new machines, do not modify this file
# directly, but place a new file in this directory instead.
#
# Supported format:
#
#  EntryType:SensorType:Manufacturer:Product:Sensor1[,Sensor2...]:Units
#
# EntryType must be “default”, SensorType must be “power”, and Units
# must be “WATTS” (all without quotation marks).
#
# Manufacturer and Product are compared against the system’s DMI (also
# known as SMBIOS) information from its System Information (Type 1)
# record.  Manufacturer and Product are both case-insensitive and will
# match even if the actual name is longer; for example, “Dell” would
# match “DELL, INC.”.  Product may be “*” to match all products from
# the specified Manufacturer.
#
# Sensor names are case-sensitive and must match exactly.  If multiple
# Sensors are listed on a line (up to 4), sensord reads them all, sums
# them, and reports the total as the system power.  It is acceptable
# for not all of the sensors listed on a line to be present; sensord
# will skip any that are missing as long as at least one is present.
#
default:power:FUJITSU:*:Pwr Mon:WATTS
default:power:FUJITSU:*:Total Power:WATTS
default:power:FUJITSU:*:SYSTEM:WATTS
default:power:FUJITSU:*:PSU1 Power,PSU2 Power:WATTS
default:power:Dell:*:System Level:WATTS
default:power:HP:*:Power Supply 1,Power Supply 2:WATTS
default:power:Hewlett-Packard:*:Power Meter:WATTS
default:power:Hewlett-Packard:*:Power Supply 1,Power Supply 2:WATTS
default:power:NEC:*:POWER:WATTS
default:power:NEC:*:Power:WATTS
default:power:NEC:*:Input_Power:WATTS
default:power:NEC:*:System Power:WATTS
default:power:MITSUBISHI:*:POWER:WATTS
default:power:MITSUBISHI:*:Power:WATTS
default:power:TOSHIBA:*:POWER:WATTS
default:power:TOSHIBA:*:Power:WATTS
default:power:BULL:*:POWER:WATTS

(2) The feature of displaying per-VM power consumption is experimental
and off by default.  It can be turned on with an advanced config option
as the paragraph describes.  The per-VM power consumption feature is
dependent on the host power consumption feature.

Author: esiebert7625 Categories: News Tags: ,
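A strict parser and matcher for the sensor-list format quoted in the comment above, as an added example (it is not VMware's sensord code and not part of the original post). It assumes that "match even if the actual name is longer" means a prefix match and that entries are tried in file order; the sample file, DMI strings and readings are constructed.

```python
from dataclasses import dataclass

MAX_SENSORS = 4  # the file's comments allow up to 4 sensors per line


@dataclass(frozen=True)
class SensorEntry:
    manufacturer: str
    product: str
    sensors: tuple


def parse_line(line):
    """Return a SensorEntry, None for blank/comment lines, or raise ValueError."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split(":")
    if len(fields) != 6:
        raise ValueError(f"expected 6 colon-separated fields, got {len(fields)}")
    entry_type, sensor_type, manufacturer, product, sensor_list, units = fields
    if (entry_type, sensor_type, units) != ("default", "power", "WATTS"):
        raise ValueError("EntryType/SensorType/Units must be default/power/WATTS")
    sensors = tuple(sensor_list.split(","))  # kept verbatim: names are case-sensitive
    if not manufacturer or not product or "" in sensors:
        raise ValueError("empty manufacturer, product or sensor name")
    if len(sensors) > MAX_SENSORS:
        raise ValueError(f"more than {MAX_SENSORS} sensors on one line")
    return SensorEntry(manufacturer, product, sensors)


def load(text):
    """Parse a whole file; collect bad lines instead of silently accepting them."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


def dmi_matches(pattern, actual):
    """Case-insensitive; the DMI string may be longer than the pattern.
    Assumption: "longer" is read as "pattern is a prefix of the DMI string"."""
    return actual.lower().startswith(pattern.lower())


def system_power(entries, dmi_manufacturer, dmi_product, readings):
    """Sum the sensors of the first matching entry with at least one sensor present.
    Returns None when no entry applies (the host is not supported).
    Assumption: entries are tried in file order."""
    for entry in entries:
        if not dmi_matches(entry.manufacturer, dmi_manufacturer):
            continue
        if entry.product != "*" and not dmi_matches(entry.product, dmi_product):
            continue
        present = [readings[name] for name in entry.sensors if name in readings]
        if present:  # missing sensors are skipped, but at least one must exist
            return sum(present)
    return None


# Constructed sample: three lines from the list above plus two malformed ones.
SAMPLE = """\
# hypothetical OEM drop-in file
default:power:Dell:*:System Level:WATTS
default:power:HP:*:Power Supply 1,Power Supply 2:WATTS
default:power:Hewlett-Packard:*:Power Meter:WATTS
default:power:ExampleCorp:*:Power:AMPS
default:power:ExampleCorp:*:A,B,C,D,E:WATTS
"""

if __name__ == "__main__":
    entries, errors = load(SAMPLE)
    print(errors)
    # Constructed DMI strings and sensor readings (watts).
    print(system_power(entries, "DELL, INC.", "PowerEdge", {"System Level": 210}))
    print(system_power(entries, "HP", "ProLiant DL385 G6", {"Power Supply 1": 140}))
    print(system_power(entries, "DELL, INC.", "PowerEdge", {"system level": 210}))
```
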

Train Signal’s new Pro Series video - my experience

August 5th, 2010

Train Signal approached me a few months ago about doing some video training for them in their new Pro Series line of videos. They asked me for topic suggestions and I presented several ideas to them and they ultimately chose the one on vSphere advanced features. I really enjoy exploring new features, big and small, and I’m not content with just figuring out how to use them but also need to know how they work in-depth. As a result I spend a lot of time researching and playing around to find out all the ins and outs of a feature. I had plenty of experience with the features but the actual recording process was new to me. As a result I approached it as a producer might do for a movie. I first jotted down an outline to use for creating PowerPoint slides, next I created the slides themselves, and once I had the slides finalized I created a script for each slide complete with all the text and any demonstration sections. The reason I created the script was because I didn’t want to leave anything out and I wanted everything to be perfect, especially if I had to do multiple takes when recording the videos.

Once I had all that down I started creating the videos. I basically created an AVI file for each slide, which the editors at Train Signal stitched together to create the final production. In some cases I recorded some slides several times as I don’t like even minor speaking mistakes to be present in the recordings. It was quite a long, tedious process and the more I got into it the more comfortable I became with doing it. I think the end result was pretty good; I tend to be highly critical of myself and as a result try to make sure everything is perfect. I have a few work ethics I live by:

  1. Don’t do anything half-ass
  2. Go big or go home
  3. Over-commit and over-deliver.

In a nutshell I try to deliver high-quality work all the time and always exceed expectations. So I think the videos turned out great and I hope you enjoy them. My advanced features videos covered the following features:

  • VMCI
  • VMDirectPath
  • Dynamic Voltage and Frequency Scaling (DVFS)
  • DPM
  • Fault Tolerance
  • pvSCSI adapters
  • VMFS volume grow and VM disk hot-add (and other disk related stuff)
  • VMotion and Storage VMotion
  • Thin Provisioning

Combined with the other great content from David Davis, Sean Clark and Hal Rottenberg the vSphere Pro Series Volume 2 should be a great training resource for both beginning and experienced vSphere administrators. Overall I had a good experience creating the videos and I look forward to doing more of them in the future. Enjoy!

Author: esiebert7625 Categories: News Tags: ,

New vSphere security feature that you can’t really use yet

May 24th, 2010

According to the original vSphere feature list there is a new security feature called “VMkernel Protection” that uses a technology called Trusted Platform Module (TPM) to add a layer of protection to the VMkernel. The VMkernel (hypervisor) is the most critical component of a virtual host because if it is compromised the VMs running on it can easily be compromised. Therefore VMware introduced a new protection mechanism in vSphere to ensure the integrity of the VMkernel both on disk and in memory. Here is how it is described by VMware:

VMkernel Protection - As part of ongoing efforts to protect the hypervisor from common attacks and exploits, mechanisms were introduced to assure the integrity of the VMkernel and loaded modules as they reside on disk and in memory. Disk-integrity techniques protect the boot-up of the hypervisor using the Trusted Platform Module (TPM), a hardware device embedded in servers. To ensure the authenticity and integrity of dynamically loaded code, VMkernel modules are digitally signed and validated during load-time. These disk integrity mechanisms protect against malware, which might attempt to overwrite or modify VMkernel as it persists on disk. VMkernel also uses memory integrity techniques at load-time coupled with microprocessor capabilities to protect itself from common buffer-overflow attacks that are used to exploit running code. These techniques create a stronger barrier of protection around the hypervisor. See the ESX Configuration Guide and the ESXi Configuration Guide.

Having a strong interest in security, I was curious about this feature and wanted to try it out, so I did some research on it. TPM is a security specification developed by Trusted Computing Group (TCG) that uses cryptographic keys to protect information. It relies on a TPM chip which has a unique RSA key burned into it and is capable of performing platform authentication and can be used to verify that software has not been changed. vSphere can use TPM to digitally sign VMkernel modules and validate them when the host is starting up to protect against malware that might overwrite them. This feature is similar to the Windows File Protection feature that Microsoft has built into Windows to prevent critical system files from being modified or overwritten.

TPM is integrated into processors and chipsets, so just like every other technology Intel has its version of it and AMD its own. Intel’s is called Trusted Execution Technology (TXT), which has been available for some time, and AMD’s is called Secure Execution Mode (AMD has very little information on this) and is not widely available. For TPM to work you must have both a CPU with the necessary processor extensions for TPM and a chipset that supports TPM. TPM uses Platform Configuration Registers (PCRs), which are like containers that can hold 160-bit values and are used in the following manner:

  • At boot PCRs are all initialized to a known value (either 0 or -1)
  • An application can then measure things by computing its hash value
  • The resulting measurement is inserted into a PCR; this process is called “extending the PCR”
  • PCRs can be extended multiple times until a final value is calculated
  • Each code segment is measured and validated and control passes from one code segment to the next
  • PCRs represent an accumulated measurement of the history of the executed code beginning with power-up
  • TPM signing keys can be used to sign the values of PCRs
  • The system state can then be verified from the hashes that get stored into the PCRs
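The extend-and-verify cycle in the list above, as an added example that is not part of the original post. It assumes the TPM 1.2 extend rule, new PCR = SHA-1(old PCR || measurement), which matches the 160-bit PCR size; the component names and images are constructed, and the signing of PCR values is not simulated.

```python
import hashlib

PCR_SIZE = 20  # bytes; 160-bit PCRs match the SHA-1 digest size (TPM 1.2 assumption)


def measure(blob):
    """A measurement is the hash of the code about to be run."""
    return hashlib.sha1(blob).digest()


def extend(pcr, measurement):
    """Extending folds a measurement into the PCR: new = SHA-1(old || measurement)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 160 bits")
    return hashlib.sha1(pcr + measurement).digest()


def replay(log, start=bytes(PCR_SIZE)):
    """Recompute the final PCR from an ordered log of (name, measurement) pairs."""
    pcr = start  # PCRs start from a known value at boot (all zeros here)
    for _name, measurement in log:
        pcr = extend(pcr, measurement)
    return pcr


def verify(log, reported_pcr, known_good):
    """Verifier-side check of a reported PCR against its measurement log.

    Returns (verdict, component_name_or_None).
    """
    # 1. The log must reproduce the PCR the TPM reported, or the log was altered.
    if replay(log) != reported_pcr:
        return ("log-does-not-match-pcr", None)
    # 2. Every measured component must match its known-good hash.
    for name, measurement in log:
        if known_good.get(name) != measurement:
            return ("unexpected-measurement", name)
    return ("trusted", None)


# Constructed sample boot chain; names and contents are made up.
GOOD_IMAGES = [
    ("bootloader", b"bootloader v1"),
    ("vmkernel", b"vmkernel build A"),
    ("module-net", b"network driver"),
]
KNOWN_GOOD = {name: measure(blob) for name, blob in GOOD_IMAGES}


def boot(images):
    """Simulate a measured boot: returns (event log, final PCR value)."""
    log = [(name, measure(blob)) for name, blob in images]
    return log, replay(log)


def demo():
    results = {}
    log, pcr = boot(GOOD_IMAGES)
    results["clean"] = verify(log, pcr, KNOWN_GOOD)

    # Same chain, but the VMkernel image on disk has been modified.
    tampered = [(n, b"vmkernel build A + patch" if n == "vmkernel" else b)
                for n, b in GOOD_IMAGES]
    bad_log, bad_pcr = boot(tampered)
    results["tampered"] = verify(bad_log, bad_pcr, KNOWN_GOOD)

    # A log rewritten to list the good hashes cannot reproduce the real PCR.
    results["forged_log"] = verify(log, bad_pcr, KNOWN_GOOD)

    # Order is part of the history: same measurements, different order.
    results["order_matters"] = replay(log) != replay(list(reversed(log)))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```
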

The technology behind TPM is a bit complex and if you wish to read more there are some great resources at the end of this post that you can check out. As I wanted to see this technology in action I ordered a TPM chip for one of our servers so I could try it out. The chips are fairly cheap, for HP servers they are about $39. They consist of a small little circuit board that plugs into a TPM slot located on the motherboard of the server.

There is also a pin that secures it so if it is ever removed you will know it has been tampered with.

Once the chip is inserted some new security options will appear in the server BIOS to configure the TPM chip.

Once I received the chip and put it in the server I turned to the vSphere documentation to set it up. The problem was that there was no documentation on how to do this despite it being advertised as a new vSphere security feature. The ESXi configuration guide had one little paragraph on TPM which didn’t tell how to set it up and use it:

This module is a hardware element that represents the core of trust for a platform and enables attestation of the boot process, as well as cryptographic key storage and protection. As part of the boot process, ESXi measures the VMkernel by the TPM, and changes to the VMkernel are logged from one boot to the next. Measurement values are propagated to vCenter Server, and can be retrieved by third-party agents using the vSphere API.

Frustrated, I reached out to VMware to figure out how to use this feature; some of the information I was able to get is below:

  • TPM is only supported with ESXi.
  • You need a TCG compliant BIOS, TXT needs to be enabled from the BIOS. Once it is enabled, you need to enable use of tboot from the UI Advanced configuration option for the ESXi host (the host has to be added to VC to be able to do this).
  • There are some logs in serial log which can be used to monitor TPM. A 3rd party VC API is provided to fetch the TPM PCRs. If TXT was successful, then VMkernel fingerprint is reported in PCR19; otherwise, if the host has TPM but TXT was not used, then it will show in PCR8; otherwise PCRs should be NULL.
  • There might not be any production server platforms out there ‘today’ which can support TXT.

I never did find the “tboot” advanced parameter that was supposed to be enabled. I checked all through the VMkernel advanced settings and didn’t see anything that was even close. It seems like while TPM provides some additional great protection for the VMkernel it is not yet ready to be used. The building blocks are currently there in vSphere but none of the necessary support features to be able to use it effectively exist yet. For example there is no way to monitor the feature so even if you could enable it there would not be much value to it. I expect both 3rd party vendors and VMware will develop the missing pieces in a future release (note the ESX & ESXi 4.1/4.5 version #’s in the videos) and look forward to being able to fully utilize this new security feature.

The importance of the Hardware Compatibility List

February 28th, 2010

VMware publishes a list of all server hardware that is supported with vSphere which includes servers, I/O adapters and storage and SAN devices. This list is continually updated and is most commonly referred to as the Hardware Compatibility List (HCL). VMware changed the name for it a while back to the VMware Compatibility Guide, as it is now referred to. The guide used to be published as PDF files only that you could read through to see if your hardware was listed but is now available as an online interactive webpage that is searchable and filterable as well. The guide lists hardware that is supported by vSphere but if hardware is not listed it does not mean it will not work with vSphere. In many cases the hardware will still work but because it is not listed VMware may not provide you support if you have problems with it. Servers and storage devices are two areas where it is very common for hardware to work with vSphere despite not being listed in the guide. I/O devices like network adapters and storage controllers though are less likely to work if they are not listed because they rely on drivers loaded in the VMkernel to work properly. If the driver is not one of the limited ones loaded in the VMkernel then your device is not going to work.

I don’t go through the guide that often as I assume the new mainstream hardware from large vendors like HP will always work and be supported. However last week that assumption bit me. We had just received some new hardware from HP which included a DL385 G6 server and an MSA G2 iSCSI storage array. I wanted to use hardware iSCSI initiators with TCP/IP Offload Engines (TOE) due to high CPU and I/O demands of the applications running on that server so I initially ordered HP’s only TOE card that was available which was the NC380T. However, after we placed the order we were informed that the card was no longer available and was replaced by the newer NC382T. After receiving everything and assembling it and loading ESX on it I found that the NC382T was not listed under Storage Adapters in the vSphere Client as TOE cards should be, as they are not treated as network adapters in vSphere. Only my SATA adapter, P410 smart array controller for local storage, Fibre Channel adapters and iSCSI software initiator were showing up under Storage Adapters.

The NC382T was showing up under Network Adapters instead and could not be used as a hardware initiator.

So this new TOE card from HP that we bought to use as a hardware initiator could not be used for that purpose. After discovering this I checked VMware’s hardware guide to see what HP iSCSI adapters were listed. Much to my surprise there was only one HP model listed and after looking up that adapter on HP’s website I found that it was for blade systems only and was therefore no use to my server.

Now HP OEMs many of their storage adapters, as many of them are made by QLogic and Emulex. Most of the other vendors listed in the guide for iSCSI adapters had many QLogic adapters re-branded under their name but not HP.

After confirming with HP that the blade adapter was the only one that they OEM’d I was forced to get the QLogic branded adapter instead. The card that seemed to be the most popular was the QLE4062C adapter, so now we have one of those on order and may end up just using the NC382T as a regular NIC instead.

So the moral of this story is always check the Compatibility Guide, especially when ordering I/O adapters, so you don’t end up with hardware that you can’t use with vSphere. If you want to know more about the guide, such as how hardware gets added/removed from it and VMware’s support policy, check out this blog post that I did a while ago on it.

Author: esiebert7625 Categories: News Tags: , ,

Distributed Power Management

November 30th, 2009