Archive for the ‘Virtualization’ category

Tech Support Mode Warnings Revisited In vSphere 5

September 2nd, 2011

A few months ago I authored a blog post titled Tech Support mode Warnings.  It dealt with the yellow balloon warnings attached to a host object in vCenter when Local Tech Support Mode was enabled (as well as Remote Tech Support via SSH).

Without surprise, the warnings are back in vSphere 5, albeit with the warning messages slightly changed.

Configuration Issues

ESXi Shell for the host has been enabled

SSH for the host has been enabled

In the previous blog post, I referenced VMware’s KB article which stated there was no way to hide the messages while the offending configuration was in place.  That may have been the official stance but it certainly wasn’t the case from a technical standpoint as there are a few workarounds to suppress the messages.

VMware has shown us a little love in vSphere 5.  Both messages can be suppressed by modifying an Advanced Setting on each host.  Even better, no reboot of the host or recycle of a service is required.  In my testing, Maintenance Mode was also not required and the change could be made with running VMs on the host.  If you're wondering whether this is safe to perform in a running production environment, take a step back and consider not only the immediate impact of the task but also the longer term impact of the change, because by this point you've already enabled, or you're thinking of enabling, the Local ESXi Shell and/or remote SSH via the network.  Reference your security plan or hardening guidelines before proceeding.

Following is the tweak to suppress the warnings which I found in VMware KB 2003637:

Again, this is performed for each host during the time that it is built or after it is deployed.  In the figure above, the change is made via the vSphere Client, but it can also be scripted via command line with esxcfg-advcfg.

Somewhat related, in the same yellow balloon area you may also see a host warning message which states “This host currently has no management network redundancy” as shown below:

In a production environment, you'll want to resolve the issue by adding network redundancy for the Management Network.  In a lab or test environment, however, a single Management Network uplink may be acceptable, yet you still want the warning messages to disappear.  This warning is squelched by configuring an HA Advanced Option:  das.ignoreRedundantNetWarning with a value of true as shown below.  After that step is completed, Reconfigure for vSphere HA on the host and the warning will disappear.  The Reconfigure for HA step will need to be applied separately for each host with a non-redundant Management Network configuration.

Update 9/5/11: Duncan Epping has also written on this subject back in July. Be sure to bookmark his blog, subscribe to his RSS feed, and follow him on Twitter.  He is a nice guy and very approachable.

Update 10/15/12: Added section for “No Management Network Redundancy” which I should have included to begin with.

vCenter Server 5.0 and MS SQL Database Permissions

August 20th, 2011

It’s that time again (to bring up the age old topic of Microsoft SQL database permission requirements in order to install VMware vCenter Server).  This brief article focuses on vCenter 5.0.  Permissions on the SQL side haven’t changed at all based on what was required in vSphere 4.  However, the error displayed for lacking required permissions to the MSDB System database has.  In fact, in my opinion it’s a tad misleading.

To review, the vCenter database account being used to make the ODBC connection requires the db_owner role on the MSDB System database during the installation of vCenter Server.  This facilitates the installation of SQL Agent jobs for vCenter statistic rollups.

In the example below, I’m using SQL authentication with an account named vcenter.  I purposely left out its required role on MSDB and you can see below the resulting error:

The DB user entered does not have the required permissions needed to install and configure vCenter Server with the selected DB.  Please correct the following error(s):  The database user ‘vcenter’ does not have the following privileges on the ‘vc50’ database:

EXECUTE sp_add_category

EXECUTE sp_add_job

EXECUTE sp_add_jobschedule

EXECUTE sp_add_jobserver

EXECUTE sp_add_jobstep

EXECUTE sp_delete_job

EXECUTE sp_update_job

SELECT syscategories

SELECT sysjobs

SELECT sysjobsteps

Now what I think is misleading about the error thrown is that it’s pointing the finger at missing permissions on the vc50 database.  This is incorrect.  My vcenter SQL account has db_owner permissions on the vc50 vCenter database.  The problem is actually lacking the temporary db_owner permissions on the MSDB System database at vCenter installation time as described earlier.

The steps to rectify this situation are the same as before.  Grant the vcenter account the db_owner role for the MSDB System database, install vCenter, then revoke that role when vCenter installation is complete. While we’re on the subject, the installation of vCenter Update Manager 5.0 with a Microsoft SQL back end database also requires the ODBC connection account to temporarily have db_owner permissions on the MSDB System database.  I do believe this is a new requirement in vSphere 5.0.  If you’re going to install VUM, you might as well do that first before going through the process of revoking the db_owner role.

An example of where that role is added in SQL Server 2008 R2 Management Studio is shown below:

VMware Social Media Guy Leaks VMworld 2011 Backpack Details

August 17th, 2011

In a surprise move, VMware employee John Troyer flipped on his internet web camera and proceeded to lose his mind.  Troyer is normally a cool cat who knows how to play by the rules of social media and embargoed information.  He lives by these standard sets of commandments on a daily basis – and commonly conveys them to others.

We’re not sure what happened here. An isolated incident for sure.  He sent out a tweet asking followers to help him test a new webcam site.  That was the hook.  Shortly after gaining live viewers he reached down to the floor with his right hand and grabbed the prototype backpack which he claims will be distributed at VMworld 2011.  Patrons of a Lakeville, MN Caribou Coffee shop happened to be logged on to the internet when they witnessed the streaming video.  A Dutch guy on the internet responded “This guy is a vIdiot. He puts his name and company in the video & leaks intellectual property.”

A TMZ correspondent was anonymously logged into the Vokle.com chat room and captured these exclusive photos of the VMworld 2011 backpack – the holy grail of VMworld swag:

This is the first photo. We can see that the prototype is black and red with white emblem stitching.

Clearly this backpack says “VMworld 2011”

Inside the backpack will be a pocket designed to hold an iPad.  Not shown is a drink container on the side.

VMware is aware of the quality feedback on last year’s backpack stitching.  This year’s will be better and should hold up for the long haul.

The straps are padded for maximum comfort needed during a 4 day conference.  There was also some mention of headphones but those details are unclear.

This is the color red but we’re unsure of the final color until Mr. Troyer leaks more info.

** Of course I’m just having fun here.  John is a swell guy and I know he didn’t break any rules – I’m really looking forward to VMworld.  Thank you John for the impromptu preview of the VMworld 2011 backpack 🙂 **

Pulse Check and New Sponsor – Tintri

August 15th, 2011

Hello VMware virtualization enthusiasts!  The month of August has been intense as VMworld 2011 approaches.  I've been working on a few projects which need to get out the door before the big event.  Unfortunately I've had no time to polish vCalendar 3.0 such that it's ready by show time.  As usual, I've been collecting the new content throughout the past year but it's nowhere near ready for presentation.  The good news is that it's coming but it may not be until mid September or October.  AND… I'll still plan on releasing the 2.0 PDF version at no cost.  If you've been counting on the new vCalendar, thank you in advance for your patience.

I’ve still got a lot of content in the queue to write about here on the blog.  A lot of it vSphere 5 related.  I’ve also been picking up a lot on SRM 5.  I’ll probably get back into the regular writing schedule after VMworld.  It’s a busy time for VMware and their partners.  I’ve always been busy around VMworld but now that I work for a partner, it’s a new level of busy.

Before I get back to it, I wanted to take this opportunity to introduce a new blog sponsor: Tintri.  They are in the business of providing VM-aware storage without complexity and performance bottlenecks.  Tintri offers 8.5TB of usable storage in a 4u single-datastore footprint.  You’ll find their banner on the right edge of this blog.  Check them out online or stop by their booth at VMworld 2011 in Las Vegas.  Last but not least, you can follow them on Twitter – @TintriInc.

Win a VMworld Pass from StarWind Software

August 7th, 2011

Win a Free VMworld Expo Only Pass* from StarWind Software!!!

Would you like to attend VMworld 2011 Expo in Las Vegas? It’s easy and free!

Follow these simple steps:

1. Click “Like” on the StarWind Software Facebook Fan Page http://www.facebook.com/StarWind.Software

2. Post five benefits of the StarWind product on your Wall starting with the following words: “I like StarWind because…” and put a link to this posting in a comment on the StarWind Fan Page

3. Retweet the following message: I want to win #VMworld Expo Only Pass from #StarWind! http://ow.ly/5PvFD

That’s it! As soon as the number of our fans reaches 200, two Expo Only Passes, valued at $300 each, will be drawn between StarWind fans, and two people with the most interesting lists of benefits will attend VMworld Expo 2011 for free!

The Rules:

• You must be able to attend VMworld 2011 in Las Vegas, Nevada (29 August – 1 September)

• Only one valid entry per person

Note: Here you can view examples of StarWind benefits but don’t use them because we found them first! 🙂 http://www.starwindsoftware.com/benefits 

Read more about VMworld 2011 http://www.vmworld.com/index.jspa

*Expo Only (description):

Solutions Exchange floor access during OPEN hours only, including the Welcome Reception on Monday August 29 5:00-7:30pm. Expo Only passes are NOT admitted to General Sessions, Keynotes, Conference Sessions, Conference Meals or the VMworld Party. Additional Expo Only passes cannot be purchased and will NOT be allowed early access to the Solutions Exchange floor.

VMware Workstation & Fusion Christmas In August Sale!

August 2nd, 2011

30% off through August 4th! All boxed and shrink wrapped copies of VMware Workstation (for Windows & Linux) and VMware Fusion (for Mac) must go!  Hurry while supplies last!  Use promo code PREHOLSALE at checkout for your 30% discount.  Mention boche.net and it is likely that nothing additional will happen.

Configure a vCenter 5.0 integrated Syslog server

July 23rd, 2011

Now that VMware offers an ESXi only platform in vSphere 5.0, there are logging decisions to be considered which were a non-issue on the ESX platform.  This is particularly true with boot from SAN, boot from flash, or stateless hosts, which have no local storage and therefore no scratch partition on which to store logs locally.  Some shops use Splunk as a Syslog server.  Other bloggers such as Simon Long have identified in the past how to send logs to the vMA appliance.  Centralized management of anything is almost always a good thing and the same holds true for logging.

New in the vCenter 5.0 bundle is a Syslog server which can be integrated with vCenter 5.0.  I’m going to go through the installation, configuration, and then I’ll have a look at the logs.

Installation couldn’t be much easier.  I’ll highlight the main steps.  First launch the VMware Syslog Collector installation:

The setup routine will open Windows Firewall ports as necessary.  Choose the appropriate drive letter and path installation locations.  Note the second drive letter and path specifies the location of the aggregated syslog files from the hosts.  Be sure there is enough space on the drive for the log files, particularly in medium to large environments:

Choose the VMware vCenter Server installation (this is not the default type of installation):

Provide the location of the vCenter Server as well as credentials to establish the connection.  In this case I’m installing the Syslog server on the vCenter Server itself:

The Syslog server has the ability to accept connections on three different ports:

  1. UDP 514
  2. TCP 514
  3. Encrypted SSL 1514

There’s an opportunity to change the default listening ports but I’ll leave them as is, especially UDP 514 which is an industry standard port for Syslog communications:

Once the installation is finished, it’s ready to accept incoming Syslog connections from hosts.  You’ll notice a few new items in the vSphere Client.  First is the VMware Syslog Collector Configuration plug-in:

Next is the Network Syslog Collector applet:

It’s waiting for incoming Syslog connections:

Now I’ll configure a host to send its logs to the vCenter integrated Syslog server.  This is fairly straightforward as well and there are a few ways to do it.  I’ll identify two.

In the vCenter inventory, select the ESXi 5.0 host, navigate to the Configuration tab, then Advanced Settings under Software.  Enter the Syslog server address in the field for Syslog.global.logHost.  The format is <protocol>://<f.q.d.n>:port.  So for my example:  udp://vcenter50.boche.mcse:514.  This field allows multiple Syslog protocols and endpoints separated by commas.  I could split the logs to additional Syslog servers with this entry:  udp://vcenter50.boche.mcse:514, splunk.boche.mcse, ssl://securesyslogs.boche.mcse:1514.  In that example, logs are shipped to vcenter50.boche.mcse and splunk.boche.mcse over UDP 514, as well as to securesyslogs.boche.mcse over 1514.  One more thing to point out about multiple entries: there is a space after each comma, which appears to be required for the host to interpret multiple entries properly.

There are many other Syslog logger options which can be tuned.  Have a look at them and configure your preferred logging appropriately.

Another method to configure and enable syslog on an ESXi 5 host would be to use esxcli.  The commands for each host look something like this:

~ # esxcli system syslog config set --loghost=192.168.110.16
~ # esxcli system syslog reload
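
The logHost value set by either method above can be checked before it is pushed to hosts. The following is an added example, not code from the original post or from VMware: it parses the format described above, lists which destinations receive logs in cleartext, and derives the outbound ports the host firewall must allow. The function names are hypothetical, and it assumes an entry without a port uses the collector defaults listed earlier (UDP 514, TCP 514, SSL 1514).

```python
import re
from urllib.parse import urlsplit

# Collector listener defaults from the post: UDP 514, TCP 514, SSL 1514.
# Assumption: a host entry that omits its port uses the same numbers.
DEFAULT_PORT = {"udp": 514, "tcp": 514, "ssl": 1514}


def parse_loghost(value):
    """Split a Syslog.global.logHost value into one dict per destination."""
    dests = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # A bare host has no protocol; the post ships those over UDP 514.
        url = entry if "://" in entry else "udp://" + entry
        parts = urlsplit(url)
        proto = parts.scheme.lower()
        if proto not in DEFAULT_PORT or not parts.hostname:
            raise ValueError(f"unusable logHost entry: {entry!r}")
        dests.append({"proto": proto, "host": parts.hostname,
                      "port": parts.port or DEFAULT_PORT[proto],
                      "encrypted": proto == "ssl"})
    return dests


def audit_loghost(value):
    """Report cleartext destinations, outbound firewall needs and format lint."""
    dests = parse_loghost(value)
    return {
        "cleartext": [d["host"] for d in dests if not d["encrypted"]],
        # ssl:// rides on TCP, so its firewall rule is tcp/<port>.
        "firewall": sorted({("udp" if d["proto"] == "udp" else "tcp", d["port"])
                            for d in dests}),
        # The post observes that a space after each comma appears to be required.
        "comma_without_space": bool(re.search(r",(?! )", value)),
    }


if __name__ == "__main__":
    # Value taken from the post's multi-destination example.
    sample = ("udp://vcenter50.boche.mcse:514, splunk.boche.mcse, "
              "ssl://securesyslogs.boche.mcse:1514")
    for key, val in audit_loghost(sample).items():
        print(key, val)
```
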

Now I’ll ensure outbound UDP 514 is opened on the ESXi 5.0 firewall.  If the Syslog ports are closed, logs won’t make it to the Syslog server:

Back to the vCenter (Syslog) Server, you’ll see a folder for each host sending logs to the Syslog server:

And here come the logs:

The same logs are going to the Splunk server too:

This is what the logs look like in Splunk.  It’s a very powerful tool for centrally storing logs and then querying those logs using a powerful engine:

And since this host actually has local disk, and as a result a scratch partition, the logs natively go to the scratch partition:

Notice the host I configured is also displayed in the Network Syslog Collector along with the general path to the logs as well as the size of each host’s respective log file (I’ve noticed that it sometimes requires exiting the vSphere Client and logging back in before the hosts show up below):

Earlier I mentioned that I’d show a second way to configure Syslog on the ESXi host.  That method is much easier and comes by way of leveraging host profiles.  Simply create a host profile and add the Syslog configuration to the profile.  Of course this profile can be used to deploy the configuration to countless other hosts which makes it a very easy and powerful method to deploy a centralized logging configuration:

For more information, see VMware KB 2003322 Configuring syslog on ESXi 5.0.