Why secure your vSphere environment with valid SSL certificates?
It's no secret that installing certificates from an internal CA is a pain in the...vCenter, but having just gone through the process of updating 3 vCenter installations with the 5-7 certificates required for each server I was asked "just why is it we need to do this again?"
Why does it require multiple certificates for my vCenter server?
In short, each service requires a certificate because it could feasibly be on a server (or servers) of it's own - take this hypothetical design - each role is hosted on it's own VM, and there are 7 certificates required - SSO, Inventory Service, vCenter Server, Orchestrator, Web Client, Log Browser and Update Manager. If you install all these services on one server you still have to create certificates for those individual services.
Using the VMware SSL Certificate Automation Tool with a Microsoft Certificate Authority
Updating vCenter Server certificates has always been a pain - it has only got worse with the sheer number of services that are running under vSphere 5.1 - each service requiring a unique certificate and to be installed in many complex steps.
Fortunately , with the release of the SSL Certificate Automation Tool, VMware have gone some way to reducing the headache.
Host disk write latency errors – troubleshooting – part 2
As some of you read previously, I had been experiencing disk latency issues on our SAN and tried many initial methods to troubleshoot and understand the root cause. Due to other more pressing issues this was placed aside until we started to experience VMs being occasionaly restarted by vSphere HA as the lock had been lost on a given VMDK file. (NOT GOOD!!)
The Environment:-
3x vSphere 5.1 Hosts
2x 4port Nics 1GBe (allowing 2x iSCSi vmkernel ports per host for redundancy)
Dedicated Switching (isolated from the LAN) for iSCSi and vMotion (on seperate respective VLANs)
MSA2312i SAN G2 (with 4 Shelves)
The iSCSi Multipathing policy was set to Round Robin.
SIOC is enabled.
After a great deal of digging I resolved to contacting VMware support whom pointed me in turn to the SAN as the Host log files had the following..
<span style="color: #ff0000;">2013-02-20T14:35:38.026Z cpu8:51055)ScsiDeviceIO: 2316: Cmd(0x4124401f31c0) 0x1a, CmdSN 0x6796 from world 0 to dev "naa.600508e00000000078c4a59a76937603" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0. 2013-02-20T14:35:38.030Z cpu8:51055)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x85 (0x4124401f31c0, 91852) to dev "naa.600508e00000000078c4a59a76937603" on path "vmhba1:C1:T0:L0" Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE 2013-02-20T14:35:38.030Z cpu8:51055)ScsiDeviceIO: 2316: Cmd(0x4124401f31c0) 0x85, CmdSN 0xab from world 91852 to dev "naa.600508e00000000078c4a59a76937603" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. 2013-02-20T14:35:38.030Z cpu8:51055)ScsiDeviceIO: 2316: Cmd(0x4124401f31c0) 0x4d, CmdSN 0xac from world 91852 to dev "naa.600508e00000000078c4a59a76937603" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. 2013-02-20T14:35:38.030Z cpu8:51055)ScsiDeviceIO: 2316: Cmd(0x4124401f31c0) 0x1a, CmdSN 0xad from world 91852 to dev "naa.600508e00000000078c4a59a76937603" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0.</span>
So duely armed I contacted HP support whom immediately escalated the issue internally. During this time I had a very helpful conversation with a good friend @VirtualisedReal whom pointed me in the direction of the HP MSA best practice document. I applied the subnetting configuration it suggested, which seperates the iSCSi ports A1 & B1 from A2 & B2 on seperate subnets and also configured each of the hosts 2 iSCSi vmkernel ports to point to the seperate paired iSCSi ports on the SAN.
When HP did eventually come back to me they suggested the SAN was perfectly fine, However! enough time had passed since the iSCSi port configuration change that I could already see a noticable drop in latency.
I waited another week (and since then) and I am very glad to say the latency is considerably lower with no reoccurance of the locks being lost on VM vmdk files.
PowerCLI Script to set RDM LUNs to Perennially Reserved – Fixes Slow Boot of ESXi 5.1 with MSCS RDMs
I've previously posted around this topic as part of another problem but having had to figure out the process again I think it's worth re-posting a proper script for this. VMware KB 1016106 is snappily titled "ESXi/ESX hosts with visibility to RDM LUNs being used by MSCS nodes with RDMs may take a long time to boot or during LUN rescan" and describes the situation where booting ESXi (5.1 in my case) takes a huge amount of time to boot because it's attempting to gain a SCSI reservation on an RDM disk used by MS Clustering Services. It also details the fix.
The process is fairly simple, but a bit labour intensive if you're doing it manually on a large cluster.
- Retrieve the ScsiCanonicalName for each RDM
- Set the configuration for each RDM on each Host to "PerenniallyReserved"
VMware vCenter Linked Mode not supported through firewalls
This article originally started off life as a record of how I managed to get this working, as a lot of my posts do, but this time it appears I am foiled.
Last week, I had 3 vCenter Servers that appeared to be happily talking to each other in Linked Mode sharing a singe Multi-site SSO domain without any real issues. I had a single-pane-of-glass view of all 3 and I could manage them all from the one client. The reason for the 3 vCenter servers was segregation of LAN and DMZ networks: vCenter001 was in the LAN, vCenter002 sat in DMZ1 and vCenter003 sat in DMZ2.
Fixing the – the server fault invalidargument had no message – error message
Today while creating new VMs from a template I got the error "the server fault invalidargument had no message" when editing the VM settings, the settings were modified successfully but the error was present whether a change had been made or not to the settings of the VM.
A quick search of the web suggested removing said VM from the inventory and re-adding from the datastore, for many this fixed the issue but not for me.
Another suggested removing and reading the Host from the cluster which I did and still no joy. Finding little else to go on I elected to simply restart the host the VM/template was originally on.
Lo and behold this fixed the issue!
VM Power On fails with error: cpuid.coresPerSocket must be a number between 1 and 8
Had a strange one after deploying an XP VM from a template today - the VM would not power on and threw the following error:
An error was received from the ESX host while powering on VM [VM name].
cpuid.coresPerSocket must be a number between 1 and 8
Digging around on google the error seemed to be related to over-allocating vCPUs (e.g. assigning 8 vCPUs on a VM with 4 physical CPU cores). This was a single vCPU machine on a 12 processor host, so not likely to be that! It did give me the idea that maybe the VMX had an error, so I edited the VM hardware and added an extra CPU and saved the config. I then edited it back to a single CPU and powered on the machine - it worked!
Examining the vmx showed that the coresPerSocket was set to zero which is incorrect:
cpuid.coresPerSocket = "0"
And after the change, the numvcpus setting was added and coresPerSocket updated:
cpuid.coresPerSocket = "1" numvcpus = "1"
Fortunately, it's a simple fix and once I'd updated the template, not something that will bother me again!
Installing the VMware Support Assistant
So VMware's Support Assistant is pretty awesome and it's free! I thought I'd do a quick run through of the installation and set up for anyone who was interested, it's fairly straightforward and if you raise a lot of calls or have multiple calls on the go it's a time saver!
VMware's official page for the Support Assistant is here - https://www.vmware.com/products/datacenter-virtualization/vcenter-support-assistant/overview.html
Passed the VCP510 exam – VCP5-DV Qualified!
I'm very pleased to say that as of 21st December, I passed my VCP510 exam and am now VCP5 qualified! It's something that I've wanted to do for a long time (since VCP3) but have never been able to get funding for the required course. My current employer sent me on the vSphere 5 Fast Track course earlier this year, so I was all set to take the exam.
My exam experience was somewhat marred by a very poor first attempt which I narrowly failed. The exam I sat had dozens of spelling and grammatical mistakes, inaccuracies and other problems and I spent far too long commenting on those than concentrating on the questions. Fortunately I was eventually able to speak with VMware Education and they issued me with an exam voucher (they will also be releasing a new version of the exam soon, which I'm assured will resolve these problems). My second attempt was a lot better and I smashed the 300 point pass mark by 128 points, which went some way to restoring confidence in my own knowledge of the subject!
I'm now looking forward to studying for the VCAP-DCA and DCD exams with a view to completing them in 2013...
vCenter 5.1 Single Sign On Multi-Site error: User credentials are incorrect or empty
While adding an additional vCenter Server to our Multi-Site Single Sign On instance I encountered a problem as I entered the details of the existing SSO.
The error thrown was:
User credentials are incorrect or empty. Provide correct credentials.
After a couple of hours online with VMware support I took a guess at the problem. On the existing Single Sign On Configuration I have added the Active Directory domain DefinIT and in order to enable integrated authentication from the vSphere Client I moved it to the top of the list - this meant that System-Domain is no longer the default authentication domain. The SSO admin account (admin@System-Domain) is a part of that domain and so my guess is that the installer tries to authenticate using admin@definit.local rather than System-Domain, which of course failed.
Moving System-Domain back to the top of the list allowed me to install correctly, and once finished I could drop it back down to allow integrated authentication again.
Recent Comments
- Why secure your vSphere environment with valid SSL certificates? « DefinIT on Using the VMware SSL Certificate Automation Tool with a Microsoft Certificate Authority
- John Wiersma on PowerCLI Script to set RDM LUNs to Perennially Reserved – Fixes Slow Boot of ESXi 5.1 with MSCS RDMs
- Sam McGeown on PowerCLI Script to set RDM LUNs to Perennially Reserved – Fixes Slow Boot of ESXi 5.1 with MSCS RDMs
- John Wiersma on PowerCLI Script to set RDM LUNs to Perennially Reserved – Fixes Slow Boot of ESXi 5.1 with MSCS RDMs
- Sam McGeown on PowerCLI Script to set RDM LUNs to Perennially Reserved – Fixes Slow Boot of ESXi 5.1 with MSCS RDMs
Top Posts & Pages
- Configuring a Guest wireless network with restricted access to Production VLANs
- Installing and Configuring OTRS 3.0.9 on Windows Server 2008 R2
- Upgrading to ESXi 5.0 Update 1 using VMware Update Manager
- PowerShell: Recursively taking ownership of files and folders and adding permissions without removing existing permissions
- Unable to access admin shares (c$, d$, ADMIN$, IPC$) on Windows Server 2008 in a Workgroup
Categories
Qualifications
_1084_1085_thumb.jpg "MCITP Logo")
Archives
- May 2013 (2)
- April 2013 (2)
- March 2013 (2)
- February 2013 (4)
- January 2013 (1)
- December 2012 (2)
- November 2012 (3)
- October 2012 (4)
- September 2012 (1)
- August 2012 (4)
- July 2012 (1)
- June 2012 (1)
- May 2012 (1)
- February 2012 (1)
- January 2012 (4)
- October 2011 (2)
- August 2011 (1)
- July 2011 (1)
- June 2011 (2)
- April 2011 (1)
- March 2011 (7)
- February 2011 (4)
- January 2011 (1)
- December 2010 (1)
- November 2010 (3)
- October 2010 (1)
- September 2010 (5)
- August 2010 (3)
- July 2010 (5)
- June 2010 (4)
- May 2010 (2)
- April 2010 (3)
- March 2010 (6)
- February 2010 (5)
- January 2010 (1)
- December 2009 (2)
- November 2009 (1)
- October 2009 (3)
- September 2009 (3)
- July 2009 (3)
- May 2009 (1)
- April 2009 (2)
- February 2009 (2)
- January 2009 (4)
- December 2008 (2)
- November 2008 (1)
- October 2008 (3)
- September 2008 (5)
- August 2008 (1)
- July 2008 (6)
- May 2008 (8)
- April 2008 (2)
- March 2008 (1)
- February 2008 (1)
- January 2008 (1)
- November 2007 (1)
- October 2007 (1)
- July 2007 (1)
- June 2007 (6)
- May 2007 (2)