Eric Siebert has opened up voting for the Top vBlog 2018. I’m listed on the vLaunchpad and you can vote for me under storage and independent blog categories as well. There are a bunch of great blogs listed on Eric’s vLaunchpad, so if nothing else you may discover someone you haven’t heard of before, and chances are they’ll have something to say that’s worth checking out. If this stuff seems a bit needy, it is. But it’s also nice to have people actually acknowledging what you’re doing. I’m hoping that people find this blog useful, because it really is a labour of love (random vendor t-shirts notwithstanding).
This is a quick and easy one. I came across a virtual appliance the other day that had an expired certificate.
When you click Next you’ll get an error saying the package is signed with an invalid certificate.
ovftool.exe --skipManifestCheck c:\tmp\old.ova c:\tmp\new.ova
You’ll then be able to deploy the appliance without it barfing. Remember, though, that this is a bit of a rough workaround, and you should really contact the appliance vendor in the first instance as they’ll likely be keen to fix the issue. In my case I was able to continue with my testing while the vendor went ahead and fixed things on their side.
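The manifest (.mf) inside an OVA lists a hash for every packaged file, and the .cert file is a signature over that manifest, so --skipManifestCheck switches off both the integrity check and the signature check. If you have to use the workaround while the vendor re-signs the package, you can at least confirm that the files still match the manifest the vendor shipped. The following is an added example, not code from the original post or from VMware: it unpacks an OVA (a plain tar archive), parses the "SHA256(file)= hex" manifest lines, checks each hash, and reports files that are mismatched, missing, unlisted, or only covered by SHA1. The sample OVA it builds is constructed in-memory for the demonstration and is not a real appliance.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest lines look like "SHA256(appliance.ovf)= <hex digest>".
# Older tools wrote SHA1 entries, which the checker flags as weak.
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Return [(algorithm, filename, hexdigest)] from the text of an OVF .mf file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError("malformed manifest line: %r" % line)
        entries.append((match.group(1).lower(), match.group(2), match.group(3).lower()))
    return entries


def verify_ova_manifest(ova_bytes):
    """Check every manifest entry against the file actually packaged in the OVA.

    Returns a dict with an overall "ok" flag plus lists of mismatched, missing,
    unlisted (present but not in the manifest) and weak (SHA1-only) file names.
    """
    result = {"ok": False, "mismatched": [], "missing": [], "unlisted": [], "weak": []}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    manifest_names = [name for name in members if name.endswith(".mf")]
    if len(manifest_names) != 1:
        raise ValueError("expected exactly one .mf manifest, found %d" % len(manifest_names))
    manifest_name = manifest_names[0]
    listed = set()
    for algo, name, expected in parse_manifest(members[manifest_name].decode("ascii")):
        listed.add(name)
        if algo == "sha1":
            result["weak"].append(name)
        if name not in members:
            result["missing"].append(name)
            continue
        if hashlib.new(algo, members[name]).hexdigest() != expected:
            result["mismatched"].append(name)
    # The manifest itself and the detached .cert signature are never listed in the manifest.
    for name in members:
        if name not in listed and name != manifest_name and not name.endswith(".cert"):
            result["unlisted"].append(name)
    result["ok"] = not (result["mismatched"] or result["missing"] or result["unlisted"])
    return result


def build_sample_ova(tamper=False):
    """Constructed sample OVA for the demonstration: one .ovf, one .vmdk and a SHA256 manifest.
    With tamper=True the disk is altered after the manifest was written, as a modified package would be."""
    files = [("appliance.ovf", b"<Envelope/>"), ("appliance-disk1.vmdk", b"KDMV" + b"\x00" * 64)]
    manifest = "".join("SHA256(%s)= %s\n" % (name, hashlib.sha256(data).hexdigest()) for name, data in files)
    if tamper:
        files[1] = ("appliance-disk1.vmdk", files[1][1] + b"\x01")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files + [("appliance.mf", manifest.encode("ascii"))]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print("clean package:", verify_ova_manifest(build_sample_ova()))
    print("tampered package:", verify_ova_manifest(build_sample_ova(tamper=True)))
```

To run it against a real appliance, read the .ova from disk and pass the bytes to verify_ova_manifest. A clean result only tells you the package matches its own manifest; it says nothing about who produced that manifest, which is what the vendor's re-issued certificate is for.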
Eric Siebert has opened up voting for the Top vBlog 2017. I’m listed on the vLaunchpad under the top 100, and you can vote for me under storage and independent blog categories as well. I climbed the heady heights to number 78 last year. So thanks to my mother for voting for me. You can go directly to the voting survey here. There are a bunch of great blogs listed on Eric’s vLaunchpad, so if nothing else you may discover someone you haven’t heard of before, and chances are they’ll have something to say that’s worth hearing. Or reading. Look, you know what I mean. If this stuff seems a bit needy, it is. But it’s also nice to have people actually acknowledging what you’re doing. This all means nothing without your validation.
I’ve previously changed my tune on asking for votes in this competition, not because I don’t think it’s a good bit of fun, but I think there’re a bunch of other bloggers you should be voting for. A few people like to huff and puff about it being a popularity contest, but if nothing else I’ve found these types of lists (and Eric’s site in general) to be extremely useful when tracking down links to things on the internet that I know I need but can’t remember how I googled them in the first place. A lot of work goes into the site, so thanks Eric, and please keep it up! Thanks also to anyone who did throw a vote my way, I do actually appreciate it.
I’ve been using Ravello a bit recently, thanks primarily to their kind offer of free time for vExperts. I thought it would be worth while doing a few posts on what you need to do to get started. While this information is available via a number of sources already, I thought I’d update it a little to reflect the steps required when using the latest version of the dashboard and ESXi 6. Documentation is also a good way for me to learn things, and it’s my blog so I can afford to be self-indulgent.
In any case, the original steps I followed are here. The article I did is available here. Justin Warren did a nice series on using Ravello, and his post on “How To Import OVA/OVF Into Ravello” was particularly useful. Emad Younis also has an excellent article on deploying the vCenter Server Appliance 6 on Ravello – you can read it here.
I like what Ravello does, so much so that I put a little badge on my blog. And I think there’s a crapload of cool use cases for this technology. If you’re a vExpert and not taking advantage of Ravello’s offer – what’s wrong with you? Get on there and check it out.
As part of a recent vSphere 5.5 deployment, I installed a small vSphere Replication 5.8 proof-of-concept for the customer to trial site-to-site replication and get their minds around how they can do some simple DR activities. The appliance is fairly simple to deploy, so I thought I’d just provide a few links to articles that I found useful. Firstly, esxi-guy has a very useful soup-to-nuts post on the steps required to deploy a replication environment, and the steps to recover a VM. You can check it out here. Secondly, here’s a link to the official vSphere Replication documentation in PDF and eBook formats – just the sort of thing you’ll want to read while on the treadmill or sitting on the bus on the way home from the salt mines. Finally, if you’re working in an environment that has a number of firewalls in play, this list of ports you need to open is pretty handy.
One problem we did have was that we’d forgotten what the password was on the appliance we’d deployed at each site. I’m not the greatest cracker in any case, and so we agreed that re-deploying the appliance would be the simplest course of action. So I deleted the VM at each site and went through the “Deploy from OVF” thing again. The only thing of note that happened was that it warned me I had previously deployed a vSphere Replication instance with that name and IP address, and that I should get rid of the stale version. I did that at each site and then joined them together again and was good to go. I’m now trying to convince the customer that SRM might be of some use to them too. But baby steps, right?
Note also that, if you want to deploy additional vSphere Replication VMs to assist with load-balancing in your environment, you need to use the vSphere_Replication_AddOn_OVF10.ovf file for the additional appliances.
A colleague of mine has been doing some data centre failover testing for a customer recently and ran into an issue with VMware’s Site Recovery Manager (SRM) 5.8 running on vSphere 5.5 U2. If you attempt a recovery while running Linked Mode and the protected site is off-line, the recovery may fail. The upshot of this is “The user is unable to perform a recovery at the recovery site, in the event of a DR scenario”. Here’s what it looks like.
The Reason and Resolution
You can read more about the problem in this VMware KB article: Performing a Recovery using the Web Client in VMware vCenter Site Recovery Manager 5.8 reports the error: Failed to connect Site Recovery Manager Server(s). In short, there’s a PowerShell script you can run to make the recovery happen.
I don’t know what to say about this. I’d like to put the boot into whomever at VMware is responsible for this SNAFU, but I’m guessing that they’ve already had a hard time of it. At least, I guess, there’s a workaround, if not a fix. But you’d be a bit upset if this happened for the first time during a real failover. That’s why we test before we hand over. And what is it with everything going pear-shaped when Linked Mode is in use?
*Update – 29/10/2015*
I’ve come across a few slightly odd things that I hadn’t accounted for during a recent vSphere 5.5 U2 deployment and thought it would be handy to document them. In this post (which is hopefully the last one) I’d like to cover off SSL certificates.
A lot of people don’t bother trying to deploy custom certificates because it invariably involves interaction with an in-house InfoSec team. This can be a royal pain in the arse. I understand completely. That said, getting custom certs into your vSphere environment has become a lot easier in recent times.
Firstly, there are a few KB articles you should read:
- Deploying and using the SSL Certificate Automation Tool 5.5 (2057340)
- Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581)
- Implementing CA signed SSL certificates with vSphere 5.x (2034833)
- Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment
- Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108)
Here’s the output from the Certificate Automation Tool:
==================================================================
Main menu
Enter the action you want to run
1. Plan your steps to update SSL certificates(Update Steps Planner)
2. Generate Certificate Signing Requests
3. Update Single Sign-On
4. Update Inventory Service
5. Update vCenter Server
6. Update vCenter Orchestrator(vCO)
7. Update vSphere Web Client and Log Browser
8. Update vSphere Update Manager(VUM)
9. End the update process and exit
The chosen action is: 1
And here’s what the Update Steps Planner gives you to work through.
The chosen action is: 1
==================================================================
1. Plan your steps to update SSL certificates(Update Steps Planner)
Choose the services you want to update:
1. Single Sign-On
2. Inventory Service
3. vCenter Server
4. vCenter Orchestrator
5. vSphere Web Client
6. Log Browser
7. vSphere Update Manager
8. All services(listed above)
9. Return to the main menu
Example: To choose the certificate update of Inventory Service, vCenter Server and vSphere Web Client you would enter: 2,3,5
You chose (enter comma-separated list of numbers): 8
Input arguments:
 Selected services: Single Sign-On, Inventory Service, vCenter Server, vCenter Orchestrator, Web Client, Log Browser, vSphere Update Manager
Detailed Plan to follow:
1. Go to the machine with Single Sign-On installed and
 - Update the Single Sign-On SSL certificate.
2. Go to the machine with Inventory Service installed and
 - Update Inventory Service trust to Single Sign-On.
3. Go to the machine with Inventory Service installed and
 - Update the Inventory Service SSL certificate.
4. Go to the machine with vCenter Server installed and
 - Update vCenter Server trust to Single Sign-On.
5. Go to the machine with vCenter Server installed and
 - Update the vCenter Server SSL certificate.
6. Go to the machine with vCenter Server installed and
 - Update vCenter Server trust to Inventory Service.
7. Go to the machine with Inventory Service installed and
 - Update the Inventory Service trust to vCenter Server.
8. Go to the machine with vCenter Orchestrator installed and
 - Update vCenter Orchestrator trust to Single Sign-On.
9. Go to the machine with vCenter Orchestrator installed and
 - Update vCenter Orchestrator trust to vCenter Server.
10. Go to the machine with vCenter Orchestrator installed and
 - Update the vCenter Orchestrator SSL certificate.
11. Go to the machine with vSphere Web Client installed and
 - Update vSphere Web Client trust to Single Sign-On.
12. Go to the machine with vSphere Web Client installed and
 - Update vSphere Web Client trust to Inventory Service.
13. Go to the machine with vSphere Web Client installed and
 - Update vSphere Web Client trust to vCenter Server.
14. Go to the machine with vSphere Web Client installed and
 - Update the vSphere Web Client SSL certificate.
15. Go to the machine with Log Browser installed and
 - Update the Log Browser trust to Single Sign-On.
16. Go to the machine with Log Browser installed and
 - Update the Log Browser SSL certificate.
17. Go to the machine with vSphere Update Manager installed and
 - Update the vSphere Update Manager SSL certificate.
18. Go to the machine with vSphere Update Manager installed and
 - Update vSphere Update Manager trust to vCenter Server.
And then you have a nice list of stuff to work through. I’m not going to dump the whole process here, but here’s a grab of what updating your vCenter cert looks like:
==================================================================
Main menu
Enter the action you want to run
1. Plan your steps to update SSL certificates(Update Steps Planner)
2. Generate Certificate Signing Requests
3. Update Single Sign-On
4. Update Inventory Service
5. Update vCenter Server
6. Update vCenter Orchestrator(vCO)
7. Update vSphere Web Client and Log Browser
8. Update vSphere Update Manager(VUM)
9. End the update process and exit
The chosen action is: 5
==================================================================
5. Update the vCenter Server SSL Certificate
1. Update the vCenter Server Trust to Single Sign-On
2. Update the vCenter Server SSL Certificate
3. Update the vCenter Server Trust to Inventory Service
4. Rollback to the previous vCenter Server SSL Certificate
5. Return to the main menu to update other services
The chosen service is: 2
[Thu 28/05/2015 - 10:39:54.86]: The services that are restarted as a part of this operation are: VMware VirtualCenter Server, VMware VirtualCenter Management Webservices and VMware vSphere Profile-Driven Storage Service.
Enter location to the new vCenter Server SSL chain: C:\Install\ssl-certificate-updater-tool-1308332\vCenterServer-VC4002\chain.pem
Enter location to the new vCenter Server private key: C:\Install\ssl-certificate-updater-tool-1308332\vCenterServer-VC4002\rui.key
Enter vCenter Server administrator user name: domain\svc_vmware
Enter vCenter Server administrator password (will not be echoed):
"Important: Enter the password carefully. The Certificate Automation Update Tool does not check the validity of the vCenter Server database password."
"A blank or incorrect password will leave the system in an inconsistent state, which will cause the vCenter Server to become unavailable. "
"If the system becomes unstable due to a bad password, see the Troubleshooting Section of KB 2041600."
Enter the vCenter Server original database password (will not be echoed):
Enter Single Sign-On Administrator user: Administrator@vsphere.local
Enter Single Sign-On Administrator password (will not be echoed):
[.] WARNING: Certificate's `CN=VC4002.racqgroup.local, OU=vCenterServer-VC4002, O=Company, L=Location, ST=QLD, C=AU' signature uses weak one-way hash (SHA-1). In a secure environment it is recommended to use SHA2-256 or a stronger hash algorithm.
[.] The supplied certificate chain is valid.
Loading 'screen' into random state - done
"Restarting services... (This can take some time)"
"Stopping vCenter Web Services..."
"Stopping vCenter Server..."
"Starting vCenter Server and other services..."
[Thu 28/05/2015 - 10:45:42.32]: Last operation update vCenter Server SSL certificate completed successfully.
[Thu 28/05/2015 - 10:45:42.33]: Go to the next step in the plan that was received from Update Steps Planner.
Once you’ve had your way with vCenter, etc, you can do your ESXi hosts. The following link has info on that – Configuring CA signed certificates for ESXi 5.x hosts – and you can grab the appropriate version of Win32 OpenSSL from here. Here’s what it looks like when you use OpenSSL to generate the requests for your ESXi hosts:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Player1>cd \

C:\>cd OpenSSL\bin

C:\OpenSSL\bin>openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
........+++
..........................................+++
writing new private key to 'rui-orig.key'
-----

C:\OpenSSL\bin>openssl rsa -in rui-orig.key -out rui.key
writing RSA key

C:\OpenSSL\bin>
One thing to note: I found that HA got a bit irritable until all hosts in the cluster had custom certs installed, so it’s worth turning HA off until you’re finished. If, for some reason, something goes wrong with the ESXi certs, you can re-generate the default self-signed ones with the following command:
Updates
In some of my previous posts, I talked about a few things that I had to do to get things working. In this post, I discussed the “Missing VMware Tools ISO”. I still don’t know why the tools files were missing from the installation, but I do know that once we applied some more recent vSphere Update Manager baselines to those hosts the correct ISO files were added to the hosts.
I also covered “HP Legacy BIOS Mode and ESXi” in this post. Interestingly, you’ll need to change back to UEFI BIOS mode if you’re trying to make VirtualConnect changes to a host, as my client found out the hard way.
I also spoke about ESXi hosts and Active Directory authentication in this post. I should point out that this post by Joseph also came in handy. If you find that restarting the services on the host bombs out, you’ll need to manually create /var/lock/subsys and then restart the services. There’s a KB article from VMware that says the same thing here.
mkdir /var/lock/subsys
/etc/init.d/netlogond restart
/etc/init.d/lwiod restart
/etc/init.d/lsassd restart
And you should then be right.
I’ve been covering a few workarounds, mishaps and random things I’ve had to do during a recent vSphere 5.5 U2 deployment. This is Part 4 in the series, and I hope some of it is useful. You can read my other posts here, here, and here.
Client Integration Plug-in for vSphere Web Client
Love it or hate it, the vSphere Web Client is here to stay. If, for some reason, you’re logged into a host with credentials that you want to use to log in to your vSphere environment with, you can use pass-through authentication if you install the Client Integration Plug-in for vSphere Web Client. You can get details on how to do that here.
HP Legacy BIOS Mode and ESXi
This was my first time using BL460c Generation 9 blades with ESXi. While I’ve been around the block with HP blades in the past, I’ve never used them with the SD card option before. I thought this was to blame when I’d reboot the hosts and configuration items (such as persistent scratch location, syslog configuration and core dump details) would disappear. Added to this, the networking configuration on vmk0 would disappear from time to time as well. I was also getting errors such as this when applying host profiles to hosts:
“Call “HostProfileManager.GenerateConfigTaskList” for object “HostProfileManager” on vCenter Server “hostname.domain” failed.
Failed to execute command to configure or query coredump partition.”
I did some searching and chanced upon this article BL460c Gen9 + ESXi 5.5 – Special procedure when using UEFI? Seems that setting the host’s Boot Mode to Legacy BIOS Mode makes for a happier installation and on-going experience. The guy who installed the blades had set them to Legacy mode for the installation and then set them back to UEFI. I can’t tell you why this needed to occur, nor can I tell you the disadvantages of taking this approach.
Windows 2012 R2 and .Net 3.5
If you’re running your VMware applications on Windows 2012 R2, there’s a chance you’ll need to install .Net 3.5 on your guest to get things working. This is handled via Server Roles. Microsoft has a TechNet article on how to do it here. Note that you’ll need your Windows installation media, and you’ll likely need to specify an alternate source – %CDROM%\sources\sxs.
Okay, so hopefully that was useful for someone. More to follow …
This is my third post in a series of articles on some workarounds and things I had to look into when doing a recent vSphere 5.5 U2 deployment. You can find my previous articles here and here. In this episode I’m covering EVC, Host Profile Compliance Checks, and ESXi Hosts and Active Directory Authentication.
VMware Enhanced vMotion Compatibility (EVC)
Wondering which EVC Intel mode (Merom, Penryn, Nehalem, Westmere, Sandy Bridge, Ivy Bridge) to use with your vCenter cluster? It depends. This KB article provides a good outline of your options. Note that in vCenter Server 5.1 and 5.5, the Intel “Ivy Bridge” Generation option is only displayed in the Web Client. That’s the man trying to keep you down ;)
But how do I set EVC on the cluster when vCenter is virtual and running in the cluster? As the cluster is no longer the boundary for vMotion, one way to do this is to create a new empty cluster. Add your first host and setup as appropriate. Then enable EVC and vMotion the first guest into the cluster and you’ll be good to go. If you can’t vMotion across clusters because VMs are using various features of the CPU (a more likely scenario), you’ll need to use the method outlined in the following article – Enabling EVC on a cluster when vCenter Server is running in a virtual machine. It’s a bit of a pain, particularly if you’re using Distributed vSwitch, but it works well enough. And when VMware say they recommend you change your VM to standard vSwitch – it’s a good idea to take their advice.
VMware also have a pretty useful FAQ on EVC and CPU Compatibility that you can access here.
Host Profile Compliance Checks
If you’re running Host Profiles at the cluster level, you may find that even if the host is compliant, it fails on Fault Tolerance checks. If you’re not using FT, disable those checks. Because we all live for green lights. Right-click the cluster and click Edit Settings > VMware HA > Advanced Options. You’ll need to add in a field and set it to false. Details on how to do this can be found here.
ESXi Hosts and Active Directory Authentication
Want to join your ESXi host to an Active Directory domain? Good idea. You’ll need this KB article. Be sure you’ve got Config.HostAgent.plugins.hostsvc.esxAdminsGroup set correctly, or you’ll have a difficult time getting in with your AD credentials. If you have issues, you can try restarting LDAP or forcing an update on the DC that you configured the ESXi host to look at. I found this article useful.
Okay, so hopefully that was useful for someone. More to follow …