In this chapter, we will cover the follow recipes:
Choosing the right vSphere and vCenter edition
Booting a VM from a virtual CD-ROM
Using hosts with different CPUs in one cluster
Fixing VMware tools to autostart after Linux updates
Running vCenter on a VM
Managing several vCenter Servers from one client
Accessing new vCenter features
Accessing hosts via SSH
Securing host management access
Storing host logs on a shared datastore
Configuring remote logging
This chapter covers some basic tasks and features administrators may need to use while working with vCenter. Most of the tips and advices in this chapter as well as in this book assume that you already have vCenter deployed and that it already has some hosts and datastores connected. You may be running vCenter with a trial license, which will work just fine if you decide to try some of the how-tos in this chapter. All features and settings described in this chapter exist in any vSphere 5 version unless otherwise noted.
The vCenter edition required for a particular environment is very much determined by the vSphere edition in use. The vSphere edition in turn is chosen based on the size of the environment and features that will be used.
To choose the vCenter edition that's right for your environment you need to:
Determine the vSphere features required.
Choose the vSphere edition based on environment size, features required, and growth expected.
Select the vCenter edition if it's not included in the chosen vSphere edition.
A vSphere license can be bought as part of a kit or separately. Kits include a vCenter license while other vSphere editions require a separate vCenter license. When choosing a vSphere edition, it may be a good idea to take a look at its kits first. An included vCenter license will save costs. If you determine that none of the available kits include the required features and capacity, select one of the separate vSphere editions.
The following table compares five main kits available and shows the features that are included in each kit:
|
Features |
Essentials kits |
Operations management kits (vSOM) | |||
|---|---|---|---|---|---|
|
Essentials |
Essentials Plus |
Standard |
Enterprise |
Enterprise Plus | |
|
Physical CPUs included |
6 |
6 |
6 |
6 |
6 |
|
Hypervisor |
+ |
+ |
+ |
+ |
+ |
|
vMotion |
+ |
+ |
+ |
+ | |
|
High Availability (HA) |
+ |
+ |
+ |
+ | |
|
Data Protection (DP) |
+ |
+ |
+ |
+ | |
|
vSphere Replication (VR) |
+ |
+ |
+ |
+ | |
|
Operations monitoring, optimization and visibility |
+ |
+ |
+ | ||
|
Fault Tolerance (FT) |
+ |
+ |
+ | ||
|
Storage vMotion |
+ |
+ |
+ | ||
|
Distributed Resource Scheduler (DRS) |
+ |
+ | |||
|
Distributed Power Management (DPM) |
+ |
+ | |||
|
Storage DRS |
+ | ||||
|
Distributed switch |
+ | ||||
|
Flash Read Cache |
+ | ||||
Kit editions are meant for smaller environments and have their limitations. Six processors included determine that the environment cannot be larger than three servers with two physical processors each. As a result, if there is a plan to grow the environment in the near future, choose one of the separate vSphere editions.
The following table shows the available vSphere editions and features included:
|
Features |
Standard |
Enterprise |
Enterprise Plus |
Standard with vSOM |
Enterprise with vSOM |
Enterprise Plus with vSOM |
|---|---|---|---|---|---|---|
|
Physical CPUs included (per-CPU license entitlement) |
1 |
1 |
1 | |||
|
Hypervisor (basic virtualization capabilities) |
+ |
+ |
+ | |||
|
Operations monitoring, optimization and visibility |
+ |
+ |
+ | |||
|
vMotion |
+ |
+ |
+ |
+ |
+ |
+ |
|
High Availability (HA) |
+ |
+ |
+ |
+ |
+ |
+ |
|
Data Protection (DP) |
+ |
+ |
+ |
+ |
+ |
+ |
|
vSphere Replication (VR) |
+ |
+ |
+ |
+ |
+ |
+ |
|
Fault Tolerance (FT) |
+ |
+ |
+ |
+ |
+ |
+ |
|
Storage vMotion |
+ |
+ |
+ |
+ |
+ |
+ |
|
Distributed Resource Scheduler (DRS) |
+ |
+ |
+ |
+ | ||
|
Distributed Power Management (DPM) |
+ |
+ |
+ |
+ | ||
|
Storage DRS |
+ |
+ | ||||
|
Distributed switch |
+ |
+ | ||||
|
Flash Read Cache |
+ |
+ |
Remember that vSphere 5 is licensed per physical CPU. For instance, two physical servers with two CPUs each will require four vSphere 5 CPU licenses. If DRS is a requirement, four Enterprise licenses will be needed. To take advantage of the Storage DRS, you will need four Enterprise Plus licenses in this case.
Both the preceding tables include only the main features we believe are necessary to make a decision. A full feature comparison can be found on the Compare VMware vSphere Editions page at http://www.vmware.com/products/vsphere/compare.
Additional information on the existing features and editions as well as upgrade paths from vSphere 4 can be found at the following link: http://www.vmware.com/files/pdf/vsphere_pricing.pdf
Each of the following vSphere kit editions includes one instance of vCenter:
Essentials
Essentials Plus
vSOM Standard
vSOM Enterprise
vSOM Enterprise Plus
Other vSphere editions do not include a vCenter license, and if a separate vSphere edition has been chosen, there are two options for the vCenter edition:
vCenter Server Foundation
vCenter Server Standard
It is important to know that according to the End User License Agreement, customers licensed under Essentials or Essentials Plus are not allowed to purchase any other vCenter addition. If you need to manage more hosts, then the solution is to upgrade the existing license to vSphere Standard or above and purchase vCenter Standard.
The following table compares vCenter editions:
|
Feature |
Essentials (part of Essentials or Essentials Plus kit) |
Foundation |
Standard |
|---|---|---|---|
|
Maximum number of hosts that can be managed |
3 |
3 |
1,000 |
|
Management service |
+ |
+ |
+ |
|
Database server |
+ |
+ |
+ |
|
Inventory service |
+ |
+ |
+ |
|
vSphere Clients |
+ |
+ |
+ |
|
vCenter APIs |
+ |
+ |
+ |
|
Single Sign-On |
+ |
+ |
+ |
|
vCenter Orchestrator |
+ | ||
|
Linked Mode |
+ |
There is also an option to purchase a support plan from VMware along with the software. The two available options include:
Basic: Provides support during business hours
Production: Provides 24 x 7 support
The production support plan is recommended for critical environments. Both plans include an unlimited number of support cases. Any of the preceding subscriptions are required for at least one year.
VMware also offers an option for per incident support, which can be purchased in 1, 3, or 5-incident packs. This option is available for vSphere Essentials kit only.
If a VM has just been created and you are trying to install the operating system from a virtual CD-ROM, you can turn the VM on, connect the ISO image to the operating system, and reboot the VM. It will start booting from the CD-ROM right away.
If the operating system has already been installed and you need to boot this VM from the CD-ROM, it may be challenging, as the option to press Esc for Boot Menu is displayed for a very short period of time:
To increase the time for which this option is displayed so that you can press Esc, you'll need to change the Power On Boot Delay value. To do that, perform the following steps:
Go to VM Settings | Options | Boot Options.
Select the Power On Boot Delay option.
Set the value to
3,000so that the VM waits for 3 seconds for Esc.
The location of this setting in vCenter Web Client is similar:
Right-click on a VM
Go to Edit Settings...
Go to VM Options | *Boot options.
Adjust the Boot Delay (*) setting.
One of the core vSphere features is vMotion. It allows administrators to move a running virtual machine from one host to another without interruption.
Unfortunately, one of the requirements for vMotion is to use hosts with the same processors so that the virtual machine that has been moved can keep running on a new host. This is due to the fact that newer processors, even within the same family, typically have additional features. New generations of processors can also have a different set of instructions. When features or instructions an application is using are not available, the application will crash.
Clusters consisting of hosts with different CPU generations can use Enhanced vMotion Compatibility (EVC) mode. In this mode, vCenter hides CPU features and instructions that are not available on older hosts. This way, it makes all hosts' CPUs in the cluster look like they are the same.
The obvious downside of using this feature is that the cluster's processors will all be the same or lower than the oldest host's CPU.
Things to consider before enabling the feature are as follows:
All hosts must have either Intel or AMD processors.
All cluster VMs running on hosts where EVC mode will be enabled must be shut down before the feature can be turned on.
To enable EVC:
Switch to the Hosts and Clusters view.
Right-click on your cluster and choose Edit Settings.
Go to VMware EVC and click on Change EVC Mode.
Choose
AMDorInteldepending on the host's CPU.Choose the best available option for processor generation.
In vCenter Web Client, this setting can be found by going to vCenter | Cluster | Manage | Settings | VMware EVC:
Press the Edit... button next to the VMware EVC section to change EVC mode:
Virtual machines always have to be off when changing EVC mode to an older processor generation. This is not a requirement when EVC mode is being raised. Unfortunately, in this case, new CPU features will not be available to VMs until they are powered off and back on. Suspending or restarting VMs is not sufficient because virtual machine EVC mode is determined when it's turned on.
From time to time, VMware tools that have been working fine before refuse to start automatically when the Linux guest is rebooted. VMware tools can be started manually using the following command:
# /etc/vmware-tools/services.sh start
Note
The preceding command and other commands in this book assume RHEL or CentOS and can be different for Debian or other Linux distributions.
The following error message may be displayed:
In most cases, this issue is related to recent OS updates; in particular, the Linux kernel update, which breaks the existing VMware tools installation.
As servers are not rebooted often, it may be hard to correlate the issue of VMware tools not starting automatically and OS updates.
To fix the issue, simply reinstall VMware tools the same way they were installed the first time. The following commands have been tested on CentOS 5 and depending on the Linux distribution, the commands you use and their sequence may be different.
Initiate the VMware tools installation by going to VM menu and then navigating to Guest | Install/Upgrade VMware Tools:
For Linux guest, the Automatic option will not be available. Click on OK.
The VMware tools ISO image from the ESXi host will be connected to the virtual CD-ROM of the VM.
Mount the image as follows:
# mount /dev/cdrom /mnt/cdromExtract the archive with VMware tool's installation files:
# tar xzvf /mnt/cdrom/VMwareTools-<x.x.x-xxxx>.tar.gz -C /tmp/Start the installation. Switch
–dis for the unattended installation with default settings:# cd /tmp/vmware-tools-distrib/ # ./vmware-install.pl –d
Reboot the virtual machine. VMware tools should start automatically as soon as the guest OS is back up:
# shutdown –r now0
Additional details about the issue can be found in the VMware KB 2050592 article on the VMware Knowledge Base website at http://kb.vmware.com/kb/2050592.
Administrators have three options when it comes to deploying the vCenter Server. vCenter can be imported as a Linux-based virtual appliance or it can be installed on a physical or virtual Windows Server.
For smaller environments, it makes sense to choose a vCenter appliance. Its installation and configuration is easier than deploying your own vCenter Server:
Download the vCenter Server Appliance from my.vmware.com.
Deploy the appliance from a template using the Deploy OVF Template... option from the File menu.
Open your web browser and go to
http://<ip address of virtual appliance>:5480.Log in using the default credentials to configure vCenter:
Username:
rootPassword:
vmware
After logging in, go through the steps of the configuration wizard to start using the appliance.
vCenter Appliance has its limitations. First of all, if an embedded database is used, this server will be able to manage only up to five hosts and up to 50 virtual machines. In vSphere 5.5, this limit has been increased to 100 hosts and 3,000 virtual machines.
Also, this solution doesn't support the Linked Mode configuration. More information about the supported services and limitations can be found in the Knowledge Base article KB2002531 at http://kb.vmware.com/kb/2002531.
Running the vCenter Server on a virtual machine offers all virtualization advantages:
No additional hardware is needed, which means savings and flexibility.
Administrators can take advantage of using high availability features offered by vSphere—HA or FT.
vMotion offers additional flexibility and higher uptime.
Snapshots can be utilized as a rollback option.
Virtual machines are easier to manage but at the same time, there are a few concerns related to this approach:
The main concern is that issues with the vSphere environment potentially can affect the vCenter Server and as a result, the administrator's ability to manage the environment and troubleshoot issues.
For example, if a host where vCenter VM is running becomes unavailable, vCenter is not accessible until it's restarted and comes back online. In certain cases, HA fails to restart some VMs so vCenter may become unavailable for a longer time.
The administrator can connect to hosts directly using the vSphere Client but in this case, the core features offered by vCenter will not be available.
Another concern is related to environments that have only one host. Certain tasks such as ESXi updates require host maintenance mode, which means that all VMs need to be turned off. In this case, the vCenter Server has to be shut down and thus, Update Manager can't be used.
Updating ESXi from the command line can be more time consuming and challenging in certain cases. In other words, running the vCenter Server on a VM in environments with only one ESXi host can introduce some administrative difficulties.
There is a way to manage more than one vCenter Server from the same vCenter client. This is accomplished by using Linked Mode groups. Linked Mode group is a group of vCenter Servers that allows managing other members by connecting to any one of them.
This feature is available only in vCenter Server Standard edition and cannot be used with vCenter Server Appliance (vCSA).
The main requirement is that all group members must run the same version of vCenter. Other requirements are as follows:
Members must belong to the same Active Directory domain or different domains that have two-way trust relationships with each other.
DNS has to be operational for Linked Mode groups to work properly.
vCenter must be licensed or in evaluation mode.
The domain account is the local administrator on both vCenter Servers—the one that is being joined to the group and the target server.
To be able to manage additional vCenter Servers, they need to be joined to the Linked Mode group.
The vCenter Server can be joined to a group either during installation or any time after. The Linked Mode group is created when the first member is being joined to a group that doesn't exist.
To join the running vCenter Server to the existing Linked Mode group, follow the ensuing steps:
On the vCenter Server, go to Start | All Programs | VMware.
Run vCenter Server Linked Mode Configuration.
Select Modify linked mode configuration.
Click on Join this vCenter server instance to an existing linked mode group or another instance.
Click on Next.
Enter the FQDN of an existing member and LDAP port.
In case role conflict has been detected, choose a way to resolve it. You can either let vCenter rename the group or you can rename it yourself.
Restart the vCenter Server.
If a member that is being joined to the Linked Mode group is running an older version of vCenter than other members of the group it has to be upgraded. Also, if vCenter on a member is upgraded, it will be disconnected from the group.
To remove vCenter from a Linked Mode group, execute the following steps:
On the vCenter Server, go to Start | All Programs | VMware.
Run vCenter Server Linked Mode Configuration.
Choose Modify linked mode configuration.
Select Isolate this vCenter server instance from linked mode group and click on Next.
Click on Continue and then on Finish.
Reboot the vCenter Server.
vSphere 5 introduced a new web client, which can be used to manage the environment along with the traditional vSphere Client we used before.
vCenter Web Client is just another way to access the environment using a web browser. Three major browsers—Internet Explorer, Firefox, and Chrome—are supported.
Web Client becomes the main administrative interface starting with vSphere 5.1 and while vSphere Client can still be used, a lot of new features introduced in vSphere 5 are available only through Web Client.
Some of these new features are:
Datastore cluster and Storage DRS
vSphere Replication vSphere Data Protection
Enhanced vMotion
Drag-and-drop actions as well as bulk operations for vSphere objects
To access your vSphere environment using Web Client, open your web browser and point it to
https://<vCenter Server IP address>:9443/vsphere-client.On the VMware vSphere welcome page, click on the Log in to vSphere Web Client link.
From this page, you will be able to log in to vCenter using the same credentials that work for older clients.
Take a look at the following error message:
If the preceding error message is displayed, add port 9443 after the vCenter Server address or name in the URL: https://<vcenter-server>:9443/vsphere-client/. This will take you to the same login page, assuming vCenter was installed with default port settings.
In certain cases, you may need to access the ESXi host via SSH. This may be needed to run a script, troubleshoot an issue, or use a command or a feature not available via vSphere Client.
SSH access to ESXi hosts is disabled by default and can be enabled using the ESXi console and command line or through vCenter. To enable it from vCenter:
Allow SSH port through the host's firewall.
Start the SSH service on the host.
To allow the SSH port through the firewall on the ESXi host, execute the following steps:
Go to the Hosts and Clusters view.
Select the host and go to the Configuration tab.
Click on Security Profile on the left.
Click on the Properties... link next to the Firewall section.
The Firewall Properties window will open. Check SSH Server under the Secure Shell section.
Click on the Firewall button to allow only certain IP addresses to connect. Click on OK when finished to apply the changes.
In Web Client, perform the following steps:
When it comes to managing ESXi hosts, there are a few interfaces available to perform management tasks:
Remote TSM has been covered in the Accessing hosts via SSH recipe in this chapter. Local TSM and DCUI are console options available if you have physical access to the host or remote console access such as iDRAC.
All interfaces except vSphere API can be managed from vCenter under host Configuration | Security Profile | Services:
Both TSM options can also be configured from the DCUI console.
The following table summarizes different management interfaces and where each one can be configured:
|
Management interface |
Description |
Configuration from vCenter |
Configuration from DCUI |
|---|---|---|---|
|
CIM |
vCenter access |
Host's Services | |
|
DCUI |
ESXi console |
Host's Services | |
|
Local TSM |
Console CLI |
Host's Services |
Troubleshooting menu |
|
Remote TSM |
Host's Services |
Troubleshooting menu | |
|
APIs |
vSphere Client, PowerCLI, vCLI |
VMware offers a way to secure management access to hosts called Lockdown mode.
Lockdown mode is a security feature, which limits the administrator's ability to manage the ESXi host only through vCenter. When a host is in this mode, the administrator cannot use the command line or run scripts. Also, any third-party software cannot get or change any settings on this host.
The following table summarizes each management interface's behavior in Normal and Lockdown modes:
|
Management interface |
Normal mode |
Lockdown mode |
|---|---|---|
|
CIM |
User and group permissions |
Only vCenter server |
|
DCUI |
User root and users with administrator rights |
Only root user |
|
Local TSM |
Only root user |
None |
|
Remote TSM |
Only root user |
None |
|
APIs |
User and group permissions |
Only vCenter vpxuser |
Additional security always means inconvenience. If the vCenter VM crashed or didn't come up after the reboot, and access to vCenter has been lost, ESXi has to be reinstalled on hosts that are in Lockdown mode to restore access.
To enable lockdown mode from vCenter, execute the following steps:
Note
All the existing vCenter Client connections to the host will be dropped immediately.
Users that are currently logged in to DCUI or TSM will still have access after Lockdown mode has been enabled until they log off. Logged in users will not be able to switch Lockdown mode off in this case.
All the existing user and group permissions will be restored once Lockdown mode is disabled if it was enabled from vCenter.
To enable Lockdown Mode from Web Client, execute the following steps:
Select a host.
Go to Manage | Settings | Security Profile.
Scroll down to the Lockdown Mode section.
Click on the Edit next to the section.
Check Enable Lockdown Mode.
Click on OK.
ESXi server logs are stored locally by default on each host in the /var/log directory. In certain cases, there is a requirement to store logs on a datastore.
Possible scenarios are hosts without local storage, where all locally stored logs disappear after reboot, compliance requirements where there is a requirement to store logs in an alternative location, or space concerns where there are many hosts and the administrator has to keep older logs.
vCenter allows redirecting ESXi logs to one of the datastores accessible to the host. This can be accomplished by going to Configuration | Advanced Settings | Syslog by changing the variable Syslog.global.logDir to an appropriate value [Datastore]/Folder:
In vCenter Web Client, these options can be found by going to Host | Manage | Settings | Advanced System Settings, as shown in the following figure:
Once this change is made, you will see log files created in the configured folder if you browse the datastore.
From the same Advanced Settings section, you can configure the additional logging options:
The same logging parameters can also be configured from the ESXi command line using the esxcli system syslog command.
For example, to validate logging settings configured from vCenter use:
esxcli system syslog config get
VMware KB 2003322 gives more details about configuring syslog, including CLI command sequence, which is available at http://kb.vmware.com/kb/2003322.
For compliance and security reasons, administrators may need to redirect ESXi logs to a remote syslog server.
This configuration is done by going to Configuration | Advanced Settings | Syslog and changing the variable Syslog.global.logHost to <protocol>://<syslog host>:<port> as shown in the following screenshot:
From Web Client, perform the following steps:
Go to Manage | Settings | Advanced System Settings.
Select the Syslog.global.logHost option in the list.
Click on the Edit button above the list.
Adjust the value of the Syslog.global.logHost option.
Click on OK.
Note
In most cases, syslog uses UDP and that's why in case of high logging volume or high network utilization, some log entries may be lost. Consider this when planning the logging infrastructure.
You can configure the syslog and datastore logging mentioned in storing host logs on a shared datastore at the same time for each host.
Also, administrators may need to configure the ESXi firewall to allow outbound syslog traffic. This is done by going to Configuration | Security Profile | Firewall and performing the following steps:
Click on Properties next to the Firewall section.
Make sure syslog is chosen.
Click on OK.
Alternatively, from Web Client, perform the following steps:
Select a host.
Go to Manage | Settings | Security Profile.
Click on the Edit button next to the Firewall section.
Select syslog in the list.
Click on OK.
Once this configuration is completed the remote syslog server will start receiving logging data.
