Archive for the ‘Applications’ Category

Quick-Take: vCenter Server 5.0 Update 1b, Appliance Replaced DB2 with Postgres

August 17, 2012

VMware announced the availability of vCenter Server 5.0 Update 1b today along with some really good news for the fans of openness:

vCenter Server Appliance Database Support: The DB2 express embedded database provided with the vCenter Server Appliance has been replaced with VMware vPostgres database. This decreases the appliance footprint and reduces the time to deploy vCenter Server further.

vCenter 5.0U1b Release Notes

Ironically, and despite its reference in the release notes, the VMware Product Interoperability Matrix has yet to be updated to include 5.0U1b, so the official impact of an upgrade is as yet unknown.

VMware Product Interoperability Matrix not updated at time of vCenter 5U1b release.

Also, a couple of new test questions are going to be tricky moving forward, as the support for Oracle has been expanded:

  • vCenter Server 5.0 Update 1b introduces support for the following vCenter Databases
    • Oracle 11g Enterprise Edition, Standard Edition, Standard ONE Edition Release 2 [11.2.0.3] – 64 bit
    • Oracle 11g Enterprise Edition, Standard Edition, Standard ONE Edition Release 2 [11.2.0.3] – 32 bit

Besides still not supporting IPv6 and continuing the limitation of 5 hosts and 50 VMs, there is some additional legwork needed to upgrade the vCenter Server Appliance 5.0U1a to U1b as specified in KB2017801:

  1. Create a new virtual disk with size 20GB and attach it to the vCenter Server Appliance.
  2. Log in to the vCenter Server Appliance’s console and format the new disk as follows:
    1. At the command line, type, “echo "- - -" > /sys/class/scsi_host/host0/scan”.
    2. Type, “parted -s /dev/sdc mklabel msdos”.
    3. Type, “parted -s /dev/sdc mkpartfs primary ext2 0 22G”.
  3. Mount the new partition under /storage/db/export:
    1. Type, “mkdir -p /storage/db/export”.
    2. Type, “mount /dev/sdc1 /storage/db/export”.
  4. Repeat the update process.
  5. You can remove the new disk after the update process finishes successfully and the vCenter Server Appliance is shut down.

SOLORI’s Take: Until the interop matrix is updated, it’s hard to know what you’re getting into with the update (Update: as you can see from Joshua Andrews’ post on SOS tech), but the inclusion of vPostgres – VMware’s vFabric deployment of PostgreSQL 9.1.x – makes taking a look at the “crippled” appliance version a bit more tantalizing.  Hopefully, the next release will “unshackle” the vCenter Appliance beyond the 5/50 limitations – certainly vPostgres is up to the task of managing many, many more hosts and VMs (vCD anyone?) Cheers, VMware!

Quick-Take: How Virtual Backup Can Invite Disaster

August 1, 2012

There have always been things about virtualizing the enterprise that have concerned me. Most boil down to Uncle Ben’s admonishment to his nephew, Peter Parker, in Stan Lee’s Spider-Man, “with great power comes great responsibility.” Nothing could be more applicable to the state of modern virtualization today.

Back in “the day” when all this VMware stuff was scary and “complicated,” it carried enough “voodoo mystique” that (often de facto) VMware admins either knew everything there was to know about their infrastructure, or they just left it to the experts. Today, virtualization has reached such high levels of accessibility that I think even my 102-year-old Nana could clone a live VM; now that is scary.

Enter Veeam Backup, et al

Case in point is Veeam Backup and Recovery 6 (VBR6). Once an infrastructure exceeds the limits of VMware Data Recovery (VDR), it just doesn’t get much easier to back up your cadre of virtual machines than VBR6. Unlike VDR, VBR6 has three modes of access to virtual machine disks:

  1. Direct SAN Access – VBR6 backup server/proxy has direct access to the VMFS LUNs containing virtual machine disks – very fast, very low overhead;
  2. Virtual Appliance – VBR6 backup server/proxy, running as a virtual machine, leverages its relation to the ESXi host to access virtual machine disks using the ESXi host as a go-between – fast, moderate overhead;
  3. Network – VBR6 backup server/proxy accesses virtual machine disks from ESXi hosts in a manner similar to the way the vSphere Client grants access to virtual machine disks across the LAN – slower, with more overhead.

For block-based storage, option (1) appears to be the best way to go: it’s fast with very little overhead in the data channel. For those of us with grey hair, think VMware Consolidated Backup proxy server and you’re on the right track; for everyone else, think shared disk environment. And that, boys and girls, is where we come to the point of today’s lesson…

Enter Windows Server, Updates

For all of its warts, my favorite aspect of VMware Data Recovery is the fact that it is a virtual appliance based on a stripped-down Linux distribution. Those two aspects say “do not tamper” better than anything these days, so admins – especially Windows admins – tend to just install and use as directed. At the very least, the appliance factor offers an opportunity for “special case” handling of updates (read: very controlled and tightly scripted).

The other “advantage” to VMDR is that it uses a relatively safe method for accessing virtual machine disks: something more akin to VBR6’s “virtual appliance” mode of operation. By allowing the ESXi host(s) to “proxy” access to the datastore(s), a couple of things are accomplished:

  1. Access to VMDKs is protocol agnostic – direct attach, iSCSI, AoE, SAS, Fiber Channel and/or NFS all work the same;
  2. Unlike “Direct SAN Access” mode, no additional initiators need to be added to the target(s)’ ACL;
  3. If the host can access the VMDK, it stands a good chance of being backed-up fairly efficiently.

However, VBR6 installs onto a Windows Server and Windows Server has no knowledge of what VMFS looks like nor how to handle VMFS disks. This means Windows disk management needs to be “tweaked” to ignore VMFS targets by disabling “automount” in VBR6 servers and VCB proxies. For most, it also means keeping up with patch management and Windows Update (or appropriate derivative). For active backup servers with a (pre-approved, tested) critical update this might go something like:

  1. Schedule the update with change management;
  2. Stage the update to the server;
  3. Put server into maintenance mode (services and applications disabled);
  4. Apply patch, reboot;
  5. Mitigate patch issues;
  6. Test application interaction;
  7. Rinse, repeat;
  8. Release server back to production;
  9. Update change management.

See the problem? If Windows Server 2008 R2 SP1 is involved you just might have one right around step 5…

And the Wheels Came Off…

Service Pack 1 for Windows Server 2008 R2 requires a BCD update, so existing installations of VCB or VBR5/6 will fail to update. In an environment where there is no VCB or VBR5/6 testing platform, this could result in a resume writing event for the patching guy or the backup administrator if they follow Microsoft’s advice and “fix” SP1. Why?

Fixing the SP1 installation problem is quite simple:

Quick steps to do this in case you forgot are:

1.  Run DISKPART

2.  automount enable

3.  Restart

4.  Install SP1

Technet Blogs, Windows Servicing Guy, SP1 Fails with 0x800f0a12

Done, right? Possibly in more ways than one. By GLOBALLY enabling automount, rebooting Windows Server and installing SP1, you’ve opened up the potential for Windows to write a signature to the VMFS volumes holding your critical infrastructure. Fortunately, it doesn’t have to end that way.

Avoiding the Avoidable

Veeam’s been around long enough to have some great forum participants from across the administrative spectrum. Fortunately, a member posted a solution method that keeps us well away from VMFS corruption and still solves the SP1 issue in a targeted way: temporarily mounting the “hidden” system partition instead of enabling the global automount feature. Here’s my take on the process (GUI mode):

  1. Inside Server Manager, open Disk Management (or run diskmgmt.msc from an admin cmd prompt);
  2. Right-click on the partition labeled “System Reserved” and select “Change Drive Letter and Paths…”
  3. On the pop-up, click the “Add…” button and accept the default drive letter offered, click “OK”;
  4. Now “try again” the installation of Service Pack 1 and reboot;
  5. Once SP1 is installed, re-run Disk Management;
  6. Right-click on the “System Reserved” partition and select “Change Drive Letter and Paths…”
  7. Click the “Remove” button to unmap the drive letter;
  8. Click “Yes” at the “Are you sure…” prompt;
  9. Click “Yes” at the “Do you want to continue?” prompt;
  10. Reboot (for good measure).

This process assumes that there are no non-standard deployments of the Server 2008 R2 boot volume. Of course, if there is no separate system reserved partition, you wouldn’t encounter the SP1 failure to install issue…
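A scripted equivalent of the GUI procedure above, as an added example that is not from the original post or the Veeam forum thread: it refuses to run unless global automount is still disabled, then maps and later unmaps a drive letter on the “System Reserved” volume only. The function names and the S: letter are hypothetical, and the example assumes the default “System Reserved” label, the mount manager’s NoAutoMount registry value and the Win32_Volume WMI class available on Server 2008 R2.

```powershell
# Added example (not from the original post). Run elevated on the backup proxy.
# Assumptions: the hidden boot volume carries the default label "System Reserved"
# and the chosen drive letter is free. All function names are hypothetical.

$MountMgrKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr'

function Test-AutomountDisabled {
    # DISKPART "automount disable" is recorded as NoAutoMount = 1 under the
    # mount manager service key; a missing value or 0 means automount is on.
    $p = Get-ItemProperty -Path $MountMgrKey -Name NoAutoMount -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.NoAutoMount -eq 1)
}

function Get-SystemReservedVolume {
    # Select by label so that no VMFS LUN presented to this host can be picked.
    $vols = @(Get-WmiObject -Class Win32_Volume -Filter "Label='System Reserved'")
    if ($vols.Count -ne 1) {
        throw "Expected exactly one 'System Reserved' volume, found $($vols.Count)."
    }
    return $vols[0]
}

function Mount-SystemReserved([string]$Letter = 'S:') {
    # Precondition: global automount must still be off on a Direct SAN Access proxy.
    if (-not (Test-AutomountDisabled)) {
        throw 'Automount is enabled globally; disable it before working on this proxy.'
    }
    if (Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$Letter'") {
        throw "$Letter is already in use."
    }
    $vol = Get-SystemReservedVolume
    $vol.DriveLetter = $Letter      # same effect as "Add..." in Disk Management
    [void]$vol.Put()
}

function Dismount-SystemReserved {
    $vol = Get-SystemReservedVolume
    $vol.DriveLetter = $null        # same effect as "Remove" in Disk Management
    [void]$vol.Put()
}

# Sequence matching the steps above:
#   Mount-SystemReserved        # before retrying the SP1 installation
#   ... install SP1, reboot ...
#   Dismount-SystemReserved     # after SP1 is installed, then reboot
#   Test-AutomountDisabled      # confirm the global setting was never changed
```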

SOLORI’s Take: The takeaway here is “consider your environment” (and the people tasked with maintaining it) before deploying Direct SAN Access mode into a VMware cluster. While it may represent “optimal” backup performance, it is not without its potential pitfalls (as demonstrated herein). Native access to SAN LUNs must come with a heavy dose of respect, caution and understanding of the underlying architecture: otherwise, I recommend Virtual Appliance mode (similar to Data Recovery’s take.)

While no VMFS volumes were harmed in the making of this blog post, the thought of what could have happened in a production environment chilled me into writing this post. Direct access to the SAN layer unlocks tremendous power for modern backup: just be safe and don’t forget to heed Uncle Ben’s advice! If the idea of VMFS corruption scares you beyond your risk tolerance, appliance mode will deliver acceptable results with minimal risk or complexity.

Short-Take: vSphere Client for iPad, Preview

March 18, 2011

I highlighted the installation and use of VMware’s vCenter Mobile Access (vCMA) appliance in a post in late February. For the most part, vCMA has not changed much since our initial download back in April of 2009. If you downloaded the OVF early this February and looked at the updated instructions from the “fling” site, you may have noticed the following “curious” statements:

  • Once it powers on, you will need to configure your iPad by going into Settings, the vSphere client (usually bottom left corner of screen, in the Apps section), then you enter the IP address of your mobile appliance.
  • Finally, you can access your environment from the vSphere iPad app by entering your vCenter server info or ESX server info, with appropriate username and password.

vSphere Client for iPad

Having a heads-up from the vExpert team briefing by Srinivas Krishnamurti, Sr. Director for Mobile Solutions and Marketing at VMware, plus earlier press coverage from VMworld 2010 (see below), I knew what this “information leak” was hailing. Fortunately, the offending section (text above) was quickly redacted and VMware managed to avoid spoiling the surprise pending today’s [press release].

However, that was not the only source of “information leakage” prior to today’s announcement: you just had to know where to look. For instance, while looking deeper into the virtual appliance for our vCMA how-to, I found bread-crumbs pointing to more “curious” iPad wanderings. The following “Easter egg” was discovered in the “action-config.xml” file (which we held back under the spirit of the information embargo):

<!-- VCMA iPad Actions -->
 <action name="vcmaAbout" type="com.vmware.vcma.action.VcmaAboutAction"></action>
 <action name="vcmaLogin" type="com.vmware.vcma.action.VcmaLoginAction"></action>
 <action name="vcmaLogout" type="com.vmware.vcma.action.VcmaLogoutAction"></action>
 <action name="vcmaHome" type="com.vmware.vcma.action.VcmaHomeAction"></action>
 <action name="vcmaHostInfo" type="com.vmware.vcma.action.VcmaHostInfoAction"></action>
 <action name="vcmaHostOp" type="com.vmware.vcma.action.VcmaHostOperationAction"></action>
 <action name="vcmaVmInfo" type="com.vmware.vcma.action.VcmaVmInfoAction"></action>
 <action name="vcmaVmQuestion" type="com.vmware.vcma.action.VcmaVmQuestionAction"></action>
 <action name="vcmaVmAnswer" type="com.vmware.vcma.action.VcmaVmAnswerAction"></action>
 <action name="vcmaVmOp" type="com.vmware.vcma.action.VcmaVmOperationAction"></action>
 <action name="vcmaSnapshot" type="com.vmware.vcma.action.VcmaSnapshotAction"></action>
 <action name="vcmaPerf" type="com.vmware.vcma.action.VcmaPerfAction"></action>
 <action name="vcmaSearch" type="com.vmware.vcma.action.VcmaSearchAction"></action>
 <action name="vcmaPing" type="com.vmware.vcma.action.VcmaPingAction"></action>
 <action name="vcmaTracert" type="com.vmware.vcma.action.VcmaTraceRouteAction"></action>
 <action name="vcmaVmsList" type="com.vmware.vcma.action.VcmaVmListAction"></action>
 <action name="vcmaMonitorTask" type="com.vmware.vcma.action.VcmaMonitorTaskAction"></action>

This grouping of action/command definitions identifies 17 of 23 vCMA action classes. These classes meant four things to me: (1) the actions are tuned specifically for a non-HTML-only client; (2) the limitations of vCMA’s web interface do not bind the iPad client; (3) there is significant potential for “capabilities drift” between the iPad client and the “generic” mobile access client (i.e. HTML) as time goes by (read: richer feature set, user options); and (4) other “tablet” or “mobile” clients can’t be too far behind.

Since it is not feasible to have iPad software previews for vExperts (i.e. via iTunes) for pre-release products, this “pre-view” is based on exposure to product briefing and other pre-launch sources (direct and indirect). We’ll be following-up within the week with actual hands-on experience… That said, here’s what’s going on with VMware and iPad:

vSphere Client for iPad

Today, VMware CIO Steve Herrod announced the launch of version 1.0 of the vSphere Client for iPad (vCiP). The aptly named utility runs on Apple’s current generations of iPad and provides access to many of the basic administrative functions available to vCenter and the standard vSphere Client. This release must be seen as a quick, 1-2-3 punch of mobile and management-centric releases for VMware in the span of two weeks: vCenter Ops, View Client for iPad and now vSphere Client for iPad.

This iPad application is not truly a “native” or “fat” client for vSphere in the “conventional Windows sense.” Instead, VMware’s new app deploys as a web service reliant application (typical of its iPad ilk), and it is accordingly “small, light and elegant.” As you might guess from the [leading] introduction, the “heavy lifting” is actually performed by VMware’s vCenter Mobile Access (vCMA) appliance through the set of new classes (conveniently listed above).

VMware diagram showing (optional) placement of firewall, vCMA, vCenter and vSphere clusters. The use of a VPN connection to your firewall is strongly recommended as vCMA deploys with its web service without SSL enabled.

This illustration depicts the “best practice” recommended deployment for the iPad client by way of a trusted VPN connection. Again, this information was provided to us from Srinivas and his team “pre-launch” and hence was also prior to the recently released enhancements in vCMA (see below). In either case, the connection from iPad to vCenter is always translated through vCMA.

Like the standard Windows “fat” client (now conveniently available as a ThinApp’d zero-install package), the iPad client login requires the following credentials:

  1. The IP address or DNS host name for your vCenter;
  2. A valid user name with rights to access/manage the target vCenter;
  3. The password for the vSphere user.

Unlike the Windows variant, the following must be configured into the iPad’s “Settings” for the vSphere app prior to initial connection:

  1. The IP address or DNS host name for your vCMA appliance (displayed as “Web Server” in “Settings”).

vCMA’s web service is not SSL encrypted, and these credentials could be passed “in the clear” (see updated post: SSL was added to vCMA this Tuesday). Given that this client is targeted for mobile use, the risk of exposure to insecure networks (Internet, public WiFi, etc.) without SSL would have created “special” opportunities for man-in-the-middle attacks. The use of a mobile VPN connection for the iPad client remains strongly recommended, but is no longer strictly necessary.

Quick-Take: vCMA Updated, SSL now Default

March 17, 2011

vCMA Login Screen

In February, we detailed the installation and first use of the VMware vCenter Mobile Access appliance (version 1.0.41). In that write up, we pointed out that vCMA had some security issues and said the following:

Being HTTP-only, vCMA doesn’t lend itself to secure computing over the public Internet or untrusted intranet. Instead, it is designed to work with security layer(s) in front of it. While it IS possible to add HTTPS to the Apache/Tomcat server delivering its web application, vCMA is meant to be deployed as-is and updated as-is – it’s an appliance.

SOLORI’s blog, 28-Feb-2011

Seems VMware is listening. Yesterday, VMware announced the release and immediate availability of vCMA v1.0.42 with HTTPS/SSL enabled by default. We got this from the “vSphere MicroClient Functional Specification Guide:”

SSL Connections
By default “https” (or SSL certificate) is enabled in the appliance for the vCMA for enhanced security. You can replace the out-of-the-box certificate with your own, if needed. However, http->https redirection is currently not supported.

Other deployment considerations

  1. The vCMA server comes with a default userid/password. For security reasons, we strongly recommended that you change root password.
  2. If you prefer, you can set a hostname or IP address for the appliance.
  3. Using standard Linux utilities, you can change the date and time in the appliance.
  4. You can also upgrade the hardware version and VMware Tools in the vCMA appliance following standard procedures.

SOLORI’s Take: This welcome change circumvents any additional kludge work necessary to secure the appliance. Using an HTTPS proxy was cumbersome and kludgey in its own right, and “hacking” the appliance was tricky and doomed to be reversed by the next appliance update. VMware’s move opens the door for more widespread use of vCMA and (hopefully) more interesting applications of its use in the future.

Short-Take: Windows 7 for iPad, Free

March 9, 2011

Windows7 running on iPad

Remember that announcement about View 4.6 and the PCoIP Software Gateway (PSG) a week or so back? If the existence of PSG got your imagination drifting towards running Windows7 over PCoIP on your iPad or Android tablet, then some of you are going to be very excited and some of you will have to wait a little bit longer.

Today VMware is taking mobile desktop to a new level by announcing the general availability of the View Client for iPad V1.0 – Android tablet users will have to wait! This is an iPad-native, PCoIP-only client for View 4.6 environments (i.e. PCoIP w/PSG support) with gesture-enabled navigation and virtual mouse pad. If you liked accessing your View desktop in Wyse’s PocketCloud for iPhone & iPad (RDP mode only), you’re going to love the View Client for iPad because it unlocks the rich, PCoIP goodness that you’ve been missing.

Last week a group of vExperts were briefed on the iPad app by its development team leader Tedd Fox, who came to VMware in August, 2010 after nearly 8 years of work at Citrix (co-inventor/designer of Citrix Receiver for iPad & iPhone). To say Tedd knows iPad/mobile and remote app/desktop is an understatement, and VMware has committed to an aggressive “feature update” schedule for the iPad app on the order of every 1-2 months (typical of mobile application norms).

Needless to say, we had a few questions. Here are just a few of the responses from our Q/A and demonstration session:

vExpert: Will there be an iPhone link for touchpad control?

Tedd: No. Due to some patent-pending issues, we decided not to tread on that ground.

vExpert: Has it been enhanced for the iPad2?

Tedd: No. It’s [iOS] 4.3 “ready” but nobody’s got an iPad2 so no one knows if their application’s going to work. We’ve tested on dual-core architecture before, just not Apple’s dual-core architecture.

vExpert: Dual-core tested? So there’s an Android app coming?

Tedd: Android app is coming! We’re looking at mid-year for the Android. I just spent a few weeks in China getting that in alpha-alpha mode; so we actually have a UI and everything – we’re just building-up the bits… it’s going to be tablet only. It works on a 7″ right now, but we’re not sure if that’s a useful form.

vExpert: Is that because it’s too small [i.e. 7″ screen]?

Tedd: It’s because of the mouse pad and everything… it just doesn’t feel right – the resolution and everything.

vExpert: Not even with panning and side scrolling [small screen]?

Tedd: Not really. Panning a Windows desktop is “okay” for like 10 minutes, after which you develop something like Tourette syndrome with curse words and all. We actually ran tests on that to figure that out, but it could change [given the right demand/use case.]

vExpert: Will it support bi-directional audio?

Tedd: No, uh, uni-directional is definitely on the roadmap so doctors can dictate and stuff like that. Otherwise, we’re going to see how the protocol matches up for [more complex] audio applications.

vExpert: Can we get more information on the Android app?

Tedd: I don’t want to get into the Android client because everything is still “in flux” and we’re still designing it…

vExpert: Will [View Client for iPad] work with bluetooth mouse and keyboard?

Tedd: Yes… You have to go into the iPad settings and pair them… then when you do the three-finger tap on the screen – like to activate the on-screen keyboard – that’s how you activate the bluetooth keyboard [only, no mouse support per Apple policy], and the [on-screen] toolbar drops down to the bottom of the screen… It’s very nice to use.

vExpert: Will it support multitasking, multiple sessions and session swapping?

Tedd: No. We’re working with Teradici on full-multitasking for one of the feature revs this year.

vExpert: It seemed that logging-in and getting to your desktop seemed pretty quick. What would you say?

Tedd: This [demo] is on 3G – by the way – so it’s fairly quick. The only [downside] is if you’re using RSA tokens: you’ve got to read the token and put it in… If the broker policy allows users to save their passwords, then you’d only need the token code.

vExpert: Is there a way to transfer data to/from the iPad from the [View client desktop]?

Tedd: Working on that – that’ll be in the next rev or two. There’s a grey area there with the shared foldering system in iOS – some people are like “yeah, awesome” but if you talk to DoD they’re like “heck no” so we’re working on an elegant solution.

vExpert: What about dropbox or something like that?

Tedd: If we have an internal solution then yes. I don’t want to be [bound by a third party] on our app – I want to keep it as “pure VMware” as possible. If the market screams for it in enough number, then of course I’m going to listen… If it’s allowed in your desktop’s environment [dropbox will work.]

vExpert: How’s the performance of the View client while other programs are in the background on the iPad?

Tedd: You don’t even notice it. If you know me you know I’ve constantly got white earbuds on. One of my test cases was working on a desktop while running on Pandora in the background.

vExpert: Price is free?

Tedd: Yeah, as long as I’m with VMware it will always be free.

Over the course of the demonstration, we saw Tedd put the application through its paces. It’s fast – even on the original iPad. The gesture interface looks well thought-out, has been thoroughly tested – Tedd says “rock solid” – and repeated three-finger abuses [rapid toggling the keyboard] won’t crash the View iPad app. Can’t wait to get it into SOLORI’s lab…

Gesture Help for iPad View Client

View Client for iPad Keyboard (three-fingers to pop-up)

View for iPad soft mouse pad and cursor keys

Client support for tap-hold loupe: zoom near mouse pointer.

[Update: View 4.x -> View 4.6 (iPad Client designed for View 4.6 and PSG). Added community blog link, virtual keyboard and loupe screenshots. Remote add -> Remote app. Added link to Andre’s VDI calculator. Clarification on bluetooth mouse support. Related links section with PCoIP off-load.]

Short-Take: SQL Performance Notes

September 15, 2010

Here are some Microsoft SQL performance notes from discussions that inevitably crop-up when discussing SQL storage:

  1. Where do I find technical resources for the current version of MS SQL?
  2. I’m new to SQL I/O performance, how can I learn the basics?
  3. The basics talk about SQL 2000, but what about performance considerations due to changes in SQL 2005?
  4. How does using SQL Server 6.x versus SQL Server 7.0 change storage I/O performance assumptions?
  5. How does TEMPDB affect storage (and memory) requirements and architecture?
  6. How does controller and disk caching affect SQL performance and data integrity?
  7. How can I use NAS for storage of SQL database in a test/lab environment?
  8. What additional considerations are necessary to implement database mirroring in SQL Server?
  9. When do SQL dirty cache pages get flushed to disk?
  10. Where can I find Microsoft’s general reference sheet on SQL I/O requirements for more information?

From performance tuning to performance testing and diagnostics:

  1. I’ve heard that SQLIOStress has been replaced by SQLIOSim: where can I find out about SQLIOSim to evaluate my storage I/O system before application testing?
  2. How do I diagnose and detect “unreported” SQL I/O problems?
  3. How do I diagnose stuck/stalled I/O problems in SQL Server?
  4. What are Bufwait and Writelog Timeout messages in SQL Server indicating?
  5. Can I control SQL Server checkpoint behavior to avoid additional I/O during certain operations?
  6. Where can I get the SQLIO benchmark tool to assess the potential of my current configuration?

That should provide a good half-day’s reading for any storage/db admin…