My talk at VMware Explore 2024

I will be giving a presentation on the migration of a vSAN cluster at this year’s VMware Explore in Barcelona. This is not just about the technical implementation, but rather about the decision-making process. If plan A doesn’t work, you should have a plan B ready. Or – as in my practical example – a plan C and ultimately a plan D.

The easy way is not always the best and even a less attractive alternative can ultimately lead to success.

CODE1405BCN

The presentation is listed in the VMware Explore Content Catalog under the number 1405 .

Monday, November 4 – 15:00 CET.

I am delighted.

vSAN Cluster Live-Migration to new vCenter instanceIf you can’t make it to Barcelona but are still interested in the topic (spoiler alert!), you can find the full story here on my blog.

17. February 202429. December 2024

A deeper look into vSphere roles and privileges

Originally, this article was supposed to be called “The role paradox”. On further reflection, I came to the conclusion that this is not a paradox in the true sense of the word. The vCenter is just doing its job.

Authorizations under vSphere are basically simple (as long as we do not want to use restricted authorizations). If we are a member of the administrator group and have unrestricted access to all objects in the data center, privileges and roles are quickly explained.

Definition of terms

A privilege is the smallest unit. It allows the execution of a very specific action.

A role is a collection of privileges. The administrator role contains all available privileges. The no-access role, on the other hand, does not contain any privileges. “No access” is not to be understood here as an explicit denial, but as a lack of privileges. What may initially seem like a semantic quibble is an important difference to other authorization concepts such as Active Directory.

Missing privillege != denial

A permission is always made up of three components: A vSphere object, a role and a user or user group. A user (or a group) can have different roles on different objects. Permissions on objects can be propagated to child objects.

The challenge

Things get interesting when I assign rights globally, but then want to restrict them to certain objects.

Example: The administrators group should have access to all objects, with the exception of some VMs in a defined VM folder. Sounds simple – but it’s not.

I became aware of the problem described here through my colleague Alexei Prozorov, who came across this phenomenon in a customer project. The topic was so interesting that I had to recreate it in the laboratory.

17. January 202415. March 2024

Cluster Retreat Mode gone wrong – vSphere Client lockout

With the release of vSphere 7.0 Update 1, vSphere Cluster Services VMs (vCLS) appeared in vSphere clusters for the first time. This made cluster functions such as Distributed Resource Scheduler (DRS) and others independent of the availability of the vCenter Server Appliance (VCSA) for the first time. The latter still represents a single point of failure in the cluster. By outsourcing the DRS function to the redundant vCLS machines, a higher degree of resilience has been achieved.

Retreat Mode

The vSphere administrator has little influence on the provisioning of these VMs. Occasionally, however, it is necessary to remove these VMs from a datastore if it is to be put into maintenance mode, for example. There is a procedure for setting the cluster to retreat mode. This involves setting temporary advanced settings that lead to the deletion of the vCLS VMs by the cluster.

According to the VMware procedure, the Domain ID must be determined to activate Retreat Mode. The domain ID is the numerical value between ‘domain-c’ and the following colon. In the example from my lab, it has the value 8, but the number can also have four digits or more.

The domain ID has to be transferred to the Advanced Settings of the vCenter.

config.vcls.clusters.domain-c8.enabled = false

Admin error occured during activation of retreat mode.

After activating retreat mode on a vSAN cluster, administrators had lost all privileges to all objects in the vSphere Client.

A review of the services showed that the vCenter Server Daemon (vpxd) was not running.

28. June 202227. June 2022

Project Arctic – Delivering Benefits of the Cloud to On-Prem Workloads

In the last few years we’ve seen a clear trend to adopt cloud strategies on customer side. Some already pusue a multi cloud strategy to get the most benefit from different offerings. But we may not forget, that infrastructure on-premises – the so called private cloud – is still the most common kind of virtual infrastructure. This is no surprise because on-premises infrastructure has without doubt some advantages. It’s not alone aspects of data privacy, data security and data sovereignty. There are also performance aspects such as low latency that keep customers from migration special workloads to the (public) cloud.

On the other hand there are some advantages of cloud offerings too. Such as flexible consumption, minimal maintenance, built in resilience, developer agility and the possibility to manage from anywhere.

To bridge the gap between on-premises needs and cloud based offerings, VMware has announced Project Arctic during VMworld 2021. Delivering benefits of the cloud to on-premises workloads.

Category: vCenter [en]