Teach-The-Expert: vSAN Diskgroup Management on CLI

As part of my work as a trainer, I often come across questions on topics that are only covered in passing or not at all in the course. This series of articles provides trainee IT experts with tools for everyday use.

Intro – What are Diskgroups?

VMware vSAN OSA (original storage architecture) structures the vSAN datastore into disk groups (DG). Each vSAN node can contain up to 5 disk groups. Each disk group consists of exactly one cache device (SSD) and between one and 7 capacity devices. The capacity devices may be either magnetic disks or SSDs, but not a combination of the two. We differentiate between cache tier and capacity tier.

Disk groups can be managed using the graphical user interface (GUI). However, there are situations where disk group management on the command line interface (CLI) is necessary or more appropriate.

UUID

Each disk device of a vSAN cluster (OSA) has a universally unique identifier (UUID).

We can list all devices of a vSAN node on the CLI with this command:

esxcli vsan storage list

The full output contains more information than we need here. To display only the lines containing a UUID, we filter it with grep:

esxcli vsan storage list | grep UUID

We receive a list of all disk devices in the vSAN node. We also receive the UUID of the disk group to which the device is assigned.

If you take a closer look at the output, you will notice that there are some devices whose UUID is identical to the UUID of the disk group. Does this contradict the statement that the UUID is unique? No. These are cache devices. Each disk group in vSAN OSA consists of exactly one cache device. The disk group adopts the UUID of its cache device. In this way, we can quickly distinguish a cache device from a capacity device.
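The comparison described above, as an added example that is not code from the original article: the script labels each device as cache or capacity by comparing its UUID with its disk group UUID, then checks every disk group against the rule of one cache device and one to seven capacity devices. The sample input is constructed, and the field labels `Device`, `VSAN UUID` and `VSAN Disk Group UUID` are assumed to match what the host prints.

```shell
# Constructed sample; device names, UUIDs and the three field labels are assumptions.
sample_output() {
cat <<'EOF'
naa.5000000000000001
   Device: naa.5000000000000001
   VSAN UUID: 52aaaaaa-0000-0000-0000-000000000001
   VSAN Disk Group UUID: 52aaaaaa-0000-0000-0000-000000000001
naa.5000000000000002
   Device: naa.5000000000000002
   VSAN UUID: 52aaaaaa-0000-0000-0000-000000000002
   VSAN Disk Group UUID: 52aaaaaa-0000-0000-0000-000000000001
naa.5000000000000003
   Device: naa.5000000000000003
   VSAN UUID: 52bbbbbb-0000-0000-0000-000000000003
   VSAN Disk Group UUID: 52bbbbbb-0000-0000-0000-000000000003
naa.5000000000000004
   Device: naa.5000000000000004
   VSAN UUID: 52bbbbbb-0000-0000-0000-000000000004
   VSAN Disk Group UUID: 52bbbbbb-0000-0000-0000-000000000003
EOF
}

# Prints "<disk group UUID> <cache|capacity> <device>"; own UUID == group UUID means cache.
classify_vsan_devices() {
    awk '
        function emit() {
            if (dev != "" && uuid != "" && dg != "") print dg, (uuid == dg ? "cache" : "capacity"), dev
            dev = ""; uuid = ""; dg = ""
        }
        /^ *Device:/               { emit(); dev = $2 }
        /^ *VSAN UUID:/            { uuid = $3 }
        /^ *VSAN Disk Group UUID:/ { dg = $5 }
        END                        { emit() }
    ' | sort
}

# Prints "<disk group UUID> <cache count> <capacity count> <ok|invalid>" per disk group.
check_disk_groups() {
    classify_vsan_devices | awk '
        { n[$1 " " $2]++; seen[$1] = 1 }
        END {
            for (g in seen) {
                c = n[g " cache"] + 0; k = n[g " capacity"] + 0
                print g, c, k, ((c == 1 && k >= 1 && k <= 7) ? "ok" : "invalid")
            }
        }' | sort
}

sample_output | check_disk_groups   # on a host: esxcli vsan storage list | check_disk_groups
```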


A deeper look into vSphere roles and privileges

Originally, this article was supposed to be called “The role paradox”. On further reflection, I came to the conclusion that this is not a paradox in the true sense of the word. The vCenter is just doing its job.

Authorizations under vSphere are basically simple (as long as we do not want to use restricted authorizations). If we are a member of the administrator group and have unrestricted access to all objects in the data center, privileges and roles are quickly explained.

Definition of terms

A privilege is the smallest unit. It allows the execution of a very specific action.

A role is a collection of privileges. The administrator role contains all available privileges. The no-access role, on the other hand, does not contain any privileges. “No access” is not to be understood here as an explicit denial, but as a lack of privileges. What may initially seem like a semantic quibble is an important difference from other authorization concepts such as Active Directory.

Missing privilege != denial

A permission is always made up of three components: A vSphere object, a role and a user or user group. A user (or a group) can have different roles on different objects. Permissions on objects can be propagated to child objects.

The challenge

Things get interesting when I assign rights globally, but then want to restrict them to certain objects.

Example: The administrators group should have access to all objects, with the exception of some VMs in a defined VM folder. Sounds simple – but it’s not.

I became aware of the problem described here through my colleague Alexei Prozorov, who came across this phenomenon in a customer project. The topic was so interesting that I had to recreate it in the laboratory.


Cluster Retreat Mode gone wrong – vSphere Client lockout

With the release of vSphere 7.0 Update 1, vSphere Cluster Services VMs (vCLS) appeared in vSphere clusters for the first time. This made cluster functions such as Distributed Resource Scheduler (DRS) and others independent of the availability of the vCenter Server Appliance (VCSA) for the first time. The latter still represents a single point of failure in the cluster. By outsourcing the DRS function to the redundant vCLS machines, a higher degree of resilience has been achieved.

Retreat Mode

The vSphere administrator has little influence on the provisioning of these VMs. Occasionally, however, it is necessary to remove these VMs from a datastore if it is to be put into maintenance mode, for example. There is a procedure for setting the cluster to retreat mode. This involves setting temporary advanced settings that lead to the deletion of the vCLS VMs by the cluster.

According to the VMware procedure, the Domain ID must be determined to activate Retreat Mode. The domain ID is the numerical value between ‘domain-c’ and the following colon. In the example from my lab, it has the value 8, but the number can also have four digits or more.

The domain ID has to be transferred to the Advanced Settings of the vCenter.

config.vcls.clusters.domain-c8.enabled = false
Correct Retreat Mode settings.
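One way to derive the setting name from the cluster's managed-object reference and to check a typed setting against it, as an added example that is not part of the original article or of the VMware procedure. The function names and the sample URN are hypothetical and constructed for illustration.

```shell
# Constructed sample: a string containing the cluster reference "domain-c<ID>:".
SAMPLE_URN='urn:vmomi:ClusterComputeResource:domain-c1008:00000000-0000-0000-0000-000000000000'

# Print the Advanced Settings key for the cluster referenced in $1.
# The ID is every digit between "domain-c" and the following colon.
retreat_mode_key() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*domain-c\([0-9][0-9]*\):.*/\1/p')
    [ -n "$id" ] || { echo "no domain-c<ID>: found in input" >&2; return 1; }
    printf 'config.vcls.clusters.domain-c%s.enabled\n' "$id"
}

# Check a "key = value" line ($1) against the cluster reference ($2)
# before it is entered in the vCenter Advanced Settings.
check_retreat_setting() {
    want=$(retreat_mode_key "$2") || return 1
    case "$1" in
        "$want = false"|"$want = true") return 0 ;;
        *) echo "expected: $want = false" >&2; return 1 ;;
    esac
}

retreat_mode_key "$SAMPLE_URN"
```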

Admin error occurred during activation of retreat mode.

After activating retreat mode on a vSAN cluster, administrators had lost all privileges to all objects in the vSphere Client.

A review of the services showed that the vCenter Server Daemon (vpxd) was not running.


VMware Explore EMEA 2023 – Know before you go

In a few days, VMware Explore 2023 EMEA will open its doors in Barcelona at the Fira Gran Via. For all those attending for the first time, this should be a small guide to help you find your way around. I had already published a small survival guide for this in 2018, which is still largely accurate, even though the event is now being held for the second time under the name VMware Explore instead of the original name VMworld.

From the Airport to the City

There are regular shuttle buses from the airport to the city center. The Aerobus lines T1 and T2 start at Terminal 1 and 2 and both go via Placa Espana to the Placa Catalunya station near the old town. The prices have increased slightly, but the bus is still a cheap and fast way to get to the city center. A return ticket costs €11.65 per person.

If you stay near the Fira, you can also take the L9 metro from the airport to Fira.

Getting to the Fira

The public transport network in Barcelona is well organized. No matter where you live, the nearest metro station is usually no more than 2 blocks away. Trains run very frequently. The destination station is either Europa/Fira, with a 10-minute walk to VMware Explore, or you can change trains again to Fira station, from where it’s just a 5-minute walk.

The public transport company TMB offers a 10-trip ticket. 10 journeys throughout the city for just under €12.

Pro tip: Ask for a Metro Ticket when registering for VMware Explore. The above-mentioned 10-ticket was only issued to participants on request.

Activities beyond VMware Explore

VMware Explore will challenge you physically. Lots of talks, technical deep dives, interesting sessions and, above all, long distances. During the course of the day, you will walk many steps to get from the trade fair (Expo) to the presentations or to lunch. If you still have energy left, you can plunge into the nightlife. There are numerous parties and vBeers all over the city. My friend and vExpert colleague Fred Hofer (vBrain.info) has collected the most important events in his blog post “VMware Explore 2023 Barcelona – Parties and Gatherings”.

Particularly noteworthy is the traditional vBreakfast on Tuesday mornings between 7:00 and 8:30 before the General Session. This is where the part of the community that makes it out of bed so early meets. Even though the event is generously sponsored by Runecast, it has nothing in common with a promotional event. This is a meeting place for bloggers, VMUG leaders or simply people interested in the community. Even if you don’t know anyone yet – you’ll know a lot of interesting people afterwards. Guaranteed!

Community

Aside from the technical content of the presentations, it is of course all about making contacts, networking and maintaining friendships. I didn’t know anyone when I attended VMworld for the first time. To my surprise, I was quickly welcomed by well-connected members. I still count many of these first acquaintances among my circle of friends today and look forward to meeting them again every year.

Dresscode

Rule number 1: leave the office clothes in the wardrobe. Put on comfortable shoes that you can easily walk around in all day.

Nobody expects a jacket and shirt here. On the other hand, T-shirts from a past VMware or VMUG event are always good conversation starters.

Registration

When you register for VMware Explore, you will receive your exhibition badge, which gives you access to the exhibition site and the sponsored evening events.

Registration is open on all days of the fair. If you arrive early, you can pick up your badge on Sunday from 3 pm.