Saturday, March 18, 2017

VMware vSphere 6.5 products enhancements and basic concepts behind

VMware Tech Marketing have produced a bunch of cool vSphere 6.5 related whiteboard videos. Great stuff to review to understand VMware products enhancements and basic concepts behind.

It is definitely worth to watch it but please, keep in mind that the devil is in details so be prepared for further planning, designing and testing before you implement it in to the production.

Friday, March 10, 2017

High level introduction to VMware products

My blog posts usually go to low level technical details and are targeted to VMware subject matter experts. However, sometime is good to step back and watch things from high level perspective. It can be especially helpful when you need to explain VMware products to somebody who is not an expert in VMware technologies.

vSphere Overview Video

What is vCenter (Watch the first two minutes)

HTML5 Web Client (This is how vSphere is managed now - no more client. Minute 3 shows you how to create a virtual machine)

vR Ops Overview

Troubleshooting VM Performance in vR Ops

How to Build Blueprints in vRA - Single Machine, Application, and with AWS

NSX - Network Concepts Overview (Watch up until minute 4)

NSX - Microsegmentation (Watch 2:50 to 4:40)

vSAN Overview

Hope you find it useful! Either way, sharing is welcome!

Sunday, March 05, 2017

ESXi localcli

I have just read very informative blog post "Adding new vNICs in UCS changes vmnic order in ESXi". The author (Michael Rudloff) is using localcli with undocumented functions to achieve correct NIC order. So what is this localcli? All vSphere admins probably know esxcli command for ESXi configuration. esxcli manages many aspects of an ESXi host. You can run ESXCLI commands remotely or in the ESXi Shell.

You can use esxcli in following three ways
  • vCLI package.Install the vCLI package on the server of your choice, or deploy a vMA virtual machine and target the ESXi system that you want manipulate. You can run ESXCLI commands against a vCenter Server system and target the host indirectly. Running against vCenter Server systems by using the -vihost parameter is required if the host is in lockdown mode.
  • ESXi shell. Run ESXCLI commands in the local ESXi shell to manage that host.
  • You can also run ESXCLI commands from the vSphere PowerCLI prompt by using the Get-EsxCli cmdlet.
So esxcli is well known but what about localcli. Based on VMware documentation, it is a set of commands for use with VMware Technical Support. localcli commands are equivalent to ESXCLI commands, but bypass hostd. The localcli commands are only for situations when hostd is unavailable and cannot be restarted. After you run a localcli command, you must restart hostd. Run ESXCLI commands after the restart.

Warning: If you use a localcli command in other situations, an inconsistent system state and potential failure can result.
So it is obvious that usage of LOCALCLI is unsupported and should be used only when instructed by VMware Support.
However, the command is very interesting because when you use special internal plugin directory some undocumented namespaces will appear. You can browse these namespaces and discover some cool functionality. Just login to your ESXi and use command localcli --plugin-dir /usr/lib/vmware/esxcli/int/

 [root@esx11:~] localcli --plugin-dir /usr/lib/vmware/esxcli/int/   
 Usage: localcli [disp options]    
 For esxcli help please run localcli --help  
 Available Namespaces:   
 boot       operations for system bootstrapping                                          
 debug       Options related to VMkernel debugging. These commands should be used at the direction of VMware Support Engineers.   
 device      Device manager commands                                                
 deviceInternal  Device layer internal commands                                             
 elxnet      elxnet esxcli functionality                                              
 esxcli      Commands that operate on the esxcli system itself allowing users to get additional information.            
 fcoe       VMware FCOE commands.                                                 
 graphics     VMware graphics commands.                                               
 hardware     VMKernel hardware properties and commands for configuring hardware.                          
 hardwareinternal VMKernel hardware properties and commands for configuring hardware, which are not exposed to end users.        
 iscsi       VMware iSCSI commands.                                                 
 network      Operations that pertain to the maintenance of networking on an ESX host. This includes a wide variety of commands   
          to manipulate virtual networking components (vswitch, portgroup, etc) as well as local host IP, DNS and general   
          host networking settings.  
 networkinternal  Operations used by partner software, but are not exposed to the end user. These operations must be kept compatible   
          across releases.  
 rdma       Operations that pertain to remote direct memory access (RDMA) protocol stack on an ESX host.              
 rdmainternal   Operations that pertain to the remote direct memory access (RDMA) protocol stack on an ESX host, but are not   
          exposed to the end user. These operations must be kept compatible across releases.  
 sched       VMKernel system properties and commands for configuring scheduling related functionality.               
 software     Manage the ESXi software image and packages                                      
 storage      VMware storage commands.                                                
 system      VMKernel system properties and commands for configuring properties of the kernel core system and related system   
 systemInternal  Internal VMKernel system properties andcommands for configuring properties of the kernel core system.         
 user       VMKernel properties and commands for configuring user level functionality.                       
 vm        A small number of operations that allow a user to Control Virtual Machine operations.                 
 vsan       VMware Virtual SAN commands                                              
 Available Commands:   

Let me tell you again that this command is unsupported, therefore do not use it in production. On the other hand, it is very cool to test it in our labs ...

Tuesday, February 28, 2017

Maximum client sessions vCenter server can accept

I work as VMware TAM (Technical Account Manager) and one my customer had recently significant incident when clients (vSphere admins) was not able connect to vCenter server. It did not work nighter from old C# client nor new Web Client. It was interesting that sometimes some admins were able to connect and stay connected but others where not able to connect.

The error message was very general saying ...
Call "ServiceInstance.RetrieveContent" for object "ServiceInstance" on Server "" failed.
C# Client returned another further explanation ...
The server '' could not interpret the client's request. (The remote server returned an error: (503) Server Unavailable.) 
See error messages in screenshot below ...

C# Client error messages
As you can see, both error messages are very general and further holistic troubleshooting was necessary. After multiple theories, one customer's vSphere/Windows administrator did a Windows OS analysis with Windows perfmon tool and realized that during the incident there were more then 1400 open threads with client connections to vCenter server. This turned in to the hypothesis that we have reached the maximum of client sessions vCenter can accept.

The hypothesis is always very important but even more important is the proof that hypothesis is valid and it is the root cause of particular issue.

Unfortunately, the maximum of total client sessions to vCenter server is not documented. The only numbers documented in "Configuration Maximums - vSphere 5.5" are ..
Concurrent vSphere Client connections to vCenter Server = 100Concurrent vSphere Web Clients connections to vCenter Server = 180
However, my customer is using automation extensively, therefore PowerCLI can have additional connections. The only way how to know the maximum is to test it.

My customer is still on vCenter 5.5 but I have prepared and executed the test in my home lab where I have vCenter 6.0 U2. I prepared PowerCLI script to create 2000 new client sessions and keep sessions open. The purpose of script is to find the maximum of established sessions vCenter can accept and see what will be the error message when maximum will be achieved.

The PowerCLI script is available on GitHub here
and it is based on excellent blog post and scripts "List and Disconnect vCenter Sessions" prepared by Alan Renouf.

I run the script in my lab and waited when it fails to find the maximum. You can see the expected failure on screenshot below ...

Expected connection failure to find what is the maximum
And the result is ...
vCenter Server 6.0 U2 accepts maximally 1995 established client sessions
When the above maximum is exceeded you are not able to connect to vCenter server any more and you will see the error messages mentioned at the beginning of this article.

Business impact and visibility

It is good to mention that this technical issue was observed during Disaster Recovery fail-over test and it silently disappeared after fail back of all services. That's the reason why this incident had very high internal business visibility and the issue was escalated to top IT management which required very quick Root Cause Analysis and proper problem management.

That's just another proof how vCenter and vSphere platform is critical in modern IT environments.

It seems, that my customer is using some automation script which establish connection to vCenter server, but because of some circumstances which happening only when services are running on disaster recovery backup site, the script does not disconnect sessions and the vCenter server maximum is exceeded and it does not accept any new connections. In such situation, vSphere platform is unmanageable.

This is good to know, especially in the age of automation, where single badly written automation script, can crash vSphere manageability.

As VMware TAM, I can communicate and justify my customer's product feature requests internally inside VMware organization.  That's another benefit of VMware TAM Program.

So here is publicly written vCenter Product Feature Request which I will open with our Product Management.

Feature Request: Maximum of supported client sessions should be documented in "vSphere Configuration Maximums" document. When the maximum is exceeded, vCenter server should accept at least one more connection for vSphere Administrator (for example administrator@vsphere.local) which should be used as last resort or back door if you wish. Such special "back door" connection should be terminated and re-established by the most recent connection of vSphere Admin to allow manageability in such situation.

Sunday, February 26, 2017

How to install VMware tools on FreeBSD server

FreeBSD is my favorite operating system. All my FreeBSD servers (except embedded systems on physical micro computers) are running as virtual machines. FreeBSD is officially supported GuestOS by VMware so nothing stops to virtualize FreeBSD even for productional use.

VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. Although the guest operating system can run without VMware Tools, you would lose important functionality and convenience. In other words, VMware tools are not necessary but highly recommended to use on virtual machines running on top of VMware ESXi hosts.

There are multiple options how to install VMware tools on FreeBSD but I personally use Open VM Tools native FreeBSD package as using Open VM Tools is actually the latest VMware's recommendation for unix like systems which is the case of FreeBSD. The reason why I use Open VM Tools instead of VMtools delivered by VMware on ESXi hosts or VMware download site is that I can use default FreeBSD package management system (pkg) for simple deployment. It is fast, convenient and fully integrated with standard operating system update and upgrade procedures.

As you can see below, the installation on FreeBSD 10.x and above is very straight forward. Essentially, the single command and 5 lines in FreeBSD system config file.

# You have to switch to administrator account (root)
su -l root

# and install Open VM Tools by FreeBSD package manager
pkg install open-vm-tools-nox11

To run the Open Virtual Machine tools at startup, you must add the following settings to your /etc/rc.conf


Easy, right?

And just for your information, Open VM tools is set of four kernel modules (vmemctl, vmxnet, vmblock, vmhgfs) and one daemon (guestd).

vmemctl is driver for memory ballooning
vmxnet is paravirtualized network driver
vmhgfs is the driver that allows the shared files feature of VMware Workstation and other products that use it. This is not optimal to use on server therefore we do not enable it.
vmblock is block filesystem driver to provide drag-and-drop functionality from the remote console.
VMware Guest Daemon (guestd) is the daemon for controlling communication between the guest and the host including time synchronization.

On Windows and Supported Linux Distributions exists other VMtools modules/drives but those are not supported on FreeBSD. For further information about all VMtools components look at

Tuesday, January 24, 2017

VMware vSphere 6.0 PSC and SSO Domain useful resources

I do not have real numbers but it seems obvious and logical that SMB and midrange customers are adopting the latest VMware software much quicker then large enterprise customers. To be more precise, they are probably already running vSphere 6.0 and planing to upgrade to 6.5 now or soon. Some of them just waiting for 6.5 U1 which is expected soon.

On the other hand, the largest VMware customers are logically more conservative and starting migrations from vSphere 5.5 to 6.0 just now, in time of writing this article (beginning of 2017). These large customers have significantly larger scale therefore their PSC/SSO topology is much more complex.

During last few weeks I have discussed some vSphere 6 PSC/vCenter topology design decision points with these customers and I have decided to write down blog post about few useful, publicly available, resources / documents for such discussions.

First and foremost,  FAQ below is the most comprehensive VMware KB article about this topic.

FAQ: VMware Platform Services Controller in vSphere 6.0 (2113115)

The most surprised information, even for long time VMware customers, are following two Q&A's from FAQ above.

Q: Can I merge two vSphere Domains together?
A: No, there is no way to merge two vSphere domains together.

Q: Can I get Enhanced Linked Mode (ELM) between two, separate vSphere domains?
A: No, Enhanced Linked Mode requires that all PSCs be in the same domain and replicating. Since two separate vSphere Domains do not have a means of replicating, the new APIs that provide ELM cannot display the contents of both domains.

What does it mean?
Well, if you have multiple independent vSphere 5.5 SSO domains and you want to merge them, you have to do it in vSphere 5.5 before upgrade to 6.0 because you will not be able to do so in vSphere 6 and later.
Note: I do not know how it will change in longer term but it is the true even for vSphere 6.5 which is the latest version in time of writing this blog post.

Q: One of my customers asked me if the same vSphere SSO name (vsphere.local) in their two separate datacenters means that it is the same vSphere domain.
A: No. If you do not have replication between domains, there are not the same domain even they have the same name.

Another good question, you have to ask yourselves is, if you should or should not merge your vSphere domains. The typical reason for single vSphere domain is requirement for Enhanced Linked Mode (ELM). What Enhanced Linked Mode will give you? Below are several benefits of ELM:
  • You can log in to all linked vCenter Server systems simultaneously with a single user name and password.
  • With Enhanced Linked Mode, you can view and search across all linked vCenter Server systems. This mode replicates roles, permissions, licenses, and other key data across systems.
  • You can view and search the inventories of all linked vCenter Server systems within the vSphere Web Client.
  • Roles, permission, licenses, tags, and policies are replicated across linked vCenter Server systems.
  • You can use WebClient GUI to do cross vCenter vMotion
However, any technology has some limits. In case of vSphere, we should always look at vSphere Configuration Maximums. The relevant information from configuration maximums are

  • Maximum PSCs per vSphere Domain - 8
  • Maximum PSCs per site, behind a load balancer - 4
  • Maximum number of VMware Solutions connected to a single PSC - 4
  • Maximum number of VMware Solutions in a vSphere Domain - 10
What are VMware Solutions?
A VMware Solution is defined as a product that creates a Machine Account and one or more Solution User (a collection of vSphere services) within the VMware Directory Service when the product is joined to the PSC, thus the vSphere Domain. The Machine Account and Solution User(s) are used to broker and secure communication between other Solutions available within the vSphere environment. In order to count against these maximums, the Machine Account and Solution Users must be fully integrated with all of the PSC's available feature sets (Identity Management and Authentication Brokering, Certificate Management, Licensing, etc.) such that the product makes full use of the PSC. At this time, only vCenter Server is defined as a fully integrated solution and counts against these maximums. Partially integrated solutions, such as vCenter Site Recovery Manager, vCloud Director vRealize Orchestrator, vRealize Automation Center, and vRealize Operations, do not count against these defined maximums.
So in other words, vCenters are currently the only solutions which counts into maximum of 10 VMware solutions. 

Now, when you know if you really need and want to merge vSphere domains it must be done in vSphere 5.5 because in vSphere 6 it is not possible.

I was asked by one of my customers, where is written that vSphere domain merging is supported and how it can be done.

Bellow are two blog post written by blogger Thom Greene ...

Merging SSO Domains in vCenter 5.5 part 1: Why?

Merging SSO Domains in vCenter Server 5.5 pt 2: How?

and very detailed blog post of Andreas Peetz referred by Thom in his posts.

Re-pointing vCenter Server 5.5: A Survival Guide to KB2033620

... but resources above are not VMware official documents so where are VMware official documents? Andreas' blog posts are referring to following VMware KB's

Migrating two VMware vCenter Single Sign-On embedded VMware vCenter Servers in the same VMware vCenter Single Sign-On domain (2130433)

How to repoint and re-register vCenter Server 5.1 / 5.5 and components (2033620)

VMware vCenter Server 5.1/5.5 fails to start after re-registering with vCenter Single Sign-On (2048753)

Old but still informative blog post ... vSphere Datacenter Design – vCenter Architecture Changes in vSphere 6.0 – Part 1

Additional VMware resources:

Platform Services Controller Topology Decision Tree

vCenter Server Topology Considerations

Reconfigure a Standalone vCenter Server with an Embedded Platform Services Controller to a vCenter Server with an External Platform Services Controllerlink

How to repoint vCenter Server 6.x between External PSC within a site (2113917)

Using the cmsso command to unregister vCenter Server from Single Sign-On (2106736)

and just another related blog post from William Lam
How to split vCenter Servers configured in an Enhanced Linked Mode (ELM)?

Useful VMware KB article before upgrade to vSphere 6.5

I have just found following very useful VMware KB articles and blog posts which should be read before any vSphere 6.5 upgrade and design refresh.

Update sequence for vSphere 6.5 and its compatible VMware products (2147289) 

Important information before upgrading to vSphere 6.5 (2147548)

Best practices for upgrading to vCenter Server 6.5 (2147686)

Platform Services Controller Topology Decision Tree

Reconfigure a Standalone vCenter Server with an Embedded Platform Services Controller to a vCenter Server with an External Platform Services Controller

How to repoint vCenter Server 6.x between External PSC within a site (2113917)

Wednesday, January 11, 2017

Using esxtop to identify storage performance issues for ESX / ESXi

ESXi performance are exposing to administrators through vSphere Clients. You can see real-time performance statistics which are collected in 5 minute intervals where each interval consists of fifteen 20 seconds samples. It is obvious that 20 second sample is pretty large for storage performance where we are working in mili or even micro second scale.
20 seconds contains 20,000 milliseconds
Let's be clear here, we will never have full visibility but smaller monitoring sample will give as better clue what is really happening inside the system. It is similar to microscope device.

The smallest monitoring samples can be achieved by ESXi utility ESXTOP. The default esxtop delay between monitoring points (sample) is 5 seconds. However, it can be lowered up to 2 seconds by parameter -d 2

For real analytics the esxtop data must be exprted to external file. In esxtop terminology it is batch mode and it is achieved by parameter -b 

Another important factor is what statistics (metrics) we are going to collect. The best is to collect all statistics because during performance analytics you have to correlate multiple values against each other. It is achieved by parameter -a

And last parameter is -n which defines how many iterations you want to perform in batch mode. So in example below we will have 30 iterations with delay between each other 2 seconds. So we will do total monitoring for 60 seconds.

esxtop -b -a -d 2 -n 30 > esxtop-data.csv

For all esxtop parameters see screenshot below.

 [root@esx11:~] esxtop -h  
 usage: esxtop [-h] [-v] [-b] [-l] [-s] [-a] [-c config file] [-R vm-support-dir-path]   
         [-d delay] [-n iterations]  
        [-export-entity entity-file] [-import-entity entity-file]   
        -h prints this help menu.  
        -v prints version.  
        -b enables batch mode.  
        -l locks the esxtop objects to those available in the first snapshot.  
        -s enables secure mode.  
        -a show all statistics.  
        -c sets the esxtop configuration file, which by default is .esxtop60rc  
        -R enables replay mode.  
        -d sets the delay between updates in seconds.  
        -n runs esxtop for only n iterations. Use "-n infinity" to run esxtop forever.  
        -----Experimental Features-------------  
        -export-entity writes the entity ids into a file, which can be modified  
         to select interesting entities.  
        -import-entity reads the file of selected entities. If this opion   
         is used, esxtop only shows the data for the selected entities.  

It is important to know, that esxtop will give you significantly more statistics you can see in vSphere Client level. That's another important benefit of esxtop. But each benefit has also some drawbacks or impact. The impact is, that single esxtop output line can have several thousands statistic counters. For example ESXi 6.0 host with just 2 running VMs in my home lab has 27,314 counters. My customer's product ESXi host has over 330,000 counters! So the output file can be pretty large in case you run it for 24 hours. Count on it.

In the file are very interesting counters. Following counters for physical disk devices are the most interesting
### Reponse times
Average Guest MilliSec/Command
Average Kernel MilliSec/Command
Average Queue MilliSec/Command
Average Queue MilliSec/Read
Average Driver MilliSec/Command
Average Driver MilliSec/Write
### Queue
Adapter Q Depth
### IOPS
### MB/s
MBytes Read/sec
MBytes Written/sec"
### Split commands
Split Commands/sec
### SCSI Reservations
Failed Reserves/sec
### Failures
Failed Commands/sec
Failed Reads/sec
Failed Writes/sec
Failed Bytes Read/sec
Failed Bytes Written/sec
Some of above counters are not available in vSphere Client but the big benefit is that esxtop will give you data in 2 second interval which is much better granularity.

I hear your questions - So what now? How to analyze esxtop output file?
Well, you can replay it back in esxtop or you can use any of following tools

  • VisualEsxtop
  • perfmon
  • excel
  • esxplot
To be honest, none of tools above fulfilled my requirements therefore I'm writing my own python script for esxtop output analysis.

I will blog about it in next post when script will be good enough for public usage and published on github.

Stay tuned.