VCP 2019 Study Guide Section 4 (No objectives in 3)

Section 4 – Installing, Configuring, and Setting Up a VMware vSphere Solution

Objective 4.1 – Understand basic log output from vSphere products

VMware has come a long way from when I started troubleshooting their products. Their logs have gotten easier to get to, and improved in their quality. What I will do here is give you a quick overview of where to find the logs and how to read them.

ESXi Logs

Where before the easiest option was to open a SSH session to the host and look at the logs, you can easily do that from within the host UI now. If you go to Monitor you can see a list of all the logs available to peruse.

Here in the screenshot, you can see

  1. Monitor menu and the tab for logs
  2. Logs available
  3. Log output

And here is a list of the logs on the ESXi host along with a description for what the log keeps track of.

You can still access these logs through the DCUI or a SSH session as well.

Alright so you got the log now… How do you use it? Here is a sample taken from a VMKernel.log. This was after shutting down a switch port using a Software ISCSI controller to a SAN LUN.

2013-12-05T21:42:47.944Z cpu25:8753)<3>bnx2x 0000:04:00.0: vmnic4: NIC Link is Down

2013-12-05T21:43:12.090Z cpu16:8885)WARNING: iscsi_vmk: iscsivmk_StopConnection: vmhba45:CH:0 T:0 CN:0: iSCSI connection is being marked “OFFLINE” (Event:4)

2013-12-05T21:43:12.090Z cpu16:8885)WARNING: iscsi_vmk: iscsivmk_StopConnection: Sess [ISID: 00023d000001 TARGET: TPGT: 1 TSIH: 0]

2013-12-05T21:43:12.090Z cpu16:8885)WARNING: iscsi_vmk: iscsivmk_StopConnection: Conn [CID: 0 L: R:]

2013-12-05T21:43:22.093Z cpu31:8261)StorageApdHandler: 248: APD Timer started for ident [naa.6090a098f007640ff6f0b43aa9c87311]

2013-12-05T21:43:22.093Z cpu31:8261)StorageApdHandler: 395: Device or filesystem with identifier [naa.6090a098f007640ff6f0b43aa9c87311] has entered the All Paths Down state.

Let’s decipher this a bit more.

  1. This part is the time stamp of the log entry.
  2. This is what is the reporter. In this case it is the bn2x driver
  3. This is what it is reporting on, specifically vmnic4 at the hardware address referenced 0000:04:00:0
  4. This is data about what it saw. Namely the NIC link went down.

Some entries are a bit more difficult to read than others but the structure stays pretty close. You can also use something like Log Insight to help search through the logs and decipher them.

vCenter Server Logs

We have logs we may need to retrieve for vCenter Server as well. Unfortunately, it doesn’t have a browser like the hosts. (Hint Hint VMware) Here is where you can get to them though.

This is accessing the Appliance Config at port 5480.

Once this is done downloading you have a decent size .tar file. You will need to unzip this a couple times. When you finally have a regular directory structure all the logs will be under the /var/log/vmware folder. Here is a list of the files and locations and what they do.

Windows vCenter Server vCenter Server Appliance Description
vmware-vpx\vpxd.log vpxd/vpxd.log The main vCenter Serverlog
vmware-vpx\vpxd-profiler.log vpxd/vpxd-profiler.log Profile metrics for operations performed in vCenter Server
vmware-vpx\vpxd-alert.log vpxd/vpxd-alert.log Non-fatal information logged about the vpxd process
perfcharts\stats.log perfcharts/stats.log VMware Performance Charts
eam\eam.log eam/eam.log VMware ESX Agent Manager
invsvc invsvc VMware Inventory Service
netdump netdumper VMware vSphere ESXi Dump Collector
vapi vapi VMware vAPI Endpoint
vmdird vmdird VMware Directory Service daemon
vmsyslogcollector syslog vSphere Syslog Collector
vmware-sps\sps.log vmware-sps/sps.log VMware vSphere Profile-Driven Storage Service
vpostgres vpostgres vFabric Postgres database service
vsphere-client vsphere-client VMware vSphere Web Client
vws vws VMware System and Hardware Health Manager
workflow workflow VMware vCenter Workflow Manager
SSO SSO VMware Single Sign-On

It would be simpler again to use a program like Log Insight to help you parse through the logs. And you wouldn’t need to download them as they are being streamed to Log Insight. You’ll see output similar to what I mentioned above.

Objective 4.2 – Create and configure vSphere objects

Creating and configuring objects can be done several ways. You can do this through the HTML5 client, or you can do this from the CLI using PowerCLI or use commands at the ESXi SSH prompt. Inside the HTML5 client it is as simple as right clicking on the parent object (such as a cluster) and then selecting Add Host or New Virtual Machine. This is the window you may see when you right click on the parent object:

Configuring an object depends on the object. Configuring a VM is as simple as right clicking on it and Configuring Settings. You can also select the object and then use the center pane to bring up the Configure pane. This may give you different options to configure based on the object. Here is a screenshot of the Configure pane for a ESXi host.

As you can see there are a number of ways to accomplish this task.

Objective. 4.3 – Set up a content library

Setting up a content library is straightforward. To do this:

  1. Click on Menu at the top of your screen and then select Content Libraries
  2. Click on the ‘+’ to add a new Content Library
  3. Specify a Name for the library and any notes. Also if needed change what vCenter Server you will host this off of.
  4. This screen has options for how you want to use it. This can be setup as a Local or you can Subscribe to someone else’s library. If you do create a local library, do you want others to be able to subscribe to it. If publishing, will they need to authenticate.
  5. You need to store the Content Library somewhere. You do that on this screen.
  6. That’s it! Click Finish

Objective 4.4 – Set up ESXi hosts

Pre-requisites was gone over in Section 1, so I imagine if you got to this point you already know those. You can install ESXi several different ways.

  • Interactive Installation – this is you sitting at a console or in front of the server and running the installation. This can be installed from an ISO file, USB stick, CD-ROM, or PXE. The actual installation is fast and straightforward, taking about 15 min or so.
  • Scripted Installation – This is more efficient than the interactive as you can do many more at the same time and you aren’t required to answer prompts. The prompts are filled out automatically by an unattended file. The installation script needs to be stored in a location that the host can access with HTTP, HTTPS, FTP, NFS, CD-ROM, or USB.
  • Auto Deploy Installation – This can provision hundreds of machines at the same time. This can be setup to use a remote disk and can store that setup locally or pull it down every time the machine boots. These options are known as Stateless Caching and stateful installations. With Auto Deploy you create a host profile that allows you to configure the host with specific things like Virtual Standard Switches with a specific name etc. This is great for enterprise because it allows you to keep a standard image and settings.

Once the machine is setup you can further configure it using the configure pane as we saw in Objective 4.2 (screenshot). This allows you to change options such as NTP and more. These settings could be setup if using host profiles.

  1. To add hosts in vCenter Server, you first must have a Datacenter. You create that by right clicking on the vCenter Server and choose New Datacenter

  2. After that is created, you can right click on the Datacenter and Add Host.

  3. Enter the IP or Fully Qualified Domain Name (FQDN). Make sure it can be resolved by DNS

  4. Enter connection details for username and password

  5. You are asked to check the certificate and after approving it, you will be given a summary

  6. Assign a license to it

  7. Assign a lockdown mode if you want to use it

  8. Assign where you want to put the VMs from this host (if there are any on it)

  9. Click Finish and Complete it.

Objective 4.5 – Configure virtual networking

You configure virtual networking different ways, depending on your environment. Configuring VSSs can be done using the ESXi HTML5 client as seen here

Physical NICs are how you access your Physical Network. You create VMKernel ports which are how ESXi accesses the internal switch for management tasks and you have Virtual switches to connect both together. Finally, you have port groups which is a grouping of vNICs or the virtual machine NICs. A better way to show this is with a picture.

  1. These are the VMKernel ports – These are used for management tasks such as vMotion etc.
  2. pNICS or Physical Network cards are on the other side and how you reach the physical network.
  3. VM Network is the name of my Port Group which is how I group all the NICs from the VMs underneath. I group them to easier perform tasks on all of them.
  4. The construct in the middle is my Virtual Switch. This one is a VSS

The picture above can be accessed on the host page under the configure tab. You can also make changes there. A VDS is accessed under the sub category networking by using the menu up top or corresponding icon.

The picture for VDS looks much like the one for VSS but will mention all the different uplinks on each host.

You can make changes there as well. Or by right-clicking on the actual switch on the navigation pane on the left.

Objective 4.6 – Deploy and configure VMware vCenter Server Appliance (VCSA)

This objective is the installation and configuration of vCenter Server Appliance. The installation may vary a tad depending on the type of installation you do. Here is a workflow. I am going to assume you already have at least one ESXi host setup since we covered that a couple of objectives ago. There are two workflows. One for large environments and one for smaller.

The vCenter Server UI install, whether for a vCenter Server or PSC, is a two-stage process. The installer contains files for both GUI and CLI deployments so you only need the one ISO. The first stage is deployment of the OVA file into your environment. The second stage configures and starts all the services of your shiny new appliance. The CLI is slightly different. You run a CLI command against a JSON file you have inputted your configuration parameters in. This in turn creates an OVF Tool command that deploys and configures the appliance in one go.

Once setup, you log into the appliance with the username “root” and whatever password you set while deploying. Single Sign On comes later. Lets see what the install looks like.

  1. For a Microsoft Windows admin station, you will mount the ISO and go to <CD-ROM Drive Letter>\vcsa-ui-installer\win32\installer.exe and double-click.
  2. You are then presented with this screen

  3. We are going to Install so click on that box. The first stage then begins.

  4. Click Next and Accept the End User Agreement. The next screen is where we decide what type of installation we want to perform.

  5. I am going to choose embedded. Notice the External PSC model will soon not be supported.
  6. We now need to choose the ESXi host to install to (or vCenter Server). Generally the port will be 443 unless you have changed your environment.

  7. Accept the Certificate warning
  8. Enter in the name you want to give your vCenter Server that will appear in the VM inventory. Type in a password that you want to use for the vCenter Server.

  9. Decide on Deployment Size and Storage Size. Keep in mind if this vCenter will be doing heavy processing you may want to upsize it. This will give it more vCPUs and memory to use.

  10. Select the datastore you want to install to and if you want to use Thin Disk Mode or Thick. You can also create a vSAN datastore to install to.

  11. Network settings now need to be entered in.

  12. It is now ready to complete stage 1. Let it finish.

  13. Stage 2 begins. You need to decide how to synchronize time and if SSH access will be open.

  14. You then need to create a SSO domain or join an existing one. If you create one, make sure it is not the same name as your Windows Domain as that can cause all sorts of issues. This is also where to set the password for Administrator@SSODomainyoumakeup.something.

  15. Decide if you and your company want to share anonymized data with VMware.

  16. Finish and watch it work.

That’s all there is to the setup. You can configure it when its done through the appliance setup page. This is the normal address for the vCenter Server but put :5480 at the end. For example https://vCenter.vsphere.local:5480

That page will allow you make changes to many of the parameters as you can see here.

There are quite a few setting you can set through the HTML5 UI as well as seen here.

Objective 4.7 – Set up identity sources

You can setup additional identity sources in your VMware environment to allow more granular control of permissions and for better management. You can set them up by going to the Menu at the top and clicking on Administration. Then going to configuration and adding the identity source.

An Active Directory, AD over LDAP, or OpenLDAP identity source can be used. You can use a machine account in Active Directory or a Service Principle Name to authenticate.

Objective 4.8 – Configure an SSO domain

The only real way of configuring SSO that I can find is just users. This is done from within the same place as our identity sources. Instead of configuration menu item, you click on Users and Groups right above that. This allows you to see the Users for your SSO. You then click on the 3 dots in front of the user to change/edit/delete them.

That’s it. Moving on!

VCP 2019 Study Guide – Section 2

Section 2 – VMware Products and Solutions

Objective 2.1 – Describe vSphere integration with other VMware products

VMware has just a few products on the market (/sarcasm), and they show no letup in acquiring other companies and expanding to new technologies. One thing I appreciate about them is their ability to take what they buy, make it uniquely theirs, and integrate it with their current solutions. While this is not always done quickly and it make take a few versions, it usually pays dividends. Other products such as their Software Defined Networking product, NSX-V and T, and vSAN (SDS storage) and more, round out their offerings making it a complete solution for their customers. While definitely not altruistic, having a single place to get a complete solution can make life easier. Let’s look at some of the VMware products that are commonly used with vSphere core products.

If you look at products grouped together on VMware’s download site, you’ll see the core vSphere products of ESXi and vCenter. You also see Log Insight, NSX, Operations, and Orchestrator. I will try to give you a high-level of each of those products and how they fit into the vSphere world.

vRealize Log Insight

vRealize Log Insight is a syslog server on steroids. It is described as a Log Management and Analytics Tool by VMware. It integrates with vCenter Server and vRealize Operations. Log Insight can be used as a regular syslog server for other solutions not in VMware. Using it as a single logging repository and being able to search across your entire company’s infrastructure is its true superpower. But wait… there’s more.

You can also load content packs to manage specific solutions. One example of this is I am using a specially created Rubrik content pack that allows me to create specific dashboards to monitor my backups. Log Insight has the ability to have multiple users and assign them separate permissions to create their own dashboards and metrics. You can see my walkthrough on Log Insight (albeit 4.3 instead of 4.6) here. I also have a few videos to show you how you might customize dashboards here and how you can track a error in the logs here.

VMware NSX

What VMware did for Server hardware they did with Networking as well. While ESXi and vCenter Server already have VSS and VDS, this is the next step in networking evolution. Using NSX you can implement normally difficult configurations such as micro-segmentation in your datacenter with ease. Being able to do this all from a single UI makes it easy and saves time. Once the initial configuration of the physical networking is done, everything thereafter can be accomplished in VMware’s HTML5 client. Creating switches, routers, load balancers, firewalling, you name it.

Because NSX’s technology, ESXi essentially believes it is on a large L2 network allowing you to do things impossible before, such as vMotion over large geographic distances. NSX brings a lot to the table. There is a lot to learn about it, however and it has its own certification track.

vRealize Operations

vRealize Operations is a tool used to facilitate performance optimization, capacity management, forecasting, remediation, and compliance. It integrates right into the HTML5 client and keeps you constantly aware of how your environment is performing. Not only does vRealize Operations integrate with ESXi and vCenter, it also integrates with NSX and Log Insight. Here is a pic of what it looks like in the HTML5 client

I also have a few videos on how to perform actions in vSphere Operations here. While this is an old version it serves well to show you some of the things you can use vRealize Operations for.

You have a large number of dashboards to choose from and monitor. You can see things like disk usage and capacity graphically making it easy to pick out potential problems at a quick glance. Doing this paper vRealize notified I’ve been running my Plex Server on a snapshot for a long period of time… I didn’t have any idea until it told me. (Snapshot was created by Update Manager upgrade). Short story, you need this in your life.

vRealize Orchestrator

Most people know about the app IFTTT for your phone. This is kind of like that but way more powerful. Using vRealize Orchestrator you can create workflows that can perform a plethora of different tasks. It also integrates with vRealize Automation to create even more complex jobs. Using vRealize Orchestrator, you can:

  • Configure software or virtual hardware
  • Update databases
  • Generate work order tickets
  • Initiate system backups

And much more. This integrates with all of VMware’s other products and is a drag and drop worklflow solution.

Objective 2.2 – Describe HA solutions for vSphere

We already went over this, but we’ll touch on it again. The main High Availability solutions VMware provides are vMotion, svMotion and HA using clusters. I will include both HA parts so that you can read about HA in one fell swoop.

High Availability

HA works by pooling hosts and VMs into a single resource group. Hosts are monitored and in the event of a failure, VMs are re-started on another host. When you create a HA cluster, an election is held and one of the hosts is elected master. All others are slaves. The master host has the job of keeping track of all the VMs that are protected and communication with the vCenter Server. It also needs to determine when a host fails and distinguish that from when a host no longer has network access. HA has other important jobs. One is determining priority and order that VMs will be restarted when an event occurs. HA also has VM and Application Monitoring. Using this prompts HA to restart a VM if it doesn’t detect a heartbeat received from VM Tools. Application Monitoring will do the same with heartbeats from an application. VM Component Monitoring or VMCP allows vSphere to detect datastore accessibility and restart the VM if a datastore is unavailable. One last thing to note. In the past, VMware tried to trick people by using the old name for HA which was FDM or Fault Domain Manager

There are a several configuration options to configure. Most defaults work without drama and don’t need to be changed unless you have a specific use case. They are:

  • Proactive HA – This feature receives messages from a provider like Dell’s Open Manage Integration plugin. Based on those messages HA will migrate VMs to a different host due to possible impending doom of the original host. It makes recommendations in Manual mode or automatically moves them in Automatic mode. After VMs are off the host, you can choose how to remediate the sick host. You can place it in maintenance mode, which prevents running any future workloads on it. Or you could put it in Quarantine mode which allows it to run some workloads if performance is low. Or a mix of those with…. Mixed Mode.
  • Failure Conditions and responses – This is a list of possible host failure scenarios and how you want vSphere to respond to them. This is better and gives you way more control then in the past.
  • Admission Control – What good is a feature to restart VMs if you don’t have enough resources to do so? Not very. Admission Control is the gatekeeper that makes sure you have enough resources to restart your VMs in the case of host failure. You can ensure this a couple of ways. Dedicated failover hosts, cluster resource percentage, slot policy, or you can disable it (not good unless you have a specific reason). Dedicated hosts are dedicated hot spares. They do no work or run VMs unless there is a host failure. This is the most expensive (other than a failure itself). Slot policy takes the largest VM’s CPU and the largest VM’s memory (can be two different VMs) and makes that into a “slot” then it determines how many slots your cluster can satisfy. Then it looks at how many hosts can fail and still keep all VMs powered on based off that base slot size. Cluster Resources Percentage looks at total resources needed and total available and tries to keep enough resources to permit you to lose the number of hosts you specify (subtracting amount of resources of those hosts). You can also override this and set aside a specific percentage. For any of these policies, if the cluster can’t satisfy resources for more than existing VMs in the case of a failure, it prevents new VMs from turning on.
  • Heartbeat Datastores – Used to monitor hosts and VMs when the HA network as failed. It determines if the host is still running or if a VM is still running by looking for lock files. This automatically uses at least 2 datastores that all the hosts are connected to. You can specify more or specific datastores to use.
  • Advanced Options – You can use this to set advanced options for the HA Cluster. One might be setting a second gateway to determine host isolation. To use this you will need to set two options. 1) das.usedefaultisolationaddress and 2) das.isolationaddress[…] The first specifies not to use the default gateway and the second sets additional addresses.

There are a few other solutions that touch more on Fault Tolerance and Disaster Recovery.

Fault Tolerance or FT creates a second live shadow copy of a VM. In the even the primary goes down, the secondary kicks in and it then creates a new shadow VM.

Disaster Recovery options include vSphere Replication and Site Recovery Manager. Both of these can be used in conjunction to replicate a site or individual VMs to another site in case of failure or disaster.

Objective 2.3 – Describe the options for securing a vSphere environment

There are a number of options available to secure your vSphere environment. We will start with ESXi and move on to a few others.

ESXi Security

  • Limit access to ESXi – this goes for both the physical box but also any other way of accessing it. SSH, DCUI, or remote console via IPMI or iDRAC/iLO etc. You can also take advantage of lockdown modes to limit access to just vCenter.
  • Use named users and least privilege – If everyone is root than no one is special. Only give users that need it, access. Even then only give them the access and rights they need to do their job. Make sure they all log in as the user you give them. This allows for tracking and accounting.
  • Minimize open ports – your ESXi host has a stateless firewall but if all the ports are open, it’s not providing any protection for you.
  • Smart Card authentication – ESXi now supports smart cards for logging on instead of user name and passwords.
  • Account lockouts – After a number of incorrect tries to log in, have the account lock.
  • Manage ESXi certificates – While there is a Certificate Authority in vCenter, you might want look into using third-party or enterprise CA certificates.
  • VIB Integrity – try to use and only allow your ESXi hosts to accept VMware accepted or VMware Certified VIBs.

vCenter Server Security

  • Harden all vCenter host machines – make sure all security patches and the host machines are up to date.
  • Assign roles to users or groups – This allows you to better keep track of what users are allowed to do if they are part of a role.
  • Setup NTP – time stamps will be accurate and allow you to better track what is going on in your environment.
  • Configure Single Sign On – Keep track of the identity sources you allow to authenticate to your vSphere environment.
  • vCenter Certificates – remove expired or revoked certificates and failed installations.

VM Security

  • Protect the guest operating system – Keep your OS up to date with patches and any anti-malware or anti-spyware. Most OSs also have a firewall built-in. Use that to keep only necessary ports open.
  • Disable unnecessary functionality – Turn off and disable any services not needed. Turn off things like HGFS (host-guest filesystem) that allows you to copy and paste between the VM and remote console.
  • Use templates and scripted installations – After you spend all the time making an OS secure, use that as a template so that you don’t have to perform the same on the next machine. This also makes sure you don’t forget settings or configurations that may end up being disastrous. Script management of machines and installations for the same reason.
  • Minimize use of the virtual machine console – Just like you would secure access to the physical machine, you should secure access and use sparingly the console.
  • Use UEFI secure boot when possible – If the OS supports it, you can use this to prevent changes to the VM.

Network Security

  • Isolate network traffic – Separation of network traffic into segments allows you to isolate important networks. A prime example of this is creating a management network that is separate from regular VM traffic. You can perform this easily using VMware NSX or even as simple as creating a separate subnet and locking that down virtually or physically to ports.
  • Use firewalls – Again using NSX this becomes really simple to create firewall and micro-segmentation. Mentioned above, you can also utilize firewalls in the OS but that can get unwieldy with 1,000s of VMs. Physical firewalls are a staple as well.
  • Consider Network Policies – Switches in your virtual environment have security policies you can implement to prevent malicious attacks. These are promiscuous mode, MAC address changes, and forged transmits.
  • Secure VM networking – same as above with securing OSs and firewalling.
  • VLANs – These can be used to segment your network and provide additional security. This also breaks up your broadcast domain which can cut down on unwanted broadcast traffic.
  • Secure connection to your Storage – Usually companies setup separate networks for their storage. This is for security but also performance. You can also implement authentication on your storage array such as CHAP. Fibre Channel is particularly secure as it is difficult to tap a fibre cable.