Category: VMware

  • VCP 6 – DCV Study Guide: Section 9 – Objective 9.1

    Section 9: Configure and Administer vSphere Availability Solutions

    Objective 9.1: Configure Advanced vSphere HA Features: In this objective we should be covering these topics:
    • Explain Advanced vSphere HA settings
    • Enable/Disable Advanced vSphere HA settings
    • Explain how vSphere HA interprets heartbeats
    • Interpret and correct errors during conversion
    • Identify virtual machine override priorities
    • Identify Virtual Machine Component Protection (VMCP) settings

    vSphere HA Advanced Options
    You can set advanced options that affect the behavior of your vSphere HA cluster.

    Note
    If you change the value of any of the following advanced options, you must disable and then re-enable vSphere HA before your changes take effect.

    ■ das.isolationaddress[…]
    ■ das.usedefaultisolationaddress
    ■ das.isolationshutdowntimeout

    For a complete list of vSphere HA advanced options, see the VMware knowledge base article at http://kb.vmware.com/kb/2033250.

    Set Advanced Options
    To customize vSphere HA behavior, set advanced vSphere HA options.

    Prerequisites
    Verify that you have cluster administrator privileges.
    Procedure
    1. In the vSphere Web Client, browse to the vSphere HA cluster.
    2. Click the Manage tab and click Settings.
    3. Under Settings, select vSphere HA and click Edit.
    4. Expand Advanced Options.
    5. Click Add and type the name of the advanced option in the text box. You can set the value of the option in the text box in the Value column.
    6. Repeat step 5 for each new option that you want to add and click OK.
    The cluster uses the options that you added or modified.
    What to do next
    Once you have set an advanced vSphere HA option, it persists until you do one of the following:

    ■ Using the vSphere Web Client, reset its value to the default value.
    ■ Manually edit or delete the option from the fdm.cfg file on all hosts in the cluster.

    Customize an Individual Virtual Machine
    Each virtual machine in a vSphere HA cluster is assigned the cluster default settings for VM Restart Priority, Host Isolation Response, VM Component Protection, and VM Monitoring. You can specify different behavior for each virtual machine by changing these defaults. If the virtual machine leaves the cluster, these settings are lost.

    Procedure
    1. In the vSphere Web Client, browse to the vSphere HA cluster.
    2. Click the Manage tab and click Settings.
    3. Under Settings, select VM Overrides and click Add.
    4. Use the + button to select virtual machines to which to apply the overrides.
    5. Click OK.
    6. (Optional) You can change other settings, such as the Automation level, VM restart priority, Host isolation response, VMCP settings, VM Monitoring, or VM monitoring sensitivity settings.

    Note
    You can view the cluster defaults for these settings by first expanding Relevant Cluster Settings and then expanding vSphere HA.
    7. Click OK.
    The virtual machine’s behavior now differs from the cluster defaults for each setting that you changed.

    Datastore Heartbeating
    When the master host in a vSphere HA cluster cannot communicate with a slave host over the management network, the master host uses datastore heartbeating to determine whether the slave host has failed, is in a network partition, or is network isolated. If the slave host has stopped datastore heartbeating, it is considered to have failed and its virtual machines are restarted elsewhere.

    vCenter Server selects a preferred set of datastores for heartbeating. This selection is made to maximize the number of hosts that have access to a heartbeating datastore and minimize the likelihood that the datastores are backed by the same LUN or NFS server.

    You can use the advanced option das.heartbeatdsperhost to change the number of heartbeat datastores selected by vCenter Server for each host. The default is two and the maximum valid value is five.

    vSphere HA creates a directory at the root of each datastore that is used for both datastore heartbeating and for persisting the set of protected virtual machines. The name of the directory is .vSphere-HA. Do not delete or modify the files stored in this directory, because this can have an impact on operations. Because more than one cluster might use a datastore, subdirectories for this directory are created for each cluster. Root owns these directories and files and only root can read and write to them. The disk space used by vSphere HA depends on several factors including which VMFS version is in use and the number of hosts that use the datastore for heartbeating. With vmfs3, the maximum usage is approximately 2GB and the typical usage is approximately 3MB. With vmfs5 the maximum and typical usage is approximately 3MB. vSphere HA use of the datastores adds negligible overhead and has no performance impact on other datastore operations.

    vSphere HA limits the number of virtual machines that can have configuration files on a single datastore. See Configuration Maximums for updated limits. If you place more than this number of virtual machines on a datastore and power them on, vSphere HA protects a number of virtual machines only up to the limit.

    Note
    A Virtual SAN datastore cannot be used for datastore heartbeating. Therefore, if no other shared storage is accessible to all hosts in the cluster, there can be no heartbeat datastores in use. However, if you have storage that can be reached by an alternate network path that is independent of the Virtual SAN network, you can use it to set up a heartbeat datastore.

    VM Component Protection
    If VM Component Protection (VMCP) is enabled, vSphere HA can detect datastore accessibility failures and provide automated recovery for affected virtual machines.

    VMCP provides protection against datastore accessibility failures that can affect a virtual machine running on a host in a vSphere HA cluster. When a datastore accessibility failure occurs, the affected host can no longer access the storage path for a specific datastore. You can determine the response that vSphere HA will make to such a failure, ranging from the creation of event alarms to virtual machine restarts on other hosts.

    Types of Failure
    There are two types of datastore accessibility failure:

    PDL
    PDL (Permanent Device Loss) is an unrecoverable loss of accessibility that occurs when a storage device reports the datastore is no longer accessible by the host. This condition cannot be reverted without powering off virtual machines.
    APD
    APD (All Paths Down) represents a transient or unknown accessibility loss or any other unidentified delay in I/O processing. This type of accessibility issue is recoverable.

    Configuring VMCP
    VM Component Protection is enabled and configured in the vSphere Web Client. To enable this feature, you must select the Protect against Storage Connectivity Loss checkbox in the edit cluster settings wizard. The storage protection levels you can choose and the virtual machine remediation actions available differ depending on the type of datastore accessibility failure.

    PDL failures
    A virtual machine is automatically failed over to a new host unless you have configured VMCP only to Issue events.
    APD events
    The response to APD events is more complex and accordingly the configuration is more fine-grained.

    After the user-configured Delay for VM failover for APD period has elapsed, the action taken depends on the policy you selected. An event will be issued and the virtual machine is restarted conservatively or aggressively. The conservative approach does not terminate the virtual machine if the success of the failover is unknown, for example in a network partition. The aggressive approach does terminate the virtual machine under these conditions. Neither approach terminates the virtual machine if there are insufficient resources in the cluster for the failover to succeed.

    If APD recovers before the user-configured Delay for VM failover for APD period has elapsed, you can choose to reset the affected virtual machines, which recovers the guest applications that were impacted by the IO failures.
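    The PDL and APD rules above, as an added example written for this study guide (not VMware code or the study guide's own). The enum and field names are this example's own labels for the Web Client choices described above; the returned value is the most severe action, and an event is always raised for APD once the delay has elapsed.

```python
"""Model of the documented VMCP responses to PDL and APD datastore failures."""
from dataclasses import dataclass
from enum import Enum


class Failure(Enum):
    PDL = "pdl"  # Permanent Device Loss: storage device reports the datastore gone
    APD = "apd"  # All Paths Down: transient or unknown loss, recoverable


class PdlResponse(Enum):
    # Example's own labels for the PDL choices ("Issue events" vs. fail over).
    ISSUE_EVENTS = "issue_events"
    RESTART = "restart"


class ApdResponse(Enum):
    # Example's own labels for the APD choices.
    ISSUE_EVENTS = "issue_events"
    CONSERVATIVE = "conservative"  # do not terminate if failover success is unknown
    AGGRESSIVE = "aggressive"      # terminate even if failover success is unknown


@dataclass
class VmcpSettings:
    pdl: PdlResponse
    apd: ApdResponse
    apd_delay_seconds: int        # "Delay for VM failover for APD"
    reset_on_apd_recovery: bool   # reset VMs if APD clears before the delay


@dataclass
class ClusterState:
    failover_success_known: bool  # False in a network partition
    sufficient_resources: bool    # capacity exists to restart the VM elsewhere


def vmcp_action(failure, settings, state, apd_elapsed_seconds=0, apd_recovered=False):
    """Return 'restart', 'reset', 'event' or 'none' for one affected VM.

    'restart' means vSphere HA terminates the VM and restarts it on another
    host; 'event' means only an alarm/event is raised.
    """
    if failure is Failure.PDL:
        # PDL cannot be reverted without powering off the VM, so the VM is
        # failed over unless the administrator chose events only.
        return "event" if settings.pdl is PdlResponse.ISSUE_EVENTS else "restart"

    # APD: if the paths come back before the delay expires, the only possible
    # action is the optional guest reset that recovers impacted applications.
    if apd_elapsed_seconds < settings.apd_delay_seconds:
        if apd_recovered:
            return "reset" if settings.reset_on_apd_recovery else "none"
        return "none"

    # Delay elapsed: an event is always issued; whether the VM is also
    # terminated depends on the policy and on the cluster state.
    if settings.apd is ApdResponse.ISSUE_EVENTS:
        return "event"
    if not state.sufficient_resources:
        # Neither policy terminates a VM the cluster cannot restart.
        return "event"
    if not state.failover_success_known and settings.apd is ApdResponse.CONSERVATIVE:
        # Conservative: outcome unknown (e.g. partition), so leave the VM running.
        return "event"
    return "restart"
```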

    Configure Virtual Machine Responses
    The Failure conditions and VM response page allows you to choose settings that determine how vSphere HA responds to host failures and isolations. These settings include the VM restart priority, host isolation response, settings for VM Component Protection, and VM monitoring sensitivity.

    The Failure conditions and VM response page is editable only if you have enabled vSphere HA.
    Procedure
    1. In the vSphere Web Client, browse to the vSphere HA cluster.
    2. Click the Manage tab and click Settings.
    3. Under Settings, select vSphere HA and click Edit.
    4. Expand Failure Conditions and VM Response to display the configuration options.

    5. Click OK.
    Your Virtual Machine Response settings take effect.

    vSphere HA Checklist
    The vSphere HA checklist contains requirements that you must be aware of before creating and using a vSphere HA cluster.

    Review this list before you set up a vSphere HA cluster. For more information, follow the appropriate cross reference.

    ■ All hosts must be licensed for vSphere HA.
    ■ A cluster must contain at least two hosts.
    ■ All hosts must be configured with static IP addresses. If you are using DHCP, you must ensure that the address for each host persists across reboots.
    ■ All hosts must have at least one management network in common. The best practice is to have at least two management networks in common. You should use the VMkernel network with the Management traffic checkbox enabled. The networks must be accessible to each other, and vCenter Server and the hosts must be accessible to each other on the management networks. See Best Practices for Networking.
    ■ To ensure that any virtual machine can run on any host in the cluster, all hosts must have access to the same virtual machine networks and datastores. Similarly, virtual machines must be located on shared, not local, storage otherwise they cannot be failed over in the case of a host failure.

    Note
    vSphere HA uses datastore heartbeating to distinguish between partitioned, isolated, and failed hosts. So if some datastores are more reliable in your environment, configure vSphere HA to give preference to them.
    ■ For VM Monitoring to work, VMware tools must be installed. See VM and Application Monitoring.
    ■ vSphere HA supports both IPv4 and IPv6. See Other vSphere HA Interoperability Issues for considerations when using IPv6.
    ■ For VM Component Protection to work, hosts must have the All Paths Down (APD) Timeout feature enabled.
    ■ To use VM Component Protection, clusters must contain ESXi 6.0 hosts or later.
    ■ Only vSphere HA clusters that contain ESXi 6.0 or later hosts can be used to enable VMCP. Clusters that contain hosts from an earlier release cannot enable VMCP, and such hosts cannot be added to a VMCP-enabled cluster.
    ■ If your cluster uses Virtual Volume (vVol) datastores, when vSphere HA is enabled a configuration vVol is created on each vVol datastore by vCenter Server. In these containers, vSphere HA stores the files it uses to protect virtual machines. vSphere HA does not function correctly if you delete these containers. Only one container is created per vVol datastore.

    For the conversion-errors topic, see Troubleshooting checklist for VMware Converter (VMware KB 1016330).

  • VCP 6 – DCV Study Guide: Section 10 – Objective 10.2

    Section 10: Administer and Manage vSphere Virtual Machines

    Objective 10.2: Create and Manage a Multisite Content Library: In this objective we should be covering these topics:
    • Configure Content Library to work across sites
    • Configure Content Library authentication
    • Set/Configure Content Library roles
    • Add/Remove Content Libraries

    Using Content Libraries
    Content libraries are container objects for VM templates, vApp templates, and other types of files. vSphere administrators can use the templates in the library to deploy virtual machines and vApps in the vSphere inventory. Sharing templates and files across multiple vCenter Server instances in the same or different locations brings consistency, compliance, efficiency, and automation to deploying workloads at scale.

    A content library is managed from a single vCenter Server instance, but can be shared across multiple vCenter Server systems.

    Each VM template, vApp template, or other type of file in a library is a library item. An item can contain a single file or multiple files. In the case of VM and vApp templates, each item contains multiple files. For example, because an OVF template is a set of multiple files, when you upload an OVF template to the library, you actually upload all the files associated with the template (.ovf, .vmdk, and .mf), but in the vSphere Web Client you see only the .ovf file listed in the content library.

    You can create two types of libraries: local or subscribed library.

    Local Libraries
    You use a local library to store items in a single vCenter Server instance. You can publish the local library so that users from other vCenter Server systems can subscribe to it. When you publish a content library externally, you can configure a password for authentication.

    VM templates and vApps templates are stored as OVF file formats in the content library. You can also upload other file types, such as ISO images, text files, and so on, in a content library.
    Subscribed Libraries
    You subscribe to a published library by creating a subscribed library. The subscribed library can be created in the same vCenter Server instance where the published library is, or in a different vCenter Server system. When creating a subscribed library, you have the option to download all the contents of the published library immediately after the subscribed library is created, or to download only metadata for the items from the published library. If you download only metadata for the items in a subscribed library, you save storage space. A subscribed library that is set to download all the content of the published library immediately synchronizes automatically with the published library at regular intervals to ensure the contents are up to date. You must manually synchronize a subscribed library that is set to download contents from the published library only when needed.

    If you use a subscribed library, you can only utilize the content, but cannot contribute content. Only the administrator of the published library manages the templates and files.

    Source Objects to Which You Can Subscribe By Creating a Subscribed Library in The vSphere Web Client.

    Libraries store content on a file system or a datastore. To ensure optimal performance, use file systems for libraries that are published, and use datastores for local and subscribed libraries.
    Create a Library
    You can create a content library in the vSphere Web Client, and populate it with templates, which you can use to deploy virtual machines or vApps in your virtual environment.
    Prerequisites
    Required privileges: Content library. Create local library or Content library. Create subscribed library on the vCenter Server instance where you want to create the library.
    Procedure
    1. In the vSphere Web Client navigator, select vCenter Inventory Lists > Content Libraries.
    2. Click the Objects tab.
    3. Click the Create a New Library icon.
    4. Enter a name for the content library, and in the Notes text box, enter a description for the library, and click Next.
    5. Select the type of content library you want to create.
    6. Click Next.
    7. Enter the path to a storage location where to keep the contents of this library.
    8. Review the information on the Ready to Complete page, and click Finish.
    Synchronize a Subscribed Library
    To ensure that your subscribed library displays the latest content of the published library, you can manually initiate a synchronization task.
    You can also have subscribed libraries automatically synchronize with the content of the published library. To enable automatic synchronization of the subscribed library, select the option to Enable automatic synchronization with the external library in the subscribed library settings. Take into account that the automatic synchronization requires a lot of storage space, because you download full copies of all the items in the published library.
    Prerequisites
    Required privilege: Content library. Sync subscribed library on the library.
    Procedure
    1. In the vSphere Web Client navigator, select vCenter Inventory Lists > Content Libraries.
    2. Right-click a subscribed library from the list and select Synchronize Library.
    A new task for synchronizing the subscribed library appears in the Recent Tasks pane. After the task is complete, you can see the updated list with library items in the Related Objects tab under Templates and Other Types.
    Edit the Settings of a Local Library
    You can change the settings of a content library. As an administrator of a content library, you can publish a local library from your vCenter Server instance to share its contents across multiple vCenter Server systems. From the Edit Settings dialog box, you can obtain the URL of your library and send it to other users to subscribe. If the library is already published, you can change its password for authentication. Users who are subscribed to your library must update the password to keep access to the published library.
    Prerequisites
    Required privileges: Content library. Update library and Content library. Update local library on the library.
    Procedure
    1. In the vSphere Web Client navigator, select vCenter Inventory Lists > Content Libraries.
    2. Right-click a content library and select Edit Settings.
    3. Edit the settings for the library.
    4. Click OK.

    Edit the Settings of a Subscribed Library
    You can edit the settings of a subscribed library to optimize storage space and network bandwidth by switching between the options to download content from the published library. You might also need to update the password for authentication to the library if the administrator of the published library changes the password.

    Prerequisites
    Required privileges: Content library. Update subscribed library and Content library. Probe subscription information on the subscribed library.
    Procedure
    1. In the vSphere Web Client navigator, select vCenter Inventory Lists > Content Libraries.
    2. Right-click a subscribed library and select Edit Settings.
    3. Edit the settings of the subscribed library.

    ■ Enable or disable the automatic synchronization with the published library.
    ■ Update the password for authentication to the published library.
    ■ Select a download method. You can either download all library content immediately or download library content only when needed.

    If you switch from the option to download content only when needed to the option to immediately download all library content, after confirming the dialog a synchronization task starts and content starts to download. The number and size of items in the published library determine the amount of time and network bandwidth that the task requires.
    4. Click OK.

    Delete a Content Library
    You can delete a content library that you no longer want to use.

    Prerequisites
    Required privilege: Content library. Delete subscribed library or Content library. Delete local library on the type of library you want to delete.
    Procedure
    1. In the vSphere Web Client navigator, select vCenter Inventory Lists > Content Libraries.
    2. Right-click a content library from the list and select Delete.
    3. In the Delete library confirmation dialog box, click Yes.
    The content library and all its contents are deleted.

    Hierarchical Inheritance of Permissions for Content Libraries
    vSphere objects inherit permissions from a parent object in the hierarchy. Content libraries work in the context of a single vCenter Server instance. However, content libraries are not direct children of a vCenter Server system from an inventory perspective.

    The direct parent for content libraries is the global root. This means that if you set a permission at a vCenter Server level and propagate it to the children objects, the permission applies to data centers, folders, clusters, hosts, virtual machines, and so on, but does not apply to the content libraries that you see and operate with in this vCenter Server instance. To assign a permission on a content library, an Administrator must grant the permission to the user as a global permission. Global permissions support assigning privileges across solutions from a global root object.

    The figure illustrates the inventory hierarchy and the paths by which permissions can propagate.

    vSphere Inventory Hierarchy

    To let a user manage a content library and its items, an Administrator can assign the Content Library Administrator role to that user as a global permission. The Content Library Administrator role is a sample role in the vSphere Web Client.

    Users who are Administrators can also manage libraries and their contents. If a user is an Administrator at a vCenter Server level, they have sufficient privileges to manage the libraries that belong to this vCenter Server instance, but cannot see the libraries unless they have a Read-Only role as a global permission.

    For example, a user has an Administrator role that is defined at a vCenter Server level. When the Administrator navigates to Content Libraries in the object navigator, he sees 0 libraries even though libraries exist in the vSphere inventory of that vCenter Server instance. To see the libraries, the Administrator needs a Read-Only role assigned as a global permission.

    Administrators whose role is defined as a global permission can see and manage the libraries in all vCenter Server instances that belong to the global root.

    Because content libraries and their child items inherit permissions only from the global root object, when you navigate to a library or a library item and click the Manage tab, you can see there is no Permissions tab. An Administrator cannot assign individual permissions on different libraries or different items within a library.

    Sample User Role for Working with Content Libraries
    vSphere Web Client provides a sample role that lets you be an administrator of content libraries. You can modify the role or use it as an example to create custom roles for specific tasks you want to allow other users to perform.

    Content Library Administrator

    Content Library Administrator role is a predefined role that gives a user privileges to monitor and manage a library and its contents.

    A user who has this role can perform the following tasks:

    ■ Create, edit, and delete local or subscribed libraries.
    ■ Synchronize a subscribed library and synchronize items in a subscribed library.
    ■ View the item types supported by the library.
    ■ Configure the global settings for the library.
    ■ Import items to a library.
    ■ Export library items.

  • VCP 6 – DCV Study Guide: Section 10 – Objective 10.1

    Section 10: Administer and Manage vSphere Virtual Machines

    Objective 10.1: Configure Advanced vSphere Virtual Machine Settings
    • Identify available virtual machine configuration settings

    Virtual Machine Option Overview

    You can view or change virtual machine settings from the vSphere Web Client. Not all options are available to every virtual machine and some options rarely need to change from their defaults.

    The host that the virtual machine runs on and the guest operating system must support any configurations that you make.

    When you select Edit Settings from a virtual machine right-button menu and click VM Options, you can select one of the following options.

    Virtual Machine Options

    ■ General Options: Virtual machine name, location of the virtual machine configuration file, and virtual machine working location. View or change the type and version of the guest operating system.
    ■ VMware Remote Console Options: Locking behavior and settings for simultaneous connections.
    ■ VMware Tools: Power Controls behavior, VMware Tools scripts, automatic upgrades, and time synchronization between the guest and host.
    ■ Power Management: Virtual machine Suspend behavior and wake on LAN.
    ■ Boot Options: Virtual machine boot options. Add a delay before booting, force entry into the BIOS or EFI setup screen, or set reboot options.
    ■ Advanced: Advanced virtual machine options. See the table below.
    ■ Fibre Channel NPIV: Virtual node and port World Wide Names (WWNs).

    When you select Edit Settings from a virtual machine right-button menu, click VM Options, and click Advanced, you can select one of the following options.

    Advanced Virtual Machine Options

    ■ Settings: Specify acceleration and logging settings.
    ■ Debugging and statistics: Specify the level of debugging information that is being collected.
    ■ Swap file location: Specify the swap file location.
    ■ Configuration Parameters: View, modify, or add configuration parameters.
    ■ Latency Sensitivity: Set a value for latency sensitivity.

    • Interpret virtual machine configuration files (.vmx) settings

    View the Virtual Machine Configuration and Working File Location

    You can view the location of the virtual machine configuration and working files. You can use this information when you configure backup systems.

    Prerequisites

    Verify that the virtual machine is powered off.

    Procedure

    1. Right-click a virtual machine in the inventory and select Edit Settings.

    2. Click VM Options tab and expand General Options.

    The path to the location of the virtual machine configuration file appears in the VM Config File text box. The path to the virtual machine working location appears in the VM Working Location text box.

    What Is a Virtual Machine?

    A virtual machine is a software computer that, like a physical computer, runs an operating system and applications. The virtual machine consists of a set of specification and configuration files and is backed by the physical resources of a host. Every virtual machine has virtual devices that provide the same functionality as physical hardware and are more portable, more secure, and easier to manage.

    A virtual machine consists of several files that are stored on a storage device. The key files are the configuration file, virtual disk file, NVRAM setting file, and log file. You configure virtual machine settings through the vSphere Web Client, one of the vSphere command-line interfaces (PowerCLI, vCLI) or the vSphere Web Services SDK.

    Virtual Machine Files

    ■ .vmx (vmname.vmx): Virtual machine configuration file
    ■ .vmxf (vmname.vmxf): Additional virtual machine configuration files
    ■ .vmdk (vmname.vmdk): Virtual disk characteristics
    ■ -flat.vmdk (vmname-flat.vmdk): Virtual machine data disk
    ■ .nvram (vmname.nvram or nvram): Virtual machine BIOS or EFI configuration
    ■ .vmsd (vmname.vmsd): Virtual machine snapshots
    ■ .vmsn (vmname.vmsn): Virtual machine snapshot data file
    ■ .vswp (vmname.vswp): Virtual machine swap file
    ■ .vmss (vmname.vmss): Virtual machine suspend file
    ■ .log (vmware.log): Current virtual machine log file
    ■ -#.log (vmware-#.log, where # is a number starting with 1): Old virtual machine log files

    VMX files – a VMX file is the primary configuration file for a virtual machine. When you create a new virtual machine and answer questions about the operating system, disk sizes, and networking, those answers are stored in this file. As the example below shows, a VMX file is actually a simple text file that can be edited with Notepad. Example:

    config.version = "8"
    virtualHW.version = "3"
    guestOS = "otherlinux"
    displayname = "IPFire"
    memsize = "256"
    MemAllowAutoScaleDown = "FALSE"
    usb.present = "TRUE"
    ide0:0.present = "TRUE"
    ide0:0.filename = "primaryMaster.vmdk"
    #ide1:0.autodetect = "TRUE"
    #ide1:0.filename = "auto detect"
    #ide1:0.deviceType = "cdrom-raw"
    ide1:0.present = "true"
    ide1:0.deviceType = "cdrom-image"
    ide1:0.filename = "ipfire-2.9.i586-full-core48.iso"
    ide1:0.startConnected = "TRUE"
    floppy0.present = "FALSE"
    sound.present = "FALSE"
    ethernet0.present = "TRUE"
    ethernet0.addressType = "generated"
    ethernet0.connectionType= "nat"
    ethernet1.present = "TRUE"
    ethernet1.addressType = "generated"
    ethernet1.connectionType= "nat"

    • Identify virtual machine DirectPath I/O feature

    DirectPath I/O allows virtual machine access to physical PCI functions on platforms with an I/O Memory Management Unit.

    The following features are unavailable for virtual machines configured with DirectPath:

    ■ Hot adding and removing of virtual devices
    ■ Suspend and resume
    ■ Record and replay
    ■ Fault tolerance
    ■ High availability
    ■ DRS (limited availability. The virtual machine can be part of a cluster, but cannot migrate across hosts)
    ■ Snapshots

    The following features are only available for virtual machines configured with DirectPath I/O on Cisco Unified Computing Systems (UCS) through Cisco Virtual Machine Fabric Extender (VM-FEX) distributed switches.

    ■ vMotion
    ■ Hot adding and removing of virtual devices
    ■ Suspend and resume
    ■ High availability
    ■ DRS
    ■ Snapshots

    Enable DirectPath I/O with vMotion on a Virtual Machine
    You can enable DirectPath I/O with vMotion for virtual machines in a datacenter on a Cisco UCS system that has at least one supported Cisco UCS Virtual Machine Fabric Extender (VM-FEX) distributed switch.

    Prerequisites

    1. Enable high performance network I/O on at least one Cisco UCS port profile on a supported Cisco VM-FEX distributed switch. For supported switches and switch configuration, see Cisco’s documentation at http://www.cisco.com/go/unifiedcomputing/b-series-doc.

    2. Launch the vSphere Client and log in to a vCenter Server system.

    3. Power off the virtual machine.

    Procedure
    1. Log in to the vSphere Client and select the VMs and Templates inventory view.
    2. Right-click the virtual machine to modify and click Edit Settings.
    3. On the Resources tab, select Memory.
    4. Select Unlimited.
    5. On the Hardware tab, select the network adapter to configure as a passthrough device.
    6. Select a port profile with high performance enabled from the network label drop-down menu, and click OK.
    7. Power on the virtual machine.

    After the virtual machine is powered on, DirectPath I/O appears as Active on the Hardware tab of the virtual machine properties dialog box.

    DirectPath I/O vs SR-IOV
    SR-IOV offers performance benefits and tradeoffs similar to those of DirectPath I/O. DirectPath I/O and SR-IOV have similar functionality but you use them to accomplish different things.

    SR-IOV is beneficial in workloads with very high packet rates or very low latency requirements. Like DirectPath I/O, SR-IOV is not compatible with certain core virtualization features, such as vMotion. SR-IOV does, however, allow for a single physical device to be shared amongst multiple guests.

    With DirectPath I/O you can map only one physical function to one virtual machine. SR-IOV lets you share a single physical device, allowing multiple virtual machines to connect directly to the physical function.

    • Enable/Disable Advanced virtual machine settings

    Edit Configuration File Parameters
    You can change or add virtual machine configuration parameters when instructed by a VMware technical support representative, or if you see VMware documentation that instructs you to add or change a parameter to fix a problem with your system.

    Prerequisites

    Verify that you have the following privileges:

    Virtual machine.Configuration.Advanced on the destination folder or datacenter, if you are configuring advanced virtual machine settings.

    Procedure
    1. Right-click a virtual machine in the inventory and select Edit Settings.
    2. Click the VM Options tab and expand Advanced.
    3. Click Edit Configuration.
    4. (Optional) To add a parameter, click Add Row and type a name and value for the parameter.
    5. (Optional) To change a parameter, type a new value in the Value text box for that parameter.
    6. Click OK.

    Disable Virtual Machine Acceleration

    You might find that when you install or run software in a virtual machine, the virtual machine appears to stop responding. The problem occurs early in the program’s execution. You can get past the problem by temporarily disabling acceleration in the virtual machine.

    This setting slows down virtual machine performance, so use it only for getting past the problem with running the program. After the program stops encountering problems, deselect Disable acceleration. You might be able to run the program with acceleration.

    You can enable and disable acceleration when the virtual machine is running.

    Procedure

    1. Right-click a virtual machine in the inventory and select Edit Settings.
    2. Click the VM Options tab and expand Advanced.
    3. Select Disable acceleration.
    4. Click OK.
    You should be able to install or run the software successfully.

    Enable Virtual Machine Logging

    You can enable logging to collect log files to help troubleshoot problems with your virtual machine.

    ESXi hosts store virtual machine log files in the same directory as the virtual machine’s configuration files. By default, the log file name is vmware.log. Archived log files are stored as vmware-n.log, where n is a number in sequential order beginning with 1.

    Prerequisites

    Required privilege: Virtual machine.Configuration.Settings
    Procedure

    1. Right-click a virtual machine in the inventory and select Edit Settings.
    2. Click the VM Options tab and expand Advanced.
    3. In the Settings row, select Enable logging and click OK.
    You can view and compare log files in the same storage location as the virtual machine configuration files.

    Configure Virtual Machine Debugging and Statistics

    You can run a virtual machine so that it collects additional debugging information that is helpful to VMware technical support in resolving issues.

    Prerequisites

    Power off the virtual machine.

    Procedure

    1. Right-click a virtual machine in the inventory and select Edit Settings.
    2. Click the VM Options tab and expand Advanced.
    3. Select a debugging and statistics option from the drop-down menu.

    • Run normally
    • Record Debugging Information
    • Record Statistics
    • Record Statistics and Debugging Information

    The number of debugging and statistics options available depends on the host software type and version. On some hosts, some options are not available.

    4. Click OK.

    Change the Swap File Location

    When a virtual machine is powered on, the system creates a VMkernel swap file to serve as a backing store for the virtual machine’s RAM contents. You can accept the default swap file location or save the file to a different location. By default, the swap file is stored in the same location as the virtual machine’s configuration file.

    Procedure

    1. Right-click a virtual machine in the inventory and select Edit Settings.
    2. Click the VM Options tab and expand Advanced.
    3. Select a swap file location option.
    4. Click OK.


    Edit Configuration File Parameters

    IMPORTANT Changing or adding parameters when a system does not have problems might lead to decreased system performance and instability.

    The following conditions apply:

    • To change a parameter, you edit the value of the existing keyword/value pair. For example, if you start with keyword=value and change the value to value2, the result is keyword=value2.
    • You cannot delete a configuration parameter entry.

    CAUTION You must assign a value to every configuration parameter keyword. If you do not assign a value, the keyword can be read back as 0, false, or disable, which can leave the virtual machine unable to power on.

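    As an added example (not code from this guide or from VMware), the following Python script works the rules of this section through on the text of a constructed .vmx file: an existing keyword is changed in place (keyword=value becomes keyword=value2), a new keyword is added, nothing is deleted, and a keyword is never written without a value. It serves both this section and the identical "Edit Configuration File Parameters" procedure under "Enable/Disable Advanced virtual machine settings". The sample file contents, the value chosen for tools.setInfo.sizeLimit, and all function names are assumptions for the example; isolation.tools.copy.disable and isolation.device.connectable.disable are hardening parameters from the vSphere Security guide.

```python
"""VMX keyword/value editor that enforces the rules stated in this section.

Added example, not VMware code; it edits the text of a .vmx file and never
touches a live VM. ESXi stores one   keyword = "value"   line per parameter.
Rules enforced: change replaces the value of an existing pair, entries are
added but never deleted, and an empty value is refused, because an unset
keyword may be read back as 0/false/disable and leave the VM unable to power on.
"""
import re
from typing import Dict, List

# Constructed sample, not copied from a real VM. The last line shows the
# failure mode the CAUTION describes: a keyword present without a value.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
tools.setInfo.sizeLimit = ""
'''

_PAIR = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the keyword/value pairs of a VMX file, in file order."""
    params: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PAIR.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a keyword = "value" pair: {line!r}')
        params[m.group(1)] = m.group(2)
    return params


def unset_keywords(params: Dict[str, str]) -> List[str]:
    """Keywords that are present without a value (the CAUTION case)."""
    return sorted(k for k, v in params.items() if v.strip() == "")


def set_param(params: Dict[str, str], keyword: str, value: str) -> Dict[str, str]:
    """Add a parameter or change an existing one in place; empty values are refused."""
    if not keyword or "=" in keyword or any(c.isspace() for c in keyword):
        raise ValueError(f"invalid keyword {keyword!r}")
    if value is None or value.strip() == "":
        raise ValueError(f"{keyword}: a configuration parameter must be given a value")
    params[keyword] = value  # same keyword: value replaced, never a duplicate entry
    return params


def render_vmx(params: Dict[str, str]) -> str:
    """Serialize back to VMX syntax, refusing to write keywords without a value."""
    bad = unset_keywords(params)
    if bad:
        raise ValueError(f"refusing to write keywords without a value: {bad}")
    return "".join(f'{k} = "{v}"\n' for k, v in params.items())


def apply_changes(text: str, changes: Dict[str, str]) -> str:
    """Parse, apply each change as add-or-replace (never delete), and re-render."""
    params = parse_vmx(text)
    for keyword, value in changes.items():
        set_param(params, keyword, value)
    return render_vmx(params)


if __name__ == "__main__":
    before = parse_vmx(SAMPLE_VMX)
    print("unset keywords in sample:", unset_keywords(before))  # ['tools.setInfo.sizeLimit']
    fixed = apply_changes(SAMPLE_VMX, {
        "tools.setInfo.sizeLimit": "1048576",            # give the unset keyword a value
        "virtualHW.version": "11",                       # existing keyword, same value
        "isolation.device.connectable.disable": "TRUE",  # new hardening parameter
    })
    print(fixed, end="")
```

    Running the script as-is first reports tools.setInfo.sizeLimit as unset; render_vmx would refuse to write the sample until that keyword is given a value, which is the check a practitioner wants before a VM is powered on with hand-edited parameters.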

    Enabling the latency-sensitivity feature for a given VM

    The latency-sensitivity feature is applied per VM, so a vSphere host can run a mix of normal VMs and VMs with this feature enabled. To enable latency sensitivity for a given VM from the UI, open the VM's Edit Settings window, go to Advanced under the VM Options tab, and select High for Latency Sensitivity.

  • VCP 6 – DCV Study Guide: Section 1 – Objective 1.1

    Section 1: Configure and Administer vSphere 6.x Security

    Objective 1.1: Configure and Administer Role-based Access Control

    Users, groups, and roles control who has access to vSphere components and what actions each user can perform. A role is a predefined set of privileges. Privileges define rights to perform actions and read properties. For example, the Virtual Machine Administrator role consists of read properties and of a set of rights to perform actions. The role allows a user to read and change virtual machine attributes. When you assign permissions, you pair a user or group with a role and associate that pairing with an inventory object. A single user or group can have different roles for different objects in the inventory.

    Compare and contrast propagated and explicit permission assignments

    See "Hierarchical Inheritance of Permissions" below.

    View/Sort/Export user and group lists

    You can view, sort, and export lists of a host’s local users to a file that is in HTML, XML, Microsoft Excel, or CSV format.

    Procedure
    1. Log in to ESXi using the vSphere Client.
    2. Click the Local Users & Groups tab and click Users.
    3. Determine how to sort the table, and hide or show columns according to the information you want to see in the exported file.

    ■ To sort the table by any of the columns, click the column heading.
    ■ To show or hide columns, right-click any of the column headings and select or deselect the name of the column to hide.

    4. Right-click anywhere in the table and click Export List to open the Save As dialog box.
    5. Select a path and enter a filename.
    6. Select the file type and click OK.

    Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects

    A permission is set on an object in the vCenter object hierarchy. Each permission associates the object with a group or user and the group’s or user’s access roles. For example, you can select a virtual machine object, add one permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role to User 2.

    By assigning a different role to a group of users on different objects, you control the tasks that those users can perform in your vSphere environment. For example, to allow a group to configure memory for the host, select that host and add a permission that grants that group a role which includes the Host.Configuration.Memory Configuration privilege.

    To manage permissions from the vSphere Web Client, you need to understand the following concepts:

    Permissions
    Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object.
    Users and Groups
    On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On. The users and groups must be defined in the identity source that vCenter Single Sign-On is using to authenticate. Define users and groups using the tools in your identity source, for example, Active Directory.
    Roles
    Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles, such as Administrator, are predefined on vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. You can create custom roles either from scratch or by cloning and modifying sample roles.
    Privileges
    Privileges are fine-grained access controls. You can group those privileges into roles, that you can then map to users or groups.

    Change Permissions
    After a user or group and role pair is set for an inventory object, you can change the role paired with the user or group or change the setting of the Propagate check box. You can also remove the permission setting.

    Procedure

    1. Browse to the object in the vSphere Web Client object navigator.
    2. Click the Manage tab and select Permissions.
    3. Click the line item to select the user or group and role pair.
    4. Click Change role on permission.
    5. Select a role for the user or group from the Assigned Role drop-down menu.
    6. To propagate the privileges to the children of the assigned inventory object, click the Propagate check box and click OK.

    Add a Permission to an Inventory Object

    After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same permissions to multiple objects simultaneously by moving the objects into a folder and setting the permissions on the folder.

    When you assign permissions from the vSphere Web Client, user and group names must match Active Directory precisely, including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.
    Prerequisites
    On the object whose permissions you want to modify, you must have a role that includes the Permissions.Modify permission privilege.
    Procedure

    1. Browse to the object for which you want to assign permissions in the vSphere Web Client object navigator.
    2. Click the Manage tab and select Permissions.
    3. Click the Add icon, and click Add.
    4. Identify the user or group that will have the privileges defined by the selected role.
      1. From the Domain drop-down menu, select the domain where the user or group is located.
      2. Type a name in the Search box or select a name from the list. The system searches user names, group names, and descriptions.
      3. Select the user or group and click Add. The name is added to either the Users or Groups list.
      4. (Optional) Click Check Names to verify that the user or group exists in the identity source.
      5. Click OK.
    5. Select a role from the Assigned Role drop-down menu. The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
    6. (Optional) To limit propagation, deselect the Propagate to Child Objects check box. The role is applied only to the selected object and does not propagate to the child objects.
    7. Click OK to add the permission.

    Determine how permissions are applied and inherited in vCenter Server

    The permission model for vCenter Server systems relies on assigning permissions to objects in the vSphere object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for the selected object.

    To assign permissions to an object, you follow these steps:

    1. Select the object in the vCenter object hierarchy to which you want to apply the permission.
    2. Select the group or user that should have privileges on the object.
    3. Select the role, that is the set of privileges, that the group or user should have on the object. By default, permissions propagate, that is the group or user has the selected role on the selected object and its child objects.

    Hierarchical Inheritance of Permissions

    When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.

    vSphere Inventory Hierarchy

    Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent data center. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.

    Create/Clone/Edit vCenter Server Roles

    Creating a Custom Role

    You can create vCenter Server custom roles to suit the access control needs of your environment.

    If you create or edit a role on a vCenter Server system that is part of the same vCenter Single Sign-On domain as other vCenter Server systems, the VMware Directory Service (vmdir) propagates the changes that you make to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across vCenter Server systems.

    Prerequisites
    Verify that you are logged in as a user with Administrator privileges.

    Procedure
    1. Log in to vCenter Server with the vSphere Web Client.
    2. Select Home, click Administration, and click Roles.
    3. Click the Create role action (+) button.
    4. Type a name for the new role.
    5. Select privileges for the role and click OK.

    Once you’ve created or modified the roles as needed, you can assign the roles to the users and groups associated with your ESX/ESXi host or vCenter Server.

    Cloning a Role
    You can make a copy of an existing role, rename it, and edit it. When you make a copy, the new role is not applied to any users or groups and objects. You must assign the role to users or groups and objects.

    Prerequisites
    Verify that you are logged in as a user with Administrator privileges.
    Procedure
    1. Log in to vCenter Server with the vSphere Web Client.
    2. Select Home, click Administration, and click Roles.
    3. Select a role, and click the Clone role action icon.
    4. Type a name for the cloned role.
    5. Select or deselect privileges for the role and click OK.

    Edit a Role
    When you edit a role, you can change the privileges selected for that role. When completed, these privileges are applied to any user or group that is assigned the edited role.

    Prerequisites
    Verify that you are logged in as a user with Administrator privileges.
    Procedure
    1. Log in to vCenter Server with the vSphere Web Client.
    2. Select Home, click Administration, and click Roles.
    3. Select a role and click the Edit role action button.
    4. Select or deselect privileges for the role and click OK.

    Configure VMware Directory Service

    The VMware Directory service (vmdir) is associated with the domain you specify during installation and is included in each embedded deployment and on each Platform Services Controller. This service is a multi-tenanted, multi-mastered directory service that makes an LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems.

    If your environment includes more than one instance of the Platform Services Controller, an update of vmdir content in one vmdir instance is propagated to all other instances of vmdir.

    Starting with vSphere 6.0, the VMware Directory Service stores not only vCenter Single Sign-On information but also certificate information.

    Replace the VMware Directory Service Certificate (from the Security Guide)
    If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.
    If you unpublish the VMCA root certificate, you must replace the SSL Signing Certificate that is used by vCenter Single Sign-On. See “Refresh the Security Token Service (STS) Root Certificate,” on page 36. You must also replace the VMware Directory Service (vmdir) certificate.
    Prerequisites
    Request a certificate for vmdir from your third-party or enterprise CA.
    Procedure

    1. Stop vmdir.
      Linux: service-control --stop vmdird
      Windows: service-control --stop VMWareDirectoryService
    2. Copy the certificate and key that you just generated to the vmdir location.
      Linux: cp vmdir.crt /usr/lib/vmware-vmdir/share/config/vmdircert.pem
      cp vmdir.priv /usr/lib/vmware-vmdir/share/config/vmdirkey.pem
      Windows: copy vmdir.crt C:\programdata\vmware\vCenterServer\cfg\vmdird\vmdircert.pem
      copy vmdir.priv C:\programdata\vmware\vCenterServer\cfg\vmdird\vmdirkey.pem
    3. Restart vmdir from the vSphere Web Client or using the service-control command.
      Linux: service-control --start vmdird
      Windows: service-control --start VMWareDirectoryService

    Before step 2, confirm that the certificate and private key belong together and keep a backup of the existing vmdircert.pem and vmdirkey.pem, so that the service can be restored if it does not start with the new pair.

    Apply a role to a User/Group and to an object or group of objects

    There are a few things to keep in mind when configuring access controls in vSphere. First, if a group is assigned a role on an object, every user in that group gets those privileges unless the user has a role of their own assigned on that object. Second, a permission assigned directly to a user takes precedence over the permissions the user gets through group membership on the same object.

    For example, User A and User B are assigned to Group 1. Group 1 has been assigned the Read-Only role. User A doesn’t have a role assigned to it, so it automatically gets all of the permissions given to Group 1. User B, however, has been assigned the No Access role, so User B has no permissions at all.

    vCenter Server also validates its users and groups against Windows Active Directory. If a user or group exists in vCenter Server but no longer exists in the domain, vCenter Server removes all permissions associated with that user or group during validation.

    You can also assign privileges to multiple inventory objects in VMware by creating a folder and moving all of the appropriate objects to that folder.
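    The following Python model is an added example (not VMware code) that works the rules from "Hierarchical Inheritance of Permissions" and the paragraphs above through on a constructed inventory: propagation down the hierarchy, a child's own permission overriding what propagates from its parents, a user's direct permission taking precedence over a group permission on the same object, a virtual machine inheriting from both its VM folder and its resource pool, and the rule that a snapshot needs Datastore.Allocate space on the target datastore in addition to the VM-side privilege. The inventory objects, users, Group 1 membership, the custom VM Snapshotter role, and the privilege sets are assumptions; the real privilege sets of the system roles are much larger, and "*" here simply stands for every privilege.

```python
"""Simplified model of how vCenter resolves a user's effective privileges.

Added example, not VMware code. Rules encoded, as stated in this guide:
a permission pairs a user or group with a role on one inventory object;
a role is a set of privileges and Administrator includes Read Only;
a permission propagates to children unless propagation is turned off;
a permission defined on a child overrides what propagates from a parent;
a user's direct permission on an object beats group permissions there;
a VM inherits from both its VM folder and its host/cluster/resource pool.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

SNAPSHOT = "Virtual machine.Snapshot management.Create snapshot"
ALLOCATE = "Datastore.Allocate space"
MEMORY = "Host.Configuration.Memory Configuration"
ALL = "*"  # stands for every privilege (Administrator)

# Privilege sets are constructed and far smaller than the real roles.
READ_ONLY: Set[str] = {"System.Anonymous", "System.View", "System.Read"}
ROLES: Dict[str, Set[str]] = {
    "No Access": set(),
    "Read Only": set(READ_ONLY),
    "Administrator": READ_ONLY | {ALL},          # inherits Read Only, adds everything
    "VM Snapshotter": READ_ONLY | {SNAPSHOT},    # constructed custom role
    "Datastore Consumer": READ_ONLY | {ALLOCATE},
}

# Constructed inventory: object -> parent objects. The VM has two parents.
PARENTS: Dict[str, List[str]] = {
    "root": [],
    "dc1": ["root"],
    "vm-folder": ["dc1"],
    "cluster1": ["dc1"],
    "rp-prod": ["cluster1"],
    "ds1": ["dc1"],
    "web01": ["vm-folder", "rp-prod"],
}

GROUPS: Dict[str, Set[str]] = {"Group 1": {"userA", "userB"}}


@dataclass(frozen=True)
class Permission:
    obj: str
    principal: str
    role: str
    propagate: bool = True


PERMISSIONS: List[Permission] = [
    Permission("dc1", "Group 1", "Read Only"),                            # propagates under dc1
    Permission("vm-folder", "Group 1", "Administrator", propagate=False), # folder only, not its VMs
    Permission("rp-prod", "userA", "VM Snapshotter"),                     # reaches web01 via the pool
    Permission("ds1", "Group 1", "Datastore Consumer"),
    Permission("web01", "userB", "No Access"),                            # user entry beats group Read Only
]


def groups_of(user: str) -> Set[str]:
    return {g for g, members in GROUPS.items() if user in members}


def applicable(obj: str, user: str, perms: List[Permission], via_parent: bool = False) -> List[Permission]:
    """Permissions that decide the user's role(s) on obj.

    Entries defined on the object itself win over anything propagated from a
    parent; among them a direct user entry wins over group entries. When the
    lookup is on behalf of a child, only propagating entries count.
    """
    mine = groups_of(user)
    here = [p for p in perms if p.obj == obj and (p.principal == user or p.principal in mine)]
    if via_parent:
        here = [p for p in here if p.propagate]
    direct = [p for p in here if p.principal == user]
    if direct:
        return direct
    if here:
        return here
    inherited: List[Permission] = []
    for parent in PARENTS.get(obj, []):   # a VM merges both of its parents
        inherited.extend(applicable(parent, user, perms, via_parent=True))
    return inherited


def effective_privileges(obj: str, user: str, perms: List[Permission] = PERMISSIONS) -> Set[str]:
    privs: Set[str] = set()
    for p in applicable(obj, user, perms):
        privs |= ROLES[p.role]
    return privs


def has_privilege(obj: str, user: str, priv: str, perms: List[Permission] = PERMISSIONS) -> bool:
    privs = effective_privileges(obj, user, perms)
    return ALL in privs or priv in privs


def can_take_snapshot(vm: str, datastore: str, user: str, perms: List[Permission] = PERMISSIONS) -> bool:
    """A snapshot consumes storage: VM-side privilege plus Datastore.Allocate space on the datastore."""
    return has_privilege(vm, user, SNAPSHOT, perms) and has_privilege(datastore, user, ALLOCATE, perms)


if __name__ == "__main__":
    for user in ("userA", "userB", "userC"):
        print(user, "on web01:", sorted(effective_privileges("web01", user)),
              "| snapshot allowed:", can_take_snapshot("web01", "ds1", user))
```

    With this data, userA gets Read Only on web01 through dc1 (the non-propagating Administrator entry on vm-folder stops at the folder) plus the snapshot privilege through rp-prod, and may take a snapshot because Group 1 can allocate space on ds1; userB, who is in the same group, gets nothing on web01 because the direct No Access entry on the VM overrides the group's propagated Read Only, exactly the User A / User B case described above.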

    Assigning a Role
    1. Go to Home, Inventory, and then Hosts and Clusters. Click the inventory object and then click “Permissions.”
    2. Right-click an empty area in the right pane, then click “Add Permissions” to open the Assign Permissions window.
    3. Click “Add” and insert the appropriate user(s) or group(s). Select the desired role for the user(s) from the drop-down menu.
    4. Review the list of permissions in the right pane. To prevent access to child objects, uncheck “Propagate to Child Objects.”
    5. Click “OK” to assign the permissions to the selected user(s) or group(s).

    Change permission validation settings

    vCenter Server periodically validates its user and group lists against the users and groups in the Windows Active Directory domain. It then removes users or groups that no longer exist in the domain. You can change the interval between validations.

    Procedure

    1. From the vSphere Client connected to a vCenter Server system, select Administration > vCenter Server Settings.
    2. In the navigation pane, select Active Directory.
    3. (Optional) Deselect the Enable Validation check box to disable validation. Validation is enabled by default. Users and groups are validated when the vCenter Server system starts, even if validation is disabled.
    4. If validation is enabled, enter a value in the Validation Period text box to specify the time, in minutes, between validations.

    Determine the appropriate set of privileges for common tasks in vCenter Server

    Many tasks require permissions on more than one object in the inventory. You can review the privileges that are required to perform the tasks and, where applicable, the appropriate sample roles.

    If the task that you want to perform is not in this table, the following rules can help you determine where you must assign permissions to allow particular operations:

    • Any operation that consumes storage space, such as creating a virtual disk or taking a snapshot, requires the Datastore.Allocate Space privilege on the target datastore, as well as the privilege to perform the operation itself.
    • Moving an object in the inventory hierarchy requires appropriate privileges on the object itself, the source parent object (such as a folder or cluster), and the destination parent object.
    • Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the Resource.Assign Virtual Machine to Resource Pool privilege.

    The images below present common tasks that require more than one privilege. You can add permissions to inventory objects by pairing a user with one of the predefined roles, or you can create custom roles with the set of privileges that you expect to use multiple times.

    Images (not reproduced here), Required Privileges for Common Tasks: Deploy a Virtual Machine From Template; Take a virtual machine snapshot; Move a virtual machine into a resource pool; Install a guest operating system on a virtual machine; Migrate a virtual machine with vMotion; Cold migrate (relocate) a virtual machine; Migrate a virtual machine with Storage vMotion.

    Compare and contrast default system/sample roles

    vCenter Server provides system roles and sample roles by default:

    System roles
    System roles are permanent. You cannot edit the privileges associated with these roles.
    Sample roles
    VMware provides sample roles for certain frequently performed combinations of tasks. You can clone, modify, or remove these roles.

    vCenter Server System Roles
    A role is a predefined set of privileges. When you add permissions to an object, you pair a user or group with a role. vCenter Server includes a small number of system (default) roles whose privileges you cannot change. The system roles are organized as a hierarchy in which each role inherits the privileges of the previous role; for example, the Administrator role inherits the privileges of the Read Only role. Roles that you create do not inherit privileges from any of the system roles.

    • Administrator Role
      Users assigned the Administrator role for an object are allowed to view and perform all actions on the object. This role also includes all privileges inherent in the Read Only role. If you are acting in the Administrator role on an object, you can assign privileges to individual users and groups. If you are acting in the Administrator role in vCenter Server, you can assign privileges to users and groups in the default vCenter Single Sign-On identity source. Supported identity services include Windows Active Directory and OpenLDAP 2.4.
      By default, the administrator@vsphere.local user has the Administrator role on both vCenter Single Sign-On and vCenter Server after installation. That user can then associate other users with the Administrator role on vCenter Server.
    • No Access Role
      Users assigned the No Access role for an object cannot view or change the object in any way. New users and groups are assigned this role by default. You can change the role on an object-by-object basis.
      The administrator@vsphere.local user, the root user, and vpxuser are the only users not assigned the No Access role by default. Instead, they are assigned the Administrator role. You can remove the root user from any permissions or change its role to No Access as long as you first create a replacement permission at the root level with the Administrator role and associate this permission with a different user.
    • Read Only Role
      Users assigned the Read Only role for an object are allowed to view the state of the object and details about the object. With this role, a user can view virtual machine, host, and resource pool attributes. The user cannot view the remote console for a host. All actions through the menus and toolbars are disallowed.

    vCenter Server Sample Roles

    • Virtual Machine Administrator: A sample role that allows a user complete and total control of a virtual machine or a host, up to and including removing that VM or host
    • Virtual Machine Power User: A sample role that grants a user access rights only to virtual machines; can alter the virtual hardware or create snapshots of the VM
    • Virtual Machine User: Grants user access rights exclusively to VMs. The user can power on, power off, and reset the virtual machine, as well as run media from the virtual discs.
    • Resource Pool Administrator: Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines
    • Datacenter Administrator: Permits a user to add new datacenter objects
    • VMware Consolidated Backup User: Required to allow VMware Consolidated Backup to run
    • Datastore Consumer: Allows the user to consume space on a datastore
    • Network Consumer: Allows the user to assign a network to a virtual machine or a host

    For the privileges that common tasks require, see "Determine the appropriate set of privileges for common tasks in vCenter Server" above.

    The vSphere Security guide includes a complete list of defined privileges.

    Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products

    Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.

    Each solution has a root object in its own object hierarchy. The global root object acts as a parent object to each solution object. You can assign global permissions to users or groups, and decide on the role for each user or group.