Note: This is issue 1, and it's likely that subsequent issues will be hosted on vmware.com. We're working on it…
Hello and welcome to the very first vCloud Suite Digest, a compilation of common technical questions and answers on vCloud Suite architecture and implementation. Co-authoring this Digest is my colleague, Pang Chen, a Principal Consultant in VMware’s Global Technology Solutions. Pang keeps tabs on current questions being raised by VMware customers and partners through SEs, PSO, Trainers, TAMs, and TSEs and helps track down their answers. Behind Pang is a legion of people far too numerous to mention (for me these are the unsung heroes of VMware) who provide definitive answers and guidance. People fixing problems on a daily basis, who don’t get half the spotlight that jumped-up evangelists like me do… ;-)
I’ve partnered with Pang to add more context and detail, including occasional screen grabs, to the Q&A to showcase here in my own blog posts. Ever the self-promoter you see? 😀
But joking apart, even before joining VMware I always thought there was likely to be a mine of useful information that could be shared with the community. This digest is a classic example. So I see it as part of my “Senior Cloud Infrastructure Social Media Competitive Evangelist” role to find ways of getting this stuff out to the wider world. Yes, that’s right, I work with our competitive team and I spend all day bad-mouthing Microsoft and saying how awful they are… :-O So if your boss is next asking some loony-toon questions such as why you don’t run Oracle RAC on Oracle VM, you can contact me for help and advice…
If you like this Digest, we’ll compile more. So here goes:
VMRC and USB Redirection
Q. Do we support USB redirection to vCloud Director VMs through the VMRC client? This is something you can do with the VMware View client, where you can plug a USB stick into your laptop and access it in your virtual desktop…
A. No, unfortunately USB redirection is not supported with the VM Remote Console within vCloud Director at this time. USB redirection will likely come down the road when VMware View and vCloud Director become harmonized.
vCloud Director and SSO
vCloud Director 5.1 introduces support for the Single Sign-On (SSO) functionality included in vCenter. It’s enabled by the SysAdmin of the vCloud Director cell. Once enabled, if the SysAdmin types the vCloud Director URL s/he will be redirected to the all-new vSphere Web Client front-end. When they successfully authenticate a SAML token is generated, and the web page refreshes displaying the vCloud Director web pages. The SysAdmin can then right-click a vCenter to which they have rights, and open the web client on it – without needing to re-login. The SAML token is passed along, enabling single sign-on (for administration purposes) to the vCloud Solution.
Q. Is SSO mandatory for vCloud Director functionality? When would I want to enable SSO for vCloud Director?
A. You have to distinguish between vCenter SSO and SAML SSO. Neither is mandatory. The former is just for vCloud Administrators, and you would enable it if you want to manage their access from vCenter SSO. You can still use LDAP authentication for vCloud Director admin purposes without SSO. When considering SSO, it depends on whether you are talking about the System scope or Organizations. vCloud Director 5.1 supports an external IdP for Organizations only, and does not support vSphere SSO for Organizations. vCloud Director 5.1’s System scope, as well as the vCenter/Next Generation Client 5.1, only support vSphere SSO, not external IdPs.
Q. In vCloud Networking and Security v5.1.x, do we support SSO group-based role assignment?
A. Yes, but for group-based role assignment, we only support the FQDN\groupname format. The domain alias based format is currently not supported.
Q. The SSO Administrator password expires automatically after 365 days by default. How do I change this expiration policy?
A. The password lifetime can be changed from the Web Client. Log in as SSO administrator (by default this is the root account on the vCenter Server Appliance, but it can be modified), then go to Administration -> Sign-on and Discovery -> Configuration, select the Policies tab, and then the Password Policies sub-tab.
Mike’s Comment: I wrote about SSO and vCloud Director here a couple of months ago:
vCloud Director: Accessing Media from Public Catalog
As you might know, vCD has the concept of a “catalog” which is used to “store” vApp Templates and Media. It’s possible to make the catalog private to an Organization or allow it to be published. If it is “published” it is visible to ALL the Organization vDCs within the Organization itself. So perhaps the ‘company’ catalog is published/public – but the “Test/Dev” catalog is not, because those vApps and Media are not ready for consumption. So a catalog can be visible to just one Organization or many…
Here the CorpHQ Organization has two catalogs – the CorpHQ Catalog is published and is available to both the “Production Virtual Datacenter” and the “Test/Dev Virtual Datacenter” within the CorpHQ Org. The Development Catalog is only available to the development group – the permissions for this are on the properties of the catalog itself. By publishing the CorpHQ Catalog it’s also visible to my “tenants”, those in the COIG, iStoxs and Quark Organizations.
Q. I cannot mount media from a public catalog without first copying the media to a private catalog. Am I doing something wrong?
A. No, this is by design. Let’s say a user in a subscribing organization has the ISO inserted into a VM, but the publishing organization wishes to delete, update or move that catalog object. If vCD simply allowed them to do so it would disrupt the subscribing user’s experience; if it prevented it, it would create a complex path of one Organization needing to negotiate with other Organizations over who has the media in use.
Mike’s Comment: I wrote about how to publish catalogs and set permissions on them a couple of weeks ago:
vCloud Director: Which VDC owns an Organization Network?
When you create a Virtual Datacenter within an Organization, you can add Organization Networks to it. So if you liked, the “Production Virtual Datacenter” could have its own Organization Network, completely separate from, say, the “Test & Dev Virtual Datacenter”. You could make it so they couldn’t see each other. There are, however, times when you want an Organization Network to be available ACROSS many Organization vDCs. The last thing you’d want to do would be to have to define each one manually. That would be an administrative chore. Fortunately you can share an Organization Network, which makes it visible to ALL the Virtual Datacenters. If you want my view, it’s a great feature – but approach it with caution. By putting the tick in the box you’re exposing the network(s) of one Organization vDC to another… is that always desirable, the best way, or secure?
You can enable sharing when you first define an Organization and use the same wizard to create its first Organization Network, or later, after the Organization Network has been created.
Q. When sharing an Org VDC network to multiple VDCs, is there a way to determine the “owning” VDC for that network? Or does the network become detached from the original VDC? When I look at the vCloud Director web pages I can’t see where I would find that out.
A. Yes, there is a way to find which Org VDC an Org VDC network belongs to. You can find that under the Org VDC Networks tab. It has a column that says “Owner”. That is the VDC to which the Org VDC network belongs. So here the “CorpHQ-CorpOrgNetwork” has been shared, and so it appears in both the “Production” and “Test/Dev” Virtual Datacenters. Within the “Test & Dev” Virtual Datacenter you can see the network is “Shared” and where its source comes from…
Mike’s Comment: I mentioned this in passing in this article:
vCloud Director Installation Instance Name
During the initial post-installation configuration of vCD, a wizard runs which allows you to set the vCD “instance name”. This must be unique because it is used as the string for generating unique MAC addresses.
Q. How can I determine what the instance name specified in the initial configuration wizard is for a vCloud Director deployment?
A. You can query the vCloud Database using a SQL statement: select value as "Installation Name" from config where name='SystemName';
Or look in vCenter > VMs and Templates: the root folder holding all the vCloud Director workloads should be the name of the vCloud Director instance.
Note: You’ll notice my System Name doesn’t match my folder. That’s because these screen grabs were taken at different times – the first under vCloud Director 5.1 and the second under vCloud Director 5.1.1.
Q. How can I find the Installation ID?
A. Using a database query: select value as "Installation ID" from config where name='Installation ID'; or through the Portal: log in as Admin > click Administration > select System Settings > General, then scroll to the bottom.
Multi-Cell vCloud Director and Load Balancer
vCloud Director allows multiple cells (or servers, if you prefer!) within a single instance. So just as you would with any web-based application, you can have more than one cell (or web server) and then use a load balancer in front of the cells to distribute load. Most quality LB appliances can detect that a node is down and redirect traffic to the remaining nodes. So this is handy for upgrades and for providing fault tolerance to the vCloud Director layer generally – of course, don’t neglect the availability of the backend database the vCloud Director cells share. That LB appliance could be a stand-alone instance of VMware’s very own vCloud Networking and Security Edge Gateway, or it could be any other commercial LB such as F5’s BIG-IP…
Q. I have a multi-cell vCD configuration with a load balancer in front. I have created a single keystore file with 2 certificates (http and console proxy) for the 2 FQDNs of the load balancer (public http and console proxy addresses). During the configuration of each vCD cell, will I use this one keystore file? In that case, what will be the impact if the load balancer is not available? Can I still connect to the cloud directly via one vCD cell (private network)?
A. Yes, you can connect directly to the cells, but the certificate will not match and you will get a browser security error, which you might ignore if you are sure that a man-in-the-middle attack is not possible. Note that if you use load balancer SSL offload for the http public IP you can have different certificates on each cell, as the client–VCD session is terminated at the LB and another is established between the LB and the VCD cell. You cannot have SSL offload for the consoleproxy IP—only pass-through works.
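The mismatch the answer describes can be checked before users hit it. The following is an added example (not from the original post and not vCD code) that applies the browser’s hostname-matching rules to certificate data in the shape returned by Python’s ssl.SSLSocket.getpeercert(); the certificate contents and host names are constructed.

```python
# Added example: why a browser complains when a vCD cell is reached by its own
# name while its keystore holds the load balancer's certificates.

def hostname_matches(pattern, hostname):
    """RFC 6125-style DNS name match: case-insensitive, and '*' is only allowed
    as the whole leftmost label, where it matches exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse '*.com' style patterns; require at least two fixed labels.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_names(cert):
    """Names a client would match against: subjectAltName DNS entries, falling
    back to the subject CN only when the certificate has no SAN at all."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def check_cell_cert(cert, connected_host):
    """Report whether the presented certificate is valid for the name typed."""
    names = cert_names(cert)
    match = any(hostname_matches(n, connected_host) for n in names)
    return {"host": connected_host, "names": names, "match": match}

# Constructed keystore contents (hypothetical names): the 'http' alias carries the
# LB's public FQDN, the 'consoleproxy' alias carries the LB's console FQDN.
HTTP_CERT = {
    "subject": ((("commonName", "vcd.example.com"),),),
    "subjectAltName": (("DNS", "vcd.example.com"),),
}
CONSOLE_CERT = {
    "subject": ((("commonName", "vcd-console.example.com"),),),
    "subjectAltName": (("DNS", "vcd-console.example.com"),),
}

if __name__ == "__main__":
    # Via the LB: the name matches. Straight to a cell: the browser error.
    print(check_cell_cert(HTTP_CERT, "vcd.example.com"))
    print(check_cell_cert(HTTP_CERT, "vcd-cell01.internal.example.com"))
    # Console proxy must be pass-through, so this name must be on every cell.
    print(check_cell_cert(CONSOLE_CERT, "vcd-console.example.com"))
```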
Q. Is there any way to have the vCNS Load Balancer configured in Active/Passive mode?
A. If the vCNS Edge is configured with HA enabled, the Load Balancer will work in Active/Passive mode. However, our Load Balancer does not support stateful switch-over, which means that when the Active Edge goes down and the Passive Edge takes over, the existing client connections to the Load Balancer will be terminated and the clients will have to reconnect to the Load Balancer.
vCD and VXLAN
As you might know, vCloud Director 5.1 introduced support for yet another type of network virtualization, or network layering as it’s sometimes called. You could say that vCD Network Isolation is a type of network virtualization – but some might take issue with that. At the heart of these projects is trying to get away from merely using the VLAN construct in the firmware of the physical network to segment the network. VLANs were originally designed to reduce broadcast traffic without the need to buy more network gear – over the years they have “mutated” into a “security context” for a lot of folks. That’s led to a proliferation of VLAN IDs which has become unwieldy. Additionally, the namespace of VLANs is relatively “small” when put in the context of large-scale public and private clouds. Whereas VLANs bottom out at about 4096, network virtualization scales into the thousands, and into the millions when it comes to VXLAN.
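As an added illustration (not from the original post), the parsing below shows where the two identifier spaces come from: an 802.1Q tag carries a 12-bit VLAN ID, while the VXLAN header (RFC 7348) carries a 24-bit VNI. The sample frame bytes are constructed.

```python
import struct

VLAN_ID_BITS = 12      # 802.1Q VID field width
VXLAN_VNI_BITS = 24    # VXLAN Network Identifier width (RFC 7348)
VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port

def id_space(bits):
    """Number of distinct identifiers a field of `bits` bits can carry."""
    return 1 << bits

def parse_8021q_vid(tci):
    """Extract the 12-bit VLAN ID from a 16-bit 802.1Q Tag Control Information
    word; the upper 4 bits are priority (PCP) and drop-eligible (DEI)."""
    return tci & 0x0FFF

def build_vxlan_header(vni):
    """Build the 8-byte VXLAN header: flags (I bit set), 24 reserved bits,
    24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < id_space(VXLAN_VNI_BITS):
        raise ValueError("VNI out of 24-bit range")
    return struct.pack("!BxxxI", 0x08, vni << 8)

def parse_vxlan_header(udp_payload):
    """Return (vni, inner_ethernet_frame) from a VXLAN UDP payload, rejecting
    payloads that are too short or lack the mandatory 'I' flag."""
    if len(udp_payload) < 8:
        raise ValueError("payload too short for a VXLAN header")
    flags, vni_and_reserved = struct.unpack("!BxxxI", udp_payload[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN 'I' flag not set; VNI is not valid")
    return vni_and_reserved >> 8, udp_payload[8:]

# Constructed sample: a VNI that no VLAN could express, wrapped around a
# placeholder 14-byte inner Ethernet header.
SAMPLE_VNI = 5_000_001
SAMPLE_PAYLOAD = build_vxlan_header(SAMPLE_VNI) + b"\x00" * 14

if __name__ == "__main__":
    print("VLAN IDs:", id_space(VLAN_ID_BITS), "VNIs:", id_space(VXLAN_VNI_BITS))
    vni, inner = parse_vxlan_header(SAMPLE_PAYLOAD)
    print("parsed VNI:", vni, "inner frame bytes:", len(inner))
```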
Q. I am trying to set up a pVDC with vCDNI network pool but I am getting an error that I am not licensed for VXLAN (which is obviously not included by default in vCloud Director). How can I configure my pVDC with vCDNI network pool?
A. The error can be ignored and is of no consequence if you are not using VXLAN. vCD 5.1 automatically attempts to create a VXLAN network pool even though you may not be licensed to use VXLAN. If the VXLAN fabric is not prepared, then you will get a VXLAN network pool with an error. There’s nothing stopping you from making a vCDNI network pool and using it. In this scenario, an error is thrown, but you are not prevented from manually going in to the network settings and setting up a vCDNI network pool. (This is an unfortunate user experience since vCloud Director does not ship with a VXLAN license.)
Mike’s Comment: I came across this in my early days of the vCloud Journey Journal. If you are licensed for VXLAN and want to avoid unpleasant red exclamation marks in vCD, then I’d be tempted to say make configuring VXLAN in the C# vSphere Client one of those steps you do before deploying vCD 5.1. Just my personal view…
Q. Does vCNS v5.1.x provide any way of checking what ports are OPEN?
A. Yes, vCloud Networking and Security v5.1.x has a NEW CLI command, introduced to check that the relevant ports (443 and 902) are open: manager# debug connection. It accepts either an IP address or a hostname. It also checks that DNS is configured correctly.
vCD and vCNS and vSphere 5.1 Dependency
Q. If I install vCD 5.1.1 with vCNS 5.1.1 but do not upgrade vCenter or the ESXi hosts to 5.1 and they continue to run on 5.0, are there any features that will not be available?
A. You will not be able to have Provider vDCs with more than 8 hosts on VMFS (since that’s a vSphere 5.1 specific feature). Also, if you use NFS with VAAI and Linked Clones, there are some specific gotchas there as you’ll need vSphere 5.1 to properly Storage vMotion the VMs around. You will also not have access to VXLAN which is a 5.1 feature.
Q. Is it possible to downgrade a vCNS Edge Gateway from full to compact?
A. The vCNS Edge Gateway upgrade is one way only, from compact to full. You cannot go back.
Mike’s Comment: You do this from the vShield Manager under the Datacenter container, Network Virtualization tab and Edges….
That’s all folks!!!