Virtual Nomad: 2017

Monday, 6 November 2017

Validating NSX VTEP connectivity

This post was inspired by recent incident at the customer environment where VMs were experiencing networking issues due to MTU size misconfiguration on the TOR switches.

If you ever worked with NSX-V and Logical Switches you are aware that NSX configures VTEP vmnics with MTU equal to 1600 bytes. This allows to support VxLAN encapsulation.
However, between every two VTEP interfaces is an L2 or L3 networking device that is potentially not configured to support baby Jumbo frames (that's another name for 1600 bytes packets).

There are many posts explaining how to check MTU size and network connectivity between VTEP interfaces. It is a simple ping using esxcli:

esxcli network diag ping --netstack=vxlan --host vmknic_IP --df --size=1572

Now, imagine you have a small transport zones with 10 hosts and each host has 2 VTEP interfaces.

You will need to run the esxcli command 360 times to validate all combinations of VTEP pairs.

With 64 hosts the number of required ping tests reaches 16,128. Well, that's obviously something that requires automation.

Hopefully, the future versions of NSX will have this validation step as part of NSX Health Check.

Meanwhile, we can take advantage of Powershell to make our VTEP validation test a bit easier.

I didn't spend much time writing the script and had only my home lab for a test, so it definitely may have some bugs.

Here is the logic of the script:

Connects to NSX/vCenter and validates that connection was established successfully
Builds array of Transport Zones and Hosts
Builds array of Hosts and their VTEPs
Iterate through each TZ-Host-VTEP and ping all other VTEPs in the transport zone. This is a full-mesh test.
The script uses pings with 2 different sizes – 64 and 1572 bytes. The first allows to check for connectivity issues and the larger packet validates that MTU size is configured correctly along the path between two VTEPs.
The results are displayed on the screen in real-time
Two reports are produced for each transport zone:

Summary - a table with Source Host, Destination Host and the test result
Detailed - a table that contains Hosts, VTEP names and IP Addresses, test result for different packet sizes and the error message, if any.

Script has been tested with vSphere 6.5 U1 and NSX 6.3.x

Update (9/11/2017) - the script was updated to work with ESXi 6.0 and 6.5 versions.

The following screenshot provides and example of successful tests:

This is an example of error messages when using packet size 1573

As you can see the script can detect different types of issues.

here is a couple of reports' screenshots

Summary Report

Detailed Report

Here is the script code

	# Author: Askar Kopbayev
	#
	# Description: Powershell script to automate validation of NSX-v VTEP connectivity and MTU size along the path.
	# Blog post: https://vmnomad.blogspot.com/2017/11/validating-nsx-vtep-connectivity.html
	#
	# The script requires vCenter an NSX names and credentials and produces two reports: Detailed and Summary.
	#

	# clean up all variables
	foreach ($i in (ls variable:/*)) {rv -ea 0 $i.Name}

	# Environment variables
	$vcName = 'updateMe'
	$nsxServerIP = 'updateMe'
	$vcUsername = 'updateMe'
	$vcPassword = 'updateMe'

	# Connect to NSX server
	Connect-NsxServer -vCenterServer $vcName -Username $vcUsername -password $vcPassword -ErrorAction SilentlyContinue \| Out-Null

	# validate connection
	if(($DefaultNSXConnection.VIConnection.name -eq $vcName) -and ($DefaultNSXConnection.Server -eq $nsxServerIP)){
	Write-host -Fore:green "Connection to NSX server $($DefaultNSXConnection.Server) was established successfully"
	}
	else{
	Write-host -Fore:red "Connection to NSX server failed. Exiting..."
	Exit
	}

	sleep 3

	# Getting current path
	$path = Split-Path -parent $PSCommandPath

	# timestamp for report filename
	$startTime = (get-date).ToString("yyyy-MM-dd_HH-mm")

	#error message definitions
	$Fail1 = "The number of receieved packets is less than number of transmitted packets."
	$Fail2 = "Zero packets received. This could be wrong MTU size or network misconfiguration"
	$Fail3 = "The source VMK MTU is too small to fit largest VXLAN packet"

	#ping function
	function vtep_ping{
	param(
	[string]$hostname,
	[string]$destIP,
	[string]$source_VMK,
	[string]$size
	)

	$result = ""
	$arguments = @{}
	$esxcli = Get-ESXCLI -vmhost $hostname -V2

	$arguments = $esxcli.network.diag.ping.CreateArgs()
	$arguments.host = $destIP
	$arguments.count = 3
	$arguments.netstack = "vxlan"
	$arguments.df = $true
	$arguments.interface = $source_VMK
	$arguments.size = $size

	try{
	Write-Host -Fore:white "`nPacket size $size"
	$result = $esxcli.network.diag.ping.Invoke($arguments)
	if($result.summary.Transmitted -eq $result.summary.Recieved){
	Write-Host -Fore:green "Ping was successful"
	Return "Pass"
	}
	elseif(($result.summary.Transmitted -$result.summary.Recieved) -gt 0){
	Write-Host -Fore:yellow "Packets transmitted $($result.summary.Transmitted) - Packets received $($result.summary.Recieved)"
	return "Fail1"
	}
	else{
	Write-host -Fore:red "Zero packets received`n"
	Write-Host -fore:yellow "This could be due MTU size or network misoncfiguration`n"
	return "Fail2"
	}
	}
	catch{
	if($_.Exception.Message -match "Message too long"){
	write-host -Fore:red "Ping failed because the source VMK MTU is too small to fit largest VXLAN packet`n"
	return "Fail3"
	}
	}
	}


	function host_to_host_ping{
	param(
	[int]$source
	)

	for($i = 0; $i -lt $Hosts_vteps.Count; $i++){
	if($Hosts_vteps[$source].hostName -ne $Hosts_vteps[$i].hostName){
	Write-host "`nsource host: "$Hosts_vteps[$source].hostName "- destination host: "$Hosts_vteps[$i].hostName
	foreach($s_vtep in $Hosts_vteps[$source].vteps){
	foreach($d_vtep in $Hosts_vteps[$i].vteps){
	Write-host "Source VMK $($s_vtep.Name), IP $($s_vtep.IPv4)"
	Write-host "Destination VMK $($d_vtep.Name), IP $($d_vtep.IPv4)"
	$ping64 = vtep_ping -hostname $($Hosts_vteps[$source].hostName) -destIP $d_vtep.IPv4 -source_VMK $s_vtep.name -size 64
	$ping1572 = vtep_ping -hostname $($Hosts_vteps[$source].hostName) -destIP $d_vtep.IPv4 -source_VMK $s_vtep.name -size 1572

	#building detailed report
	$b = New-Object -TypeName psobject
	$b \| Add-Member -MemberType NoteProperty -Name source_host -value $Hosts_vteps[$source].hostName
	$b \| Add-Member -MemberType NoteProperty -Name destination_host -value $Hosts_vteps[$i].hostName
	$b \| Add-Member -MemberType NoteProperty -Name source_VMK -value $s_vtep.Name
	$b \| Add-Member -MemberType NoteProperty -Name source_IP -value $s_vtep.IPv4
	$b \| Add-Member -MemberType NoteProperty -Name destination_vmk -value $d_vtep.Name
	$b \| Add-Member -MemberType NoteProperty -Name destination_IP -value $d_vtep.IPv4

	switch($ping64){

	"Fail1" {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_64 -value "Fail"
	$b \| Add-Member -MemberType NoteProperty -Name Error_Message_64 -value $Fail1
	}

	"Fail2" {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_64 -value "Fail"
	$b \| Add-Member -MemberType NoteProperty -Name Error_Message_64 -value $Fail2
	}
	"Fail3" {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_64 -value "Fail"
	$b \| Add-Member -MemberType NoteProperty -Name Error_Message_64 -value $Fail3
	}
	default {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_64 -value "Pass"
	}

	}

	switch($ping1572){

	"Fail1" {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_1572 -value "Fail"
	$b \| Add-Member -MemberType NoteProperty -Name Error_Message_1572 -value $Fail1
	}

	"Fail2" {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_1572 -value "Fail"
	$b \| Add-Member -MemberType NoteProperty -Name Error_Message_1572 -value $Fail2
	}

	"Fail3" {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_1572 -value "Fail"
	$b \| Add-Member -MemberType NoteProperty -Name Error_Message_1572 -value $Fail3
	}
	default {
	$b \| Add-Member -MemberType NoteProperty -Name Ping_1572 -value "Pass"
	}

	}

	$script:detailed_report += $b
	}
	}

	#bulding summary report
	$c = New-Object -TypeName Psobject
	$c \| Add-Member -MemberType NoteProperty -Name source_host -value $Hosts_vteps[$source].hostName
	$c \| Add-Member -MemberType NoteProperty -Name destination_host -value $Hosts_vteps[$i].hostName

	if(($detailed_report \| ?{($_.source_host -eq $Hosts_vteps[$source].hostName) -and ($_.destination_host -eq $Hosts_vteps[$i].hostName)}) -match "Fail"){
	$c \| Add-Member -MemberType NoteProperty -Name Result -Value "Fail"
	}
	else{
	$c \| Add-Member -MemberType NoteProperty -Name Result -Value "Pass"
	}
	$script:summary_report += $C
	}
	}
	}


	# get transportZone-host array
	$tz_hosts = @()
	Get-NsxTransportZone \| %{
	$Props = @{
	tzName = $_.Name
	clusterNames = $_.clusters.cluster.cluster.name
	hostNames = ($_.clusters.cluster.cluster.name \| %{get-cluster -name $_ \| get-vmhost}).name
	}
	$tz_hosts += New-Object PSObject -Property $Props
	}

	# iterate through zones/host/vteps
	foreach($tz in $tz_hosts){
	Write-host -Fore:magenta "Testing ESXi hosts in Transport Zone $($tz.tzname)"

	# reset reporting arrays for each transport zone
	$detailed_report = @()
	$summary_report = @()

	# Collecting host-vteps array
	$Hosts_vteps = @()
	foreach($vmhost in $tz.hostNames){
	#create esxcli object for a host
	$esxcli = Get-ESXCLI -VMHost $vmhost -V2
	$esxVersion = ($esxcli.system.version.get.Invoke()).version

	#collecting VTEP VMK names and IP Addresses
	$vteps = $esxcli.network.ip.interface.list.Invoke() \| ?{$_.netstackinstance -eq "vxlan"} \| select Name, Enabled, MTU

	#collect IP addresses for each VTEP
	foreach($vmk in $vteps){
	if($esxVersion -eq "6.0.0"){
	$ipv4 = ($esxcli.network.ip.interface.ipv4.get.Invoke() \| ?{$_.name -eq $vmk.name}).IPv4Address
	}
	else{
	$ipv4 = ($esxcli.network.ip.interface.ipv4.address.list.Invoke() \| ?{$_.name -eq $vmk.name}).IPv4Address
	}
	$vmk \| Add-Member -MemberType NoteProperty -Name IPv4 -Value $ipv4 -force
	}

	# update Host-VTEP array with host name and VTEP info
	$a = New-Object -TypeName psobject
	$a \| Add-Member -MemberType NoteProperty -Name hostName -Value $vmhost
	$a \| Add-Member -MemberType NoteProperty -Name vteps -Value $vteps
	$hosts_vteps += $a
	}


	for($i = 0; $i -lt $Hosts_vteps.Count; $i++){
	host_to_host_ping -source $i
	Write-host
	}

	# Exporing reports
	$detailedFileName = $startTime + "_" + $($tz.tzName) + "_detailed_report.csv"
	$detailedFilePath = Join-Path -Path $path -ChildPath $detailedFileName

	$summaryFileName = $startTime + "_" + $($tz.tzName) + "_summary_report.csv"
	$summaryFilePath = Join-Path -Path $path -ChildPath $summaryFileName

	Write-host "Detailed report for transport zone $($tz.tzName) is exported to $detailedFilePath file"
	write-host "Summary report for transport zone $($tz.tzName) is exported to $summaryFilePath file"
	$detailed_report \| Export-Csv -Path $detailedFilePath -NoTypeInformation
	$summary_report \| Export-Csv -Path $summaryFilePath -NoTypeInformation

	if($summary_report -match "Fail"){
	write-host -fore:red "There were issues detected in transport zone $($tz.tzName) during VTEP validation test, please check reports for details"
	}
	else{
	write-host -fore:green "No issues were detected in transport zone $($tz.tzName) during VTEP validation test"
	}
	}

view raw Validate-VTEP.ps1 hosted with ❤ by GitHub

Feel free to provide feedback on any bugs you may encounter using this script.

Sunday, 27 August 2017

Updating configuration of NSX Controllers and Edge appliances

If you have been playing with NSX you may have noticed that you cannot edit settings of virtual appliances deployed by NSX, e.g. controllers or Edge appliances. That's how VMware want to ensure the best performance of NSX in your environment. However, there might be cases when you still need to adjust some NSX appliances' settings.

In my case I needed to be able to change Memory Reservation settings. The thing is that all NSX appliances are deployed with 100% of memory reservation. My home lab grew up to almost 200Gb of RAM, but I still struggle with lack of memory especially when I run few nested deployments, each with its own NSX.

I am a big fan on PowerCLI so I tried to use Set-VMResourceConfiguration command let, but that attempt wasn't successful.

as you can see in the screenshot this method is disabled.

You can check all the methods disabled for VMs using this command

(get-vm VMname).ExtensionData.disabledmethod

As you can see the ReconfigVM_Task is in the list of disabled methods, which prevents any changes to the VM config.

There is a way to enable this method, but it can only be done through vSphere MOB, but I personally find it really confusing and not user friendly. And I had no clue how to automate this process. So, I gave up on this.

Then I thought there should be a way to change NSX appliances config through NSX RestAPI. And actually there is.

Here is how you can change the memory reservation of NSX edges using curl. Update the values in bold before using.

1. Grab the NSX edge config and save it in XML file

curl -k -u 'username:password' -H "Content-Type: application/xml" -X GET https://nsxFQDN:443/api/4.0/edges/Edge-ID/appliances/highAvailabilityIndex > XXX.xml

2. Update the memory reservation in xml file.

<memoryReservation>
<limit>-1</limit>
<reservation>YYY</reservation>
</memoryReservation>

3. Update the edge config

curl -k -u 'username:password' -H "Content-Type:application/xml" PUT https://nsxFQDN:443/api/4.0/edges/Edge-ID/appliances/highAvailabilityIndex -d "@XXX.xml"

As you can see you can change some settings of the Edge, but you cannot do the same with controllers. At least I couldn't find anything similar for controllers in NSX RestAPI guide.

Also, it is not easy to automate.

Here is an example of how you can use PowerCLI to automate RestAPI calls

	# Get-AuthHeader function - used to collect vRO credentials and produce authorization header

	function Get-AuthHeader($string) {
	$bytes = [System.Text.Encoding]::UTF8.GetBytes($string);
	$encoded = [System.Convert]::ToBase64String($bytes);
	$cred = "Basic $($encoded)"
	return $cred;
	}

	Function Get-NSXRestAPI{

	Param(
	[string]$usr,
	[string]$pwd,
	[string]$NSXServer
	[string]$apiFormat = 'xml', # either xml or json
	)

	add-type @"
	using System.Net;
	using System.Security.Cryptography.X509Certificates;
	public class TrustAllCertsPolicy : ICertificatePolicy {
	public bool CheckValidationResult(
	ServicePoint srvPoint, X509Certificate certificate,
	WebRequest request, int certificateProblem) {
	return true;
	}
	}
	"@

	[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

	$auth= Get-AuthHeader("$($usr):$($pwd)")

	$headers = @{"Authorization"=$auth;"Content-Type"="application/$($apiFormat)"}
	$URLpost = "https://$($NSXServer)/api/4.0/edges/edge-6/appliances"
	$ret = Invoke-WebRequest -Method get -uri $URLpost -Headers $headers

	[xml]$rxml = $ret.content

	return $rxml
	}

	$result = Get-NSXRestAPI -usr Username -pwd Password -NSXServer NSXmanagerFQDN

view raw Get-NSXRestAPI.ps1 hosted with ❤ by GitHub

And here what you can get from the output

From here you can update anything you need and change the config using similar PowerCLI function.

As you can see it is more time consuming way of doing things. and again, this is not applicable for NSX controllers.

So I thought I should go back to the original idea of enabling ReconfigVM_task method and started searching for instructions when I found out (once again) that William Lam has already done this. In this post he explains how you can disable vMotion for some of the VMs by disabling MigrateVM_task method. But the most amazing part of that post was that he created PowerCLI functions to enable/disable any methods without using vSphere MOB.

From here it was really easy to create the following script which changes the memory reservation on any VMs - whether they are deployed by NSX or not.

	# Created by Askar Kopbayev
	# Description: Changes VM Memory reservations on all VMs to 99%, including NSX Edges and Controllers where ReconfigureVM_Task method is disabled.
	# Credit to William Lam for amazing functions to Enable and Disable Methods http://www.virtuallyghetto.com/2016/07/how-to-easily-disable-vmotion-cross-vcenter-vmotion-for-a-particular-virtual-machine.html

	Function Enable-vSphereMethod {
	param(
	[Parameter(
	Position=0,
	Mandatory=$true,
	ValueFromPipeline=$true,
	ValueFromPipelineByPropertyName=$true)
	]
	[String]$vmmoref,
	[string]$vc_server,
	[String]$vc_username,
	[String]$vc_password,
	[String]$enable_method
	)

	$secpasswd = ConvertTo-SecureString $vc_password -AsPlainText -Force
	$credential = New-Object System.Management.Automation.PSCredential($vc_username, $secpasswd)

	# vSphere MOB URL to private enableMethods
	$mob_url = "https://$vc_server/mob/?moid=AuthorizationManager&method=enableMethods"

	# Ingore SSL Warnings
	add-type -TypeDefinition @"
	using System.Net;
	using System.Security.Cryptography.X509Certificates;
	public class TrustAllCertsPolicy : ICertificatePolicy {
	public bool CheckValidationResult(
	ServicePoint srvPoint, X509Certificate certificate,
	WebRequest request, int certificateProblem) {
	return true;
	}
	}
	"@
	[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

	# Initial login to vSphere MOB using GET and store session using $vmware variable
	$results = Invoke-WebRequest -Uri $mob_url -SessionVariable vmware -Credential $credential -Method GET

	# Extract hidden vmware-session-nonce which must be included in future requests to prevent CSRF error
	# Credit to https://blog.netnerds.net/2013/07/use-powershell-to-keep-a-cookiejar-and-post-to-a-web-form/ for parsing vmware-session-nonce via Powershell
	if($results.StatusCode -eq 200) {
	$null = $results -match 'name="vmware-session-nonce" type="hidden" value="?([^\s^"]+)"'
	$sessionnonce = $matches[1]
	} else {
	Write-host "Failed to login to vSphere MOB"
	exit 1
	}

	# The POST data payload must include the vmware-session-nonce variable + URL-encoded
	$body = @"
	vmware-session-nonce=$sessionnonce&entity=%3Centity+type%3D%22ManagedEntity%22+xsi%3Atype%3D%22ManagedObjectReference%22%3E$vmmoref%3C%2Fentity%3E%0D%0A&method=%3Cmethod%3E$enable_method%3C%2Fmethod%3E
	"@

	# Second request using a POST and specifying our session from initial login + body request
	$results = Invoke-WebRequest -Uri $mob_url -WebSession $vmware -Method POST -Body $body

	# Logout out of vSphere MOB
	$mob_logout_url = "https://$vc_server/mob/logout"
	Invoke-WebRequest -Uri $mob_logout_url -WebSession $vmware -Method GET
	}

	Function Disable-vSphereMethod {
	param(
	[Parameter(
	Position=0,
	Mandatory=$true,
	ValueFromPipeline=$true,
	ValueFromPipelineByPropertyName=$true)
	]
	[String]$vmmoref,
	[string]$vc_server,
	[String]$vc_username,
	[String]$vc_password,
	[String]$disable_method
	)

	$secpasswd = ConvertTo-SecureString $vc_password -AsPlainText -Force
	$credential = New-Object System.Management.Automation.PSCredential($vc_username, $secpasswd)

	# vSphere MOB URL to private disableMethods
	$mob_url = "https://$vc_server/mob/?moid=AuthorizationManager&method=disableMethods"

	# Ingore SSL Warnings
	add-type -ErrorAction Ignore -TypeDefinition @"
	using System.Net;
	using System.Security.Cryptography.X509Certificates;
	public class TrustAllCertsPolicy : ICertificatePolicy {
	public bool CheckValidationResult(
	ServicePoint srvPoint, X509Certificate certificate,
	WebRequest request, int certificateProblem) {
	return true;
	}
	}
	"@
	[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

	# Initial login to vSphere MOB using GET and store session using $vmware variable
	$results = Invoke-WebRequest -Uri $mob_url -SessionVariable vmware -Credential $credential -Method GET

	# Extract hidden vmware-session-nonce which must be included in future requests to prevent CSRF error
	# Credit to https://blog.netnerds.net/2013/07/use-powershell-to-keep-a-cookiejar-and-post-to-a-web-form/ for parsing vmware-session-nonce via Powershell
	if($results.StatusCode -eq 200) {
	$null = $results -match 'name="vmware-session-nonce" type="hidden" value="?([^\s^"]+)"'
	$sessionnonce = $matches[1]
	} else {
	Write-host "Failed to login to vSphere MOB"
	exit 1
	}

	# The POST data payload must include the vmware-session-nonce variable + URL-encoded
	$body = @"
	vmware-session-nonce=$sessionnonce&entity=%3Centity+type%3D%22ManagedEntity%22+xsi%3Atype%3D%22ManagedObjectReference%22%3E$vmmoref%3C%2Fentity%3E%0D%0A%0D%0A&method=%3CDisabledMethodRequest%3E%0D%0A+++%3Cmethod%3E$disable_method%3C%2Fmethod%3E%0D%0A%3C%2FDisabledMethodRequest%3E%0D%0A%0D%0A&sourceId=self
	"@

	# Second request using a POST and specifying our session from initial login + body request
	$results = Invoke-WebRequest -Uri $mob_url -WebSession $vmware -Method POST -Body $body
	}

	### Update this section ###

	$vc_server = "vcenter.home.local"
	$vc_username = "administrator@vsphere.local"
	$vc_password = "Password"
	$method_name = "ReconfigVM_Task"

	# Connect to vCenter Server
	$server = Connect-VIServer -Server $vc_server -User $vc_username -Password $vc_password

	# Get all VMs with 100% of RAM reservation
	$VMs = get-vm \| ?{$_.MemoryGB -eq (Get-VMResourceConfiguration -vm $_).MemReservationGB}

	# Split them into 2 arrays
	$NsxVMs = $VMs \| ?{$_.extensiondata.disabledmethod -contains "ReconfigVM_Task"}
	$regularVMs = $VMs \| ?{$_.extensiondata.disabledmethod -notcontains "ReconfigVM_Task"}

	# Change mem reservations for VM where ReconfigVM_Task methdod is not disabled
	foreach($vm in $regularVMs){

	Get-VMResourceConfiguration -vm $vm.name \| Set-VMResourceConfiguration -MemReservationGB $($vm.MemoryGB*0.99) \| Out-Null
	Write-host "$VM has"$vm.MemoryMB "MB assigned and" $((Get-VMResourceConfiguration -vm $vm.name).MemReservationMB)"MB reserved"
	}

	# Enabled ReconfigVM_Task method for the second array
	foreach($vm in $NsxVMs){
	Enable-vSphereMethod -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vmmoref $vm.ExtensionData.MoRef.Value -enable_method $method_name \| out-null
	}

	sleep 5

	# Change mem reservations
	foreach($vm in $NsxVMs){
	Get-VMResourceConfiguration -vm $vm.name \| Set-VMResourceConfiguration -MemReservationGB $($vm.MemoryGB*0.99) \| Out-Null
	Write-host "$VM has"$vm.MemoryMB "MB assigned and" $((Get-VMResourceConfiguration -vm $vm.name).MemReservationMB)"MB reserved"
	}

	# Disable ReconfigVM_Task method
	foreach($vm in $NsxVMs){
	Disable-vSphereMethod -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vmmoref $vm.ExtensionData.MoRef.Value -disable_method $method_name \| out-null
	}

	# Get all VMs with 100% of RAM reservation
	$NewVMs = get-vm \| ?{$_.MemoryGB -eq (Get-VMResourceConfiguration -vm $_).MemReservationGB}
	If($newVMs){
	Write-host -Fore:red "The following VMs still have 100% of memory reservations"
	$newVMs
	}
	else{
	Write-host -Fore:green "No VMs with 100% of RAM reservations were detected"
	}

	# Disconnect from vCenter Server
	Disconnect-viserver $server -confirm:$false

view raw ChangeMemReservations.ps1 hosted with ❤ by GitHub

The script grabs all VMs with 100% of memory reservations and changes this value to 99%. You can change this value to whatever you prefer. If ReconfigureVM method is disabled the script will re-enable it first. After the memory reservation is updated the script will change the ReconfigVM method back to disabled.

All you need to do is to update the vCenter name and credentials before you run the script.

Here is the example of the script output

A word of caution - this is not officially supported way of changing the settings of NSX appliances. It works but it's at your own risk.

Monday, 8 May 2017

Testing new vSphere 6.5 feature - DRS CPU overcommitment

I am currently working on a project where one of the customer's requirements is to use strict pCPU to vCPU ratio. Luckily, VMware introduced new feature called CPU over-commitment ratio in vSphere 6.5 which helps to meet the requirement. I spent an evening playing with this new feature and would like to share my experience.

The VMware documentation is quite laconic when it discusses new DRS features. So, after reading the documentation I still had few questions on how CPU over-commitments works:

Does it count vCPUs against Physical or Logical Processors?
What is DRS behaviour when the ratio is violated?
Is over-commitment ratio applied per host or per cluster?
Will HA respect this ratio when restarting VMs after the host failure?
Is ratio changed when host is placed into maintenance mode?

So, let's try to answer all these questions using my lab.

1. Does it count vCPUs against Physical or Logical Processors?

Usually I run most of my tests in the nested labs using nested ESXi servers, but to answer this question I had to use one of my physical clusters which supports hyperthreading and thus provides physical and logical processors.

The cluster consists of 2 x SuperMicro Servers and each of the servers runs on Xeon D-1528 CPU with 6 physical cores. So, in total I have 12 physical / 24 logical processors in the cluster.

Currently I am running 4 VMs with 11 vCPUs assigned in total. DRS is enabled and CPU overcommitment is configured to 100%. I am planning to power on a another VM with 2 vCPUs.
If DRS counts over-commitment ratio using physical CPUs it should give me some kind of warning.

Here is the result of my attempt to power-on another VM.

As you can see it actually answers the second question too.

We can tell now that DRS definitely counts only physical CPUs. Interestingly, in this case DRS behaves as HA Admission Control prohibiting VM power-on operation as it will violate CPU over-commitment ratio.

3. Is over-commitment ratio applied per host or per cluster?

To answer this question I used my nested lab. Here are quick specs of the test cluster:

3 x ESXi servers
2 x CPU per server
3 x virtual machines configured with 2 vCPUs each
CPU over-commitment is set to 100%

So, I am running 6 vCPU in total on 6 CPUs in DRS cluster. Attempt to power on one more VM in this cluster will definitely fail as it will violate cluster level ratio.

Now, I vMotioned VM-2 to ESXi-1 which brought the pCPU to vCPU over-commitment ratio on that host to 200%. As you can see this vMotion didn't fail and no warning were generated.

DRS generate recommendations every 15 minutes and soon this cluster was balanced again, but that's part of DRS functionality that existed in previous versions of vSphere 6.5.

So, we can tell that this over-commitment ratio is applied per cluster.

4. Will HA respect this ratio when restarting VMs after the host failure?

It was the most tickling question for me. Taking into the consideration similarity of CPU over-commitment and HA Admission Control features I was wondering whether over-commitment ratio should be adjusted to take into the consideration host failure.

I used the same lab setup you saw above in question 3. I verified that each host has been running one dummy VM.

Then I restarted vesxi65-3 host and 2 minutes later the VM-3 was successfully restarted on vesxi65-1 server even though the CPU over-commitment ratio was equal to 150%.

This proves that HA restart has higher priority over CPU over-commitment ratio. This totally makes sense to me as VM's availability is more important that potential performance impact.

5. Is ratio changed when host is placed into maintenance mode?

I reverted my lab back to default settings and tried to place the host into maintenance mode which would result in 4 pCPU to 6 vCPU ratio which would violate configured CPU over-commitment ratio.
The tasks didn't fail so I at first I assumed that there would be no problem.

5 minutes later that task was still running so I checked the DRS Faults and immediately found the following.

Clearly, DRS would always respect its own over-commitment rule when trying to generate vMotion recommendations.

So, the main takeaways for today are:

Only physical CPUs are used in calculations - no hyper threading
CPU over-commitment works very similar to Admission Control by preventing VMs to power on if it will violate the configured ratio.
During HA failover the CPU overcommitment setting is ignored - makes sense as recovering VMs is more critical than respecting overcommitment ratio
The over-commitment ratio is applied at cluster level
DRS will prevent placing the host into maintenance mode if it breaks its rules.

Thursday, 4 May 2017

Creating replica seeds for vSphere Replication

I have known for a while that vSphere Replication allows to use replica seeds to significantly save time of initial sync.

This approach is recommended when there is not sufficient bandwidth between sites to complete replication in time. In this case it is recommended to create copies of the VM disks, transfer them to the destination site using external media, e.g. external USB hard drive. Once the files are copied to the target datastore vSphere Replication can be instructed to use them as replica seeds. The source and target disks will be scanned and only modified blocks of data will be transferred.

There is an issue with this approach. According to VMware documentation the virtual machine has to be powered off before creating disk copies of the original VM. In most environments this kind of action require Request for Change and it can take quite a while before this request approved.

As a workaround you can clone powered on VM, but the disks of the cloned VM will have new UUID. When vSphere Replication is instructed to use replica seeds it compares source and destination disks using two criteria - VMDK name and UUID. If one of them doesn't match in both disks you won't be able to configure vSphere Replication for this VM.

Therefore, I thought it is a nice opportunity to simplify process of creating replica seeds for vSphere Replication with no outage for virtual machines.

So, the whole process is quite simple:

1. Clone running VM. The cloned VM will need to have the same name to keep the disk names identical. Since VMs will have the same name they will need to be placed into different folders.

2. Run the script that will update the cloned VM's disk with original UUIDs.

	<#
	.SYNOPSIS
	This script allows to create replica seeds for vSphere Replication without powering off the source VM and keeping identical UUID
	.NOTES
	File Name : xMove-VM.ps1
	Author : Askar Kopbayev - @akopbayev
	Version : 1.0
	.LINK
	http://vmnomad.blogspot.com/creatingreplicaseedsforpoweredOnVMs.html
	.LINK
	https://github.com/vmnomad
	#>

	$vdm = get-view -id (get-view serviceinstance).content.virtualdiskmanager

	# Get Datatcenter
	$dc=get-datacenter

	# Get Original VM
	$sourceVM = get-folder -name Source \| get-VM -name TestVM

	# Get VM Clone
	$destVM = get-folder -Name Clone \| get-VM -name $SourceVM.Name

	# Get VM disks
	$SourceHDs = $SourceVM \| Get-HardDisk
	$DestHDs = $DestVM \| Get-HardDisk

	# replace destination disk UUID
	for($i=0; $i -lt $sourceHDs.count; $i++) {
	# retrieve UUID of the original disk
	$SourceUUID = $vdm.queryvirtualdiskuuid($SourceHDs[$i].filename , $dc.id)

	# Assigning original UUID to the cloned disk
	$vdm.setVirtualDiskUuid($DestHDS[$i].filename, $dc.id, $SourceUUID)
	}

view raw ReplaceUUID.ps1 hosted with ❤ by GitHub

Tuesday, 28 March 2017

Migration options with VMware

I have been recently working on one large IT transformation project. While I have been involved in the design of vSphere, vSAN and NSX of the new environment my main focus was on the the migration strategy of the existing virtual workload.

While going through numerous options I realised that if you run vSphere & SRM you already have tools that could cover most of the migration scenarios.

So, I thought I would post a quick summary of the few migration options which will cover each solution's pros and cons and requirements.

Learn more

Saturday, 14 January 2017

Upgrade to ESXi 6 failed - Upgrade option is missing in the consecutive attempts

Recently I had an issue while upgrading the customer's environment from ESXi 5.5 to 6.

This was very sensitive vSAN cluster with numerous issues so I had to manually upgrade hosts.
One of the hosts failed during the upgrade process with an error "[Errno 28] No space left on device"

After some troubleshooting I found that the /locker/packages folder contained 5.5.0 and 6.0.0 packages folder so I moved both these folders to a shared datastore to cleanup up some space.

However, when I tried to run the upgrade for the second time the installer didn't provide Upgrade option. If you open the details of the disk where ESXi is installed, in my case SD card, you will see that the Installer cannot find ESXi there.

However, I could still boot ESXi host just fine.

Well, the thing is that ESXi contains two boot partisions with two symbolic links to boot partitions /bootbank and /altbootbank.

When ESXi is updated/upgraded the new files are actually writtent to the /altbootbank partition and then the symlinks are updated so that /altbootbank partition becomes /bootbank partition and vice versa.

That allows to rollback the ESXi update/upgrade if something goes wrong with the /bootbank.

In my case the /altbootbank wasn't fully updated due to the failed upgrade process and it didn't containg the state.tgz file which is actually a collection of configuration files. Some othere files were missing too and the sizes of two partitions differ significantly.

So, it looks like when the /altbootbank is corrupted and doesn't contain all files the Installer refuses to recognize installed ESXi.

Therefore, I deleted all files from the /altbootbank partition and copied the content of /bootbank over and on the next attempt I was suggested to upgrade the ESXi host.