Virtualization Adapted Adapting Business Processes for Virtual Infrastrcuture (and vice-versa)

2010/11/13

VMware VAAI Certification Test Summary

Filed under: virtualization — Tags: , , , , , , , — iben @ 17:47

VMware VAAI Certification Test Summary

Based on the VMware VAAI Certification Guide Revision date: 20101011

This guide is intended for VMware partners who want to certify VAAI storage with ESX to claim compatibility in the VMware HCLs.

The vStorage API calls off load certain storage operations to the storage array and optimize the storage operation. They are the new application programming interfaces in the VMKernel. Using a small set of primitives or fundamental operations that can be issued to an array supporting these interfaces, ESX can improve the performance on certain storage operations such as cloning, snapshotting, mirroring, zeroing blocks, and replication.

You certify these offload operations with your storage arrays and use this certification to obtain a listing in the VMware compatibility guide:

  • Atomic Test and Set (ATS) also known as Hardware Assisted Locking: a mechanism to modify a disk sector to improve the performance of ESX updating metadata.
  • Full Copy: given a source range of LBAs, copies them into the given destination range of LBAs.
  • Block Zeroing or Write Same: zeroes out the given range of LBAs.

VAAI Certification Test Process List

  1. BlockZeroDiskTest
    1. This test verifies that when ESX uses the VAAI BlockZero primitive, an eager‐zeroed‐thick vmdk volume is created faster.
    2. The operation compares execution time with and without enabling the VAAI BlockZero primitive. The test passes only if the execution time with VAAI enabled is less than with VAAI disabled.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. IMPORTANT Do not run any extraneous workloads on the storage array under test during the first 30 minutes of this test to avoid the possibility of non‐constant workloads skewing the test times and causing a test failure.
    5. Estimated test time: 30 minutes
  2. BlockZeroRDMTests
    1. This test verifies that zeroing a vmdk volume on an RDM disk is performed correctly when ESX uses the VAAI BlockZero primitive. The test is run on both a non‐pass‐through RDM as well as a pass‐through RDM disk.
    2. The operation is conducted with and without enabling the VAAI BlockZero primitive. The test logs note the execution times with and without the VAAI BlockZero primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 5 minutes to 3 hours
  3. BlockZeroMultiOffloadTests
    1. This test verifies that simultaneous creation of virtual disks on a shared datastore from two ESX hosts with VAAI BlockZero primitive enabled functions properly.
    2. The operation is conducted with and without enabling the VAAI BlockZero primitive. The test logs note the execution times with and without the VAAI BlockZero primitive, but the time does not determine test passing or failing.
    3. This test is conducted with no I/O to the array under test.
    4. Estimated test time: 10‐20 minutes
  4. FullCopyDiskTest
    1. This test verifies that when ESX uses the VAAI FullCopy primitive, a vmdk volume clones faster.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times with and without the VAAI FullCopy primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 36 hours, with a majority of the time spent verifying cloned volume contents.
  5. FullCopyRDMTests
    1. This test verifies that cloning a vmdk volume to an RDM disk is done correctly when ESX host uses the VAAI FullCopy primitive. The test is run with both a non‐pass‐through RDM as well as a pass‐through RDM disk as the destination disk.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times with and without the VAAI FullCopy primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 18 hours, with a majority of the time spent verifying cloned volume contents.
  6. FullCopyCloneVMTests
    1. This test verifies that virtual machine cloning operations function properly with the VAAI FullCopy primitive enabled.
    2. The test clones a virtual machine to both the same datastore as the source virtual machine as well as to a different datastore.
    3. The operation compares execution time with and without enabling the VAAI FullCopy primitive. The test passes only if the execution time with VAAI enabled is less than with VAAI disabled.
    4. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    5. IMPORTANT Do not run any extraneous workloads on the storage array under test during the first 30 minutes of this test to avoid the possibility of non‐constant workloads skewing the test times and causing a test failure.
    6. Estimated test time: 1 hour
  7. FullCopyCloneVMRDMTests
    1. This test verifies that virtual machine cloning operation from a non‐pass‐through RDM LUN to a pass‐through RDM LUN functions properly with the VAAI FullCopy primitive enabled.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times with and without the VAAI FullCopy primitive, but the time does not determine test passing or failing.
    3. The test is conducted with continuous I/O to the array under test from four virtual machines running on the ESX host.
    4. Estimated test time: 32 minutes
  8. FullCopyMultiOffloadTests
    1. This test verifies that the VAAI feature improves concurrent Full Copy from two ESX hosts.
    2. The operation is conducted with and without enabling the VAAI FullCopy primitive. The test logs note the execution times, but the time does not determine test passing or failing.
    3. This test is conducted with no I/O to the array under test.
    4. Estimated test time: 20 minutes
  9. ATSFileOpTests
    1. This test verifies that when ESX enables the VAAI ATS primitive, the file create, delete, read and write operations perform faster with simultaneous access to the LUN from two ESX hosts.
    2. The operation compares execution time with and without enabling the VAAI ATS primitive. The test passes only if the execution time with VAAI enabled is less than with VAAI disabled.
    3. This test is conducted with no I/O to the array under test.
    4. IMPORTANT Do not run any extraneous workloads on the storage array under test during the first 30 minutes of this test to avoid the possibility of non‐constant workloads skewing the test times and causing a test failure.
    5. Estimated test time: 12‐20 minutes
  10. ATSMultiLengthFileTests
    1. This test verifies that when ESX hosts use the VAAI ATS primitive, simultaneous file modifications from two ESX hosts function properly.
    2. The operation compares execution time with and without enabling the VAAI ATS primitive. The operation is conducted with and without enabling the VAAI ATS primitive. The test logs note the execution times, but the time does not determine test passing or failing.
    3. This test is conducted with no I/O to the array under test.
    4. Estimated test time: 3‐10 minutes
  11. ATSReserveTests
    1. This test verifies that when ESX hosts use the VAAI ATS primitive, file locking and unlocking modifications from two ESX hosts function properly.
    2. This test is conducted with no I/O to the array under test.
    3. Estimated test time: 3‐5 minutes

2010/10/28

HyTrust Appliance 2.1 Available

Filed under: virtualization — Tags: , , , , , , , , , , , , — iben @ 14:36

HyTrust recently celebrated its 3-year birthday.  HyTrust was founded in October 2007 to bring secure access control and policy to virtual infrastructure, enabling wider adoption of virtualization throughout the enterprise — exactly the same focus that we have today.

It’s amazing to see what we have achieved in the last three years: great enterprise customers; solid partnerships with the major players in virtualization (VMware, Cisco, RSA, Intel and Symantec); numerous accolades, including Best of Show at VMworld; and, of course, several significant releases of HyTrust Appliance…

So we’re excited to let you know that HyTrust Appliance 2.1 is now generally available. It is chock-full of exciting new enterprise features, including protection for the control of Cisco Nexus 1000V, application-level high availability, and smart card support.  As always, we have also made 2.1 available in the Community Edition form, which can be downloaded for free here: 
http://info.hytrust.com/appliance.html

New HyTrust Appliance Capabilities At a Glance

  • Support for VMware vSphere 4.1
  • Integrated access control, policy and audit logging for Cisco Nexus 1000V CLI management (NX-OS command set)
  • Support for complex, multi-domain Active Directory environments
  • Single sign-on via Windows pass-through authentication with smart card integration
  • New ESX hardening templates including VMware Hardening Guide 4.0 and (Sarbanes Oxley) SOX hardening template
  • Application-level high availability (in addition to VMware HA/FT and federation)

If you would like to take a look at the new functionality, we have recorded demos of the new version available for your viewing pleasure.
http://info.hytrust.com/recorded_product_demo.html

For those of you currently evaluating HyTrust Appliance, we’d like to extend an added incentive to make your purchase in Q4: for a limited time, HyTrust is offering a free “jump-start” professional services package to help you get up and running quickly. Contact sales (sales@hytrust.com) for more information.

2010/03/25

List of log files VMware vSphere ESX Classic version 4

Filed under: virtualization — Tags: , , , , , , , , — iben @ 11:02
The following log files contain information that needs to be track on a VMware vSphere ESX 4 Classic Host to be in compliance with many security standards and best practices such as CIS Benchmark, PCI-DSS, SOX section 404, HIPPA, CPNI, COSO, ISO 20001, COBIT, and so on.
You can use syslog or splunk lightweight forwarders for this purpose.

/var/log/vmkernel

/var/log/secure

/var/log/vmkwarning

/var/log/vmksummary

/var/log/vmksummary.txt

/var/log/messages

/var/log/vmware/*.log

/var/log/vmware/aam/*.log

/var/log/vmware/aam/*.err

/var/log/vmware/webAccess/*.log

/var/log/vmware/vpx/vpxa.log

/vmfs/volumes/*/*/*.log

 

Table with Explanation of files to log for VMware vSphere ESX Classic version 4

Component

Location

Purpose

 VMkernel

 /var/log/vmkernel

 Records activities related to the virtual machines and ESX

VMkernel warnings

/var/log/vmkwarning

Records activities with the virtual machines

VMkernel summary

/var/log/vmksummary

Used to determine uptime and availability statistics for ESX; comma separated

VMkernel summary human readable

/var/log/vmksummary.txt

Used to determine uptime and availability statistics for ESX; human‐readable summary

ESX host agent log

/var/log/vmware/hostd.log

Contains information on the agent that manages and configures the ESX host and its virtual machines

vCenter agent

 

/var/log/vmware/vpx/vpxa.log

Contains information on the agent that communicates with vCenter

Web access

Log all the files in the directory /var/log/vmware/webAccess/*.log
client.log, proxy.log, unitTest.log, viewhelper.log, objectMonitor.log, timer.log, updateThread.log

Records information on Web-based access to ESX
(service vmware-webAccess start on ESX host to enable this)

Authentication log

/var/log/secure

Contains records of connections that require authentication, such as VMware daemons and actions initiated by the xinetd.

Service Console

/var/log/messages

Contain all general log messages used to troubleshoot virtual machines or ESX

Virtual machines

The same directory as the affected virtual machine’s configuration files; named vmware.log and vmware‐*.log

/vmfs/volumes/<DS>/<VM>/vmware.log

/vmfs/volumes/<DS>/<VM>/vmware-*.log

Contain Virtual Machine Power Events, system crashes, Tools status and activity, Time Sync, Virtual Hardware changes, VMotion Migrations, Machine Clones,

Table  – List of ESX Host Files to Log

 

 

2010/03/19

Number of ports to use for standard and distributed virtual switches

VMware just updated their KB: Reserved or overhead ports for virtual switches (http://kb.vmware.com/kb/1008040) and we’ve run into this issue a number of times since upgrading to vSphere ESX 4. These new high memory hardware architectures allow an unprecedented number of virtual machine guests to be consolidated on a single ESX host.

By default a vswitch may not have enough ports to support the consolidation ratio your equipment can support. New ESX hosts can have 256 GB of RAM with 4 hex core processors and easily support 100 or more virtual machines. These virtual machines might have 1, 2, or more vNICs configured and each would need a port on the vswitch. One might imagine the need for 500 to 1000 ports needed per esx host. Why not just make it 2000 so we don’t have to worry about it later on?

Once you run out of vswitch ports you cannot power on any more vms on that host and even get errors about unplugged network cable.  Increasing the vSwitch port allocation seems easy enough, vmotion all workload off the host, put it in maintenance mode, change the vswitch config, reboot. Some system administrators run into this issue and decide to make the number of ports allocated to the vswitch really high to prevent this from ever being an issue. This can cause problems though.

There’s a limit of how many vswitch ports in total an ESX host has to hand out to it’s various vswitches. In addition, if security is a concern, you may start running firewall virtual appliances like vShield Zones or Catbird. WAN Accerators and Performance Monitoring tools like AppSpeed also require additional vSwitches to be created. Ports used on these vSwitches all take away from the total bucket of available ports.

Once 4096 ports are allocated to existing vSwitches you will not be able to add additional hosts to a vNetwork Distributed Switch either.

We also have the following Security Recommendation:

Only allocate vswitch ports to virtual machines on demand and as needed.

This will make it difficult if not impossible to “plug” a VM into the wrong network by accident. Testing for this can be done manually through the vSphere Client. If there are no ports available on a vSwitch then this is a positive test.

1. While connected to the vCenter Server Navigate to Home – Inventory – Networking in the vSphere Client and click on the vDS in question.
2. Click on the Ports Tab
3. If all of the ports in the list have a VM associated with it in the “connected”column then this is a positive test.

Deployment scenarios where a very large number of uplinks are teamed together on a single virtual switch might significantly impact the number of  ports on that virtual switch available for virtual machine use, and the overall size of the virtual switch might need to be adjusted accordingly.
 
The current port utilization data for virtual switches can be reviewed by using the esxcfg-vswitch –list command.
 
The current overhead utilization on a given virtual switch can be calculated by subtracting the Used Ports value for all PortGroups from the Used Ports value for that virtual switch.

Recommendation: Use VNDS vNetwork distributed Switches for all Virtual Machine traffic and limit the number of ports assigned to each standard vSwitch used for vmkernel and service console.

Standard vSwitch Procedure:

Note: A server reboot is required to apply the following configuration change.  Migrate the virtual machines off the ESX host to prevent any downtime.   On the vswitch there is an option to specify the number of ports the vswitch supports.  

To view this setting:

  1. Click the Configuration tab of the ESX host in the Virtual Infrastructure Client (VI Client).
  2. Click Networking.
  3. Click Properties.

  4. Click on vSwitch.
  5. Click Edit.

  6. On the General tab select the number of ports you want and click OK.

 

  • Reboot the ESX host for changes to take effect.
  • Reference Links

    2009/04/28

    VMware Security Compliance Tools

    Filed under: virtualization — Tags: , , , , , , , , , — iben @ 10:37
    This is a short list of Tools and Documents concerning security in a Virtual Infrastructure.
    Tools – page 1
    Documents – page 2

    Tools

    Configuresoft

    • Configuresoft’s Center for Policy and Compliance (CP&C) has led the industry in forming opinion and bringing together published security and compliance information to build a rich library of compliance toolkits that are available for download by Configuresoft customers from www.configuresoft.com. These CP&C Compliance Toolkits include:
    • VMware Infrastructure 3 Security Hardening Guidelines and VMware Virtual Center Best Practices
    • FISMA Compliance Toolkit for Virtual Computing
    • GLBA Compliance Toolkit for Virtual Computing
    • HIPAA Compliance Toolkit for Virtual Computing
    • Sarbanes-Oxley (404) Compliance Toolkit for Virtual Computing
    • DISA STIG Compliance Toolkit for Virtual Computing
    • http://vmblog.com/archive/2008/04/08/configuresoft-expands-security-and-compliance-coverage-to-include-cis-vmware-esx-3-x-server-benchmark.aspx

    HyTrust

    HyTrust Appliance – http://www.hytrust.com/product/overview

    • The HyTrust™ Appliance offers IT managers and administrators of virtual
      infrastructure a centralized, single point of control and visibility for:
    • configuration management
    • compliance auditing
    • access management
    • best practices
    • process workflow
    • security controls

    TripWire

    http://www.tripwire.com/solutions/virtualization/

    ConfigCheck

    • ConfigCheck rapidly assesses the security of ESX 3.0 and 3.5 hypervisors compared to the Virtual Infrastructure 3 Security Hardening Guidelines.
    • ConfigCheck assesses nearly 100 configurations of the ESX server, and most VI professionals who run the test find significant vulnerabilities. ConfigCheck’s remediation report provides detailed, step-by-step guidance to bring your virtual environment into a state that is secure. ConfigCheck helps you:
      • Ensure recommended ESX configurations
      • Discover possible vulnerabilities
      • Deploy virtualization safely and securely
      • Increase security posture of the entire enterprise
      • Reduce configuration drift
    • http://www.vwire.com/free-tools/configcheck/

    VMinformer

    • VMinformer is a security tool designed to check the security posture of your VMware environment. The tool comes with pre-defined policies that can be customized to suit your specific requirements and are based on industry best practices such as ‘VMware’s Security best practice hardening guide’ and the ‘DISA ESX STIG’ hardening guide. The policies also contain rules that have been based on extensive research and industry experience.
    • Features:
    • Connects to your ESX hosts or Virtual Center (v3.0, 3.5 and VC 2.5)
    • Pre-defined policies based on industry best practices (VMware security hardening guide)
    • Policies can be customized for your environment
    • Provides full visibility and monitoring of your ESX hosts and Virtual machines
    • Dashboard – Provides a graphical overview of VM’s and Security Posture
    • Reporting
    • Remediation guidance

    (more…)

    Powered by WordPress