My name is Brian O’Connell. I work for VMware as part of the Cloud Infrastructure Business Group working on VMware Cloud Foundation (VCF) architecture design. I am an IT geek at heart and love playing with new technologies. I started my career in an IT services role as a Systems administrator for SMB’s and moved to EMC in 2010 where I worked for the EMC vLab team developing content for the ever expanding vLab cloud platform. I moved into working with the EMC Cloud Engineering Team primarily focused on the EMC Enterprise Hybrid Cloud Solution (EHC). I am also a husband to a beautiful wife, father to 2 beautiful daughters and a musician (or failed rock star depending on how you look at it!). Hope you fins my content useful!
The first step in preparing for a VCF 5.2 to 9.0 upgrade is to update your Depot configuration to use token based authentication instead of username & password. This was a change that was made recently to how customers authenticate to the VMware/Broadcom software depots.
I am not going to repeat all the pre-reqs and steps from the KB here. The following steps assume you have retrieved your support entitlement token along with taking the necessary backups.
To run the script in interactive mode (with a menu) just run the following
.\VMwareDepotChange.ps1
Run option 1 to set the deployment type and enter Y when prompted to confirm it is a VCF deployment
Enter the SDDC Manager details when prompted and hit enter to validate the credentials
Run option 2 to input your Broadcom download token
Run option 4 to Update your depot configuration to use the token
Once the depot URLs are updated with your token you should now be able to download the required SDDC Manager bundles.
VCF 9.0 is deployed using the new VCF Installer (replacement for the old Cloud Builder appliance). During a VCF 9.0 bringup, you have the option to let the installer autogenerate all passwords to cut down on inputs. At the end of the installer workflow, there is a button you can click to show all passwords so you can make note of them.
But how do you retrieve them if you closed the installer wizard?
VCF 5.2.1 ships with Aria Lifecycle Manager 8.18. When you attempt to deploy an environment you will be met with the following error:
No content found corresponding to SDDC Manager version 5.2.1 This could be due to version incompatibility between VMware Aria Suite Lifecycle and SDDC Manager.
The reason for this is you need a product support pack (pspak) for Aria LCM 8.18 – specifically VMware Aria Suite Lifecycle 8.18.0 Product Support Pack 3. See this KB for more details on which product support pack maps to which release.
Download the pack from the Broadcom support site and log into Aria LCM. Navigate to Lifecycle Operations > Settings > Product Support Pack and click Upload.
Take a snapshot of Aria LCM and then click Select file and select the product support pack, and click Import.
Monitor the upload process in the Requests pane. Once the upload completes, navigate back to the Product Support Pack screen. The support pack will be shown. Click Apply Version & Submit. Aria LCM will restart services during the install.
Once the install completes, you should not have a list of available products when creating an environment.
When configuring vSphere Replication between 2 vCenter Servers, you need to add a dedicated VMKernel to each host in the source & target vCEnter Server clusters. Depending on the number of hosts per cluster, this can be a time-consuming manual task. Here is a quick script leveraging PowerCLI to retrieve the hosst from a specified cluster and loop through them adding a dedicated vSphere Replication VMKernel.
#Source VC vmks
$vCenterServer = "sfo-m01-vc01.sfo.rainpole.io"
$vCenterServerUser = "administrator@vsphere.local"
$vCenterServerPassword = "VMw@re1!VMw@re1!"
$clusterName = "sfo-m01-cl01"
$PortGroupName = "sfo-m01-cl01-vds01-pg-vlr"
$VLANID = 1116
$VSwitch = "sfo-m01-cl01-vds01"
$VMKIP = "10.11.16." # last octet will be incremented
$lastOctetStart = 101
$SubnetMask = "255.255.255.0"
$mtu = 9000
# Connect to vCenter
Connect-VIServer -Server $vCenterServer -user $vCenterServerUser -password $vCenterServerPassword
# Get Esxi hosts in cluster
$ESXiHosts = Get-cluster -name $clusterName | Get-VMHost
# Loop through each host and add an adapter with vSphere Replication Services enabled
$index = $lastOctetStart
foreach ($ESXi in $ESXiHosts) {
Write-Host "Processing host: $ESXi"
# Define VMkernel IP for this host
$VMKIPAddress = "$VMKIP$index"
$index++
# Add VMkernel adapter
Write-Host "Adding VMkernel adapter $VMKIPAddress to $ESXi"
$vmk = New-VMHostNetworkAdapter -VMHost $ESXi -VirtualSwitch $VSwitch -PortGroup $PortGroupName -IP $VMKIPAddress -SubnetMask $SubnetMask -VMotionEnabled $false -mtu $mtu
$vnicMgr = Get-View -Id $ESXi.ExtensionData.ConfigManager.VirtualNicManager
$vnicMgr.SelectVnicForNicType('vSphereReplication',$vmk.Name)
$vnicMgr.SelectVnicForNicType('vSphereReplicationNFC',$vmk.Name)
Write-Host "VMkernel adapter added successfully on $ESXi"
}
# Disconnect from vCenter
Disconnect-VIServer -Confirm:$false
When you deploy a component using VMware Aria Suite Lifecycle, it stores the credentials in it’s locker. If you need to SSH to a VCF Operations appliance and you dont know the root password, you need to retrieve the root password from the VMware Aria Suite Lifecycle locker. To do this you need to query the Aria Suite Lifecycle API for a list of locker entries using basic auth.
GET https://flt-fm01.rainpole.io/lcm/locker/api/v2/passwords?from=0&size=10
From the response, locate the corresponding vmid for the VCF OPs appliance
Query the Aria Suite Lifecycle locker for the decrypted password, again with basic auth, passing the Aria Suite Lifecycle root password in the payload body.
#BODY (Aria Suite Lifecycle root password)
{
"rootPassword": "VMw@re1!VMw@re1!"
}
POST https://flt-fm01.rainpole.io/lcm/locker/api/v2/passwords/a789765f-6cfc-497a-8273-9d8bff2684a5/decrypted
HAProxy is a free opensource load balancer that is supported for use with VMware VCF Operations (formerly VMware Aria Operations). Here are the steps you need to install and configure it on a Debian VM. This configuration was for a lab deployment and may not be optimised for production. Use at your own risk!
EDIT: My colleague Ryan Johnson has very kindly written a shell script to perform the steps. Code available here.
Add an interface to the Debian VM for the VCF Operations VIP
vi /etc/network/interfaces
# Insert the following and save the changes substituting the VLANs/Subnets with your own
# VCF OPs VIP
auto eth1.1110
iface eth1.1110 inet static
address 10.11.10.30
netmask 255.255.255.0
mtu 9000
# Restart network service
systemctl restart networking.service
One of my most visited posts in the past was this however the process for Photon OS 4 has changed slightly. pam_tally2 is no longer available. Now you need to use “failback”. The command to use now is as follows
This is the 2nd post in a series on the native PowerCLI Module For VMware Cloud Foundation (VCF). If you haven’t seen the previous post, it is available here:
This post will focus on the Cloud Builder module to perform a bringup of a VCF instance. For this example, I am using a pre-populated JSON file. I will do a follow-up post on how to create the spec from scratch.
To get started we need a Cloud Builder connection.
And once the validation passes, do the following to start the bringup:
Invoke-VcfCbStartBringup -sddcSpec $sddcSpec
Bringup is a long-running task but you can monitor the status using something like this
# Retrieve the bringup task id
$bringupTaskId = (Invoke-VcfCbGetBringupTasks).elements.Id
#Poll the status of the task until it is no longer in progress
Do {
$bringupTask = Invoke-VcfCbGetBringupTaskByID -id $bringupTaskId
}
Until ($bringupTask.Status -ne 'IN_PROGRESS')
I got a question from someone internally if renewing the VMCA signed certificate on SDDC Manager in a VCF instance is possible. For context, out-of-the-box SDDC Manager is signed by the VMCA on the management domain vCenter Server, but there is no supported way to renew that certificate. So before the VMCA certificate expires, you must replace it with a signed CA cert from your internal CA, or from an external 3rd party CA.
That said, it is possible to leverage VMCA to renew the cert on SDDC Manager. Here are some notes I had from doing this previously in the lab.
Disclaimer: This is not officially supported by VMware/Broadcom, use at your own risk.
First generate a CSR for SDDC Manager in the normal way using the SDDC Manager UI
Download the CSR as sfo-vcf01.sfo.rainpole.io.csr
SSH to the Management vCenter Server and do the following
mkdir /tmp/certs
upload CSR to /tmp/certs
cd /tmp/certs
vi /tmp/certs/cert.cfg
# cert.cfg contents replacing FQDN appropriately
[ req ]
req_extensions = v3_req
[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = caIssuers;URI:https://sfo-m01-vc01.sfo.rainpole.io/afd/vecs/ca
Save /tmp/certs/cert.cfg
On the management vCenter Server, generate the cert
As you are no doubt aware I am a fan of PowerShell and PowerCLI. Since my early days working with VMware products, whether it was vCenter, vCloud Director or VMware Cloud Foundation (VCF), I have always leveraged PowerCLI to get the job done. Up until recently, there was no native PowerCLI support for the VMware Cloud Foundation API. Hence why I started the open-source PowerVCF project almost 5 years ago! PowerVCF has grown and matured as new maintainers came onboard. Open-source projects are a great way to deliver functionality to our customers that is not yet available in officially supported channels. Since the release of PowerCLI 13.1 I am delighted to say that we now have officially supported, native PowerCLI modules for VMware Cloud Foundation.
2 distinct modules are now part of PowerCLI. One for the Cloud Builder API and one for the SDDC Manager API.
This connection object is then stored in $defaultsddcManagerConnections
Note: If you are working in a lab environment with untrusted certs you can pass -IgnoreInvalidCertificate to each of the above commands.
Once you have an active connection, you can begin to query the API. The example below returns a list of all hosts from SDDC Manager. One thing you will notice, if you are a PowerVCF user, is that you will need to parse the response a little more than you needed to with the PowerVCF cmdlet Get-VCFHost.
Running Invoke-VcfGetHosts will return a list of host elements
So to parse the response, you can do something like this, which will return the details of all hosts
But lets say you would like to filter the response to just the hosts from a specific workload domain. You first need the Id of the workload domain, in this case sfo-m01.
And you can then get a filtered list of hosts for that domain
Hopefully, this introduction was helpful, I will put together a series of blogs over the next few weeks covering some of the main VCF operations, such as bringup, commissioning hosts, deploying workload domains etc. As always, comments & feedback are welcome. Please let me know what your experience is with the new modules and I can feed it back to the engineering team.
LifeOfBrianOC 