VMworld is this week! While I am sad I cannot see many of you in person, I wanted to spend some time to review a few sessions that are rather pertinent for our global cloud providers. I am going to break this out into specific categories. The sessions I list below are not exhaustive in nature as there are over 40+ sessions that are Cloud Provider focused.Continue reading “VMworld 2020 – Top Cloud Provider Sessions”
VMware and Amazon Web Services are making a significant investment in providing a vSphere experience in a hyperscaler environment and we continue to see adoption for Cloud Service Providers utilizing VMware Cloud on AWS as an offering for managed services.
In this post, I will review my approach, what to expect on the exam, and my raw study notes.
I decided to prepare for the VMware Cloud on AWS Management Exam 2019 (Exam 5v0-31.19) and sit for it. While there’s a lot of great material that I will review below, I wanted to provide my approach for others.
- Always start with the blueprint. I print this out and go through line to verify I have a base level understanding of the objective and what I need to focus on.
- First off, there is some great material already online that I reviewed:
- I went through the VMware Cloud on AWS: Deploy and Manage – On Demand course on VMware Education.
- This was beneficial as it covered a lot of the fundamentals including some AWS concepts I was not aware of.
- I would highly recommend this for people even new to VMware vSphere as it reviews many of these concepts at a high-level.
- Went through the VMware Hands on Lab for VMware Cloud on AWS (1987-01-HBD) – this is great to get your hands-on and experience setting up a SDDC. Walks through many of the same concepts I saw in the Deploy and Manage course.
It’s 30 questions and is done via the Pearson Vue site online. I thought it was very fair as a skill/badge exam and goes over many of the fundamental requirements. As expected, it’s true to the blueprint.
My Raw Notes
For me, I always prepare a final checklist of things I review before I take any examination. Below is my list of raw notes I used before I took the exam. As they are my raw notes, expect some abbreviations.
Anyway, enjoy the exam and I look forward to the expansion of VMware Cloud on AWS!
VMC on AWS Study Notes:
- Use Cases:
- Extension of onprem DC to the public cloud to expand resource capacity, increase disaster avoidance and recovery options, or localize application instances.
- Peering the private and public cloud that allows for application mobility
- Global compliance – ISO, SOC1-3, GDPR, and HIPAA
- Many different AWS regions available plus GovCloud
- Minimum of 3 hosts and maximum of 32 hosts
- Up to 10 clusters can be added to a SDDC
- Stretched Cluster – between two AZ’s (min of 6 hosts and max of 28)
- Host Configuration
- 2 18 core sockets – Broadwell
- 512 gibibytes of memory (550GB)
- 14.3TB of NVMe SSD’s – 3.6TB for flash, 10.7TB for capacity
- 1 AWS ENA – 25Gbps
- Two Disk Groups per host
- Dedupe/Compression is on by default
- Encryption is happening at the drive level
- Two different datastores – WorkloadDatastore (for workloads) and vsanDatastore (management VMs, cannot be modified)
- Default policy is PFTT 1, RAID1
- Can pick from PFTT of 1 to 3, RAID1/5/6 (if available hosts)
- Since All Flash, reads are from cap tier
- Stretched Cluster
- Sync writes between two AZ’s
- Witness host is added and not charged to customer
- Requires a AWS VPC with two subnets, one subnet per AZ
- Smallest SC is 6, largest is 28
- Must grow in pairs
- Adding hosts trombones between AZs – first one is added to AZ1, next is AZ2, next is AZ1, and so on
- Site Disaster Tolerance – default is dual site mirroring
- Traffic is separate between management and compute gateways
- Amazon Direct Connect allows for low-latency connections between on-prem and AWS.
- ENA’s are highly redundant even though there’s a single pNIC per host
- Two types of VPCs
- One created and managed by VMware – underlying VPC that is created when the SDDC is created
- Second – VPC that you create so you can peer with native AWS services
- Default deny all
- Must add rules for vCenter access, IPsec, etc
- Firewall Rule Accelerator created a group of rules to accelerate successfully connecting a VPN tunnel
- Logical Networks
- Routed network – internal communication over a IPsec or Internet connection. Normal overlay network that we are used to.
- External Network – utilized for L2VPN connectivity. Requires Tunnel ID. Think of this as a subint
- Inter-Networking Scenarios
- Compute GW – IPsec for guest OS connectivity
- Compute CW – L2VPN for vMotion, same L2 domain
- Direct Connect with pub virtual interface – in conjunction with IPsec or L2VPN or Pub Internet. Used for AWS services
- Direct Connect with private virtual interface – secured to direct SDDC
- Hybrid Linked Mode
- Allows for a single management interface between on-prem vCenter and VMC
- Pre-req for migration from on-prem to VMC
- Same SSO is not needed
- Configuration is only done from one of the vCenters to configure HLM. Will only be visible from this vCenter for future management. So, no bi-directional UI support.
- IPsec VPN connection between on-prem and SDDC management gateway
- Network connectivity between your VMC vCenter and on-prem vCenter server and identity source
- Same DNS
- Less than 100ms RTT
- Misc ports needed for successful connectivity
- vCenter Cloud Gateway Appliance configured HLM.
- Can do migrations between vSphere 5.1 to VMC
- No charge
- Only one VPC can be connected to a SDDC
- VPC subnets can only reside in one AZ.
- Elastic IP addresses are public IPv4 addresses mapped to the AWS account, not the resource.
- Connecting –
- Must connect a Amazon VPC or if it’s a single node SDDC, can delay up to 14 days.
- Migrating VMs
- Cluster EVC and Per-VM EVC
- In 6.7, can enable disable or change the EVC mode at the VM level.
- Requirements for Hybrid Cold Migration
- vSphere 6.5 patch d or later, 6.0U3, vSphere 5.1/5.5
- IPsec VPN
- HLM but can use move-vm cmdlet
- Hybrid Migration with vMotion
- Minimum bandwidth of 250Mbps and less than 100ms RTT
- vSphere 6.5 patch d / vSphere 6.0U3
- IPsec VPN
- vCSS/vDS 6.0 or 6.5
- AWS DC with a private virtual interface
- HLM or move-vm cmdlet
- L2VPN to extend VM networks between on-prem and VMC
- All FW rules in order.
- VM hardware version 9, Cluster based EVC baseline on Broadwell
- Per-VM EVC
- Must be hardware version 14 or greater
- VM must be powered off to change Per-VM EVC
- Cluster EVC and Per-VM EVC
- Permissions and Security
- CloudAdmin –
- Necessary privileges for creating/managing workloads in the SDDC
- Does not allow changing the configuration of management components that are supported by VMW
- CloudGlobalAdmin –
- Associated with global privileges that allows you to create and manage content library objects and perform other global tasks.
- firstname.lastname@example.org is the default user generated during creation.
- Other users cannot be created until HLM is configured. DO NOT modify solution users associated with the VMC created in an on-prem vSphere domain
- CloudAdmin –
- Elastic DRS
- Allows the SDDC to scale based on resource thresholds
- Not supported for multi-AZ deployment or single host SDDC
- If a user adds or removes a host, current EDRS remediations are ignored
- On-Demand, One-Year and Three-Year Subscription models
- HLP discounts of up to 25%
- Site Recovery is an add-on cost
- All other AWS services are billed separately
- Cloud Services Roles
- Organization Owners –
- Can have one or more
- Owners can invite additional owners and users, manage access
- Organization Users –
- Access VMware Cloud services
- Cannot invite users, change access, or remove
- Organization Owners –
- Default Subnet CIDR is 10.2.0.0/16 – reservations for other RFC1918 addresses
- 192.168.1.0/24 is reserved for default compute
- Maximum hosts are dictated by the CIDR block you state
- Content Libraries
- Onboarding Assistant is a java CLI tool for transferring to VMC
- Can still utilize subscribe functionality
- Utilize vSphere Client to upload files
- Site Recovery
- vSphere Replication based
- Supports Active-Active, Active-Passive, Bidirectional
- vCenter 6.7/6.5/6.0U3, ESXi 6.0U3 or later
- SRM 8.x on-prem
I wanted to start off my Monday morning with a bang, so decided to schedule my VCAP 3v0-624 exam for the first in the morning. Well, I passed!
Before walking into this exam, I wasn’t sure if I prepared enough, but I felt kind of comfortable once the exam started. I’d like to share what I did to prepare for this exam, although this is my first ever VCAP-Design.
Summary of Study Material
- VMware Education Courses
- I took the vSphere: Design Workshop 6.5 course online a few months ago. This was good at providing a fundamental understanding of VMware’s approach to a virtualized design.
- However, I’ve taken other design courses (vCloud Director) so I felt that the approach is very similar. While I reflect positively on this class, I think if you’ve taken other design workshop classes and have a firm understanding of the design methodology, you probably can skip (or take another 6.5 class for my next point).
- One valuable thing was the instructor was careful to point on what has changed in vSphere 6.5 (or what’s new). This is very important in my opinion for the Design Exam. So again, positive and a good use of time.
- Books I read
- VMware vSphere 6.x Datacenter Design Cookbook
- I thought Hersey Cartwright’s book was solid on giving me a practical understanding of what to expect for a design and items to be thoughtful on.
- While Hersey did write this in the vSphere 6.0x days, it’s still very pertinent and covers many of the important business aspects which seem to be overlooked.
- IT Architect: Foundation in the Art of Infrastructure Design
- While I enjoyed reading this book, I thought there was more VCDX-preparation level material than specific material for this VCAP-Design test. Perhaps it provided me with a well-rounded approach and drove the thought process. Either way, this is one to keep around for any future planning.
- VMware vSphere 6.x Datacenter Design Cookbook
- Material I used
- Print out BOTH the 6.5 Exam Guide AND 6.0 Exam Guide and review both. For my own study method, I ensure I go through EVERY topic and write them out on my whiteboard. I ensure I cover each one to the best of my abilities.
- vBrownBag VCAP6-DCV Video Series
- This was AWESOME! I spent quite a bit of time going through each video and taking notes.
- I felt this material was very pertinent to the 6.5 Design Exam. Although the Visio drawings are not on the test anymore, the design methodologies remain constant and everyone did a great job of walking through each subsection.
- VMware Material
- Review the VMware Validated Design Material
- I downloaded ALL vSphere 6.5 new documents, along with the following:
- vSphere 6.5 DRS Performance Whitepaper
- Deploying Extremely Latency Sensitive Applications in vSphere Whitepaper
- vSphere 6.5 Virtual Machine Encryption Performance Paper
- vSphere 6.5 What’s New? Whitepaper vmw-white-paper-vsphr-whats-new-6-5
- vSphere 6 Fault Tolerance: Architecture and Performance Whitepaper
- Platform Services Controller 6.0 Topology Decision Tree
- vSphere Availability – VMware vSphere 6.5 Document
- vSphere Storage – VMware vSphere 6.5 Document
- I was pretty comfortable here, so did not review all of this since it’s the standard documentation.
- Other Material
- CADs- Constraints, Assumptions (Risk, Requirements) & Dependencies- see attached.
- Conceptual_Logical_Physical_It_is_Simple – see attached
- Design Example – pretty sure I found this on the VMware Community Forum. design examples – conceptual,logical,physical
- vCommunity Material – honestly, this was a huge component as many others have created some great material out there. This is not in any order, all is good and pertinent.
- Graham Barker’s VCAP6-DCV Exam Preparation Guide – very detailed for Sections 1 and 2. I loved how he created sample tests to gauge your knowledge of each section.
- Matt Callaway’s VCAP6-DCV Design Study Guide – links to many of the videos but other applicable notes he created.
- Hersey’s write-up on exam experience and study notes – again, very good and the callout for the books too.
- David Stamen’s summary and important notes – I would stress the importance of David’s tips. They are SPOT ON!
- Rene van den Bedem’s Availability Explained post – very good and thorough.
- VirtualTiers Sample Quiz by Jason Grierson – really cool site that provides a sample design. Again, many of the questions are the Visio-type stitching but drives the thought-process around the design.
- vMusketeers VCAP6-DCV Design Quiz – a lot of work was put into this. Again, driving and testing your knowledge
- I think many of the vCommunity members covered a lot of the specific things, but I will point out things that come top of mind.
- Know your Requirements, Assumptions, Constraints, and Risks. Practice, practice practice! I had a hard time understanding functional versus non-functional and then it finally clicked for me.
- Understand your AMPRS – Availability, Manageability, Performance, Recoverability, and Security. Again, practice these and understand what are the specific metrics and how non-functional requirements can be categorized in each respective role.
- Don’t be afraid of reviewing the 5.x and 6.0 VCAP-Design material. Again, all very pertinent.
- Be well prepared for anything that has changed in vSphere 6.5. There are many things that may have changed or enhanced so you’ll need to have knowledge of these aspects.
- Last of all, make sure you have working knowledge of design scenarios. I think this has to come with experience and dealing with actual customer situations. This does come with time and exposure.
- I thought the exam was very challenging, yet fair. Like I said before, this is my first VCAP-Design, so I cannot comment about the Visio-drawings that were required (albeit I heard these were difficult).
- Expect a lot of thought process on each question. TAKE YOUR TIME, you will have plenty of time. I had an hour left even after reviewing every question twice.
- Expect the multiple choice, select “x”, and drag and drop.
- Go with your instinct and ensure you read the questions clearly.
I hope this helps others – cheers!
Updated – July 9th, 2020 with password policy and complexity.
So I’ve been playing with Photon OS recently with a few of our Cloud Provider solutions, very nice lightweight appliance.
However, one thing that surprised me is the minimal/lightweight install does not have ping installed nor can you ping it (ICMP echo replies). In my opinion, this is a basic function for any type of network troubleshooting. I understand it’s minimal…but go cut something else out. 🙂
So how do we set up some basic network functions?
Setting up a Static IP
cd to /etc/systemd/network
vi (or use your preferred text editor) a file called 10-eth0.network
There’s three sections required: Match, Network, and DHCP
Below is the code required:
[Match] Name=eth0 [Network] Domains=HOSTNAME domain.local Gateway=192.168.110.1 Address=192.168.110.61/24 DHCP=no [DHCP] UseDNS=false
Save it (wq!), and now it’s time to chmod the file so it can be read by the OS
chmod 644 10-eth0.network
Now restart the network daemon service.
systemctl restart systemd-networkd
Installing Ping on Photon OS
Now there’s two different versions of Photon – version 1 and 2. On version 1, it’s pretty easy – type in the following:
yum install iputils
Now for Photon 2.0 (which I’m currently using), repos are disabled by default and so I was getting a message stating “package not found” which was odd. However, digging in further, I found the repos were not enabled.
Enabling Repos so we can pull iputils
I enabled three repos:
We need to edit each file and change the enabled=0 to enabled=1
Now let’s install it!
tdnf install iputils
Sucess! Ping is available now, along with netstat too.
Allow ICMP echo responses
This is a change in the firewall table. By default, ICMP echo and replies are dropped.
Here are the two commands required to enable ICMP traffic:
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
Currently, I found a DNS issue with the vami_config_net file with a Photon 3.0 appliance deployment – it was not setting the DNS correctly and resorting to a 127.0.0.53 address. Moreover, the /etc/resolv.conf file should not be modified and if it is, changes do not persist post-reboot.
- Set DNS inside of the /etc/systemd/network/10-eth0-static.network network configuration file
- Change it under /etc/systemd/resolved.conf
Option 1 Example:
root@vcav [ ~ ]# more /etc/systemd/resolved.conf ....... # See resolved.conf(5) for details [Resolve] DNS=10.96.88.2 #DNS= #FallbackDNS=184.108.40.206 220.127.116.11 2001:4860:4860::8888 2001:4860:4860::8844 #Domains= LLMNR=false #MulticastDNS=yes #DNSSEC=no #DNSOverTLS=no #Cache=yes DNSStubListener=yes
Resetting the Root Password
I’ve had situations where I’ve locked myself out of a Photon instance. The process is pretty simple – follow this link: https://github.com/vmware/photon/blob/master/docs/photon_troubleshoot/resetting-a-lost-root-password.md
Removing Password Expiration Policy
By default, Photon has a one year password expiration policy for accounts, including the root account. One can modify this and establish a no expiration policy, but also adjust other parameters.
From a root account, one can see the following:
root@vcd [ ~ ]# chage -l root Last password change : Mar 30, 2020 Password expires : Mar 30, 2021 Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 365 Number of days of warning before password expires : 7
One can modify this by using the “chage” command.
chage -m 0 root
From there, we can now see the password expiration has been removed.
root@vcd [ ~ ]# chage -l root Last password change : Mar 30, 2020 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
Photon utilizes the standard PAM modules for password complexity. For those of you in a lab environment that utilize the same password or standard password methodology, one might need to adjust this.
The configuration file is under:
We can see under this file that we have three lines –
root@usagemeter42 [ /etc/pam.d ]# more system-password # Begin /etc/pam.d/system-password password requisite pam_cracklib.so minlen=8 minclass=4 difok=4 maxsequence=0 retry=3 enforce_for_root password requisite pam_pwhistory.so retry=3 remember=5 enforce_for_root password required pam_unix.so sha512 shadow use_authtok # End /etc/pam.d/system-password
For me, I wanted to just disable the policy in its entirety. To do this, comment out the first line:
# Begin /etc/pam.d/system-password #password requisite pam_cracklib.so minlen=8 minclass=4 difok=4 maxsequence=0 retry=3 enforce_for_root password requisite pam_pwhistory.so retry=3 remember=5 enforce_for_root password required pam_unix.so sha512 shadow use_authtok # End /etc/pam.d/system-password
From there, one can change their password –
root@usagemeter42 [ /etc/pam.d ]# passwd New password: Retype new password: passwd: password updated successfully
Setting the Hostname
Need help changing it from the default photon-appliance hostname?
Hostnamectl is the command for permanently changing the name – not just editing the /etc/hosts file.
hostnamectl set-hostname DanielApp-B
Reboot the system.
One last tidbit – SSHD not starting?
During some of my testing, my lab environment went bottoms up – thanks, Timo 😉
After my Photon appliances started back up, I could not SSH to them. So after some troubleshooting and help from the VMware internal team, figured out what happened.
Steps to resolve:
Log into the console and ls -l /var/vmware/skip_sshd and you can also check the status of sshd by typing “systemctl status sshd”
If the file does exist, you need to remove it. No clue why it was added when I had a hard power outage, but it did.
Now start up ssh..
systemctl start sshd
Voila! we can now see it’s started
Other great details on Photon commands can be found here: Photon OS Troubleshooting Guide