VVols-GA

Since the official release of vSphere 6.0, Virtual Volumes (VVols) has generated a great deal of interest with customers, field consultants, and the VMware community. Now that VVols is available customers can begin testing functionality and capabilities. There have been many questions about what VMware products and vSphere features are compatible and currently interoperate with VVols.

Because VMware’s product portfolio continues to expand exponentially, identifying all of the new products and features that interoperate with VVols can be a tedious and potentially time-consuming task. In the interest of time and efficiency, the need for a centralized Virtual Volumes interoperability guide is evident, so here is one.

Below is a list of VMware products and vSphere 6.0 features that, as of today, March 30th, 2015, are supported and interoperate with VVols. Please keep in mind that the interoperability and supportability of any of these products and features can change with a future patch or product release. It is highly recommended to check the VMware compatibility matrix guide for the official and up-to-date list of products and features that are interoperable with VVols.

Read Full Article →

VSAN-Hytrust

Customers from different industries and institutions are very interested in Virtual SAN as a storage solution not just because of the technological value it delivers today, but because of the product’s undeniable value around operational efficiency, ease of management, and flexibility.

Some of these customers are from financial, healthcare and government institutions, and conduct their business in areas that are governed by regulatory compliance laws such as HIPAA, PCI-DSS, FedRAMP, Sarbanes-Oxley, etc. These laws demand compliance with numerous security measures, one of them being the ability to guarantee data integrity by securing data with some form of encryption.

Today Virtual SAN does not include encryption as one of its data services as this feature is currently under development for a future release. Now, when considering Virtual SAN as a potential solution wherever data encryption is a requirement based on regulatory compliance laws, it’s important to know what options are currently available.

In Virtual SAN, the encryption data service capabilities are offloaded to hardware-based offerings available through Virtual SAN Ready Nodes. Data encryption services are exclusively supported on Virtual SAN Ready Node appliances that are composed of certified and compatible hardware devices that provide encryption capabilities, such as self-encrypting drives and/or storage controllers. The Virtual SAN Ready Node appliances are offered by just about all the OEM hardware vendors that are part of VMware’s ecosystem.

An alternative option to the Virtual SAN Ready Nodes is a software-based solution developed and offered by a company called Hytrust. Hytrust is one of the members of VMware’s partner ecosystem whose business is focused around the delivery of data security services for private and public cloud infrastructures. The solution I want to highlight in particular is called Hytrust DataControl.

Hytrust DataControl is a software-based solution that is designed with the capability of protecting virtual machines and their data throughout their entire lifecycle (from creation to decommissioning). Hytrust DataControl delivers both encryption and key management services.

This solution is built specifically to address the unique requirements of private, hybrid and public clouds, combining robust security, easy deployment, exceptional performance, infrastructure independence, and operational transparency. Hytrust DataControl’s ease of deployment and management is in line with one of the main principles of Virtual SAN, which is simplicity and ease of management.

Hytrust DataControl virtual machine edition is based on a software agent that encrypts data from within the Windows or Linux operating system of a virtual machine, ensuring protection and multi-tenancy of data in any infrastructure. DataControl also allows you to transfer files between VMs, so you can securely migrate stored data from your private to the public cloud.

The deployment of the Hytrust DataControl solution and installation and configuration of the software is done in a couple of easy steps which take just a few minutes. Once the software is resident, any data written to storage by an application will be encrypted both in motion, as it travels securely through the hypervisor and network, and also at rest on the Virtual SAN datastore.

HT-deployment

Note: The agent download and configuration steps can be reduced with the use of virtual machine templates. Also, the entire configuration can be automated via the Hytrust Command Line Interface (hlc).

The demonstration below showcases the procedure to enable the Hytrust DataControl encryption services on a single virtual machine. The application that is being protected is a Tier 1 database server (SQL Server 2014) that is currently residing on a Virtual SAN datastore with an availability requirement of FTT=1. The virtual machine is leveraging the performance and availability capabilities delivered by Virtual SAN. The demonstration also highlights the ease of management and configuration of the solution, from the key manager registration to the actual encrypting of the drives. The demonstration also displays the centralized control and management capability for managing the addition and removal of encrypted resources.

Hytrust DataControl Supported Operating Systems

  • Windows 2012 Server R2 with Service Pack 1
  • Windows 2008 Server
  • Windows 7 64-Bit with Service Pack 1
  • CentOS 5.8, 6.2, and 6.3
  • Ubuntu 10.04 server and desktop
  • Ubuntu 12.04 server
  • Ubuntu 12.10 server
  • Red Hat Enterprise Linux Server 6
  • Debian 6.0.7 (requires cryptsetup)
  • Savvis Linux – Red Hat Enterprise Linux Server 5.3 and 6.1

Some of Hytrust’s DataControl capabilities and benefits include:

Strong FIPS-Approved Encryption – Hytrust DataControl encrypts data using AES-128/256, ensuring VMs are secure from the time they are created until they are securely decommissioned.

Key Management – Hytrust KeyControl provides a highly-available, security-hardened key management system that is simple to deploy and easy to use. KeyControl is a locked-down virtual appliance (though it can also be installed on physical hardware). KeyControl is fully multi-tenant and supports active-active clustering for availability. The appliance can be installed on your premises or at your service provider (vCloud Air). Administrators define policies for key retention or zero-downtime rekeying in accordance with compliance or other requirements.

Hardware-Accelerated Performance – Hytrust DataControl automatically detects and leverages AES-NI hardware acceleration built into most modern Intel and AMD chipsets, ensuring minimal latency.

Transparency – Hytrust DataControl is deployed into the operating system of the virtual machine and is completely transparent to applications and users. Administrators can manage their infrastructure with the same tools they always have, with no change to process.

As organizations seek to build multi-tenant and private cloud infrastructures, as well as adopt hybrid and public clouds, Hytrust DataControl can be utilized to mitigate the risk of data exposure, by locking down data in a way that is optimized to work with the highly dynamic nature of virtual infrastructure.

The Hytrust DataControl solution comprises the following major components:

HyTrust KeyControl Nodes and clusters – supporting an active-active cluster, the KeyControl cluster stores keys, policies and configuration data related to the cluster, or any number of virtual machines where the HyTrust DataControl Policy Agent is installed. Administration of the system is through a web-browser-based GUI or through a set of REST-based APIs. Communication between the browser and the KeyControl cluster is over HTTPS. Since this is a full active-active cluster, the browser can point at any KeyControl node in the cluster. Any changes made are immediately reflected on all cluster nodes.

HyTrust DataControl Policy Agent – the HyTrust DataControl Policy Agent (the DataControl agent) is a software module that runs inside Windows and Linux virtual machines, either local or in a private, public or hybrid cloud, providing encryption of virtual disks and individual files. The DataControl agent is typically used to provide encryption of virtual machines (or physical servers) in the data center. All VMs that have the DataControl agent installed can also securely share encrypted files. Encryption keys (keyIDs) can be used by selected VMs to encrypt and decrypt files. Encrypted files can also be sent to cloud storage such as vCloud Air and only accessed by the selected VMs where the DataControl agent is installed.

Hytrust DataControl solution features:

  • Hytrust appliances based on Hytrust hardened FreeBSD OS
  • Hytrust KeyControl Nodes and Clusters
  • Web-based administrative interface
  • REST-based API
  • Flexible administrative framework suitable for small and large organizations
  • Key Management capability services
  • Secured authentication of new nodes
  • Secure protocol support between nodes
  • Support for VM in-guest encryption using the Hytrust DataControl Policy Agent
  • Secure data migration

Hytrust KeyControl virtual appliance characteristics:

  • Hytrust SecureOS
  • Single vCPU
  • 1 GB of RAM
  • 1 Virtual Disk
  • 1 Network Adapter

Overall, the data encryption features and capabilities provided by the Hytrust DataControl solution can very easily be utilized for virtual machines and their applications stored on VMware Virtual SAN in a private datacenter and expanded for hybrid cloud services such as vCloud Air. For more detailed information about Hytrust DataControl please visit the Hytrust product page.

Hytrust DataControl Product Page

– Enjoy

For future updates on Virtual SAN (VSAN), vSphere Virtual Volumes (VVols) and other Software-defined Storage technologies as well as vSphere + OpenStack be sure to follow me on Twitter: @PunchingClouds.

VSAN-Upgrade

Virtual SAN 6.0 introduced new changes to the structural components of its architecture. One of those changes is a new on-disk format which delivers better performance and capability enhancements. One of those new capabilities allows vSphere Admins to perform in-place rolling upgrades from Virtual SAN 5.5 to Virtual SAN 6.0 without introducing any application downtime.

Upgrading an existing Virtual SAN 5.5 cluster to Virtual SAN 6.0 is performed in multiple phases and requires the reformatting of all of the magnetic disks that are being used in a Virtual SAN cluster. The upgrade is defined as a one-time procedure that is performed from the RVC command-line utility with a single command.

Upgrade Phase I: vSphere Infrastructure Upgrade

In this phase of the upgrade, all components are upgraded to the vSphere 6.0 release. All vCenter Servers, ESXi hosts and infrastructure-related components need to be upgraded to their respective 6.0 software release. Any of the vSphere-supported procedures for the individual components may be used.

  • Upgrade vCenter Server 5.5 to 6.0 first (Windows or Linux based)
  • Upgrade ESXi hosts from 5.5 to 6.0 (Interactive, Update Manager, Re-install, Scripted Updates, etc)
  • Use Maintenance Mode (Ensure accessibility – recommended for reduced times, Full data migration – not recommended unless necessary)

Upgrade Phase II: Virtual SAN 6.0 Disk Format Conversion (DFC)

This phase is where the previous on-disk format (VMFS-L) is replaced on all of the magnetic disk devices with the new on-disk format (VSAN FS). The disk format conversion procedure will reformat the disk groups and upgrade all of the objects to the new version 2. Virtual SAN 6.0 provides support for both the previous on-disk format of Virtual SAN 5.5 (VMFS-L) and its new native on-disk format (VSAN FS).

While both on-disk formats are supported, it is highly recommended to upgrade the Virtual SAN cluster to the new on-disk format in order to take advantage of the performance improvements and newly available features. The disk format conversion is performed sequentially in a Virtual SAN cluster, where the upgrade takes place one disk group per host at a time. The workflow illustrated below is repeated for all disk groups on each host before the process moves on to another host that is a member of the cluster.

DFC-Workflow

Read Full Article →

VSANPowerCLIAlarmLogo

I was recently involved in a couple of customer conversations where the main topics were focused on monitoring and troubleshooting events in vCenter, particularly for Virtual SAN. I know that particular topic has been covered a few times in the past, not only on the VMware corporate storage blog but also by other community blogs. To be more specific, one of the VSAN Champions, William Lam, has covered this extensively on his personal blog.

The work that we have done on the topic of vCenter Server Alarms and Virtual SAN stems from the findings identified in two articles published by William. For more information on what are the recommended vCenter Server Alarms for Virtual SAN and how to add and configure them take a look at the articles listed below:

With vSphere 6.0 and Virtual SAN 6.0 nearing general availability very soon, this script can make things a lot easier for all Virtual SAN customers and provide a simplified way to get all the available vCenter Server alarms for Virtual SAN added and configured within seconds.

I got a chance to work on this little nugget with one of the baddest PowerCLI gurus on the planet and another VSAN Champion, Alan Renouf, and William Lam as well, who are members of the VMware virtualization team codenamed #TheWreckingCrew. Here is PowerCLI sample code that can be utilized to add and configure all of the vCenter Server Alarms for Virtual SAN. These alarms are applicable to both Virtual SAN versions 5.5 and 6.0.

Read Full Article →

VSAN-60-All-Flash

Since the official announcement of the VMware Virtual SAN All-Flash architecture, most of the conversations have been focused on the solution’s incredible performance capabilities and attributes with regard to IOPS, predictable performance, and sub-millisecond latencies. All of those attributes are great and part of the reason why Virtual SAN 6.0 as a storage platform and its use cases have been expanded to also focus on business-critical applications and large enterprise environments.

I want to turn the spotlight onto one of the many supported use cases for Virtual SAN 6.0 and highlight one of the invaluable capabilities of the new platform with regards to Virtual Desktop Infrastructures (VDI).

Some of the functional requirements for large enterprise infrastructure designs for VDI include the characterization of boot, refresh, and provision times for standard operations and worst case scenarios.

I have seen a fair share of VDI designs and demonstrations of different platforms showcasing bootstorms, refresh and rebuild times, and they all do a pretty good job. Now, with that said, I wanted to take the opportunity to showcase the powerful capabilities of Virtual SAN 6.0 by demonstrating a bootstorm at the maximum supported capabilities of the platform. This bootstorm demonstration consists of 6401 desktops on a Virtual SAN 6.0 All-Flash 64 node cluster (BigDaddy).

The key and impressive items showcased as part of the demonstration are the following:

  • BigDaddy – 64 Node All-Flash Virtual SAN Cluster
  • Desktops – booting all 6401 desktops in the cluster at once (in batches of 1024 at a time)
  • Boot Time – 24 minutes booting all desktops, plus allocation of IP addresses about 19 minutes, for a total of about 40 minutes

This demonstration does not contain tampered or custom configurations of any of the Virtual SAN settings. This is what we generally call an Out-of-the-Box experience. Another important thing to point out here is my definition of completed boot time. What I mean by complete boot is not just when the desktop is powered on, but when all the desktops have successfully acquired an IP address and are really up and running and ready to be used.

In the interest of time, the demonstration has been sped up from its original length of time to about 5 minutes. Feel free to pay attention to the timestamp as it is displayed in the command line interface to validate the accuracy of the booting time.

This demonstration successfully highlights one of the many powerful capabilities of Virtual SAN 6.0.

- Enjoy

For future updates on Virtual SAN (VSAN), vSphere Virtual Volumes (VVOLs) and other Software-defined Storage technologies as well as vSphere + OpenStack be sure to follow me on Twitter: @PunchingClouds