What’s new in VMware vSphere 7

vSphere 7 is built for modern applications and the hybrid cloud. In the coming years enterprises will build more and more applications using cloud-native tools and methods, and deploying and managing those applications is a lot more complex than before. vSphere 7 with Kubernetes (formerly known as Project Pacific) is delivered through VMware Cloud Foundation 4 (VCF) and is meant to take that complexity away: the developer no longer needs to deal with infrastructure, and the VI admin can provision and manage the infrastructure and the workloads with the tools they already know.

VMware Cloud Foundation 4 is a full software-defined infrastructure stack with compute (vSphere 7), network (NSX-T), storage (vSAN 7) and management (vRealize 8.1). This modern infrastructure is built for deploying Kubernetes at cloud scale.

Besides Kubernetes on VMware Cloud Foundation, vSphere 7 adds improvements in three key areas:

  • Simplified Lifecycle Management
  • Intrinsic Security
  • Application Acceleration

Here is an overview of the new improvements in these three key areas:

vCenter Server

  • vCenter Server Profiles. Profiles can export and import the vCenter Server configuration via REST APIs (management, network, authentication and user configuration). This is not the same as Host Profiles: these are the settings you make in the vCenter Server Appliance Management Interface (VAMI). With this you can keep the configuration consistent and under version control across vCenter Servers (up to 100 vCenter Servers are supported).

  • vCenter Server Multi-Homing is now officially supported, with a maximum of 4 NICs per vCenter Server. NIC1 of the vCenter Server is reserved for vCenter HA (vCHA).
  • vCenter Server Scalability Enhancements. As in each new release the configuration maximums have been raised (see configmax.vmware.com for the details).

  • vCenter Server CLI tools. The vSphere SSO domain consolidation tool (cmsso-util) has been simplified. The separate repointing option is gone; the 'unregister' and 'domain-repoint' arguments now cover that.
  • Content Library VM template versioning. Check-in/check-out and versioning: to edit a VM template you check it out, make your changes and check it back in. After that you see the versioning (history) information for the template.

  • Automatic convergence of an external Platform Services Controller (PSC). When you upgrade a vCenter Server with an external Platform Services Controller (PSC), it is automatically converged to a vCenter Server with an embedded PSC. The separate vCenter Server Converge Tool is no longer shipped on the ISO.
  • vCenter Server Update Planner. Update Planner is a new tool that helps with discovering, planning and upgrading a vCenter Server. In the vSphere Client you receive a notification when an upgrade or update is available. The nice thing is that it detects the installed VMware products and reports whether they are compatible with the target version.
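
The vCenter Server Profiles REST API mentioned above is worth automating, because the export is a convenient way to keep a versioned, reviewable copy of the appliance configuration. The script below is an added example written for this page (it is not code from the original post or from VMware) and it assumes the vSphere 7 Automation API endpoints /api/session, /api/appliance/infraprofile/configs and /api/appliance/infraprofile/configs?action=export, the 'info' property as the profile name in the list response, and PowerShell 7; check them against the API Explorer at https://<vcenter>/apiexplorer on your own vCenter before relying on them.

```powershell
# Added example (not from the original post): export the vCenter Server 7
# configuration profiles through the vSphere REST API from PowerShell 7.
# Assumed endpoints, to be confirmed in https://<vcenter>/apiexplorer:
#   POST /api/session                                      -> session token (Basic auth, once)
#   GET  /api/appliance/infraprofile/configs               -> profiles this vCenter can export
#   POST /api/appliance/infraprofile/configs?action=export -> JSON export of the named profiles
param(
    [Parameter(Mandatory)] [string]       $VCenter,
    [Parameter(Mandatory)] [pscredential] $Credential,   # from Get-Credential, never a literal password
    [string] $OutFile = "vcsa-profile-$VCenter-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
)
$ErrorActionPreference = 'Stop'
$base = "https://$VCenter"

# No -SkipCertificateCheck: the vCenter certificate must chain to a CA this client
# trusts, otherwise the admin credentials could be handed to an impostor.
$token   = Invoke-RestMethod -Method Post -Uri "$base/api/session" -Authentication Basic -Credential $Credential
$headers = @{ 'vmware-api-session-id' = $token }

try {
    # Ask vCenter which profiles it knows instead of hardcoding names. The property
    # that carries the name ('info') is an assumption, so fall back to 'name'.
    $known = Invoke-RestMethod -Method Get -Uri "$base/api/appliance/infraprofile/configs" -Headers $headers
    $names = @($known | ForEach-Object { if ($_.info) { $_.info } else { $_.name } })
    if ($names.Count -eq 0) { throw 'vCenter returned no exportable profiles' }

    $spec = @{
        description = "Export from $VCenter by $($Credential.UserName) on $(Get-Date -Format o)"
        profiles    = $names
    } | ConvertTo-Json

    $resp = Invoke-WebRequest -Method Post -Uri "$base/api/appliance/infraprofile/configs?action=export" `
                              -Headers $headers -ContentType 'application/json' -Body $spec
    # The API returns the export as a JSON string literal; unwrap it to the profile JSON itself.
    $export = $resp.Content | ConvertFrom-Json
    if ($export -isnot [string]) { $export = $resp.Content }

    # The export contains network, authentication and user settings: write it with an
    # owner-only ACL and keep it in a controlled repository, not on an open share.
    Set-Content -Path $OutFile -Value $export -Encoding utf8
    if ($IsWindows) { icacls $OutFile /inheritance:r /grant:r "${env:USERNAME}:(R,W)" | Out-Null }
    else            { chmod 600 $OutFile }
    Write-Output "Exported profiles [$($names -join ', ')] to $OutFile"
}
finally {
    # Always invalidate the session so the token cannot be replayed later.
    Invoke-RestMethod -Method Delete -Uri "$base/api/session" -Headers $headers | Out-Null
}
```

Run it as `.\Export-VcsaProfile.ps1 -VCenter vcsa.corp.example -Credential (Get-Credential)` and commit the resulting file to a repository with restricted access; diffing two exports is the quickest way to spot drift between vCenter Servers.
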

vSphere Lifecycle Manager (vLCM)

  • Single cluster image management. This is all about consistency across the ESXi hosts in a cluster. The desired state of a cluster is managed with this model, also known as single image management. When a host is (no longer) compliant you remediate it to the desired state. Host firmware management can be done from within vSphere and works in conjunction with vendor management tools like Dell OpenManage and HPE OneView. Checks against the VMware Compatibility Guide (VCG) and Hardware Compatibility List (HCL) remove the risk of unsupported drivers and firmware levels. Single image cluster management is available in the GUI and the REST API, and vSphere Lifecycle Manager includes desired state management for vSAN.

Hardware & Performance

  • Improved Distributed Resource Scheduler (DRS). In earlier releases of vSphere, DRS used a cluster-wide standard: resources equally utilized across the cluster. With vSphere 7 DRS is improved and based on a workload-centric standard, so it is ready for modern applications. In the screenshot you see the old DRS and the improved DRS with the VM DRS score. The VM DRS score is the new metric used to migrate and balance workloads across the cluster. It is calculated from performance, capacity and migration metrics such as:
    • CPU %RDY (Ready) time
    • Memory swap (overcommit)
    • CPU cache behavior
    • Headroom for the workload to burst
    • Migration cost

  • DRS Scalable Shares. The relative resource entitlement of a resource pool compared with other resource pools now depends on the number of VMs in the pool. Setting a share level to 'high' ensures prioritization over VMs with a lower share level, and the share allocation changes dynamically when more VMs are spun up. This is not enabled by default in vSphere 7.
  • Assignable Hardware. A framework that allows VMs with Dynamic DirectPath I/O devices (including NVIDIA GRID vGPU devices) to use vSphere HA and DRS for initial placement. In earlier releases of vSphere a VM with a pass-through device was stuck on its host. Assignable Hardware requires VM hardware version 17. When powering on a VM with an NVIDIA vGPU profile, DRS checks whether another host can accommodate that vGPU profile. DRS load balancing of Dynamic DirectPath I/O devices is not available yet, so this is only for the initial placement of the VM.

  • vMotion. vMotion is improved to reduce the performance impact on large (monster) VMs during a vMotion. This brings vMotion back for large workloads like SAP HANA or Oracle.
  • Enhanced vMotion Compatibility (EVC). vSphere 7 adds support for the Intel Cascade Lake and AMD Zen 2 generations.
  • Virtual Machine hardware version 17. VM hardware version 17 is needed for Assignable Hardware. Other new features in HW v17 are:
    • Watchdog Timer: without a watchdog timer a hung guest OS or application is never detected, so nothing resets it. The virtual watchdog timer resets the VM when the guest OS stops responding. This is important for clustered applications like databases and filesystems.
    • Precision Time Protocol (PTP): for applications that require sub-millisecond time accuracy, such as financial and scientific applications. PTP requires both the in-guest device and the ESXi PTP service to be enabled. You choose between NTP or PTP for the entire ESXi host.

Security & Compliance

  • vSphere Software Guard Extensions (vSGX). This exposes Intel SGX to the guest: hardware protection for secrets. An application works with the CPU to create a secure enclave whose memory cannot be read by the guest OS or by the hypervisor, and moves its sensitive logic and storage into that enclave. This is Intel-only, and a VM with vSGX enabled gives up a number of VM operations (vMotion and snapshots with memory among them), so check the restrictions before enabling it.
  • Improved Certificate Management. In vSphere 6.x you have a lot of certificates to manage. In vSphere 7 the number of certificates is reduced and certificate management is much simpler, and you can manage the vCenter Server certificates programmatically using APIs.
  • vSphere Trust Authority (vTA). This is about securing the vSphere infrastructure itself: how do we trust that our hosts are running the software they should? vTA uses a small, separately managed cluster of trusted hosts that attest the ESXi hosts in the workload clusters (based on their TPM 2.0 measurements) and only releases encryption keys to hosts that pass attestation.
  • Identity Federation. Standards-based federated authentication with an enterprise identity provider (IdP) such as ADFS. vCenter Server redirects the login to the IdP, so vCenter no longer handles user passwords; this reduces the audit scope and the workload of the vSphere admin, and you get the MFA policies of the IdP for free. SSO still exists.

vSAN 7.0 

  • Simpler Lifecycle Management. See the vSphere Lifecycle Manager (vLCM) paragraph above for more details.
  • Native File Services. These integrated file services are built into the hypervisor and support the NFS v3 and v4.1 protocols. They are managed in vSAN and provide file shares within the vSAN cluster. The purpose is to address the file share needs of traditional and cloud-native workloads on the vSAN cluster; it is not built to replace a large filer.

  • Enhanced Cloud Native Storage. Integration of Kubernetes running on vSphere and vSAN using file-based persistent volumes.

Besides these main improvements, there are dozens of other great enhancements at the operations, efficiency and management level. My favorite vSphere 7 improvement is the vSphere Lifecycle Manager (vLCM) enhancement, because it makes updating and maintaining vSphere clusters (with vSAN) a lot easier using the desired state model.

VMware homelab bill of materials and configuration

William Lam has started a great initiative. William asked (link) everyone who owns a homelab to share their bill of materials (BOM) and configuration so the vCommunity can benefit and learn from it. I have a simple homelab configuration. Here is an overview of the materials I used and the configuration:

Internet

Cable modem in bridge mode with 250 Mbit/s down and 25 Mbit/s upload.

Router 

Ubiquiti EdgeRouter Lite 3-Port router

Access Point

Ubiquiti UniFi AP AC PRO

Layer 2 switches

2 x HP ProCurve 1810G (8 x 1 GbE) managed switches.

Compute

Shuttle SH370R6 Plus and Shuttle SH370R8 Plus. Each barebone has:

  • 500 W Plus Silver PSU
  • Intel Core i7-8700 (6 cores, 12 threads)
  • 64 GB memory
  • Samsung 970 EVO 1 TB m.2
  • Kingston DataTraveler 100 G3 32 GB USB stick
  • 2 x 1 GbE network cards

Network Attached Storage (NAS)

QNAP TS-251+ NAS with two Western Digital (WD) Red 8 TB disks in a RAID-1 configuration.

Software

  • VMware vSphere 7 (ESXi, vCenter)
  • VMware vSAN
  • VMware Horizon
  • VMware NSX-V / NSX-T
  • vRealize

Bill of materials (BOM)

Component                                Cost (approx.)                       Link to blog post
Ubiquiti EdgeRouter Lite 3-Port Router   € 93
Ubiquiti UniFi AP AC PRO                 € 136
2 x HP ProCurve 1810G                    € 75 each (not available anymore)
Shuttle SH370R6 Plus                     € 1200                               Link
Shuttle SH370R8 Plus                     € 1200                               Link
QNAP TS-251+                             € 314
2 x Western Digital (WD) Red 8 TB        € 258 each, € 516 total

ControlUp 8.1 Native VMware Horizon integration

In part 2 we highlight the native support for VMware Horizon 7 (and higher) environments in ControlUp 8.1. The integration is based on the Horizon SOAP API. Adding a VMware Horizon environment is easy: click 'Add EUC environment', enter the name of a Horizon Connection Server and click 'OK'. ControlUp then automatically discovers the Horizon components such as Connection Servers, Cloud Pod Architecture (CPA), desktop pools and sessions.

Horizon Connection Servers

At the top level you see the stress level of all Horizon Connection Servers, and in the view below that each individual Horizon Connection Server is listed with its metrics.

For all the Connection Servers, the following metrics are added to the view:

  • Horizon Pods
  • Stress Level
  • Connection Servers
  • Connection Server health
  • Connection Server Max connections
  • Average machine memory
  • Machine disk IO average latency
  • Machine Disk Transfers/sec
  • Machine Net Total

Per Horizon Connection Server, metrics such as the following are added:

  • Connection Server health
  • Number of Connection Servers
  • Active connections
  • External URL
  • Connection Server certificate valid
  • Connection Server certificate expiration date
  • License model
  • Connection Server version
  • Horizon Pod
  • Horizon Site

When installing the ControlUp agent on the Connection Servers or VDI desktop, the hypervisor and in-guest metrics are combined with the Horizon metrics.

Desktop Pools

Below the Connection Servers, the desktop pools are displayed.

Each desktop pool in the Horizon environment is displayed with metrics such as:

  • Pool name
  • Pool type
  • Stress level
  • Pool state
  • Provisioning enabled
  • Number of machines
  • Number of machines enabled
  • Sessions
  • Disconnects
  • Problem machines
  • Default protocol
  • Power policy
  • Logoff timeout

Per Horizon pool you can view the VDI desktops and Horizon sessions with metrics such as:

  • Pool name
  • Session type
  • Machine name
  • State
  • Session start time
  • Protocol
  • Desktop source
  • Client name
  • Horizon client version
  • Horizon agent version

And from the Horizon session you can dive deeper into the processes view to troubleshoot further.

The Virtual Expert in ControlUp includes Horizon-specific suggestions, for example the number of available desktops remaining in a desktop pool.

As you can see, the Horizon integration adds a lot of Horizon-specific metrics. All these metrics give great insight into what happens in the Horizon environment.

Automation

ControlUp can use automation to solve Horizon issues for you. For example, it is possible to check the Horizon Agent state of each VDI desktop. If the Horizon Agent state goes bad (agent unreachable, error, unknown or already used, for example) an automated action can be configured to resolve the problem. Automated actions are configured with triggers in ControlUp.

In this example (demoed by Trentent Tye), three automation triggers are created:

  • Trigger 1 fires after 10 minutes, action: restart the Horizon Agent if the Horizon Agent state is wrong
  • Trigger 2 fires after 15 minutes, action: restart the VM if the Horizon Agent state is still wrong
  • Trigger 3 fires after 20 minutes, action: cold boot the VM if the Horizon Agent state is still wrong

Trigger 1: after 10 minutes

When a VDI machine boots it has 10 minutes to register its Horizon Agent state with the Horizon Connection Server. A healthy VDI desktop reports the READY state and is available. After 10 minutes the trigger checks whether the Horizon Agent reports a wrong state such as:

  • UNKNOWN
  • *ERROR
  • ALREADY USED
  • DOMAIN FAILURE
  • AGENT UNREACHABLE

If the Horizon Agent state is wrong, the following action is executed: restart the VMware Horizon Agent.

The restart action is a PowerShell script that restarts the VMware Horizon Agent service.

It's easy to create your own scripted actions in PowerShell, VBS, BAT or CMD, and ControlUp itself offers a huge library of predefined and community scripts that can be used as well.
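
As an added example for this page (it is not the script from the demo or from ControlUp's library), this is what such a trigger 1 action can look like when written with the later triggers in mind: it restarts the agent service, waits for it to come back, writes an audit record and exits non-zero when the restart did not help, so that the 15- and 20-minute triggers have a clear reason to escalate to a VM restart. It assumes Windows PowerShell 5.1 on the VDI desktop (Write-EventLog is not available in PowerShell 7), that the Horizon Agent Windows service is named 'wsnm' (display name "VMware Horizon View Agent"), and an event source name of our own choosing; confirm the service name with Get-Service on your golden image.

```powershell
# Added example (not the ControlUp script from the post): the action run by
# trigger 1. Restart the Horizon Agent service, verify that it came back and
# exit non-zero if it did not, so the 15- and 20-minute triggers can escalate.
# Assumption: the Horizon Agent Windows service is named 'wsnm'
# (display name "VMware Horizon View Agent"); confirm with Get-Service.
param(
    [string] $ServiceName    = 'wsnm',
    [int]    $TimeoutSeconds = 60
)
$ErrorActionPreference = 'Stop'
$source = 'HorizonAgentRepair'   # assumed event source name for our own audit trail

function Write-AuditEvent {
    param([string] $Message, [int] $EventId, [string] $Type = 'Information')
    # Leave a record in the Application log so a restart can be correlated with user
    # complaints or a later incident; fall back to stdout (ControlUp captures it) if that fails.
    try {
        if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
            New-EventLog -LogName Application -Source $source
        }
        Write-EventLog -LogName Application -Source $source -EventId $EventId -EntryType $Type -Message $Message
    } catch { }
    Write-Output $Message
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    # A missing service is not something a restart fixes: report it and exit distinctly.
    Write-AuditEvent -Message "Service '$ServiceName' not found on $env:COMPUTERNAME" -EventId 1003 -Type Error
    exit 2
}
Write-AuditEvent -Message "Horizon Agent repair started; $ServiceName is $($svc.Status)" -EventId 1000

try {
    # -Force also restarts services that depend on the agent service.
    Restart-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
}
catch {
    Write-AuditEvent -Message "Restart of $ServiceName failed: $($_.Exception.Message)" -EventId 1002 -Type Error
    exit 1
}

$svc.Refresh()
if ($svc.Status -ne 'Running') {
    Write-AuditEvent -Message "$ServiceName did not reach Running within $TimeoutSeconds s (now $($svc.Status))" -EventId 1002 -Type Error
    exit 1
}
Write-AuditEvent -Message "$ServiceName restarted and Running" -EventId 1001
exit 0
```

The event IDs are arbitrary but stable, which makes it easy to count in the SIEM how often desktops needed repair per day and to notice when the repair itself starts failing (ID 1002), which is the point where the next trigger takes over.
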

Trigger 2: after 15 minutes

This trigger checks the same wrong Horizon Agent states as the 10-minute trigger. As an action, the VDI desktop VM is restarted (a guest OS restart) using a simple command.

Trigger 3: after 20 minutes

This trigger checks the same wrong Horizon Agent states as the 10-minute trigger. As an action, a hard reboot (cold boot) of the VDI desktop is executed using a simple command.

Because all the Horizon metrics are available, it is possible to check and repair the Horizon Agent states automatically. For IT departments, the morning checks can easily be automated to ensure the VDI desktops are ready to accept connections.

Besides the example above, there is a huge list of other Horizon items/metrics that can be used for automated actions. Here is a short overview of some:

This long list of Horizon metrics/items, combined with custom scripted actions, makes ControlUp very powerful.

Conclusion

ControlUp 8.1 adds native VMware Horizon integration and automatically discovers Horizon components such as Connection Servers, Cloud Pod Architecture (CPA), pools and sessions. This integration gives great insight into what happens in the Horizon environment. Using automated actions (triggers) with the Horizon metrics and scripted actions makes it a very powerful tool for automating operations and solving specific issues, as shown in the example above.

More information and a trial can be found here, link.