What’s new in VMware vSphere 7

vSphere 7 is built to support modern applications and the hybrid cloud. In the coming years, enterprises will build more and more applications using cloud-native tools and methods, and deploying and managing these modern applications adds a lot of complexity. vSphere 7 with Kubernetes (formerly known as Project Pacific) is based on VMware Cloud Foundation 4 (VCF) and will help with this complexity. The developer no longer needs to deal with infrastructure, and the VI Admin can provision and manage the infrastructure workloads with the same tools they already know.

VMware Cloud Foundation 4 is a full software-defined infrastructure with compute (vSphere 7), network (NSX-T), storage (vSAN 7), and management (vRealize 8.1). This modern infrastructure is meant for deploying Kubernetes at cloud scale.

Besides Kubernetes on VMware Cloud Foundation, vSphere 7 adds improvements in these three key areas:

  • Simplified Lifecycle Management
  • Intrinsic Security
  • Application Acceleration

Here is an overview of the new improvements in these three key areas:

vCenter Server

  • vCenter Server Profiles. Profiles can import and export the vCenter Server configuration via REST APIs (management, network, authentication and user configurations). This is not the same as Host Profiles: these are the settings you can make in the vCenter Server Appliance Management Interface (VAMI). With this, you can maintain version control between vCenter Servers (a maximum of 100 vCenter Servers is supported).

  • vCenter Server Multi-Homing is now officially supported. A maximum of 4 NICs is supported per vCenter Server. vCenter Server NIC1 is reserved for vCenter HA (vCHA).
  • vCenter Server Scalability Enhancements. The scalability is improved as in each new release (for more information you can refer to the configmax.vmware.com website).

  • vCenter Server CLI tools. The vSphere SSO domain consolidation tool (cmsso-util) has been simplified. The repointing option is gone; you now use the ‘unregister’ and ‘domain-repoint’ arguments for that.
  • Content Library VM template versioning. Templates now support check-in/check-out and versioning. When editing a VM template, you check out the template, make your changes and check the template back in. After that, you see the versioning (history) information.

  • Automatic migration of a vCenter Server external Platform Services Controller (PSC). When migrating a vCenter Server with an external Platform Services Controller (PSC), it is automatically converged to a vCenter Server with an embedded Platform Services Controller. The vCenter Server converge tool is no longer available from the ISO.
  • vCenter Server Update Planner. vCenter Server Update Planner is a new tool that helps with discovering, planning and upgrading a vCenter Server. In the vSphere Client you receive notifications when an upgrade or update is available. The cool thing is that it detects installed VMware products and shows whether they are compatible or not.

vSphere Lifecycle Manager (vLCM)

  • Single cluster Image Manager. This is all about consistency across ESXi hosts in a cluster. The desired state of a cluster can be managed with this model, also known as single image management. When a host is (no longer) compliant, you can remediate it to the desired state. Host firmware management can be done from within vSphere and works in conjunction with vendor management tools like Dell OpenManage and HPE OneView. The VMware Compatibility Guide (VCG) and Hardware Compatibility List (HCL) checks remove the risk of unsupported drivers and firmware levels. Single image cluster management is available in the GUI and the REST API. vSphere Lifecycle Manager includes desired state vSAN management.

Hardware & Performance

  • Improved Distributed Resource Scheduler (DRS). In earlier releases of vSphere, DRS used a cluster-wide standard: resources had to be equally utilized across the cluster. With vSphere 7, DRS is improved and uses a workload-centric standard, so it is ready for modern applications. In the screenshot, you see the old DRS and the improved DRS standard with the VM DRS score. The VM DRS score is the new metric used to migrate or balance workloads across the cluster. It is calculated from the following performance, capacity and migration metrics:
    • CPU %RDY (Ready) time
    • Memory swap (overcommit)
    • CPU cache behavior
    • Headroom for the workload to burst
    • Migration cost

  • DRS Scalable Shares: Relative resource entitlement compared to other resource pools, depending on the number of VMs in the resource pool. Setting a share level to ‘high’ ensures prioritization over VMs with lower share entitlements. The share allocation changes dynamically when spinning up more VMs. This is not enabled by default in vSphere 7.
  • Assignable Hardware. It’s a framework that allows Dynamic DirectPath I/O (which supports NVIDIA GRID vGPU devices) to use vSphere HA and DRS for initial placement. In earlier releases of vSphere, a VM with a pass-through device was stuck on its host. Assignable Hardware requires VM hardware version 17. When powering on a VM with an NVIDIA vGPU profile, DRS checks whether it can place that VM with the vGPU profile on another host. DRS load balancing of Dynamic DirectPath I/O devices is not available yet, so it is only used for the initial placement of the VM.

  • vMotion. vMotion is improved so that it reduces the performance impact on large (monster) VMs during a vMotion. This brings back vMotion capabilities for large workloads like SAP HANA or Oracle.
  • Enhanced vMotion Compatibility (EVC). vSphere 7 adds support for the Intel Cascade Lake and AMD Zen 2 generations.
  • Virtual Machine Hardware version 17. VM hardware version 17 is needed when using Assignable Hardware. Other new features in HW v17 are:
    • Watchdog Timer: Without a watchdog timer, guest OSes and applications have no way of knowing that they have crashed. A watchdog timer helps by resetting the VM if the guest OS is no longer responding. This is important for clustered applications like databases and filesystems.
    • Precision Time Protocol (PTP): This is for applications that require sub-millisecond accuracy, such as financial and scientific applications. PTP requires both the in-guest device and the ESXi service to be enabled. You choose between NTP and PTP for the entire ESXi host.

Security & Compliance

  • vSphere Software Guard Extensions (vSGX). This is called hardware protection for secrets. It allows applications to work with the hardware to create a secure enclave that cannot be viewed by the guest OS or the hypervisor. Applications can move sensitive logic and storage into this enclave. This is only supported on Intel hardware.
  • Improved Certificate Management. In vSphere 6.x you have a lot of certificates. In vSphere 7 the certificate management is much simpler, and you can manage the vCenter Server certificates programmatically by using APIs.
  • vSphere Trust Authority (vTA). This is all about securing the vSphere infrastructure: how do we trust that our hosts are configured correctly? vTA takes care of this.
  • Identity Federation. Standards-based federated authentication with an enterprise identity provider (IdP) such as ADFS. This reduces the audit scope and the vSphere admin’s workload. SSO still exists.


vSAN 7.0 

  • Simpler Lifecycle Management. See the vSphere Lifecycle Manager (vLCM) paragraph above for more details on this.
  • Native File Services. The integrated file services are built into the hypervisor and provide support for the NFS v3 and v4.1 protocols. They are managed in vSAN and provide file shares within the vSAN cluster. The purpose of the integrated file services is to address the file share needs of traditional and cloud-native workloads on a vSAN cluster, so they are not built to replace a large filer.

  • Enhanced Cloud Native Storage. Integration of Kubernetes running on vSphere and vSAN using file-based persistent volumes.


Besides these main improvements, there are dozens of other great enhancements on operations, efficiency, and management level. My favorite vSphere 7 improvement is the vSphere Lifecycle Manager (vLCM) enhancement because it makes updating and maintaining vSphere clusters (with vSAN) a lot easier using the desired state model.

Upgrading a vCenter Server Appliance (VCSA) to version 6.7

Last week VMware launched vSphere 6.7. In this blog post I show how easy it is to upgrade a vCenter Server 6.x appliance to a new vCenter Server 6.7 appliance using the graphical interface (GUI) upgrade. The GUI upgrade uses a two-stage process:

  • Stage 1: Deploy a new vCenter Server 6.7 appliance
  • Stage 2: Transfer the services and configuration data from the old to the new appliance

Upgrading the vCenter Server Appliance includes deploying a new appliance (version 6.7). The configuration and data are transferred from the old (6.0 or 6.5) appliance to the new vCenter Server 6.7 appliance. The old appliance is still available in a powered-off state in the vCenter Server inventory after the upgrade.

vSphere 6.7 is the last release to include vCenter Server for Windows. After this release, vCenter Server for Windows will not be available! So make sure that all new deployments and upgrades use the vCenter Server Appliance (VCSA)!

New enhancements

Some cool enhancements of the vCenter Server 6.7 appliance are:

  • The vCenter Server with Embedded PSC supports Enhanced Linked Mode. This gives the following benefits:
    • No load balancer required for high availability and fully supports native vCenter Server High Availability.
    • SSO Site boundary removal provides flexibility of placement.
    • Supports vSphere scale maximums.
    • Allows for 15 deployments in a vSphere Single Sign-On Domain.
    • Reduces the number of nodes to manage and maintain.
  • vSphere 6.7 supports repointing a vCenter Server to another external Platform Services Controller in the same SSO site or in a different SSO site within the same SSO domain.
  • vSphere 6.7 supports repointing a vCenter Server (Appliance only) to another external Platform Services Controller in a different SSO domain.
  • The vSphere Appliance Management Interface (VAMI) on port 5480 has some great new enhancements:
    • Upgraded Clarity interface
    • Dedicated monitor tab
    • Services tab. See the status of the VCSA services and the ability to: stop, start and restart services. So no CLI is needed for that anymore!
    • Backup scheduler. The backup scheduler lets you schedule a backup of the VCSA and select how many backups are retained. The supported protocols for backup locations are: FTP, FTPS, HTTP, HTTPS and SCP.
  • The vSphere Client (HTML5) has been updated and includes new workflows for, for example, Update Manager and vSAN.

Before upgrading

Before upgrading make sure to check this:

  • Check the compatibility of the VMware and third party products you are using. When writing this blog the following VMware products are not compatible (yet) with vSphere 6.7:
    • NSX
    • Horizon. Horizon 7.4 is not compatible with the Instant Clone API used in vSphere 6.7. Instant Clone support for vSphere 6.7 will be available in an upcoming Horizon release.
    • VMware Integrated OpenStack (VIO)
    • VMware vSphere Integrated Containers (VIC)
    • vCloud Director
  • For the upgrade order of multiple VMware products see the “Update sequence for vSphere 6.7 and its compatible VMware products (53710)” KB, link
  • It’s only possible to upgrade the vCenter Server Appliance version 6.0 or 6.5 to 6.7.
  • It’s not supported to upgrade from 6.5 U2 to 6.7! It will be provided in a future release! With vSphere 6.7 Update 1 (not available yet) it’s possible to upgrade from vSphere 6.5 U2 to vSphere 6.7 U1.
  • For vSphere 5.5 you must first upgrade to vSphere 6 or vSphere 6.5 before upgrading to vSphere 6.7
  • Make sure you have enough capacity in the cluster to add an extra vCenter Server Appliance (VCSA). The old appliance can be removed when the upgrade is successful. Here’s an overview of the hardware specifications needed.
  • In vSphere 6.7, only TLS 1.2 is enabled by default. vSphere 6.7 disables the TLS 1.0 and TLS 1.1 protocols for improved security. Some applications might support only the older protocols. To re-enable TLS 1.0 and TLS 1.1, use the TLS Reconfigurator tool. The tool can be found in the appliance under: /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator.
  • Windows 2003 and XP are no longer supported.
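To verify the TLS state described above (for example after the upgrade, or after running the TLS Reconfigurator to re-enable an older protocol), here is an added PowerShell check that is not part of the original post. It opens a TLS handshake against the vSphere Client endpoint (443) and the VAMI (5480) with one protocol version at a time; the vCenter FQDN is a placeholder.

```powershell
# Added example (not from the original post): probe which TLS versions a vCenter
# endpoint accepts. The FQDN below is a placeholder; 443 is the vSphere Client/API
# endpoint and 5480 the VAMI mentioned in the post.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # The validation callback returns $true on purpose: this probe tests protocol
        # support only and does not validate the server identity. Do not reuse it as a client.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{ Endpoint = "$ComputerName`:$Port"; Offered = $Protocol
                           Accepted = $true; Negotiated = $ssl.SslProtocol }
    } catch {
        # A failed handshake means the appliance refused the version, OR the local
        # .NET/Schannel configuration itself no longer allows it; check the client if in doubt.
        [pscustomobject]@{ Endpoint = "$ComputerName`:$Port"; Offered = $Protocol
                           Accepted = $false; Negotiated = $null }
    } finally {
        $client.Dispose()
    }
}

$vcenter = 'vcsa.example.local'   # placeholder FQDN of the upgraded appliance
$results = foreach ($port in 443, 5480) {
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {   # TLS 1.0, 1.1 and 1.2
        Test-TlsProtocol -ComputerName $vcenter -Port $port -Protocol $proto
    }
}
$results | Format-Table -AutoSize

# vSphere 6.7 disables TLS 1.0 and 1.1 by default, so any accepted Tls or Tls11
# handshake means the legacy protocols were re-enabled with the reconfigurator.
$legacy = $results | Where-Object { $_.Accepted -and $_.Offered -ne 'Tls12' }
if ($legacy) {
    Write-Warning "Legacy TLS still accepted on: $(($legacy.Endpoint | Sort-Object -Unique) -join ', ')"
}
```

Run it before and after the upgrade to confirm which dependent applications stop working because they only speak TLS 1.0/1.1, instead of discovering it from failed integrations afterwards.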

Platform Services Controller (PSC) hardware sizing

Option                        Environment   vCPU   Memory (GB)   Default Storage (GB)
Platform Services Controller  -             2      4             60

vCenter Server Appliance (VCSA) hardware sizing

Option    Environment                    vCPU   Memory (GB)   Default Storage (GB)
Tiny      Up to 10 hosts or 100 VMs      2      10            250
Small     Up to 100 hosts or 1000 VMs    4      16            290
Medium    Up to 400 hosts or 4000 VMs    8      24            425
Large     Up to 1000 hosts or 10000 VMs  16     32            640
X-Large   Up to 2000 hosts or 35000 VMs  24     48            980

  • Use a temporary fixed IP address
  • Make sure that you have the SSO administrator and root account information of the existing VCSA
  • Have a backup of the VCSA
  • Disable Fully Automated DRS during the upgrade
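The sizing table and the checklist above can be turned into a scripted pre-upgrade check. The PowerCLI example below is added here and is not part of the original post: it counts hosts and VMs in the source vCenter, picks the appliance size from the table, checks that the target datastore has room for the default disk of that size (the old appliance keeps running until stage 2), and sets DRS to Manual on the management cluster. The vCenter, datastore and cluster names are placeholders.

```powershell
# Added example (not from the original post). Placeholders: sourcevc.example.local,
# 'vcsa-datastore', 'mgmt-cluster'.
Import-Module VMware.PowerCLI

# VCSA sizing table from the post: limits, vCPU, memory (GB) and default storage (GB)
$vcsaSizes = @(
    [pscustomobject]@{ Size = 'Tiny';    MaxHosts = 10;   MaxVMs = 100;   vCPU = 2;  MemoryGB = 10; StorageGB = 250 }
    [pscustomobject]@{ Size = 'Small';   MaxHosts = 100;  MaxVMs = 1000;  vCPU = 4;  MemoryGB = 16; StorageGB = 290 }
    [pscustomobject]@{ Size = 'Medium';  MaxHosts = 400;  MaxVMs = 4000;  vCPU = 8;  MemoryGB = 24; StorageGB = 425 }
    [pscustomobject]@{ Size = 'Large';   MaxHosts = 1000; MaxVMs = 10000; vCPU = 16; MemoryGB = 32; StorageGB = 640 }
    [pscustomobject]@{ Size = 'X-Large'; MaxHosts = 2000; MaxVMs = 35000; vCPU = 24; MemoryGB = 48; StorageGB = 980 }
)

function Get-VcsaSize {
    # Smallest size whose limits cover both the host count and the VM count
    param([int]$HostCount, [int]$VmCount)
    $vcsaSizes | Where-Object { $_.MaxHosts -ge $HostCount -and $_.MaxVMs -ge $VmCount } |
        Select-Object -First 1
}

# Prompt for the SSO administrator instead of storing the password in the script
$vc = Connect-VIServer -Server 'sourcevc.example.local' -Credential (Get-Credential -Message 'vCenter SSO administrator')

$hosts = @(Get-VMHost -Server $vc)
$vms   = @(Get-VM -Server $vc)
$size  = Get-VcsaSize -HostCount $hosts.Count -VmCount $vms.Count
if (-not $size) { throw "Inventory ($($hosts.Count) hosts, $($vms.Count) VMs) exceeds the largest VCSA size." }
"Inventory: $($hosts.Count) hosts, $($vms.Count) VMs -> $($size.Size) appliance " +
    "($($size.vCPU) vCPU, $($size.MemoryGB) GB RAM, $($size.StorageGB) GB disk)"

# Both appliances exist side by side until stage 2 finishes, so check free space for the new one
$datastore = Get-Datastore -Name 'vcsa-datastore' -Server $vc
if ($datastore.FreeSpaceGB -lt $size.StorageGB) {
    Write-Warning ("{0} has {1} GB free, below the {2} GB default disk of a {3} appliance." -f
        $datastore.Name, [math]::Round($datastore.FreeSpaceGB), $size.StorageGB, $size.Size)
}

# Checklist item: disable Fully Automated DRS on the cluster that hosts the VCSA during the upgrade
$cluster = Get-Cluster -Name 'mgmt-cluster' -Server $vc
if ($cluster.DrsEnabled -and $cluster.DrsAutomationLevel -eq 'FullyAutomated') {
    Set-Cluster -Cluster $cluster -DrsAutomationLevel Manual -Confirm:$false | Out-Null
    "DRS on $($cluster.Name) set to Manual for the upgrade; set it back to FullyAutomated afterwards."
}

Disconnect-VIServer -Server $vc -Confirm:$false
```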

The upgrade steps

In the following steps a single vCenter Server Appliance with an embedded PSC and vCenter Server role will be upgraded to version 6.7.

  • Mount the VCSA ISO (VMware-VCSA-all-6.7.0-8217866.iso)
  • Navigate to the <drive letter>:\vcsa-ui-installer\win32\ folder and open the installer.exe
  • Choose the upgrade option. With this option you can upgrade a PSC or vCenter Server appliance.

  1. The upgrade process enters “stage 1”: deploy the appliance.

  2. Accept the End User License Agreement.

  3. Connect to the source vCenter Server 6.x appliance and ESXi server. Enter the SSO and root credentials of the VCSA and the credentials of the ESXi server that manages the source appliance. Accept the certificate warning.

  4. Select the deployment target. I use the same ESXi host where the source VCSA is running. Accept the certificate warning.

  5. Set up the target appliance VM name and root password. The upgrade will maintain the original FQDN of the VCSA. This name will be used as the VM name in the VCSA inventory and can be changed later!

  6. Select the size of the new appliance.

  7. Select the datastore.

  8. Configure the network settings. Make sure to use a new, temporary IP address for the upgrade. After the upgrade the new appliance will use the original IP address!

  9. Click Finish to start stage 1.

  • After a while the following message appears and you’re ready to continue to stage 2.

  1. Introduction. Stage 2 copies the data from the source vCenter Server Appliance to the newly deployed appliance.

  2. A pre-upgrade check runs. After it has finished, warning messages are shown, such as:
    • Disable Fully Automated DRS during the upgrade
    • Files that cannot be used with Update Manager 6.7 will not be copied from the source.
    • An NSX extension has been found that may not work after the upgrade

  3. Select the data types that need to be migrated. A cool new thing is that the estimated time involved is displayed for the configuration data.

  4. Configure the VMware Customer Experience Improvement Program (CEIP).

  5. Ready to start stage 2 by selecting “I have backed up the source vCenter Server and all the required data from the database”.

  • A shutdown warning is displayed: the source VCSA will be shut down.

  • The data transfer and appliance setup are running.

  • A couple of messages are displayed, for example about Auto Deploy and that TLS 1.0 and TLS 1.1 are disabled in vSphere 6.7.

  • Stage 2 is completed and the vCenter Server Appliance is deployed.

  • Now you can access the vCenter Server by using the vSphere Client (HTML5), the vSphere Web Client or the VMware Appliance Management Interface, using the original FQDN of the vCenter Server Appliance.

After the upgrade, the VCSA runs version 6.7.

vMotion between two vCenter Servers with different SSO domains

Last week I did my first vMotion between two vCenter Servers with different SSO domains by using PowerCLI. This functionality is also known as “cross vCenter vMotion” and is not included in the vSphere Web Client yet. Without downtime it’s possible to live migrate VMs from one vCenter Server to another. Cool stuff!

Before starting the following requirements must be met:

  • VMware vSphere 6.0 and later for the source and destination environment
  • PowerCLI 6.5 and later
  • vSphere Enterprise Plus license per ESXi host
  • An active connection to the source and destination vCenter Server

I created a simple script to vMotion VMs between the two SSO domains. See the “More information” section for more advanced PowerCLI scripts from, for example, William Lam and Romain Decker.

In the script the following variables must be defined:

  • Source vCenter Server, username and password
  • Destination vCenter Server, username and password
  • Name of the VM that will be moved
  • Destination vSwitch
  • Destination Portgroup
  • Destination datastore

Only VMs with one NIC are supported by this script.

PowerCLI example script

Import-Module VMware.PowerCLI

# Variables
# Note: the passwords are kept in clear text here for simplicity; in production
# prefer Get-Credential or a credential store over storing them in the script.
$sourceVC = 'sourcevc'
$sourceVCUsername = 'administrator@vsphere.local'
$sourceVCPassword = 'password!'

$destVC = 'destinationvc'
$destVCUsername = 'administrator@vsphere.local'
$destVCPassword = 'password'
$destESXi = 'destinationesxi'

$vmname = 'vmname'
$Switchname = 'destinationswitch'
$NetworkName = 'destinationvlan'
$datastorename = 'destinationdatastore'

# Connect to both vCenter Servers. Because two connections are open at the same
# time, every Get-* call below is scoped to the right one with -Server.
$sourceVCConn = Connect-VIServer -Server $sourceVC -User $sourceVCUsername -Password $sourceVCPassword
$destVCConn = Connect-VIServer -Server $destVC -User $destVCUsername -Password $destVCPassword

# Source VM and its (single) network adapter
$vm = Get-VM -Name $vmname -Server $sourceVCConn
$networkAdapter = Get-NetworkAdapter -VM $vm -Server $sourceVCConn

# Destination host, port group on the destination standard vSwitch, and datastore
$destination = Get-VMHost -Name $destESXi -Server $destVCConn
$destinationPortGroup = Get-VirtualPortGroup -VirtualSwitch $Switchname -Name $NetworkName -VMHost $destination
$destinationDatastore = Get-Datastore -Name $datastorename -Server $destVCConn

# Cross vCenter vMotion: compute, network and storage are moved in one operation
Move-VM -VM $vm -Destination $destination -NetworkAdapter $networkAdapter -PortGroup $destinationPortGroup -Datastore $destinationDatastore

With this script I migrated a couple of VMs between two vSphere 6.5 environments with different SSO domains without any downtime.
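As an added example that is not part of the original post, the variant below does the same cross vCenter vMotion but prompts for the two sets of credentials instead of storing passwords in the script, and maps every NIC of the VM to its own destination port group, so the one-NIC limitation of the script above does not apply. All server, VM, switch, port group and datastore names are placeholders, and it assumes Move-VM connects the adapters passed in -NetworkAdapter to the port groups passed in -PortGroup in the same order.

```powershell
# Added example (not from the original post). Placeholders: all names below.
Import-Module VMware.PowerCLI

$sourceVC = 'sourcevc.example.local'
$destVC   = 'destinationvc.example.local'
$destESXi = 'destinationesxi.example.local'
$vmName   = 'vmname'
$datastoreName = 'destinationdatastore'
$switchName    = 'destinationswitch'
# Source port group name -> destination port group name on $switchName (one entry per VLAN)
$portGroupMap = @{ 'sourcevlan10' = 'destinationvlan10'; 'sourcevlan20' = 'destinationvlan20' }

# Prompt for credentials so nothing sensitive ends up in the script file or in source control
$sourceVCConn = Connect-VIServer -Server $sourceVC -Credential (Get-Credential -Message "Source vCenter $sourceVC")
$destVCConn   = Connect-VIServer -Server $destVC   -Credential (Get-Credential -Message "Destination vCenter $destVC")

$vm       = Get-VM -Name $vmName -Server $sourceVCConn
$adapters = @(Get-NetworkAdapter -VM $vm -Server $sourceVCConn)
$destHost = Get-VMHost -Name $destESXi -Server $destVCConn
$destDs   = Get-Datastore -Name $datastoreName -Server $destVCConn

# Resolve a destination port group for every adapter, in adapter order; stop on any unmapped NIC
$destPortGroups = foreach ($nic in $adapters) {
    $target = $portGroupMap[$nic.NetworkName]
    if (-not $target) { throw "No destination port group mapped for $($nic.Name) on '$($nic.NetworkName)'" }
    Get-VirtualPortGroup -VMHost $destHost -VirtualSwitch $switchName -Name $target
}
"Moving $($vm.Name) with $($adapters.Count) NIC(s) to $destESXi on $datastoreName"

# Cross vCenter vMotion; adapters and port groups are matched pairwise by position
Move-VM -VM $vm -Destination $destHost -Datastore $destDs `
        -NetworkAdapter $adapters -PortGroup $destPortGroups | Out-Null

# Verify the result in the destination inventory before trusting the migration
$moved = Get-VM -Name $vmName -Server $destVCConn -ErrorAction SilentlyContinue
if ($moved -and $moved.PowerState -eq 'PoweredOn') {
    "Migration of $vmName completed; the VM is running in $destVC"
} else {
    Write-Warning "$vmName not found or not powered on in $destVC; check the task in both vCenter Servers"
}

Disconnect-VIServer -Server $sourceVCConn, $destVCConn -Confirm:$false
```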

More information:

  • PowerCLI blog on the Move-VM cmdlet, link
  • William Lam, Automating Cross vCenter vMotion, link
  • Romain Decker, Cross vCenter vMotion script, link