Tag Archive for VMware

Assigning vCenter Permissions and Roles for DRS Affinity Rules


Today I was looking at a permissions element for a solution. The requirement was to provide a customer with sufficient permissions to be able to configure host and virtual machine affinity / anti-affinity groups in the vCenter console themselves, without providing any more permissions than absolutely necessary.

After spending some time trawling through vCenter roles and permissions, I couldn’t immediately find the appropriate setting; certainly nothing specifically relating to DRS permissions. A bit of Googling and Twittering also yielded nothing concrete. I finally found that the key permission required to allow users to create and modify affinity groups is the “Host \ Inventory \ Modify Cluster” privilege. Unfortunately, using this permission is a bit like using a sledgehammer to crack a nut!


Granting the Modify Cluster privilege also provides sufficient permissions to enable, configure and disable HA, modify EVC settings, and change pretty much anything you like within DRS. All of these settings are relatively safe to modify without risking uptime (though they do present some risk in the event of unexpected downtime); what is far more concerning is that this privilege also allows you to enable, configure and disable DPM! It doesn’t take a great deal of imagination to come up with a scenario where, for example, a junior administrator accidentally enables DPM on your cluster, a large percentage of your estate unexpectedly shuts down overnight without the appropriate config to boot back up, and all hell breaks loose at 9am!

The next question then becomes: how do you ensure that this scenario is at least partly mitigated? Well, it turns out that DPM can be controlled via vCenter Scheduled Tasks. Based on that, the potential workaround for this solution is to enable the Modify Cluster privilege for the users in question, then set a scheduled task to auto-disable DPM on a regular basis (such as hourly). This should at least minimise the risk, without necessarily eradicating it. Not ideal, but it would work. I’m not convinced that this would be such a great idea for use on a critical production system. Certainly some key training before letting anyone loose in vCenter, even with “limited” permissions, is always a good idea!
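As an added example (not from the original post), the following PowerCLI script does two things a vSphere admin applying this workaround would want: it audits which roles and principals hold the Modify Cluster privilege on a cluster, and it enforces DPM off, which is the same effect as the scheduled task above but scripted so it can be run from any scheduler. It assumes PowerCLI is installed, an existing Connect-VIServer session, a placeholder cluster name, and that the privilege ID `Host.Inventory.EditCluster` is the one shown in the UI as “Modify Cluster”.

```powershell
# Added example, not the original post's code. Assumes an active
# Connect-VIServer session and PowerCLI. Replace the placeholder cluster name.
$clusterName = 'CLUSTER-NAME-PLACEHOLDER'   # assumption: your cluster's name
$cluster     = Get-Cluster -Name $clusterName

# 1. Audit: which roles carry Modify Cluster (privilege ID Host.Inventory.EditCluster),
#    and which principals hold those roles on this cluster.
$sledgehammerRoles = Get-VIRole |
    Where-Object { $_.PrivilegeList -contains 'Host.Inventory.EditCluster' }
foreach ($role in $sledgehammerRoles) {
    Write-Host "Role '$($role.Name)' grants Modify Cluster"
}
Get-VIPermission -Entity $cluster |
    Where-Object { $sledgehammerRoles.Name -contains $_.Role } |
    Select-Object Principal, Role, Propagate |
    Format-Table -AutoSize

# 2. Enforce: turn DPM off if anyone has switched it on since the last run.
$dpm = $cluster.ExtensionData.ConfigurationEx.DpmConfigInfo
if ($dpm -and $dpm.Enabled) {
    Write-Warning "DPM is enabled on '$clusterName'; disabling it"
    $spec = New-Object VMware.Vim.ClusterConfigSpecEx
    $spec.DpmConfig = New-Object VMware.Vim.ClusterDpmConfigInfo
    $spec.DpmConfig.Enabled = $false
    # $true = merge this spec into the existing cluster config rather than replace it
    $cluster.ExtensionData.ReconfigureComputeResource_Task($spec, $true) | Out-Null
} else {
    Write-Host "DPM is already disabled on '$clusterName'"
}
```

Scheduling this hourly (Windows Task Scheduler or cron on a PowerCLI host) gives the same coverage window as the vCenter scheduled task, with the audit output doubling as a record of who could have re-enabled DPM.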

I have tested this in my homelab on vSphere 5.5 and it seems to work pretty well. I don’t have vSphere 6 set up in my homelab at the moment, so can’t confirm if the same configuration options are available, however it seems likely. I’ll test this again once I have upgraded my lab.

It would be great to see VMware provide more granular permissions in this area, as even basic affinity rules such as VM-VM anti-affinity are absolutely critical in many application solutions to ensure resilience and availability of services such as Active Directory, Exchange, web services, etc. To allow VM administrators to achieve this, it should not be necessary to start handing out sledgehammers to all and sundry! :)

If anyone has any other suggested solutions or workarounds to this, I would be very interested to hear them. Fire me a message via Twitter, and I will happily update this post with any other suggested alternatives. Unfortunately, due to inundation with spam, I removed the ability to post comments from my site back in 2014. Sigh.


Free vSphere 6 Training! (Yes this title is blatant click bait!)


Yes, I fully admit that this article is click bait, but I can promise you that attending the event below will help you learn all about VMware’s latest and greatest release (and a few other things besides), as well as giving you the opportunity to network with some awesome like-minded individuals!

The event agenda is below and follows the usual mix of vendor sponsors and top notch community sessions, followed by a couple of cheeky lemonades at the vBeers event at the Pavilion End at the end of the day.

As an added bonus it seems that the night before the meeting, the crew from TECHUnplugged will be in town and everyone is invited to a vWhatever session (vBeers, vWine, vCurry, vWhatever!), location TBC. Keep an eye on Jane Rimmer’s blog for more info!

London VMUG 23rd April 2015 Agenda

I am hoping to be at the event, having only missed one in about the last 3 years, so if you do spot me there (I’m the 6’7” Scottish bloke)!

HP Discover Europe 2014 – Day 2 Roundup


Day 2 started early with the first sessions beginning around 8.30am. I won’t bore you with the details of my day, but I will go through three really great new products / features I spent time learning about. Much of the info below came from slides, or discussions with product managers / engineers, so should not be taken as gospel!

HP OneView
I have to admit I have been a little lax in having a look at OneView as yet. I took the opportunity at the event to have a chat with some of the OneView engineers, and take the hands on lab. If you haven’t already done so, and you have any HP kit on premises, I strongly suggest you take a look at this product! I’m not going to go into any depth here, except to describe one of my favourite features.

OneView has the ability to connect into your servers, storage, and fabric, then auto-deploy, configure and manage your environment, end-to-end. An example of this might be if you are provisioning a new server. OneView can create new volumes based on specific policies, auto-configure all of your SAN zoning between your server initiator and targets (with single initiator, multiple target or single initiator, single array options only for now), then build the OS, configure and mount the storage on the server. How cool is that?

HP OneView

This is currently based on a specific subset of vendors, mainly only HP and Brocade AFAIK, but other vendors are being added in the future.

Having played with it in the lab, I can confirm that it is pretty easy to learn and use, with most information and configuration laid out reasonably intuitively in the BUI.

For more information on OneView see HP’s site.

ProLiant Gen9 Features
As I understand it, one of the key strategies behind the new ProLiant range is to ensure that HP are not losing on price / value against some of their less pricey competitors (who shall of course remain nameless as you know who they are already!). The premise here is that instead of buying top of the range servers with all the wizardry built in by default (with an appropriately top of the range price!), you can start with a base unit and only add the features you actually need. A prime example of this being that you don’t need a storage controller if you just boot from USB for a hypervisor!

This strategy has led to the removal by default (you can configure them back again) of things like 10Gb FlexibleLOM network ports and front panel fault indicators, and the onboard RAID card is now a plug-in module. The theory is that the Gen 9 servers, though newer, should actually come in at a better price point than their Gen 8 ancestors. The marketing spiel is that the new Gen 9 servers deliver “the right compute for the right workload at the right economics every time”.

HP Gen 9

Cheesy marketing slogan? Absolutely!

Do they seem to deliver on this? From some of the indicative pricing I’ve seen so far, I’d say yes…

Just as a quick overview of the new ranges:

  • 10 Series (DL60 / DL80 Gen 9)
    • The 10 series is designed to be an entry level model for SMBs. These also now come with dual PSU as a CTO option, which suddenly makes them a lot more attractive in my mind.
  • 100 Series (DL160 / DL180 Gen 9)
    • This is not the same as the old 100 series machines from the G7 era and before. It is effectively equivalent to a DL3x0e (entry) machine in the previous generation ranges.
  • 300 Series (DL360 / DL380 Gen 9)
    • This now equates to the original DL3x0p series of machines, and has the maximum scalability and performance in mind.

The following (poor photo, sorry) is a great slide which just lists out the key differences between each model in the range:

HP Proliant DL80/180/380 Gen 9

I suggest checking the quick specs for more info!

3PAR File Personas
One of my favourite announcements from the entire event (apart from The Machine, which I will do a post on some time in the future) was File Personas, and I was able to gather some more info on it.

The first, most notable fact was that HP are so confident in the resilience of their new arrays that they are offering a 99.9999% Availability Guarantee! Many SLAs in the IT industry are not necessarily a guarantee of a claimed level of availability, but more a level of commercial risk accepted by the vendor or provider. That said, going with “Six Nines” definitely shows belief in your product set!

HP 3PAR File Personas

A few nuggets of info I gleaned from attending the File Personas breakout session were as follows:

  • Priority Optimisation will work but is not currently certified as supported. The following technologies are inherited from block persona, and are supported from day one:
    • Wide striping
    • Replication
    • Thin Provisioning
  • From a multi-tenancy perspective, the initial release will only support one Active Directory source per array (not per Virtual File Server), as the controllers each have machine accounts in your domain. This is somewhat disappointing for a service provider who always asks “can it be multi-tenanted?”. It will provide up to 4 IPs per virtual file server, and these can be on separate VLANs and trusts may be used, so there is some scope for flexibility.
  • Licensing and configuration of virtual file servers is always based on multiples of 1TiB (note TiB not TB), but you can then use quotas to subdivide your file store allocations below this.
  • The $129 per TiB is based on the amount allocated to a virtual file server, irrespective of the back end storage or thin provisioning utilisation. You will not be forced to license the entire array. For example:
    • You have an array with say 100 TiB of usable space
    • 10TiB allocation to a virtual file server
    • 5TiB in use by end user files
    • 10TiB of license required

The price point seems genuinely good value to me. Compared to the cost of purchasing, powering and managing something like a Windows File Server Cluster, it’s really a no-brainer!

That should just about do it for today! Final day tomorrow will be mainly comprised of a few more sessions followed by a looooong wait for my flight home…

Disclaimer: As an HP customer, HP kindly provided my accommodation and entry to the HP discover event, but there was no expectation or request for me to write about their products or services.
