Kraft & Kennedy, Inc. provides technology and strategic consulting services to law firms, corporate legal departments and financial services firms. We can help you analyze, plan, implement and manage business and technology solutions to optimize your organization's functionality and processes.
Quite a while back I saw that Eric Sloof had figured out how to add his Twitter feed directly into the VI Client. I thought it was clever but didn’t really give it much more thought than that.
Today I decided to take that concept and extend it to systems that you might manage alongside your VI3/vSphere environment. Storage management seemed like the obvious first choice.
For quite a while there has been confusion over how VMware’s Transparent Page Sharing (TPS) feature works with vSphere 4 running on Nehalem (or other modern) processors. Many people were noticing that it appeared that TPS was not actually working anymore and looked for ways to fix the problem.
In my recent post on the effects of ASLR in vSphere the comments turned into a discussion about TPS on modern processors. And there are countless posts about this issue on the VMTN forums where folks are looking for a fix. In reality nothing is broken and there is no need to fix the issue.
When VMware released vSphere 4 last year, one of the changes they made was a completely re-written software iSCSI initiator. This was done to optimize performance which is great considering how popular iSCSI SANs have become. They also gave the ability to use Round Robin MPIO (multipathing) in the software initiator in addition to Fixed Path and MRU which were previously available.
I’m working on a vSphere implementation using Dell EqualLogic SANs and wanted to configure Round Robin on all of my datastores. Dell has a great whitepaper on how to set this up, but unfortunately the document fails to mention one key thing: this doesn’t change the default path selection plugin (PSP) from Fixed to Round Robin. That means that you’ll have to set the multipathing policy to Round Robin on all of your existing datastores and will have to remember to do that on all future datastores. When you’ve got multiple ESX hosts with lots of datastores this can quickly become a pain.
I’ve seen a lot of talk lately about VMware’s Transparent Page Sharing (TPS) and how it is affected by ASLR in Windows 2008/Windows 7. I wanted to see if there was any real measurable reduction in shared memory when using ASLR vs. when it was disabled. First, let’s talk about what TPS and ASLR actually are and what the acronyms mean.
With the release of VMware vSphere 4, VMware has released a very powerful management tool called Fault Tolerance (FT). At a basic level, FT allows you to keep two virtual machines (a Primary VM and a Secondary VM) running in lockstep on two different physical ESX hosts. If one of the ESX hosts were to experience a hardware failure, the VM protected with FT would remain running on the second host without any downtime. This can greatly reduce downtime due to hardware failures and provide increased service levels for important applications.
FT is often compared to Microsoft Windows Failover Clusters, formerly Microsoft Cluster Server (MSCS), and in fact many have talked about how FT can replace Microsoft clustering altogether. Rather than jump to conclusions like this, it is important to understand the use cases for both technologies. In addition, there are several limitations to FT that need to be considered. Here are some important points to remember about FT:
In a previous post, I discussed how to expand virtual machine boot volumes with no downtime using Dell’s ExtPart utility. Using this method is useful if you are using Windows Server 2000/2003, but is no longer required when using Windows 2008. With Windows 2008 becoming the preferred server operating system going forward, using the method described below will become more and more common.
Microsoft has made it possible to expand boot volumes easily and on the fly, with no downtime and no additional tools. In this example, we’ll expand the C: drive of a Windows 2008 virtual machine from 25GB to 30GB.
1. Expand the size of the virtual disk.
2. Launch Disk Management by right clicking on My Computer, selecting Manage, and then selecting Storage\Disk Management. If you do not see the unallocated space, right click on Disk Management and select “Rescan Disks.”
Installing the VMware Tools package inside a VMware virtual machine improves overall performance and allows the use of advanced features and faster virtual hardware drivers. The installation package also installs a tray icon that controls guest access to virtual hardware, time synchronization, etc. Since most virtual machines are servers and end users don’t typically access the console of a server, worries about the security implications of leaving that tray application running have been fairly minimal. However, as firms move towards solutions like virtualized XenApp servers or virtual desktops, this becomes more of a concern.
Removing administrator access from end users is unfortunately not enough. For example, a user can open the VMware Tools tray icon, select the Devices tab, uncheck “NIC1” and click Apply. What happens? You guessed it – the virtual NIC is disconnected and the user loses connection. That’s bad in a virtual desktop environment, since it will orphan the desktop and likely require a connection broker like XenDesktop to create another desktop, but it is even worse on a XenApp server, where the user potentially just disconnected dozens of other users as well.
This, and several other things found in the VMware Tools, can be dangerous to leave available to an end user even if they have no rights to the server itself. To get around this, there are two approaches that make sense:
1) Remove access to the VMware Tools for end users.
2) Modify the VMX configuration file to prevent these actions.
I prefer the second method since it allows for more granular control over security, though if you’re interested in option one then you can read VMware’s KB article on the subject. In order to prevent this at the VMX (virtual machine configuration file) level, simply add the following lines to the virtual machine(s) that you wish to protect (after powering it down):
isolation.device.connectable.disable = "true"
isolation.device.edit.disable = "true"
Adding one of these values to the VMX file via PowerShell and PowerCLI would look something like this:
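# Get the vSphere API view of the VM (replace NameofVM with the VM's name)
$vm = Get-View (Get-VM NameofVM).ID
# Build a reconfiguration spec that carries one extra VMX option
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key="isolation.device.connectable.disable"
$vmConfigSpec.extraconfig[0].Value="true"
# Apply the change to the VM
$vm.ReconfigVM($vmConfigSpec)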
There are many other security parameters that can be set in the VMX file that are covered in VMware’s Security Hardening document (PDF). The document covers this and many other common security best practices for virtual machines. As always, test any change you make (especially the script above) before putting anything into production.
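As an added example (not from the original post or from VMware), the Python check below reads VMX text and reports whether the two isolation options above are present and set to true. The function names and the sample VMX content are constructed for illustration; the check also flags values wrapped in typographic quotes, which is how lines copied from a web page often arrive.

```python
import re

# The two VMX options named in the post; each must be present and true.
REQUIRED = (
    "isolation.device.connectable.disable",
    "isolation.device.edit.disable",
)
# Typographic quotes as they appear when a web page renders "true".
SMART_QUOTES = "\u201c\u201d\u2033"
# A VMX entry is one `key = "value"` pair per line.
ENTRY = re.compile(r"^\s*([\w.:-]+)\s*=\s*(.*?)\s*$")


def parse_vmx(text):
    """Return {key: raw value text} for every key = value line."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def audit_vmx(text):
    """Map each required option to ok, missing, wrong-value or smart-quotes."""
    entries = parse_vmx(text)
    report = {}
    for key in REQUIRED:
        raw = entries.get(key)
        if raw is None:
            report[key] = "missing"
        elif any(ch in raw for ch in SMART_QUOTES):
            report[key] = "smart-quotes"  # pasted text, not ASCII quotes
        elif raw.strip('"').lower() == "true":  # VMX booleans appear as TRUE or true
            report[key] = "ok"
        else:
            report[key] = "wrong-value"
    return report


# Constructed sample: a VMX fragment with one pasted line and one wrong value.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "xenapp01"
isolation.device.connectable.disable = \u201ctrue\u201d
isolation.device.edit.disable = "false"
"""

if __name__ == "__main__":
    for option, status in audit_vmx(SAMPLE_VMX).items():
        print(f"{option}: {status}")
```

Run it against a copy of each VM's .vmx file after the change; any status other than ok means the option should be re-entered with plain ASCII quotes and the value true.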
Microsoft has made a very interesting virtualization play this week by submitting source code for the Linux kernel. This will allow Linux guests to run on the maturing Windows 2008 hypervisor, Microsoft Hyper-V. This is an unexpected move from Microsoft to publicly release source code and an indicator of their appetite to compete with VMware’s dominant market share.
Microsoft stuns Linux world, submits source code for kernel
In an historic move, Microsoft Monday submitted driver source code for inclusion in the Linux kernel under a GPLv2 license. The code consists of four drivers that are part of a technology called Linux Device Driver for Virtualization.
Microsoft Linux Move Puts Pressure on VMware
Microsoft’s historic embrace of Linux technology could have wide-reaching impacts on the virtualization market and Microsoft’s rival VMware.
By allowing greater ability to run Linux on the Hyper-V virtualization platform, Microsoft is making a compelling case that it could be the virtualization vendor of choice for consolidation of Windows and Linux applications, says Gartner analyst George Weiss.
Microsoft has done a nice job of late regarding supporting their operating systems and applications when they are run in a virtual machine. First they created the Server Virtualization Validation Program to validate their software running on hypervisors from various vendors, including their own Hyper-V. They’ve taken the SVVP one step further by adding a new tool called the Support Policy Wizard that makes it fast and simple to verify Microsoft support. It can be found at the following link:
http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvpwizard.htm
This tool makes it easy to select a specific configuration, including operating system, hypervisor, and Microsoft application, and then verify it against the SVVP to ensure Microsoft supportability. It also lists any specific application features that are or are not supported. Validating your configuration against Microsoft’s Support Policy Wizard is an important step, especially when virtualizing mission critical applications like Exchange or SQL.
Try the wizard and see the results for yourself. I tried it myself and the results are below. I selected Exchange Server 2007 SP1 running on vSphere 4 with Windows Server 2008 x64 and received the following supportability statement back:
Summary Support Statement*
This configuration is Supported.
* Customers with Premier-level support agreements should contact their account manager for more information
* Additional information is available in the “Support policy for Microsoft software running in non-Microsoft hardware virtualization software” which can be viewed here
Support Statement Details
Product: Exchange Server 2007 Service Pack 1 on VMware vSphere with Windows Server 2008 (x64) Guest OS
Search the Knowledge Base for information related to this configuration
For Exchange Service 2007 Pack 1 and later, see here for specific configuration information. Note: The Exchange Server guest virtual machine must be deployed on the Windows Server 2008 operating system.
Specific third-party virtualization information is available at here
To get support on the virtualization solution, the customer also needs to have a support agreement with the third party vendor.
Supported features: Anti-Virus, Back-up Software, Virtual Machine Management Software, Cluster Continuous Replication (CCR), Virtual Processors
Unsupported features: Unified Messaging, Dynamically Expanding Virtual Disks, Virtual disks that use differencing or delta mechanisms, Hyper-V Quick Migration combined with Exchange Clustering, Virtual Machine Snap Shots
Discovering that your ESX hosts have been unknowingly creating open snapshots can be an alarming, not to mention dangerous, event.
Third party storage and backup vendors frequently call the vCenter API to issue a snapshot creation of running virtual machines before they grab a copy of the virtual machine’s hard disk – VMDK files – which are located on the VMware VMFS datastore. This process is typically followed by an immediate deletion of the snapshot file which will merge the changes back into the initial VMDK file. Problems can occur when this process does not complete successfully leaving you with an “open” snapshot. This problem is compounded when it occurs multiple times against the same guest.
Each open snapshot can significantly degrade virtual machine performance and also contribute to poor storage utilization. Unless you monitor each of your virtual machines on a daily basis, you could quickly be left with an uncomfortable situation on your hands.