Planet VMware

The beta release of VMware Studio 2.0 and using it to create vApps was the topic of this week's podcast. Studio 1.0 came out last year; this beta moves the bar significantly. We also got into why you as a VMware admin should care about vApps - without being too hyperbolic I think it's going to be the organizing paradigm that will change how we think of applications -- from a VM level to something much higher-level and more manageable. Going back to Studio, here's the high-level description:

VMware Studio 2.0 helps configure, build, deploy, customize and maintain vApps and virtual appliances. These solution stacks can be deployed on VMware vSphere 4.0 or in the cloud and can be managed from the VMware Studio web console or from VMware vCenter Server. In this webinar, software vendors, application developers and IT administrators will get an overview of vApps and virtual appliances followed by what's new in Studio 2.0. We will walk you through the entire build process by starting with an application created in Eclipse (via the Eclipse plug-in in Studio) and demonstrating how it can be packaged as either a vApp or virtual appliance in OVF format. The process will also reveal various automated tools available, for creating a clean out-of-box experience, such as specifying exact OS requirements, building an update repository, adding custom management services and adding existing VM builds as input.

As always, listen in via the widget to the right, the mp3, or via iTunes.

More links:

• VMware Studio 2.0 beta page
• VMware Studio 2.0 webinar recorded for your on-demand viewing pleasure from our VMware Coffee Talk Series  with more details and slides
• vApp Developers Blog <-- brand new! We'll be covering vApps, OVF, Studio, and topics related to building and using virtual appliances here. They are already off to a great start -- check out the opening post complete with very nice video of the vSphere OVF deployment wizard in action; and the second post talking about working with OVF from the command line.

Non-Studio topics we discussed:

• VMworld Technology Exchange Developer Day: announcement, more details, registration is open
• Virtualization Security Podcast with Special Guests Karen Hepner and Steve Beaver from vWire, Scott Lowe and Chris Wolf.
• Dave Convery: Dear VMware: Pick a Common (SUPPORTED) Virtual Appliance OS... Please...

A few of the podcast attendees have already weighed in with their reactions - mostly about the significance of using vApps in the enterprise. I wasn't kidding when I used the word 'paradigm' above.

Stu from vinternals.com, who is known to tell it like it is, liked it, he really liked it.

Rich Brambley:  VMware Studio 2.0 and OVF Exports: Blurred Products or Outside The Box Thinking? | VM /ETC.

I’ll outline potential Studio / OVF usage that may be “outside of the box” from the VMware software’s intended purpose. Or is it? You tell me.

vCenter / Deploy from template

The ability to export any VM as an OVF from the VI Client by itself, let alone VMware Studio, opens the door for template deployment in environments without vCenter. Build a VM to desired corporate standards and then export a copy of it to a shared network drive where it can be used as a master image for future deployments on any virtual platform that supports OVF.

With VMware Studio build a multiple VM apllication as a vApp. Configure the web server and the database for example, and before adding any data export the combination as an OVF. Deploy the vApp OVF as a master template as needed.

Sure, vCenter offers so much more automation for this process, but what about for deployment between ESX hosts that are not managed by the same vCenter or don’t share the same storage? ...

Daniel Eason: Virtually Insane?: The Virtual Glue.

By deploying turnkey Virtual Appliances with for example a new SAP ERP Landscape on 10-20 Machines in a period of say 2-3 days rather than 2-3 Machines in 10-20 days clearly shows that current long deployment processes are redced and less people need to be involved on a deployment when using Virtual Appliances alongside side orchestration and groupings such as vApp. The problem however with this is you get people protective on roles and the oldage turf war developing so it is not something that can be just implemented straight away. ...

vApps functionality in vSphere enables organisations to reduce even more manual and people process. It enables you to compile the complete application stack and configure all associated components by one single master definition. Tie this in with some VMware orchestration capability where you could say deploy via API the Database components as part of the VM build and provision the relevant Networking components and it is clear the potential is going to be huge.

For the Canadians hiding among us, happy belated Canada Day. For the USians, happy Fourth. For the rest of the world, keep on working and we'll see you next week.

Today we published what someone here termed the Grand-daddy of all KB's for Timekeeping issues with Linux guests. This is a frequently discussed topic in our forums and in the blogosphere in general, and the new KB is meant to guide you to the earliest resolution possible for any issues with clock speed in your Linux VMs.

Troubleshooting timekeeping issues in Linux guest operating systems (1011771)

Rumor has it that another, similar KB, about timekeeping issues in Windows guests is in the works.  Keep an eye on this space…

Here are our top 20 most used articles for the month of June.

This paper tackles the subject of DMZ security and virtualization. It covers a number of DMZ security requirements and scenarios, presenting how vSphere users can implement the Cisco Nexus 1000V virtual switch in a DMZ.

In the previous blog post, I showed how to deploy a multi-tiered OVF package using the Deploy OVF Template Wizard in the vSphere Client. The interactive workflow provided by the vSphere Client is hard to beat in terms of ease of use and simplicity. However, the graphical user interface also has it drawbacks. In particular, it can be fairly cumbersome to use if you have a large set of similar OVFs that needs to be deployed, or you want to automate a deployment. In those cases, a command-line utility is often preferred. Well, we have exactly the solution for that: OVF Tool 1.0.

OVF Tool provides a slew of different features, such as converting between OVF and .vmx formats and import/export of OVF 1.0 to vSphere 4.0, VirtualCenter 2.5/ESX 3.5 and earlier releases.

In the following I will show how to deploy the SugarCRM solution from the command-line and get exactly the same result as I got from the vSphere Client last week.

First, I probe the SugarCRM.ova to figure out what it contains and particular what parameters can be customized.

f:\>ovftool --hideEula http://aar-ovfrepo/ovf/SugarCRM.ova
Opening OVA source: http://aar-ovfrepo/ovf/SugarCRM.ova
OVF version:   1.0
Name:          SugarCRM
Version:       4.5.1e
Full Version:  4.5.1e-build 131
Vendor:        SugarCRM Inc
Product URL:   http://www.sugarcrm.com/crm/products/crm-products.html
Vendor URL:    http://www.sugarcrm.com/crm/

Annotation:  The sweet way to manage customer relationships.

End-user License Agreements:
  Present:     Yes (1)

Download Size:   764.49 MB

Deployment Sizes:
  Flat disks:     20.00 GB
  Sparse disks:    1.55 GB

Networks:
  Name:        Network
  Description: The network that the SugarCRM application will be available on

Virtual Hardware:
  Family:       vmx-04
  Disk Types:   SCSI-lsilogic

Properties:
  Key:         emailAdmin
  Category:    Application
  Label:       Administrator Email Address
  Type:        string
  Description: Enter email address for administrator. This is displayed on the help page.

  Key:         theme
  Category:    Application
  Label:       Theme
  Type:        string["Sugar", "RipCurl", "Retro", "Paradise", "Love",
               "Sunset"]
  Description: Select the default color/graphic scheme

  Key:         concurrentSessions
  Category:    Performance
  Label:       Concurrent Sessions
  Type:        int(10..1000)
  Description: The maximum allowed concurrent sessions.

  Key:         dbIp
  Category:    Network
  Label:       Database instance IP address
  Type:        ip:Network
  Description: IP address for the database instance (in dot-notation).

  Key:         webIp
  Category:    Network
  Label:       SugarCRM IP Address
  Type:        ip:Network
  Description: IP address on the SugarCRM application server. The service is made accessible at this IP address.

Deployment Options:
  Id:          small
  Label:       Evaluation
  Description: Use this configuration for evaluation purposes only. The number of CPUs required and amount of memory used is minimized, making it possible to run the system on a desktop system.

  Id:          medium
  Label:       Production
  Description: Standard settings for a typical product environment. This deployment option is suitable for a SMB production environment with less than 500 users.

  Id:          large
  Label:       Enterprise
  Description: Settings for large enterprise production environments. This deployment option is suitable for a large enterprise production environment with more than 500 users.

IP Allocation Policy:
  Schemes:     ovfenv dhcp
  Protocols:   IPv4

Completed successfully

By examining this output, I can gather the same information as was shown in the vSphere Client, such as product information, download sizes, end-user license agreements, deployment options, properties that can be customized, and supported IP policy schemes.

The next step is to deploy this to my vSphere 4.0 server. OVF Tool provides a handy pseudo-interactive mode for probing the vSphere inventory, so I do not have to open the vSphere client to look up the inventory organization or names of networks and datastores. To get started, I simply try and deploy it:

f:\>ovftool http://aar-ovfrepo/ovf/SugarCRM.ova vi://aar-dev-cluster-vc1
Opening OVA source: http://aar-ovfrepo/ovf/SugarCRM.ova
Please enter login information for target vi://aar-dev-cluster-vc1/
Username: VMWAREM\renes
Password: *********
Error: Found wrong kind of object (Folder)
Possible completions are:   
  aar-dev-datacenter/
  Jan's Test Datacenter/   

Ok, so the first completion is: vi://aar-dev-cluster-vc1/aar-dev-datacenter/. After a few more iterations, I get to this:

f:\>ovftool --acceptAllEulas http://aar-ovfrepo/ovf/SugarCRM.ova vi://VMWAREM%5Crenes@aar-dev-cluster-vc1/aar-dev-datacenter/host/Cluster/Resources/DemoPool
Opening OVA source: http://aar-ovfrepo/ovf/SugarCRM.ova
Please enter login information for target vi://aar-dev-cluster-vc1/
Username: VMWAREM\renes
Password: *********
Opening VI target: vi://VMWAREM\renes@aar-dev-cluster-vc1/aar-dev-datacenter/host/Cluster
Error: No target datastore specified
Datastores found on target:
  Cluster VMFS
  Storage1

It now provides completions for datastores. Simlilarly, OVF Tool will provide completions for networks (if there are multiple choices). The final command to deploy, customize, and power-on the SugarCRM OVF package is:

f:\>ovftool "--datastore=Cluster VMFS"
            "--network=VM Network"
            --acceptAllEulas
            -ipAllocationPolicy=transient
            --prop:emailAdmin=admin@vmware.com
            --prop:theme=Retro
            --powerOn
            http://aar-ovfrepo/ovf/SugarCRM.ova
            vi://VMWAREM%5Crenes@aar-dev-cluster-vc1/aar-dev-datacenter/host/Cluster/Resources/DemoPool
Opening OVA source: http://aar-ovfrepo/ovf/SugarCRM.ova
Please enter login information for target vi://aar-dev-cluster-vc1/
Username: VMWAREM\renes
Password: *********
Opening VI target: vi://VMWAREM\renes@aar-dev-cluster-vc1/aar-dev-datacenter/host/Cluster/Resources/DemoPool
Target: vi://aar-dev-cluster-vc1/aar-dev-datacenter/host/Cluster/Resources/DemoPool
Disk Transfer Completed
Powering on vApp: SugarCRM
Completed successfully

Voila! (Standard disclaimer: I inserted a few line breaks to make it more readable. How to escape spaces in parameters varies whether you are on Linux or Windows).

This was just a very quick preview of the features of OVF Tool. Consult the documentation for more examples, and download the tool today to try it out for yourself. Next time, I will dive into the internal structure of the SugarCRM OVF package.

There’s been a lot of PowerCLI-related stuff going on lately that’s worth checking out.

vProfiles and more.

Monsieur Alan Renouf has been hard at work lately and had turned out some really amazing stuff. The first is what he calls vProfiles. From the looks of it, vProfiles is still in a fairly early stage, but right now it is able to duplicate virtual switch and portgroup information between two ESX hosts via a graphical interface. Alan also posted a video showing the script in action.

vProfiles from Alan Renouf on Vimeo.

This looks really exciting and Alan is looking to improve its functionality over time to include more than just networking. Chances are it’s also very easy to extend this to apply a configuration to an entire cluster rather than just a single host, and I think we’ll see that ability pop up in the near future.

Another really cool script Alan wrote recently was SnapReminder. SnapReminder will automatically generate an email nag to anyone who has left a snapshot sitting around too long. The most notable thing about SnapMinder in my opinion is that it blends together information from VMware vSphere and Active Directory in a completely seamless way. As if that weren’t enough there are some other great scripts Alan wrote between these two that are also worth checking out.

vWire.

vWire is a new product from the people who brought us Tripwire (some of us feel old when we think about the first time we used Tripwire.) Anyway, the vWire team has taken some of this knowhow and have produced a tool to monitor and analyze your VMware environment, and keep it running smoothly.

vWire has some videos that can help you get started, particularly their getting started video. vWire also offers some really powerful, SQL-based searching capabilities. You may be wondering what this has to do with PowerCLI, but vWire supports script actions, which let you run PowerCLI scripts to do things like display log files or change ESX host configuration. You can see all their content in their content library.

vWire lists for $295 per CPU + Support, and if you’ve got more than a very basic Virtual Infrastructure vWire might a great addition to your portfolio of management tools.

Lastly, but not leastly, PowerWF Studio.

I blogged about PowerWF Studio a while back on the VMware VIX blog, but since then they have also released support for PowerCLI. PowerWF Studio is a graphical workflow builder built on Windows Workflow Foundation

There are a lot of great PowerWF videos on YouTube but one of the best ones right now shows you you can take a PowerShell script you have already written and embed it in a workflow. If you’ve ever visited our communities, or read PowerCLI blogs you know that there are hundreds of really useful scripts out there that solve myriads of problems. With PowerWF it’s now easy to embed these in workflows.

As PowerWF continues to add more actions and adds the ability to talk to more and more software products it should be a tool worth watching.

VMotion, the VMware feature that enables live VM migration between ESX hosts is one of the major attractions of vSphere and before that, VMware Infrastructure (or VI for short). It’s simply quite amazing to watch a VM continue operation and maintain sessions while moving from one host to another.

As cool as this is, we’re often asked, “How do we take that one step further, and perform VMotion between datacenters?” This, of course, is a non-trivial thing to do.  There is the challenge of moving a VM over distance (which involves some degree of additional latency) without dropping sessions. To maintain sessions with existing technologies means stretching the L2 domain between the sites--not pretty from a network architecture standpoint. And then there is the storage piece. If you move the VM, it has to remotely access its disk in the other site until a Storage VMotion occurs.

Last year, Cisco and VMware began the task of trying to solve these long distance VMotion issues with the target of seamlessly migrating a VM between two datacenters separated by a reasonable distance. The joint Cisco/VMware lab in San Jose has run number of tests over varying distances (simulated with reels of optic fiber) as a proof of concept. We will demonstrate this proof of concept at Cisco Live this week in San Francisco. The demo as it stands incorporates a distance of 80km (50 miles). That’s around 400us latency each way over fiber or a round trip just under 1ms.

This proof of concept is aimed at the following requirements:

1. Load balance compute power over multiple sites: Migrate VMs between datacenters to “follow the sun”  or to simply load balance over multiple sites. Enterprises with multiple sites can also conserve power and cooling by dynamically consolidating VMs to fewer datacenters (automated by VMware Dynamic Power Management (DPM))—another enabler for the Green datacenter of the future.
2. Avoid downtime during DC maintenance: applications on a server or datacenter infrastructure requiring maintenance can be migrated offsite without downtime.
3. Disaster Avoidance: Data centers in the path of natural calamities (e.g. hurricanes) can proactively migrate the mission critical application environment over to another data center.

Use cases #2 and #3 above also require a Storage VMotion to move the disk image to the alternative datacenter.

Remember, this is a proof of concept, so we still have work to do in multiple areas. e.g. the storage VMotion for disaster avoidance and so on.

See and hear about it at Cisco Live this week…

Cisco Live is on this week in San Francisco. We will feature briefings in the VMware theatre (booth #531 …adjacent to the big Cisco booth). Refer to the theatre schedule posted at the VMware booth for session times. (of course, you can just come and ask us about it anytime)

See an update at VMworld in San Francisco—August 2009

We will demonstrate this again at VMworld (http://www.vmworld2009.com/) in San Francisco in August where we will also hold a technical breakout session on VMotion between datacenters. This will cover the proof on concept, test results, and reveal a little more of our plans to solve some of the remaining issues. Look for this session in the Technology and Architecture track.   

It was a good week again. Some awesome blog posts of which the following five were my favorites. It seems like it is getting harder to create a top 5 every week. I picked technical and non-technical articles this week. Enjoy,

• Maish Saidel-Keesing - ESX 4.0 running a vSphere Lab - part 1 & 2
  I have a dedicated Blade server for this purpose, and IBM HS21 E542 CPU (Quad) with 2GB of RAM and 150GB HD. Now you might say - and rightfully so - what can you do with only 2gb of RAM?? Well nothing really - that is why I have upped the RAM on the server to 8GB so I can get some testing done. So since this is going to be a test bed for my full migration for the production system, I wanted to get it as close as possible to what my production system will be like.
• Steve Chambers - Stabilizing vSphere
  Gene Kim said once that “virtualization amplifies bad practice”, and this has been seen commonly out there (just today I saw, on Twitter, that a customer changed their SRM password – no change process – and killed their DR environment). Virtual server sprawl, eggs in one basket: there are many examples why if you are bad at IT, you’re going to be really bad at virtualization.
• Rodney Haywood - Attend VMworld 2009
  This morning on the VMTN podcast John Troyer stated it was time for some blogs post in the community on why go to VMworld. Hey, count me in. I do feel that I am qualified to comment here. I am a VMworld Alumni, having attended the last 3 years. For two years it was funded by my employer (thanks guys). One year, because I was in the period of transition between two employers, my wife paid, serious. Don’t forget, I live in Australia so it’ not an inexpensive exercise. I have lived through and succeeded in the task of negotiating with my wife as to why I should invest in taking an overseas trip just to attend VMworld.
• Duncan Epping - VMFS/LUN size?
  A question that pops up on the VMTN Community once every day is what size VMFS datastore should I create? The answer always varies,  one says “500Gb” the other says “1TB”. Now the real answer should be, it depends.
• Scott Lowe - New User’s Guide to Configuring VMware ESX Networking via CLI
  A lot of the content on this site is oriented toward VMware ESX/ESXi users who have a pretty fair amount of experience. As I was working with some customers today, though, I realized that there really isn’t much content on this site for new users. That’s about to change. As the first in a series of posts, here’s some new user information on creating vSwitches and port groups in VMware ESX using the command-line interface (CLI).

Although VMware Studio 2.0 Beta was originally scheduled to be released on Monday the VMware Studio team worked very hard and managed to release it yesterday.

We are pleased to announce that the beta version of VMware Studio 2.0 has been released and is available for download. We look forward to receiving your feedback - issues, feature requests, suggestions for improvement - through the Discussions forum in the VMware Studio 2.0 Beta Program Community.

If you already have a Store account on VMware.com, register for the beta directly.

If you do not have a Store account, please create an account AND join the beta. The VMware Team

Besides several fixes multiple new features have been added:

• Windows Support (32 bit and 64 bit) 2003 & 2008 Server
• Create multi-VM vApp and multi-VM VA
• 64 bit support for SLES 10.2, RHEL 5.2 & 5.3, CentOS 5.2 & 5.3
• Extensible in-guest Management Framework
• OVF 1.0 support
• Eclipse Plugin
• Enable ESX, ESXi, VC, Server 2.0 and Workstation as provisioning engine
• Automatic Dependency Resolution (Static)
• Publish OVF to VC
• Infrastructure enhancements – GUI and Builds
• Studio-created VM as Input

• If you already have a Store account on VMware.com, register for the beta directly.
• If you do not have a Store account, please create an account AND join the beta.

First off, thanks to the scripting community for spreading the word around about CodeCentral.
There is a lot more visibility for this site now and from this point CodeCentral could be used as an effective tool for the community to share scripts since it's, that's right, "Visible".

Talking about Visibility, I have done some research on how to make scripts visible themselves. I also uploaded a document somewhere in CodeCentral about script posting guidelines, and I thought I would put it up on the main page too. Then it occurred to me that I should get communities advise on this topic. Before I ask you community virtual beings, I wanted to share my opinion on guidelines.

In my opinion the following attributes to a sample code makes it visible and user friendly:

• A Descriptive name to sample script/code
• Note on what task your script/code is performing
• Relevant tags for searching
• A screen shot of your script's trail run
• A well documented script/code
• Additional links(resources, related sample codes, etc)

A Descriptive name

I'm not going to dwell on this since the importance of this is known to all you programmers out there. But to beat the dead horse, here's the link

Relevant Tags

I want to emphasize on the usage of tags because it is critical to my routine stand up on "visibility". A script/code's visibility is enhanced and in some case the only source of visibility comes by using proper, relevant and multiple unique tags.

To make my point more clearer, I am using a previously posted script as an example. The below script has more tags attached that one of the CodeCentral's suggested tag, i.e., "storage".

Then I did a google search for this script

Tada!, the first result is the relevant script.

Coming up with tags is no art, they come out of your code's task. Usage of default tags suggested in addition will help organize the content better. So this will give the ability to click on the relevant tags and get relevant results in the search which is shown below:

A screen shot of your script's trail run

William Lam pointed out that most of the scripts at CodeCentral do not have a sample run attached with them. I think it's a valid point because for a person like me who is new to visualization scripting, it would be very helpful to know what I'm supposed to expect after I start running a script. I urge the community to attach sample on run on content you are going to be posting. 

I'm not going to talk too much about well documented code and additional links. Most coders in this community post documented code which is understandable hence no point in wasting your time about it. As far additional links go, they are optional and it would certainly help for someone lagging prerequisites in understanding a script to post links to VMware documentation or community blogging sites explaining the same concept. 

With that I will close my opinions and now I'm open for your views on what you should be the guidelines for posting scripts. You may comment here or email me about it. I will also put up a suggestions box on CodeCentral soon. Stay tuned for more to come! Thanks

    VMware recently published a whitepaper titled “Performance and Scalability of Microsoft SQL Server on VMware vSphere 4“ that demonstrates VMware vSphere 4.0 can virtualize large SQL Server deployments with excellent performance and scalability. The paper documents results for a resource intensive OLTP workload running against a SQL Server 2008 database on the Windows Server 2008 operating platform and highlights single-VM as well as multi-VM performance.

• In an 8vCPU virtual machine, we achieve OLTP throughput that is 86% of physical machine performance 
• In consolidation experiments with multiple 2-vCPU virtual machines, aggregate throughput scales linearly until physical CPUs are saturated 

Single-VM Performance Relative to Native 

    The table below summarizes the performance relative to the physical machine as we scale-up the vCPUs in a VM running our workload.

Yesterday someone took the liberty of upgrading one of my ESX servers that I use to run a virtual vSphere lab. Fortunately he was kind enough to preserve all of the VMs, and they were restored and re-registered after the upgrade.

There was one detail that he didn’t notice, which was that my virtual vSphere lab VMs were all connected to an internal network called “Internal”. When I got in today my lab didn’t work at all because there was no networking between vCenter and the ESX hosts or their shared storage. The network cards all said they were attached to the “Internal” network, but there was no Internal network! Fortunately this was pretty easy to fix with PowerCLI.

First, let’s look at a script that will identify any VM that is connected to a non-existent network:

# Search for VMs that are connected to a non-existent portgroup.

$pgNames = Get-VirtualPortGroup | Foreach { $_.Name }

Get-VM | Where { $_ | Get-NetworkAdapter | Where { $pgNames -notcontains $_.NetworkName } }

This code starts by getting a list of all portgroup names. Then it goes through all VMs and identifies any VM that has at least one network adapter connected to a non-existent portgroup. Note that this assumes we are connected directly to ESX. If you need to use something like this against vCenter you should do it on a host-by-host basis. Anyway, when I ran it here was the result:

These are all the VMs of my virtual lab. Now let’s go about fixing the problem. First, creating the Internal virtual switch and portgroup are pretty easy:

# Create the missing switch and portgroup.

New-VirtualSwitch -Name Internal

Get-VirtualSwitch -Name Internal | New-VirtualPortGroup -Name Internal

Now the portgroup exists but there is one last problem: the VMs are not actually connected to the portgroup. Again, pretty easy to fix.

# The guests that were powered on will still be disconnected, so connect them.

Get-VM | Get-NetworkAdapter | Where { $_.NetworkName -eq "Internal" } |

  Set-NetworkAdapter -Connected:$true -Confirm:$false

With that, everything is back to normal.

Neal Mueller and Pierre Ettori over at Cisco have published a few short tutorial style videos on the Nexus 1000V. You can get to kick the tires for 60 days without it costing you a cent. The videos to look at are:

1. How to install an (60-day) evaluation license for Nexus 1000V—this covers getting an eval copy of vSphere 4, Nexus 1000V, a 60-day license and installing it all.
   Note: go to our co-branded vSphere site to get your vSphere eval.
2. Detailed Feature Demo of Nexus 1000V—Pierre takes you through a 20-minute demo of the major Nexus 1000V features and shows the tight coupling with vCenter Server

For someone not too familiar with Windows volumes and devices, vixMntapi is not the easiest API to use. I will try and walk through a few basic steps here - hopefully it will clarify a few things:

The motivation behind VixMntapi is simple, you have a virtual disk, and you want to know which files are inside this disk. You may want to take a backup, check for virus, whatever.

So, at the bare minimum, you want to provide VixMntapi a virtual disk and you get a drive letter corresponding to that disk - somewhat like pushing a USB stick into your computer.

OK, that may lead you to expect something like VixMntapi_Mount(diskname) which returns say a drive letter. However, things are not that simple because a disk can have multiple partitions (and volumes) and a volume can span multiple disks.

To handle such cases, VixMntapi has a concept of a diskset which is just a collection of disks. This is a way to associate many disks (all backing the same volume for example). You call VixMntapi_OpenDisks, providing a number of disks and you will get back a handle that represents the diskset.

As part of opening diskset, VixMntapi walks through the partition tables of all the disks and collects all the volumes (including logical). VixMntapi can also look at the LDM disk database and figure out the details of dynamic volumes if any.

You can get details of these volumes by calling VixMntapi_GetVolumeHandles and querying for volume information on each of these handles using VixMntapi_GetVolumeInformation (Don't forget to call the corresponding free functions.)

So far, the procedure did not involve any operating system component. This is possible because VixMntapi has code to parse the partition details as well as the LDM databases. In other words, these 'volume objects' of VixMntapi are strictly known only to the VixMntapi and not to the OS.

But just having volume information is not that useful, you want to read files from this volume. And for this you need to mount the volume - or somehow make these volumes known to ths OS. To do this, you call VixMntapi_MountVolume. VixMntapi then creates a Windows device object representing this volume. To do this, VixMntapi needs the services of a kernel mode driver (which is part of VDDK and is installed when you install VDDK).  This is roughly the equivalent to plugging in a USB stick into your computer. A new volume appears.

From now on, various Windows storage stack components come into play, finally resulting in a volume that is exposed to user mode programs. If this volume is formatted with a file system, the file system driver will take ownership of the volume, if not the volume is simply a raw stream of bytes.

Since there are only a limited number of drive letters, VixMntapi does not map the volume to a drive letter. Instead, it gives the volume device object a name that can be accessed from the application. This is what you see as symbolic link in the Volume Information structure. (As the name shows, this is not the real volume name but an alias - the details are not that important).

Once you extract the symbolic link, you can for example use a function like DefineDosDevice to map the volume to a drive letter. Or you can simply use CreateFile to start reading from the volume. The following snippet is mounting a system volume and reading the file boot.ini in the root directory.

....
VixMntapi_MountVolume(volHandle, TRUE);
VixMntapi_GetVolumeInfo(volHandle, &volInfo);
string filePath = volInfo->symbolicLink + "boot.ini";
handle = CreateFile(filePath.c_str(), ....);
ReadFile(handle, ...)
....

The Take Control of VMware Fusion 2 blog series is back! This week, we are going to talk about finding a missing mouse pointer. If you are new to the series, the ebook Take Control of VMware Fusion 2 by Joe Kissell, teaches you all the fundamentals of VMware Fusion 2, as well as tips and tricks to get the most out of running Windows on your Mac.

Here is this week's excerpt from Joe Kissell's new book Take Control of VMware Fusion 2:

To learn more about the book Take Control of VMware Fusion 2, or buy it, click here.

The vSphere 4.0 release provides full support for the OVF 1.0 specification. This is a major upgrade compared to the OVF features that existed in VirtualCenter 2.5 and ESX 3.5, which were based on the preliminary OVF 0.9 specification and only included import and export of single VMs. The new features include:

• vApps – managing multi-tiered applications as a first-class entities in vCenter
• A data-driven OVF Deployment Wizard to greatly simplify installation and configuration of complex software.
• Customizable URL links in the VMware vSphere client and automatic IP allocation.
• Optimized packaging– you can distribute your packages as a single file and use delta-disk hierarchies to reduce download size.

This is quite a lot of stuff to cover in a single blog entry, so I am not even going to try. Instead, I have included a video showing the data-driven OVF deployment wizard in action. It shows how a vSphere user deploys, customizes and gets a complex multi-tiered CRM system up and running in a few simple clicks and without ever have to interact with a VM console at all. The CRM system OVF package has been optimized to take advantage of the new OVF features in vSphere 4.0, including application-level customization, automatic IP assignments, delta-disk compression, deployment-time configurations, and vSphere Client URL integration. In this blog, we will follow up with a series of articles that describes these features in details and how they can be used in practice. Fortunately, it turns out that most of them are really straight-forward to use (and require none to very little guest modification :).

We are pleased to announce our latest maintenance release of VMware Fusion 2. VMware Fusion 2.0.5 is a free update for all VMware Fusion 1.x and VMware Fusion 2.x users. You can download the bits here.

VMware Fusion 2.0.5 fixes over 80 bugs and comes with the following enhancements:

Snow Leopard Host!

For you adventurous types who run Apple's latest Mac OS X 10.6 Snow Leopard seed on your Mac, VMware Fusion 2.0.5 runs on your machines. Only 32-bit kernel is supported at this time. And because Snow Leopard is a pre-release operating system, VMware Fusion's Snow Leopard support is currently experimental.

Better Mac OS X Guest Support

We provided experimental support for Mac OS X 10.6 Server (Snow Leopard) as a guest operating system starting in VMware Fusion 2.0.3, and in 2.0.5, this support is extended to include the latest Snow Leopard seed (32-bit kernel only). We also worked with Apple to fix an issue with installing Snow Leopard guest on Macs with the powerful Intel Nehalem processors. Both Mac OS X 10.5 and 10.6 run well in virtual machines on Mac Pros and Xserves with Nehalem processors.

Ubuntu 9.04 "Jaunty Jackalope" Support

Of course, we have not forgotten those of you Linux fans. VMware Fusion 2.0.5 supports Ubuntu 9.04 as a guest operating system out of box, with pre-built modules and Easy Install. You no longer have to apply tricks like this.

Lower Idle CPU Usage

The VMware Fusion team is committed to providing a very stable and highly performing virtualization environment on the Mac. In this maintenance release, we reduced CPU usage when a virtual machine is idle under VMware Fusion.

For all the details of what VMware Fusion 2.05 has to offer, read the release notes.

What about the ATI Graphics Issue on Mac OS X 10.5.7?

I posted a note last month warning you about the problematic ATI drivers in Mac OS X 10.5.7. Unfortunately, the issue still exists. But be assured that we are following up with Apple and ATI on a resolution and we will update the blog when we have any change in status.

It is no secret that vSphere 4.0 delivers excellent performance and provides the capability to virtualize the beefiest of workloads. Several impressive performance studies using ESX 4.0 have been already been presented. (My favorite is this database performance whitepaper.) However, I continue to hear questions about the scheduling overhead of larger VMs within a heavily-utilized, mixed-workload environment. We put together a study using simple variations of VMware’s mixed-workload consolidation benchmark VMmark to help answer this question.

For this study we chose two of the VMmark workloads, database and web server, as the vCPU-scalability targets. These VMs represent workloads that typically show the greatest range of load in production environments so they are natural choices for a scalability assessment. We varied the number of vCPUs in these two VMs between one and four and measured throughput scaling and CPU utilization of each configuration by increasing the number of benchmark tiles up to and beyond system saturation.

The standard VMmark workload levels were used and were held constant for all tests. Given that the workload is constant, we are measuring the cost of SMP VMs and their impact on the scheduler . This approach places increasing stress the hypervisor as the vCPU allocations increase and creates a worst-case scenario for the scheduler. The vCPU allocations for the three configurations are shown in the table below:

Config2 uses the standard VMmark vCPU allocation of 10 vCPUs per tile. Config1 contains 20% fewer vCPUs than the standard while Config3 contains 40% more than the standard.

We also used Windows Server 2008 instead of Windows Server 2003 where possible to characterize its behavior in anticipation of using Server 2008 in a next-generation benchmark. As a result, we increased the memory in the Javaserver VMs from 1GB to 1.4 GB to insure sufficient memory space for the JVM. The table below provides a summary of each VM’s configuration:

Below is a basic summary of the hardware used:

• Dell PowerEdge R905 with 4 x 2.6GHz Quad Core AMD Opteron 8382
• Firmware version 3.0.2 (latest available).
• 128GB DDR2 Memory.
• 2 x Intel E1000 dual-port NIC
• 2 x Qlogic 2462 dual-port 4Gb
• 2 x EMC CX3-80 Storage Arrays.
• 15 x HP DL360 client systems.

Experimental Results

Figure 1 below shows both the CPU utilization and the throughput scaling normalized to the single-tile throughput of Config1. Both throughput and CPU utilization remain roughly equal for all three configurations at load levels of 1, 3, and 6 tiles (6, 18, and 36 VMs, respectively). The cost of using SMP VMs is negligible here. The throughputs remain roughly equal while the CPU utilization curves begin to diverge as the load increases to 9, 10, and 11 tiles (54, 60, and 66 VMs, respectively). Furthermore, all three configurations achieve roughly linear scaling up to 11 tiles (66 VMs). CPU utilization when running 11 tiles was 85%, 90%, and 93% for Config1, Config2, and Config3, respectively. Considering that few customers are comfortable running at overall system utilizations above 85%, this result shows remarkable scheduler performance and limited SMP co-scheduling overhead within a typical operating regime.

Figure 2 below shows the same normalized throughput of Figure 1 as well as the total number of running vCPUs to illustrate the additional stresses put on the hypervisor by the progressively larger SMP configurations. For instance, the throughput scaling at nine tiles is equivalent despite the fact that Config1 requires only 72 vCPUs while Config3 uses 126 vCPUs. As expected, Config3, with its heavier resource demands, is the first to transition into system saturation. This occurs at a load of 12 tiles (72 VMs). At 12 tiles, there are 168 vCPUs active – 48 more vCPUs than used by Config2 at 12 tiles. Nevertheless, Config3 scaling only lags Config2 by 9% and Config1 by 8%. Config2 reaches system saturation at 14 tiles (84 VMs), where it lags Config1 by 5%. Finally Config1 hits the saturation point at 15 tiles (90 VMs).

Overall, these results show that ESX 4.0 effectively and fairly manages VMs of all shapes and sizes in a mixed-workload environment. ESX 4.0 also exhibits excellent throughput parity and minimal CPU differences between the three configurations throughout the typical operating envelope. ESX continues to demonstrate first-class enterprise stability, robustness, and predictability in all cases. Considering how well ESX 4.0 handles a tough situation like this, users can have confidence when virtualizing their larger workloads within larger VMs.

(*) The spartan memory and disk allocations for the Windows Server 2008 VMs might cause readers to question if the virtual machines were adequately provisioned. Since our internal testing covers a wide array of virtualization platforms, reducing the memory of the Standby Server enables us to measure the peak performance of the server before encountering memory bottlenecks on virtualization platforms where physical memory is limited and sophisticated memory overcommit techniques are unavailable. Likewise, we want to configure our tests so that the storage capacity doesn’t induce an artificial bottleneck. Neither the Standby Server nor the Javaserver place significant demands on their virtual disks, allowing us to optimize storage usage. We carefully compared this spartan Windows Server 2008 configuration against a richly configured Windows Server 2008 tile and found no measurable difference in stability or performance. Of course, I would not encourage this type of configuration in a live production setting. On the other hand, if a VM gets configured in this way, vSphere users can sleep well knowing that ESX won’t let them down.

One of the many capabilities introduced in VMware vSphere 4 is VMware Data Recovery (VDR), a virtual machine backup and recovery product. Market research and customer feedback showed that many people wanted an integrated option for protecting virtual machines in a VMware environment. Further analysis showed that this was more eminent for VMware customers that had (or plan to have) fewer than 100 virtual machines in their environment and where IT responsibilities (including VMware) were shared among 2-3 IT administrators (as opposed to having a dedicated VMware administrator on-staff).

VMware has been helping customers address their backup challenges in two ways: making significant investments in the vStorage APIs for Data Protection that third-party backup tools use to integrate their backup/recovery products with vSphere, and in providing an integrated option optimized for vSphere customers with smaller environments. VDR is built using the vStorage APIs for Data Protection and incorporates a user interface, policy engine and data duplication - see the diagram below on how it all fits together. I’ll cover these blocks in a series of blogs but I wanted to start out by discussing Data Deduplication (dedupe).

Given that we had a made a decision to only use disks as the destination for the VDR backups, we had to look for a solution that offered disk storage savings – and this is where dedupe comes in. In a nutshell, dedupe avoids the same data to be stored twice - and dedupe is HOT – just check out the mergers and acquisitions news!

What VMware decided to implement for VDR dedupe is (take a deep breath) - block based in-line destination deduplication. Deconstructing it means the following:

    1. We discover data commonality at the disk block level as oppose to the file level.

    2. It is done as we stream the backup data to the destination disk as opposed to a post-backup process.

    3. The actual dedupe process occurs as we store the data on the destination disk as opposed to when we are scanning the source VM’s virtual disks prior to the backup.

When it comes to deduplication, there are different techniques and hash algorithms used to accomplish the result. I am not going to get into a theoretical discussion of the pros and cons of the various types of dedupe technologies available and which approach provides the best disk savings. I personally think that it totally depends on the customers’ IT environment constraints and their overall business goals plus a lot of the storage savings is going to be data driven anyway (the more data commonality there is, the better the dedupe rate). We chose this dedupe architecture because it fit best with what we were trying to achieve with VDR and what the vSphere platform provided to us. What were these reasons? Stay tuned to this space……

This post is going to cover some useful and popular recent content seen on our community. If you haven’t seen our community, it really is the best way to learn about PowerCLI and start getting automated. Today I’m going to touch on two topics. First, I’ll cover a script to list all RDM information, then give a script that will let you add NFS datastores to all your hosts in one shot.

Listing RDM Information

If you’re wondering what an RDM is or why you might use it, check out Rich Brambley’s blog for a really good explanation. Long story short is that RDMs are often used because you need to use Microsoft Cluster Services, or if you want to take advantages of features of your storage hardware.

In PowerCLI, RDMs will show up when you run the Get-HardDisk cmdlet. Specifically they will have a type of either “rawPhysical” or “rawVirtual”, depending on the type of RDM. However, they won’t have things like the SCSI LUN, which you may find very useful to report on. If you need this information, Luc Dekens has the script you’re looking for. It will list all RDMs on all VMs, along with their size, SCSI device, etc.

Adding NFS Datastores to Multiple vCenter or ESX Hosts

If you have more than a few hosts you probably have shared storage, this is what enables a lot of vSphere’s great features like vMotion. For this to work smoothly, however, you need that storage to be available on all your hosts in a consistent way, and this can turn in to quite a challenge as your environment grows.

Not long ago a question was asked about how to automate adding datastores across multiple vCenters. Not surprisingly, Luc also suggested an answer, and it’s a pretty good one. However I want to offer a slightly different answer. The first thing we should do is define all our NFS mapping information in a CSV file, like this:

One great feature of PowerShell is its Import-Csv cmdlet, which will turn lines from a CSV file into objects that you can access just like any other object. My variation on Luc’s solution is to use the Group-Object cmdlet and group these entries by the VCName property. This way, if you’re adding multiple datastores to a single VC, you only have to log in once. Here’s my full solution to the problem, which assumes that you’ve saved your data into a file called nfs.csv.

Import-Csv nfs.csv | Group VCName | Foreach {

 Connect-VIServer -Server $_.Name

 Foreach ($entry in $_.Group) {

  Get-VMHost | New-Datastore -Nfs -Name $entry.DatastoreName `

   -Path $entry.NfsExport -NfsHost $entry.NfsHost

 }

}

Closing Thought

Be sure to check out our community, it really is the most valuable source of information for automating with PowerCLI.

It was one of those weeks again. I had a lot to do, and there is still a lot left to do. I just finished this top 5 and the quality of the articles is again very high. Especially Chad's article, wow... Anyway, start reading and enjoy. This is my gift to all fathers out there.

• Mike Laspina - Automating vSphere ESX4 Host Installations
  The custom VMware kernel incorporates Linux kickstart scripting functionality to invoke automated installations. The script location is defined as part of the Syslinux functionality and is available as a menu at boot time. A control file located on the boot media provides these variable control elements. Depending on the media type Syslinux uses a respective cfg file to implement this function. The various available Syslinux boot methods that I am aware of are USB, CD, DVD, PXE and gPXE. In this blog I will demonstrate an ISO CDROM method to perform the automated boot cycle. Any of the boot methods mentioned will all work and have varying levels of complexity to achieve.
• Chad Sakac - VMware I/O queues, “micro-bursting”, and multipathing
  A shallow queue somewhere in the IO path (or an overflowing port buffer) will cause the I/O to back off.    You need the queues to be deep enough to withstand the bursts – sometimes increasing the queue depth is important.   Now, if the problem isn’t actually the bursts, but the I/O service time not being sufficient for the sustained workload (aka you have a slow, or underconfigured array), increasing the queue depth will help for only a fraction of a second, after which the deeper queue will still fill up, and now you just have increased the latency even more.
• Bouke Groenescheij - Queue Depth and more
  Last few weeks we have had some issues regarding our HDS USP-V. For some reason a SCSI lock locked the whole VMFS and all ESX servers in that cluster were not able to read/write to the VMFS anymore. The LUN was still available, however the VMFS not. So this crashed all the VMs in the cluster. The incident repeated itself after 6 weeks, on another server, other chassis, other switches and so we contacted VMware and HDS to help us in this situation.
• Duncan Epping - VCDX Defense, the blog article
  The last part of the VCDX certification is the defense. In short: you will need to write a design, fill out the application and defend your design during a two to three hour session. Although I can describe it in 30 words it is not as simple as it may sound. First of all your design needs to meet specific requirements. I can’t go in to the details unfortunately but when you receive an invitation you will receive all the prerequisites. Like me, most of you done numerous designs, but keep in mind it needs to be in English and so will your defense need to be. This is an extra barrier for many of the non- native speakers; I know it was for me.
• Rodney Haywood - VMware vShield
  You can think of vShield as providing firewalls inside your ESX hosts. Each host runs one or more vShields which is a VM (provided as an OVF) which acts as a bridge between the real network and your Virtual Machines. These numerous vShield machines are all managed by a central vShield Manager (also provided as an OVF, one per vCenter Server). The vShield creates two zones, one protected and the other unprotected. The traffic enters the protected zone from the unprotected zone. As it crosses the zones the vShield performs traffic analysis, discovery and stateful firewall protection.

While we’re on the subject of Nexus 1000V, Pierre-Emmanuel Ettori from Cisco has just posted a couple of videos on the Cisco Data Center blog. The videos take you on an in-depth tour of the Nexus 1000V (configuration, port profiles, etc) and shows the tight integration with vCenter Server. If you haven’t seen the Nexus1000V in action, it’s well worth a look.

We’ve seen a lot of excitement around our vNetwork Distributed Switch and also the Cisco Nexus 1000V virtual switch. A little confusion, however, has arisen around physical switch dependencies for the Nexus 1000V. I understand the confusion as the Nexus 1000V (which is software based and available now) and VN-link (hardware based and not yet available) with Nexus 5000 are often presented together.

So, for the record … the Cisco Nexus 1000V will operate with any physical switch (that we know of)—Cisco Catalyst, Nexus, Foundry, HP, Force 10, etc, etc. Of course, some of the special features may only be available when coupled with a Catalyst or Nexus.

For more information:

• A paper on VMware vDS and Cisco Nexus 1000V Features is available under “Resources” at vmware.com/go/networking
• Nexus 1000V at cisco.com/go/nexus1000v

HP leverages new capabilities with ThinApp to better offer their customers a single-pane of glass for the management of the virtual applications.
Customers can also use reports generated by HP Client Automation software to track virtual and physical applications for tighter asset management.
http://www.marketwire.com/press-release/Vmware-Inc-NYSE-VMW-1004447.html

Recently, IBM announced a new Cloud Computing offering called CloudBurst.  From the product page:

IBM CloudBurst is a complete IBM Service Management package of hardware, software and services, which simplifies your cloud computing acquisition and deployment.

This blog entry from the ibm.com Community describes the software used to provide the resource abstraction layer:

Cloud Software Configuration:
•IBM CloudBurst service management pack
•IBM Tivoli Provisioning Manager v7.1
•IBM Tivoli Monitoring v6.2.1
•IBM Systems Director 6.1.1 with Active Energy Manager; IBM ToolsCenter 1.0; IBM DS Storage Manager for DS4000 v10.36; LSI SMI-S provider for DS3400
•VMware VirtualCenter 2.5 U4; VMware ESXi 3.5 U4 hypervisor

What's interesting to note is that the solution is based on the prior release of ESXi, version 3.5  With all the enhancements that have been added in ESXi 4 (which we'll talk about in upcoming blog postings), there should be no doubt that ESXi is the ideal architecture for building clouds of any size -- as many of our customers are already doing today.

The ESX Team

Welcome!

I’m Nava Davuluri, a new hire into Product Marketing. This is my third month at VMware and things are off to a great start! One of the highlight events at my job so far includes attending the new vSphere launch, where I got to see business leaders in computer technology talk about how VMware products are increasing efficiency(performance, power and hardware) control( security and service levels) and choice (hardware, OS and application architecture) for the next-generation of cloud computing. This has given me a perspective on how important these products are and also made me realize the importance of my role.

I was hired to manage the sample code arena for developers and system administrators that make up the majority of VMware developer community. My biggest goal here is to make your life easier. Yes!, by creating a community based sample code site where it will be easy to create, collect and share sample codes in one single straight forward page.

Hence, we came up with a brand new community called CodeCentral. This community sample codes site is designed bearing just those thoughts in mind.

Who is this blog for?

This Blog is intended for VMware community developers and system administrators who use VMware infrastructure and would like to have IT control through automation.

CodeCentral/Blog is the place that updates about what’s new on CodeCentral.

I will be blogging most of the time, but I will have expert guest bloggers from VMware community and VMware insiders frequently blog as well.

What content lives on CodeCentral?

CodeCentral will contain scripts and sample code for various VMware products starting with vSphere SDK. CodeCentral will provide example sample codes that solve specific tasks.

I would appreciate any feedback/comments on CodeCentral and my blog off-course.

Please visit CodeCentral at: http://communities.vmware.com/community/developer/codecentral

Welcome!

I’m Nava Davuluri, a new hire into Product Marketing. This is my third month at VMware and things are off to a great start! One of the highlight events at my job so far includes attending the new vSphere launch, where I got to see business leaders in computer technology talk about how VMware products are increasing efficiency(performance, power and hardware) control( security and service levels) and choice (hardware, OS and application architecture) for the next-generation of cloud computing. This has given me a perspective on how important these products are and also made me realize the importance of my role.

I was hired to manage the sample code arena for developers and system administrators that make up the majority of VMware developer community. My biggest goal here is to make your life easier. Yes!, by creating a community based sample code site where it will be easy to create, collect and share sample codes in one single straight forward page.

Hence, we came up with a brand new community called CodeCentral. This community sample codes site is designed bearing just those thoughts in mind.

Who is this blog for?

This Blog is intended for VMware community developers and system administrators who use VMware infrastructure and would like to have IT control through automation.

CodeCentral/Blog is the place that updates about what’s new on CodeCentral.

I will be blogging most of the time, but I will have expert guest bloggers from VMware community and VMware insiders frequently blog as well.

What content lives on CodeCentral?

CodeCentral will contain scripts and sample code for various VMware products starting with vSphere SDK. CodeCentral will provide example sample codes that solve specific tasks.

I would appreciate any feedback/comments on CodeCentral and my blog off-course.

Please visit CodeCentral at: http://communities.vmware.com/community/developer/codecentral

It's been a while so I thought I'd dust off the old VIX blog to talk about a new tool out there called PowerWF.

PowerWF has also posted quite a log of screencasts that can help you get a sense of the product. My brief description would be that PowerWF is a workflow builder based on Windows Workflow Foundation and specializing on workflow for virtual environments. The current version gives you more than 200 actions, including Windows Workflow Foundation (which gives you things like flow control for workflows), VIX (which gives you the ability to manage VMs as well as run programs within them), Secure Shell, and others. Here's a little taste of the VIX activities.

For some more info you might want to head over to Eric Sloof's blog or you can visit PowerWF directly. It seems PowerWF will also be adding support for PowerCLI within the next week or two, which should be pretty exciting for all you vSphere admins out there, so stay tuned.

After posting the “Let’s Talk Security …” blog entry last week, our engineering director reminded me of a few more things worth pointing out. Virtual switches are very much like physical switches, but they do differ in a few ways relevant to the security discussion around MAC flooding and spanning tree attacks.

• Virtual switches know the MAC addresses of the VMs and vmkernel ports by registration. It’s all controlled by the ESX hypervisor, so there is no need to “learn” any MAC addresses. vSwitches will also toss any frames with a destination MAC address outside what is registered. Hence, they’re not susceptible to MAC flooding.
• Frames received on an uplink will never be forwarded out an uplink—they’re either forwarded to the correct virtual port (with registered MAC address) or ports (multicast or broadcast) or thrown away (destination is not attached to this virtual switch). This simple rule means ESX cannot introduce a loop in the network (unless someone deliberately provisions a bridge inside a VM with two vnics). This also means ESX does not need to participate in Spanning Tree and will not put an uplink in a blocked state so you get full use of all uplinks. Note: this does not mean you should turn off spanning tree on your access switches—ESX just ignores the BPDU updates. (of course, always configure portfast or portfast trunk on the physical switchports to immediately get to the STP forwarding state)

With the launch of vSphere 4.0, VMware introduced a new version of the ESX Server and the management server, vCenter Server. In addition vSphere enables greater resource efficiency, management control, and freedom of choice for virtual datacenter storage resources and connectivity options. A brief summary of these new storage management capabilities in vSphere 4.0 are as follows:

Virtual Disk Thin Provisioning

Virtual disk thin provisioning increases the efficiency of storage utilization for virtualization environments by dynamically allocating storage and using only the amount of underlying storage resource needed to store the contents of the virtual disk. On average customers feedback is that they expect a reduction of 50% of their storage space. 

Improved iSCSI Software Initiator Efficiency

The new vSphere iSCSI SW initiator has been optimized for virtualization IO and provides significant improvements in CPU efficiency and throughput when compared to the earlier 3.5 version. VMware has released a new iSCSI software initiator that is far more efficient in its use of the ESX CPU cycles to drive storage IO. The entire iSCSI software initiator stack has been tuned to optimize cache affinity, enhance VMkernel TCP/IP stack, and to make better use of internal locks.

New vCenter Server Storage Enhancements

To help manage storage space in vSphere, each VM and ESX in the inventory now has its own storage tab that shows information about storage resources for those objects. The datastore can now be also managed as an object within vCenter in a manner that allows the vSphere administrator to view, group, and set permissions for each datastore. vSphere also provides a detailed view of all the components in the storage layout .These topology maps provide key information to administrators about which paths are available, as well as the grouping of objects sharing storage resources and new alerts and alarms are a key capability for to effectively managing datastores in which thin provisioned disks might create an over allocation of storage resources.

Enhanced Storage VMotion

Management of Storage VMotion is now fully integrated into vCenter Server. It offers full support to move a VM home from one datastore to another to facilitate storage migration. Some of the use case for the migration can be changing the storage protocol (FC, iSCSI or NFS) and/or change from thick to thin virtual disk format without impacting the VM.

In vSphere, Storage VMotion is also significantly more efficient because it leverages a change block tracking method that moves the VM home over to the new datastore much faster than in snapshot method used in the ESX Server release 3.5, and it no longer requires twice the CPU and memory of a give VM.

Dynamic Expansion of VMFS Volumes

VMFS Volume Grow offers a new way to increase the size of a datastore that resides on a LUN that has been recently increased in capacity, via the vSphere Client GUI without disrupting the running virtual machine. It complements the dynamic LUN expansion capability that exists in many storage array offerings today. If a LUN is increased in size, then VMFS Volume Grow enables the VMFS volume extent to dynamically increase in size as well.

vStorage APIs for Multipathing

In vSphere, leveraging third party storage vendor multi-path software capabilities has been introduced through a modular storage architecture that allows storage partners to write a plug-in for their module to leverage. These modules can communicate with the intelligence running in the storage array to determine the best path selection, as well as leveraging parallel paths to increase performance and reliability of the IO from the ESX to the storage array. By default the native multipath driver (NMP) supplied by VMware will be used. It can be configured to support round-robin multipath as well. However, if storage vendor module is available, it can be configured to manage the connections between the ESX and the storage. There are three types of plugins, Path Selection Plug-in (PSP), Storage Array Type Plugin (SATP) and Multi-Pathing Plug-in (MPP.)

Conclusion

VMware is now providing more storage options and features that provide greater control, choice and efficiency to be leveraged in a vSphere environment. The new storage features, as well as previously existing ones (like VMFS) are grouped into an infrastructure category named vStorage. vSphere 4.0 enables the vSphere administrator to do more with less. Extending the benefits provided by virtualization reach new levels of storage efficiency, management control and additional choices in storage connectivity. To read more on the new features in vSphere see the What’s new in vSphere - Storage paper, for detailed information on configuring see the Configuration Guide.

Authors: Paul Manning, Sr Technical Marketing Architect &

Ibrahim "Ibby" Rahmani, Sr Product Marketing Manager - Storage

In ESX 4, we released VMXNET 3 as another high performance paravirtualized adapter for use with VMs. This increases the choices …or perhaps the level of confusion. Which adapter do you choose?

Fortunately, there is help at hand. One of our engineers recently updated a knowledge base (KB) article on this very topic. You can see the full text at the kb.vmware.com site (KB #1001805), but I’ve copied the meat of it here...

The adapter choices are as follows …

• Vlance — An emulated version of the AMD 79C970 PCnet32 LANCE NIC, an older 10 Mbps NIC with drivers available in most 32-bit guest operating systems except Windows Vista and later. A virtual machine configured with this network adapter can use its network immediately.
• VMXNET — The VMXNET virtual network adapter has no physical counterpart. VMXNET is optimized for performance in a virtual machine. Because operating system vendors do not provide built-in drivers for this card, you must install VMware Tools to have a driver for the VMXNET network adapter available.
• Flexible — The Flexible network adapter identifies itself as a Vlance adapter when a virtual machine boots, but initializes itself and functions as either a Vlance or a VMXNET adapter, depending on which driver initializes it. With VMware Tools installed, the VMXNET driver changes the Vlance adapter to the higher performance VMXNET adapter.
• E1000 — An emulated version of the Intel 82545EM Gigabit Ethernet NIC, with drivers available in most newer guest operating systems, including Windows XP and later and Linux versions 2.4.19 and later.
• VMXNET 2 (Enhanced) — The VMXNET 2 adapter is based on the VMXNET adapter but provides some high-performance features commonly used on modern networks, such as jumbo frames and hardware offloads. This virtual network adapter is available only for some guest operating systems on ESX/ESXi 3.5 and later.
  VMXNET 2 is supported only for a limited set of guest operating systems:
  • 32- and 64-bit versions of Microsoft Windows 2003 (Enterprise and Datacenter Editions). You can use enhanced VMXNET adapters with other versions of the Microsoft Windows 2003 operating system, but a workaround is required to enable the option in the VI Client or vSphere Client. See http://kb.vmware.com/kb/1007195 if Enhanced vmxnet is not offered as an option.
  • 32-bit version of Microsoft Windows XP Professional
  • 32- and 64-bit versions of Red Hat Enterprise Linux 5.0
  • 32- and 64-bit versions of SUSE Linux Enterprise Server 10
  • 64-bit versions of Red Hat Enterprise Linux 4.0
  • 64-bit versions of Ubuntu Linux
• VMXNET 3 — The VMXNET 3 adapter is the next generation of a paravirtualized NIC designed for performance, and is not related to VMXNET or VMXNET 2. It offers all the features available in VMXNET 2, and adds several new features like multiqueue support (also known as Receive Side Scaling in Windows), IPv6 offloads, and MSI/MSI-X interrupt delivery. 
  VMXNET 3 is supported only for virtual machines version 7 and later, with a limited set of guest operating systems:
  • 32- and 64-bit versions of Microsoft Windows XP and later
  • 32- and 64-bit versions of Red Hat Enterprise Linux 5.0 and later
  • 32- and 64-bit versions of SUSE Linux Enterprise Server 10 and later
  • 32- and 64-bit versions of Asianux 3 and later
  • 32- and 64-bit versions of Debian 4/Ubuntu and later
  • 32/64-bit versions of Sun Solaris 10 U4 and later

VM Upgrades …

Now, a word about upgrades… if you upgrade a VM to Version 7 hardware support (to take advantage of VMXNET3), it’s a one-way upgrade. i.e. you cannot go back.

Scott Lowe posted some good information about the virtual machine upgrade process on his blog. It’s worth a look

David Oslager, from our own field, added some great info about capturing the interface information from a Windows VM for later reapplication after the upgrade. This is his process…

As per Scott’s blog, you have to save the IP info from the old NIC and replace the IP info on the “new” VMXNET 3 adapter.

Dump the IP info to a text file and then reapply it on Windows

To dump the IP config using netsh from a command line:

netsh interface ip dump > c:\ipconfig.txt

Since Windows will most likely see the new NIC as “Local Area Connection 2” (or something similar) you have to modify the above text file and change the NIC name to match the new NIC’s name. Or change the new NIC’s name on the host to match what’s in the file above. Either way works.

To re-import it:

netsh -c interface –f c:\ipconfig.txt

This really comes in handy when you have a lot of DNS servers, WINS servers, etc and/or multiple IPs on the same NIC.

If you can answer yes to any of these questions, this contest is for you

• Are you a VMware® customer or a VMware enthusiast and a firm believer in using virtualization to run business-critical applications?
• Do you currently run business-critical applications using VMware technology for improved availability and manageability?
• Are you considering running your business-critical applications on VMware vSphere™ for breakthrough performance and outstanding reliability?
• Should every IT organization use VMware vSphere to deliver business-critical applications as dynamic, cost-efficient, reliable IT services on internal clouds?

Win Big! Just create a 1-3 minute video that shows why VMware provides the best platform for business-critical applications by July 20th.

• Grand Prize: $5000 Cash
• Four $1000 Second Prizes
• One $1000 VMworld Favorite Prize
• All participants will get one free limited edition Run It with VMware T-shirt!

Not a VMware customer? Not running VMware vSphere yet? Or does your organization restrict you from sharing your VMware story with the public? Not to worry!

1. You don’t have to be a VMware customer to participate. If you love VMware technology and want to share why you think VMware vSphere is the best platform for business-critical applications, you can!
2. You don’t have to run VMware vSphere in the datacenter to talk about it. You can base your video on what you’ve read and heard about vSphere, and why you are excited about running business-critical applications on it. 
3. If you’re not allowed to represent your company, that’s okay! There is no requirement for you to share any information about yourself, your organization, or your experience using VMware at your organization. Just be creative in showing why VMware vSphere is the best platform for business-critical applications! 

Submit your entry by July 20th for your chance to win! Read the full guidelines here. U.S. Residents Only. See Terms and Conditions for details.

1. Are you a VMware customer or enthusiast and a firm believer in using virtualization?
2. Do you currently run business-critical application using vmware technology?
3. Are you considering running your business-critical application on VMware vSphere?
4. Do you think every organization should use VMware vSphere to deliver business-critical applications as dynamic, cost-effective, reliable IT services on internal clouds?

VMware has achieved a SPECweb2005 benchmark score of 50,166 using VMware vSphere 4, a 14% improvement over the world record results previously published on VI3. Our latest results further strengthen the position of VMware vSphere as an industry leader in web serving, thanks to a number of performance enhancements and features that are included in this release. In addition to the measured performance gains, some of these enhancements will help simplify administration in customer environments.

The key highlights of the current results include:

1. Highly scalable virtual SMP performance.
2. Over 25% performance improvement for the most I/O intensive SPECweb2005 support component.
3. Highly simplified setup with no device interrupt pinning.

Let me briefly touch upon each of these highlights.

Virtual SMP performance

The improved scheduler in ESX 4.0 enables usage of large symmetric multiprocessor (SMP) virtual machines for web-centric workloads. Our previous world record results published on ESX 3.5 used as many as fifteen uniprocessor (UP) virtual machines. The current results with ESX 4.0 used just four SMP virtual machines. This is made possible by several improvements that went into the CPU scheduler in ESX 4.0.

From a scheduler perspective, SMP virtual machines present additional considerations such as co-scheduling. This is because in case of a SMP virtual machine, it is important for ESX scheduler to present the applications and the guest OS running in the virtual machine with the illusion that they are running on a dedicated multiprocessor machine. ESX implements this illusion by co-scheduling the virtual processors of a SMP virtual machine. While the requirement to co-schedule all the virtual processors of a VM was relaxed in the previous releases of ESX, the relaxed co-scheduling algorithm has been further refined in ESX 4.0. This means the scheduler has more choices in its ability to schedule the virtual processors of a VM. This leads to higher system utilization and better overall performance in a consolidated environment.

ESX 4.0 has also improved its resource locking mechanism. The locking mechanism in ESX 3.5 was based on the cell lock construct. A cell is a logical grouping of physical CPUs in the system within which all the vCPUs of a VM had to be scheduled. This has been replaced with per-pCPU and per-VM locks. This fine-grained locking reduces contention and improves scalability. All these enhancements enable ESX 4.0 to use SMP VMs and achieve this new level of SPECweb2005 performance.

Very high performance gains for workloads with large I/O component

I/O intensive applications highlight the performance enhancements of ESX 4.0. These tests show that high-I/O workloads yield the largest gains when upgrading to this release.

In all our tests, we used SPECweb2005 workload which measures the system's ability to act as a web server. It is designed with three workloads to characterize different web usage patterns: Banking (emulate online banking), E-commerce (emulates an E-commerce site) and Support (emulates a vendor support site that provides downloads). The performance score of each of the workloads is measured in terms of the number of simultaneous sessions the system is able to support while meeting the QoS requirements of the workload. The aggregate metric reported by the SPECweb2005 workload normalizes the performance scores obtained on the three workloads.

The following figure compares the scores of the three workloads obtained on ESX 4.0 to the previous results on ESX 3.5. The figure also highlights the percentage improvements obtained on ESX 4.0 over ESX 3.5. We used an HP ProLiant DL585 G5 server with four Quad-Core AMD Opteron processors as the system under test. The benchmark results have been reviewed and approved by the SPEC committee.

We used the same HP ProLiant DL585 G5 server and the physical test infrastructure in the current as well as the previous benchmark submission on VI3. There were some differences between the two test configurations (for example, ESX 3.5 used UP VMs while SMP VMs were used on ESX 4.0; ESX 4.0 tests were run on currently available processors that have a slightly higher clock speed). To highlight the performance gains, we will look at the percentage improvements obtained for all the three workloads rather than the absolute numbers.

As you can see from the above figure, the biggest percentage gain was seen with the Support workload, which has the largest I/O component. In this test, a 25% gain was seen while ESX drove about 20 Gbps of web traffic. Of the three workloads, the Banking workload has the smallest I/O component, and accordingly had relatively smaller percentage gain.

Highly simplified setup

ESX 4.0 also simplifies customer environments without sacrificing performance. In our previous ESX 3.5 results, we pinned the device interrupts to make efficient use of hardware caches and improve performance. Binding device interrupts to specific processors is a technique common to SPECweb2005 benchmarking tests to maximize performance. Results published in the http://www.spec.or/osg/web2005 website reveal the complex pinning configurations used by the benchmark publishers in the native environment.

The highly improved I/O processing model in ESX 4.0 obviates the need to do any manual device interrupt pinning. On ESX, the I/O requests issued by the VM are intercepted by the virtual machine monitor (VMM) which handles them in cooperation with the VMkernel. The improved execution model in ESX 4.0 processes these I/O requests asynchronously which allows the vCPUs of the VM to execute other tasks.

Furthermore, the scheduler in ESX 4.0 schedules processing of network traffic based on processor cache architecture, which eliminates the need for manual device interrupt pinning. With the new core-offload I/O system and related scheduler improvements, the results with ESX 4.0 compare favorably to ESX 3.5.

Conclusions

These SPECweb2005 results demonstrate that customers can expect substantial performance gains on ESX 4.0 for web-centric workloads. Our past results published on ESX 3.5 showed world record performance in a scale-out (increasing the number of virtual machines) configuration and our current results on vSphere 4 demonstrate world class performance while scaling up (increasing the number of vCPUs in a virtual machine). With an improved scheduler that required no fine-tuning for these experiments, VMware vSphere 4 can offer these gains while lowering the cost of administration.

We've been very busy lately working on some changes to the VMware Knowledge Base that we're just bursting to tell you about! We can't tell you everything we're up to today, but thought you might want a sneak peek at the new look & feel that's coming soon.

Here's the new KB Homepage. Much easier on the eyes don't you think?
Note the simpler search section, tabbed interface, and sidebar with collapsible sections.

The results page looks a lot cleaner too. Again you see tabbed results, which put a lot of information right at your fingertips, all on one page.

And finally, a look at a KB article. Check out the handy actions in the right sidebar.

There, you have a taste of the new look coming. We're also working on the internals that power the KB, and soon we'll be updating you on that.

It was quite a busy week again on Planet V12n. The amount of blog posts published every week over and over again is amazing. What amazes me even more is the quality of the blog posts which makes picking a top 5 harder every single week. This is what I ended up with...

• Chad Sakac / Vaugn Stewart - A “Multivendor Post” to help our mutual NFS customers using VMware (1 , 2)
  The first core difference is that block (iSCSI/FC/FCoE) use an initiator-to-target multipathing model based on MPIO.   The domain of the path choice is from the initiator to the target.   For NAS – the domain of link selection is from one Ethernet MAC to another Ethernet MAC – or one link hop.  this is configured from the host-to-switch, switch-to-host, and NFS server-to-switch and switch to NFS server, and the comparison is shown below (note that I called it “link aggregation”, but more accurately this is either static NIC teaming, or dynamic LACP)
• Rodney Haywood - Nehalem Memory with Catalina
  In order to increase the number of memory sockets without sacrificing memory bus clock speed, the ASIC adds a small amount of latency to the first word of data fetched. Subsequent data words arrive at the full memory bus speed with no additional delay. The first word delay is in the order of 10% but I have heard from some spies that testing shows this is looking like a non-issue. Its especially a non-issue compared to the constant 10% latency hit and 28% drop in bandwidth you would get if you populated the channels in the normal Nehalem way.
• Brian Noris - Securing ESX Service Console
  Ive been doing a fair bit of virtualization security lately and I thought id share a few tid bits on what Ive done and why. If y0u find this useful then check back every couple of days as ill be adding additional steps and verifying if these apply to VI3, Vsphere or both. Most of you who are familiar with ESX will know  the default “Out Of The Box” behaviour restricts the user root from logging in directly via SSH which generally means either root user must authenticate as a standard user and then SU to root or log in directly from the console.
• Eric Sloof - Diskless Boot of ESX4 and ESX4i with PXE and iSCSI
  Since EDA and UDA are still in their beta phase and there aren’t much alternatives available for installing a VMware ESX4 or ESX4i server unattended, I thought “let’s build one myself”. I’m not a Linux guy so I had to create a Windows distribution server. In my search I’ve discovered a great little piece of software called CCBoot. This windows application enables a diskless boot of an ESX4i with iSCSI. Diskless boot makes it possible for ESX server to be operated without a local disk. The 'diskless' server is connected to a VMDK file over a network and boots up the hypervisor from the remotely located VMDK file. CCBoot is the convergence of the rapidly emerging iSCSI protocol with gPXE diskless boot technology. Remote boot over iSCSI, or CCBoot, pushes the iSCSI technology even further, opening the door to the exciting possibility of the diskless computer.
• Dominic Rivera - DRS and anti affinity rules
  An anti-affinity DRS rule is used when you want to keep 2 virtual machines on seperate hosts, usually because they provide a redundant service and locating them on the same host would eliminate that redundancy. Unfortunately an anti-affinity DRS rule can only be created for exactly 2 VMs. As you can see from the table below, once you get to creating anti-affinity rules for sets of VMs larger than 4, the creation of the rules becomes daunting.

• - Log in to VMware Communities (if you are already logged in, all services will be available)
• - Access or manage your VMware account
• - Submit support requests online
• - Download, purchase or register VMware products
• - Manage VMware product licenses

We recently posted a paper titled, Network Segmentation in Virtualized Environments on vmware.com that discusses and describes three virtualized trust zone configurations and some best practices for secure deployment.

So, what’s a trust zone? It’s part of a network (a network segment) within which traffic flows relatively freely. Traffic in and out of the trust zone is subject to stronger restrictions. Good examples are DMZs, or web/application/database zones between which we would put some form of firewalling.

The idea of consolidating a DMZ to a single host (one of the scenarios described in the paper) has stirred some opinions in the VMware Communities. The subject of security always does.

I thought one of the replies to the ongoing discussion was worth reposting. This post is from our own Serge Maskalik (aka vSerge on communities). You can read the rest of the thread here to get the context of the discussion, but the points about L2 attacks I think stand on their own (and hence why I reposted them here)…

These are really good questions, and there are a number of considerations with regards to using VLANs and how to properly secure L2 environments to reduce your attack surface area. To say that VLANs aren't secure and can't be used for DMZ usage isn't fair - the reality is that there lots of very secure VLAN implementation in production networks since the early part of this decade, especially seen in service provider networks. When you go to a Savvis, Global Crossing, AT&T, etc - you get a VLAN + CIDR block and datacenters' tenants are split up this way across the access layer. I recall building out the GlobalCenter datacenters in the late 90s/early part of this decade (these are now Savvis through Exodus acquisition), and the flat edge network which was Catalyst 5500s with shared broadcast domains became Catalyst 6500s or 7600s or comparable solutions by other vendors with VLAN segregation by customer with VLAN counts in 1k+ range per datacenter. That was almost 10 years ago and we now see lots of large and small enterprise networks heavily leverage VLANs to reduce numbers of physical NICs, simplify physical topology, reduce port density requirements on the switching edge, provide more configuration flexibility, reach large consolidation ratios by having more VMs run on smaller number of ESX servers in collapsed DMZ+Internal environments, etc.

The following is a little bit of information about L2 attacks that folks often talk about and how to put some controls in place to prevent them.

1. CAM flooding or MAC flooding. Switches use content-addressable memory which contain VLAN/PORT/MAC-ADDRESS tables for looking up egress ports as frames are forwarded. These are the forwarding tables for the switches and they have limits in size. The CAM tables are populated by looking at the source MAC on a frame and creating a CAM entry that records which port maps to what source MAC. This attack type tries to overrun the table by generating large numbers of frames with different MACs, to the point that there is no more room in the CAM to store the MAC entries. When the CAM can no longer be populated, the switch will act like a hub and flood frames to all ports except the one the frame came in on (to prevent loops). To avoid this, there are features like setting the max number of MAC entries per port - in most cases you only need one per NIC. By setting this configuration, you get rid of this risk. Secondly, you have to evaluate the risk of such attack. The attacker has to penetrate into the DMZ, own a host within the DMZ or be already on a segment close to the DMZ to run this attack. This attack could not occur if there are intermediate routers in the path, since a mac rewrite occurs on those nodes. It's a good idea to limit your L2 broadcast domains and the diameter of the switched network to avoid propagation of these type of issues.

2. VLAN Cross-talk Attacks (or VLAN Hopping) - on Cisco switches, the dot1q trunks pass all tags be default. When you configure the ESX host to uplink via a dot1q trunk, and guest tagging is allowed, it's conceivable that a rogue guest can generate frames for VLANs it should not be a part off. Avoid enabled guest tagging and monitor your vSwitch configuration activity for such things. Another way to hop VLANs is to spoof dynamic trunk configuration frames from a host; protocols like these are used by vendors to automatically configure 802.1q trunks to set up and allow VLANs. To avoid this, configure switch ports passing tagged frames explicitly to be trunks and to explicitly forward specific tags. Also, don't allow for unplugged ports on the switches to remain in a VLAN used by important assets - put them into an unused VLAN to avoid the possibility of someone plugging in to a port and getting access to the VLAN. Avoid using default VLANs (like VLAN1 on Ciscos).

3. ARP spoofing - this is where a host on the same segment as other hosts modify the ARP table on the edge router/gateway to point to the attacker's MAC and are able to redirect traffic to themselves. This can be done using ARP request or Gratuitous ARP mechanisms. This is a bit tougher to defend against, but can happen regardless of whether you are using VLANs or not.

4. Spanning-Tree attacks - this is where attackers could cause a DoS and bring down the L2 network section by generated malicious STP BDPUs and become root bridges or confuse the protocol to block specific ports. This can happen regardless of usage of VLANs, plus features like bpdu-guard and root-guard help prevent this type of stuff.

5. VRRP or HRSP tampering - break the failover protocol for the default gateway, take over the gateway MAC yourself, etc.

6. Starve out the DHCP address range - not as big of deal of DMZ, unless you are using DHCP for servers.

We on the vShield Zones teams recognize these issues and try to provide visibility to VMs and flows destined/sourced to and from VMs from a network perspective. Using Zones, you can see an ARP spoofing attack from a VM or a physical host on a segment and remediate the issue. Security best practices claim that you need visibility into L2 to deal with these type of issues, so in addition to providing firewalling functionality, we spent a lot of time on providing microflow visibility.

Also, we are seeing lots of customers using vShield Zones to isolate and segment clusters to provide dual-purpose for DMZ and internal server VMs usage using VLANs + vShield Zones isolation. We will be posting papers on this front and there will be examples at VMworld on how this can work. We are seeing three major use cases in the context of this:

1. Isolated/Segment DMZ in a dedicated set of ESX hosts or cluster with multiple trust zones provided by the vShield Zones.

2. Fully collapsed DMZ where the cluster or set of ESX hosts are shared by internal VMs and Internet-facing VMs.

3. Branch office environments where there may be some VMs hosted with Internet access, some for internal server usage and VDI as well.

With the general availability of VMware vSphere 4 a few weeks ago, I just wanted to highlight for the security community that VMware vShield Zones is also part of that release and now generally available!

vShield Zones is a new product for VMware and one of the newest members of the vSphere 4 product family, based on technology from our acquisition of Blue Lane Technologies.  We had a lot of interest from customers around vShield Zones and had over 200 customers around the world registered for our recent private beta.  It is part of the vSphere package starting with the Advanced Edition and above.

VMware vShield Zones 1.0 offers the following key features and benefits for vSphere 4 environments:

Central Management of Logical Zone Boundaries and Segmentation

• Leverage existing virtual infrastructure containers –  hosts, virtual switches, VLANs – as logical trust or organizational  zones
• Define policies to bridge, firewall, or isolate network  traffic between zone boundaries
• Manage and deploy policies across entire VMware vCenter  Server deployment
• Integrate with VMware vCenter Server and automatically  deploy on existing virtual networks
• Scan and discover existing applications running on  virtual machines to identify application protocol
  

Network Enforcement and Flow Monitoring

• Classify traffic by network or application protocol (e.g.  HTTP, RDP, SNMP)
• Performantly filter traffic with stateful packet  inspection (SPI)
• Track dynamic port connections for protocols such as  FTP
• Track network connections across VMware VMotion migration  events.
• Easily convert observed network flows into precise  network enforcement rules.
• Monitor both allowed and disallowed activity
  

Management and Reporting

• Access the Web-based vShield Manager interface remotely  from any Web browser
• Configure administrators to be common with VMware vCenter  Server or distinct for separation of duties and roles
• View activity hierarchically at individual virtual  machine or aggregate levels and generate graphical or tabular  reports
• Retain log data for archival and compliance  purposes
• Export events and data using syslog format
  

More information about vShield Zones can be found at the product page here: http://www.vmware.com/products/vshield-zones/ <http://www.vmware.com/products/vshield-zones/>

vShield Zones 1.0 is downloadable as part of the VMware vSphere evaluation at: https://www.vmware.com/tryvmware/index.php?p=vsphere&lp=1 <https://www.vmware.com/tryvmware/index.php?p=vsphere&lp=1>

Documentation and release notes about vShield Zones 1.0 can be found at: http://www.vmware.com/support/pubs/vsz_pubs.html <http://www.vmware.com/support/pubs/vsz_pubs.html>

A guest post from VMware's Scott Drummonds:

I made a bad call.

About a month and a half ago, I anonymously posted a YouTube video depicting a controversial test of Microsoft’s Hyper-V.  The video was a bit hyperbolic in its dramatization of Hyper-V’s reliability.

Unfortunately, my intention to stir the pot with eye-poking banter has put my credibility and by association VMware’s credibility in question among some of you.  For this I apologize.

I’ve removed the video from YouTube.  I’ve also sent a note of apology to Jeff Woosley at Microsoft.

My focus, and clearly VMware’s focus, is to help our 140,000 plus customers get the most from their technology investments.  This is our commitment.  We will absolutely work our best to live up to the high standard you’ve come to expect from us.  And when we mess up, we’ll be the first to address the mistake head on.

Scott

Scott is @drummonds1974 on Twitter. His blog is Virtual Performance.

VMware :: Forum 2009 :: Online Forum.

Don't miss this opportunity to learn about vSphere™ 4—The Next Generation of VMware's market leading virtualization products!

Come see how companies within different industries like the Public Sector, Education, Healthcare and Technology are simplifying IT and increasing flexibility while cutting IT costs by 50%.

Attend the Online Virtualization Forum on June 9th and 10th,
8:00am–1:00pm PDT. Don't miss this opportunity to:

• Network with VMware product experts, customers, partners and other IT Professionals.
  
• Attend 30-minute presentations and get the latest info on VMware solutions, products and industry trends.
  
• Access real-time information from industry leaders without the hassle or expense of travel.
  
• Create a multi-media resource kit, including white papers, videos and podcasts.

June 9th & 10th, 2009
8:00am – 1:00pm PDT
"<&&&&""&"">"

p.s. If you were following jtroyer or vmware on Twitter, you'd already know about this and other other cool stuff.