All posts tagged 2012

Not too many photos this time, and I’ve done better, but here are some selections from earlier today (Sept 15, 2012). You can really tell that Fall is coming on strong by the fact that the sun is sitting lower in the sky casting shadows across the market. It made for some challenging shooting and stark contrasts between sun and shade.

As always, please visit my Flickr Set or click on each photo below to go directly to it on Flickr. Please share and enjoy these photos, and remember that they are licensed under the Creative Commons Attribution, Non-Commercial, Share Alike (BY-NC-SA) license.

Court House

Mickeys

New Friends

Puggin

Sharing

Yawning

Now for my final post of photos from San Francisco and the VMworld 2012 Party held Wednesday evening.

As always, please visit my Flickr Set or click on each photo below to go directly to it on Flickr. Please share and enjoy these photos, and remember that they are licensed under the Creative Commons Attribution, Non-Commercial, Share Alike (BY-NC-SA) license.

 

IMG_0021
IMG_0058
IMG_0059
IMG_0071
IMG_0074
IMG_0080
IMG_0082
IMG_0090
IMG_0166
IMG_0170
IMG_0239
IMG_0253
IMG_0268
IMG_0275
IMG_0285
IMG_0287
IMG_0315
IMG_0321
IMG_0334
IMG_0336
IMG_0340

Another set of photos from San Francisco. Opening day for VMworld 2012 had registration start at 11 AM and the Hands On Labs start at the same time. After waiting in line for the HOL most of the afternoon I finally gave up, grabbed a very late lunch, and took some time to walk around for a little street photography. After that I headed over to the VMUnderground Warm Up Party as a Service (WUPaaS) lugging my camera along to get some candid shots from the party.

As always, please visit my Flickr Set or click on each photo below to go directly to it on Flickr. Please share and enjoy these photos, and remember that they are licensed under the Creative Commons Attribution, Non-Commercial, Share Alike (BY-NC-SA) license.

Doing things a little differently for this post. These are small versions, and I’ve posted the entire set below. Click on a photo to bring up the larger versions from my Flickr page.

 

Interesting Character Keeping Watch
 

Multiple Lives
Portal Valuable Plastic
vmware WuPaaS Candid 01
WuPaaS Candid 02 WuPaaS Candid 03
WuPaaS Candid 04 WuPaaS Candid 05
WuPaaS Candid 06 WuPaaS Candid 07
WuPaaS Candid 08 WuPaaS Candid 09
WuPaaS Candid 10 WuPaaS Winners

Our third Farmers’ Market of the 2012 season, and another super crowd. This was also the second annual Des Moines Flickr Friend Photowalk. Be sure to check out the other amazing photos there.

As always, please visit my Flickr Set for more photos (there are 23 in this set), or click on each photo below to go directly to it on Flickr. You can also skip straight to the slide show if you’d like. Please share and enjoy these photos, and remember that they are licensed under the Creative Commons Attribution, Non-Commercial, Share Alike (BY-NC-SA) license.

MarketMoment
Perspective01
Textures03
Flower02
CrowdCandid03

Not too many photos this time, so they are all posted here. Please visit my Flickr Photostream or skip directly to the slideshow for my latest photos. To view larger versions on Flickr, just click an image.

As always, these photos are licensed under the Creative Commons Attribution, Non-Commercial, Share Alike (BY-NC-SA) license.

The Crowd
Ready To Go
Lift Off
Bike Valet

Our second Farmers’ Market of the 2012 season, and another great crowd. This time, I got some wonderful photos of the talented Brocal Chords vocal group performing on the street corner. I was also able to capture several couples strolling the market.

As always, please visit my Flickr Set for more photos (there are 19 in total), or click on each photo below to go directly to it on Flickr. You can also skip straight to the slide show if you’d like. Please share and enjoy these photos, and remember that they are licensed under the Creative Commons Attribution, Non-Commercial, Share Alike (BY-NC-SA) license.

Brocal Chords 03
Couple 02
Another Great Crowd
Brocal Chords 02
For a Stroll 03
Brocal Chords 10
For a Stroll 01

The 2012 Des Moines Farmers’ Market kicked off with a very large crowd this season, despite the humidity hanging in the air. As always, please feel free to skip to the Photo Set on Flickr, or the Slideshow, or click on any image to go directly to it on Flickr. Also keep in mind that these are all licensed under the Creative Commons Attribution, Noncommercial, Share Alike license. Enjoy!

Juggler Triptich Resized
More Busy Cooks
Making Mini Donuts
Good Crowd
Different Generations
Busy Cooks

The Setup

A client called in with an interesting problem. They had recently performed a planned outage due to a power issue at their premises, but upon powering everything back up one of their hosts was unable to access the iSCSI SAN volumes. Fortunately, they were able to bring up all of the VMs on the remaining hosts, but capacity was down enough that they had to disable HA and DRS.

Upon interviewing the client, it became clear that they had already checked all the usual suspects. Nothing in the configuration prior to the power cycling had changed. Switch configurations, cables, ports, port groups, iSCSI settings, etc. were all exactly as before. In desperation, they had even wiped and re-installed the host using ESXi, carefully re-configuring everything to match the working hosts in the hopes that this would resolve the issue. It did not.

The Non-Standard Configuration

We know that VMware and many other experts recommend separating your vSphere network into separate Storage, Management, vMotion, and Production VM networks, typically using VLANs. This client, however, had opted to stay with a flat network configuration with all port groups and vmkernel interfaces configured on the same IP subnet. While this isn’t a Best Practice, there really isn’t anything wrong with doing things like this. As long as the vmknics can talk to the SAN, all should work fine, right?

At some point in the past, however, the decision was made to place an air gap between the storage interfaces and the rest of the network. All of the storage-related physical interfaces were connected to a switch which was not uplinked to the rest of the network in an effort to isolate that traffic so it wouldn’t overload the Production VM and Management traffic. Again, this isn’t a Best Practice, but it should work (and it did for quite some time) configured this way.

Troubleshooting

Where to start? I first plugged my laptop into the storage switch and attempted to ping the IP addresses assigned to the iSCSI vmkernel ports on the troubled host. No pings were returned, yet I was able to successfully ping all other storage interfaces present on the switch. Also, as expected, I was unable to ping all the interfaces connected to the Production/Management switches — a quick check to make sure there wasn’t an uplink between them. This pretty much established what we already knew, but more importantly, laid the groundwork for my next test.

Next, I used PuTTY to ssh in to the troubled host and perform vmkpings. Here, I noticed a pattern that led me to my conclusion. I was not able to ping the iSCSI interfaces of the SAN, but when I tried to ping IPs that I knew were only on the Production/Management switches, the pings were returned. This made it clear that the Storage network traffic for the troubled host was exiting the host via the physical interfaces connected to the Management/Production switches and not via the interfaces on the Storage switch.

So what was happening? Upon booting up, that host was binding its iSCSI software initiator to the Management vmkernel port and not the vmkernel ports uplinked to the Storage switch. Since all vmkernel ports are automatically enabled for iSCSI traffic and there is no way to disable iSCSI traffic on a vmkernel port, there was no way to force the iSCSI software initiator to bind to a particular vmkernel port — except to do things right and set them up on separate IP subnets/VLANs.

The Real Solution and The Work-Around

So, of course, the real solution is to re-work the storage network so that it uses a different IP subnet than the production network. This, however, requires planned down time to re-IP all the storage interfaces on all hosts and the SAN. Until that can be planned, they were still down a host and running without HA/DRS. On a hunch, I came up with the following work-around, which got the host back up and running until such time as the reconfiguration could take place:

  1. Power down the troubled host.
  2. Disconnect the network cables serving as uplinks for the Management vmkernel port.
  3. Power up the host, leaving those cables disconnected.
  4. Wait long enough to assure the host had completely booted into ESXi.
  5. Plug the Management vmkernel uplink ports back in.

This worked because the only vmkernel interfaces available while the server was booting were the ones connected to active uplinks — the ones connected to the Storage switch. Once that binding took place, it would not change so it was then safe to plug the Management vmkernel uplinks back in. Obviously not an ideal situation, but it did get the host back in service until an outage window can be scheduled to properly configure the Storage network interfaces.
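An added example, not part of the original post: a Python check that flags any host where an iSCSI vmkernel port shares an IP subnet with a vmkernel port uplinked to a different switch, the condition behind the failure described above. The host names, addresses, switch labels and the `find_ambiguous_storage_paths` helper are all constructed for illustration; in practice the inventory would be filled in from each host's vmkernel interface listing.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts and addresses):
# (host, vmkernel port, role, address/prefix, physical switch of its uplinks).
# esx01 mirrors the flat layout in the post; esx02 shows the corrected layout.
VMKNICS = [
    ("esx01", "vmk0", "management", "192.0.2.21/24", "prod-switch"),
    ("esx01", "vmk1", "iscsi", "192.0.2.121/24", "storage-switch"),
    ("esx01", "vmk2", "iscsi", "192.0.2.122/24", "storage-switch"),
    ("esx02", "vmk0", "management", "192.0.2.22/24", "prod-switch"),
    ("esx02", "vmk1", "iscsi", "198.51.100.121/24", "storage-switch"),
    ("esx02", "vmk2", "iscsi", "198.51.100.122/24", "storage-switch"),
]


def find_ambiguous_storage_paths(vmknics):
    """Return (host, subnet, iscsi_ports, other_ports) for every subnet that an
    iSCSI vmkernel port shares with a vmkernel port on a different switch."""
    by_subnet = defaultdict(list)
    for host, name, role, cidr, switch in vmknics:
        # ip_interface() accepts host/prefix notation; .network is the subnet.
        net = ipaddress.ip_interface(cidr).network
        by_subnet[(host, str(net))].append((name, role, switch))

    findings = []
    for (host, net), ports in sorted(by_subnet.items()):
        iscsi = [p for p in ports if p[1] == "iscsi"]
        storage_switches = {p[2] for p in iscsi}
        # A non-storage port on the same subnet but another switch gives the
        # host a second, equally valid route that never reaches the SAN.
        others = [p for p in ports
                  if p[1] != "iscsi" and p[2] not in storage_switches]
        if iscsi and others:
            findings.append((host, net,
                             sorted(p[0] for p in iscsi),
                             sorted(p[0] for p in others)))
    return findings


if __name__ == "__main__":
    for host, net, iscsi, others in find_ambiguous_storage_paths(VMKNICS):
        print(f"{host}: {net} is shared by iSCSI ports {iscsi} and {others}; "
              "storage traffic may leave through the wrong uplink")
```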

Agenda:

  • 3PM: Check-in, Welcome, Facilities
  • 3:05: VMUG Video
  • 3:15: Fusion-io preso
  • 3:50: Break
  • 3:55: VMware vShield Security preso – Karl Fultz, VMware SE
  • 4:40: Open Discussion
  • 4:55: Drawings
  • 5:00: Break
  • 5:15: Social networking at Buffalo Wild Wings

My Notes:

  • VMUG Video
    • VMware Paul Strong, CTO, Global Customer and Field Initiatives, VMware
    • vCloud Community, 8 Certified providers
  • Fusion IO: Gus Siefker (sales) and Victor Backman (tech)
    • 4 years in business, 80,000 cards
    • Move a lot of data, fast
    • Hardware and software combo that does a minimum of 100k IOPS
    • Good for DBs, VDI density
    • VDI Design: abstracting the layers (HW, OS, App, User Data) helps prep for putting Fusion-IO in the mix.
    • Boot images and high-IOPS data go to FIO, User Data and low IOPS go to SAN storage, lower tiers.
    • Basically a block level device. Presents to host as local storage.
    • Storage is persistent, can be (if needed) moved to different servers. Gave example of one client that ships them off site rather than file transfer over Internet/WAN.
    • Nutanix Complete Block: 4 Fusion-io ioDrives = 1.3 TB of storage.
    • Card draws about 25 W of power, but replaces lots of HD spindles.
    • Uses NAND Flash memory like an SSD, but removes the controller from the mix.
    • 15 microsecond latency.
    • ioTurbine: recently acquired by Fusion-io. Allows vMotion of local storage on a Fusion-io card which normally couldn’t be vMotioned.
    • There is an ioTurbine guest driver installed on the VMs. Acts as a read cache. Writes still go to SAN.
    • Keeping up to 80% of IO local to ESXi host, and reduces read load on back end storage.
    • Lab test with F-io card and NetApp back end storage using IOmeter as the load with 8 VMs. F-io solution averaged around 12,000 IOPS once the cache “warmed” up. NetApp read ops just about nothing, so its write ops performance increased.
    • When a VM is rebooted, its cache is flushed and it needs time to re-warm.
    • Guests supported are Windows only for now. Need a driver in the guest. Linux support is “coming soon.”
    • There is also a host driver.
  • Refreshment Break
  • vShield Security Overview: Karl Fultz, VMware SE
    • Enterprise Security today is not virtualized, not cloud ready.
    • Most people are still using physical security devices.
    • Moving workloads is challenging when the security doesn’t move with it.
    • vShield moves the firewall/security into virtual appliances on the host.
    • Perimeter, Internal, and End Point security.
    • vShield Zones/vShield App are basically the same. vShield Zones included with 4.1 Enterprise Plus. Segmentation and data scanning. vShield App new stand-alone product.
      • Provides 5-tuple ruleset firewall
      • Hypervisor-level fw. Inbound, outbound connection control at vNIC level
      • Groups that can stretch as VMs migrate to other hosts.
      • Flow monitoring, policy management, logging and auditing.
    • vShield Edge is perimeter security.
      • Provides NAT, DHCP, VPN, some load balancing.
      • VLAN /Port Group isolation. PG isolation requires vDS.
      • Detailed network flow stats.
      • Policy management and logging/auditing.
    • vShield Endpoint is AV offload.
      • Offloading scanning to the Security VM. No AV agents in the guest VMs.
      • Central management.
      • Enforce remediation within the VM with the driver.
      • Trend Micro (now), McAfee (in beta now), Sophos (coming soon), Symantec (coming soon) provide endpoint appliances.
      • Windows only for guests.
    • vShield Manager is the management plugin in vCenter.
    • vShield App with Data Security had pre-defined templates to scan environment for data loss. (DLP, agentless if you don’t count VM Tools as an “agent”). Can configure trust zones.
    • Security policies follow VMs. Allows for mixed trust zones.
    • vShield Zones is not supported in vShield Manager 5.0, must use older version of vShield Manager to support Zones. Will need multiple managers if mixing in 5.0 vShield App/Endpoint/Edge products.
  • Q/A Time
    • I asked for clarification about vShield Zones/App:
      • Enterprise Plus 5.0 still includes Zones. App is a separate add-on product, but they are almost identical. App adds a little more granularity.
      • Zones rules are stored in vCenter db, so backup of vCenter includes backup of the rules.
      • Upgrade path from Zones to App? First time anyone has asked him. Since the rules are in vCenter db it SHOULD just work.
  • Drawing for prizes