vArchitect Newsletter 009

Apache Struts 2 bug bites VMware

VMware recently announced updates to the following products that patch the Apache Struts 2 vulnerability, which has been responsible for some website hacks.

Horizon Desktop as-a-Service Platform (DaaS)

VMware vCenter Server (vCenter)

vRealize Operations Manager (vROps)

vRealize Hyperic Server (Hyperic)

The only vCenter patch currently available is 6.5b with a KB workaround for 6.0, but keep an eye on this link for all correspondence on other product releases and versions.

Some additional references:

https://kb.vmware.com/kb/2149434

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

https://struts.apache.org/docs/s2-045.html

VMware tools and RSS issue

VMware rushed out a blog post on the 23rd to bring to light an issue many customers are facing with several versions of VMware Tools dropping packets. This issue impacts VMware Tools 9.10.0 up through 10.1.5 (which is current). They’re currently working on a fix, but check the blog post for more info. For now, downgrade to 9.4.15 to avoid the issue. Also, as Anton Gostev pointed out in one of the Veeam newsletters, this might manifest itself as jobs failing once enough packets are dropped. Since only a single vCPU can service the RSS queues and virtual proxies are already quite busy with the data compression and deduplication, there may be times when your jobs fail unexpectedly and without anything apparently wrong.

vRealize Production Test Tool

Chip recently sat down with a buddy of his over some cigars when the conversation turned towards vROps and how to monitor it. One option that was pointed out, although there are several, was the vRealize Production Test Tool. This is a little-known, Java-based tool which is freely available from VMware and can run a series of tests to assess the health of vRealize Automation, vRealize Operations Manager, and vRealize Business. You can find the download link here along with a PDF instruction guide. In a nutshell, you run this utility, fill out a form with your connection details, and re-run the tool using those settings pointed at one of those three products. After a minute or two, when the tool has run a number of tests against the APIs, an HTML report is generated with the status including a pass or fail rating. Something to note when it comes to using the vRPT with vROps is that it doesn’t officially support vROps 6.4 (or 6.5) at this time. We have been in touch with product management at VMware about this and some documentation inconsistencies and so hope to get a newer version soon.

VMware vSAN first to support Intel Optane

For anyone using or considering using VMware vSAN, you might be delighted to know that it’s the first platform to support Intel’s new Optane drive series based on the 3D XPoint technology. And using those Optane drives gives it a 2.5x performance increase, so even speedier than it was before.

Change the “All Services” brick icon in vRA

Something that anyone who has used vRA will attest to is the annoying “lego” icon for the All Services (default) view in the vRA catalog and how it cannot be changed. Well, it actually can be changed, and here is an article and a convenient utility that can help. Just keep in mind that this isn’t officially supported, so be sure to keep that icon or the base64 handy for when you perform an upgrade and need to restore the custom icon.

Proactive scans of your vSphere with Runecast

Something we just learned about not too long ago is a product by the name of Runecast that performs a sort of analysis and scan of your vSphere by referencing known issues. The premise is you deploy this virtual appliance in your environment, connect it to your vSphere, and let it scan for known defects, vulnerabilities, and problems in your environment by referencing the extensive VMware Knowledge Base. It’s still a young product, but has great promise. They have a live demo available on their site you can check out if you wish.

HTML5 client fling and ESXi host client fling updated

Keeping on the regular release train are updated versions of the popular HTML5 web client fling for vCenter, and the ESXi host client fling. And by the way, if you happen to run into the issue on the H5 fling where you can no longer access the FAMI (port 5490) before the update, you can always use the command line approach to update the bits.

VMware Workstation and Fusion updated

Around the 14th, both Workstation and Fusion received a minor update to address bugs. Current versions for Workstation and Fusion are now 12.5.4 and 8.5.5, respectively. See the release notes for Fusion and Workstation to check out the details.

vSphere 6.0 U3 released

vSphere 6.0 U3 (now with ESXi 6U3a available) released earlier, and release notes can be found here. This is a good update to get if you’re on vSphere 6.0 as it resolves a number of issues. One thing to be aware of at the moment, however, is if you do go to U3, you cannot go to 6.5. Again, this is only temporary and will be resolved in a future update to vSphere 6.5, but keep that in mind.

New VMware courses available on Pluralsight

For those that might have a Pluralsight subscription or maybe who don’t but love learning through videos, there are a few new VMware-related courses that are now available for your viewing pleasure. VMware vRealize Operations Manager by David Davis, What’s New in vSphere 6.5 by Josh Coen, and a Horizon 7 series by Greg Shields are now posted. Even if you’re reading this newsletter and your job focus isn’t 100% virtualization related, Pluralsight has tons of courses on all sorts of tech material, so highly recommended you check it out to see what is of use.

RVTools updated to 3.9.3

Most everyone is familiar with or uses this free tool today, but FYI it was updated recently to 3.9.3 courtesy of Rob. Check it out and get the bits here. It now supports vSphere 6.5, has new features, and has better Excel export formatting.

Commentary on the AWS S3 outage

For those not aware, the beginning of this month was hard for Amazon and their US-East-1 region located in Virginia. The long and short of it was human error took down S3 in that zone for roughly half a day, and because so many other Amazon services use S3 as a backend, they too—including the monitoring dashboard itself—either went down or were impacted. Naturally, too, many prominent customers were affected including Slack and Giphy. Anthony has a good take on this here. Feel free to Google around and read the arm waving posited by other sites, but here are some hard lessons that everyone should understand that were painfully brought to light that day:

  1. No one is infallible. Clouds are built and maintained by teams of humans. There have been and always will be errors induced by those humans with the capacity to interrupt service.
  2. Don’t put all your eggs in one basket. You wouldn’t put all your production servers on a single ESXi host, would you? Don’t then pack your entire business’ workloads in a single cloud. A successful cloud approach involves private and multiple public cloud providers to achieve a hybrid cloud stance.
  3. Redundancy and resiliency at the infrastructure level are not true redundancy. If you’re not making your application natively available at its own level, you’re not really redundant but rather hoping (and praying) the underlying infrastructure lets you fake along.

vCPU and vNUMA rightsizing – Rules of Thumb

Here’s a good summary written by Mark Achtemichuk of VMware, performance guru and good guy, on best practices around sizing your VMs with respect to vCPU configuration. This is a topic Chip has explained to customers on several occasions, and it has the potential to make or break high-performance workloads, so bookmark it and read through a couple of times to make sure you really understand what is being said here.

vSAN performance benchmarks on all-flash

This question comes up frequently when it comes to vSAN, so it’s good to see someone else has posted their numbers here. In short, R1 (mirroring) in vSAN is going to give you the best performance at the sacrifice of capacity while R5 is going to give you the best capacity at the sacrifice of performance.

VMware Horizon 7.1 released

Horizon 7.1 was released this month with quite a few new features and changes, so hit up the release notes for all the details. Find some additional blog posts on what’s new here and here as well.

Fix for ReFS on Windows Server 2016 issue

Last month we wrote about an issue impacting Veeam users that have repositories backed by a ReFS volume on Windows Server 2016. Glad to report that this has been addressed in a patch by Microsoft, and you can read about it here. It’s highly recommended that you get and apply this if you fall into this category.

New IOInsight fling

The VMware performance group recently released a cool new fling which helps people understand a VM’s I/O behavior.

It ships as a virtual appliance and provides a web-based UI which allows users to choose the VMDKs to monitor. They even recommend adding the IOInsight report to your support ticket for vSphere storage related issues, since it will help VMware support better understand the problem.

https://labs.vmware.com/flings/ioinsight