vArchitect Newsletter 018

New Releases and Patches

Rather than list all new releases separately, we’re going to collect them here in a single heading. As with any new versions, we highly recommend you read through the release notes.  They provide valuable information on the upgrade process as well as listing known issues that could potentially impact your environment.

  • VMware Tools 10.2.0
    • The most noticeable new features are:
      • VMware tools can now be installed or upgraded in ESXi through vSphere Update manager, using the offline bundle with VMware Tools VIB. If you are running a different ESXi version, this will help keep a consistent VMware Tools version across your VMware infrastructure.
      • Improved lifecycle management with SCCM
    • Good overview article from William Lam here.
  • VMware vRealize Suite Lifecycle Manager 1.1
    • A couple of months ago we mentioned in our newsletter about the release of vRealize Suite Lifecycle Manager 1.0. Well VMware has been working hard and just release 1.1 which some nice new features:
      • In-product Marketplace
        • Allow you to browse and install marketplace content for all the vRealize Products.
      • Configuration drift remediation
        • Initially you could only view the configuration drift, now you can remediate against a good known state.
      • Support for deletion of an environment managed by vRSLCM
      • Enhancements to environment installations, upgrade and retry logic.
  • vSAN 6.6.1 Patch 02
    • With the release of vSphere 6.5 Patch 02, vSAN received some really nice new features. This patch applies to much more than vSAN, so check the overall KB here.
      • vSAN Support Insight:
        • Enhanced vSAN support as part of the VMware Skyline™ program. More to come in a blog on VMware Skyline.
        • vSAN phone home automatically pushing configuration, health, and performance telemetry to VMware.
      • Adaptive resynchronization
        • Adaptively increase resynchronization bandwidth during off peak cycles to speed up resyncs and slow down during high peak cycles.
      • Multipath support for SAS systems
        • vSAN now enables multiple redundant paths from server to storage with no setup required, when used with a supported multipath driver. An example of such a system is HPE Synergy
      • vSAN now supports the AMD EPYC platform
      • Patch 2 fixes critical 10 GbE NIC problem.
  • vCenter Server 6.5 U1d
    • This new release mostly resolves issues as well as includes Photon OS security fixes.
  • Veeam Backup & Replication 9.5 U3
    • This update is HUGE and brings tons of features, most notably agent management and deployment.
    • Platform support updates.
    • DD OS 6.1 support
    • Lots more
    • Good blog coverage here of the other releases from Veeam coinciding with 9.5 U3.
  • Cross-vCenter Workload Migration Utility v1.0
    • GUI to do cross-SSO domain migrations between vCenter Servers.
    • Article from William Lam here.
    • Clarification that you must have BOTH vCenter AND ESXi at the version specified in the KB for migrations to work.
  • NSX-T 2.1
    • Load balancer support
    • Pivotal integration
    • More
  • VMware Workstation 1 and v14.1.1
    • Fixes for Windows 10 Fall Creator’s update
    • Patches for Spectre
    • Includes VMware Tools 10.2
  • VMware Fusion 1 and v10.1.1
    • Same updates as VMware Workstation above.
  • Microsoft PowerShell Core 6.0 GA
    • Blog article here.
    • Huge release allowing cross-platform PowerShell for the first time.
    • Based on .NET Core.
    • Not all scripts will work because of cmdlet support, so test carefully.
VMware Security announcements

Since our last newsletter, VMware has released quite a few patches to address multiple security issues.  Please review the vulnerability list below carefully and address where necessary.

We are not listing all the vulnerabilities, but we do encourage that you review the security advisories for all other severities as well as older product versions. Sign up here to receive VMware security advisories in your inbox!

  • Advisory ID: VMSA-2016-0014.1
    • Severity:    Critical
    • Synopsis:    VMware ESXi, Workstation, Fusion, & Tools updates address
    • multiple security issues
    • Issue date:  2016-09-13
    • Updated on:  2017-12-21
    • CVE number:  CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, CVE-2016-7084, CVE-2016-7079, CVE-2016-7080, CVE-2016-7085, CVE-2016-7086
      • Upgrade Workstation 14.x to 14.1.0
      • Upgrade Workstation 12.x to 12.5.0
      • Upgrade Fusion 10.x to 10.1.1
      • Upgrade Fusion 8.x to 8.5.10
      • Upgrade VMware Tools 10.x 10.0.9
  • Advisory ID: VMSA-2018-0001
    • Severity:    Critical
    • Synopsis:    vSphere Data Protection (VDP) updates address multiple security issues.
    • Issue date:  2018-01-02
    • Updated on:  2018-01-02 (Initial Advisory)
    • CVE number:  CVE-2017-15548, CVE-2017-15549, CVE-2017-15550
      • Upgrade VDP 6.1.x to 6.1.6
      • Upgrade VDP 5.x & 6.0.x to 6.0.7
  • Advisory ID: VMSA-2018-0002.1
    • Severity:    Important
    • Synopsis:    VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
    • Issue date:  2018-01-03
    • Updated on:  2018-01-09
    • CVE number:  CVE-2017-5753, CVE-2017-5715
      • Upgrade ESXi 6.5.x to ESXi650-201712101-SG
      • Upgrade ESXi 6.0.x to ESXi600-201711101-SG
      • Upgrade ESXi 5.5.x to ESXi550-201801401-BG
      • Upgrade Workstation 14.x to 14.1.1
      • Upgrade Workstation 12.x to 12.5.8
      • Upgrade Fusion 10.x to 10.1.1
      • Upgrade Fusion 8.x to 8.5.9
  • Advisory ID: VMSA-2018-0003
    • Severity:    Important
    • Synopsis:    vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities
    • Issue date:  2018-01-04
    • Updated on:  2018-01-04 (Initial Advisory)
    • CVE number:  CVE-2017-4945, CVE-2017-4946, CVE-2017-4948
      • Upgrade Workstation 14.x to 14.1.0
      • Upgrade Horizon View Client for Windows Workstation from 4.x to 4.7.0
      • Upgrade Workstation 10.x and 14.x Virtual Machine VMware Tools to 10.2.0
  • Advisory ID: VMSA-2018-0004.1
    • Severity:    Important
    • Synopsis:    VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative
    • execution issue
    • Issue date:  2018-01-09
    • Updated on:  2018-01-10
    • CVE number:  CVE-2017-5715
      • Upgrade vCenter Server 6.5.x to 6.5 U1e
      • Upgrade vCenter Server 6.0.x to 6.0 U3d
      • Upgrade vCenter Server 5.5.x to 5.5 U3g
      • Upgrade ESXi 6.5.x to ESXi650-201801401-BG & ESXi650-201801402-BG
      • Upgrade ESXi 6.0.x to ESXi600-201801401-BG & ESXi650-201801402-BG
      • Upgrade ESXi 5.5.x to ESXi550-201801401-BG
      • Upgrade Workstation 14.x to 14.1.1
      • Upgrade Workstation 12.x to 12.5.9
      • Upgrade Fusion 10.x to 10.1.1
      • Upgrade Fusion 8.x to 8.5.10
  • Advisory ID: VMSA-2018-0005
    • Severity:    Critical
    • Synopsis:    VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities
    • Issue date:  2018-01-10
    • Updated on:  2018-01-10 (Initial Advisory)
    • CVE number:  CVE-2017-4949, CVE-2017-4950
      • Upgrade Workstation 14.x to 14.1.1
      • Upgrade Workstation 12.x to 12.5.9
      • Upgrade Fusion 10.x to 10.1.1
      • Upgrade Fusion 8.x to 8.5.10
VMware Cloud on AWS

At the recent AWS re:invent conference in Las Vegas, VMware announced a bunch of new features for VMC on AWS.   Here is a complete list of the new features with some already being available and others in preview, which means they might not apply to all customers or AWS regions.

  • VMware site recovery service
    • This new service provides a great use case for an end-to-end DR solution
  • Built on top of VMware Site Recovery Manager with vSphere Replication, which VMware said “delivers protection between customer datacenters and VMware Cloud on AWS, or between environments running in separate AWS Availability Zones (AZs)”
  • 1- and 3-year subscriptions
    • Provide significant cost savings
    • Additional cost savings available based on the number of eligible on-premises product license you own (Hybrid loyalty program)
  • VMware Hybrid Cloud Extension (Preview)
    • In short, this is an add-on SaaS offering which will provide large-scale migration between your on-premises environment running vSphere 5.0+ and VMC on AWS.
    • Provides built-in high-performance layer 2 extensions so you will be able to keep the same networks, IP addresses, and routing policies in place during migration.
  • Layer 2 VPN (Preview)
    • Extending Layer 2 networks from an on-premises data center to VMC on AWS, which allows you to migrate VMs to your cloud SDDC without having to change their IP addresses.
    • Only one Layer 2 VPN is supported per cloud SDDC
    • Hybrid Linked Mode is optional for configuring Layer 2 VPN but is required for cold migration and migration with vMotion between your on-premises data center and cloud SDDC.
    • In your on-premises data center, you can use NSX or configure a Standalone Edge.
  • L3 VPN Generic Download (Preview)
    • This will reduce configuration issues with IPsec deployments since you will be able to download a generic configuration after VPN is configured, which provides all the parameters that need to be set on remote VPN devices.
  • AWS Direct Connect
    • High speed, reliable and private network connectivity to an on-premises data center.
    • Single or Multiple DX links option available.
    • While connecting to an SDDC, customers can choose a Private VIF, Public VIF, or both VIF options.
      • Private VIF – carry vMotion and ESXi management traffic
      • Public VIF – optional, and used to establish VPN tunnel and carry management appliance and workload VM traffic.
    • VMC on AWS scale
      • Supports 32 host clusters
      • Multiple SDDC per organization
      • 10 Clusters per SDDC (future)
    • VMC on AWS regions
      • New region US East (N. Virginia)
    • Support for Wavefront by VMware
      • Collects data from application metrics collectors (Java, Ruby, Python, and more) as well as service metrics collectors (MySQL, Pivotal, Kubernetes, AWS, and more)
      • Allows customer to visualize and troubleshooting applications as well as receive alerts.
    • Scripting support
      • API
        • You can use NSX APIs and Power CLI for the Day0 and Day2 automation activities.
      • PowerCLI (preview)
        • A new module has been added since PowerCLI 6.5.4, which enables the automation and scripting of VMware Cloud on AWS features
      • AWS SDKs (preview)
        • Existing vSphere Automation SDKs for both Python and Java will include functionality for access to VMC on AWS
      • Datacenter CLI (preview)
      • VMC on AWS API is available via a multi-platform, simple command-line interface
    • AWS service access enhancements
      • You have the choice to access S3 buckets over the Internet or over the AWS Connected VPC.
    • VM template support in MVP
      • You can now add VM templates to Content Library, as well as delete and deploy them
    • Live migrations!! (This is a biggy, but still in preview)
      • Live vSphere vMotion will be supported over L2VPN and Direct Connect
      • Need to setup Hybrid Linked Mode (HLM) and L2VPN for this to work
    • vCenter HLM
      • Hybrid link mode sounds similar to enhanced linked mode but differs in requirements, how they work, and what problem each solves. William wrote a great blog describing the differences.
      • Supports vCenter Servers with an embedded or external PSC.
      • Support a single on-premises vCenter Server or multiple on-premises vCenter Servers that are joined to the same SSO domain.
    • External Storage access from inside Guest VM
      • NFS, SMB, and iSCSI storage protocols are validated over the following networks:
        • AWS Elastic Network Interface (ENI)
        • VMware Cloud on AWS Compute Gateway (CGW)
        • VMware Cloud on AWS Internet Gateway (IGW)
Free vSAN Essentials 6.2 eBook

Lot of thanks must go to Cormac Hogan and Duncan Epping for making their Essential Virtual SAN (vSAN) book available for free. You can download it here. If you use vSAN and you don’t own this book, you need to have it.

Apply log rotation fix for vRA 7.3

If you’re on vRA 7.3, apply this fix if you haven’t already. It prevents an out-of-disk-space condition resulting from improper log rotation settings for the new Health Service. Again, apply this fix even if you don’t notice a problem.

Want to change the hostname of vCenter? DON’T.

This is something we see asked quite frequently, and there’s a KB that’s relevant for 6.x. Basically, if you’ve installed vCenter or vCSA using a hostname (as you should have), then you cannot change it after the fact. This is what is known as the PNID or Primary Network Identifier, and changing it on day 2 will result in things breaking.

vArchitects Blogs and Articles

Here are all the blogs written by the vArchitects since last time (since there are a few). We’ll try and group these together in the future.

Java 9 incompatible with vRealize Orchestrator client

If you’re using vRO and interacting with the Java-based vRO client on a regular basis, don’t upgrade to Java 9 as it’s not compatible with any release of vRO at this time. Stay on Java 8 and patch up to the latest security patches until it is compatible.

Importance of having a home lab

We wanted to put a little note in here about having a home lab and why this is important. We see it quite frequently, actually, where someone has been handed a big project or a new technology with no prior experience and asked to “just get it done.” Whether you’re learning vSphere for the first time or experimenting with Cisco ASA software or anything else, having a home lab is almost critical for self growth. Some people are fortunate enough (like some of us were) to have our employers dedicate some old hardware to a lab. That’s great in those cases. But bottom line is you should not expect anyone to invest in you other than you. Set aside a budget and build a small home lab to start. Even if it’s one decently-powered PC on which you can run VMware Workstation or something comparable, get something going. And if you already have some home lab gear, don’t forget about nested ESXi and what that can do for you. William Lam has a whole section on his blog for nested virtualization along with links to pre-built nested ESXi appliances for the latest release that you can import and go. Get some hardware or deploy nested instances and start learning, because you are responsible for your own future and the sole controller of your destiny.

Windows Server 2016 ReFS fixes on the way

Not a virtualization topic specifically, but for those using Veeam on (or waiting for the jump to) Windows Server 2016, a recent newsletter from Anton Gostev, product manager, informs us that they have almost gotten to the bottom of the ReFS issues seen with Veeam (and other solutions). Microsoft has some patches in beta and they are told to completely resolve the issues experienced by some. So if you’re holding out until these ReFS issues are resolved, you might not have to wait much longer.

Creating Custom Roles for vRealize Automation

For those using vRA, Grant Orchard has a great article on creating custom roles. It’s worth a strong look if you’re using vRA and want to do custom roles outside of AD.

VMware Workstation 14 beware

When Workstation 14 released in September, VMware silently changed their policy on supported CPUs which is still not clearly stated. In effect, CPUs which ran earlier versions of the product did so without issue, but many of those CPUs were dumped for the v14 release which introduced a new requirement for a feature called VMX Unrestricted Guest. Many of those CPUs occur in the Intel Nehalem architecture series. There’s a good article which covers that here, but beware that, if you haven’t purchased Workstation 14, you verify your CPU will still work.

Spectre/Meltdown

Unless you’re living under a rock you’ve heard about this. There is a lot of complexity here and all vendors are scrambling to issue patches. Rather than write a long article here rehashing what you can read everywhere else, we want to give you links to useful pages that have the important patches and KBs all in one place. Wil van Antwerpen has an excellent page in which he has collected all the salient points on these vulnerabilities and the necessary links to patches and articles for VMware and other vendors. You can view his page here.