VMworld 2016 – What’s New in vSphere 6.5
Almost every year VMware announces a new version of its core product: vSphere. vSphere, or ESXi and vCenter, has been around for quite some time and it is the core product of your Software Defined Datacenter. After so many years of evolution and innovation, what is left to improve? VMware thought of a few things, and the new version shines with a couple of features some of us have been longing for and a couple that set it even further apart from any competing hypervisor. Curious? Let's run through some of the cool new stuff. This is a cherry-pick from all the new features, not a complete list.
vCenter and PSC
vCenter has long been the management server for ESXi and it makes running a fleet of hosts so much easier. But it had a few drawbacks. The first versions ran on Windows. Since vSphere 6.0 the appliance version (VCSA) has been the better way to go, but migrating to it was complicated; with the latest update of the migration tool that hurdle has been removed, so the vCenter Server Appliance is now the way to go and becomes the center of your virtual infrastructure. Yet vCenter Server Heartbeat has been discontinued and there was no proper way to make vCenter highly available (other than FT, which only protects against a host failure, not against a failure of vCenter itself). With version 6.5, vCenter finally gets native HA.
You can now deploy vCenter with HA built right into the appliance. Yes, that's right, the appliance version. vCenter HA uses an active/passive architecture with a third witness node to prevent split-brain situations. The Platform Services Controller (PSC) can be deployed in an active/active setup behind a load balancer. With these two, vCenter finally stops being the single point of failure. The RTO is about 5 minutes, and vCenter HA itself has no dependency on shared storage or on any external database.
Remember the moment you installed the vCenter Server Appliance for the first time? You opened the ISO on your Mac, started the web page, clicked the link... erm, wait a minute... that's an EXE file! To Windows it is, then. So you open the ISO on your Windows machine, click the link, install the plugin, and the installation fails: it does something strange with your system's hosts file, which is a protected system file in Windows. So you fix that, jump through all the pre-stage hoops and after a while your deployment starts. After some more waiting it fails with an error message telling you to go find a log file and see what went wrong. Who has not seen at least a few of these hoops before getting it up and running?
Well, no more. Not only does the VCSA installer look better, it works better, on Windows as well as on macOS and Linux, and without the plugin. The install procedure has been split in two: in stage 1 you deploy the VM with its basic settings, in stage 2 you set up roles, single sign-on and the rest. So if your deployment fails during the initial stage, you have not lost a world of configuration information that you now have to enter again. Another benefit: you can create a template from the appliance after stage 1 has finished, so you always set up vCenter Server Appliance the same way, without losing more of your precious time and with the certainty that all of them are identical.
Update Manager always felt a bit left behind, but it is so important to all of us who need to maintain those precious vSphere installs. You always needed a Windows server to install and run it, and you still needed the VI Client to really set it up and to scan and remediate hosts and clusters. With v6 you could scan and remediate clusters from the Web Client, but you still needed the Windows backend to make it run... until now. With version 6.5, Update Manager is finally baked into the vCenter Server Appliance. You can scan and remediate your hosts and clusters right from within the VCSA, without any external dependencies.
Backup and Restore
At least once in every IT person's lifetime it happens: your infra crashes and burns and you have to fall back on your backup solution to get up and running again. But will it work? You never really know until it's done, no matter how many test runs you do. This is especially true for vCenter: vCenter Server so often causes a chicken-and-egg dilemma for backup/restore solutions that themselves depend on it. It took some time, but VMware has added native, out-of-the-box backup and restore to vCenter Server Appliance 6.5, and you can use it next to your current vCenter backup solution if you like. The new B/R can, however, remove the dependency on third-party backup products. It writes a set of files to a target of your choice (SCP, FTP(S) or HTTP(S)), from which you redeploy your own VCSA, with the same server UUID you already had, from the standard vSphere ISO of the same version, whether you had a VCSA with an embedded PSC or an external PSC. It has a plain and simple user interface for protecting vCenter Server Appliances and PSCs, and you can encrypt the backup so your secrets stay safe on the backup target. Store that encryption password somewhere outside vCenter, though: without it the restore cannot read the backup.
Okay, so we're heading into territory I personally do not like so much. In the past VMware made a lot of changes to the management interfaces. First there was the VI Client, then the Web Client that felt like a slowed-down version of it, and finally a full-blown redesign that picked up speed considerably but still required Adobe Flash. Why not HTML5, was the call from almost all of you out there? Get rid of Flash. VMware heard you, but is not quite ready. So at this point there are, in effect, five main management interfaces:
- The most used one today is the vSphere Web Client. It is based on the Adobe Flex platform and needs Flash to run. And it's still here.
- Next is the HTML5-based vSphere Client. Its development has been accelerated mostly because so many of you downloaded the HTML5 Fling. The Fling will continue to be updated more often and can be used by those of you who want the cutting-edge functionality, but it remains unsupported. The version built into 6.5 does not yet cover all functionality, so you will still switch to the Web Client for some tasks.
- Then there is the revamped Appliance Management UI, also an HTML5 interface. A similar interface exists specifically for the Platform Services Controller, where the SSO configuration is managed.
- Finally, staying with the HTML5 theme, we have the Host Client. The Host Client also started out as a VMware Fling and made it into the product as of vSphere 6.0 Update 2.
That makes a total of five (counting the third item twice, as noted). Not the best story, but we hope VMware will eventually roll it up into one. As a reminder, these new interfaces are only available with the vCenter Server Appliance.
Did you hate that Client Integration Plugin or what? It would not run on just any client, then there were security issues, and when you thought you were in the green you tried deploying an OVA and found out that the CIP had some kind of issue and refused to deploy it, and you need the CIP for that. Well, in version 6.5 the plugin is gone. Everything is done with native browser functions. That should make for a lot of happy faces.
Security keeps getting more focus in IT, and VMware is no exception. Data integrity, privacy, knowing who has access and knowing who changed what have been on the wish list of many for quite some time.
In the old days vSphere would not tell you who changed what. It just stated that a change was made, period. Who changed it? What was changed, and when? Log collectors could not help, as the information simply was not sent to them. Since v6 the user who made a change, and when, is logged, but the details are not reflected in the logs shipped to external log collectors, not even to Log Insight. You needed third-party tools or scripts written by various knowledgeable people to make vCenter show that information.
Now, with v6.5, vSphere shows you what happened, who made it happen and when. Logs become actionable. When an admin changes the number of vCPUs or adds memory to a VM, the logs will clearly show:
- The account that made the change
- The VM that was changed
- A list of the settings that were changed, in the format "old setting" -> "new setting"
This way you always know what the old setting was and what the new one is. If you are troubleshooting a server you can now easily revert it to its original state, even when the changes were not documented.
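To see what these richer events look like from a script rather than in the UI, here is an added PowerCLI example (not code from the original post or from VMware): it lists the reconfiguration events for one VM with the user, the time and the old -> new list. It assumes PowerCLI 6.5 against a vSphere 6.5 vCenter, where VmReconfiguredEvent carries a configChanges field with modified/added/deleted strings; the server name vcenter.example.com and the VM name db01 are placeholders.

```powershell
# Added example, not from the original post or from VMware.
# Assumes PowerCLI 6.5 and a vSphere 6.5 vCenter; server and VM names are placeholders.
Connect-VIServer -Server vcenter.example.com | Out-Null

function Get-VMConfigChangeLog {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [datetime] $Start = (Get-Date).AddDays(-7)
    )
    $vm = Get-VM -Name $VMName
    # Get-VIEvent returns 100 samples by default; ask for everything since $Start.
    Get-VIEvent -Entity $vm -Start $Start -MaxSamples ([int]::MaxValue) |
        Where-Object { $_ -is [VMware.Vim.VmReconfiguredEvent] } |
        ForEach-Object {
            # ConfigChanges (ChangesInfoEventArgument) is new in the 6.5 API.
            # On an older vCenter it is $null and the row only proves *that* a change happened.
            $changes = $_.ConfigChanges
            [pscustomobject]@{
                Time     = $_.CreatedTime
                User     = $_.UserName
                VM       = $_.Vm.Name
                Host     = $_.Host.Name
                Modified = $changes.Modified   # "old setting" -> "new setting" entries
                Added    = $changes.Added
                Deleted  = $changes.Deleted
            }
        }
}

# Usage: last week of changes to db01, oldest first
Get-VMConfigChangeLog -VMName db01 |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

Because this reads vCenter's event database rather than the syslog stream, it works even when the vCenter logs are not yet forwarded to Log Insight. A Modified column that is always empty means the vCenter you are talking to is older than 6.5 and only records that a reconfiguration took place.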
VM Encryption and vMotion Encryption
With vSphere 6.5 you can apply an encryption storage policy to a VM. What does that even mean? Once a VM is encrypted, its VMDKs and its VM files are encrypted. This is done with symmetric keys in a two-level hierarchy: the ESXi host generates a data encryption key (DEK) per VM, which does the actual encryption and decryption (XTS-AES-256), and that DEK is wrapped with a key encryption key (KEK) that comes from the key manager. Only the wrapped DEK is stored in the VMX/VM settings; unwrapping happens in host memory, and the plaintext DEK never touches disk. It does not require any changes to the VM, the guest OS, the datastore or the VM's hardware version. The VM itself has no access to the keys, and when you vMotion an encrypted VM the vMotion is encrypted too (otherwise you could still read the VM contents off the wire). Obviously, for encryption to be valuable, not everybody should have access to the keys, so a new role is introduced: the "No Cryptography Administrator". This admin can do almost anything a "normal" admin can do, except encrypt or decrypt VMs, open the console of an encrypted VM or download an encrypted VM. They can still power the encrypted VM on and off, reboot and shut it down, and vMotion it.
VM encryption depends on an external key management server (KMS). The KEKs come from the KMS, which has to speak KMIP 1.1; vCenter Server is only a KMIP client and does not store the keys itself. vCenter requests the KEK and sends it to the hosts, where it is kept in host memory and used to unwrap the DEK. The KMS is the kind of infrastructure that traditionally is managed by the security team, not by the vSphere admins. Obviously not everyone can have access to the encryption keys, that would defeat the purpose of the encryption. This will stir things up a bit with your current admin roles, as you may need to re-evaluate who needs access to what. One practical consequence: the KMS has to be reachable whenever an encrypted VM powers on or a host reboots, so do not run the KMS (or vCenter) as an encrypted VM on the very cluster it protects.
In the wake of VM encryption comes vMotion encryption. It does not encrypt the whole vMotion network; it encrypts the vMotion data stream of an individual VM. As mentioned, it is mandatory when you vMotion your encrypted VMs, but you can also enable it for unencrypted VMs. vMotion encryption is a per-VM setting with three values:
- Disabled: (obviously) do not use encryption.
- Opportunistic (the default for new VMs): use encryption when both source and destination host support it, otherwise fall back to plain vMotion.
- Required: only allow encrypted vMotion. vMotion will fail if one of the hosts does not support it. Encrypted VMs are always set to Required.
UEFI Secure Boot has been around for some time, and with vSphere 6.5 we can leverage it in the datacenter, both for the host and for the VM. With Secure Boot enabled, ESXi will ONLY boot and load signed code, the kernel as well as every VIB, and unsigned VIBs can no longer be installed on the host. This gives the hypervisor a cryptographic chain of trust rooted in the certificate stored in the UEFI firmware: the firmware validates the signed boot loader, the boot loader validates the kernel, and once the kernel is up the secure boot verifier validates every VIB against VMware's certificate. The check runs at every boot, and if it fails anywhere in the chain the host will not boot. Before switching it on in the server firmware, run /usr/lib/vmware/secureboot/bin/secureBoot.py -c on the host to check that every installed VIB would pass. Secure Boot inside the VM is a chain in the same way: the virtual UEFI firmware validates the guest boot loader, so the VM needs EFI firmware, hardware version 13 and a guest OS that supports Secure Boot. It can be enabled in the UI as well as with PowerCLI.
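As an added example (not code from the original post or from VMware), this PowerCLI snippet enforces the two per-VM settings from the last two sections: it sets vMotion encryption to Required and turns on EFI Secure Boot, then reports whether a VM is compliant. It assumes PowerCLI 6.5 against a vSphere 6.5 vCenter (the VirtualMachineConfigSpec.migrateEncryption and VirtualMachineBootOptions.efiSecureBootEnabled properties are 6.5 additions), a VM whose guest was installed on EFI firmware at hardware version 13, and the placeholder names vcenter.example.com and web01.

```powershell
# Added example, not from the original post or from VMware.
# Assumes PowerCLI 6.5, a vSphere 6.5 vCenter and placeholder names.
Connect-VIServer -Server vcenter.example.com | Out-Null

function Set-VMHardening {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [ValidateSet('disabled', 'opportunistic', 'required')]
        [string] $VMotionEncryption = 'required',
        [bool] $SecureBoot = $true
    )
    $vm  = Get-VM -Name $VMName
    $cfg = $vm.ExtensionData.Config

    # Secure Boot is a boot-time setting; change it only while the VM is powered off.
    if ($SecureBoot -and $vm.PowerState -ne 'PoweredOff') {
        throw "$VMName must be powered off to change Secure Boot settings."
    }
    # Never flip BIOS -> EFI under an already installed guest: it will no longer boot.
    # Secure Boot also needs hardware version 13 (vmx-13).
    if ($SecureBoot -and $cfg.Firmware -ne 'efi') {
        throw "$VMName uses '$($cfg.Firmware)' firmware; Secure Boot needs a guest installed on EFI."
    }
    if ($SecureBoot -and [int]($cfg.Version -replace '^vmx-', '') -lt 13) {
        throw "$VMName is at $($cfg.Version); Secure Boot needs vmx-13 or newer."
    }

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    # Encrypted vMotion mode: disabled | opportunistic | required.
    # Encrypted VMs are forced to 'required' by vCenter regardless of this value.
    $spec.MigrateEncryption = $VMotionEncryption
    if ($SecureBoot) {
        $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
        $spec.BootOptions.EfiSecureBootEnabled = $true
    }
    $vm.ExtensionData.ReconfigVM($spec)
}

function Test-VMHardening {
    param([Parameter(Mandatory)] [string] $VMName)
    $cfg = (Get-VM -Name $VMName).ExtensionData.Config
    $secureBoot = [bool] $cfg.BootOptions.EfiSecureBootEnabled   # $null on BIOS VMs -> $false
    [pscustomobject]@{
        VM                = $VMName
        HardwareVersion   = $cfg.Version
        Firmware          = $cfg.Firmware
        SecureBoot        = $secureBoot
        VMotionEncryption = $cfg.MigrateEncryption
        Compliant         = ($cfg.Firmware -eq 'efi' -and $secureBoot -and
                             $cfg.MigrateEncryption -eq 'required')
    }
}

Set-VMHardening -VMName web01
Test-VMHardening -VMName web01

# Find every VM that still allows unencrypted vMotion or boots without Secure Boot
Get-VM | ForEach-Object { Test-VMHardening -VMName $_.Name } |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

The vMotion setting can be changed on a running VM, which is why only the Secure Boot path insists on a powered-off VM. The final loop is the part worth keeping as a scheduled check: a VM that someone sets back to Opportunistic will show up there, and with the change log from the previous section you can also see who did it.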
HA and DRS Enhancements
High Availability and Distributed Resource Scheduling are two major components of vSphere that have made a big difference over the years. Where HA keeps your VMs alive and available, DRS keeps your hosts balanced and well utilized. In vSphere 6.5 there are a couple of enhancements that are certainly worth mentioning.
HA Orchestrated Restarts
One of the things we're all familiar with is boot order. You want the AD servers booted before the DB servers, the App servers once the DB servers are up, and so on. In vSphere 6.5 you now have HA Orchestrated Restarts, where you define in what order a specific multi-tier app needs to come back, for instance first the DB server, then the App server and last the Web tier. The order is expressed as VM-to-VM dependency rules, and for each step you choose what counts as "ready" (resources allocated, powered on, guest heartbeats or application heartbeats detected) before HA starts the next tier. Every time HA has to restart this application, it does so according to your rules.
ProActive HA and Quarantine Mode
How can HA be proactive? It's not like you see a failure coming. Or is it? As it turns out, and you probably all know this, almost all big server vendors have extra hardware checks and monitoring built into their servers, monitored by their hardware management solution such as Dell OpenManage or HP Insight Manager. Through a vendor plugin, vCenter now receives those alerts, and Proactive HA can vacate a host as soon as one is raised. When a notification comes in that a host is in a degraded state (a failing fan, power supply or memory module, for example), the VMs on that host are vMotioned to other hosts in the cluster before the component actually fails.
Once a host is reported degraded, Proactive HA puts it in Quarantine Mode; depending on the automation level you configure, a moderately or severely degraded host can also be placed in Maintenance Mode instead. A quarantined host stays in the cluster, but DRS will not place VMs on it unless it has no other option, until you fix the server and bring it out of quarantine.
Tuning DRS used to be pretty basic. With vSphere 6.5 you can tune it more to your situation and use case. With the new DRS policies the distribution of VMs over your hosts can be made more even. DRS now also weighs consumed memory versus active memory for load balancing, and it looks at CPU overcommitment to prevent a single host from being overcommitted on CPU. This is especially useful when you have a lot of smaller VMs in your infrastructure, as with VDI.
DRS used to ignore the network load of a host when it moved VMs around. On occasion that could get you into trouble: a network-intensive VM was sitting on a host, another VM with a high network load was moved onto it, and things started slowing down. DRS now also looks at the saturation of a host's network links and avoids moving VMs onto a host where that could cause a slowdown or worse. Network is still a lower priority than CPU and memory in the placement decision, so there is no performance guarantee here.
So that wraps up our cherry-picking of the new features. There is more to hear and see, like vSAN 6.5, the Virtual Volumes updates and Storage Policies and control, but we'll save that for a more storage-intensive post. No exact release date has been communicated yet; VMware states it will release vSphere 6.5 in the fourth quarter of 2016.
Update: Many thanks to Mike Foley for the corrections on VM encryption and secure boot.