Lifecycle Management and Scaling
vCenter Server Profiles:
This should not be confused with host profiles. Think of it as a way to provide a desired state across all of the vCenter Servers in your organization, for instance configuring authentication or backups, as well as reverting to a last known good configuration.
This capability is available only through the REST API; there is no UI for it. You capture the state of an existing vCenter Server by exporting the config in JSON format.
You can then make changes to this config; think of it as covering mostly anything you can change in the VAMI interface. You can also easily find the APIs for vCenter Server configuration by executing GET or POST calls directly from within the vSphere Client. (Behind the scenes, vCenter Server profiles are also known as infrastructure profiles, so you'll see "infraprofile" in the name of the API.)
Finally, you validate the config and import it into other vCenter Servers.
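Before importing a profile into other vCenter Servers, it is worth diffing the exported JSON against your last known good copy so that drift (an SSH service switched on, a backup schedule disabled) is caught before it is propagated. The script below is an added example, not VMware's code: the two profile documents are constructed samples whose key names only imitate the real export format, and the endpoint path in the comment is my assumption based on the post's note that the API is named after infra profiles.

```python
import json
from typing import Any, Dict, Tuple

# Constructed sample: the last-known-good profile exported from a reference vCenter.
# Real exports come from the profile API (assumed path:
# POST /api/appliance/infraprofile/configs?action=export) and use different key names.
BASELINE = json.loads("""{
  "AuthManagement": {"LocalAccounts": {"PasswordPolicy": {"max_days": 90, "min_length": 12}}},
  "ApplianceManagement": {
    "Backup": {"schedule": {"enable": true, "parts": ["common", "seat"]}},
    "Ssh": {"enabled": false}
  }
}""")

# Constructed sample: export from a second vCenter whose settings have drifted.
CANDIDATE = json.loads("""{
  "AuthManagement": {"LocalAccounts": {"PasswordPolicy": {"max_days": 365, "min_length": 12}}},
  "ApplianceManagement": {
    "Backup": {"schedule": {"enable": false, "parts": ["common"]}},
    "Ssh": {"enabled": true},
    "Ntp": {"servers": ["ntp.example.internal"]}
  }
}""")


def flatten(doc: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into {"a.b.c": leaf}; lists are kept whole as leaf values."""
    if not isinstance(doc, dict):
        return {prefix: doc}
    flat: Dict[str, Any] = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        flat.update(flatten(value, path))
    return flat


def profile_drift(baseline: Dict[str, Any], candidate: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Return {path: (baseline_value, candidate_value)} for every setting that differs.
    A key present on only one side shows None for the other side, so additions and
    removals surface alongside changed values."""
    base, cand = flatten(baseline), flatten(candidate)
    return {p: (base.get(p), cand.get(p))
            for p in sorted(set(base) | set(cand)) if base.get(p) != cand.get(p)}


if __name__ == "__main__":
    for path, (was, now) in profile_drift(BASELINE, CANDIDATE).items():
        print(f"{path}: baseline={was!r} candidate={now!r}")
```

An empty result means the candidate matches the baseline and can be imported as-is; anything else is a decision for the admin before the import step.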
vCenter Server Multi-Homing and Scalability
Multiple network cards are now supported in vCenter Server 7, with a maximum of 4 NICs per vCenter Server.
- Important to note: NIC 1 (the second NIC you add) is reserved for vCenter HA, even if VCHA is not being used.
vCenter Server Scalability enhancements
A couple of things are changing with vCenter Server scalability in vSphere 7.
Note that the maximum number of vCenter Servers in linked mode is still 15.
vCenter Server CLI TOOLS
CMSSO-UTIL: Simplified tooling commands for vSphere SSO domain consolidation with 2 functions: unregister & domain-repoint
There is a new check-in, check-out and versioning process for templates. It is also easier to find VMware template versions.
- Check-out templates for editing
- Check-in templates to save changes made
- The Versioning tab allows a quick historical view of edits. You can also revert to a previous version (only available when the VM is stored in a Content Library).
Advanced configuration in Content Library with the ability to edit the auto-sync frequency and performance optimization.
Upgrade and Migrations
Embedded PSC only
- No more external PSC (YES!), and it is not available as an option for deployment.
- Message will show in vCenter Server install UI
- KB 60229
Migration of vCenter Server from Windows to appliance
- External PSC no longer an option
- New workflows enabled automatically for:
  • migration from Windows to appliance
  • convergence of external PSCs
- Converge tool removed and is now integrated into Upgrade/Migration
Update Planner is getting some great improvements as well:
- Perform pre-upgrade and update checks
- Automatically detect installed products
- Show compatible upgrades
These new features will save everyone lots of time by removing the guesswork and complicated interoperability questions.
vSphere Lifecycle manager
vSphere 7 is introducing an entirely new solution to unify software and firmware management. This feature will probably replace vSphere Update Manager in the future.
Cluster image management
- Cluster image is the model for management of ESXi lifecycle
- Recommendation Engine tracks validated firmware, driver and software compatibility
- Remediate everything at once, and leverage a Desired State model
- Management of host firmware from within vSphere
- Works in conjunction with vendor management tools like Dell OpenManage and HPE OneView
- VCG/HCL checks and Recommendation Engine. Remove the risk of unsupported drivers/firmware!
- Full GUI and REST API available
New ESXi REST API
Hardware & Performance
Original DRS:
- Cluster centric
- Runs every 5 min
- Uses cluster-wide standard deviation model
Improved DRS:
- Workload centric
- Runs every 1 min
- Uses the VM DRS Score
- Based on granted memory
VM DRS Score
I am interested to see if this new change will clear up some of the confusion around DRS.
- VM DRS Score in buckets (0-20%, 20-40%, etc).
- A lower bucket score does not necessarily mean a VM is not running properly.
- It’s about the execution efficiency of a VM.
- DRS calculates VM DRS Score for a VM on ESXi hosts in a cluster
- VM DRS Score is calculated using metrics such as:
• CPU %RDY (Ready) time
• Memory swap
• CPU cache behavior
• Headroom for workload to burst
• Migration cost
- Scalable Shares are not enabled by default
- Scalable Shares are configured at the cluster level and/or resource pool level
- Scalable Shares are enabled by default for vSphere with Kubernetes, where a Namespace = Resource Pool.
Support for hardware accelerators
- This feature will require VM hardware version 17
- When adding a new device, the following options appear:
• (Dynamic) DirectPath IO
• NVIDIA GRID vGPU
- DRS with Assignable H/W will use the chosen PCIe device or vGPU profile for initial placement in the cluster
Reduce stun times for large workloads
With the increase in workload resource consumption and the growth of resource allocations for workloads, changes were necessary in vMotion. The challenge today is the performance impact we see during vMotion, in particular the stun times on very large VMs.
VMware refactored vMotion to solve these challenges and bring vMotion capabilities back to large workloads like SAP HANA or Oracle.
Memory copy (OLD WAY)
- When vMotion is initiated, page tracers are installed. This is done on all the vCPUs assigned to the virtual machine that is being live migrated.
- During a vMotion, all changed memory pages are tracked by using a page tracer.
- Changed (or dirtied) memory pages are copied to the destination ESXi again.
- This caused a significant impact on workload performance in 6.x
Memory copy optimization
- In vSphere 7, only 1 vCPU is claimed regardless of how many vCPUs are configured for the VM. This single vCPU is dedicated to page tracing and page-fire work during a vMotion operation.
- Much more efficient by improved page tracing.
- Greatly reduced performance impact on workload!
- During the switch-over phase (stun), the last memory bitmap is transferred.
- In previous versions, the entire bitmap was transferred from the source to destination ESXi host
- In vSphere 7, only the compacted bitmap is transferred from the source to destination ESXi host
- 24 TB memory requires 768 MB bitmap
- Cuts time for a 24 TB VM from 2 seconds to milliseconds!
- VMware's aim is for stun time to be < 1 sec for all workloads, which is a huge improvement
New baselines added
- New support for CPU packages was introduced:
  • Intel® Cascade Lake generation
  • AMD Zen2 generation
  • EPYC Rome
VM Hardware v17
Virtual Watchdog Timer
- Without a watchdog timer, guest OSes & applications don’t have a standard way to know that they crashed.
- A watchdog timer helps by resetting the VM if the guest OS is no longer responding.
- This is especially important for clustered applications, like databases and filesystems.
Precision Time Protocol (PTP)
- Provides sub-millisecond timekeeping for financial and scientific applications
- This requires both an in-guest device and an ESXi service to be enabled
- You can choose between NTP and PTP
Security & Compliance
vSGX / Secure Enclaves
vSGX provides hardware protection for secrets
- Intel Software Guard Extensions (SGX) allows applications to work with the hardware to create a secure enclave (128 MB) that cannot be viewed by the guest OS or the hypervisor.
- Applications can move sensitive logic & storage into this enclave.
- Only supported on Intel (Ice Lake), since AMD has SEV, which is a different approach.
- If this is enabled you will lose vMotion and snapshot capabilities, so application design is important
Simplified Certificate Management
As we all know, vSphere 6.x has A LOT of certificates, and replacing them can be tricky. In vSphere 7 this has been simplified and most of the certs have been removed.
- There is still the concept of machine certs. You can still let the VMCA manage the cluster internally with hybrid mode (recommended)
- There are also new APIs to get this done
vSphere Trust Authority
Attestation in vSphere 6.7 (then)
- Attestation in vSphere 6.7 is view-only.
- No repercussions for failing; secure workloads still run on untrusted hosts!
- Attestation is done by vCenter Server, a VM.
- Encryption keys managed by vCenter Server.
- Cannot encrypt vCenter Server (dependency loop).
- Hard to implement Principle of Least Privilege.
Attestation in vSphere 7 (now)
- vTA creates a hardware root of trust using a separate ESXi host cluster.
- Attestation can be a requirement for access to encryption keys.
- Only talks to the trusted hosts and doesn’t talk to vCenter Server anymore
- Can encrypt workload vCenter Server instances.
- Easier to implement Principle of Least Privilege.
- Reduces audit scope & risk.
- TPM 2.0 important!
- Order the $20 TPM with server hardware
- ADFS (Microsoft Active Directory Federation Services) will initially be offered
- Standards-based federated authentication with enterprise identity providers (IdPs)
- This will reduce the vSphere Admin workload as well as the audit scope
- Flexible MFA options are now available which is great for compliance and security.
- SSO still exists, though you have to choose IdF
- Federated identity for vSphere with Kubernetes
(All images on this page courtesy VMware)