Powershell: Docker PowerCLI Core and Microsoft/Powershell - (docker -it switch)

Assumptions:
Docker running on MacOS.  (Likely runs the same on any other OS, minor differences)

Summary:
While I appreciate William Lam's posts on Docker and PowerCLICore, I'm kind of dumb and need explanations on the simpler aspects of docker.  So for those who would like to know what the options in docker mean (to explore at least) and why it can look strange even looking at 'help', here is how I understand it.  This can also be applied to the Microsoft/Powershell container image as well.

Details:
docker run --rm -it -v /Users/cnakagaki/Downloads/:/tmp/scripts vmware/powerclicore

The above line will pull the powerclicore container from docker hub (if not already 'pulled'), run it in interactive mode (w/ pseudo TTY, needed), and mount my local Downloads directory to /tmp/scripts within the docker container.

The part that mainly threw me off was the syntax combination of '-it' which essentially translates to -i (interactive) and -t (pseudo TTY).

Graphic below breaks it down to hopefully get a better basic understanding.


Further Research Needed:
I'm still having difficulty making Lam's examples work of running a powershell script from my mounted volume.  It works fine when working in session, but not calling it from this line like outlined in Lam's article:
docker run --rm -it -v ~/Downloads/:/tmp/scripts vmware/powerclicore /tmp/scripts/test.ps1
*"~" = /Users/CurrentUser/
I simply get a permission denied error.  Once I understand how to get this working, this'll be immensely useful in using docker and vmware/powerclicore container to distribute powershell/powercli workloads without actually installing it.










GeekTool: Geekweather2 auto-geolocation updated w/ city name

Continued from: http://tech.zsoldier.com/2014/11/geektool-geekweather2-w-auto-geo.html


I briefly looked through the corelocation framework.  Looks like the CLGeocoder Class could return friendly names, but I've been playing w/ Python lately so took that route for now.

Be that as it may, wrote a little python script to take the latitude and longitude results from locateme to have it return city name from Google mapping API's.  I also updated the geekweather2.sh script to accept "Names" that have underscores and/or spaces.  The python script needs work as I'm kind of guessing w/ the return I get from geopy.

I'll look into it more just out of curiosity, but if you have a chance, would love for someone to update my gist to determine city more accurately.

PreReqs:

  1. Install geopy module for python
    1. pip install geopy

Below is my fork of geekweather2.sh:
https://github.com/Zsoldier/GeekWeather2/blob/master/geekWeather2.sh

Below is what the new shell geeklet would look like w/ this new python script:

Below you'll find the contents of the cityLocator python file:

vSphere/PowerCLI: Convert to Virtual Machine is Greyed Out

Summary:
Assuming permissions are correct, this occurred in my environment, but unsure as to why.  Regardless, this is a script you can use to re-register multiple templates to your vCenter's inventory.

It will simply get a list of templates, their folder location, host, etc, remove it from inventory and re-add it back exactly where it was.  This is in relation to KB2037005

vSphere: Beta Program


VMware is opening applications to participate in their vSphere Beta Program to anyone who has 5.5 and/or 6.0 deployed in their environments.  Even if partially.
There are quite a number of expectations so be prepared to really engage w/ VMware:

  • Online acceptance of the Master Software Beta Test Agreement will be required prior to visiting the Private Beta Community
  • Install beta software within 3 days of receiving access to the beta product
  • Provide feedback within the first 4 weeks of the beta program
  • Submit Support Requests for bugs, issues and feature requests
  • Complete surveys and beta test assignments
  • Participate in the private beta discussion forum and conference calls
The obvious and not so obvious benefits are as follows:
  • Receive early access to the vSphere Beta products
  • Interact with the vSphere Beta team consisting of Product Managers, Engineers, Technical Support, and Technical Writers
  • Provide direct input on product functionality, configurability, usability, and performance
  • Provide feedback influencing future products, training, documentation, and services
  • Collaborate with other participants, learn about their use cases, and share advice and learnings
Sign up here:
http://info.vmware.com/content/35853_VMware-vSphere-Beta_Interest?src=vmw_so_vex_cnaka_471

vSAN: Configure an all-flash vSAN using PowerCLI

Script that I'm putting together to configure new all-flash vSAN clusters.  Still a work in progress, I plan on making it into a function once I've worked out the kinks.  Hosting it on gist.github.com so feel free to make suggestions.


vSAN: Rebuilding an ESXi host that has vSAN claimed disks...

Summary:
While configuring my hosts, I ran into various issues.  One host simply decided to stop talking and the hostd service became unstable.  This meant vCenter could not access the ESXi host to manage it.  One issue I had was that my hosts were missing PTR entries, but even w/ that resolved, I was still stuck w/ one host having issues.

Quick Fix (Assumes no data on vSAN disks, use info at your own risk):
Assuming you have vSAN claimed disks, this is how you can clear them up.
  1. Gather your list of disks on the host using this command:
    • ls /vmfs/devices/disks
  2. Ones appended w/ a :1 or 2 are typically your vSAN disks, you can double check using this command:
    • partedUtil getptbl /vmfs/devices/disks/naa.#################
    • Return looks like this:
  3. Once you've determined which ones have those partitions, delete them:
    1. partedUtil delete /vmfs/devices/disks/naa.################# 1
    2. partedUtil delete /vmfs/devices/disks/naa.################# 2
  4. Once all have been deleted, restart services:
    • services.sh restart

Details:
After rebuilding the host from iso, it continued to exhibit issues.  I tried adding it back to vCenter after the rebuild, (mind you I still had vSAN turned on and set to automatic on the cluster), it reached 80% then failed w/ the following error:

A general system error occurred: Unable to push CA certificates and CRLs to host stupidESXihost.mydomain.local

Attempting to login directly via fat client to the box simply provided:

An unknown connection error occurred. (The server could not interpret the client's request. (The remote server returned an error: (503) Server Unavailable.))

After this, I attempted to rebuild the host from iso again, but this time I had turned off vSAN on my cluster object.  Unfortunately, it appears that the damage had been done to the extent that my vSAN disks were still claimed by vSAN which was noted by the # symbol next to my vSAN disks in the install screens.

This appeared to cause the ESXi host to now simply go into error 503 state even after rebuilding the host from scratch.  I had to actually delete the vSAN claimed disks' partitions and restart the services to get the host back into a healthy state.

Helpful Info:
http://www.virtuallyghetto.com/2013/09/additional-steps-required-to-completely.html
*ESXCLI method described by Lam doesn't work in this case because application server is in 503 state, so no API/CLI methods available. 

Nutanix: Role Mapping Quirk



Summary:
Basically was trying to map a set of AD groups to the Cluster Admin role in Nutanix/Prism.  It appears the role mapping config is very literal.  Meaning, putting in a group like this:

GroupA, GroupB

GroupA will work, but members of GroupB will not have access.  This is because of a 'space' after the comma.  Valid input would be:

GroupA,GroupB


vSphere: VUM (Update Manager) had an unknown error.

Summary:
There is a KB article about this, basically happens when the metadata zip file is missing.  In my case, it happened when I moved vCenter from one OS version to another.  By way of old VM to new VM.

Essentially, I needed to move all my metadata files from my old vCenter that happened to house VUM as well to the new one.

Typically if default install, this location is here:
C:\VMware\VMware Update Manager\Data

The folder in particular is hostupdate and contains the metadata_###### file that the logs refer to.  So if you still have the old server, you can simply copy it back over.

Otherwise, your only recourse is to reinstall and clear the VUM database.

vSphere: Big Data Extensions (Also how to increase heap size in vSphere 6)


Summary:
Installing BDE from VMware is pretty easy, but there are some requirements that you need to meet prior to deployment.
  1. Forward and Reverse DNS lookup records for your BDE appliance.
  2. Make sure your ESXi hosts, and vCenters are NTP synced.
Anyway, regarding the above error: Certificate does not have a valid chain and is invalid.

Assuming both preReqs and any others listed in BDE documentation are met, the only way I've been able to work around this problem is by increasing the vSphere Web Client's max heap size from 2GB to 4GB.

This took some detective work from my TAM, but he found me a way to increase specific services' heap size in 6.0.  Here is the line you will need to increase the web client's heap to a size appropriate for your environment that the dynamic sizing may not understand.

This is for the vCenter Appliance, but same applies for Windows server.
cloudvm-ram-size -C 4096 vsphere-client
service vsphere-client restart

Here is the doc, where this nugget is hidden:
http://www.vmware.com/files/pdf/techpaper/VMware-PerfBest-Practices-vSphere6-0.pdf
Page 61 to be exact.


PSA: DO NOT UPGRADE from 5.0/5.1 straight to 5.5 U3b

Really VMware!?
Here is the KB: https://kb.vmware.com/kb/2143943
[UPDATE: Patch released that should fix this issue: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2144357]
Basically, you'll end up w/ some 5.0 hosts that will be overloaded w/ VM's, assuming you used UM to do your updates.  In my case, I had 13 hosts on 5.5 w/ 2 hosts overloaded on 5.0.

So here is my workaround to keep VM's up and running w/o rebooting them:

  1. Fresh Install ESXi 5.5 U2 on some hosts that were already upgraded to 5.5 U3b
    1. In my case, most of my 5.5U3b hosts were empty.
  2. Once 5.5 U2 is installed, you should be able to successfully migrate from 5.0 to 5.5U2.
  3. Follow that up by migrating from 5.5U2 to your remaining 5.5 U3b hosts.

This worked for me and saved my arse.  Hope you don't run into this and I'm sorry for all those previous to me that actually followed that stupid KB.

On the flip side, a PERFECT case as to why you might want to implement stateless caching for your ESXi hosts.  If I'm thinking of it correctly, should have been an easy way for me to swap versions.  Will need to explore that more.

Exact Error:
Error when attempting to vMotion, error
Migration to host <> failed with error Already disconnected (195887150). 
vMotion migration [-1062717213:1455646378729101] failed writing stream completion: Already disconnected
vMotion migration [-1062717213:1455646378729101] failed to flush stream buffer: Already disconnected
vMotion migration [-1062717213:1455646378729101] socket connected returned: Already disconnected

Nutanix: Deploying the Dell XC series

Adventures in deploying the new Dell XC (Nutanix) series systems.  Initial install of a Nutanix based system.

PreRequisites (per XC630 1U system):
  1. 2x 10Gb Ports <-- Trunk Ports
  2. 1x iDrac Port <-- This is for your out of band management.
    • We get these DHCP enabled by default so we can access them the minute they're connected.
  3. IPv6 Link-Local Enabled on switch (Recommended/Preferred)
    • Typically enabled by default on modern switches
    • This enables the Nutanix Controller VMs to discover each other immediately.
    • You'll need to attach a device physically to that switch
      • Or a VM to that switch to start configuration.
    • This will allow you to setup via a snazzy web interface.
  4. If IPv6 Link-Local is unavailable on the switches, then the setup involves logging into each CVM to perform manual cluster creation.
    • This can be done by logging into each ESXi hosts' shell to ssh into each CVM's local network connection attached to the vSwitchNutanix Interface.
      • This can be done because Nutanix has vmk interface already created on the same local network.
      • Nutanix has an advanced setup doc on their support portal to walk you through the manual cluster creation process.  Although a bit difficult to locate, in my opinion.
    • Log into the controller VM's on each host and assign them an IP address on ESXi's management network so they can discover each other.
Dell will typically ship these out ESXi pre-installed, although Nutanix' Acropolis and Hyper-V are options as well.

In our case, ESXi is currently our preferred hypervisor, so that's what we received.
Front of Dell XC630's

Back of Dell XC630's.  It's a lab, so yeah, it's a mess.  STOP LAUGHING!
Setup is relatively easy assuming you have all the PreReqs in place.  We did not have IPv6 link-local enabled, so setup was a bit more cumbersome than I would have liked.  Once all setup though, this Nutanix system is one sexy beast.

Enabling IPv6 Link Local is highly recommended because adding new nodes becomes a cake walk.  Prism will automatically detect new ESXi hosts added and introduce them into the cluster.  So if there is anything to take away, IPv6 link local is a must.

Next, I'll dive into Prism and give my opinion/reflection on that.

Misc: Starbucks teams with Spotify

A very interesting new feature. The obvious feature of finding out what is playing in your local Starbucks is useful, but the fact that they could use your Spotify data to influence the store's playlist is pretty cool.


NetApp VSC 4.2.2 HTTP Error 500 VSphereAuthenticationFilter only support jetty requests



NetApp KB ID 2026327 only states error 503, but the fix listed in the article will also fix this error 500 problem too.

It seems to only affect vCenters running 5.5 U3b or higher.  Anyway, probably few and far between dealing w/ this, but hopefully this helps someone looking for a solution.  Long story short, the KB details certain conf files that need to be modified.

Perform the following steps to resolve the issue:
  1. Open %Programfiles%\Netapp\Virtual Storage Console\smvi\server\etc\wrapper.conf
  2. Locate the wrapper.java.additional.X lines (should be 4)
  3. Add the following line:
    wrapper.java.additional.5=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
  4. Open %Programfiles%\Netapp\Virtual Storage Console\wrapper\wrapper.conf
  5. Locate the wrapper.java.additional.X lines (should be 7)
  6. Add the following additional line:
    wrapper.java.additional.8=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
  7. Restart both VSC services, or reboot.
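
The steps above assume 4 and 7 existing wrapper.java.additional entries. As an added example (not from the NetApp KB or the original post), this PowerShell sketch reads a wrapper.conf, reports whether the https.protocols setting is already present, and otherwise builds the line with the next unused index. The function name Get-WrapperTlsLine and the sample conf lines are assumptions made for illustration.

```powershell
# Added example. Get-WrapperTlsLine is a hypothetical helper, not part of VSC.
function Get-WrapperTlsLine {
    param([string[]]$ConfLines)

    $setting  = '-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2'   # value given in the post
    $pattern  = '^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*)$'
    $indexes  = @()
    $existing = $null

    foreach ($line in $ConfLines) {
        # Commented-out entries start with '#', so the anchored pattern skips them.
        if ($line -match $pattern) {
            $indexes += [int]$Matches[1]
            if ($Matches[2].Trim() -like '-Dhttps.protocols=*') { $existing = $line.Trim() }
        }
    }

    if ($existing) {
        # Adding a second copy under a new index would leave two competing values.
        return [pscustomobject]@{ Action = 'AlreadyPresent'; Line = $existing }
    }

    $next = 1
    if ($indexes.Count -gt 0) { $next = [int]($indexes | Measure-Object -Maximum).Maximum + 1 }
    [pscustomobject]@{ Action = 'Add'; Line = "wrapper.java.additional.$next=$setting" }
}

# Constructed sample: four active entries plus one commented-out entry.
$sample = @(
    '# constructed wrapper.conf fragment'
    'wrapper.java.additional.1=-Dexample.option1=a'
    'wrapper.java.additional.2=-Dexample.option2=b'
    ''
    'wrapper.java.additional.3=-Dexample.option3=c'
    'wrapper.java.additional.4=-Dexample.option4=d'
    '#wrapper.java.additional.9=-Dexample.disabled=x'
)

Get-WrapperTlsLine -ConfLines $sample
# Second run: the setting is already there, so nothing should be added.
Get-WrapperTlsLine -ConfLines ($sample + 'wrapper.java.additional.5=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2')

# Against a real file, pass its lines instead:
# Get-WrapperTlsLine -ConfLines (Get-Content "$env:ProgramFiles\Netapp\Virtual Storage Console\wrapper\wrapper.conf")
```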


vSphere: Security Vulnerability w/ "Shared Folders" Feature


Since this appears to be making the rounds, I figured I'd post a little Powershell code on how to figure out if a guest's VMware tools is affected.  It only appears to affect Windows so this little bit of code can help you determine whether the "Shared Folders" feature is installed.  I posted this to communities too.

# Look up the VM, then open the guest's registry remotely by its guest hostname.
$VM = Get-VM NameofVM

$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $VM.ExtensionData.Summary.Guest.HostName)
$RegKey = $Reg.OpenSubKey("System\CurrentControlSet\Control\NetworkProvider\Order")
$RegKeyValue = $RegKey.GetValue("ProviderOrder")
# "hgfs|hgs" matches the hgfs, vmhgs and vmhgfs provider names.
If ($RegKeyValue -match "hgfs|hgs") {
    Write-Host ("$($VM.Name) might be affected by VMSA-2016-0001." + "  String Values hgfs, vmhgs, and/or vmhgfs need to be removed and VM rebooted.  ESXi Host should be patched prior.  RegistryPath: $($RegKey.Name), ProviderOrderKeyStringValue: $($RegKeyValue)") -ForegroundColor:Red
} Else {
    Write-Host "$($VM.Name) not affected by VMSA-2016-0001" -ForegroundColor:Green
}


The caveat to this is that once you find those that have the HGFS/HFS, the ESXi host needs to be patched, the string values removed from the registry, and the VM rebooted for the change to take effect.
Also note:

  1. This only escalates privileges within the Guest OS. This does not escalate rights into the ESXi host.
  2. Just because those values are there, doesn't necessarily mean the function is actually in use.

The other half is that you will need to patch your ESXi hosts:
http://www.vmware.com/security/advisories/VMSA-2016-0001
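
The registry cleanup step mentioned above, as an added example that is not part of the original post or of VMware's advisory: it splits a ProviderOrder value into its entries, flags the hgfs, vmhgs and vmhgfs providers by exact name, and shows what the value would look like with them removed. The function name Test-ProviderOrder, the VM names and the sample ProviderOrder strings are constructed for illustration; nothing is written to any registry.

```powershell
# Added example. Test-ProviderOrder is a hypothetical helper; it only analyses strings.
# Provider names the post says need to be removed for VMSA-2016-0001.
$HgfsProviders = @('hgfs', 'vmhgs', 'vmhgfs')

function Test-ProviderOrder {
    param(
        [string]$VMName,
        [string]$ProviderOrder
    )
    # ProviderOrder is a comma-separated list; trim each entry and drop empty ones.
    $entries = @($ProviderOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Exact, case-insensitive name match, so an unrelated provider that merely
    # contains "hgs" in its name is not flagged.
    $found = @($entries | Where-Object { $_ -in $HgfsProviders })
    $kept  = @($entries | Where-Object { $_ -notin $HgfsProviders })

    [pscustomobject]@{
        VM           = $VMName
        Affected     = ($found.Count -gt 0)
        Remove       = ($found -join ',')
        CleanedOrder = ($kept -join ',')   # value to set once the ESXi host is patched
    }
}

# Constructed sample values standing in for what $RegKey.GetValue("ProviderOrder") returns.
$samples = [ordered]@{
    'vm-app01' = 'RDPNP,LanmanWorkstation,webclient'
    'vm-app02' = 'vmhgfs,RDPNP,LanmanWorkstation,webclient'
    'vm-app03' = 'RDPNP, hgfs ,LanmanWorkstation'
}

$samples.GetEnumerator() |
    ForEach-Object { Test-ProviderOrder -VMName $_.Key -ProviderOrder $_.Value } |
    Format-Table -AutoSize
```

In this sample, vm-app02 and vm-app03 come back as affected with a CleanedOrder that keeps the remaining providers in their original order.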