VMware | AVS: Content Library or Non vCenter objects on VSAN produces unassociated but valid objects


Summary:

Creating or Subscribing to a Content Library on vSAN is typical practice, but the annoying side effect?  Objects created on vSAN datastore that show up as "unassociated" objects and guess what, they simply inherit the Cluster's default VSAN policy at time of import.  Yeah, dumb right?  Also, by vSAN Operations Guide Standards section 6721 subsection 4, you shouldn't do this.

So then what?

In Azure VMware Solution(AVS), you have a couple of options.  You can do what the operations guide tells you that you shouldn't do or you can do something better.  Regardless of these options, the one thing you should do, is create a global content library.  

  1. Create Global Content Library: here are instructions to create one on an Azure blob store.
    1. You should do this, makes life easier if you can.
    2. Also a fun little experiment to play w/ Azure Functions
    3. Centralized Storage of your ISO/OVF's etc.
  2. Attach external storage (Not necessary, but I'll explain why you should)
    1. Azure NetApp Files (ANF)
    2. Pure Cloud Block Store for AVS
    3. Elastic SAN (ESAN)
  3. Subscribe to Global Content Library
    1. Subscribe and attach to an external datastore
      • This is preferable for couple of reasons:
        • If you need to scale up or down your AVS SDDC, you no longer would be tied to VSAN limitations related to storage policies that might require more than (x) numbers of hosts.
        • Content library repository contents in VSAN would be tied to the cluster that vsandatastore is attached. Meaning cluster-2 cannot direct attach ISO's.
        • Whether you create a global Azure blob based library or local library, you have to have a target datastore to pull down the data into.  If you choose VSAN, then you are basically running into the same problem of unassociated objects and cluster access limitations.
        • Another benefit w/ this model, if for whatever reason you want to get space back, you can just delete the content library subscription and re-subscribe to pull on-demand again.
    1. If an external datastore is not an option for you:
      • The subscription model to each vsan datastore is still beneficial because:
        • Easy to delete and recreate content library subscriptions
        • Still a single source for your 'content'
        • Scale scenarios where, let's say you set RAID-5 at one point as cluster default, that cluster would have issues scaling down to 3-nodes because it would be impossible to meet RAID-5 requirements on 'unknown' objects.  In this case, just delete the content library and resubscribe.
        • Slightly more annoying because now you have a content library for each cluster.
        • No avoiding "unassociated" objects in vSAN health check
Additional Notes:
  1. Must be a publicly accessible blob
    1. DNS issue here that needs to be addressed
    2. You can limit blob access to Azure sources in the very least

References:

https://core.vmware.com/resource/vsan-operations-guide#sec6721-sub4

https://vskeeball.com/2022/03/31/vsphere-content-library-on-azure-blob/

https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-operations/GUID-EC51751C-796A-4FFD-9455-BB178D1A3EBF.html



Comments

Post a Comment

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

Image
Summary: Basically had an expiring certificate registered in NSX-T that was associated to a node_id that is no longer valid.  Long story short, there wasn't anything obvious in API to delete or disassociate a certificate from a node_id for 3.2.2.  Not sure how things got in this state, but annotating for future reference.  This may change in future revisions, so always check API for latest. Details: Effectively had a stale node associated w/ a certificate that was expiring.  Could not delete certificate until that node was disassociated from the certificate. To get certificate details and associated node_id's, you can use the following curl call (UI works too): curl -k -X GET -H "Content-Type: application/json" -u admin https://<manager ip>/api/v1/trust-management/certificates/<cert UUID> Above will return something like this: Below must be run from one of the manager nodes via elevation to root: ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DOI
Read more

Azure VMware Solution: NSX-T Active/Active T0 Edges...but

Image
Summary: Azure VMware Solution (AVS) delivers by default w/ a pair of redundant Large NSX-T Edge VM's each running a T0 in active/active mode.  So why is my traffic only going out one Edge VM? Short answer: The default T1 that is delivered w/ AVS is an active/passive T1 where you connect your workloads to.  So while it could technically take either T0, it's always going to go out the closest T0 to the active "SR" T1.  Where do the SR's live?  You guessed it, on the Edge VM's.  As you can imagine, this can lead to a bottleneck if you try to shove all your traffic through a single Edge VM. Simple Diagram: Longer answer with Options:
Read more

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Image
Summary: NSX-T loses synch w/ vCenter inventory, but statuses don't appear to show an issue.  Basically, you add a host to a vCenter cluster, NSX-T bits should start to automatically installing on new host.  Assuming you've created a Transport Node Profile and associated w/ the cluster.  The problem is that NSX-T doesn't see the new host and its link to the compute manager (vCenter) looks fine. Looks fine, Y U NO WORK!? So what's going on here?  This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown. Workaround: Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI. Details: If you were to query the status of the cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running.  Even if the primary node associated w/ the VIP, if configured, is not necessarily in charge of inventory.  So you could restart the cm-inventory service till you are blue in the face and get nowhere be
Read more