«

»

VMworld 2016 Barcelona – Day 2 Summary

Second day, 2016-10-19, of VMworld started way better than the day before. Not stuck in traffic meaning ready when it started 09:00 AM CET.

The other VMworld 2016 Europe daily summaries can be found here:

Keynote

The second days keynote is usually a bit more technical and more demos. Was the same thing today and the first area covered was Workspace One.

screen-shot-2016-10-20-at-14-22-20

Using Horizon to access 3D CAD using a Samsung tablet, the Boxer email app with integration to e.g. SalesForce was included in the demo.

AirWatch was used to demo data protection/preventing access to data in Windows 10. More information about the vSphere 6.5 release was presented but i’ll cover that in more detail in my VMworld Day 3 Summary (link to be available soon). However, need to mention one thing and that is you’ll now have a REST API explorer via vCenter Server in the HTML5 interface. Will make it more simple to do your own automation compared to the existing SOAP interface.

screen-shot-2016-10-20-at-14-39-54

A nice demo was vSphere Integrated Containers via vRA where the components included e.g. the VCH (Virtual Container Host) were shown in vCenter Server and the deployment wizard in vRA to stand up new instances were covered.

screen-shot-2016-10-20-at-14-45-09

Photon, which is a container host, and the new announcement of Kubernetes as a services were the two last areas covered.

screen-shot-2016-10-20-at-14-59-15

If you missed the keynote sessions you can watch them here.

Many features and roadmap related things presented during the keynotes have two things in common apart from new releases and that is mobility & security for users and applications in the cloud(s). When building cloud services based on VMware technology it’s a must to fully understand NSX from an architect and technical perspective to be successful in this area.

Solutions exchange

I did not spend as much time as i wanted in the Solutions exchange talking to vendors but i had a chance to talk to a few at least. As mentioned in yesterdays summary i wanted to spend some time at the Rubrik booth and i had a walkthrough of their product by Chris Wahl. Apparently i asked the wrong question when looking for differences between traditional backup vendors compared to Rubrik  🙂
I was already familiar with the differences in setup, management and to certain extent Rubriks architecture. What i actually meant was the technical differences when accessing the vSphere environment and performing the snapshots and transferring the data to their solution. CBT and streaming the data to all Rubrik nodes available in the Rubrik environment is the approached used meaning CBT is not the answer to my question. It was more about how data is transfered to Rubrik and how data will be transfered in next release. That improvement will make the solution even faster. Really good information provided by Chris (as expected) so thanks for your time.

Breakout sessions

Today i attended two breakout sessions INF8856 & INF8430. Must say both of them were really good.

INF8856

This session was about vSphere encryption including both VM encryption and vMotion encryption.

VM Encryption

So form vSphere 6.5 you’ll have to opportunity to encrypt your VMs and this is a good extra protection against someone downloading the VM VMDK files and walks out the door with them. Well that can still happen but now you can’t use the VMDK:)

The feature is VM agnostic meaning it does not matter what guest OS is running in the VM, what datastore (backed by NFS, iSCSI or FC) the VM runs out of or what HW version is used. It encrypts both the VMDK files and the VM files meaning vmx files, snapshot files, memory files and so on. You can decide if you want everything to be encrypted, just the VMDK file(s) or just the VM related files.

A VM encrypted VM can only do encrypted vMotions and the following vSphere features are not supported with VM encryption:

  • VM suspend and resume operations
  • VMs with existing snapshots cannot be enabled for VM encryption
  • vSphere replication
  • Content library
  • Parallel and Serial port

VM encryption leverage AES-NI and the encryption algorithm is XTS-AES-256. The encryption takes place after the I/O leaves the VM and end up in ESXi VMkernel (Encryption Module) but before the IO is sent to the datastore. It requires a key management server (KMS) solution supporting KMIP 1.1. Make sure the KMS is highly available. The vCenter Server will not store the actual keys and there is no access to the encryption keys by the guest.

During a VM power on operation the vCenter Server will request the key required to encrypt and decrypt the VM from the KMS server and then push it out to all ESXi hosts in the vSphere cluster where the VM is running. This will make sure any ESXi host can run the VM after a vMotion (Manual or DRS initiated) or HA event.

Recommendations:

  • The vCenter Server will have crypthographer permissions included in the vCenter Server Administrator role. Use that role even more carefully in the future based on this.
  • Do not encrypt your vCenter Server and external Platform Service Controller VM(s) since vCenter Server is responsible for distributing the keys during VM power on operations.
  • When running a backup and restore solution that using a HotAdd backup proxy VM, Make sure that VM is encrypted. If not, encrypted disks cannot be mounted to the Proxy VM.

The keys are loaded into the ESXi host memory but should not be included or not in human readable format when you perform a ESXi host core dump. VMware did not present any performance implication figures, only said it uses an efficient CPU level encryption. Guess time will tell about potential performance implications.

Encrypted vMotion

You can select to perform an encrypted vMotion operation meaning the memory sent between the two ESXi hosts during a VM operation is no longer sent in clear text. This is a per VM configuration where the following alternatives are available:

  • Required – Must use
  • Opportunistic – Use when possible.
  • Disabled – Do not use

When a vMotion operation is initiated the vCenter Server create a migration specification which is sent to the source and destination ESXi hosts. Included in the migration specification is the encryption key which is a one time 256 bits key per vMotion operation. A figure presenting a small drop in performance during the switch over was presented but i guess it won’t have any real world implications unless you try to migrate really large VM(s).

INF8430

The main purpose of this session was to present a way to architect high consistent performance and not focusing on the highest performance at any given time. It also provided some troubleshooting tips in the networking section.

The session started with an description of NUMA and what implications you might experience with remote memory access meaning a VM running on a specific ESXi host runs on a physical CPU0  but accesses memory attached to CPU1.
In this case you’ll not have the best performance. Also covered the different caches in the CPU where the L1 and L2 caches are tied to a core but the LLC is shared among all cores in the CPU.

Next was memory description and what happens form a performance perspective when you use one or more memory banks, what happens when using N or N-X slots in a memory bank. different number of memory banks and also what happens when using different DIMM sizes as well

Last section covered network and make sure you design with NICs supporting the features you need and that the features are activated/loaded in the ESXi driver.

 Other

Day ended with the VMworld party but only for 30 minutes because then it was time to head out to Camp Nou to catch the Champions League game between Barcelona and Manchester City.

barca1

It was a pleasure to watch all these world class players live even though Barcelona were way better than Manchester City today.

barca2

Tomorrow is last day of VMworld.