My Diagram Secrets Exposed!
Yes, I’m still alive!
It’s been like what, six months now without blogging?! Now that’s something not cool and I really need to do something about it. The thing is, I’ve been involved in a lot of cool stuff internally at VMware and a lot more projects that I’ve learned so much from. It will all come back and reflect on my future blog posts in a way or another, so I can’t really complain!
But I’m not here to talk about that. I’ve just come across something really cool and I wanted to share it with you right away.
Out of the blue, while I was doing some geeky stuff with WAMP, ColdFusion and the vCloud PHP APIs, I received a pingback from another blog with a post titled: “Drawing Network Diagrams like Hany Michael”
What!! Are you kidding me?!! Am I really that famous!!
Ok, jokes aside. The blog post is so insightful that I really liked it a lot. I wouldn’t necessarily call them “Rules” as the author does, but I agree with the vast majority of them. For example, in rule number 3 I personally think that the “right-angle” lines are ugly in 99% of the cases, but everything has a use case. I just haven’t come across that one yet.
Anyways, I highly recommend reading that article and don’t forget to grab the .VSS stencils file provided by the author. As a matter of fact, I’ve learned a new trick from the “Cloud” shape! I just enhanced it a bit to look like that:

P.S. thank you Jake, you just made my day
Integrating VMware vCloud Director with vShield Edge and vShield App
Until a very recent date, I was not quite sure whether this is possible or not. In fact, whenever I was asked if vCloud Director can work with the fully licensed vShield Edge/App or not, I thought the safest answer would be No! After doing some research internally at VMware, I found a great presentation talking about this specific subject. And after viewing this preso at least twice, I was still not quite sure how it can be set up or configured for that matter. At least I was sure that it can be achieved!
I did some trial and error experiments in my lab until I reached some good results that I thought I’d share with you through this blog post. So, with all that being said, I’d highly recommend trying this in your lab thoroughly before applying it in production. To the best of my knowledge, everything you will see here is supported; however, you have to use it with caution.
A high level overview.
I won’t go into the detailed benefits of vShield Edge/App and how they are two solid networking and security solutions. I just want to give you a glimpse on what you can achieve/expect from integrating them with vCloud Director:
- By adding the Load Balancing functionality of Edge, you can have simple (yet very powerful) load balancing for web applications in your cloud. The LB is currently limited to HTTP but you can expect more protocols to show up in future releases (hey, don’t quote me on that). I will show you in detail how to configure this in vCD/vSE later in the post.
- By adding the VPN functionality of Edge, you can do things like site-to-site VPN tunneling using IPsec. I will have a detailed blog post on this interesting subject soon.
- Adding the vShield App functionalities will give you other great tools like traffic visibility that you won’t normally have in this sophisticated inter-VM networking. Think of it like NetFlow but with new ways to reach very deep levels of Org/vApp networks. You can also do some application level firewalling or even apply it at the vCD External Networks level to enforce some global security policies across all of your tenants. (I will talk about that as well in detail in future posts).
First thing first. Licensing.
Before you can test anything here, you must have the appropriate licenses for vShield Manager. Remember, I’m referring here explicitly to the Edge and App (Endpoint is out of my scope here). You will need to get your licenses and apply them first in vCenter Server. This can be done like any other vSphere licenses. You have to note though that these licenses can be applied only after you associate your vCenter Server with the vCloud Director.
Preparing vShield Manager.
After applying the required licenses, you need to go to your vSM web portal and login with your user/pass (admin/default). Once you are there, click on Setting & Reports on the left panel, and then press on the Register button on the right side to register your vSM as an extension in vCenter Server. (Screenshot below)

After registering the vSM extension in vCenter, you will find a new icon in the “Solutions and Applications” tab. In addition to that, and in fact what interests us here, you will find two new tabs called “vShield Edge” and “vShield App” as shown in the screenshot below.

Installing and configuring vShield App
Although you can see the “vShield App” tab present in vCenter, you won’t be able to use anything there until you install the vShield Zones component in vSM. You do that by returning to the vSM web portal (or now in the vCenter Solutions and Applications section), and selecting your ESX hosts that are present in the “Datacenter” list. On the right side, you will find the link to install the vShield App on the designated host. The setup is pretty straightforward, you just need to enter the IP settings and choose the appropriate datastore and network for storing/managing the appliance. (screenshot below).

Now to the real fun!
Okay, so now that we’ve taken care of all these prerequisites to license and install the Edge/App components, it’s time to put them in action. I’ve tried to continue using screenshots for the procedures, but I found that really hard. I compiled instead this video (kind of quick and dirty) to make it easier and better to follow.

You can right-click on the image to save the high-resolution video. You can also view the video on YouTube or Vimeo.
And this is a quick illustration showing the setup in the video. We have an Organization called “ITDev” with an organization network which we created under the name “OrgNet-ITDev-Routed_LB”. This OrgNet is routed to an external network with the subnet 172.30.0.0/23.

Important notes
These are some of the notes that I’ve taken throughout the process of testing this integration:
- It is very important to note that you should *NOT* mess with the Firewall and NAT tabs of the vSphere/vShield Edge panels. Anything you can do inside vCloud Director, keep it there. The moment you start to mix things with each other, you will end up with a huge mess, and probably a broken configuration. Remember, the only objective of this post is to empower your cloud with added features that are not currently there in the vCD GUI. We are not trying here to replace the vCD portal with the vSphere Client!
- Make sure you have Adobe Flash Player installed and configured properly with your IE browser. I used here a remote lab to test and configure all that, and while in my initial phase, I had quite a hard time working with the vShield Edge screens. Nothing seemed to work and things used to freeze. After a lot of looking here and there I figured out that Flash Player was not installed on IE (I use Firefox to access the vCD). Once the Flash Player was installed and configured with IE, everything worked just fine.
- I mentioned earlier that you need to associate your vCenter Server first with vCloud Director in order to be able to apply the vShield licenses. Make sure also after that to apply the full licenses of Edge in vCenter as it might still be using the basic vSE licensed features.
- DNS, DNS, DNS and D.N.S.
That’s all folks. I will come back with more posts on this subject when I have the time to touch on the vShield App use cases, as well as the VPN features inside vCD.
Changing/Renewing your SSL certificates on vCloud Director Cells
I was working on my vCloud Director lab the other day when I noticed that my SSL certificates had expired. I was actually using the same certificates that I generated back in the old beta days.
Although there is no way to renew these SSL certificates from the vCD GUI, the process is fairly easy using the command line. Here are the steps I’ve taken to renew the certs on my lab:

1) First, you need to stop the vCD cell service. The command for that, run as root, is “service vmware-vcd stop”.
2) Next, you need to run the configuration script once again. The command is “/opt/vmware/cloud-director/bin/configure”
3) Once the script starts, it will ask you for the SSL certificate. You have to identify the name of the keystore file and then enter the required passwords.
4) Answer yes when the script asks whether you want to start the vCD service again, and you are done.
The easiest way to check on your new certificate renewal is to fire up your web browser and go to the vCD portal. Once there, you should get the security warning asking you to accept the new cert. In my case this is how the new cert looked:

It’s important to note here that you need to apply the same changes on all your cells if you are running a multi-cell vCD setup. You may also have noticed that this certificate change requires a minor downtime, so you have to plan for that as well.
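To confirm that the renewal actually landed on every cell of a multi-cell setup, here is an added check (not part of the original post) that pulls the certificate each cell serves with the openssl CLI (assumed installed), flags expired or soon-to-expire certs, and warns when the cells present different certificates. The cell hostnames are constructed placeholders.

```python
"""Verify a vCD certificate renewal across every cell (added example, not
from the original post; openssl CLI assumed installed, cell names constructed)."""
import ssl
import subprocess
from datetime import datetime, timezone

CELLS = ["vcd-cell1.lab.local", "vcd-cell2.lab.local"]  # constructed names
WARN_DAYS = 30

def fetch_cert_summary(host, port=443):
    """Return openssl's '-enddate -fingerprint' text for the cert served at host:port."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15)
    summary = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-fingerprint", "-sha256"],
        input=client.stdout, capture_output=True, timeout=15, check=True)
    return summary.stdout.decode()

def parse_summary(text):
    """Parse the 'notAfter=...' and '... Fingerprint=...' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "notAfter":
            # openssl prints e.g. 'Jun  5 12:00:00 2025 GMT', which is the
            # format ssl.cert_time_to_seconds understands.
            fields["not_after"] = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(value.strip()), tz=timezone.utc)
        elif key.strip().endswith("Fingerprint"):
            fields["fingerprint"] = value.strip()
    return fields

def audit(summaries, now=None, warn_days=WARN_DAYS):
    """summaries maps cell -> parsed dict. Returns findings; an empty list is OK."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cell, info in summaries.items():
        days_left = (info["not_after"] - now).days
        if days_left < 0:
            findings.append(f"{cell}: certificate expired {-days_left} days ago")
        elif days_left < warn_days:
            findings.append(f"{cell}: certificate expires in {days_left} days")
    # After a renewal every cell must serve the same certificate.
    if len({info["fingerprint"] for info in summaries.values()}) > 1:
        findings.append("cells serve different certificates; renewal is incomplete")
    return findings

if __name__ == "__main__":
    results = {cell: parse_summary(fetch_cert_summary(cell)) for cell in CELLS}
    for finding in audit(results) or ["all cells OK"]:
        print(finding)
```

Run it once before and once after the renewal on each cell: a mismatch in fingerprints means one cell is still serving the old keystore.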
The mysterious required DNS field in the vCloud Director OrgNet
What a title!
While playing with VMware vCloud Director during the beta phase, I came across some interesting points that I documented in my OneNote. One of these points that always confused me is the required DNS field when you create a new Organization Network. Have a look at the screenshot below.

If you look at it from a “Private Cloud” perspective, it makes perfect sense to have this field as a requirement. Why? Because your cloud admin will be more or less involved in the infrastructure services. As I always like to say, the cloud admin doesn’t live on his own island isolated from everything else in the enterprise.
Now, if you look at the same thing from a “Public Cloud” perspective, this can make you scratch your head. Why would the service provider be involved in the internal services of an organization like DNS? How can an SP even know the IP address of the DNS for an Org that is just getting its cloud up and running? Furthermore, what if the Organization wants to change this IP for any reason in the future?
I researched our internal mailing lists on this point, and I did find that one of my colleagues brought this topic up. The response was simple: this is a small bug that will be fixed in a future update of vCD.
Advanced Guide: VMware vCloud Director in a Box (works on 4GB Laptops)
I’ve been getting good feedback since I published my first guide for running vCD on a laptop. The only problem was the requirement for 8GB of memory to run all the VMs required by vCD. Since then, I’ve been asked by a lot of people (colleagues, readers and even a customer) if it’s possible to have the same setup on a 4GB laptop, and the answer is: Yes, absolutely.
I was actually spoiled with my 8GB Laptop from VMware when I published my first guide, and I didn’t realize that many of us still use 4GB or even 2GB memory on their machines. With that said, I rethought the whole thing and came up with a slim (yet very powerful) setup to do a vCD lab on your laptops/desktops. So, without further ado let’s get started!
Assumptions
I’m assuming here that you are comfortable dealing with Linux. This is not an expert guide, but it’s not a beginner one either. I assume that you know how to install Linux and work with it at an intermediate level. I won’t be as thorough as I was in the first guide, and I won’t be publishing videos or screenshots. I will try to keep the balance between having a simple/short post yet without compromising the overall understanding of how things are done. If for any reason I failed to do that in any part, you can always drop a comment or send me an email to expand on it.

CentOS For The Win!
So, the first thing you will need is to get the CentOS 64bit ISO and burn it to a DVD. After that, and depending on the base OS on your machine, you will need to have a separate partition for running CentOS as a bare metal operating system.
In my case, I have Windows 7 64bit running on an 80GB SSD drive, and a secondary 500GB one running in the CD-ROM bay. In W7 you can shrink your current partition on the fly without messing with your filesystem. You just need to right-click on it, and then press Shrink. It’s recommended to defrag your OS first before doing that to keep things at best performance and also to guarantee the maximum space you can achieve after shrinking.

As you see in the screenshot above, I’ve shrunk the SSD drive to free up 12GB of space on it. I will use this for storing the VM files and consequently have the best performance for them. Depending on your setup, you can instead use this partition for your base Linux OS. For me I thought the VMs will need the performance rather than the base CentOS, especially since the latter is running natively on the laptop hardware.
Next, I freed up 30GB from the 500GB drive to use for the CentOS base OS. The boot partition will be created automatically for you during the CentOS installation.
When you reach the Boot part of the Linux installation, make sure to choose Windows 7 as your default boot rather than Linux to avoid the hassle of accidentally booting into Linux when you power on the laptop for normal day-to-day use.
Installing VMware Workstation 7.1 for Linux
Now that you’ve installed Linux on your laptop, we will first need to install VMware Workstation 7.1. Fairly easy step: download and run the package to get the GUI installation wizard. After finishing this step, Workstation will create two virtual interfaces, one of which is the “Host-only” interface which we are interested in. We’ll come to that point in a bit.
Installing Oracle DB on CentOS
Thanks to Duncan Epping for the tip, installing Oracle on Linux has never been easier. You just need to download Oracle Express, install the RPM and you are done. It’s just as simple as this. Just make sure you follow the instructions on the screen as there is a command you need to run as root.
Preparing CentOS for running vCD
As you know, vCD requires two Ethernet interfaces in the installation. Since you are running this system on a laptop, you are actually limited to only one LAN interface (and probably the wireless won’t work or needs a lot of configuration). We have two cool options here:
- Create a sub-interface in Linux. This option makes sense if your Laptop/Desktop is hooked up to a network all the time.
- Use the Host-only virtual interface created by Workstation. I’m more in favor of this option as it allows me to run vCD while on the road. In fact, this is the whole idea of having this setup running on my laptop.
For option number two, we will use the physical Ethernet interface on the laptop for the HTTP Proxy, and the Host-only virtual interface for the Remote console proxy (connected back to vCenter).
Next, we need to have a working DNS on our Linux. Bind is the perfect solution here; just google something like “configuring bind on centos” for a detailed guide. After you have it up and running, make sure to put in the DNS entries for vCD, vCenter, vSM and ESX. It’s very important to have a working DNS service in your environment to avoid a lot of problems later on. If you don’t feel comfortable with Bind on Linux, you can install a DNS service on the vCenter VM later on, but I recommend having all your services on your base CentOS operating system to save memory and keep things clean and simple.
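Since a broken DNS entry is the usual cause of the "lot of problems later on", here is an added check (not part of the original post) that verifies both the forward record and the reverse (PTR) record for each lab host before you start attaching vCenter and vSM to vCD. The hostnames and addresses are constructed placeholders for the Host-only network; the resolver functions are parameters so the logic can also be exercised without a live DNS server.

```python
"""Check the forward and reverse DNS records the vCD lab relies on.

Added example, not from the original post. Hostnames and addresses below are
constructed placeholders for the Workstation Host-only network; replace them
with your own entries for vCD, vCenter, vSM and ESX."""
import socket

EXPECTED = {  # constructed: hostname -> IP on the Host-only network
    "vcd.lab.local": "192.168.100.10",
    "vcenter.lab.local": "192.168.100.20",
    "vsm.lab.local": "192.168.100.30",
    "esx.lab.local": "192.168.100.40",
}

def reverse_lookup(ip):
    """Default PTR lookup using the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def check_dns(expected, forward=socket.gethostbyname, reverse=reverse_lookup):
    """Return {hostname: problem} for every record that is missing, points to
    the wrong address, or whose PTR record does not map back to the name.
    forward/reverse are injectable so the logic can run without a resolver."""
    problems = {}
    for name, ip in expected.items():
        try:
            got = forward(name)
        except OSError as exc:  # gaierror/herror are OSError subclasses
            problems[name] = f"forward lookup failed: {exc}"
            continue
        if got != ip:
            problems[name] = f"forward lookup returned {got}, expected {ip}"
            continue
        try:
            back = reverse(ip)
        except OSError as exc:
            problems[name] = f"reverse lookup of {ip} failed: {exc}"
            continue
        if back.rstrip(".").lower() != name.lower():
            problems[name] = f"reverse lookup of {ip} returned {back}, expected {name}"
    return problems

if __name__ == "__main__":
    for host, problem in check_dns(EXPECTED).items():
        print(f"{host}: {problem}")
    print("DNS check finished")
```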
Installing vCD on CentOS
Now it’s time to install vCD on our base Linux system. You can check out my video guide for that, but a couple of notes here:
- Make sure that you choose the Host-only virtual interface for the Console Proxy.
- In the DB configuration, put “xe” as the database name.
Creating a Workstation Team for Installing vCenter and ESX
Did you notice that up to this point we have not created one single VM? Well, now it’s time. You have to install two VMs here, the first for the vCenter Server on Windows 2003 64bit, and the second for ESXi 4.1. Make sure you configure the networking on both VMs on the Host-only network and set static IPs from that subnet. Needless to say, they must match the DNS entries you created earlier. The last thing needed here is to import the vSM into your ESXi as a nested VM and you are done.
Alright, so now that we have everything in place (with only 2 VMs in Workstation and a nested VM in ESX) we will need to fire up our browser in CentOS and point it to the vCD portal. Once there, you will need to finish the initial configuration (licensing and system id name), and then attach the vCenter Server + vSM to your vCD. Once this is done, you can power off your vSM and leave it as it is until you come later on to the point where you need to do your cloud networking (e.g. create network pools).
Congrats! you now have a fully working vCD setup on your laptop with 4GB memory. In fact, you can theoretically have 2GB only and work fine if you keep all your VMs down just to show the vCD interface to your customers. That’s right, you don’t need vCenter or ESX in order to login to your vCD portal and browse through it. I found this very handy when sitting with a customer who just wanted to have the look and feel of this “vCloud thing” as per his words!
Do you have an 8GB laptop? GO WILD!
So now that we’ve seen how you can run all that on 4GB, what if you actually have 8GB memory? Here are some ideas:
- Configure NFS on your CentOS and use it as a shared storage!
- Create and install another ESX VM and use the NFS as a shared storage.
- Create and install a CentOS VM to run a second vCD Cell and test how a two-cell environment works!
- Create and install a second vCenter Server VM and attach it to your vCD.
Have fun!
