VMworld 2017: Predictive DRS Best Practices

Session: SER2849BU

Case 1: VM performance can suffer due to resource constraints or demand surges

Case 2: Inefficient usage of resources due to reserving capacity for peak loads.

Options:
-Move VMs after contention occurs
-Statically reserve more resources
-Learn the workload pattern and move VMs before they spike

What is the best solution? Predictive DRS

What is Predictive DRS?
-DRS with predictions enabled
-DRS scheduling + vROps analytics

How does it work?
-Resource usage from vCenter
-vROps consumes the data
-Predictions are made
-DRS invoked to perform optimizations

vROps Dynamic Thresholds (DT)
-Sophisticated analytics – 10 algorithms
-Learns normal behavior
-Detects hourly, daily, monthly patterns
-Generates upper and lower dynamic thresholds
-Predictions are then sent to vCenter

Software Requirements
-vSphere 6.5 Enterprise Plus
-vROps 6.4 or 6.5
-Clock skew between vCenter and vROps must be under 5 minutes

Speaker shows a demo of a ‘follow the sun’ scenario with workloads spiking at different times on a regular pattern. pDRS learned the pattern and vMotioned VMs to make sure they had enough resources. He shows a performance graph where pDRS headed off the performance issues, resulting in consistent VM performance.

DPM with Predictions
Speaker asks audience to raise hands if anyone is using DPM. Two people raise their hands.
-Predictions can proactively power up ESXi hosts to absorb the workload demand

-Workloads it can predict: Periodic usage pattern
-Short spikes of a few minutes will not be predicted
-The more consistent the workload, the more accurate it will be

Learning Period
-Set to 14 days by default
-The longer the period, the better the accuracy
-Predictions only happen after 14 days

-Compute dynamic thresholds – Calculated once a day, or push a button to force a new calculation.
-Lookahead interval – Amount of time DRS looks ahead while accounting for predictions – default is 1 hour

Identify vMotions due to Predictions
-No clear answer, as there can be a mix of VMs with predictions and those without
-Prediction-driven pDRS moves can only be identified in the logs
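As an added illustration (not VMware code, and not the ten algorithms vROps actually uses), the model below learns one per-hour-of-day band from 14 days of constructed 5-minute samples, then uses the upper threshold for the next hour, the lookahead interval, to decide which VM to move before a host runs out of capacity. It also shows the two caveats from the session: no predictions until 14 days of history exist, and a single short spike never becomes a learned pattern. Host capacity, VM names and all sample data are assumptions.

```python
"""Simplified model of prediction-driven DRS placement (added example).

vROps Dynamic Thresholds combine ten analytics algorithms; this stand-in
learns a single per-hour-of-day baseline (mean +/- 2 standard deviations)
from a 14-day history. Capacity, VM names and samples are constructed.
"""
from statistics import mean, pstdev

LEARNING_DAYS = 14      # predictions only start after the learning period
LOOKAHEAD_HOURS = 1     # default lookahead interval from the session
K = 2.0                 # width of the dynamic threshold band


def learn_thresholds(samples):
    """samples: iterable of (day, hour, minute, mhz) at 5-minute granularity.
    Returns {hour: (lower, upper)} or None while still inside the learning period."""
    days = {s[0] for s in samples}
    if len(days) < LEARNING_DAYS:
        return None
    by_hour = {}
    for _, hour, _, mhz in samples:
        by_hour.setdefault(hour, []).append(mhz)
    thresholds = {}
    for hour, values in by_hour.items():
        m, sd = mean(values), pstdev(values)
        thresholds[hour] = (max(0.0, m - K * sd), m + K * sd)
    return thresholds


def predicted_demand(vm, hour):
    """Upper dynamic threshold for the slot, or current usage for a VM that
    has no prediction yet (a mixed cluster, as the session notes)."""
    thresholds, current_mhz = vm
    if thresholds is None:
        return current_mhz
    return thresholds[hour][1]


def plan_moves(now_hour, host_capacity_mhz, vms):
    """vms: {name: (thresholds_or_None, current_mhz)} on one host.
    Returns [(vm_name, hour)] moves that keep the host under capacity for
    every hour in the lookahead window, before the demand materialises."""
    moves = []
    remaining = dict(vms)
    for step in range(1, LOOKAHEAD_HOURS + 1):
        hour = (now_hour + step) % 24
        load = sum(predicted_demand(v, hour) for v in remaining.values())
        while load > host_capacity_mhz and remaining:
            # greedy: evacuate the VM predicted to be heaviest in that slot
            heaviest = max(remaining, key=lambda n: predicted_demand(remaining[n], hour))
            load -= predicted_demand(remaining[heaviest], hour)
            moves.append((heaviest, hour))
            del remaining[heaviest]
    return moves


def make_history(days, base=1000, daily_spike=None, one_off=None):
    """Constructed 5-minute CPU samples for one VM.
    daily_spike=(hour, minutes, mhz) repeats every day (a learnable pattern);
    one_off=(day, hour, minute, mhz) is a single 5-minute spike."""
    out = []
    for day in range(days):
        for hour in range(24):
            for minute in range(0, 60, 5):
                mhz = base
                if daily_spike and hour == daily_spike[0] and minute < daily_spike[1]:
                    mhz = daily_spike[2]
                if one_off and (day, hour, minute) == one_off[:3]:
                    mhz = one_off[3]
                out.append((day, hour, minute, mhz))
    return out


if __name__ == "__main__":
    web = learn_thresholds(make_history(14, daily_spike=(9, 30, 4000)))
    batch = learn_thresholds(make_history(14, one_off=(3, 14, 10, 4000)))
    new_vm = learn_thresholds(make_history(7))       # still learning -> None
    cluster = {"web": (web, 1000), "batch": (batch, 1000), "new": (new_vm, 800)}
    print(plan_moves(8, 5000, cluster))    # web is moved before its 09:00 spike
    print(plan_moves(13, 5000, cluster))   # the one-off spike never became a pattern
```

The 14-day guard and the per-hour bucketing are what make the two caveats fall out: a VM with a week of history contributes only its current usage, and a lone 5-minute burst is diluted across 168 samples in its slot, so its upper threshold barely moves.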


VMworld 2017: Day 2 Keynote

Pat Gelsinger walks on stage and welcomes Michael Dell to the stage. Pat and Michael are doing a prepared Q&A.

First question is regarding lackluster support, such as quality of people and hold times. Pat says he is disappointed to hear such feedback, as he thinks they have good NPS scores. But Pat said they are very focused, and will have some internal follow-up. VMware is also introducing Skyline, and proactive support. They want to be your best technology partner.

Second question is about AI, future topics, machine learning. Michael says we are in the most exciting times in human history. Cost of making something intelligent is almost zero. It’s game on! An enormous amount of data created from IoT is amazing. They overlay interesting computer science on top of this data, and the possibilities are endless. Dell thinks a lot about data and AI. Dell is seeing lots of new use cases. If you are not thinking about how you will be using this new data, you are doing it wrong. Pat speaks up and says that in 1984 he was architecting the 486 and thinking about how it could be used for AI back then. But real AI wasn’t possible until the scale of compute and storage we have today. Michael says there is a coming boom in edge data, and new requirements in how you deal with that data.

Next question is in the area of SMB, and “don’t forget about us.” Michael says most new jobs are created in small and medium size businesses. Dell has added tens of thousands of new small and medium customers. Dell is reimagining their products to support the SMB. Pat states they have 500,000 customers and most of them are SMBs. Pat commits to make sure SMB is kept in mind.

Next question is about ecosystem, HCI, and breadth of partnerships. Michael says he is committed to a thriving ecosystem, and it is a key part of VMware’s success. He says the partner ecosystem is as strong as ever. Amazing things going on with NSX. VMworld has 400+ partners here. Pat says he’s not so excited about some of the partnerships.

Synergy. Creating value together. How are Dell and VMware innovating together? Michael says cross-selling and a deep level of technical integration between their stacks, while retaining an open ecosystem. Pat also states strong synergy, like VxRail. Michael says customers have lots of innovation around containers and new applications.

CEO of Pivotal (Rob) comes on stage.

Pivotal says they are now working with world-class companies, and are in use at 50% of the Fortune 500. Michael says all customers are facing similar challenges, such as finding new value in their apps. Rob says customers have thousands of legacy applications. Pivotal has been working with containers for a very long time. Pivotal Container Service (PKS, with a K) is a new offering! It uses Google Cloud Engine, NSX, and comes out of the box with full Kubernetes integration. Sam from Google Cloud comes on stage. Sam says containers are coming at warp speed. Google has taken 10 years of container orchestration and knows how to run billions of containers. They’ve poured that into Kubernetes and GKE (Google Kubernetes Engine). Sam says customers want to run compute wherever they want. PKS is built on Cloud Foundry. Michael says customers wanted partnership and integration.

VMware CTO Ray O’Farrell comes on stage. Ray says many of the new services are delivered as SaaS. They are also aiming at developers to help make your company unique. Ray will now do demos of a variety of VMware products. Ray plays a video about a fictitious company to help illustrate problems that companies face today. They then run through a few VMware products and how they solve the customer problems. They give a demo of AppDefense and various other products.

VMworld 2017: What’s new in vSphere

Session: SER2342BU Mike Adams

vSphere 6.5 Updates:

Simplified experience – One appliance, modern APIs, simplified architecture

Built-in security – Secure data, secure infrastructure, secure access, better logging, trusted boot chain

Universal app platform – Any application, anywhere, VMware core technology

Proactive data center mgt – Predictive DRS, proactive HA, integration of vSphere & vROPS

–vSphere 6.5 upgrade path finder (google it)

vSphere 6.5 U1

HTML5 client now has ~90% of the functionality
vCenter Server Foundation now supports 4 hosts
vSphere 6.0 U3 to vSphere 6.5 U1 upgrade path supported
Product tested for over 8 months
vSphere 6.5 support is now 5 years (Nov 21, 2021)

New Areas for vSphere
vSphere Scale-Out – PnP approach for big data and HPC – different license
EULA restricts which workloads may run on it – HPC and big data only
Trying out a ‘basic’ edition in China for two quarters – reduced feature set

vSphere Tech Preview and Highlights
Hybrid linked mode across multiple clouds – Mixed version support, data sharing, cross-cloud deployments
ESXi Upgrade without a reboot – Hot upgrading of ESXi version
NVMe support
NVM – tech preview
QAT – Intel QuickAssist Technology – roadmap – compression and encryption acceleration
FPGA – roadmap

VMware Cloud on AWS
vSphere, vSAN, and NSX plus vCenter
Consumption model is host level – minimum 4 hosts up to 16 per cluster
Take ~2 hours to deploy
Add a new host in under 10 minutes
DRS can proactively add a new host to load balance
1-yr commitment is 30% less than on-demand, and 3-yr is 50% less than on-demand
15-20% more than regular public cloud costs
Cloud is on a quarterly update schedule and will trickle down to on-site installs
Direct connect is optional

VMware AppDefense

Capture, detect, respond
NSX is not required, but AppDefense is better with it

Bits and Bytes

vSphere 5.0 and 5.1 EOS was 8/24/2016
vSphere 5.5 EOS is 9/9/2018
vCenter on Windows going away after the next major version
Flex client (Flash) will not be offered after the next major version


VMworld 2017: Storage at memory speed

Session: FUT3040BU, Richard Brunner

Application speed depends on storage and database access latency. A key component is local storage latency, and nothing can compete with DRAM.

What if you can move storage closer to the processing? You can with byte-addressable persistent memory (PMEM)

Future vSphere will bring PMEM support using virtualized NVDIMM device

What is PMEM? Few hundred nanoseconds latency; byte-level access; regular non-privileged access; load/store CPU instructions

Updating storage at a finer grain level – read/modify/write latency is vastly less than block-storage

Uses: fast-caching layer; database logs; etc.

With future vSphere release – no VM driver needed. Guest storage is directly mapped to PMEM transparently.

PMEM is vMotion and FT compatible

DIMM size can range from 8 GiB to hundreds of GiB

PMEM Tech: 3D XPoint; HPE DIMMs; HybriDIMM

All PMEM solutions need a way of ensuring that the last set of updates have ‘made it’ to the persistent media

Server hardware, firmware, and software support

VMware Implementation of PMEM

Concept: Virtualize and manage NVDIMMs; accelerate legacy and modified applications; virtual disks stored on PMEM; byte-addressable virtual hardware

Two access methods: vSCSI with VMDK; vNVDIMM with modern OS (WS2016)

FT will be compatible with vNVDIMM for high availability

vCenter & DRS will support PMEM and manage it at a cluster level

Maintenance mode also migrates powered-off VMs and moves their PMEM data off the host

New VM creation workflow will have a PMEM storage option

Add new device will now have a NVDIMM option – up to 64 per VM

Storage migration will also support NVDIMM

Modes of operation:

NVMe SSD – Requires emulation and multiple layers to access device – slowest mode

vPMEMDISK – No storage stack needed and faster performance

vNVDIMM – only a filesystem needed – very fast

vNVDIMM DAX – (Direct access mode) directly maps blocks into the application (fastest)

DAX mode – 35 GB of persistent data written in a second (512 KB random writes)
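As an added example (not VMware code), the following shows the one thing the session says every PMEM solution must get right: making sure the last stores reached the persistent media, and being able to tell on restart whether they did. It stores records directly into a memory map with ordinary byte-level writes, as a DAX-mapped application would, and uses mmap.flush() (msync) as the persistence barrier where a real DAX application would issue CLWB and SFENCE. The record format, the file path and the simulated crash are assumptions.

```python
"""Byte-addressable persistence with explicit flush barriers (added example).

A DAX mapping lets an application store straight into persistent memory;
the only extra duty is ordering: the payload must be durable before the
header that commits it, and a reader must be able to spot a torn record.
mmap.flush() stands in for CLWB+SFENCE here. Format and path are invented.
"""
import mmap
import os
import struct
import tempfile
import zlib

HEADER = struct.Struct("<II")   # payload length, crc32 of payload


def open_log(path, size=1 << 20):
    """Map a (pre-sized, zero-filled) region; zero length means 'no record'."""
    with open(path, "a+b") as f:
        f.truncate(size)
    fd = os.open(path, os.O_RDWR)
    try:
        return mmap.mmap(fd, size)
    finally:
        os.close(fd)            # the mapping keeps its own reference


def append_record(m, offset, payload):
    """Write [len][crc][payload] at offset with two barriers; return next offset.
    Payload first, header last: a crash between the barriers leaves a header
    of zeros (no record), never a header that points at garbage."""
    hdr_end = offset + HEADER.size
    m[hdr_end:hdr_end + len(payload)] = payload
    m.flush()                   # barrier 1: payload has reached the media
    m[offset:hdr_end] = HEADER.pack(len(payload), zlib.crc32(payload))
    m.flush()                   # barrier 2: the commit point is durable
    return hdr_end + len(payload)


def read_records(m):
    """Replay the log, stopping at the first record whose crc does not match."""
    records, offset = [], 0
    while offset + HEADER.size <= len(m):
        length, crc = HEADER.unpack_from(m, offset)
        if length == 0:
            break               # end of log
        data = m[offset + HEADER.size:offset + HEADER.size + length]
        if len(data) != length or zlib.crc32(data) != crc:
            break               # torn tail: header present, payload incomplete
        records.append(bytes(data))
        offset += HEADER.size + length
    return records


def demo():
    """Two committed records, then a torn third, then a 'reboot' and replay."""
    path = os.path.join(tempfile.mkdtemp(), "pmem.log")   # assumed location
    m = open_log(path)
    off = append_record(m, 0, b"commit 1")
    off = append_record(m, off, b"commit 2")
    # Simulate a writer that skipped barrier 1: header stored, payload only
    # half present when power was lost.
    m[off:off + HEADER.size] = HEADER.pack(8, zlib.crc32(b"commit 3"))
    m[off + HEADER.size:off + HEADER.size + 4] = b"comm"
    m.flush()
    m.close()
    m = open_log(path)          # re-map the same persistent region after restart
    try:
        return read_records(m)
    finally:
        m.close()


if __name__ == "__main__":
    print(demo())               # only the two fully committed records survive
```

The read-modify-write granularity the session mentions is visible here: each record update touches only its own bytes, and the cost of durability is two barriers rather than rewriting a whole block.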

VMworld 2017: VMware Cloud on AWS: Storage

Session: STO1980BU, Ben Meadowcroft, Matt Amdur

Any Cloud, Any Application, Any Device

VMware Cloud on AWS

  • SDDC running on AWS bare-metal
  • Sold, operated and supported by VMware
  • Support for containers and VMs
  • Global AWS footprint and availability

Physical host config:

Based on i3p.16xlarge
2 sockets
8x 1.788 TB NVMe – hardware encryption with keys stored in AWS
36 cores per host
Raw capacity tier of 10TB per node
2 disk groups per host
No dedupe/compression
No vSAN encryption – uses HW encryption

Cluster config:
Cluster size of 4-16 nodes
Each cluster has 1 vCenter
vSAN now has 2 datastores – 1 for VMware only, 1 for customer only

Software upgrades of the cluster:
New host is provisioned and added to the cluster – so no HA capacity is lost
Software upgraded in a rolling fashion
After all software is upgraded, the ‘new’ host is removed
This is all done by VMware during customer scheduled maintenance windows

Cluster Failure remediation:
Host fails or problem identified
New host added to cluster (10 min)
Previous hosts evacuated from cluster
This process is all automated and transparent to the customer

Roadmap:
Increase effective capacity from 5.7 TB per host (w/ RAID-5 erasure coding)
Enable dedupe/compression
Stretched vSAN clustering for increased data resiliency
Provide stretched networking for customer workloads
Nested fault domains – RAID-1 across AZs, RAID-5 within an AZ
Disaster recovery on AWS

VM backup – VADP based backups
Disaster recovery – Third party VAIO-based DR
External storage access – In-guest access to cloud storage

VMworld 2017: App security with AppDefense and NSX

Session: SAI3237SU, Tom Corn, Sr. VP Security Products

Network exploitation is easier today because of the distributed nature of applications and their components: compromise one layer and you can move across boundaries through the holes that application traffic requires in firewalls. We need to shrink the attack surface: least privilege, with controls aligned to applications. Microsegmentation is least privilege at the network layer, and securing the network that way aligns security with applications. AppDefense adds a new notion of least-privilege compute. The underlying idea is ‘ensuring good’ vs. ‘chasing bad’.

AppDefense: Capture; Detect; Respond

Capture: Intended state and runtime state. The hypervisor can see what’s running and what’s provisioned. The intended-state engine hooks into vCenter, provisioning systems (Puppet, Chef, vRealize) and automation frameworks (Jenkins, Ansible, etc.). Machine learning then kicks in, using ESXi. This information is broken into a manifest for each VM and placed into a protected zone; a monitoring process also lives in the protected zone, so if something changes, AppDefense is aware. A library of incident responses (suspend, snapshot, block, alarm, quarantine, etc.) is included. Security teams get notified and can work with the application teams.

Security ecosystem: Palo Alto, IBM Security, Symantec, RSA, Carbon Black, Trend, SecureWorks, etc.

AppDefense Demo

Shows a 3-tier application (web server, app, SQL database). Shows the manifest file for the service tiers. The ‘security’ guy comes on stage to review the application prior to app deployment. Next a hacker comes on stage to break into the app.

Kill chain (3 attacks): Exploitation, Extraction, Exfiltration

The hacker shows a SQL injection attack that opens a reverse TCP connection to Metasploit. The resulting remote shell is a Windows CMD shell with admin rights. He then uses a PowerShell script to extract the data from SQL Server, and a Python script to exfiltrate it.

AppDefense has puppet integration, and crawls Puppet config. AppDefense now knows about all the app tiers, and configuration and pulls that in. It auto-discovers ports, protocols, and visually displays a map. AppDefense can also pull in reputation data from third parties. After 10 days of learning, 90 pre-verified behaviors are captured. Only one needs manual review. For the manual review you can click ‘send to owner’ and sends to an Android mobile phone app for approval. The app owner can then approve or reject from their phone.

Now that the verified scope is done, you can then put the app into protected mode. The hypervisor will now start monitoring behaviors. Gives you a choice of remediation options (block, alert, snapshot, power off, suspend, quarantine). Admin is presented with the short list of rules they can enable/disable or make automatic or manual.

Resumes hacking attempt

Shows that the injection attack on the login page no longer works: the outbound connection is blocked. Even if the attacker gets in by another method, when he launches his PowerShell script to extract the data it is stopped. The connection itself was a legitimate one (right destination and port), but the process making it was not the application, and AppDefense stops that.

Now they show the AppDefense console and the alarms triggered by the hacking attempts. AppDefense looks at the command line that launched the connection and verifies it is expected. For example, connecting to the DB on TCP 1433 is normally allowed, but AppDefense can see that PowerShell, not the app, was making the connection, and blocks it. Basic IP/port block/allow is not enough.

The hacker now looks inside the VM for the process that is blocking his actions. He then launches a script that injects custom code into the security process. The AppDefense response to the tampering is to take an action, in this case suspending the VM. The hacker was then booted out.
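The point the demo makes, that a port-based rule cannot tell PowerShell on TCP 1433 apart from the application on TCP 1433, can be shown with a small allow-list check that keys on the calling process as well as the destination. This is an added example, not AppDefense code: the per-VM manifest, the process and host names, the 203.0.113.5 address and the connection events are all constructed, modelled on the three-tier demo above.

```python
"""Process-aware allow-listing of connections, 'ensuring good' (added example).

The manifest is the intended state a learning period would capture: for
each VM, which process may open which destination/port. Events are the
runtime state. Everything here is constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt observed for a VM (constructed)."""
    vm: str
    process: str   # image name of the process that opened the socket
    dst: str
    port: int


# Intended state for a 3-tier app: (process, destination, port) per VM.
MANIFEST = {
    "web01": {("nginx", "app01", 8080)},
    "app01": {("app.exe", "db01", 1433)},
    "db01": set(),                      # the database makes no outbound calls
}


def port_only_verdict(conn, manifest):
    """What a conventional L3/L4 rule sees: destination and port only."""
    allowed = {(d, p) for _, d, p in manifest.get(conn.vm, ())}
    return "allow" if (conn.dst, conn.port) in allowed else "block"


def process_aware_verdict(conn, manifest):
    """Allow only if the same process the manifest recorded opens the flow."""
    rules = manifest.get(conn.vm, set())
    if (conn.process, conn.dst, conn.port) in rules:
        return "allow"
    if any((d, p) == (conn.dst, conn.port) for _, d, p in rules):
        return "block:unexpected_process"   # right port, wrong caller
    return "block:unknown_destination"


def evaluate(events, manifest):
    """Side-by-side verdicts: (vm, process, port-only, process-aware)."""
    return [
        (c.vm, c.process, port_only_verdict(c, manifest), process_aware_verdict(c, manifest))
        for c in events
    ]


# Constructed runtime events, in the order of the demo's kill chain.
EVENTS = [
    Conn("web01", "nginx", "app01", 8080),              # normal tier-to-tier
    Conn("app01", "app.exe", "db01", 1433),             # the app's own DB traffic
    Conn("app01", "powershell.exe", "db01", 1433),      # extraction step
    Conn("db01", "cmd.exe", "203.0.113.5", 4444),       # reverse shell after injection
]

if __name__ == "__main__":
    for row in evaluate(EVENTS, MANIFEST):
        print(row)
```

Row three is the whole argument: the port-only column says allow, the process-aware column says block, because the manifest never recorded PowerShell as a client of the database.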


VMworld 2017: Day 1 Keynote

Note: This week I’ll be live blogging from VMworld 2017. As always, this will be live, and so please excuse my typos and grammar issues.

Pat Gelsinger walks on stage. This is Pat’s 6th VMworld and he became CEO 5 years ago. Pat mentions the disaster in Houston and sends his prayers and thoughts.

Pat talks about science fiction now becoming fact. Quantum entanglement, Zika-resistant mosquitoes, self-driving cars, etc. Tech has left the nest. Tech is now restructuring entire industries. Digital media has now surpassed revenues for traditional media. Mentions RealPlayer and Winamp. Some industries are only 1/10 of the way to a digital transformation. 200 years ago 85% of families were involved in agriculture. Today it’s 1-2%. Today is about higher paying jobs and higher quality of life.

Fundamentally companies have to reshape themselves in the digital age. VMware vision: Any cloud, any application, any device. An ebb and flow between centralized computing and de-centralized computing (e.g. cloud moving to edge). Apps and IoT is exploding data. Pat mentions VMware Pulse IoT partnership in beta with Toyota and Fujitsu.

Apps are about unleashing your potential, on any device. Consumer simple but enterprise secure. Apps and identity; Management and security; Desktop and mobility. AirWatch manages iOS, Chromebooks, Android, Windows, etc. HP announces the partnership with VMware for Workspace ONE in HP’s managed services offering.

Sanjay Poonen comes on stage with a Capital One rep (Jennifer) to talk about EUC. Capital One bills themselves as a tech company that happens to also be a bank. They are an AirWatch and Workspace ONE customer. They want a consistent and unified experience, and they now have it. On the horizon: machine learning.

Back to Pat.

Private cloud – VMware has now virtualized the datacenter.

Today: A faster and simpler solution is needed. VMware Cloud Foundation with automated lifecycle management. V2.2 is now announced. Hyperconverged: vSAN has 10,000 customers. VMware vSphere 6.5 is mentioned.

Public cloud: VMware and AWS partnership. Welcomes the CEO (Andy Jassy) of AWS to the stage. The same operational consistency between on-site and public cloud. Flash a number of early beta customers on the screen. And they show a partner ecosystem slide with DXC, Accenture, and others. All availability zones will have a VMware option by the end of 2018.

VMware cloud strategy: Make private cloud easy, deep partnership, expand partner network

Consistent operational environments across clouds: Google, AWS, etc. That’s what VMware Cloud Services is all about. NSX is a common networking feature across clouds. Consistent infrastructure, consistent operations, richest network, delivering IT agility.

Sanjay Poonen back on stage with Medtronic (Medical device company). Company vision has changed from a medical device company to a services company.

Pat is back.

At the heart of everything VMware is doing is networking, and by extension, NSX. VMware is stretching NSX into the public cloud and containers. NSX will be as important to VMware as vSphere was the last 10 years.

Sanjay Poonen is back with a Cloud Architect from Sysco. NSX for them has been transformative. They are deploying microsegmentation today. Sysco also uses Workspace ONE. Currently transforming into product teams internally. Looking at micro-services, containers.

Pat is back.

Most important topic: Security. Attack vectors become more and more complex. “We the tech industry” have failed the customers. VMware has three parts to address this: Secure the infrastructure, integrated ecosystem, cyber hygiene.

Five pillars of cyber hygiene: Least privilege, microsegmentation, encryption, multi-factor authentication, patching.

Workspace ONE and AirWatch bring together consistent management. vSAN encryption. Most of security today is “chasing bad”. “Ensuring good” is better than trying to find all of the bad.

Introducing VMware AppDefense: Capture the intended application state, apply machine learning, then deliver it as a network service. Real-time detection of deviation from good. Automated response.

Pat brings an IBM rep on to talk about their AppDefense partnership and excitement around the collaboration.




New Nutanix Community Edition Release (2017.07.20)

Hot off the press is the community edition of Nutanix AOS, Community Edition (CE) 2017.07.20. For what’s new in AOS, see my post here. You can find all the direct download links at the end of this post in the Next community. As always, you can perform a simple 1-click upgrade via the Prism GUI.

Nutanix AFS 2.1.1 Released

Hot off the press is Nutanix AFS 2.1.1 (Acropolis File Services). In case you don’t know, AFS is a web-scale “NAS” that runs in a highly available configuration on Nutanix clusters. This release has several important new features, plus a number of resolved issues. New features include:

  • AFS Sizing workflow at time of deployment
  • Ability to rename AFS clusters
  • Ability to clone AFS on AHV (used for backups, DR testing, recovery, etc.)
  • Microsoft Management Console (MMC) support for AFS management
  • Ability to manage AFS permissions via the file server administrator role (which can be linked to an AD user or group)

The full release notes can be found here. You can download the new package here.

Nutanix AOS Released

Today I am glad to announce the general availability of Nutanix AOS. This is a patch release, but it also has a few new features. Of interest to you will be the security patches (11 total), and a good-sized list of resolved issues. You can find the full AOS release notes here and download the package here. Before any upgrade, thoroughly read the release notes and make sure any prerequisites are met. There’s also a good Installation and Upgrades document here, which is a must-read before you upgrade.

New Features include:

  • Nutanix API v3 tech preview
  • GA of software-only support on Cisco UCS-B series servers
  • Expanded support for vSphere 6.5 (e.g. Dell XC)
  • Full support for ESXi 6.5a and vCenter 6.5

As always, this AOS update can be done via Prism and the 1-click upgrade process. Zero downtime, and zero vMotions are needed. Customers often do AOS upgrades during the daytime. This release hasn’t yet been enabled for automatic download (it will be in the coming weeks), so if you want it before the automated downloads are enabled, just grab the gz package from the portal. If you are brand new to Nutanix and have never done an AOS upgrade, feel free to call support. It’s dead easy and 100% GUI driven, but help is there if you want it.

If you haven’t yet upgraded to the 5.1 release train, now is a great time to do so.
