Archive

Posts Tagged ‘certification’

VCAP-DCA Study Notes – 1.3 Complex Multipathing and PSA plugins

April 16th, 2011 No comments

This section overlaps with objectives 1.1 (Advanced storage management) and 1.2 (Storage capacity) but covers the multipathing functionality in more detail.

Knowledge

  • Explain the Pluggable Storage Architecture (PSA) layout

Skills and Abilities

  • Install and Configure PSA plug‐ins
  • Understand different multipathing policy functionalities
  • Perform command line configuration of multipathing options
  • Change a multipath policy
  • Configure Software iSCSI port binding

Tools & learning resources

Understanding the PSA layout

The PSA layout is well documented here, here. The PSA architecture is for block level protocols (FC and iSCSI) – it isn’t used for NFS.

Terminology;

  • MPP = one or more SATP + one or more PSP
  • NMP = native multipathing plugin
  • SATP = traffic cop
  • PSP = driver

There are four possible pathing policies;

  • MRU = Most Recently Used. Typically used with active/passive (low end) arrays.
  • Fixed = The path is fixed, with a ‘preferred path’. On failover the alternative paths are used, but when the original path is restored it again becomes the active path.
  • Fixed_AP = new to vSphere 4.1. This enhances the ‘Fixed’ pathing policy to make it applicable to active/passive arrays and ALUA capable arrays. If no user preferred path is set it will use its knowledge of optimised paths to set preferred paths.
  • RR = Round Robin

One way to think of ALUA is as a form of ‘auto negotiate’. The array communicates with the ESX host and lets it know the available paths to use for each LUN, and in particular which is optimal. ALUA tends to be offered on midrange arrays which are typically asymmetric active/active rather than symmetric active/active (which tend to be even more expensive). Determining whether an array is ‘true’ active/active is not as simple as you might think! Read Frank Denneman’s excellent blogpost on the subject. Our NetApp 3000 series arrays are asymmetric active/active rather than ‘true’ active/active.

Read more…

VCAP-DCA Study notes 7.1 – Secure ESX/ESXi hosts

March 2nd, 2011 No comments

Security is a large topic and one you could spend a lifetime mastering. The blueprint isn’t too helpful in clarifying what level of detail you’re expected to know for this as the ESX/ESXi configuration guides cover issues not in the ‘skills and abilities’ section. More in depth still is the vSphere Hardening Guide. I guess the main thing is to focus on practical issues as the VCAP-DCA is a practical exam – knowing that the VMkernel uses memory hardening is no use in an exam if it can’t be configured or tweaked! Some of this section seems to have been added for the sake of it – how often will an admin need to modify the SSL timeouts? I could only find one KB article about it!

Knowledge

  • Identify configuration files related to network security
  • Identify virtual switch security characteristics

Skills and Abilities

  • Add/Edit Remove users/groups on an ESX Host
  • Customize SSH settings for increased security
  • Enable/Disable certificate checking
  • Generate ESX Host certificates
  • Enable ESXi lockdown mode
  • Replace default certificate with CA‐signed certificate
  • Configure SSL timeouts
  • Secure ESX Web Proxy
  • Enable strong passwords and configure password policies
  • Identify methods for hardening virtual machines
  • Analyze logs for security‐related messages

Virtual switch security characteristics

vSwitch security (layer2) settings (can be overridden at portgroup level);

  • Promiscuous mode – needed for packet sniffing, vShield Zones (and virtual ESX hosts). Disabled by default.
  • MAC address changes – affects inbound traffic. May need to be enabled if you’re using MS load balancing in Unicast mode, or the iSCSI software initiator with certain storage arrays. Enabled by default.
  • Forged transmits – affects outbound traffic. Enabled by default.
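
The defaults and the portgroup-level override described above, as an added example (not part of the original notes): a Python script that resolves each portgroup's effective layer 2 policy and reports every setting left enabled. The inventory, names and exception list are constructed, and treating "all three disabled unless explicitly excepted" as the baseline is an assumption of this example.

```python
# Defaults for a standard vSwitch as stated in the notes above.
DEFAULTS = {"promiscuous": False, "mac_changes": True, "forged_transmits": True}

def effective_policy(vswitch_sec, portgroup_sec):
    """Resolve each setting to (enabled, source): a portgroup value wins over
    the vSwitch value, which wins over the built-in default."""
    resolved = {}
    for setting, default in DEFAULTS.items():
        if portgroup_sec.get(setting) is not None:
            resolved[setting] = (portgroup_sec[setting], "portgroup")
        elif vswitch_sec.get(setting) is not None:
            resolved[setting] = (vswitch_sec[setting], "vswitch")
        else:
            resolved[setting] = (default, "default")
    return resolved

def audit(inventory, exceptions=frozenset()):
    """Return (vswitch, portgroup, setting, source) for every setting that is
    effectively enabled and not listed as an approved exception."""
    findings = []
    for vs in inventory:
        for pg in vs["portgroups"]:
            policy = effective_policy(vs.get("security", {}), pg.get("security", {}))
            for setting, (enabled, source) in policy.items():
                if enabled and (pg["name"], setting) not in exceptions:
                    findings.append((vs["name"], pg["name"], setting, source))
    return findings

# Constructed sample inventory (hypothetical names, not from a real host).
INVENTORY = [
    {"name": "vSwitch0", "security": {}, "portgroups": [
        {"name": "VM Network", "security": {}},
        {"name": "NLB-Unicast", "security": {"forged_transmits": False}},
    ]},
    {"name": "vSwitch1",
     "security": {"promiscuous": False, "mac_changes": False, "forged_transmits": False},
     "portgroups": [
        {"name": "DMZ", "security": {"promiscuous": True}},
        {"name": "Prod", "security": {}},
    ]},
]
# Approved deviation (assumed): MS load balancing in unicast mode needs MAC address changes.
EXCEPTIONS = {("NLB-Unicast", "mac_changes")}

if __name__ == "__main__":
    for finding in audit(INVENTORY, EXCEPTIONS):
        print("%s/%s: %s enabled (set by %s)" % finding)
```

The `source` field shows whether a finding comes from an untouched default, the vSwitch, or a portgroup override, which tells you where the change has to be made.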

Other network security measures (IPSec, VLANs, PVLANs etc) are dealt with in section 2, Networking.

Host security

Customise SSH settings (ESX only)
  • Edit /etc/ssh/sshd.conf and set ‘PermitRootLogin’ to YES (default is NO). See VMwareKB for a list of other settings you can adjust (including the available ciphers).
  • You can use PKI to authenticate using SSH without being prompted for a password. This is a standard Linux procedure – for step by step instructions see VMwareKB1002866.
  • By default only SSH server is enabled. Configuration -> Security Profile to enable SSHClient, or use ‘esxcfg-firewall -e SSHClient’.

Read more…

VCAP-DCA Study Notes – 4.2 Deploy and test VMware FT

March 2nd, 2011 No comments

The main document to work through for the VCAP-DCA is the Availability Guide but there are plenty of good white papers and blog posts which give useful background information (see the bottom of this post). If you have access to the 2010 VMworld content it’s worth watching session BC8274 which covers most of the material on the blueprint.

Knowledge

  • Identify VMware FT hardware requirements
  • Identify VMware FT compatibility requirements

Skills and Abilities

  • Modify VM and ESX/ESXi Host settings to allow for FT compatibility
  • Use VMware best practices to prepare a vSphere environment for FT
  • Configure FT logging
  • Prepare the infrastructure for FT compliance
  • Test FT failover, secondary restart and application fault tolerance in a FT Virtual Machine

FT requirements (hardware, software and feature compatibility)

Compatibility
  • Firstly you have to make sure your host hardware will support FT – it’s more demanding than many other VMware features.
    • The main requirement is to have Intel Lockstep technology support in the CPUs and chipset. Rather than list the processor families which support FT you can read VMwareKB1008027.
    • Hardware virtualisation must also be enabled in the BIOS (not always on by default).
  • You need to ensure the guest OS and CPU combination is supported (as the Availability Guide states, Solaris on AMD is not for example).
  • Must have HA enabled on the cluster
  • Licensing – you need Advanced or higher to run FT
  • Host certificates need to be enabled. If you did a clean install of vSphere 4.x this is enabled by default but if you upgraded from VI3.x you have to explicitly enable it (vCenter settings, SSL)
  • Should avoid mixing ESX and ESXi hosts in a cluster with FT-enabled VMs (VMwareKB1013637)

There are also VM level requirements;

  • No USB or sound devices
  • No NPIV
  • No paravirtualized guest OS
  • No physical mode RDMs
  • Hot plug (memory, CPU, hard disks etc) is automatically disabled for FT-enabled VMs
  • No serial or parallel ports

Restrictions

FT places quite a few restrictions on the features you can use;

Read more…

VCAP-DCA Study Notes – 4.3 Supporting MS Clustering in vSphere

March 2nd, 2011 2 comments

The main guide for this section is the ‘Setup for Failover clustering and Microsoft Cluster Service’ whitepaper. It’s a difficult topic to test in a lab unless you’re lucky enough to have FC in your lab! Very little has changed in regards to running MSCS on VMware since the VI3 days so if you’re familiar with that (and it was on the VCP syllabus) then don’t read any further! If you want a refresher however (and a few tidbits which are new to vSphere 4.1), read on….

Knowledge

  • Identify MSCS clustering solution requirements
  • Identify the three supported MSCS configurations

Skills and Abilities

  • Configure Virtual Machine hardware to support cluster type and guest OS
  • Configure a MSCS cluster on a single ESX/ESXi Host
  • Configure a MSCS cluster across ESX/ESXi Hosts
  • Configure standby host clustering

Tools & learning resources

Supported MSCS configurations

Three options;

  • Cluster in a box
  • Cluster across boxes
  • Standby (one physical node, one virtual node)

Solution requirements

Physical hardware

One of the main requirements is a FC SAN (this is one of the rare features which doesn’t work with NFS).

Read more…

VCAP-DCA Study notes – 5.2 Complex Update Manager environments

February 15th, 2011 No comments

Most people have used Update Manager to some degree so this objective is probably one of the easier ones to cover. The VUM Administration Guide covers pretty much everything on the VCAP-DCA blueprint and should be your first stop for study (apart from this blog obviously!).

Not listed in the blueprint (at least in this section) are the PowerCLI cmdlets for using Update Manager. Section 8 only lists ‘Installing the Update Manager PowerCLI cmdlets’ but if you have time it’s probably worth giving them a spin.

Knowledge

  • Identify firewall access rules for Update Manager

Skills and Abilities

  • Determine use case for, install and configure Update Manager Download Service
  • Configure a shared repository
  • Configure smart rebooting
  • Manually download updates to a repository
  • Perform orchestrated vSphere upgrades
  • Create and modify baseline groups
  • Troubleshoot Update Manager problem areas and issues
  • Generate database reports using MS Excel or MS SQL
  • Upgrade vApps using Update Manager

Tools & learning resources

Update Manager basics (VCP revision)

The exam topics assume a certain amount of knowledge as Update Manager is on the VCP syllabus. A quick recap;

  • Installs as a plugin to vCenter
  • Downloaded as part of the vCenter package
  • Once the server component is installed you have to add the plugin to any VI client installations you use.
  • Distinguishes between ‘patches and security updates’ vs ‘product upgrades’. NOTE: With the recent release of vSphere v4.1 U1 it’s clear that the distinction between a ‘patch’ and an ‘upgrade’ is rather hazy. Upgrading a host from v4.0 to v4.1 requires a ‘host upgrade’ baseline whereas upgrading a host from v4.1 to v4.1 U1 requires a ‘patch’ baseline. You can read more in this article at Jason Boche’s website.
  • Patching guest OSs requires an agent to be installed to the guest. This is done automatically the first time a guest is scanned for patch compliance or can be done manually if required.
  • Patches are downloaded according to a defined schedule (default once a day)

Read more…

VCAP exams on vSphere 5 – worth waiting for?

February 11th, 2011 3 comments

At the London VMUG yesterday there was a presentation about VMware certification by Scott Vessey, a well known VMware trainer (@vmtraining or http://vmwaretraining.blogspot.com/). After his presentation one question raised was whether it’s worth taking the vSphere 4 track or maybe delaying a while and jumping straight to the upcoming vSphere 5 track. Scott said this was a common question so I thought I’d add my thoughts on why I wouldn’t wait;

  • vSphere 5 (as it’s commonly known but not its final name) is slated for release around July/August this year (according to this article from the recent VMware Partner Exchange). Even assuming they hit this deadline that means waiting another six months. Once the next version is released it’ll take a while for the exams to be updated, especially in the case of the VCAP-DCA track which requires live labs. vSphere 4 was released in May 2009 but the VCP exams took another 3 months to be released after that. Allowing a bit longer for the VCAP tracks, let’s say 4 months. That makes it a ten month wait from today.
  • Are you prepared to take the exams without help or study guides from the blogosphere, Twitter, and the experience of those who’ve gone before? If you know your stuff and are happy to be among the first then you’ve probably already taken the VCAP exams so waiting isn’t an option! If you find others’ experiences and suggestions helpful then you’re talking an extra three to six months for that to filter down.
  • If you’re not on the vSphere 5 beta you can’t start learning the new features until July/August at the earliest, compared to vSphere 4 which is available today, is widely adopted and documented.
  • Traction/demand from employers. This argument depends on why you’re after certification – if it’s to progress your career then bear in mind that while recruiters will add any new certification to their wanted (or mandatory) list almost immediately it takes longer for the value of a given certification to be respected (or not) in the marketplace. Back in the day the Microsoft MCSE had a good reputation to start with which quickly became tarnished. The RHCE took a few years to establish itself as a tough certification worth asking for and the VCAP-DCA may be the same. If you’re doing it for the technical challenge then this is obviously irrelevant.
  • How different will the VCAP-DCA on vSphere 5 really be? I know of many IT pros who skipped the MCSE 2003 track because if you already had the MCSE2000 that was fine – having the 2003 wasn’t really going to open up new jobs to you. You could wait for the VCAP-DCA on vSphere 5 to find that the two are treated interchangeably in the market and you simply waited longer to qualify.

For all these reasons I’m not going to wait. Whether I actually find time to take the exams before they release v5 is another question but my intention is clear!

There are plenty of people planning on taking the VCAP exams – what do you all think?

VCAP study notes – 8.2 VMware Orchestrator

October 22nd, 2010 1 comment

Automation is becoming increasingly popular and important, and VMware’s Orchestrator is another automation/scripting product but with loftier aims – to provide an extendable orchestration platform to enable a dynamic infrastructure. To date it seems to have gained very little traction or attention (most blog and twitter articles cover PowerCLI) but VMware obviously want to promote it – hence its inclusion in the VCAP-DCA blueprint.

Knowledge

  • Identify vCenter Orchestrator requirements
  • Identify default Orchestrator plug‐ins

Skills and Abilities

  • Install and Configure vCenter Orchestrator
  • Configure vCenter Orchestrator database
  • Configure vCenter Orchestrator LDAP connection
  • Configure vCenter Orchestrator vCenter server connections
  • Run a Workflow
  • Administer Actions, Tasks, Workflows and Policies
  • Administer Packages
  • Identify appropriate Workflow for a given management activity

Tools & learning resources

Read more…

VCAP study notes – 8.3 vMA

October 4th, 2010 2 comments

Like many I’m hoping to take the new advanced VMware certification VCAP-DCA later this year. This is my first post in my VCAP-DCA study notes series and covers section 8.3, Administer vSphere with the vMA. The notes are mainly intended as a revision list rather than a tutorial so you should have some knowledge of the topic before starting (there are links at the bottom to help you get started if not). Most of this content has been covered elsewhere previously so kudos to those who spent time discovering it – I’ve simply collected it all together for reference.

I’ve covered the topics on the VCAP-DCA blueprint and included some detail on the new vSphere 4.1 features as you never know when they’ll get included in the exam. The only exceptions are esxcli and vmkfstools which I’ll cover as part of section 1 (managing storage) and section 6 (troubleshooting).

Main uses

  • syslog server (vilogger component)
  • centralised scripting repository
  • replacement for ESX service console (scripts and third party plugins)
    • easier to port service console scripts rather than converting to PowerCLI
    • scripts may need amending (new authentication methods etc)
    • facilitates move to ESXi

Prerequisites, installation and updating

Prerequisites

  • ESX host must support 64-bit VMs (Intel EM64T and vT technology)
  • ESX 3.5U2 onwards, vCenter 4.0 onwards (2.5 NOT supported)
  • 512MB, 1vCPU, 5GB+ disk space

Read more…

Categories: VCAP, VMware