23 January 2017

Containers and VMware

I've heard many times in recent months that containers will replace virtual machines, but nothing could be further from the truth.
These conversations come from a lack of knowledge about the different technologies and some misunderstanding about what we can do with VMs or with containers.

A container is an isolation unit provided by the kernel's subsystems, but it remains linked or bound to the same kernel where it was created and runs. Nowadays many companies develop container technologies: Docker, Rocket, Garden, etc.

Now, let's review what Docker is, as explained by VMware, since it is the most famous container runtime: "Docker is not a container technology. It uses Libcontainer directly or in conjunction with LXC, libvirt, OpenVZ, and others. Docker introduced the idea of creating images out of containers. These images reside on a layered filesystem. Each layer consists of a change made to a container. This allows for quick image updates and downloading of new images. You can build an image from a container that you created or you can download an existing image, update it and then commit the changes into a new image. These images can reside locally in a private registry like VMware Harbor or in a publicly available registry, like DockerHub."
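To make the layered-image idea concrete, here is an added illustration (not Docker's or VMware's code): a toy model in which each layer records only the change made on top of the previous one, a container adds a writable scratch layer, and committing turns that scratch layer into a new immutable layer that shares all the lower ones. The file contents and paths are constructed sample data; the `Layer`, `Image` and `Container` names are mine.

```python
"""Toy model of a layered container image (added illustration, not Docker code).

Each layer records only the change made on top of the previous one: files
added or modified, and files deleted (overlay drivers mark deletions with
"whiteout" entries; here a frozenset of removed paths plays that role).
Resolving an image walks the layers bottom-up and applies each change.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Layer:
    """One immutable change set: path -> content for additions, paths for deletions."""
    added: dict[str, bytes] = field(default_factory=dict)
    removed: frozenset[str] = frozenset()


@dataclass
class Image:
    """An ordered stack of layers; the base layer comes first."""
    layers: list[Layer]

    def resolve(self) -> dict[str, bytes]:
        """Merge the layers from base to top into the filesystem view a container sees."""
        view: dict[str, bytes] = {}
        for layer in self.layers:
            for path in layer.removed:   # whiteouts hide files from lower layers
                view.pop(path, None)
            view.update(layer.added)     # upper layers shadow lower ones
        return view


class Container:
    """A running container: an image plus a writable scratch layer on top of it."""

    def __init__(self, image: Image) -> None:
        self.image = image
        self.added: dict[str, bytes] = {}
        self.removed: set[str] = set()

    def write(self, path: str, data: bytes) -> None:
        self.removed.discard(path)
        self.added[path] = data

    def delete(self, path: str) -> None:
        self.added.pop(path, None)
        self.removed.add(path)

    def commit(self) -> Image:
        """Freeze the scratch layer into a new layer: 'commit the changes into a new image'.
        The lower layers are shared by reference, so the new image costs only the diff."""
        new_layer = Layer(dict(self.added), frozenset(self.removed))
        return Image(self.image.layers + [new_layer])


def demo() -> tuple[dict[str, bytes], dict[str, bytes], int]:
    """Build a base image, add an app on top, then commit a hardened image without the shell."""
    # Constructed sample content: a minimal base layer with two files.
    base = Image([Layer({"/etc/os-release": b"ID=photon\n", "/bin/sh": b"#!sh"})])

    c = Container(base)
    c.write("/app/server.py", b"print('hi')")
    c.write("/etc/os-release", b"ID=photon\nVERSION=1.0\n")   # modify a base-layer file
    app = c.commit()

    c2 = Container(app)
    c2.delete("/bin/sh")   # remove the shell; recorded as a whiteout in the new layer
    hardened = c2.commit()

    # The base image is untouched; the hardened image is three layers deep.
    return base.resolve(), hardened.resolve(), len(hardened.layers)


if __name__ == "__main__":
    base_view, hardened_view, depth = demo()
    print("base:", sorted(base_view))
    print("hardened:", sorted(hardened_view), "layers:", depth)
```

The point of the model is the cost structure the quoted text describes: pulling or rebuilding an image means transferring only the layers that changed, and two images built from the same base share that base rather than copying it.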

So, what about VMware? How can VMware help in this new container wave? One of the best approaches is to join the best of both worlds: VMs and containers.

In the next image you can see the VMware stack: storage with VSAN, networking with NSX, hypervisor with vSphere, containers with VCH and management with vRealize. In the end, the operations and developer worlds fit into the same datacenter.

To accomplish that, VMware has developed several open-source projects. You can find all of them on GitHub: Admiral, Harbor and vSphere Integrated Containers:

vSphere Integrated Containers (VIC) is the sum of three components: Engine, Harbor and Admiral.
Admiral is the container management portal.
Harbor is the container registry.

An important piece of VIC is Photon: "an OSS based linux container host runtime optimized for VMware vSphere" https://vmware.github.io/photon/
How do all these projects fit together? Check this schema to understand how: VIC Engine + Admiral + Harbor

At the end of the day, what you get with VIC is that containers are created in vSphere as virtual machines, so you can apply most vSphere features to them (functions, monitoring, automation, security, networking, etc.) transparently for the developers, who keep using the API to create containers, apps, and so on. You gain visibility of the container environment as VMs, which is critical for managing an infrastructure.

Last but not least, just to clarify: "vSphere Integrated Containers is available to all vSphere 6.0 and above Enterprise Plus customers. There is no additional license subscription required to use vSphere Integrated Containers. You can download it from myvmware.com"

18 October 2016

vSphere 6.5 announced at VMworld 2016 Barcelona

vSphere 6.5 was announced at VMworld 2016 Barcelona.
As you may know, VCSA has been the recommended deployment option since vSphere 6 was released in Feb 2015, and most of the new improvements are related to it: for example, we now have native high availability for VCSA, VUM (VMware Update Manager) is now integrated (remember that in vSphere 6.0 we needed to install it on Windows only), and the new native backup and restore options cover most of the complaints about the VCSA.

  • VMware vCenter Server® Appliance - will deliver a simplified building block for vSphere environments offering an easy to deploy and manage approach that reduces operational complexity by embedding key functionality into a single virtual appliance. The appliance will offer customers simplified patching, upgrading, backup and recovery, high availability and more, including a 2x increase in both scale and performance of their vCenter Server environments.
  • REST APIs - will improve both the IT and developer experience by enabling greater control and automation of virtual infrastructure for modern applications via new REST-based APIs.
  • VMware vSphere Client - based on HTML5, the new vSphere Client will simplify the administrative experience via a modern, native tool that meets the performance and usability needs and expectations of users for day-to-day operations.
  • VM Encryption - new virtual machine-level encryption will protect against unauthorized data access safeguarding data at rest as well as virtual machines that are moved with VMware vMotion®.
  • Secure Boot - new feature will prevent the tampering of images as well as the loading of unauthorized components into vSphere environments.
  • VMware vSphere Integrated Containers™ - will allow IT operations teams to provide a Docker-compatible interface to their app teams enabling vSphere customers to transform their businesses with containers without re-architecting their existing infrastructure.

Two great features for me right now are, on the one hand, the option to back up and restore the VCSA, removing the dependency on third-party backup solutions, and on the other hand the option to secure and encrypt the VMs, so security is now handled with VCSA 6.5.

In the next post I'll cover the new features one by one; meanwhile you can check the official landing page: http://blogs.vmware.com/vsphere/2016/10/introducing-vsphere-6-5.html

11 September 2016

vSphere 6 upgrade: repoint replicated embedded SSO or PSC to external PSC

One of the keys of the new vSphere 6 topology is deciding which scenario fits best while following the best practices. The main best practice is to deploy an external PSC, as it will help us achieve a high-availability SLA and an easier upgrade path in the future. Keep in mind that VCSA is the recommended option for deploying vCenter right now.

First of all, review in this image the upgrade path from the two different platforms: Windows Server and VCSA (vCenter Server Appliance):

Let's go ahead with a specific and common scenario: embedded SSO replicated between at least 2 vCenters.

The first step is to deploy an external SSO replicating with the embedded SSO, the second step is to repoint the vCenters to the external SSO, and the third is to uninstall the embedded SSO:

The crux here is the process to "repoint" the SSO; follow this KB and you'll see it's a piece of cake:

If you have an embedded PSC instead of an embedded SSO, just follow this KB:

Once you have the new external SSO working, just upgrade it to a PSC:

And last but not least, upgrade vCenter 5.x to vCenter 6.x.

You can use the same steps to upgrade a single vCenter installation with embedded (or external) SSO or PSC.

Finally, remember that VMware recommends:
  • Deploy VCSA
  • Deploy external(s) PSC
  • Select a VMware "recommended" topology

04 September 2016

Microsegmentation with the NSX Distributed Firewall (DFW)

Let's first review the types of firewall we have available:

- Physical: although they are still necessary, perimeter firewalls have limitations on the bandwidth they can handle and on the inspection load, which forces a complex horizontal scale-out that increases the complexity of the environment.

- Virtual: the same service as the physical ones but in virtual form; they are a good complement to physical firewalls, although they are limited to an average of between 1 and 4 Gb of bandwidth.

- Distributed: the perfect complement to physical firewalls in a vSphere environment. The NSX firewall relies on the performance of the hypervisor kernel (ESXi); it allows very agile horizontal scaling without increasing the complexity of the environment, and it provides bandwidth of up to 20 Gbps per host.

Thanks to the new paradigm of NSX distributed services, in this case the firewall, it is possible to consider scenarios that the traditional physical service layers were not reaching: the perimeter firewall scheme is extended to a 1:1 relationship between VM and firewall, as we see in the following image:

From the previous idea comes the concept of "microsegmentation": traffic is now inspected at the virtual machines' network cards at layers 2, 3 and 4 thanks to NSX.
It also allows integration with third-party solutions that extend application inspection up to layer 7.
Finally, it is important to note that if the VM moves to another hypervisor host (ESXi), the rules for that VM travel with it and no reconfiguration of any kind is needed, so it is 100% compatible with dynamic resource allocation techniques (DRS) and with features such as VMware HA that provide high availability to virtual machines.

Microsegmentation lets us isolate and segment applications in different ways, as we can see in the following image:
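As an added illustration of the microsegmentation idea described above (my own toy model, not NSX code), the following Python block enforces one policy as a filter at every VM's vNIC. Rules are written in terms of security-group membership rather than IP addresses, evaluation is first-match with an implicit default deny, and moving a VM to another host (the `vmotion` method is a hypothetical stand-in for DRS/vMotion) changes nothing in the verdicts because the rules follow the workload. The three-tier inventory, group names and hosts are constructed sample data.

```python
"""Toy model of a distributed, per-vNIC firewall (added illustration; not NSX code).

Rules are expressed in terms of workload membership (security groups) instead
of IP addresses, evaluated at each VM's vNIC, and carried with the VM when it
moves hosts.
"""
from __future__ import annotations

from dataclasses import dataclass

ANY = "any"


@dataclass
class VM:
    name: str
    ip: str                  # present only to show that rules never look at it
    groups: frozenset[str]   # security-group membership
    host: str                # ESXi host currently running the VM


@dataclass(frozen=True)
class Rule:
    src: str            # security-group name or ANY
    dst: str
    proto: str          # "tcp", "udp" or ANY
    port: int | None    # None = any destination port
    action: str         # "allow" or "deny"

    def matches(self, src_vm: VM, dst_vm: VM, proto: str, port: int) -> bool:
        return ((self.src == ANY or self.src in src_vm.groups)
                and (self.dst == ANY or self.dst in dst_vm.groups)
                and (self.proto == ANY or self.proto == proto)
                and (self.port is None or self.port == port))


class DistributedFirewall:
    """One ordered policy, enforced as a filter on every vNIC. First match wins."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules

    def verdict(self, src_vm: VM, dst_vm: VM, proto: str, port: int) -> str:
        """L3/L4 decision taken at the destination VM's vNIC for one flow."""
        for rule in self.rules:
            if rule.matches(src_vm, dst_vm, proto, port):
                return rule.action
        return "deny"   # implicit default deny when no rule matches

    def vmotion(self, vm: VM, new_host: str) -> VM:
        """Hypothetical stand-in for DRS/vMotion: the host changes, the policy does not,
        because the VM's rules derive from its group membership, not from its host or IP."""
        vm.host = new_host
        return vm


def demo() -> dict[str, str]:
    """Three-tier app over two hosts: only the intended tier-to-tier flows are allowed."""
    # Constructed sample inventory.
    web1 = VM("web1", "10.0.1.11", frozenset({"sg-web"}), "esxi-01")
    web2 = VM("web2", "10.0.1.12", frozenset({"sg-web"}), "esxi-02")
    app1 = VM("app1", "10.0.2.21", frozenset({"sg-app"}), "esxi-01")
    db1 = VM("db1", "10.0.3.31", frozenset({"sg-db"}), "esxi-02")

    dfw = DistributedFirewall([
        Rule("sg-web", "sg-app", "tcp", 8080, "allow"),
        Rule("sg-app", "sg-db", "tcp", 5432, "allow"),
        Rule(ANY, ANY, ANY, None, "deny"),   # explicit cleanup rule
    ])

    results = {
        "web->app:8080": dfw.verdict(web1, app1, "tcp", 8080),   # intended flow
        "web->web:22": dfw.verdict(web1, web2, "tcp", 22),       # lateral move within a tier
        "web->db:5432": dfw.verdict(web1, db1, "tcp", 5432),     # skipping a tier
        "app->db:5432": dfw.verdict(app1, db1, "tcp", 5432),     # intended flow
    }
    dfw.vmotion(app1, "esxi-02")   # app1 moves host; nothing to reconfigure
    results["web->app:8080 after vmotion"] = dfw.verdict(web1, app1, "tcp", 8080)
    return results


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:32} {action}")
```

The useful property to notice is in the second and third verdicts: two VMs on the same L2 segment, or a VM reaching past its neighbouring tier, are denied by the same policy that allows the legitimate flows, which is exactly what a perimeter-only firewall cannot express for east-west traffic.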

01 September 2016

VMWORLD 2016 - Breakout Sessions on-demand

The VMworld 2016 breakout sessions are now available on-demand: