Getting started with VMware Pivotal Container Service (PKS) Part 9: Logging

In this blog post, we will walk through configuring the various components within a PKS deployment such as vSphere (vCenter Server & ESXi), NSX-T (Manager, Controllers & Edges), BOSH and PKS Control Plane to forward their logs to an external syslog system such as a VMware vRealize Log Insight (vRLI) which includes 25 free OSI licenses for any vSphere customer.

If you missed any of the previous articles, you can find the complete list here:

Continue reading

Native MAC Learning in vSphere 6.7 removes the need for Promiscuous mode for Nested ESXi

Over the years, several solutions have been developed here and here to help reduce the impact of promiscuous mode, which is a requirement for running Nested ESXi as a workload. Although these solutions worked extremely well, it however did require users to install additional software to enable this functionality. The most recent solution was a new Learnswitch VMkernel module (released as a VMware Fling) that enables MAC learning capabilities on ESXi.

Today, I am pleased to announce that with the release of vSphere 6.7, the MAC Learning functionality is now available as a native feature of the VMware Distributed Virtual Switch (VDS) and as some of you may have guessed from the title, promiscuous mode is also no longer a requirement for running Nested ESXi! I wanted to take a moment and thank Subin, Jobin, Sriram, Rajeev & Samuel from our Network and Security Business Unit (NSBU) at VMware who worked tirelessly to get this integrated and productized into ESXi. Not only will this benefit Nested ESXi workloads but also other solutions and use cases that have historically required the use of promiscuous mode. For customers who are still running ESXi 6.0 or 6.5, you should continue to use the Learnswitch Fling until you fully upgrade to vSphere 6.7.

To use the new MAC Learning functionality, you will of course need to upgrade to vSphere 6.7 (both vCenter and ESXi) but also upgrade to the latest VDS version which is 6.6. MAC Learning can be enabled on a per Distributed Virtual Portgroup bases and today, it is only available when using the vSphere API. For those that have used the VDS API to manage their VDS, you will simply use the existing ReconfigureDVPortgroup_Task() method and in 6.7, there now a new macManagementPolicy property which allows you to enable and define your MAC Learning settings. This new MAC Management Policy will also be the new preferred method for managing security policies going forward for a DV Portgroup and the previous security policy settings should no longer be used.

Disclaimer: Nested ESXi is still not officially supported by VMware. Please use at your own risk.  Continue reading

Getting started with VMware Pivotal Container Service (PKS) Part 8: Monitoring Tool Overview

I had received a few questions about the monitoring capabilities for VMware PKS and some of the VMware tools that can help provide visibility and audibility of the platform. Different consumers of PKS will care about different things, as you can imagine the cloud admin/platform operator is primarily concerned with the underlying infrastructure (compute, storage, network) including the PKS Management components. Developers want to know how their application is doing and if there are any issues, how to quickly access the information they need to debug and fix the problem.


Complete end-to-end logging is a mandatory requirement for many customers, especially when it comes to dealing with large and complex application deployments. Being able to provide centralized access of all logs to both operators and developers is key to be able to quickly triage and resolve an issue. Remote syslog can be configured throughout the PKS stack from the infrastructure and going all the way up to the application if developers decides to instrument logging and sending it to the same syslog target. VMware customers can take advantage of vRealize Log Insight (vSphere customers receive 25 free OSI licenses) which is a on-premises log management solution. If you prefer a SaaS-based solution, VMware also has Log Intelligence which can be used to service both premises infrastructure as well as other cloud hosted deployments.

Infrastructure Monitoring

For Cloud Admins/Platform Operators, vRealize Operations Manager (vROPs) will be the tool of choice which many of our customers are already familiar with. vROps provides analytics, capacity management and alerting for all of your underlying compute, storage and networking infrastructure. This information can be trended over time and provide help proactive identify any anomalies within the infrastructure before they arise. There are a number of Management Packs that can be used to provide easy to consume and out of the box dashboards such as vSphere which gives you information about your vCenter Server and the ESXi hypervisor, NSX-V as well as NSX-T for networking/security and core storage including VSAN.

Application Monitoring

Unlike traditional applications, Cloud Native Apps require a completely different way of monitoring to ensure Developers can easily access the important information they require for development purposes. VMware Wavefront is a SaaS-based solution that is metrics monitoring and analytics platform that can handle the high-scale requirements of modern cloud-native applications. Not only can Developers instrument their own applications and forward that to Wavefront, but Wavefront also provides complete visibility into a Kubernetes (K8S) deployment from namespaces, nodes, pods and all the way down to the individual containers.

Here is a diagram to help illustrate the visibility that each solution provides:

In the next three posts, I walk through the configuration steps to setup vRLI, vROPs and Wavefront with VMware PKS.

If you missed any of the previous articles, you can find the complete list here:

New Instant Clone Architecture in vSphere 6.7 - Part 1

Instant Clone or VMFork (as it is referred internally) has been around for a number of years now. It was initially available as part of vSphere 6.0 with the primary consumer being Horizon View and their just-in-time desktop solution. Although Instant Clone was part of the core vSphere platform, public APIs were not available for external consumption. Many customers were interested in the technology to enable other non-VDI use cases such as Dev/Test, Continuous Integration/Continuous Development (CI/CD) and even Container workloads. Part of the reason for not exposing the API was partially due to the original Instant Clone architecture which has certain limitations and constraints.

In addition, VMware was also interested in getting feedback from customers on how they would like to consume Instant Clone from an Automation standpoint, this was important because the current workflows were also some what complex. This started out with the release of a PowerCLI Instant Clone Extension Fling that provided an abstraction on top of the private APIs. Based on that and other feedback, VMware followed that up by releasing Instant Clone for pyvmomi (vSphere SDK for Python) Fling which gave customers more programmatic access to the private APIs. Both Flings were a huge success and we even had customers using the pyvmomi Instant Clone modules in Production to deploy several hundred Instant Clone VMs per day for their CI/CD workloads.

Taking the learnings from both Horizon View and the feedback from customers using the Flings, the Instant Clone Product/Engineering team has been hard at work behind the scenes on simplifying the Instant Clone architecture and removing limitations and constraints that had existed in earlier versions. As you can imagine, this was a non-trivial amount of work that would need to be released in phases, especially as VM lifecycle management touches almost every part of the vSphere stack. The team really focused on ease of consumption, especially from an Automation standpoint which is how most customers prefer to consume Instant Clone.

Continue reading

New vSphere 6.7 APIs worth checking out

Below are just a few of the new vSphere 6.7 SOAP and REST APIs that have been added or enhanced which I think will be quite useful for customers to be aware of while they start to plan for their vSphere 6.7 upgrades. For a complete list of new vSphere 6.7 (SOAP based) APIs, check out the vSphere 6.7 API Reference Guide which will include a "What's New" section on all the new Managed Objects, Methods, Properties, etc. For a complete list of new vSphere 6.7 REST based APIs, check out vSphere Automation API 6.7 Reference which you can identify new operations and properties which will be marked with "Added in vSphere 6.7".

vSphere 6.7 WebServices (SOAP) API

AlarmManager->ClearTriggeredAlarms() - This method finally provides a way for customers to clear an alarm like you can using the vSphere UI. Historically, customers only had the ability to acknowledge an alarm using the API but not a way to reset alarms.

VirtualMachine->ApplyEvcModeVM_Task() - This method can be used to enable the new Per-VM Enhanced vMotion Capability (EVC) feature that has been introduced in vSphere 6.7

VirtualMachine->InstantClone_Task() - This method simplifies the deployment of new version of Instant Clone that has been added into vSphere 6.7. For more details on how the new Instant Clone feature works, please take a look at this blog post here.

HostNvdimmSystem - This new Managed Object and its respective methods can can be used to manage the new NVDIMM (Persistent Memory) capability that has been added into vSphere 6.7

VirtualMachine->Config->createDate - This new property finally includes the creation date of a VM that has been created in vSphere 6.7 and will be persisted with the lifecycle of the VM itself. I will provide a more detailed blog post on how to consume this new property as well as the expected behaviors, especially around upgrades. I know many of you have been asking for this property and I am glad to see this finally available for all on-premises customers!

VirtualMachine->Flags->vbsEnabled - This new property allows customers to easily enable the new Microsoft Virtualization-Based Security (VBS) feature which was added in vSphere 6.7. This single property (UI/API) behind the scenes actually enables a number of other VM settings required for VBS to properly run such as Virtual Hardware Virtualization (VHV), vIOMMU, EFI Firmware & Secure Boot, which is nice as customers do not have to worry about the underlying settings and simply toggle a simple boolean property.

VirtualMachineGuestOsIdentifier - These are all the new GuestOS Ids that have been added into vSphere 6.7 to enable new GuestOS support, you can find the mapping of the OS type by taking a look at the vSphere API Reference Guide

  • asianux8_64Guest
  • centos8_64Guest
  • darwin17_64Guest
  • darwin18_64Guest
  • freebsd11Guest
  • freebsd11_64Guest
  • freebsd12Guest
  • freebsd12_64Guest
  • oracleLinux8_64Guest
  • other4xLinux64Guest
  • other4xLinuxGuest
  • rhel8_64Guest
  • sles15_64Guest

vSphere 6.7 REST API

/appliance/backup/schedules - This endpoint provides management and configuration of the new VCSA scheduled backup feature

/appliance/backup/system_name - This endpoint allows you to list all existing backups that have been taken for your VCSA

/appliance/local_accounts - This endpoint provides management of all local users

/appliance/local_accounts/policy - This endpoint provides global password policy management for all local users

/appliance/logging/forwarding - This endpoint provides external syslog configuration for the VCSA

/appliance/networking/proxy - This endpoint provides HTTP(S) proxy configurations for the VCSA

/appliance/ntp - This endpoint provides NTP configuration for the VCSA

/vcenter/deployment - This endpoint enables the ability to automate both Install/Upgrade of the Stage2 installer for VCSA/PSC. Stage 1 deployment of the appliance is currently not part of the REST API but can be automated using existing methods such as OVFTool or PowerCLI as an example.

/vcenter/hvc - This endpoint enables customers to configure their on-premises vCenter Server to consume the new Hybrid Linked Mode (HLM) feature that is only available as part of the VMware Cloud on AWS offering

/vcenter/vm/guest/{identity,local_filesystem} - This endpoint provides guestOS details such as the configured OS along with some basic networking (e.g. Hostname and IP Address) which is retrieved as part of the VMware Tools service running inside of the GuestOS. In addition, you can also get visibility into the guest filesystem including capacity and freespace.

/vcenter/vm/storage/policy - This endpoint provides details about the current configured VM Storage Policy for individual VMDKs of a VM

/vcenter/vm_template - This endpoint provides an early Tech Preview for the ability for customers to create VM Templates (VMTX) and storing them within vSphere Content Library