Jonathan Colon Feliciano

HomeLab – vDiagram Draw your Virtual Infrastructure

Hello everyone

Taking the “Top 10 VMware Admin Tools” list as a reference, this time I am going to show you how to use the vDiagram tool, which holds the #6 position in the list of the tools most used by VMware infrastructure administrators. In essence, this PowerShell script captures and draws a VMware vSphere infrastructure using Microsoft Visio. The tool was originally created by Alan Renouf (@alanrenouf) and the project is currently maintained by Tony Gonzalez (@vDiagram_Tony).

To use this tool, the following requirements must be met:

  1. Powershell >= 5.1
  2. PowerCLI module (“Install-Module -Name VMware.PowerCLI”)
  3. Microsoft Visio 2013+

Once all the requirements are fulfilled, proceed to download the Powershell code. To download the application, click on the following link:

https://github.com/Tony-SouthFLVMUG/vDiagram2.0

Once the package is downloaded proceed to unpack the contents.

PS C:\> Expand-Archive -LiteralPath .\vDiagram2.0-master.zip -DestinationPath .
PS C:\> ls vD*


    Directory: C:\Users\jocolon\Downloads


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/26/2021  11:15 AM                vDiagram2.0-master
-a----         7/21/2021   9:37 AM       12470234 vDiagram2.0-master.zip


PS C:\>

Move to the unzipped folder and validate the content with the “ls” or “dir” command.

PS C:\> cd .\vDiagram2.0-master\
PS C:\vDiagram2.0-master> ls


    Directory: C:\vDiagram2.0-master


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/15/2021   5:29 PM                archived
-a----         2/15/2021   5:29 PM             66 .gitattributes
-a----         2/15/2021   5:29 PM           5771 README.md
-a----         2/15/2021   5:29 PM         109288 vDiagram.ico
-a----         2/15/2021   5:29 PM         673926 vDiagram_2.0.11.ps1
-a----         2/15/2021   5:29 PM         985128 vDiagram_2.0.11.vssx
-a----         2/15/2021   5:29 PM         116398 vDiagram_Scheduled_Task_2.0.11.ps1
-a----         2/15/2021   5:29 PM         254037 vDiagram_Standard.png


PS C:\vDiagram2.0-master>

Use the “Unblock-File” command, which removes the block that Windows places on files downloaded from the Internet so that the script can be executed.

PS C:\vDiagram2.0-master> Unblock-File .\vDiagram_2.0.11.ps1
PS C:\vDiagram2.0-master>

In this step with the “$PSVersionTable” command confirm the Powershell version locally installed. Reviewing the requirements section above you can see that in order to use the vDiagram tool you need to have a Powershell version 5.1.x or higher. In the example below you can see that my computer has version “5.1.19041.1151”.

PS C:\vDiagram2.0-master> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.1151
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1151
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\vDiagram2.0-master>

Additionally you must validate the PowerCLI module. With the “Get-Module” command you can validate the PowerCLI installed version.

PS C:\vDiagram2.0-master> Get-Module -ListAvailable -Name 'VMware.PowerCLI' | Sort-Object -Property Version -Descending | Select-Object -First 1


    Directory: C:\Program Files\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   12.3.0.... VMware.PowerCLI


PS C:\vDiagram2.0-master> 

After all requirements are met you can run the script by calling the file “.\vDiagram_2.0.11.ps1”.

PS C:\vDiagram2.0-master> 

PS C:\vDiagram2.0-master> .\vDiagram_2.0.11.ps1
[08/24/2021 10:45:16] VMware PowerCLI Module(s) 12.3.0.17860403 11.5.0.14912921  found on this machine.

Once the program finishes running you can see in the “Prerequisites” tab a summary of all the dependencies and their status. In the example below all dependencies are shown in green, which indicates that they are installed.

Following the steps shown in the “Directions” tab, enter the IP address or FQDN of the vCenter and the credentials. It is important to mention that a read-only account is the only privilege needed to connect and extract the required information.

Once the vCenter information is filled in, validate the connection by pressing the “Connect to vCenter” button. As you can see in the image below, the button changes to green, indicating that there was a successful connection to vCenter with the provided credentials.

The next step is to select the “Capture CSVs for Visio” tab and specify the folder where the reports will be saved. In the example below I used the <Desktop/Output> folder.

It is important to mention that for each selected value a file will be created with the information of the respective element.

Then click on “Collect CSV Data” to start the data collection process.

Once the data collection process ends, select the “Draw Visio” tab and configure the “Select CSV Input Folder” option.

Next, the folder where the previously collected data was stored is selected. In the following example it would be the <Desktop/Output> folder that I used in the “Capture CSVs for Visio” section.

It is now important to verify that all the information needed to build the diagram has been provided by clicking on the “CSV Validation Complete” button.

In the following step it is required to specify a folder where the diagram will be saved once it has been generated. To do so, click on “Select Visio output folder” and then select the folder to be used for this purpose. In the following example I have selected <Desktop/Output>.

In the “Visio Output Folder” area select the multiple options available to generate the diagram. Once you have selected the “Output” folder you can generate the diagram by clicking on the “Draw Visio” button.

At this step click “OK” in the notification about the diagram creation.

To view the generated diagram of our virtual infrastructure, click on the “Open Visio Diagram” button.

Finally, here are some sample images of the diagrams generated using my “HomeLab” virtual infrastructure as an example.

Summary

In this lab a tool called vDiagram is demonstrated, which allows us to make a logical representation of how the components of our virtual infrastructure are related. The good thing about this tool is that it is available for free. I hope you liked this lab. If you have any doubts or questions about this lab, leave them in the comments. Hasta Luego!!!!

VMware Skyline Health Diagnostics Deployment

Hello everyone

This time I will show you the integration of “VMware Skyline Health Diagnostics” (VSHD) with VMware vCenter. I will also show you how to run the diagnostics to check the health of your virtual infrastructure. VSHD is a self-diagnostic platform that detects and helps solve problems in both the vSphere and vSAN product lines.

This tool provides recommendations in the form of Knowledge Base articles or links to troubleshooting procedures. vSphere administrators can use this tool to troubleshoot issues before contacting VMware Global Support.

© 2021 VMware

Benefits:

  • According to VMware, VSHD automatically provides links to articles with steps to resolve the problem, based on symptoms.
  • Self-service improves the time to get recommendations to assist in problem resolution.
  • Rapid repair to help recover the infrastructure from a failure and ensure that the business operates with less disruption.

To start we must access the following link where we can download the OVA file that allows us to manage the creation of the virtual machine where the VSHD services run.

https://my.vmware.com/group/vmware/get-download?downloadGroup=SKYLINE_HD_VSPHERE

Once authenticated on the VMware portal you will be redirected to the area where you can download the OVA file.

Below is the process of creating the VM using the OVA template that you downloaded.

Installing VSHD through VMware vCenter

Start by using the “Deploy OVF Template” wizard where you upload the installation file by pressing “UPLOAD FILES”.

Set a name and select the folder in which the VM object will be created.

Select the “Compute Cluster” and press “NEXT”.

Confirm the information and press “NEXT”.

Accept the Licensing Agreement and press “NEXT”.

Select the storage location where the VM will be created and press “NEXT”.

Select the network to be used by the VM and press “NEXT”.

At this stage the unique properties of the VM such as the hostname, the password of the administration accounts and the IP address information are defined.

After the information has been validated, click “FINISH” to complete the process.

The installation process can be monitored from the “Recent Tasks” tab.

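An optional requirement is the association of a DNS name with the IP used in the installation process. The following screen shows how to register a DNS name (FQDN) using PowerShell from a Windows console. Note that the -AllowUpdateAny switch used here allows any authenticated user to update a record with the same owner name, so omit it if the record should stay static.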

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> Add-DnsServerResourceRecordA -Name vmware-shd -IPv4Address 192.168.5.70 -ZoneName zenprsolutions.local -CreatePtr -AllowUpdateAny

PS C:\Users\Administrator> Get-DnsServerResourceRecord -Name vmware-shd -ZoneName zenprsolutions.local

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
vmware-shd                A          1          0                    01:00:00        192.168.5.70


PS C:\Users\Administrator>

Once the OVA file installation process is complete, you can proceed to power on the VM that will be used for the VSHD service.

When we turn on the VM we can see the DNS name information and the IP address that we previously configured.

With the IP address we can access the administration portal of the application using the following credentials:

  • Username: shd-admin
  • Password: <previously established>

The next step is to add the vCenter/ESXi information and corresponding credentials.

We can validate that the information entered is correct by pressing the “CHECK CONNECTION” button.

After validating the information and credentials, you proceed to run the diagnostic by pressing “RUN DIAGNOSTIC”.

In this screen you select the ESXi and vCenter servers you wish to scan and the type of plug-in to run during the collection of diagnostic information.

Optionally you can set up a “Tag” that can be used for an easy search of the diagnostics. Then you can click on “FINISH”.

In this next image we can see the progress of the diagnostic information gathering.

Additionally from the vCenter management console you can see a task related to the gathering process.

Once the process has finished you can view the status of the task by clicking on the “SHOW SUMMARY” button.

In this screen we can see that the tasks were executed without problems.

By pressing the “SHOW REPORT” button you can view the resulting reports.

To view the report press the eye icon as shown in the following image.

Here I show you several examples of the resulting report where you can pinpoint some of the problems with the infrastructure used as an example.

Summary

In this lab, I installed and configured the “VMware Skyline Health Diagnostics” (VSHD) which allows vSphere administrators to use this tool to troubleshoot issues before contacting VMware support. One nice thing about this tool is that it is freely available. I hope you liked this lab. If you have any doubts or questions about this lab, leave them in the comments. Regards.

NetApp Ontap Mediator Installation and Configuration

Hello everyone,

Today I will be talking a bit about how to install and configure the “Ontap Mediator” application, which is used as an alternate way to validate the health status of a cluster collection. To explain the role of this application I will use the NetApp portal documentation as a reference:

ONTAP Mediator provides an alternate health path to the peer cluster, with the intercluster LIFs providing the other health path. With the Mediator’s health information, clusters can differentiate between intercluster LIF failure and site failure. When the site goes down, Mediator passes on the health information to the peer cluster on demand, facilitating the peer cluster to fail over. With the Mediator-provided information and the intercluster LIF health check information, ONTAP determines whether to perform an auto failover, if it is failover incapable, continue or stop.

Role of ONTAP Mediator

This application can be used in “MetroCluster” scenarios as well as with “SnapMirror Business Continuity” (SM-BC) technology. As of ONTAP 9.8, SnapMirror Business Continuity (SM-BC) can be used to protect applications with LUNs, allowing applications to migrate transparently, ensuring business continuity in the event of a disaster. SM-BC uses “SnapMirror Synchronous” technology that allows data to be replicated to the target as soon as it is written to the source volume.

In this lab I will show you the Mediator application with the purpose of being able to perform in the future a lab on SM-BC in a VMware environment. The following image shows the role of Ontap Mediator within the SM-BC technology architecture.

As you can see the “Mediator” is constantly evaluating the Datacenter status to identify possible failures and to be able to react by migrating access to the volumes to the Datacenter that is up and running. It may be useful to understand some of the basics of SM-BC recovery and restoration.

Planned recovery:

A manual operation to change the access roles to volumes in an SM-BC relationship. The primary becomes the secondary and the secondary becomes the primary. The ALUA status report is also modified according to the status of the relationship.

Automatic unplanned recovery (AUFO):

An automatic operation to perform a failover to the mirror copy. The operation requires the assistance of the Ontap Mediator to detect that the primary copy is not available.

Here are the requirements to install the application.

Requirements

To validate the complete list of requirements you can visit the documentation of “Ontap Mediator”.

For this lab I am going to use Red Hat Enterprise Linux 8.1 running on a vSphere VM. The first thing to do is to download the application installation package. This is done by accessing the NetApp support portal as shown in the following image.

Link to Ontap Mediator:

https://mysupport.netapp.com/site/products/all/details/ontap-mediator/downloads-tab

After downloading the installation package, copy the “ONTAP-MEDIATOR-1.3” file to the server to be used for this purpose. Then proceed to change the installation file to executable mode with the command chmod +x.

[root@NTAPMED-01V ~]# ls
anaconda-ks.cfg  ONTAP-MEDIATOR-1.3
[root@NTAPMED-01V ~]# chmod +x ONTAP-MEDIATOR-1.3 
[root@NTAPMED-01V ~]#

Next, proceed to install the application dependencies with the yum install command as shown below.

[root@NTAPMED-01V ~]# yum install openssl openssl-devel kernel-devel gcc libselinux-utils make redhat-lsb-core patch bzip2 python36 python36-devel perl-Data-Dumper perl-ExtUtils-MakeMaker python3-pip elfutils-libelf-devel policycoreutils-python-utils -y
Last metadata expiration check: 0:13:59 ago on Tue 29 Jun 2021 10:01:36 PM AST.
Package openssl-1:1.1.1g-15.el8_3.x86_64 is already installed.
Package libselinux-utils-2.9-5.el8.x86_64 is already installed.
Dependencies resolved.
...............
Installed:

Really long Output                                                              

Complete!
[root@NTAPMED-01V ~]#

Once all dependencies are installed, you can start running the application installation file. To do this use the command ./ONTAP-MEDIATOR-1.3.

Note: This command must be executed in the location where the installation file was stored.

[root@NTAPMED-01V ~]# ./ONTAP-MEDIATOR-1.3 

ONTAP Mediator: Self Extracting Installer

ONTAP Mediator requires two user accounts. One for the service (netapp), and one for use by ONTAP to the mediator API (mediatoradmin).
Would you like to use the default account names: netapp + mediatoradmin? (Y(es)/n(o)): Yes
Enter ONTAP Mediator user account (mediatoradmin) password: XXXXXX 

Re-Enter ONTAP Mediator user account (mediatoradmin) password: XXXXX

Checking if SELinux is in enforcing mode
SELinux is set to Enforcing. ONTAP Mediator server requires modifying the SELinux context of the file
/opt/netapp/lib/ontap_mediator/pyenv/bin/uwsgi from type 'lib_t' to 'bin_t'.
This is neccessary to start the ONTAP Mediator service while SELinux is set to Enforcing.
Allow SELinux context change?  Y(es)/n(o): Yes
The installer will change the SELinux context type of
/opt/netapp/lib/ontap_mediator/pyenv/bin/uwsgi from type 'lib_t' to 'bin_t'.




Checking for default Linux firewall
Linux firewall is running. Open ports 31784 and 3260? Y(es)/n(o): Yes
success
success
success


###############################################################
Preparing for installation of ONTAP Mediator packages.


Do you wish to continue? Y(es)/n(o): 

The installer will ask several questions about the password of the users used by the ONTAP Mediator service and the TCP ports that will be opened in the local “Firewall” of the server. Once everything is properly specified the installer will validate that all the application prerequisites are installed.

Do you wish to continue? Y(es)/n(o): Y


+ Installing required packages.


Updating Subscription Management repositories.

Really long Output                                                              

Dependencies resolved.
Nothing to do.
Complete!
OS package installations finished
+ Installing ONTAP Mediator. (Log: /tmp/ontap_mediator.7atkl8/ontap-mediator/install_20210709162016.log)
    This step will take several minutes. Use the log file to view progress.
#includedir /etc/sudoers.d
Sudo include verified
ONTAP Mediator logging enabled
+ Install successful. (Moving log to /opt/netapp/lib/ontap_mediator/log/install_20210709162016.log)
+ Note: ONTAP Mediator uses a kernel module compiled specifically for the current
        system OS. Using 'yum update' to upgrade the kernel may cause a service
        interruption.
    For more information, see /opt/netapp/lib/ontap_mediator/README
[root@NTAPMED-01V ~]#

After installing the application it is important to validate that the services of the Ontap Mediator are activated and functional. To validate the services use the command <systemctl status ontap_mediator mediator-scst>.

[root@NTAPMED-01V ~]# systemctl status ontap_mediator mediator-scst
 ontap_mediator.service - ONTAP Mediator
   Loaded: loaded (/etc/systemd/system/ontap_mediator.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 14:21:31 AST; 11min ago
  Process: 1296 ExecStop=/bin/kill -s INT $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 1298 (uwsgi)
   Status: "uWSGI is ready"
    Tasks: 3 (limit: 23832)
   Memory: 61.4M
 Started ONTAP Mediator.

 mediator-scst.service
   Loaded: loaded (/etc/systemd/system/mediator-scst.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 14:21:30 AST; 11min ago
  Process: 1164 ExecStart=/etc/init.d/scst start (code=exited, status=0/SUCCESS)
 Main PID: 1250 (iscsi-scstd)
    Tasks: 1 (limit: 23832)
   Memory: 3.3M
 Started mediator-scst.service.
[root@NTAPMED-01V ~]# 

Additionally, it is important to ensure that the services are using the correct TCP ports. With the command <netstat -anlt | grep -E '3260|31784'> you can validate that ports 3260 and 31784 are in “LISTEN” mode.

[root@NTAPMED-01V ~]# netstat -anlt | grep -E '3260|31784'
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:31784           0.0.0.0:*               LISTEN     
tcp6       0      0 :::3260                 :::*                    LISTEN     
[root@NTAPMED-01V ~]# 

With the command firewall-cmd --list-all you can validate that the rules for ports 31784/tcp and 3260/tcp are properly configured in the server’s local firewall.

[root@NTAPMED-01V ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 31784/tcp 3260/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@NTAPMED-01V ~]# 

Once the installation process has been successfully completed, add the Ontap Mediator to the configuration of the clusters where you have selected to use the “SnapMirror Business Continuity” (SM-BC) technology. To add the configuration, go to [Protection] => [Overview] => [Mediator] => [Configure]. Then you have to add the configuration as shown in the following images. It is important to mention that the certificate to be added in this configuration is the one of the CA located in:

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ca.crt

Note: It is important to mention that for this configuration to work there must be a “cluster peer” and “vserver peer” relationship previously established.

Through the Ontap console you can also validate that the Ontap Mediator configuration is working correctly. With the <snapmirror mediator show> command you can validate that the Connection Status is “connected” and the Quorum Status is “true”.

Note: This command must be used in both clusters to validate that the connection is correctly established.

OnPrem-HQ::> snapmirror mediator show                    
Mediator Address Peer Cluster     Connection Status Quorum Status
---------------- ---------------- ----------------- -------------
192.168.6.16     OnPrem-DR       connected         true

OnPrem-HQ::*> 
OnPrem-DR::> snapmirror mediator show
Mediator Address Peer Cluster     Connection Status Quorum Status
---------------- ---------------- ----------------- -------------
192.168.6.16     OnPrem-HQ       connected       true

OnPrem-DR::> 

Here is how to add the Ontap Mediator to the cluster through Ontap’s console.

Ontap Mediator CLI Setup

With the snapmirror mediator add command you can add the Ontap Mediator with the IP address 192.168.6.16 to the OnPrem-HQ cluster. It is important to mention that for this configuration to work there must be a “Cluster peer” and “Vserver peer” relationship previously established.

OnPrem-HQ::> snapmirror mediator add -mediator-address 192.168.6.16 -peer-cluster OnPrem-DR -username mediatoradmin 

Notice: Enter the mediator password.

Enter the password: XXXXX
Enter the password again: XXXXX

Info: [Job: 171] 'mediator add' job queued 

OnPrem-HQ::> 

With the snapmirror mediator show command you can validate that the Connection Status is “connected” and the Quorum Status is set to “true”.

OnPrem-HQ::> snapmirror mediator show                    
Mediator Address Peer Cluster     Connection Status Quorum Status
---------------- ---------------- ----------------- -------------
192.168.6.16     OnPrem-DR       connected         true

OnPrem-HQ::*> 
OnPrem-DR::> snapmirror mediator show
Mediator Address Peer Cluster     Connection Status Quorum Status
---------------- ---------------- ----------------- -------------
192.168.6.16     OnPrem-HQ       connected       true

OnPrem-DR::> 

Additionally I show you how to replace the SSL certificate of the Ontap Mediator service with one generated from a Microsoft Certificate Authority.

Optional SSL Certificate Replacement

Step 1: Generate a configuration file to create the Certificate Signing Request (CSR). In this step it is important to set the CN and DNS with the fully qualified domain name (FQDN) of the server. In my case the server name is NTAPMED-01V.

[root@NTAPMED-01V ~]# nano -w req.conf 
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = PR
L = SJ
O = Zen PR Solutions
OU = IT
CN = NTAPMED-01V
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = NTAPMED-01V.zenprsolutions.local

Step 2: Use the openssl command to generate the CSR file that will be used as a template to create the certificate that the Ontap Mediator service will use.

Note: If the openssl command is not available on your system you can use the yum install openssl command to install the necessary packages.

[root@NTAPMED-01V ~]# openssl req -new -out ntapmed.csr -newkey rsa:2048 -nodes -sha256 -keyout ntapmed.key -config req.conf

Once the openssl command has finished, two files will be created: ntapmed.csr, the template that will be used to generate the certificate, and ntapmed.key, the private key.

[root@NTAPMED-01V ~]# ls -al ntapmed.*
-rw-r--r-- 1 root      root      1123 Jul  9 16:53 ntapmed.csr #Certificate Signing Request
-rw-r--r-- 1 rebelinux rebelinux 1704 Jul  9 16:53 ntapmed.key #Private Key
[root@rebelpc rebelinux]# 

Step 3: Access Microsoft’s Certificate Authority server and use the certreq.exe command to generate the certificate using the ntapmed.csr file as template.

C:\>certreq.exe -submit -attrib "CertificateTemplate:WebServer" ntapmed.csr ntapmed.cer

Once the process is completed, a file will be created with the name ntapmed.cer that is used for the Ontap Mediator service.

Step 4: To replace the SSL certificate it is also necessary to change the public certificate of the CA. To obtain this certificate from the CA use the command certutil -ca.cert ca.cer, which will write the certificate to the ca.cer file.

C:\>certutil -ca.cert ca.cer

Once this process is completed simply copy all the files (ca.cer, ntapmed.cer and ntapmed.key) to the Ontap Mediator server.

Step 5: Move to the /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ folder and modify the certificate files as shown below.

[root@NTAPMED-01V ~]# cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/
[root@NTAPMED-01V server_config]# ls
ca.crt  ca.srl            config.pyc    logging.conf.yaml  ontap_mediator.config.yaml     ontap_mediator_schema.yaml  ontap_mediator_server.csr  ontap_mediator.user_config.yaml
ca.key  config_migration  __init__.pyc  netapp_sudoers     ontap_mediator.constants.yaml  ontap_mediator_server.crt   ontap_mediator_server.key
[root@NTAPMED-01V server_config]# cp -R /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config /root/
[root@NTAPMED-01V server_config]#
[root@NTAPMED-01V server_config]# nano -w ca.crt
[root@NTAPMED-01V server_config]# openssl x509 -noout -serial -in ca.crt 
serial=5D2E25D9AFFDE4904A05D70BEB7ACBD2
[root@NTAPMED-01V server_config]# 
[root@NTAPMED-01V server_config]# nano -w ontap_mediator_server.crt
[root@NTAPMED-01V server_config]# nano -w ontap_mediator_server.key

After making the changes, it is necessary to restart the services using the command systemctl restart ontap_mediator mediator-scst.

[root@NTAPMED-01V server_config]# systemctl restart ontap_mediator mediator-scst
[root@NTAPMED-01V server_config]# systemctl status ontap_mediator mediator-scst
 ontap_mediator.service - ONTAP Mediator
   Loaded: loaded (/etc/systemd/system/ontap_mediator.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 20:31:48 AST; 8s ago
  Process: 22222 ExecStop=/bin/kill -s INT $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 22232 (uwsgi)
   Status: "uWSGI is ready"
    Tasks: 3 (limit: 23832)
   Memory: 56.5M

 mediator-scst.service
   Loaded: loaded (/etc/systemd/system/mediator-scst.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 20:31:50 AST; 5s ago
  Process: 22223 ExecStop=/etc/init.d/scst stop (code=exited, status=0/SUCCESS)
  Process: 22309 ExecStart=/etc/init.d/scst start (code=exited, status=0/SUCCESS)
 Main PID: 22389 (iscsi-scstd)
    Tasks: 1 (limit: 23832)
   Memory: 1.0M
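
The files pasted into server_config in Step 5 can be checked before the restart. The script below is an added example, not part of the original post or of NetApp's tooling: it confirms that the private key is not readable by other users (the listing in Step 2 shows ntapmed.key as -rw-r--r--), that the issued certificate belongs to that key, that it verifies against the CA certificate, and that it is valid for the server's FQDN. The function names are assumptions, and a throwaway openssl CA stands in for the Microsoft CA so the demo runs offline on constructed files.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files installed in Step 5.
# Function names are illustrative; nothing here is part of ONTAP Mediator.

# True when the file carries no group/other permission bits (0600, 0400).
key_mode_ok() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the public key (PEM) held in a certificate or a private key.
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

# True when the certificate was issued for this private key.
cert_matches_key() {
    c=$(pubkey_of cert "$1") && k=$(pubkey_of key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate verifies with the CA file as trust anchor.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when the certificate is valid for the given host name.
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Run every check; $1=CA cert $2=server cert $3=server key $4=FQDN.
preflight() {
    rc=0
    key_mode_ok "$3" || { echo "FAIL: $3 is accessible to group/other"; rc=1; }
    cert_matches_key "$2" "$3" || { echo "FAIL: $2 does not match $3"; rc=1; }
    cert_chains_to "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    cert_names_host "$2" "$4" || { echo "FAIL: $2 is not valid for $4"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate set is consistent"
    return "$rc"
}

# Build a constructed certificate set in directory $1. A throwaway openssl CA
# stands in for the Microsoft CA of Steps 3 and 4; req.conf mirrors Step 1.
make_fixture() {
    (
        cd "$1" && umask 077 && cat > req.conf <<'EOF' &&
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
O = Constructed Example
CN = NTAPMED-01V
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = NTAPMED-01V.zenprsolutions.local
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.conf \
            -keyout ntapmed.key -out ntapmed.csr &&
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -config req.conf -extensions v3_ca -subj "/CN=Constructed Lab CA" \
            -keyout ca.key -out ca.cer &&
        openssl x509 -req -in ntapmed.csr -CA ca.cer -CAkey ca.key \
            -CAcreateserial -days 30 -sha256 -extfile req.conf \
            -extensions v3_req -out ntapmed.cer
    ) >/dev/null 2>&1
}

# Demo on constructed files. On the Mediator host, call preflight with the
# real ca.cer, ntapmed.cer, ntapmed.key and FQDN before editing server_config.
work=$(mktemp -d) && make_fixture "$work" &&
    preflight "$work/ca.cer" "$work/ntapmed.cer" "$work/ntapmed.key" \
        NTAPMED-01V.zenprsolutions.local
chmod 644 "$work/ntapmed.key"   # reproduce the -rw-r--r-- key from Step 2
preflight "$work/ca.cer" "$work/ntapmed.cer" "$work/ntapmed.key" \
    NTAPMED-01V.zenprsolutions.local || true
rm -rf "$work"
```

Running chmod 600 on ntapmed.key (and on the copy made in /root) clears the first failure reported by the second run.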

Summary

In this lab I showed you how to install and configure Ontap Mediator. In the future I will use this service to do a lab on “SnapMirror Business Continuity” (SM-BC) together with VMware. I hope you liked this lab. If you have any doubts or questions about it, leave them in the comments. Regards.

HomeLab: How to obtain a Veeam Not for Resale (NFR) license for your HomeLab protection

This time I will show you how to get free Veeam licenses that you can use to protect your “HomeLab” or to practice if you are planning to get certified as a “Veeam Certified Engineer” (VMCE). I am currently protecting my virtual environment with these licenses, which can be obtained if you meet one of these requirements:

Who is eligible?

  • Veeam Certified Engineers (VMCE)
  • VMware: vExperts, VMware Certified Professionals (VCPs & VCAPs)
  • Microsoft: Most Valuable Professionals (MVPs), Microsoft Certified Solutions Experts (MCSEs)
  • AWS: AWS Heroes & Certified Professionals
  • Nutanix AHV: ALL Nutanix technical personnel
  • VMware, Microsoft, AWS trainers, bloggers and other certified professionals

To request this free license just access the link “Veeam FREE NFR Key for Veeam Availability Suite” and fill out the form which is shown in the following image:

After filling out the form, you will receive an email with the attached NFR licenses that you can install on your Veeam B&R Server.

Although there is a “Veeam Community” version that is also freely available, this license does not have all the features of the NFR edition. I have included the link of the Veeam portal where you can compare the features available for each type of edition. Here is the link “Veeam Feature comparison”.

I hope you liked this post. If you have any questions or comments about it, leave them in comments. Regards.

Hasta Luego Amigos!

HomeLab: Using vCheck for vSphere Infrastructure Health Assessment

This time I will show you how to download and use the vCheck tool, which is used to validate the health status of the VMware vSphere infrastructure. This tool is developed by Alan Renouf as a mechanism to identify possible failures or misconfigurations in the vSphere implementation. To learn more about this tool I will use the vCheck documentation as a reference:

This script picks on the key known issues and potential issues scripted as plugins for various technologies written as Powershell scripts and reports it all in one place so all you do in the morning is check your email.

vCheck Github Page

In this area I present to you what is checked when using vCheck.

What is checked in the vSphere version?

  • General Details
  • Number of Hosts
  • Number of VMs
  • Number of Templates
  • Number of Clusters
  • Number of Datastores
  • Number of Active VMs
  • Number of Inactive VMs
  • Number of DRS Migrations for the last days
  • Snapshots over x Days old
  • Datastores with less than x% free space
  • VMs created over the last x days
  • VMs removed over the last x days
  • VMs with No Tools
  • VMs with CD-Roms connected
  • VMs with Floppy Drives Connected
  • VMs with CPU ready over x%
  • VMs with over x amount of vCPUs
  • List of DRS Migrations
  • Hosts in Maintenance Mode
  • Hosts in disconnected state
  • NTP Server check for a given NTP Name
  • NTP Service check
  • vmkernel warning messages over the last x days
  • VC Error Events over the last x days
  • VC Windows Event Log Errors for the last x days with VMware in the details
  • VC VMware Service details
  • VMs stored on datastores attached to only one host
  • VM active alerts
  • Cluster Active Alerts
  • If HA Cluster is set to use host datastore for swapfile, check the host has a swapfile location set
  • Host active Alerts
  • Dead SCSI Luns
  • VMs with over x amount of vCPUs
  • vSphere check: Slot Sizes
  • vSphere check: Outdated VM Hardware (Less than V7)
  • VMs in Inconsistent folders (the name of the folder is not the same as the name)
  • VMs with high CPU usage
  • Guest disk size check
  • Host over committing memory check
  • VM Swap and Ballooning
  • ESXi hosts without Lockdown enabled
  • ESXi hosts with unsupported mode enabled
  • General Capacity information based on CPU/MEM usage of the VMs
  • vSwitch free ports
  • Disk over commit check
  • Host configuration issues
  • VCB Garbage (left snapshots)
  • HA VM restarts and resets
  • Inaccessible VMs

It is important to mention that vCheck has support for other products as shown in the following image:

Source: Virtu-Al.Net

To get started you need to download the tool from the Github portal where it is continuously developed. To download vCheck directly click on the following link “Download”. Once the script is downloaded, it is necessary to unzip it.

The first time vCheck is run it starts the configuration process. This configuration creates a template with the information that will be used for all future runs of the program. To modify these parameters again you can use the <-config> option as follows:

[blabla@blabla ~]$ pwsh #Powershell core on Linux :)
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /home/blabla/vCheck> ./vCheck.ps1 -config

The following is an example of the vCheck configuration process.

Configuration process example

PS /home/blabla/vCheck> ./vCheck.ps1 -config
WARNING: 
GlobalVariables
# Report header [vCheck]: 
# Would you like the report displayed in the local browser once completed ? [$true]: 
# Display the report even if it is empty? [$true]: 
# Use the following item to define if an email report should be sent once completed [$false]: 
# Please Specify the SMTP server address (and optional port) [servername(:port)] [mysmtpserver.mydomain.local]: 
# Would you like to use SSL to send email? [$false]: 
# Please specify the email address who will send the vCheck report [me@mydomain.local]: 
# Please specify the email address(es) who will receive the vCheck report (separate multiple addresses with comma) [me@mydomain.local]: 
# Please specify the email address(es) who will be CCd to receive the vCheck report (separate multiple addresses with comma) []: 
# Please specify an email subject [$Server vCheck Report]: 
# Send the report by e-mail even if it is empty? [$true]: 
# If you would prefer the HTML file as an attachment then enable the following: [$false]: 
# Set the style template to use. [Clarity]: 
# Do you want to include plugin details in the report? [$true]: 
# List Enabled plugins first in Plugin Report? [$true]: 
# Set the following setting to $true to see how long each Plugin takes to run as part of the report [$true]: 
# Report on plugins that take longer than the following amount of seconds [30]: 
WARNING: 
Connection settings for vCenter
# Please Specify the address (and optional port) of the vCenter server to connect to [servername(:port)] [vcsa.local.lab]: vcenter-01v.pharmax.local
WARNING: 
General Information
# Set the number of days of DRS Migrations to report and count on [1]: 
# Set the number of days of Storage DRS Migrations to report and count on [1]: 
WARNING: 
Checking VI Events
# Set the number of days of VC Events to check for errors [1]: 
WARNING: 
Windows vCenter Error Event Logs
# Set the number of days of VC Events to check for errors [1]: 
# Set the number of days of VC Event Logs to check for warnings and errors [1]: 
WARNING: 
Windows vCenter Error Event Logs
# Set the number of days of VC Events to check for errors [1]: 
# Set the number of days of VC Event Logs to check for warnings and errors [1]: 
WARNING: 
vCenter Sessions Age
# Enter maximum vCenter session length in hours [48]: 
# Enter minimum vCenter session length in minutes (IdleMinutes) [10]: 
# Do not report on usernames that are defined here (regex) [DOMAIN\\user1|DOMAIN\\user2]: 
WARNING: 
vCenter License Report
# Display Eval licenses? [$true]: 
WARNING: 
HA configuration issues
# HA Configuration Issues, do not report on any Clusters that are defined here [Example_Cluster_*|Test_Cluster_*]: 
# HA should be set to ... [$true]: 
# HA host monitoring should be set to ... [$true]: 
# HA Admission Control should be set to ... [$true]: 
WARNING: 
HA VMs restarted
# HA VM restart day(s) number [5]: 
WARNING: 
DRS & SDRS Migrations
# Set the number of days of DRS Migrations to report and count on [1]: 
# Set the number of days of Storage DRS Migrations to report and count on [1]: 
WARNING: 
Cluster Slot Sizes
# Minimum number of slots available in a cluster [10]: 
WARNING: 
Datastore Consistency
# Do not report on any Datastores that are defined here (Datastore Consistency Plugin) [local*|datastore*]: 
WARNING: 
Clusters with DRS disabled
# Clusters with DRS Disabled, do not report on any Clusters that are defined here [VM1_*|VM2_*]: 
WARNING: 
QuickStats Capacity Planning
# Max CPU usage for non HA cluster [0.6]: 
# Max MEM usage for non HA cluster [0.6]: 
WARNING: 
s/vMotion Information
# Set the number of days to go back and check for s/vMotions [5]: 
# Include vMotions in report [$true;]: 
# Include Storage vMotions in report [$true;]: 
WARNING: 
DRS Rules
# Display VM affinity rules? [$true]: 
# Display VM anti-affinity rules? [$true]: 
# Display HOSTaffinity rules? [$true]: 
# Set DRS Rule name exception (regex) [ExcludeMe]: 
WARNING: 
Hosts Overcommit state
# Return results in GB or MB? [GB]: 
WARNING: 
Active Directory Authentication
# Show "OK" results? [$false]: 
# Expected Domain name [mydomain.local]: 
# Expected Admin Group [ESX Admins]: 
WARNING: 
NTP Name and Service
# The NTP server which should be set on your hosts (comma-separated) [pool.ntp.org,pool2.ntp.org]: 
WARNING: 
VMKernel Warnings
# Disabling displaying Google/KB links in order to have wider message column [$true]: 
WARNING: 
Syslog Name
# The Syslog server(s) which should be set on your hosts (comma-separated) [udp://syslogserver]: 
WARNING: 
Disk Max Total Latency
# Disk Max Total Latency Settings in Milliseconds [50]: 
# Disk Max Total Latency range to inspect (1-24) Hours [24]: 
WARNING: 
Lost Access to Volume
# Set the number of days of Lost Action Volume to report and count on [1]: 
WARNING: 
Check LUNS have the recommended number of paths
# Set the Recommended number of paths per LUN [2]: 
WARNING: 
ESXi Inode Exhaustion
# Set the ESXi filesystem free Inode threshold in percent [40]: 
WARNING: 
Host Profile Compliance
# Show detailed information in report [$true]: 
# Show compliant servers [$false]: 
WARNING: 
Hosts with Upcoming Certificate Expiration
# How many days to warn before cert expiration (Default 60) [60]: 
WARNING: 
Host Multipath Policy
# The Multipath Policy (PSP Plugin) your hosts should be configured to use [VMW_PSP_RR]: 
WARNING: 
Host Power Management Policy
# Which power management policy should your hosts use? For Balanced enter "dynamic" (this is the ESXi default policy), for High Performance enter "static", for Low power enter "low". [dynamic]: 
WARNING: 
Datastore Information
# Set the warning threshold for Datastore % Free Space [15]: 
# Do not report on any Datastores that are defined here (Datastore Free Space Plugin) [local]: 
WARNING: 
Number of VMs per Datastore
# Max number of VMs per Datastore [5]: 
# Exclude these datastores from report [ExcludeMe]: 
WARNING: 
Datastore OverAllocation
# Datastore OverAllocation % [50]: 
# Exclude these datastores from report []: 
WARNING: 
Datastores with Storage IO Control Disabled
# Do not report on any Datastores that are defined here (Storage IO Control disabled Plugin) [local]: 
WARNING: 
sDRS VM Behavior not Default
# Exclude these VMs from report []: 
WARNING: 
VSAN Datastore Capacity
# Set the warning threshold for VSAN Datastore % Free Space [15]: 
WARNING: 
VSAN Configuration Maximum Disk Group Per Host Report
# Percentage threshold to warn? [80]: 
WARNING: 
VSAN Configuration Maximum Magnetic Disks Per Disk Group Report
# Percentage threshold to warn? [50]: 
WARNING: 
VSAN Configuration Maximum Total Magnetic Disks In All Disk Groups Per Host Report
# Percentage threshold to warn? [50]: 
WARNING: 
VSAN Configuration Maximum Components Per Host Report
# Percentage threshold to warn? [50]: 
WARNING: 
VSAN Configuration Maximum Hosts Per VSAN Cluster Report
# Percentage threshold to warn? [45]: 
WARNING: 
VSAN Configuration Maximum VMs Per Host Report
# Percentage threshold to warn? [50]: 
WARNING: 
VSAN Configuration Maximum VMs Per VSAN Cluster Report
# Percentage threshold to warn? [50]: 
WARNING: 
Checking Standard vSwitch Ports Free
# vSwitch Port Left [5]: 
WARNING: 
Checking Distributed vSwitch Port Groups for Ports Free
# Distributed vSwitch PortGroup Ports Left [10]: 
WARNING: 
vSwitch Security
# Warn for AllowPromiscuous enabled? [$true]: 
# Warn for ForgedTransmits enabled? [$true]: 
# Warn for MacChanges enabled? [$true]: 
WARNING: 
Snapshot Information
# Set the warning threshold for snapshots in days old [14]: 
# Set snapshot name exception (regex) [ExcludeMe]: 
# Set snapshot description exception (regex) [ExcludeMe]: 
# Set snapshot creator exception (regex) [ExcludeMe]: 
WARNING: 
Map disk region event
    # Set the number of days to show Map disk region event for [5]: 
WARNING: 
Created or cloned VMs
# Set the number of days to show VMs created for [5]: 
WARNING: 
Removed VMs
# Set the number of days to show VMs removed for [5]: 
WARNING: 
VMs with over CPU Count
# Define the maximum amount of vCPUs your VMs are allowed [2]: 
WARNING: 
VMs restarted due to Guest OS Error
# HA VM reset day(s) number due to Guest OS error [5]: 
WARNING: 
Guests with less than X MB free
# VM Disk space left, set the amount you would like to report on MBFree [1024]: 
# VM Disk space left, set the amount you would like to report on MBDiskMinSize [1024]: 
WARNING: 
Checking VM Hardware Version
# Hardware Version to check for at least [8]: 
# Adding filter for dsvas, vShield appliances or any other vms that will remain on a lower HW version [vShield*|dsva*]: 
WARNING: 
VMs in inconsistent folders
# Specify which Datastore(s) to filter from report [local]: 
WARNING: 
No VM Tools
# Do not report on any VMs who are defined here (regex) []: 
WARNING: 
VM Tools Issues
# VM Tools Issues, do not report on any VMs who are defined here []: 
WARNING: 
Removable Media Connected
# VMs with removable media not to report on []: 
WARNING: 
Single Storage VMs
# Local Stored VMs, do not report on any VMs who are defined here [Template_*|VDI*]: 
# Local Datastores, do not report on any VMs within these datastores [Local|datastore1]: 
WARNING: 
VM CPU %RDY
# CPU ready on VMs should not exceed [10.0]: 
WARNING: 
VM CPU Usage
# VM Not to go over the following amount of CPU [75]: 
# VM CPU not allowed to go over the previous amount for how many days? [1]: 
WARNING: 
Backup Garbage
# Names used in backup product snapshots. Defaults include VCB, Veeam, NetBackup, and Commvault [VCB|Consolidate|veeam|NBU_SNAPSHOT|GX_BACKUP]: 
WARNING: 
Find VMs with thick or thin provisioned vmdk
# Report on disk formats that are not "thin" or "thick", which format is not allowed? [thick]: 
# Specify Datastores to filter from report [local]: 
WARNING: 
Virtual machines with incorrect OS configuration
# VMs with incorrect OS Configuration, do not report on any VMs who are defined here [VM1_*|VM2_*]: 
WARNING: 
Virtual machines with less hard disks than partitions
# Do not report on any VMs who are defined here (regex) [VM1_*|VM2_*]: 
WARNING: 
Powered Off VMs
# VMs not to report on [Windows7*]: 
#VmPathName not to report on [-backup-]: 
# Report VMs powered off over this many days [7]: 
WARNING: 
Unwanted virtual hardware found
# Find unwanted virtual hardware [VirtualUSBController|VirtualParallelPort|VirtualSerialPort]: 
WARNING: 
Mis-named virtual machines
# Misnamed VMs, do not report on any VMs who are defined here [VM1_*|VM2_*]: 
WARNING: 
VM Network State
# Only show NICs that are set to Connect at Startup [$true]: 
WARNING: 
Reset VMs
# Set the number of days to show reset VMs [1]: 
WARNING: 
Snapshot activity
# Set the number of days to show Snapshots for [5]: 
# User exception for Snapshot removed [s-veeam]: 
WARNING: 
VMs with CPU or Memory Reservations Configured
# Do not report on any VMs who are defined here []: 
WARNING: 
VM Logging
# The number of logs to keep for each VM [10]: 
# The size logs can reach before rotating to a new log (bytes) [1000000]: 
WARNING: 
VM Tools Not Up to Date
# Do not report on any VMs who are defined here (regex) []: 
# Maximum number of VMs shown [30]: 
WARNING: 
NonPersistent Disks
# Exclude all virtual machines from report [^DV-|^MLB-]: 
WARNING: 
VMs Memory/CPU Hot Add configuration
# Should CPU hot plug be enabled [$true]: 
# Should Memory hot add be enabled [$true]: 
WARNING: 
VM - Display all VMs with CBT unexpected status
# Should CBT be enabled (true/false) [$false]: 
WARNING: 
Site Recovery Manager - RPO Violation Report
# SRM RPO Violations: Set the number of minutes an RPO has exceeded to report on [240]: 
# SRM RPO Violations: Only look for RPO events on VMs with these names: (regex) []: 
# SRM RPO Violations: Report on unresolved RPO violations only? [$true]: 
Specify Credential
Please specify server credential
User: 
User: 
User: 
User: administrator@vsphere.local
Password for user administrator@vsphere.local: ********

After setting up the initial configuration we can start running the main script of the tool using the <vCheck.ps1 -Outputpath> command. The “Outputpath” option sets where the report will be saved. When you run the command it asks for the vCenter login credentials. In my case I used the default administrator account, but it is recommended to use an account with read-only privileges.

PS /home/blabla/vCheck> ./vCheck.ps1 -Outputpath vcheck-reports/                                   

Specify Credential
Please specify server credential
User: administrator@vsphere.local #vCenter credentials
Password for user administrator@vsphere.local: ********
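
One way to follow the read-only recommendation above with PowerCLI, as an added example that is not part of the original post or of vCheck: it grants the built-in ReadOnly role at the inventory root to a report account and then lists what that account holds. The account name `svc-vcheck` is hypothetical and is assumed to exist already in the SSO domain.

```powershell
# Added example: assumes the VMware.PowerCLI module is installed and that the
# SSO account below already exists. The account name is hypothetical.
$vCenter   = 'vcenter-01v.pharmax.local'   # vCenter name used in this post
$Principal = 'VSPHERE.LOCAL\svc-vcheck'    # hypothetical report account

# Connect with an administrative account once, only to delegate the permission.
$admin = Get-Credential -Message 'vCenter administrator'
Connect-VIServer -Server $vCenter -Credential $admin | Out-Null

# The root folder is the top of the inventory. A propagated permission set
# here covers every object the report reads.
$root     = Get-Folder -NoRecursion
$readOnly = Get-VIRole -Name 'ReadOnly'    # built-in vCenter role

# Grant ReadOnly at the root unless the account already holds it there.
$existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue
$alreadyGranted = $existing | Where-Object { $_.Role -eq $readOnly.Name -and $_.Propagate }
if (-not $alreadyGranted) {
    New-VIPermission -Entity $root -Principal $Principal -Role $readOnly -Propagate:$true | Out-Null
}

# Verify: list every permission granted directly to the account and flag
# anything beyond ReadOnly. Roles inherited through group membership are
# not listed by this query and need a separate review.
$all = Get-VIPermission -Principal $Principal
$all | Select-Object Entity, Role, Propagate | Format-Table -AutoSize

$excess = $all | Where-Object { $_.Role -ne $readOnly.Name }
if ($excess) {
    $roles = ($excess.Role | Sort-Object -Unique) -join ', '
    Write-Warning "$Principal holds roles beyond ReadOnly: $roles"
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

After this, the account can be entered at the “Specify Credential” prompt instead of administrator@vsphere.local.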

The following is an example of the vCheck collection process.

vCheck Report Processing

Begin Plugin Processing
[21:54:30] ..start calculating Connection settings for vCenter by Alan Renouf v1.20 [1 of 116]
[21:54:52] ..finished calculating Connection settings for vCenter by Alan Renouf v1.20 [1 of 116]
[21:54:52] ..start calculating General Information by Alan Renouf, Frederic Martin v1.3 [2 of 116]
[21:55:04] ..finished calculating General Information by Alan Renouf, Frederic Martin v1.3 [2 of 116]
[21:55:04] ..start calculating Checking VI Events by Alan Renouf v1.2 [3 of 116]
[21:55:05] ..finished calculating Checking VI Events by Alan Renouf v1.2 [3 of 116]
[21:55:05] ..start calculating VC Services by Alan Renouf v1.1 [4 of 116]
[21:55:05] ..finished calculating VC Services by Alan Renouf v1.1 [4 of 116]
[21:55:05] ..start calculating Windows vCenter Error Event Logs by Alan Renouf v1.2 [5 of 116]
[21:55:05] ..finished calculating Windows vCenter Error Event Logs by Alan Renouf v1.2 [5 of 116]
[21:55:05] ..start calculating Windows vCenter Error Event Logs by Alan Renouf v1.2 [6 of 116]
[21:55:05] ..finished calculating Windows vCenter Error Event Logs by Alan Renouf v1.2 [6 of 116]
[21:55:05] ..start calculating Windows vCenter Warning Event Logs by Alan Renouf v1.2 [7 of 116]
[21:55:05] ..finished calculating Windows vCenter Warning Event Logs by Alan Renouf v1.2 [7 of 116]
[21:55:05] ..start calculating vCenter Sessions Age by Rudolf Kleijwegt v1.2 [8 of 116]
[21:55:05] ..finished calculating vCenter Sessions Age by Rudolf Kleijwegt v1.2 [8 of 116]
[21:55:05] ..start calculating vCenter License Report by Justin Mercier, Bill Wall v1.2 [9 of 116]
[21:55:05] ..finished calculating vCenter License Report by Justin Mercier, Bill Wall v1.2 [9 of 116]
[21:55:05] ..start calculating HA configuration issues by John Sneddon v1.1 [10 of 116]
[21:55:06] ..finished calculating HA configuration issues by John Sneddon v1.1 [10 of 116]
[21:55:06] ..start calculating HA VMs restarted by Alan Renouf v1.3 [11 of 116]
[21:55:06] ..finished calculating HA VMs restarted by Alan Renouf v1.3 [11 of 116]
[21:55:06] ..start calculating DRS & SDRS Migrations by Alan Renouf, Jonathan Medd v1.3 [12 of 116]
[21:55:06] ..finished calculating DRS & SDRS Migrations by Alan Renouf, Jonathan Medd v1.3 [12 of 116]
[21:55:06] ..start calculating Cluster Slot Sizes by Alan Renouf v1.2 [13 of 116]
[21:55:06] ..finished calculating Cluster Slot Sizes by Alan Renouf v1.2 [13 of 116]
[21:55:06] ..start calculating Cluster Configuration Issues by Alan Renouf v1.1 [14 of 116]
[21:55:06] ..finished calculating Cluster Configuration Issues by Alan Renouf v1.1 [14 of 116]
[21:55:06] ..start calculating Datastore Consistency by Robert Sexstone v1.6 [15 of 116]
[21:55:07] ..finished calculating Datastore Consistency by Robert Sexstone v1.6 [15 of 116]
[21:55:07] ..start calculating Clusters with DRS disabled by Robert van den Nieuwendijk v1.3 [16 of 116]
[21:55:07] ..finished calculating Clusters with DRS disabled by Robert van den Nieuwendijk v1.3 [16 of 116]
[21:55:07] ..start calculating Cluster Node version by Raphael Schitz, Frederic Martin v1.1 [17 of 116]
[21:55:07] ..finished calculating Cluster Node version by Raphael Schitz, Frederic Martin v1.1 [17 of 116]
[21:55:07] ..start calculating QuickStats Capacity Planning by Raphael Schitz, Frederic Martin v1.7 [18 of 116]
[21:55:07] ..finished calculating QuickStats Capacity Planning by Raphael Schitz, Frederic Martin v1.7 [18 of 116]
[21:55:07] ..start calculating s/vMotion Information by Alan Renouf v1.2 [19 of 116]
[21:55:08] ..finished calculating s/vMotion Information by Alan Renouf v1.2 [19 of 116]
[21:55:08] ..start calculating More RAM than free space on Datastore by Olivier TABUT, Bob Cote v1.2 [20 of 116]
[21:55:08] ..finished calculating More RAM than free space on Datastore by Olivier TABUT, Bob Cote v1.2 [20 of 116]
[21:55:08] ..start calculating DRS Rules by John Sneddon v1.2 [21 of 116]
WARNING: Retrieving VM group to VMHost group DRS rules with Get-DrsRule is obsolete. Use Get-DrsVMHostRule cmdlet instead
[21:55:08] ..finished calculating DRS Rules by John Sneddon v1.2 [21 of 116]
[21:55:08] ..start calculating Clusters Without Host Profile attached by John Sneddon v1.0 [22 of 116]
[21:55:08] ..finished calculating Clusters Without Host Profile attached by John Sneddon v1.0 [22 of 116]
[21:55:08] ..start calculating Hosts Overcommit state by Alan Renouf v1.4 [23 of 116]
[21:55:09] ..finished calculating Hosts Overcommit state by Alan Renouf v1.4 [23 of 116]
[21:55:09] ..start calculating Hosts Dead LUN Path by Alan Renouf, Frederic Martin v1.2 [24 of 116]
[21:55:09] ..finished calculating Hosts Dead LUN Path by Alan Renouf, Frederic Martin v1.2 [24 of 116]
[21:55:09] ..start calculating Host Swapfile datastores by Alan Renouf v1.2 [25 of 116]
[21:55:09] ..finished calculating Host Swapfile datastores by Alan Renouf v1.2 [25 of 116]
[21:55:09] ..start calculating ESXi with Technical Support mode or ESXi Shell enabled by Alan Renouf v1.3 [26 of 116]
[21:55:09] ..finished calculating ESXi with Technical Support mode or ESXi Shell enabled by Alan Renouf v1.3 [26 of 116]
[21:55:09] ..start calculating ESXi hosts which do not have Lockdown mode enabled by Alan Renouf v1.1 [27 of 116]
[21:55:09] ..finished calculating ESXi hosts which do not have Lockdown mode enabled by Alan Renouf v1.1 [27 of 116]
[21:55:09] ..start calculating Active Directory Authentication by Bill Wall, Dan Barr v1.2 [28 of 116]
[21:55:10] ..finished calculating Active Directory Authentication by Bill Wall, Dan Barr v1.2 [28 of 116]
[21:55:10] ..start calculating NTP Name and Service by Alan Renouf, Dan Barr v1.3 [29 of 116]
[21:55:10] ..finished calculating NTP Name and Service by Alan Renouf, Dan Barr v1.3 [29 of 116]
[21:55:10] ..start calculating Host Configuration Issues by Alan Renouf, Dan Barr v1.2 [30 of 116]
[21:55:10] ..finished calculating Host Configuration Issues by Alan Renouf, Dan Barr v1.2 [30 of 116]
[21:55:10] ..start calculating Host Alarms by Alan Renouf, John Sneddon v1.3 [31 of 116]
[22:33:17] ..Displaying HTML results

Once the command finishes, an <.html> file is created with the result of the report. vCheck can also schedule the report to be sent by e-mail on a recurring basis, so you can have a weekly report on the health of your virtual infrastructure.

Here are several examples of reports generated with vCheck.

I hope you liked this tool. If you have any questions or comments about this post, leave them in comments. Regards.

HomeLab – Automated VMware Infrastructure Documentation

In this blog I will be talking about how to automate the creation of documentation reports of our virtual infrastructure. There are several commercial solutions to generate this type of report but I will be talking about “As Built Report” a free tool that uses powershell as a base to build the reports.

The “As Built Report” tool uses the VMware.PowerCLI modules that we explained previously in our blog. If you want to know more about PowerCLI follow this link here. An important fact about “As Built Report” is that it is not only used to generate reports on VMware but also supports the following products:

  • VMware vSphere, NSX & SRM
  • Cisco UCS Manager
  • Nutanix Prism Element
  • Pure Storage FlashArray
  • Rubrik
  • Zerto
  • Dell/EMC VxRail
  • Cohesity DataPlatform
  • etc…

First of all to use this tool we need to validate the requirements that in general consist of the following:

  • Windows PowerShell 5.1 or later
  • VMware.PowerCLI

To install the “As Built Report” powershell module use the command <Install-Module> followed by the module name AsBuiltReport.

PS /home/blabla> Install-Module -Name AsBuiltReport

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
PS /home/blabla>   

An optional requirement is to build a configuration file that allows you to set the organization parameters that are used to generate the report. This process generates a JSON file which is used as a template so that you do not have to fill in repetitive information when generating reports.

AsBuiltReport JSON Configuration File

The powershell cmdlet New-AsBuiltConfig allows you to generate a template that will be used as the basis of the report. This template sets the non-technical parameters of the report.

PS C:\WINDOWS\system32> New-AsBuiltConfig

---------------------------------------------
 <        As Built Report Information      >
---------------------------------------------
Enter the name of the Author for this As Built Report [jocolon]: Jonathan Colon
---------------------------------------------
 <           Company Information           >
---------------------------------------------
Would you like to enter Company information for the As Built Report? (y/n): y
Enter the Full Company Name: Zen PR Solutions
Enter the Company Short Name: ZENPR
Enter the Company Contact: Jonathan Colon
Enter the Company Email Address: jcolonf@zenprsolutions.com
Enter the Company Phone: XXX-XXX-XXXX
Enter the Company Address: Puerto Rico
---------------------------------------------
 <            Email Configuration          >
---------------------------------------------
Would you like to enter SMTP configuration? (y/n): n
----------------------------------------------
 <       As Built Report Configuration      >
----------------------------------------------
Would you like to save the As Built Report configuration file? (y/n): y
Enter a name for the As Built Report configuration file [AsBuiltReport]: HomeLab VMware Report
Enter the path to save the As Built Report configuration file [C:\Users\jocolon\AsBuiltReport]:

Name                           Value
----                           -----
Email                          {Port, Credentials, Server, To...}
Company                        {FullName, Contact, Phone, Email...}
UserFolder                     {Path}
Report                         {Author}


PS C:\WINDOWS\system32>

Once the process is completed, a JSON file will be created with the following content:

{
    "Email":  {
                  "Port":  null,
                  "Credentials":  null,
                  "Server":  null,
                  "To":  null,
                  "From":  null,
                  "UseSSL":  null,
                  "Body":  null
              },
    "Company":  {
                    "FullName":  "Zen PR Solutions",
                    "Contact":  "Jonathan Colon",
                    "Phone":  "787-203-2790",
                    "Email":  "jcolonf@zenprsolutions.com",
                    "ShortName":  "ZENPR",
                    "Address":  "Puerto Rico"
                },
    "UserFolder":  {
                       "Path":  "C:\\Users\\jocolon\\AsBuiltReport"
                   },
    "Report":  {
                   "Author":  "Jonathan Colon"
               }
}

The New-AsBuiltReportConfig command allows you to set the technical parameters of the report such as the verbose level and type of information collected.

PS C:\WINDOWS\system32> New-AsBuiltReportConfig VMware.vSphere -FolderPath C:\Users\jocolon\AsBuiltReport\ -Filename ReportConfig

Once the process is completed, a JSON file will be created with the following content:

{
    "Report": {
        "Name": "VMware vSphere As Built Report",
        "Version": "1.0",
        "Status": "Released"
    },
    "Options": {
        "ShowLicenseKeys": false,
        "ShowVMSnapshots": true
    },
    "InfoLevel": {
        "_comment_": "0 = Disabled, 1 = Summary, 2 = Informative, 3 = Detailed, 4 = Adv Detailed, 5 = Comprehensive",
        "vCenter": 3,
        "Cluster": 3,
        "ResourcePool": 3,
        "VMHost": 3,
        "Network": 3,
        "vSAN": 3,
        "Datastore": 3,
        "DSCluster": 3,
        "VM": 2,
        "VUM": 3
    },
    "HealthCheck": {
        "vCenter": {
            "Mail": true,
            "Licensing": true
        },
        "Cluster": {
            "HAEnabled": true,
            "HAAdmissionControl": true,
            "HostFailureResponse": true,
            "HostMonitoring": true,
            "DatastoreOnPDL": true,
            "DatastoreOnAPD": true,
            "APDTimeOut": true,
            "vmMonitoring": true,
            "DRSEnabled": true,
            "DRSAutomationLevelFullyAuto": true,
            "PredictiveDRS": false,
            "DRSVMHostRules": true,
            "DRSRules": true,
            "vSANEnabled": false,
            "EVCEnabled": true,
            "VUMCompliance": true
        },
        "VMHost": {
            "ConnectionState": true,
            "HyperThreading": true,
            "ScratchLocation": true,
            "IPv6": true,
            "UpTimeDays": true,
            "Licensing": true,
            "SSH": true,
            "ESXiShell": true,
            "NTP": true,
            "StorageAdapter": true,
            "NetworkAdapter": true,
            "LockdownMode": true,
            "VUMCompliance": true
        },
        "vSAN": {},
        "Datastore": {
            "CapacityUtilization": true
        },
        "DSCluster": {
            "CapacityUtilization": true,
            "SDRSAutomationLevelFullyAuto": true
        },
        "VM": {
            "PowerState": true,
            "ConnectionState": true,
            "CpuHotAdd": true,
            "CpuHotRemove": true,
            "MemoryHotAdd": true,
            "ChangeBlockTracking": true,
            "SpbmPolicyCompliance": true,
            "VMToolsStatus": true,
            "VMSnapshots": true
        }
    }
}

Finally, we generate the report using the <New-AsBuiltReport> command with the vCenter information parameters and referencing the JSON files we have created as templates.

PS C:\WINDOWS\system32> New-AsBuiltReport -Report VMware.vSphere -Target vcenter-01v.zenprsolutions.local -Username administrator@vsphere.local -Password XXXXX -Format Word,Text,HTML -OutputFolderPath 'C:\Users\jocolon\OneDrive\Desktop\' -EnableHealthCheck -AsBuiltConfigFilePath 'HomeLab VMware Report.json' -ReportConfigFilePath 'ReportConfig.json'

VMware vSphere As Built Report 'VMware vSphere As Built Report' has been saved to 'C:\Users\jocolon\OneDrive\Desktop\'.
PS C:\WINDOWS\system32>
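
The run above passes the vCenter password with -Password, where it can end up in shell history and transcripts, and what the report discloses is driven by ReportConfig.json. The following is an added example, not part of the original post or the AsBuiltReport project: it audits the report config against a hypothetical local policy and then runs the report with a PSCredential through the module's -Credential parameter. The function names Test-AsBuiltReportConfig and Invoke-HomeLabReport and the policy itself are assumptions; the sample JSON is constructed from keys shown in the ReportConfig.json above.

```powershell
# Added example (not from the original post). Policy and function names are hypothetical.

function Test-AsBuiltReportConfig {
    # Returns one string per policy violation found in a ReportConfig.json document.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Json
    )
    $config   = $Json | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()

    # License keys are secrets; the Word/HTML report is typically shared or archived.
    if ($config.Options.ShowLicenseKeys -ne $false) {
        $findings.Add('Options.ShowLicenseKeys is not false: license keys would be printed in the report')
    }

    # Host hardening checks the policy wants enabled (keys from the VMHost section).
    # A missing key evaluates to $null and is reported as well.
    foreach ($check in 'SSH', 'ESXiShell', 'LockdownMode', 'NTP') {
        if ($config.HealthCheck.VMHost.$check -ne $true) {
            $findings.Add("HealthCheck.VMHost.$check is disabled or missing")
        }
    }

    # InfoLevel 0 means "Disabled" per the _comment_ key, so the host section is omitted.
    if ([int]$config.InfoLevel.VMHost -eq 0) {
        $findings.Add('InfoLevel.VMHost is 0 or missing: the host section is left out of the report')
    }

    $findings
}

function Invoke-HomeLabReport {
    # Audits the config first, then runs the report without a plaintext password argument.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$ReportConfigFilePath,
        [Parameter(Mandatory)][string]$AsBuiltConfigFilePath,
        [Parameter(Mandatory)][string]$OutputFolderPath
    )
    $json   = Get-Content -Raw -LiteralPath $ReportConfigFilePath
    $issues = @(Test-AsBuiltReportConfig -Json $json)
    if ($issues.Count -gt 0) {
        $list = $issues -join '; '
        throw "Report config failed the audit: $list"
    }

    $params = @{
        Report                = 'VMware.vSphere'
        Target                = $Target
        Credential            = $Credential      # replaces -Username / -Password
        Format                = 'Word', 'Text', 'HTML'
        OutputFolderPath      = $OutputFolderPath
        EnableHealthCheck     = $true
        AsBuiltConfigFilePath = $AsBuiltConfigFilePath
        ReportConfigFilePath  = $ReportConfigFilePath
    }
    New-AsBuiltReport @params
}

# Constructed sample: the ReportConfig.json above trimmed to the audited keys,
# with ShowLicenseKeys and LockdownMode deliberately weakened.
$sample = @'
{
  "Options":   { "ShowLicenseKeys": true, "ShowVMSnapshots": true },
  "InfoLevel": { "VMHost": 3 },
  "HealthCheck": {
    "VMHost": { "SSH": true, "ESXiShell": true, "NTP": true, "LockdownMode": false }
  }
}
'@

# Offline demonstration: lists the two weakened settings.
Test-AsBuiltReportConfig -Json $sample

# Against a live vCenter (Get-Credential prompts instead of taking the password inline):
# Invoke-HomeLabReport -Target 'vcenter-01v.zenprsolutions.local' -Credential (Get-Credential) `
#     -ReportConfigFilePath 'ReportConfig.json' -AsBuiltConfigFilePath 'HomeLab VMware Report.json' `
#     -OutputFolderPath 'C:\Users\jocolon\OneDrive\Desktop\'
```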

Once the process of collecting the information from the vCenter is finished, the command saves the report as specified with the <OutputFolderPath> parameter. The following image shows the generated report in the <Word,Text,HTML> format.

Below I show you some images showing the result of the report collected from the vCenter <vcenter-01v>:

Summary

In this lab we learned how easy it is to create documentation about our virtual infrastructure by using freely available tools. “As Built Report” is a robust tool that facilitates the manual process of creating or updating our documentation.

How To Install and Use VMware PowerCLI on ArchLinux

In this blog I will be showing you how to install the PowerCLI tool specifically on the ArchLinux operating system. Archlinux is an advanced Linux distribution that is characterized by being simple and lightweight. Additionally it offers the user full control in managing and modifying everything related to the system.

Well, to install and use PowerCLI we have to install Powershell first. PowerShell is a cross-platform automation and configuration tool. PowerShell has a large number of commands oriented to system administration. But at the same time, PowerShell is a full-featured programming language that allows writing functional programs. There are many Powershell-based administration tools from different manufacturers such as:

  • VMware PowerCLI
  • Cisco UCS PowerTool
  • NetApp PowerShell Toolkit
  • DELL\EMC Unity-Powershell 
  • Amazon AWS Tools for PowerShell

As you can see Powershell is a tool highly used by infrastructure manufacturers and is offered as a method for automation or rapid deployment of software-based infrastructure. Powershell is my second preferred programming language with Python at the top of my list.

The first thing we have to do is to install Powershell and for this I will use the program “yay” which is a tool in Archlinux to install programs from the unofficial repository “Arch User Repository”. With the command <yay -S powershell-bin> we can install the Powershell program to the system.

yay -S powershell-bin

[rebelinux@blabla ~]$ yay -S powershell-bin
:: Checking for conflicts...
:: Checking for inner conflicts...
[Aur:1]  powershell-bin-7.1.3-1

:: Downloaded PKGBUILD (1/1): powershell-bin
  1 powershell-bin                           (Installed) (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> 
:: (1/1) Parsing SRCINFO: powershell-bin
==> Making package: powershell-bin 7.1.3-1 (Sat 05 Jun 2021 08:08:03 PM AST)
==> Retrieving sources...
  -> Downloading powershell_7.1.3-1.ubuntu.18.04_amd64.deb...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   647  100   647    0     0   1473      0 --:--:-- --:--:-- --:--:--  1473
100 65.1M  100 65.1M    0     0  1182k      0  0:00:56  0:00:56 --:--:-- 1201k
==> Validating source files with sha256sums...
    powershell_7.1.3-1.ubuntu.18.04_amd64.deb ... Passed
==> Making package: powershell-bin 7.1.3-1 (Sat 05 Jun 2021 08:09:00 PM AST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found powershell_7.1.3-1.ubuntu.18.04_amd64.deb
==> Validating source files with sha256sums...
    powershell_7.1.3-1.ubuntu.18.04_amd64.deb ... Passed
==> Removing existing $srcdir/ directory...
==> Extracting sources...
  -> Extracting powershell_7.1.3-1.ubuntu.18.04_amd64.deb with bsdtar
==> Sources are ready.
==> Making package: powershell-bin 7.1.3-1 (Sat 05 Jun 2021 08:09:01 PM AST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> WARNING: Using existing $srcdir/ tree
==> Entering fakeroot environment...
==> Starting package()...
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "powershell-bin"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Adding install file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: powershell-bin 7.1.3-1 (Sat 05 Jun 2021 08:09:05 PM AST)
==> Cleaning up...
[sudo] password for rebelinux: 
loading packages...
warning: powershell-bin-7.1.3-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) powershell-bin-7.1.3-1

Total Installed Size:  170.21 MiB
Net Upgrade Size:        0.00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                                                                                                  [########################################################################################] 100%
(1/1) checking package integrity                                                                                                                [########################################################################################] 100%
(1/1) loading package files                                                                                                                     [########################################################################################] 100%
(1/1) checking for file conflicts                                                                                                               [########################################################################################] 100%
(1/1) checking available disk space                                                                                                             [########################################################################################] 100%
:: Processing package changes...
(1/1) reinstalling powershell-bin                                                                                                               [########################################################################################] 100%
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[rebelinux@blabla ~]$

There is another more advanced installation method that also allows you to install Powershell from the command line. I leave here the required commands.

Manual installation of Powershell

git clone https://aur.archlinux.org/powershell-bin.git
cd powershell-bin
makepkg -si

To access the Powershell application the <pwsh> command is used to call the interpreter. From the interpreter we can run Powershell commands that are commonly called “Cmdlets”.

[rebelinux@blabla ~]$ pwsh
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /home/rebelinux> 

The next step to run PowerCLI is to install its module by using the <Install-Module -name VMware.PowerCLI> command from the Powershell interpreter.

PS /home/blabla> Install-Module -name VMware.PowerCLI  

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
PS /home/blabla>  

To connect to the vCenter we use the “cmdlet” <Connect-VIServer> specifying the IP address or DNS name of the server.

PS /home/blabla> Connect-VIServer vcenter-01v.zenprsolutions.local -Verbose -Username administrator@vsphere.local -Password XXXXXX

Name                            Port User
----                            ---- ----
vcenter-01v.zenprsolutions.local 443  VSPHERE.LOCAL\Administrator

PS /home/blabla> 

I will use a basic command to do connection testing against vCenter. In this test I will use the <Get-Cluster> command to check the currently created clusters.

PS /home/blabla> Get-Cluster

Name                           HAEnabled  HAFailover DrsEnabled DrsAutomationLevel
                                          Level
----                           ---------  ---------- ---------- ------------------
RegionA01-EDGE                 False      1          True       FullyAutomated
RegionHQ-MGMT                  False      1          True       FullyAutomated
RegionA01-COMP                 True       1          True       FullyAutomated

PS /home/blabla> 

Another basic example is to use the <Get-Datastore> command to validate which datastores currently exist in the virtual DataCenter. In the output of the <Get-Datastore> command you can see the free and used space in the datastores configured in the DataCenter.

PS /home/blabla> Get-Datastore

Name                               FreeSpaceGB      CapacityGB
----                               -----------      ----------
SSD-VM-HIGH-CAPACITY-PERF-KN           173.708         894.000
NVME-VM-HIGH-PERF-01                     0.017         476.750
SSD-VM-HIGH-CAPACITY-PERF-MK           251.536         931.250
HDD-VM-MED-PERF-02                   2,232.268       3,726.000
HDD-VM-MED-PERF-01                   2,509.246       3,726.000
esx-00f                                110.801         111.750
NVME-VFLASH-01                           0.840         238.250
HDD-VM-ISO-LOW-PERF                    606.936         931.250
NFS_SNAP_OFFLOAD                        29.258          50.000
SRM_PlaceHolder                         97.170          99.750
SERVER_DATASTORE                        92.444          99.750

PS /home/blabla> 

See you later, friends!

vSphere 7 Update 2 NFS Array Snapshots Offload Support

The vSphere 7.0 U2 release provides the ability to use native snapshot when using the NFS protocol as the access mechanism. As described on the VMware blog:

NFS Improvements

NFS required a clone to be created first for a newly created VM and the subsequent ones could be offloaded to the array. With the release of vSphere 7.0 U2, we have enabled NFS array snapshots of full, non-cloned VMs to not use redo logs but instead use the snapshot technology of the NFS array in order to provide better snapshot performance. The improvement here will remove the requirement/limitation of creating a clone and enables the first snapshot also to be offloaded to the array.

What’s New in vSphere 7 Update 2 Core Storage

In this blog I explain the configuration needed to test this new feature. To start we should validate the prerequisites to be able to implement this solution. According to the VMware documentation portal the prerequisites are as follows:

  • Verify that the NAS array supports the fast file clone operation with the VAAI NAS program.
  • On your ESXi host, install vendor-specific NAS plug-in that supports the fast file cloning with VAAI.
  • Follow the recommendations of your NAS storage vendor to configure any required settings on both the NAS array and ESXi.

The NFS configuration will be done in NetApp Ontap using the “NetApp NFS Plug-in for VMware VAAI” plugin that recently added native NFS snapshot offload support.

Note: The plug-in can be downloaded from the NetApp support portal at the following link “NetApp Support”.

Once we are in the NetApp support portal we must download version 2.0 of the plugin as shown in the following image. To install the plugin we need to unzip the downloaded file and rename the file inside the folder named vib20 with the extension .vib to the new name NetAppNasPlugin.vib.

In the next step I used the NetApp Ontap Tools to install the plugin but it can also be installed using VMware Lifecycle Manager.

To install the plugin go to [ONTAP tools => Settings => NFS VAAI tools] and in the “Existing version:” section press “BROWSE” to select where the “NetAppNasPlugin.vib” file is stored. Once the file is located press “UPLOAD” to load and install the plugin.

In this step we can see how to install the plugin to the ESXi servers by pressing the “INSTALL” button.

The following image shows that the installation of the plugin was successful. An advantage of the new version of the plugin is that no reboot of the ESXi server is required.

After installing the plugin we will proceed to validate that the Ontap Storage has support for VMware vStorage APIs for Array Integration (VAAI) features in the NFS environment. This can be verified with the command <vserver nfs show -fields vstorage>. As you can see the vStorage function is currently disabled in the SVM called NFS. To enable the vStorage function use the <vserver nfs modify -vstorage enabled> command.

OnPrem-HQ::> vserver nfs show -fields vstorage 
vserver vstorage 
------- -------- 
NFS     disabled  

OnPrem-HQ::> vserver nfs modify -vstorage enabled -vserver NFS 

OnPrem-HQ::> vserver nfs show -fields vstorage                 
vserver vstorage 
------- -------- 
NFS     enabled  

OnPrem-HQ::> 

The next requirement to be able to use native snapshot offload is the creation of an advanced setting in the VM configuration called snapshot.alwaysAllowNative. To add this value you have to go to the VM properties then to [VM Options => Advanced => EDIT CONFIGURATION].

The following image shows the value of the <snapshot.alwaysAllowNative> variable that according to VMware documentation must have a value equal to “TRUE”. You can use the following link as reference “VMware Documentation”.

Now I start testing to validate that the native snapshot is working in Ontap. First I will create a snapshot with the <snapshot.alwaysAllowNative> option set to FALSE. Then I will make changes to the VM so that I can measure the speed of deleting and applying the snapshot changes to the base disk. In the example shown below the command <New-Snapshot> in PowerCLI was used to create a snapshot of the VM named RocaWeb.

PS /home/rebelinux> get-vm -Name RocaWeb | New-Snapshot -Name PRE_Native_Array_Snapshot | Format-Table -Wrap -AutoSize  

Name                      Description PowerState
----                      ----------- ----------
PRE_Native_Array_Snapshot             PoweredOff

PS /home/rebelinux> 

In this step a 10GB file was copied to grow the snapshot so that I can measure how fast the changes are applied to the base disk when the snapshot is deleted. In this example the file “RocaWeb_2-000001-delta.vmdk” represents the delta where the snapshot changes are saved. This represents a traditional VMware snapshot.

[root@comp-01a:/vmfs/volumes/55ab62ec-2abeb31b/RocaWeb] ls -alh
total 35180596
drwxr-xr-x    2 root     root        4.0K May 31 23:40 .
drwxr-xr-x    7 root     root        4.0K May 31 19:02 ..
-rw-------    1 root     root      276.0K May 31 23:40 RocaWeb-Snapshot15.vmsn
-rw-------    1 root     root        4.0G May 31 23:40 RocaWeb-a03f2017.vswp
-rw-------    1 root     root      264.5K May 31 23:40 RocaWeb.nvram
-rw-------    1 root     root         394 May 31 23:40 RocaWeb.vmsd
-rwxr-xr-x    1 root     root        3.4K May 31 23:40 RocaWeb.vmx
-rw-------    1 root     root       10.0G May 31 23:51 RocaWeb_2-000001-delta.vmdk #Delta (VMFS Based Snapshot)
-rw-------    1 root     root         301 May 31 23:40 RocaWeb_2-000001.vmdk
-rw-------    1 root     root      500.0G May 31 23:37 RocaWeb_2-flat.vmdk
-rw-------    1 root     root         631 May 31 23:37 RocaWeb_2.vmdk
[root@comp-01a:/vmfs/volumes/55ab62ec-2abeb31b/RocaWeb]

The following image shows the time it took to apply the snapshot changes to the base disk when the snapshot was removed. In summary the operation took 9 minutes in total using traditional VMware snapshot.

Note: Ontap simulator was used for this lab.

In this last example the <New-Snapshot> command was also used to create the snapshot but with the <snapshot.alwaysAllowNative> option set to “TRUE”. In that way I can test the use of Native Snapshot Offload in NFS. Here again, a 10GB file was copied to the VM to grow the snapshot, so I can measure how quickly changes are applied to the base disk when the snapshot is deleted.

PS /home/rebelinux> get-vm -Name RocaWeb | New-Snapshot -Name POST_Native_Array_Snapshot | Format-Table -Wrap -AutoSize

Name                       Description PowerState
----                       ----------- ----------
POST_Native_Array_Snapshot             PoweredOff

PS /home/rebelinux> 

Here we can see that there is no “-delta.vmdk” file but there is a file named “RocaWeb_2-000001-flat.vmdk” with the same size of 500GB as the “RocaWeb_2-flat.vmdk” file. This allows us to confirm that the NFS Native Snapshot Offload feature is enabled in Ontap.

[root@comp-01a:/vmfs/volumes/55ab62ec-2abeb31b/RocaWeb] ls -alh
total 49419672
drwxr-xr-x    2 root     root        4.0K Jun  1 00:07 .
drwxr-xr-x    7 root     root        4.0K May 31 19:02 ..
-rw-------    1 root     root      276.0K Jun  1 00:07 RocaWeb-Snapshot16.vmsn
-rw-------    1 root     root        4.0G Jun  1 00:07 RocaWeb-a03f2017.vswp
-rw-------    1 root     root      264.5K Jun  1 00:07 RocaWeb.nvram
-rw-------    1 root     root         393 Jun  1 00:07 RocaWeb.vmsd
-rwxr-xr-x    1 root     root        3.4K Jun  1 00:07 RocaWeb.vmx
-rw-------    1 root     root      500.0G Jun  1 00:09 RocaWeb_2-000001-flat.vmdk #No Delta (Array Based Snapshot OffLoad)
-rw-------    1 root     root         650 Jun  1 00:07 RocaWeb_2-000001.vmdk
-rw-------    1 root     root      500.0G Jun  1 00:03 RocaWeb_2-flat.vmdk
-rw-------    1 root     root         631 Jun  1 00:07 RocaWeb_2.vmdk
[root@comp-01a:/vmfs/volumes/55ab62ec-2abeb31b/RocaWeb] 

The following image shows the time it took to apply the snapshot changes to the base disk when the snapshot was removed using the NFS Native Snapshot Offload. In summary, you can see that applying the snapshot changes to the base disk took no time at all to finish.

Summary

NFS native snapshot offload operations are so fast because ONTAP references metadata when it creates a Snapshot copy, rather than copying data blocks, which is why Snapshot copies are so efficient. Doing so eliminates the seek time that other systems incur in locating the blocks to copy, as well as the cost of making the copy itself.

Using Flexcache volumes to accelerate Windows shares data access

Starting with the Ontap 9.8 release, NetApp decided to add support for the Windows SMB protocol to the FlexCache technology. At last…

In this blog, I will create a source volume as origin and a flexcache volume on a remote cluster. In the lab example I will also validate the benefit offered by the ability to extend a central CIFS share natively.

I used the NetApp documentation as a reference to define what a Flexcache volume is and what it is used for.

A FlexCache volume is a sparsely populated volume that is backed by an origin volume. The FlexCache volume can be on the same cluster as or on a different cluster than that of the origin volume. The FlexCache volume provides access to data in the origin volume without requiring that all of the data be in the FlexCache volume. Starting in ONTAP 9.8, a FlexCache volume also supports SMB protocol.

NetApp Documentation Portal

To begin with, I used as a reference the following diagram showing an Active Directory domain with two sites named Gurabo and Ponce. Both sites have an Ontap cluster with version 9.8P4. Flexcache requires the creation of “Intercluster” type interfaces.

Note: The Ontap simulator was used for the lab.

The configuration I performed on the NAS-EDGE remote <vserver> was documented in case you are interested in seeing how to create a SVM from scratch.

Prerequisites – vserver and network setup

Step I: Add the SVM NAS-EDGE to the remote cluster.

OnPrem-EDGE::> vserver create -vserver NAS-EDGE -rootvolume NAS_EDGE_root -aggregate OnPrem_DR_01_VM_DISK_1 
[Job 577] Job succeeded: Success                                               
Vserver creation completed.

OnPrem-DR::> 

Reference: vserver create

Step II: Add the logical network interfaces (LIF).

OnPrem-EDGE::> network interface create -vserver NAS-EDGE -lif NAS_EDGE_01 -address 10.10.33.20 -netmask-length 24 -home-node OnPrem-DR-01 -home-port e0c -service-policy default-data-files    

OnPrem-EDGE::> network interface create -vserver NAS-EDGE -lif NAS_EDGE_02 -address 10.10.33.21 -netmask-length 24 -home-node OnPrem-DR-02 -home-port e0c -service-policy default-data-files

OnPrem-EDGE::> network interface show -curr-port e0c -vserver NAS-EDGE 
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
NAS-EDGE
            NAS_EDGE_01  up/up    10.10.33.20/24     OnPrem-EDGE-01 e0c     true
            NAS_EDGE_02  up/up    10.10.33.21/24     OnPrem-EDGE-02 e0c     true
2 entries were displayed.

OnPrem-EDGE::> 

Reference: network interface create

Step III: Network route creation.

OnPrem-EDGE::> network route create -vserver NAS-EDGE -destination 0.0.0.0/0 -gateway 10.10.33.254

OnPrem-EDGE::> network route show -vserver NAS-EDGE
Vserver             Destination     Gateway         Metric
------------------- --------------- --------------- ------
NAS-EDGE
                    0.0.0.0/0       10.10.33.254    20

OnPrem-EDGE::> 

Reference: network route create

Step IV: Add the DNS parameters to the SVM.

OnPrem-EDGE::> vserver services dns create -domains zenprsolutions.local -name-servers 192.168.5.1 -vserver NAS-EDGE 

Warning: Only one DNS server is configured. Configure more than one DNS server
         to avoid a single-point-of-failure.

OnPrem-EDGE::> vserver services dns show -vserver NAS-EDGE 

                        Vserver: NAS-EDGE
                        Domains: zenprsolutions.local
                   Name Servers: 192.168.5.1
                 Timeout (secs): 2
               Maximum Attempts: 1

OnPrem-EDGE::> 

Reference: vserver services dns create

Step V: Configure CIFS protocol and add the vserver to the local domain.

OnPrem-EDGE::> vserver cifs create -vserver NAS-EDGE -domain zenprsolutions.local -cifs-server NAS-EDGE              

In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
"ZENPRSOLUTIONS.LOCAL" domain. 

Enter the user name: administrator

Enter the password: xxxxxxxxxxxx

Notice: SMB1 protocol version is obsolete and considered insecure. Therefore it
is deprecated and disabled on this CIFS server. Support for SMB1 might be
removed in a future release. If required, use the (privilege: advanced)
"vserver cifs options modify -vserver NAS-EDGE -smb1-enabled true" to enable
it.

OnPrem-EDGE::> vserver cifs show                                                                
            Server          Status    Domain/Workgroup Authentication
Vserver     Name            Admin     Name             Style
----------- --------------- --------- ---------------- --------------
NAS-EDGE    NAS-EDGE        up        ZENPRSOLUTIONS          domain
2 entries were displayed.

OnPrem-EDGE::>

Reference: vserver cifs create

Step VI: Validate the SVM computer object creation in Active Directory (Powershell).

PS C:\Users\Administrator> Get-ADComputer -Identity NAS-EDGE

DistinguishedName : CN=NAS-EDGE,CN=Computers,DC=zenprsolutions,DC=local
DNSHostName       : NAS-EDGE.zenprsolutions.local
Enabled           : True
Name              : NAS-EDGE
ObjectClass       : computer
ObjectGUID        : 3cfec085-1417-4bac-bff7-d734e4e30049
SamAccountName    : NAS-EDGE$
SID               : S-1-5-21-2867495315-1194516362-180967319-2665
UserPrincipalName : 

PS C:\Users\Administrator> 

Step VII: Validate connectivity and name resolution (Powershell).

PS C:\Users\Administrator> ping NAS-EDGE.zenprsolutions.local
Ping request could not find host NAS-EDGE.zenprsolutions.local. Please check the name and try again.

PS C:\Users\Administrator> Add-DnsServerResourceRecordA -Name NAS-EDGE -IPv4Address 10.10.33.20 -CreatePtr -ZoneName zenprsolutions.local

PS C:\Users\Administrator> Add-DnsServerResourceRecordA -Name NAS-EDGE -IPv4Address 10.10.33.21 -CreatePtr -ZoneName zenprsolutions.local

PS C:\Users\Administrator> 
PS C:\Users\Administrator> nslookup NAS-EDGE.zenprsolutions.local
	primary name server = 192.168.5.1
	responsible mail addr = (root)
	serial  = 0
	refresh = 28800 (8 hours)
	retry   = 7200 (2 hours)
	expire  = 604800 (7 days)
	default TTL = 86400 (1 day)
Server:  SERVER-DC-01V.zenprsolutions.local
Address:  192.168.5.1

Name:    NAS-EDGE.zenprsolutions.local
Addresses: 10.10.33.20
	   10.10.33.21


PS C:\Users\Administrator> 

In order to start with the lab it is necessary to create a peer relationship between the local and remote vserver. To achieve this I use the command <vserver peer create> specifying the “applications” as “flexcache”.

Reference: vserver peer create.

Note: A cluster-level peer relationship was created beforehand with the <cluster peer create> command.

OnPrem-HQ::> vserver peer create -vserver NAS -peer-cluster OnPrem-EDGE -peer-vserver NAS-EDGE -applications flexcache 

Info: [Job 883] 'vserver peer create' job queued 

Once the peer relationship has been created between both vservers, you can continue to validate that the source volume was created as required. To validate the volume, the <volume show> command is used from the local cluster shell. In this lab I am going to use the volume named share.

OnPrem-HQ::*> volume show -vserver NAS                
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
NAS       NAS_root     OnPrem_HQ_01_SSD_1 online RW      20MB    17.66MB    7%
NAS       share        OnPrem_HQ_01_SSD_1 online RW      10.3GB   8.04GB   20%
19 entries were displayed.

OnPrem-HQ::*> 

Once the volume is identified, you can create the flexcache volume using the command <volume flexcache create>. It is important to mention that flexcache technology uses “FlexGroup” as a dependency when creating a volume. It is for this reason that the aggr-list option is used to specify which aggregates will be used to create the “FlexGroup” type volumes.

OnPrem-EDGE::> volume flexcache create -vserver NAS-EDGE -volume share_edge -aggr-list OnPrem_EDGE_0* -origin-vserver NAS -origin-volume share -size 10GB -junction-path /share_edge
[Job 595] Job succeeded: Successful.                                           

OnPrem-EDGE::>

From the remote cluster shell you can verify the created volume by using the <vol flexcache show> command.

OnPrem-EDGE::> vol flexcache show
Vserver Volume      Size       Origin-Vserver Origin-Volume Origin-Cluster
------- ----------- ---------- -------------- ------------- --------------
NAS-EDGE share_edge 10GB       NAS            shares            OnPrem-HQ

OnPrem-EDGE::> 

From the local cluster shell you can see the source volume with the command <volume flexcache origin show-caches>. The flexcache volume previously created can be validated in the command result.

OnPrem-HQ::*> volume flexcache origin show-caches
Origin-Vserver Origin-Volume  Cache-Vserver  Cache-Volume  Cache-Cluster
-------------- -------------- -------------- ------------- --------------
NAS            share         NAS-EDGE       share_edge    OnPrem-EDGE
1 entries were displayed.

OnPrem-HQ::*> 

Now I proceed to share the share_edge cache volume using the SMB protocol. The command <vserver cifs share create> is used with the option <-path /share_edge> to specify the “junction-path” of the flexcache volume.

OnPrem-EDGE::> vserver cifs share create -vserver NAS-EDGE -share-name share_edge -path /share_edge

OnPrem-EDGE::>

Now you can see that the “Share” was created in the share_edge volume.

OnPrem-EDGE::> vserver cifs share show -share-name share_edge
Vserver        Share         Path              Properties Comment  ACL
-------------- ------------- ----------------- ---------- -------- -----------
NAS-EDGE       share_edge    /share_edge       oplocks    -        Everyone / Full Control
                                               browsable
                                               changenotify
                                               show-previous-versions

OnPrem-EDGE::> 
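The share above was created with the ACL shown in the last column, Everyone / Full Control. The following Python sketch is an added example, not part of the original post or of any NetApp tooling: it parses captured <vserver cifs share show> output, lists the shares that grant Everyone write access, and builds the <vserver cifs share access-control> commands that replace that entry. The finance share, the ZENPRSOLUTIONS\Finance and ZENPRSOLUTIONS\Edge-Users groups, and all function names are assumptions.

```python
import re

# Constructed sample: the share_edge rows are the output shown above; the
# "finance" share and the ZENPRSOLUTIONS\Finance group are hypothetical.
SAMPLE = r"""
Vserver        Share         Path              Properties Comment  ACL
-------------- ------------- ----------------- ---------- -------- -----------
NAS-EDGE       share_edge    /share_edge       oplocks    -        Everyone / Full Control
                                               browsable
                                               changenotify
                                               show-previous-versions
NAS-EDGE       finance       /finance          oplocks    -        ZENPRSOLUTIONS\Finance / Change
                                               browsable           BUILTIN\Administrators / Full Control
2 entries were displayed.
"""

SEPARATOR = re.compile(r"^-+( -+)+\s*$")      # dashed rule under the header
CHUNK = re.compile(r"\S+(?: \S+)*")           # cells are separated by 2+ spaces
ACL_ENTRY = re.compile(r"^(?P<who>.+?) / (?P<perm>.+)$")
BROAD_PRINCIPALS = {"everyone"}
WRITE_PERMS = {"full control", "change"}


def parse_share_show(text):
    """Return one dict per share: vserver, share, path and its ACL entries."""
    shares, current, in_table = [], None, False
    for line in text.splitlines():
        if SEPARATOR.match(line):
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip() or line.rstrip().endswith("displayed."):
            break
        chunks = CHUNK.findall(line)
        if not line[0].isspace():
            # A row that starts in column 0 opens a new share record.
            if len(chunks) < 3:
                continue
            current = {"vserver": chunks[0], "share": chunks[1],
                       "path": chunks[2], "acl": []}
            shares.append(current)
            chunks = chunks[3:]
        if current is None:
            continue
        # Wrapped rows carry more properties and, for multi-entry ACLs,
        # more "principal / permission" cells; only the latter are kept.
        for chunk in chunks:
            entry = ACL_ENTRY.match(chunk)
            if entry:
                current["acl"].append((entry["who"], entry["perm"]))
    return shares


def overly_permissive(shares):
    """Shares where a broad principal (Everyone) holds a write permission."""
    return [(s["vserver"], s["share"]) for s in shares
            if any(who.lower() in BROAD_PRINCIPALS and perm.lower() in WRITE_PERMS
                   for who, perm in s["acl"])]


def remediation(vserver, share, group, permission="Change"):
    """ONTAP commands: grant the intended group first, then drop Everyone."""
    base = f"vserver cifs share access-control {{}} -vserver {vserver} -share {share}"
    return [base.format("create") + f' -user-or-group "{group}" -permission {permission}',
            base.format("delete") + " -user-or-group Everyone"]


if __name__ == "__main__":
    for vserver, share in overly_permissive(parse_share_show(SAMPLE)):
        # Hypothetical replacement group; use the group that should own the share.
        print("\n".join(remediation(vserver, share, r"ZENPRSOLUTIONS\Edge-Users")))
```

The parser assumes that cells are separated by at least two spaces, as in the output above; a value that fills its whole column would need offset-based slicing instead.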

I have used the smbmap tool to validate that the shared folder can be accessed over the network.

[rebelinux@blabla ~]$ smbmap.py -H 10.10.33.20 -p "XXXXX" -d ZENPRSOLUTIONS -u administrator 
[+] IP: 10.10.33.20:445	Name: NAS-EDGE.zenprsolutions.local                            
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	share_edge                                        	READ, WRITE	
	ipc$                                              	NO ACCESS	
	c$                                                	READ, WRITE	
[rebelinux@blabla ~]$

In the performed test I copied the “Very_Big_File.iso” file to each site cluster “SHARE” volume.

Note: I modified the original diagram to show how the clients are connected.

In this section you can see the commands used to connect the clients to the “SHARE” volume.

Note: Ubuntu Linux 20.04 was used for this lab scenario.

CLIENT-HQ-01V
root@CLIENT-HQ-01V:/home/godadmin# mount -t cifs -o username=administrator@zenprsolutions.local,password=XXXXXXXX //nas/shares /mnt/share/
root@CLIENT-HQ-01V:/home/godadmin# cd /mnt/share/
root@CLIENT-HQ-01V:/mnt/share# ls
RecApp-2021-02-20.webm   RecApp-2021-02-27.webm   Very_Big_File.iso   WSUS-Cleanup.ps1
root@CLIENT-HQ-01V:/mnt/share#

CLIENT-EDGE-01V
root@CLIENT-EDGE-01V:/home/godadmin# mount -t cifs -o username=administrator@zenprsolutions.local,password=XXXXXXXX //nas-edge/share_edge /mnt/share_edge/
root@CLIENT-EDGE-01V:/home/godadmin# cd /mnt/share_edge/
root@CLIENT-EDGE-01V:/mnt/share_edge# ls
RecApp-2021-02-20.webm   RecApp-2021-02-27.webm   Very_Big_File.iso   WSUS-Cleanup.ps1
root@CLIENT-EDGE-01V:/mnt/share_edge#

CLIENT-EDGE-02V
root@CLIENT-EDGE-02V:/home/godadmin# mount -t cifs -o username=administrator@zenprsolutions.local,password=XXXXXXXX //nas-edge/share_edge /mnt/share_edge/
root@CLIENT-EDGE-02V:/home/godadmin# cd /mnt/share_edge/
root@CLIENT-EDGE-02V:/mnt/share_edge# ls
RecApp-2021-02-20.webm   RecApp-2021-02-27.webm   Very_Big_File.iso   WSUS-Cleanup.ps1
root@CLIENT-EDGE-02V:/mnt/share_edge#

In this last step the <cp> command was used to copy the “Very_Big_File.iso” file from the cluster to a local folder on the client. To measure the elapsed time of transfer the Linux <time> command was used.

CLIENT-HQ-01V
root@CLIENT-HQ-01V:/mnt/share# time cp Very_Big_File.iso /home/godadmin/

real	2m7.513s
user	0m0.016s
sys	0m6.236s
root@CLIENT-HQ-01V:/mnt/share#

CLIENT-EDGE-01V
root@CLIENT-EDGE-01V:/mnt/share_edge# time cp Very_Big_File.iso /home/godadmin/

real	4m2.391s
user	0m0.021s
sys	0m6.902s
root@CLIENT-EDGE-01V:/mnt/share_edge#

CLIENT-EDGE-02V
root@CLIENT-EDGE-02V:/mnt/share_edge# time cp Very_Big_File.iso /home/godadmin/

real	2m16.169s
user	0m0.054s
sys	0m6.128s
root@CLIENT-EDGE-02V:/mnt/share_edge# 

The following table shows the elapsed transfer time of each test performed. As you can see, CLIENT-HQ-01V, located at the Gurabo site, has direct access to the shared folder on the origin volume, which helps it achieve a lower transfer time of 2m7.513s. CLIENT-EDGE-01V is connected at the Ponce site and uses the shared folder from the flexcache volume; since the content was not initially in the cache, its transfer time was higher (4m2.391s). This behavior is due to the need to load the entire contents of “Very_Big_File.iso” from the source volume over the InterCluster LIF connection. Finally, CLIENT-EDGE-02V had a transfer time similar to CLIENT-HQ-01V (2m16.169s) since the content of the “Very_Big_File.iso” file was already in the cache of the flexcache volume.

Client Name        Elapsed Time
---------------    ------------
CLIENT-HQ-01V      2m7.513s
CLIENT-EDGE-01V    4m2.391s
CLIENT-EDGE-02V    2m16.169s

Till next time!

NetApp Aggregate Encryption (NAE) in ONTAP

© 2021 NetApp

Previously in a post I explained how to set up an encrypted volume using an encryption key manager (KMS) specifically from the company HyTrust. In this specific case each volume is encrypted individually using independent keys. A disadvantage of this method is that it affects the possibility of increasing the efficiency levels of data reduction such as compression, compaction and de-duplication (cross-volume-dedupe).

To eliminate this disadvantage the NetApp gurus came up with the idea of applying the encryption feature at the aggregate level by allowing volumes residing within the same aggregate to share the encryption key. This technology is known as “NetApp Aggregate Encryption” (NAE). This allows customers the option to take advantage of storage efficiency technologies in conjunction with the encryption process.

Now it’s time to talk about how we can create an encrypted aggregate in Ontap but first of all… What is an aggregate within Ontap?

Using the NetApp Knowledge Base portal as a reference:

An aggregate is a collection of disks (or partitions) arranged into one or more RAID groups.  It is the most basic storage object within ONTAP and is required to allow for the provisioning of space for connected hosts.

NetApp Knowledge Base
© 2021 flackbox.com

Step 1: Validate Ontap requirements.

In order to use the encryption option at the aggregate level, Ontap 9.6 or higher is required. Also make sure the required licenses are installed in the cluster. In this case we use the command <version> to validate the current version of the cluster and the command <license show -package VE> to display the license information.

OnPrem-HQ::> version
NetApp Release 9.9.1RC1: Fri Apr 30 06:35:11 UTC 2021
 
OnPrem-HQ::> license show -package VE -fields package,owner,description,type  
  (system license show)
serial-number                  package owner         description               type    
------------------------------ ------- ------------- ------------------------- ------- 
X-XX-XXXXXXXXXXXXXXXXXXXXXXXXX VE      OnPrem-HQ-01 Volume Encryption License license 
X-XX-XXXXXXXXXXXXXXXXXXXXXXXXX VE      OnPrem-HQ-02 Volume Encryption License license 
2 entries were displayed.

OnPrem-HQ::> 

Note: I previously did the external KMS setup in Ontap. Link

Step 2: Validate the available “Spare” disks.

To begin with, there are two ways to encrypt an aggregate: at creation time, or by live conversion of an existing one. Initially I will be creating a new aggregate and then in another tutorial I will show you how easy it is to convert an existing one. To create an aggregate you need to have disk drives available or in the “spare” state as NetApp commonly calls it.

The <storage aggregate show-spare-disks> command allows us to see how many partitioned disks are available on the node where I will create the new encrypted aggregate. In this particular case you can see that there are 24 partitioned disks using the “Root-Data1-Data2” option. To learn more about this disk strategy please follow the link below:

ADP(v1) and ADPv2 in a nutshell, it’s delicious!

 © 2021 Chris Maki
OnPrem-HQ::> storage aggregate show-spare-disks -original-owner OnPrem-HQ-01 
                                                                      
Original Owner: OnPrem-HQ-01
 Pool0
  Root-Data1-Data2 Partitioned Spares
                                                              Local    Local
                                                               Data     Root Physical
 Disk             Type   Class          RPM Checksum         Usable   Usable     Size Status
 ---------------- ------ ----------- ------ -------------- -------- -------- -------- --------
 VMw-1.1          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.2          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.3          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.4          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.5          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.6          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.7          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.8          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.9          SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.10         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.11         SSD    solid-state      - block           11.63GB   3.35GB  26.67GB zeroed
 VMw-1.12         SSD    solid-state      - block           11.63GB   3.35GB  26.67GB zeroed
 VMw-1.13         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.14         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.15         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.16         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.17         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.18         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.19         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.20         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.21         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.22         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.23         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
 VMw-1.24         SSD    solid-state      - block           11.63GB       0B  26.67GB zeroed
24 entries were displayed.

OnPrem-HQ::> 

Step 3: Create an encrypted aggregate.

To create the encrypted aggregate we use the <storage aggregate create> command with the option <encrypt-with-aggr-key true> turned on. In this case we create a secure aggregate composed of 23 disk “partitions”.

Note: For this example the RAID type “Dual Parity” was used.

OnPrem-HQ::> storage aggregate create -aggregate OnPrem_HQ_01_SSD_1 -diskcount 23 -node OnPrem-HQ-01 -raidtype raid_dp -encrypt-with-aggr-key true 

Info: The layout for aggregate "OnPrem_HQ_01_SSD_1" on node "OnPrem-HQ-01"
      would be:
      
      First Plex
      
        RAID Group rg0, 23 disks (block checksum, raid_dp)
                                                            Usable Physical
          Position   Disk                      Type           Size     Size
          ---------- ------------------------- ---------- -------- --------
          shared     VMw-1.1                   SSD               -        -
          shared     VMw-1.2                   SSD               -        -
          shared     VMw-1.3                   SSD         11.61GB  11.64GB
          shared     VMw-1.4                   SSD         11.61GB  11.64GB
          shared     VMw-1.5                   SSD         11.61GB  11.64GB
          shared     VMw-1.6                   SSD         11.61GB  11.64GB
          shared     VMw-1.7                   SSD         11.61GB  11.64GB
          shared     VMw-1.8                   SSD         11.61GB  11.64GB
          shared     VMw-1.9                   SSD         11.61GB  11.64GB
          shared     VMw-1.10                  SSD         11.61GB  11.64GB
          shared     VMw-1.18                  SSD         11.61GB  11.64GB
          shared     VMw-1.16                  SSD         11.61GB  11.64GB
          shared     VMw-1.13                  SSD         11.61GB  11.64GB
          shared     VMw-1.14                  SSD         11.61GB  11.64GB
          shared     VMw-1.15                  SSD         11.61GB  11.64GB
          shared     VMw-1.19                  SSD         11.61GB  11.64GB
          shared     VMw-1.20                  SSD         11.61GB  11.64GB
          shared     VMw-1.21                  SSD         11.61GB  11.64GB
          shared     VMw-1.17                  SSD         11.61GB  11.64GB
          shared     VMw-1.22                  SSD         11.61GB  11.64GB
          shared     VMw-1.11                  SSD         11.61GB  11.64GB
          shared     VMw-1.12                  SSD         11.61GB  11.64GB
          shared     VMw-1.23                  SSD         11.61GB  11.64GB
      
      Aggregate capacity available for volume use would be 219.5GB.
      
Do you want to continue? {y|n}: y
[Job 817] Job succeeded: DONE                                                  

OnPrem-HQ::> 

Once the aggregate is created, it must be validated. To do so, use the command <storage aggregate show> and include the <encrypt-with-aggr-key> field in the result.

OnPrem-HQ::> storage aggregate show -fields aggregate,size,availsize,usedsize,state,node,raidstatus,encrypt-with-aggr-key 
aggregate           node          availsize raidstatus      size    state  usedsize encrypt-with-aggr-key 
------------------- ------------- --------- --------------- ------- ------ -------- --------------------- 
OnPrem_HQ_01_SSD_1 OnPrem-HQ-01 219.5GB   raid_dp, normal 219.5GB online 480KB    true                  
OnPrem_HQ_02_SSD_1 OnPrem-HQ-02 209.3GB   raid_dp, normal 219.5GB online 10.12GB  false                 
aggr0_OnPrem_HQ_01 OnPrem-HQ-01 1.11GB    raid_dp, normal 22.80GB online 21.69GB  false                 
aggr0_OnPrem_HQ_02 OnPrem-HQ-02 1.11GB    raid_dp, normal 22.80GB online 21.69GB  false                 
4 entries were displayed.

OnPrem-HQ::> 

In the command result you can see that the aggregate was created with encryption capability enabled.

Step 4: Create a volume within the encrypted aggregate.

Unlike volume-level encryption (NVE), when using aggregate-level encryption it is not required to specify the encrypt option to create the volume. The command <vol create> creates an encrypted volume by default when the volume resides in an aggregate configured with NAE.

OnPrem-HQ::> vol create -vserver SAN -volume Secure_Vol -aggregate OnPrem_HQ_01_SSD_1 -size 10GB -space-guarantee none 
[Job 818] Job succeeded: Successful                                            

OnPrem-HQ::>

By using the <vol show> command with the <encryption-state full> filter option you can see the volume was created encrypted by default.

OnPrem-HQ::> vol show -encryption-state full -aggregate OnPrem_HQ_01_SSD_1 -fields Vserver,Volume,encrypt,encryption-type,encryption-state 
vserver volume     encryption-type encrypt encryption-state 
------- ---------- --------------- ------- ---------------- 
SAN     Secure_Vol aggregate       true    full             

OnPrem-HQ::>
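To check the result of Steps 3 and 4 across a whole cluster rather than one volume at a time, the following Python sketch (an added example, not code from the original post or from NetApp) joins captured <storage aggregate show -fields> and <vol show -fields> output and classifies every volume by how it is encrypted. The captures are constructed: Secure_Vol and the aggregate names come from the output above, while NVE_Vol, Plain_Vol, Partial_Vol, the "partial" state value, the added aggregate column and the status labels are assumptions.

```python
# Constructed captures in the "-fields" layout shown above. NVE_Vol, Plain_Vol
# and Partial_Vol are hypothetical volumes added to exercise each branch.
AGGR_OUTPUT = """
OnPrem-HQ::> storage aggregate show -fields aggregate,node,encrypt-with-aggr-key
aggregate          node         encrypt-with-aggr-key
------------------ ------------ ---------------------
OnPrem_HQ_01_SSD_1 OnPrem-HQ-01 true
OnPrem_HQ_02_SSD_1 OnPrem-HQ-02 false
2 entries were displayed.
"""

VOL_OUTPUT = """
OnPrem-HQ::> vol show -fields vserver,volume,aggregate,encrypt,encryption-type,encryption-state
vserver volume      aggregate          encryption-type encrypt encryption-state
------- ----------- ------------------ --------------- ------- ----------------
SAN     Secure_Vol  OnPrem_HQ_01_SSD_1 aggregate       true    full
SAN     NVE_Vol     OnPrem_HQ_02_SSD_1 volume          true    full
SAN     Partial_Vol OnPrem_HQ_02_SSD_1 volume          true    partial
NAS     Plain_Vol   OnPrem_HQ_02_SSD_1 none            false   none
4 entries were displayed.
"""


def parse_fields(text):
    """Parse '-fields' output into dicts keyed by the header names.

    ONTAP chooses the column order itself (compare the command and the header
    in Step 4), so cells are looked up by name, never by position.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i and line.strip() and set(line.strip()) <= set("- "):
            header = lines[i - 1].split()
            rows = []
            for row in lines[i + 1:]:
                cells = row.split()
                if len(cells) != len(header) or row.rstrip().endswith("displayed."):
                    break
                rows.append(dict(zip(header, cells)))
            return rows
    return []


def classify_volumes(aggr_rows, vol_rows):
    """Map 'vserver:volume' to nae, nve, plaintext, incomplete or mismatch."""
    nae_aggrs = {a["aggregate"] for a in aggr_rows
                 if a["encrypt-with-aggr-key"] == "true"}
    statuses = {}
    for vol in vol_rows:
        if vol["encrypt"] != "true":
            status = "plaintext"        # no encryption at all
        elif vol["encryption-state"] != "full":
            status = "incomplete"       # encryption has not covered all data
        elif vol["encryption-type"] == "aggregate":
            # The volume claims the shared aggregate key: the aggregate must be NAE.
            status = "nae" if vol["aggregate"] in nae_aggrs else "mismatch"
        else:
            status = "nve"              # per-volume key, no cross-volume dedupe
        statuses[f'{vol["vserver"]}:{vol["volume"]}'] = status
    return statuses


def needs_attention(statuses):
    """Volumes that are not fully protected or whose captures disagree."""
    return sorted(name for name, status in statuses.items()
                  if status in {"plaintext", "incomplete", "mismatch"})


if __name__ == "__main__":
    result = classify_volumes(parse_fields(AGGR_OUTPUT), parse_fields(VOL_OUTPUT))
    for name, status in result.items():
        print(f"{name:20} {status}")
    print("needs attention:", ", ".join(needs_attention(result)))
```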

Summary

In this tutorial I showed you how to configure the aggregate level encryption technology within Ontap that allows us to use a unique security key to create encrypted volumes. This allows us to use data reduction technologies in conjunction with security mechanisms that enhance or strengthen the security posture of the organization.