ser1166bu vmware vsphere platform services …...–latency between pscs –low as possible...

Jishnu Surendran ThankamaniAgnes James

SER1166BU

#VMworld #SER1166BU

VMware vSphere Platform Services Controller Housekeeping Strategies – Expert Talk

VMworld 2017 Content: Not fo

r publication or distri

bution

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer

2#SER1166BU CONFIDENTIAL



bution

1 Know more about PSC

2 Right decisions at right time

3 Know what to do, what not to do

4 Safe recovery

#SER1166BU CONFIDENTIAL 3



bution




4 Safe recovery




bution

VMware

Certificate

Authority

Single Sign-On

Infrastructure Services Offered by PSC

5

Platform Services Controller

VMDir

VMware Certificate

authority

IDMD

STS

LookupService

SSOAdmin

Service Registration

Service Name

Service product

Service Type

Site ID

Node ID

Owner ID

End Point(s)

Type

Protocol

URL

SSL Trust /Anchor points

Attributes

#SER1166BU CONFIDENTIAL



bution

Certificates

6

VECS

VECS




bution




4 Safe recovery




bution

Topology Based Best Practices

• Embedded PSC

– Expected to be simple topology with easy maintenance

– Availability management is a matter of protecting a single machine

• VCHA

• External PSC

– Expected to used with multiple vCenter involved

– Availability management based on Load balancer options

– When more than one PSCs involved replication becomes the point of interest

– Maintain same build of PSCs

– Use sites to group PSCs in multiple HA groups – PSCs behind load balancer

– Latency between PSCs – Low as possible




bution

Configuration Maximums

• Max number of PSCs supported in replication – 8 (6.0), 10 ( 6.5)

• Max number of PSCs behind load balancer – 4

• Maximum vCenters in single SSO domain – 10 ( 6.0 & 6.5 ), 15 ( 6.5 U1)

• Group membership per user for best performance : 1015




bution

Factors for Design Decisions

10

Area Choices Justification Implication

Deployment

topology

EmbeddedReduced resource utilization for Management. VCHA availability need on PSC as well

VCs in linked mode is not a supported topology

External Multi-VC and Single Management access More VMs to manage

SSO Domain

One Share Authentication and license data across components and regions/Disposable PSC.

More than oneEmbedded PSCs/Replication requirements are not met

Separate availability/Management practice

Replication

Topology

LinearNo manual intervention. Agreements made in deployment order

Single point of failure possible in more than two PSC case

Ring Each PSC with two replication partnersCommand-line interface must be used

PSC HA

Stand by PSC without Load balancer

Load balancer management overhead is a constraint/Manual Failover acceptable

Manual repointing on PSC failure

Two PSC behind a load balancer High availability Administrative overhead

vSphere HA VM/Platform level failures




bution

More Options

• SSH access – Disable/Enable

• Certificates – Custom/VMCA/VMCA as Subordinate ( Hybrid recommended )

• TLS configurator – http://kb.vmware.com/kb/2147469

• Patching – Update using updaterepo.zip bundles / Full Product and VIMpatch iso

• NTP – Sync from ESXi / NTP server




bution

References for Architectural Decisions

• VMware Validated Design

• vSphere Topology Decision Tree Poster

• Topology upgrade planning tool

• VMware Digital Marketing whitepaper




bution




4 Safe recovery




bution

Do's and Don'ts

14

Do’s:

• Best practice and FAQ reviews

• Be aware of health monitoring options

• Backup and restore points before any

change

• Know the complexity of implementation

• Ensure minimum one PSC availability

for vSphere domain and site

Don’ts:

• Unmanaged decommission procedure –

Delete the Appliances directly

• Snapshot revert and backup restore of

Single PSC when replication involved

• Using same vSphere domain name and

Active directory domain name

• Make replication agreement between PSC

of different SSO domains

• PSC PNID change




bution

Health Check Options and Maintenance

GUI

15

Two almost identical GUI to manage PSC

CPU and Memory stats

Storage Stats

Network StatsVMworld 2017 Content: N

ot for publicatio

n or distribution

Health Check Options and Maintenance

Commands:

16

Solution users

Information about nodes

Service registrations

Replication quick status

Replication Detailed Status

PSC used by VC



bution

Managing Complexity of Implementation

• Know the site topology

• Service registration to Site mapping

• Know the Replication agreements

• VC to PSC dependency

Disclaimer: Please take extreme caution when connecting to the vmdird database, this is primarily for educational purposes. You should take extreme care in making changes while in the database else you can negatively impact your environment.

17



bution

Services list empty for a search with decommissioned PSC machine nameList of nodes from GUI

Search for Endpoint URLs with node name, it should be no match

Before After

Two solution users reduced

Before After

List of nodes

Unregister command execution

Additional validation while decommissioning a PSC

Ensure all VCs are pointing to a PSC other than the one getting decommissioned

Decommission PSC psc01a.vcloud.local

Before After

Solution users list

Unregister from respective source solution

Along with VC one of the NSX manager also can to be decommissioned

Decommission NSX associated with VC

Empty service list for a search using decommissioned VC nameList of nodes in GUI post decommission of vc2

Search for Endpoint URLs with node name, it should be no match

Before After

Node list from command line

Before After

Four Solution users reduced

Unregister command execution

KB article to decommission VC/PSC nodeshttp://kb.vmware.com/kb/2106736

Search for Endpoint URLs with node name

Save the output to a file and review

OR

Review output directly piping to less

List of nodes from command lineSolution users from command lineList of vCenters in Inventory

List of Solution UsersList of services from the node by searching with node name

Decommission vc2.vcloud.local

List of nodes from GUI

Decommission - Demo

18



bution

http://kb.vmware.com/kb/2106736

Certificate Replacement

19

Machine certificate of node as End point’s SSL trust in service registrations



bution




4 Safe recovery




bution

Backup Plan

• Image level backup and File level backup (vSphere 6.5)

• Snapshots before changes – temporary restore points

• Keep a copy of lstool.py list output for reference

Special consideration of restore when replication is involved:

– Use powered off state snapshot of PSCs created together to revert changes.




bution

Quick Recovery Options

• Repoint VC to available PSC at the same site

• Quick temporary PSC deployment

• Image based restore with two methods (6.0):

– psc_restore

– psc_restore with --ignore-sync

• File based backup and Image based backup (6.5):

– /usr/bin/vcenter-restore




bution

23




4 Safe recovery




bution

Q&A



bution



bution

ser1166bu vmware vsphere platform services …...–latency between pscs –low as possible...

Documents