Luke

vCenter Server Appliance fails with EXT4-fs journal errors

vCenter’s not responding properly

Scroll down to bottom for TL;DR version

I got a text message this evening from a colleague of mine (@FrankRax) stating our lab was down. I tried to hit the vCenter and the hosts & clusters view wouldn’t load in the web client, just left me with the spinning wheel:

Okay, that’s fine, so I’ll check the VAMI, or Management UI of the VCSA, but then I got really scared when I saw this:

This isn’t a fresh install, it’s been a lab for a long time, actually even upgraded to 6.5u1 not that long ago. Now I know for a fact something’s gone wrong, so I launched the host client on each node in the cluster until I found the vCenter Server Appliance VM and launched the console, and was pretty much horrified at what I saw
the following content may be disturbing to some audiences, viewer discretion is advised

Error when Deploying a New VMware VM from Template: “you do not have permissions to assign this network”

I was trying to deploy a new VM from a vSphere template, but I kept getting the error: “you do not have permissions to assign this network”

Getting Started with VMware vSAN: Hybrid or All Flash?

Everyone hears about VMware’s Virtual SAN and how awesome it is. It’s a very compelling offering and is only overshadowed by their software defined networking solution NSX.

The biggest hurdle: how to get started.

The truth is it’s extremely simple to enable and start using, but that’s not the “getting started” I’m talking about. I wanted to cover off some things to think about when you’ve decided you’re going down the VSAN path.

How do you know how many IOPS to expect, or how much storage you will have or need, should you go hybrid or all flash, and what resiliency or protection options you have, and the impact of those.

First things first: Hybrid or All Flash?

The world v. CrossFit – Can we stop the hate?

I’ve been a fan of fitness for many many years. Am I an “athlete”? I’m sure that depends on the interpretation, but the word athlete is defined as a person who is proficient in sports and other forms of physical exercise. I played football in middle school, by high school, everyone was bigger than me, so I played golf my entire high school career.

After high school, I began going to the gym, mostly light strength training, I would run a little here in there. And by a little, I mean 1-2 miles. I ran a 5k in high school when I was maybe 16, and think I finished with a time of roughly 26 minutes & change, by no means fast.

Fast forward to today. I still hit the gym, although more focused on strength & high intensity. Every once in a while, Google Now will throw something into my feed that’s interesting. A while back, I saw an article from Runners World: The CrossFit Workout Runners Should Actually Try. It outlined some workouts regularly found in CrossFit to help runners.

Where am I going with this?

TL-DR: See below for details on these commands

Create a local user in the NSX Manager’s CLI, then use the API to grant CLI privileges to that user.

Here’s how using a linux machine:
ssh admin@[nsxmanagerIP] enable config t user vrops-readonly password plaintext notrealpassword user vrops-readonly privilege web-interface
Log out of the NSX Manager (type exit) and stay logged into the linux machine.
Create cli-auditor.xml that contains this (replace brackets with greater/less than):
[?xml version="1.0" encoding="ISO-8859-1" ?] [accessControlEntry] [role]auditor[/role] [resource] [resourceId]globalroot-0[/resourceId] [/resource] [/accessControlEntry]
Add the user as an auditor in the NSX Manager as a CLI user:
curl -i -k -u 'admin:password' -H "Content-Type: application/xml" -X POST --data "@cli-auditor.xml" https://nsxmanagerip/api/2.0/services/usermgmt/role/vrops-readonly?isCli=true
Add your domain/vCenter user as an auditor in the NSX Manager (NOT as a CLI user):
curl -i -k -u 'admin:password' -H "Content-Type: application/xml" -X POST --data "@cli-auditor.xml" https://nsxmanagerip/api/2.0/services/usermgmt/role/[email protected]?isCli=false

Details for creating the NSX CLI user for vROps

Automatic Plex Media Server update script for Linux/Ubuntu

I’m sure many of you know of Plex Media Server (PMS) and how awesome it can be for letting your kids watch your movies on the go. It likely needs no introduction, but if you’d like to learn more, please click Plex Media Server to be taken to their site.

In my home lab running ESXi through my VMUG Advantage EVALexperience (shameless plug, I know), I have an ubuntu VM I built specifically for PMS with 2 vCPUs & 4GB of RAM.

I then set up the mounts for my Synology NAS where my movie folders are so they’re mounted at boot, installed PMS, configured libraries, did some customizations, and BOOM! Kids’ movies on my phone on the go!

Sounds awesome! Why are you writing a post?

My phone is spying on me!

Today at lunch we were talking about the primaries and how everyone was doing in the races. I was eating my lunch with my phone sitting on the table off to the side.

As our conversations continued, I picked up my phone and decided to check Google Now. There was nothing really out of the ordinary. As I scrolled, I saw this:

I thought how that’s a strange coincidence, then brought it up to the lunch crowd and joked how my phone was eavesdropping on our conversation. We all laughed and continued the joke as I put my phone down.

A few minutes later, I went back in to Google Now and it had a tile titled “Is your smartphone listening to you?”

Wow!! Really?? Yes, it was there, but too bad I didn’t screenshot it. After I clicked the link, then came back to Google Now and it refreshed, tile gone 😢

Coincidence? I think not!

vSphere Fault Tolerance Role Privilege names have changed from vSphere 5.5 to 6.0

I was playing in my lab today and ran across something I thought was strange. I exported the privileges from a test role in one lab, which happened to be vSphere 5.5, then tried to create a new role in vCenter 6.0 with the privileges I just pulled. It worked fine for almost everything, except these two:

Could not find Privilege with name 'Enable Fault Tolerance'. Could not find Privilege with name 'Disable Fault Tolerance'.

I thought that was kind of strange, so I ran a quick

Get-VIPrivilege | ? {$_.name -like "*fault*"} | select Name,Id

1	Get-VIPrivilege \| ? {$_.name -like "fault"} \| select Name,Id

and looked for something similar. Below is the comparison of 5.5 & 6.0:

vSphere 5.5
Name - Id ------ Turn On Fault Tolerance - VirtualMachine.Interact.CreateSecondary Turn Off Fault Tolerance - VirtualMachine.Interact.TurnOffFaultTolerance Disable Fault Tolerance - VirtualMachine.Interact.DisableSecondary Enable Fault Tolerance - VirtualMachine.Interact.EnableSecondary Query Fault Tolerance compatibility - VirtualMachine.Config.QueryFTCompatibility

vSphere 6.0
Name - Id ------ Turn On Fault Tolerance - VirtualMachine.Interact.CreateSecondary Turn Off Fault Tolerance - VirtualMachine.Interact.TurnOffFaultTolerance Suspend Fault Tolerance - VirtualMachine.Interact.DisableSecondary Resume Fault Tolerance - VirtualMachine.Interact.EnableSecondary Query Fault Tolerance compatibility - VirtualMachine.Config.QueryFTCompatibility

The difference is not drastic, but one simply word, or even one character, out of place will cause your script to fail. It’s easy to see that “Turn On” and “Enable” sound the same, so the need to rename “Enable” to “Resume” makes sense to me. Same with Disable & Suspend. These are just the two I know about, I really should write another article listing which ones have changed, but that’s for another day :)

Just something to watch out for I wanted to share.

Happy scripting!

VMware Virtual SAN Health failed Cluster health test

Here’s the error

While building a new environment for my lab, I ran across an interesting thing yesterday.

I looked at my cluster’s VSAN health and saw this error:

It’s complaining that my hosts don’t have matching Virtual SAN advanced configuration items.

If you click on that error, you’ll see at the bottom where it shows comparisons of hosts and the advanced configurations:

It shows VSAN.DomMaxLeafAssocsPerHost and VSAN.DomOwnerInflightOps as being different between a few of my hosts. Looking at the image above, you’ll see node 09 has values of 36000 and 1024, respectively, while the other nodes 10-12 show 12000 and 0.

I immediately went to the host configuration advanced settings in the web client, searched VSAN and don’t see either of those. I even checked through PowerCLI and can’t see those:

VMware vSphere 5.5 Web Client authentication fails with ‘cannot connect to the vCenter Single Sign On server.’

Earlier this week we were greeted with this awesome message:

It’s so descriptive we knew exactly where to start! Okay, yeah, not really. Sarcasm aside, you’d think the culprit would be SSO. I began checking the two SSO servers we have in an HA configuration and they appeared fine. What’s even more strange is the fat clients were all authenticating fine. I started checking logs on the SSO servers and saw several things similar to this:

2015-08-25 23:20:49,538 INFO [ActiveDirectoryProvider] Failed to find user snip@snipPrincipal id not found: {Name: snip, Domain: snip} via ldap search
and
2015-08-26 00:29:37.709:t@21945040:ERROR: ldap simple bind failed. Error(4294967295)

So I assumed it was SSO again, maybe related to the domain we auth against.

ThepHuck