In these times of “sheltering in place” if you are American, or “lockdown” for the rest of the world, it is the perfect time to learn something new or improve your skills in something you think you already know. Things I personally will be looking at are the recently released vSphere 7, which will incidentally broaden my knowledge of Kubernetes, improving my Terraform skills related to the use of Infrastructure as Code on containers, and, for something new, Python. What are you going to do during this period? Learn what’s new in VMware vSphere 7, of course.
To undertake learning effectively, it needs to be normalized into your daily routine, just like the rest of your “new” tasks. So, as a way of focusing my mind and hopefully improving your knowledge base, let’s get started with this first post, a primer on VMware’s newest version of vSphere, version 7.
What’s New in vSphere 7
vSphere has been the flagship product for VMware, providing the vast majority of its revenue. The release of version 7 sees the biggest change to the core product since ESXi was first released with version 3.5.
There has been plenty said about the rewriting of vSphere to make containers a first-class citizen on vSphere and we wrote about that at a high level in this post; as such we will concentrate on the other new features.
- Simplified Lifecycle Management – new tools for simplified upgrades, patching and configuration
- vCenter Improvements – vCenter Profiles and Content Library improvements
- Security Enhancements – vSphere Trust Authority and Identity federation
- Application acceleration – enhancements in DRS and vMotion for large and mission-critical workloads
vSphere Update Manager is dead, long live VMware vSphere Lifecycle Manager
The rather limited Update Manager has been replaced by Lifecycle Manager. For those with long memories, this is not the old VMware Lifecycle Manager but more of an Update Manager (VUM) on steroids. Lifecycle Manager, like VUM, is a vCenter service, and just like VUM you can use the Update Manager Download Service (UMDS) or a manual process to populate Lifecycle Manager’s image depot. So what exactly does it provide that makes it a better option than the tried and tested VUM? So far it seems that it just downloads and applies patches.
VMware vSphere Lifecycle Manager
VMware has always been able to update ESXi using custom third-party images through VUM, but never third-party drivers or firmware updates; these had to be done as a manual, out-of-band process. This meant you could be running hosts with hardware drivers and firmware that have a known bug until Cisco, HP or Dell update their base image, or until you can find time to plan an outage to update firmware and device drivers, which meant a manual rolling outage across your cluster.
With the release of vSphere 7 you can now use images to define a desired state for hosts across clusters; more importantly, this image can include updated, individually validated third-party drivers and firmware updates. This means that a tested image can roll out across a cluster, updating firmware, third-party device drivers and the core ESXi base OS in a single pass.
This lifecycle image can also be used to confirm host consistency across clusters and across hosts of the same make and model. Lifecycle Manager can verify hardware against the VMware Compatibility Guide and the vSAN Hardware Compatibility List to confirm compliance and supportability.
Upgrading and patching
Upgrading and patching the vCenter appliance has always been a fraught experience. The vCenter Update Planner should simplify this process. This feature lets you run what-if scenarios against your environment to verify that an upgrade won’t break anything. This is a massive time-saver: prior to this you needed to manually check the VMware Product Interoperability Matrices, a lengthy and error-prone exercise, and to have an encyclopedic knowledge of your environment and the various products, versions, patch levels and editions across your estate.
We now have desired-state configuration management capabilities for vCenter Server too. This enables users to define, validate and apply configuration to multiple vCenter Servers programmatically. The feature is currently only available via the vCenter REST API. Once you have configured your newly deployed vCenter 7.0, you export the configuration as a JSON-formatted file. This configuration can then be used to manage the configuration of up to 100 vCenter Servers.
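As an added illustration of the desired-state idea (this is example code written for this post, not VMware’s API or its profile schema), the script below compares an exported baseline configuration against a second export and reports every drifted setting by path. The two JSON documents are constructed stand-ins for a reference vCenter and a drifted one; the same comparison applies to checking hosts against a Lifecycle Manager image.

```python
"""Desired-state drift check over exported configuration documents.

Added example, not VMware's code. BASELINE_JSON and LIVE_JSON are constructed
samples; the real vCenter profile schema is not reproduced here.
"""
import json
from typing import Any, Iterator, List, Tuple

# Constructed "golden" configuration exported from a reference vCenter.
BASELINE_JSON = """
{
  "appliance": {
    "ntp": {"servers": ["ntp1.example.test", "ntp2.example.test"], "mode": "NTP"},
    "ssh": {"enabled": false},
    "syslog": {"forwarding": [{"hostname": "syslog.example.test", "port": 514, "protocol": "TLS"}]}
  },
  "auth": {"password_policy": {"max_days": 90, "min_length": 15}}
}
"""

# Constructed export from a second vCenter whose configuration has drifted.
LIVE_JSON = """
{
  "appliance": {
    "ntp": {"servers": ["ntp1.example.test"], "mode": "NTP"},
    "ssh": {"enabled": true},
    "syslog": {"forwarding": [{"hostname": "syslog.example.test", "port": 514, "protocol": "UDP"}]},
    "backup": {"schedule": "daily"}
  },
  "auth": {"password_policy": {"max_days": 90, "min_length": 15}}
}
"""

Difference = Tuple[str, str, Any, Any]  # (json_path, kind, desired, actual)


def diff(desired: Any, actual: Any, path: str = "$") -> Iterator[Difference]:
    """Yield one tuple per difference between the desired and actual trees.

    kind is 'missing' (in desired only), 'extra' (in actual only) or
    'changed' (both present, values differ). Lists are compared positionally
    so ordered settings such as NTP server lists report drift per element.
    """
    if isinstance(desired, dict) and isinstance(actual, dict):
        for key in sorted(set(desired) | set(actual)):
            child = f"{path}.{key}"
            if key not in actual:
                yield child, "missing", desired[key], None
            elif key not in desired:
                yield child, "extra", None, actual[key]
            else:
                yield from diff(desired[key], actual[key], child)
    elif isinstance(desired, list) and isinstance(actual, list):
        for i in range(max(len(desired), len(actual))):
            child = f"{path}[{i}]"
            if i >= len(actual):
                yield child, "missing", desired[i], None
            elif i >= len(desired):
                yield child, "extra", None, actual[i]
            else:
                yield from diff(desired[i], actual[i], child)
    elif desired != actual:
        yield path, "changed", desired, actual


def drift_report(desired_json: str, actual_json: str) -> List[Difference]:
    """Parse both documents and return the differences ordered by path."""
    return sorted(diff(json.loads(desired_json), json.loads(actual_json)), key=lambda d: d[0])


if __name__ == "__main__":
    for json_path, kind, want, got in drift_report(BASELINE_JSON, LIVE_JSON):
        print(f"{kind:8} {json_path}: desired={want!r} actual={got!r}")
```

Run against the samples it flags SSH having been enabled, a dropped NTP server, syslog forwarding downgraded from TLS to UDP and an unmanaged backup setting; an empty report is the "compliant" result.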
A content library is a vSphere object that stores VM templates, vApp templates and ISO files. Content libraries help maintain a centralized repository and were a vast improvement on the old method of manually maintaining various ISO datastores; prior to the content library, vApp and template management was arduous. So what enhancements have been added?
Template versioning. This is only available for templates stored in a content library and is especially useful for lifecycle management: templates can now be checked out to be updated while the unchanged version remains available for users to deploy without disruption. Once you have updated the template, simply check the new version back in and follow the wizard to add notes about your changes in that version (think of it as adding a snapshot).
One of the major advantages of content libraries over traditional ISO datastores is the ability to automatically synchronize data from a central store to locally hosted cloned libraries; version 7 introduces greater control over this synchronization.
Finally, content library privileges have received a bit of an update, with a few new permissions to reflect the ability to undertake versioning processes on templates.
Security and Compliance
vSphere 7 has a few enhancements to its core security.
vSphere Software Guard Extensions (vSGX)
This is hardware protection for secrets. It allows applications to work with the hardware to create a secure enclave that cannot be viewed by the guest OS or the hypervisor, and applications can move sensitive logic and storage into this enclave. It is only supported on hosts with Intel processors that support SGX, where the feature has been enabled in the host’s BIOS, and where the VMs are running the latest virtual hardware version, 17.
Improved Certificate Management
VMware has taken time to revisit certificate management in vSphere 7, and as a result it is much simpler. All the solution certificates are now gone, and there is now a REST API to manage the vCenter Server certificates programmatically.
There are now four methods of handling certificates in vSphere 7. The first is Fully Managed mode, where the vCenter Server is its own root CA and this is used to manage the certificates between ESXi hosts, and between ESXi hosts and vCenter Servers. This will still result in an insecure padlock in the browser unless you download the root certificate and install it as a trusted certificate. The second is Hybrid mode: here the VMCA still manages the certificates internally between ESXi hosts and vCenter Servers, but the certificate presented by the vSphere Client is replaced by one from a trusted CA. In this scenario vSphere admins will still need to download and trust the VMCA root certificate to access the ESXi hosts.
The third option is to have the VMCA operate as a subordinate CA; this is unchanged from vSphere 6.x. The final mode is called “Fully Custom Mode”: here the VMCA is not used at all and all certificates are installed manually on each and every vCenter and ESXi host. This is very intrusive and time-consuming, and we do not expect it to be used in any but the most paranoid of environments, as the administration overhead far outweighs the alleged security enhancement.
vSphere Trust Authority (vTA)
This is all about securing the vSphere infrastructure: how we trust that our hosts are configured correctly. VMware has introduced vTA to take care of this from the hardware through to the workloads. vTA creates a hardware root of trust using a small, separately managed cluster of ESXi hosts that take over the task of attestation. Host attestation is where the UEFI Secure Boot process, a server’s Trusted Platform Module (TPM) and an external service work together, using cryptographic keys, to verify that the host is running authentic software and is in a valid and secure configuration.
Where vTA is valuable is that it gives attestation the ability to enforce the rules, by having the trusted hosts themselves take over communication with the key management systems (KMS). This simplifies the connection paths to the KMS, which in turn simplifies the risk-auditing process; it also guarantees that attestation is enforced, by ensuring that any host that fails attestation is denied the necessary secrets. Without those secrets the errant host cannot run an encrypted VM.
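To make the "no attestation, no secrets" rule concrete, here is a small model of attestation-gated key release. It is an added example written for this post, not VMware’s code or the vTA protocol: a host measures each stage of its boot chain into a TPM-style register, the trust authority replays the measurement log and compares it with a known-good value, and the VM encryption key is released only on a match. All digests, host names and keys are constructed, and a per-host HMAC stands in for a TPM-signed quote.

```python
"""Attestation-gated key release, modelled in miniature (illustrative).

Added example, not VMware's code or protocol. Keys, digests and host names are
constructed sample data; the HMAC stands in for a TPM-signed quote.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BOOT_ORDER = ("bootloader", "vmkernel", "config")

# Constructed known-good digests approved by the trust authority.
APPROVED_IMAGE: Dict[str, bytes] = {
    "bootloader": hashlib.sha256(b"bootloader-7.0-signed").digest(),
    "vmkernel": hashlib.sha256(b"vmkernel-7.0-build-sample").digest(),
    "config": hashlib.sha256(b"secureboot=on").digest(),
}
# Constructed drifted host: same bootloader and config, but a stale kernel.
DRIFTED_IMAGE: Dict[str, bytes] = dict(
    APPROVED_IMAGE, vmkernel=hashlib.sha256(b"vmkernel-6.7-stale").digest()
)
# Constructed per-host keys, provisioned out of band when a host is enrolled.
HOST_KEYS: Dict[str, bytes] = {"esx01": b"sample-key-esx01", "esx02": b"sample-key-esx02"}


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def replay(event_log: List[bytes]) -> bytes:
    """Fold an ordered measurement log into a single PCR value."""
    pcr = bytes(32)
    for m in event_log:
        pcr = extend(pcr, m)
    return pcr


@dataclass
class HostQuote:
    """What a host presents: its event log, the final PCR and a MAC over it."""
    host: str
    event_log: List[bytes]
    pcr: bytes
    tag: bytes


def build_quote(host: str, host_key: bytes, image: Dict[str, bytes]) -> HostQuote:
    """Simulate a host measuring each boot component and quoting the result."""
    log = [image[name] for name in BOOT_ORDER]
    pcr = replay(log)
    return HostQuote(host, log, pcr, hmac.new(host_key, pcr, "sha256").digest())


@dataclass
class TrustAuthority:
    """Attestation and key-release decisions, kept off the workload hosts."""
    host_keys: Dict[str, bytes]
    vm_key: bytes = field(default_factory=lambda: os.urandom(32))

    def attest(self, quote: HostQuote) -> bool:
        """Verify the quote, replay its log and compare with the golden PCR."""
        key = self.host_keys.get(quote.host)
        if key is None:
            return False  # unknown host: never enrolled with the authority
        if not hmac.compare_digest(hmac.new(key, quote.pcr, "sha256").digest(), quote.tag):
            return False  # quote was not produced with the host's provisioned key
        replayed = replay(quote.event_log)
        golden = replay([APPROVED_IMAGE[name] for name in BOOT_ORDER])
        return hmac.compare_digest(replayed, quote.pcr) and hmac.compare_digest(replayed, golden)

    def release_key(self, quote: HostQuote) -> Optional[bytes]:
        """Hand out the VM encryption key only to a host that attested."""
        return self.vm_key if self.attest(quote) else None


def run_demo() -> Dict[str, bool]:
    """Exercise the model; True means the host received the VM key."""
    ta = TrustAuthority(HOST_KEYS)
    cases = {
        "healthy": build_quote("esx01", HOST_KEYS["esx01"], APPROVED_IMAGE),
        "drifted": build_quote("esx02", HOST_KEYS["esx02"], DRIFTED_IMAGE),
        "unknown": build_quote("esx99", b"not-enrolled", APPROVED_IMAGE),
        "forged": build_quote("esx01", b"wrong-key", APPROVED_IMAGE),
    }
    return {name: ta.release_key(q) == ta.vm_key for name, q in cases.items()}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:8} key released: {ok}")
```

The drifted host fails even though only one component changed, because the extend operation makes the final register value depend on every measurement and its order; that is the property a real TPM PCR provides and the reason an errant host cannot talk its way to the key.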
vCenter has had the ability to use MFA for a number of years; however, from VMware’s perspective there are a myriad of MFA authentication methods, which makes support difficult. In vSphere 7 VMware has introduced identity federation: here the vCenter Server, on receiving an authentication request, talks to an enterprise identity provider to ascertain the user’s permissions. vCenter has had basic federation for a long time, but it has had to integrate separately for MFA; with the introduction of ADFS support, VMware has opened the door to many more MFA options, as those providers already understand how to communicate with ADFS natively.
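Federation moves authentication to the identity provider, but the relying party still has to validate what comes back before trusting any claim in it. The example below, written for this post and not taken from vCenter or ADFS, shows those checks on a JWT-shaped token: pinned algorithm, signature, issuer, audience and validity window, followed by a mapping from group claims to a role. The issuer, audience, claim names and role mapping are constructed, and a shared HMAC secret is used only so the example runs offline; real providers sign with an asymmetric key that the relying party verifies against the provider’s published keys.

```python
"""Relying-party checks on a federated identity token (illustrative).

Added example, not vCenter's or AD FS's implementation. Uses HS256 with a
constructed shared secret so that it runs stand-alone; production identity
providers use RSA/EC signatures. Issuer, audience, claim names and the
group-to-role table are all constructed sample values.
"""
import base64
import hmac
import json
from typing import Dict, Optional

ISSUER = "https://idp.example.test/adfs"     # constructed identity provider issuer
AUDIENCE = "vcenter.example.test"            # constructed relying-party identifier
SHARED_SECRET = b"demo-only-shared-secret"   # stands in for the provider's signing key
SAMPLE_NOW = 1_700_000_000                   # constructed "current time" for the demo

# Constructed mapping from identity-provider group claims to roles on our side.
GROUP_TO_ROLE = {"vsphere-admins": "Administrator", "vsphere-readers": "ReadOnly"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Produce an HS256 token; this plays the identity provider's part."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), "sha256").digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenRejected(Exception):
    """Raised with the reason a token must not be trusted."""


def validate_token(token: str, now: float, secret: bytes = SHARED_SECRET) -> dict:
    """Apply the checks a relying party makes before acting on any claim.

    The algorithm is pinned (a token-chosen 'alg' is never honoured) and the
    signature is verified before the claims body is parsed at all.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenRejected("malformed token") from None
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token not intended for this service")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenRejected("token not yet valid")
    return claims


def role_for(claims: dict) -> Optional[str]:
    """Map the first recognised group claim to a role; None means no access."""
    for group in claims.get("groups", []):
        if group in GROUP_TO_ROLE:
            return GROUP_TO_ROLE[group]
    return None


def outcome(token: str, now: float) -> str:
    """Summarise a decision as 'accepted:<role>' or 'rejected:<reason>'."""
    try:
        claims = validate_token(token, now)
    except TokenRejected as exc:
        return f"rejected:{exc}"
    return f"accepted:{role_for(claims)}"


def sample_tokens() -> Dict[str, str]:
    """Constructed tokens covering the accept case and the usual rejections."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
            "exp": SAMPLE_NOW + 600, "groups": ["vsphere-readers"]}
    return {
        "valid": mint_token(base),
        "expired": mint_token(dict(base, exp=SAMPLE_NOW - 1)),
        "wrong_audience": mint_token(dict(base, aud="some-other-app")),
        "wrong_issuer": mint_token(dict(base, iss="https://other-idp.example.test")),
        "forged": mint_token(base, secret=b"a-key-the-provider-never-issued"),
        "no_group": mint_token(dict(base, groups=["helpdesk"])),
    }


if __name__ == "__main__":
    for name, tok in sample_tokens().items():
        print(f"{name:15} {outcome(tok, SAMPLE_NOW)}")
```

The "no_group" case is the one worth watching in a real deployment: a perfectly valid token from the right provider still yields no role, so authorization stays with the relying party even though authentication has been delegated.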
VMware has also included Bitfusion in vSphere 7, which enables the use of GPU virtualization to accelerate AI/ML workloads. There is also support for persistent memory, and improvements to vMotion and DRS to provide quicker migrations of workloads during times of contention or maintenance, especially for larger virtual machines.
This post has not specifically talked about the project formerly known as Pacific, or Tanzu, which marked vSphere 7 out as a transformational release and a major rewrite of large swathes of core code. Even without those major changes, however, what’s new in VMware vSphere 7 is still a lot; VMware has done a sterling job of delivering a significant amount of value in other areas.