VMware vMotion View Horizons Replica VDI

When working with a linked-clone replica in VMware View Horizons, you must unprotect the linked-clone base image before vMotioning it to another datastore. The following commands unprotect the base image, let you vMotion it to the new datastore, and finally reprotect it for continued use by VMware View Horizons.

1. Disable provisioning for the VMware View Pool.
2. Change settings in VMware View to reflect the new datastore to use.
3. Unprotect replica.

sviconfig -operation=UnprotectEntity -DsnName=<dsnname> -DbUsername=<dbusername> -DbPassword=<dbpassword> -VcUrl=https://<vcenterurl>/sdk -VcUsername=<username> -VcPassword=<password> -InventoryPath=//vm/VMwareViewComposerReplicaFolder/ -Recursive=true

4. vMotion replica.
5. Reprotect replica.

sviconfig -operation=ProtectEntity -DsnName=<dsnname> -DbUsername=<dbusername> -DbPassword=<dbpassword> -VcUrl=https://<vcenterurl>/sdk -VcUsername=<username> -VcPassword=<password> -InventoryPath=//vm/VMwareViewComposerReplicaFolder/ -Recursive=true

6. Re-enable provisioning.

Reference : http://kb.vmware.com/kb/1008704


Installing XAMPP + Xdebug on Oracle Linux 6.4 x86

This guide will show you how to install XAMPP with Xdebug (compiled) on a RedHat/Oracle Linux 6.4 x86 installation in a few simple steps.

Log in as root, or su over to root, to start with. Let’s start by making sure we have all the development tools necessary to compile the Xdebug library for XAMPP, in addition to bringing the system fully up to date.

yum update -y
yum groupinstall "Development Tools" -y

Grab the download links from ApacheFriends for XAMPP and use wget to get XAMPP and the Development Packages.

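cd ~
# Quote the URL (it contains "?") and name the output file with -O so the tar commands below find it.
wget -O xampp-linux-1.8.1.tar.gz "http://www.apachefriends.org/download.php?xampp-linux-1.8.1.tar.gz"
wget -O xampp-linux-devel-1.8.1.tar.gz "http://www.apachefriends.org/download.php?xampp-linux-devel-1.8.1.tar.gz"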

Extract XAMPP and move it to its permanent location.

tar -xzvf xampp-linux-1.8.1.tar.gz
mv lampp/ /opt

Extract XAMPP Development libraries and copy the include directory into the base of the lampp directory for use with the compiler.

tar -xzvf xampp-linux-devel-1.8.1.tar.gz
cp -r lampp/include /opt/lampp/.

Using PECL, install Xdebug, which will invoke the process to compile the extension.

/opt/lampp/bin/pecl update-channels
/opt/lampp/bin/pecl install Xdebug

Edit the php.ini file to add the newly compiled Xdebug.

vi /opt/lampp/etc/php.ini

Add the following lines at the end of the php.ini configuration file.

zend_extension = "/opt/lampp/lib/php/extensions/no-debug-non-zts-20100525/xdebug.so"
xdebug.remote_enable = 1
xdebug.remote_handler = "dbgp"
xdebug.remote_host = "localhost"
xdebug.remote_port = 9000

Start/Restart XAMPP. Browse to the http://host/xampp/phpinfo.php page to ensure Xdebug was loaded properly.


vSphere Inventory Search 403 Query Service Failed Forbidden

The 403 error which I encountered was tied to the vSphere Client Login Screen. If “Use Windows Session Credentials” is checked, this would cause the 403 errors when searching for a virtual machine.

The workaround is to type in the username and password you are authenticating as, which bypasses any saved session credentials.

There are many articles about the 403 Forbidden error using the Search Inventory feature within the vSphere Client. There is a different range of solutions and workarounds, including reinstalling vCenter! Reinstalling vCenter just didn’t sit well with me since that can be a long process depending on your environment and how your organization responds to certain changes.

Login to the query service failed. The server could not interpret the communcation from the client. (The remote server returned an error: (403) Forbidden.)

404 Error vSphere Login Screenshot

When investigating the log files on the vCenter Server for the Inventory Service located at:

       “C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs\ds.log”

The following two errors stood out when related to this issue:

       “WARN com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl]
Unable to find user data for user: DOMAIN\User”

       “ERROR com.vmware.vim.vcauthorization.impl.PrincipalContextImpl]
Failed to get group memembership”


Root Cause:
After reaching out to support, it turns out that the issue is at login. If the following option is used, “”. It can cause a 403 Error when using the Inventory search.

Work Around: Type in the username and password, even if it is the same identity you are logging in as.

vSphere Login 404 Workaround Screenshot

VMware Support Suggested Permanent Fix: Upgrade to vCenter Server 5.1 Update 1.


VMware vSA vSphere Storage Appliance Installation Parameters

During recent troubleshooting of installing VMware’s vSphere Storage Appliance, I’ve uncovered two installation parameters which could be needed depending on your environment and installation.

The first one allows you to change the username and password that the vSA will use to connect to vCenter with.

VMware-vsamanager.exe /v"VM_SHOWNOAUTH=1"

VMware vSA Install Screenshot

The other parameter allows you to specify the vCenter IP address or FQDN.

VMware-vsamanager.exe /v"VM_IPADDRESS=<fqdn/ip>"

VMware vSA Install Screenshot

… or the two can be combined like

VMware-vsamanager.exe /v"VM_SHOWNOAUTH=1 VM_IPADDRESS=<fqdn/ip>"

Failed to Start Migration Pre-copy Error 0xbad003f vMotion Migration Fix

“A general system error occurred: Failed to start migration pre-copy. Error 0xbad003f. Connection closed by remote host, possibly due to timeout.”
“A general system error occurred: Failed to start migration pre-copy. Error 0xbad004b. Connection reset by peer.”

Another issue that I recently came across was a live vMotion issue where the vMotion migration would fail during the pre-copy, always at 10%. The following issues were either one of the two:

VMware vCenter vSphere Event Log

I performed some basic troubleshooting such as a vmkping. I used the ping command and watched the response times remain consistent during the attempted vMotion migration. No packets were being lost, and I thought that there would be packet loss if there was an issue with Layer 3 IP addressing.

VMware ESXi vmkping

While still on the command line with the ESXi host, I decided to look for any arp entries anyways regardless of my logic to rule it out. I ran the following:

cat /var/log/vmkernel | grep arp

I was wrong, there was another host on the network that had the same IP address!

VMware ESXi Log

I found a new IP address for my VMKernel, updated DNS then updated the IP address on the ESXi host and my issue was resolved!


Increase Login Timeout vSphere Client – KB1002721

By default the login timeout is 20 seconds; VMware KB 1002721 recommends bumping the client login timeout up to 60 seconds. Below is the snippet of code to run against your VMware database to bump login times from 20 seconds to 60 seconds.

Recently, there was an interesting issue after upgrading all our vCenter instances from 5.0 to 5.1. As a result of the upgrade, the most notable item was that logins were starting to fail. This occurred randomly, and I could not find a particular reason for this behavior.

After the parameter is changed, the VMware vCenter Server service must be restarted for this parameter to take effect!

UPDATE [dbo].[VPX_PARAMETER]
SET [VALUE]='60'
WHERE [NAME]='client.timeout.normal'

EMC VNX Check Hotspare Rebuild Successfully After Disk Failure

There are two status codes in a SP Collect that a CE should look at before removing a failed drive.

67d is the hexadecimal address which can be found in the SP Collect logs which indicates that the drive successfully failed over to the hot spare. This can be found in the SPA_navi_getlog.txt and the SPB_navi_getlog.txt respectively.

78b is the address which indicates that the drive has been removed from the array.

EMC VNX SPA Log Rebuild Screenshot

EMC VNX SPB Log Rebuild Screenshot

I received the two tips in this article from a local CE that came onsite one day after a disk failure and is definitely worth a mention.


EMC VNX Check Transitioning Equalizing Faulted LUN Disk

After a disk has faulted, the disk goes into a transitioning or an equalizing state. EMC uses different terminology to describe the action of repairing a faulted disk. Transitioning or equalizing times can vary based on the type and speed of the disk, but your SAN utilization will have a direct impact on how fast a drive rebuilds. Nowhere in Unisphere does it indicate a status or an approximate ETA for when the drive will complete.

You can check the state of the transitioning or equalizing process, but it is buried in the SP Collect logs. Once you perform an SP Collect, it is one large zip file. Expand the zip file and you will find more zip files. There is a zip file that ends in _sas.zip; within that file there will be SPA_cfg_info.txt or SPB_cfg_info.txt, depending on which service processor you performed the SP Collect on. Within that file, look for the information that shows you the status of the transitioning/equalizing process!

EMC VNX Equalizing Log
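
The SP Collect dig described above, and the 67d/78b check from the hot spare article, as one added example (not EMC tooling and not part of the original posts). It searches a collect, including zips nested inside it, without unpacking to disk. The file names come from the articles; the line patterns and every line of the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# File names come from the articles; the line patterns are assumptions about
# how the states and codes appear in the text, so adjust them to your logs.
CFG_INFO = re.compile(r"SP[AB]_cfg_info\.txt$")
NAVI_GETLOG = re.compile(r"SP[AB]_navi_getlog\.txt$")
REBUILD_STATE = re.compile(r"equaliz|transition", re.IGNORECASE)
SPARE_CODES = re.compile(r"\b(?:67d|78b)\b", re.IGNORECASE)


def scan_spcollect(archive, member_re, line_re, prefix=""):
    """Return (member path, line number, line) for every matching line.

    archive is a path or a binary file object. Nested .zip members are opened
    in memory and searched too, so nothing is unpacked to disk.
    """
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.filename.lower().endswith(".zip"):
                try:
                    nested = io.BytesIO(zf.read(info))
                    hits += scan_spcollect(nested, member_re, line_re, path + "!")
                except zipfile.BadZipFile:
                    continue  # skip a truncated inner archive, keep going
            elif member_re.search(info.filename):
                text = zf.read(info).decode("utf-8", errors="replace")
                for number, line in enumerate(text.splitlines(), 1):
                    if line_re.search(line):
                        hits.append((path, number, line.strip()))
    return hits


def build_sample():
    """Constructed stand-in for an SP Collect; every line in it is made up."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("SPA_cfg_info.txt",
                    "CONSTRUCTED disk 0_0_5\nState: Equalizing\nState: Enabled\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("CONSTRUCTED_sas.zip", inner.getvalue())
        zf.writestr("SPA_navi_getlog.txt",
                    "CONSTRUCTED (67d) spare line\nCONSTRUCTED (601) other\n"
                    "CONSTRUCTED (78b) removal line\n")
    outer.seek(0)
    return outer


if __name__ == "__main__":
    for hit in scan_spcollect(build_sample(), CFG_INFO, REBUILD_STATE):
        print(hit)
    for hit in scan_spcollect(build_sample(), NAVI_GETLOG, SPARE_CODES):
        print(hit)
```

Pass the path of a real SP Collect zip in place of build_sample() to search it; each member is read fully into memory, so allow for the size of the collect.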


EMC VNX Integration Quest Vintela Authentication Services

Quest (Vintela) Authentication Services (VASD) provides schema extensions to Active Directory so that systems can authenticate against LDAP, supplying SID to UID/GID mappings and vice versa. In multiprotocol environments that serve the same underlying data over NFS and SMB, permissions and file ownership become tricky because they must be maintained in both the *nix and Windows environments. There are many ways to provide mappings for this situation, but for those that use Quest (Vintela) Authentication Services (VASD), here is a proven guide on how to leverage your existing authentication services against the EMC VNX/Celerra for file.

ldap.conf

# --------------------------------------------------------------------
# This template must be copied to /.etc/ldap.conf when the ldap
# server[s] used by the data mover is using the Quest Vintela
# Authentication Services schema installed on Windows Server.
# --------------------------------------------------------------------
nss_schema			rfc2307bis

nss_base_passwd		DC=northwind,DC=lan?sub
nss_base_shadow		DC=northwind,DC=lan?sub
nss_base_group		DC=northwind,DC=lan?sub

nss_map_objectclass posixAccount		User
nss_map_objectclass shadowAccount		User
nss_map_objectclass posixGroup			Group

nss_map_attribute	uid					sAMAccountName
nss_map_attribute	uniqueMember		member
nss_map_attribute	givenname			givenName
nss_map_attribute 	ou					description
nss_map_attribute	shadowLastChange	pwdLastSet
nss_map_attribute 	homeDirectory		unixHomeDirectory
nss_map_attribute	uidNumber			uidNumber
nss_map_attribute	gidNumber			gidNumber
nss_map_attribute	gecos				gecos
nss_map_attribute	loginShell			loginShell

nsswitch.conf

passwd:         files ldap
group:          files ldap
hosts:          files dns ldap
netgroup:       files ldap

Copy the contents of ldap.conf and push to server_2.

[nasadmin@CELERRA ~]$ cp ldap.conf /nas/site/ldap.conf.server_2
[nasadmin@CELERRA ~]$ server_file server_2 -put /nas/site/ldap.conf.server_2 ldap.conf

Copy the contents of nsswitch.conf and push to server_2.

[nasadmin@CELERRA ~]$ cp nsswitch.conf /nas/site/nsswitch.conf.server_2
[nasadmin@CELERRA ~]$ server_file server_2 -put /nas/site/nsswitch.conf.server_2 nsswitch.conf

Disable the default usermapper and remove any existing usermapper configurations.

[nasadmin@CELERRA ~]$ server_usermapper server_2 -disable
[nasadmin@CELERRA ~]$ server_usermapper server_2 -remove -all

Bind the primary DataMover (server_2) to the domain and associate a binding user distinguished name and password for LDAP authentication lookups.

[nasadmin@CELERRA ~]$ server_ldap server_2 -set -p -basedn "DC=northwind,DC=lan" -binddn "CN=EMCServiceUser,OU=Users,DC=northwind,DC=lan" -servers 192.168.1.100,192.168.1.101

Use the following commands to verify connectivity and lookup capabilities against LDAP.

[nasadmin@CELERRA ~]$ server_ldap server_2 -info
server_2 :
LDAP domain:      northwind.lan
State:            Configured - Connected
Schema:           Active Directory
Base dn:          dc=northwind,dc=lan
Bind dn:
Configuration:    RFC-2307 defaults
LDAP server:      192.168.1.100 - Port: 389 - Active
    SSL:          Not enabled
LDAP server:      192.168.1.101 - Port: 389 - Spare
    SSL:          Not enabled

[nasadmin@CELERRA site]$ server_ldap server_2 -service -status
server_2 :
LDAP domain "northwind.lan" is active - Configured with file "ldap.conf"

[nasadmin@CELERRA ~]$ server_ldap server_2 -lookup -user jsmith
server_2 :
user: jsmith, uid: 500, gid: 301, homeDir: /northwind/home/jsmith
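
A check on the server_ldap -info output shown above, as an added example that is not part of the original post or EMC tooling. It parses that output and reports every LDAP server whose SSL line reads "Not enabled", since the bind and lookups to those servers are not protected by SSL/TLS, and also reports a blank Bind dn. Field names are taken from the output above; the function names are hypothetical.

```python
import re

# The server_ldap -info output exactly as it appears in the article.
SAMPLE = """\
server_2 :
LDAP domain:      northwind.lan
State:            Configured - Connected
Schema:           Active Directory
Base dn:          dc=northwind,dc=lan
Bind dn:
Configuration:    RFC-2307 defaults
LDAP server:      192.168.1.100 - Port: 389 - Active
    SSL:          Not enabled
LDAP server:      192.168.1.101 - Port: 389 - Spare
    SSL:          Not enabled
"""

SERVER_RE = re.compile(r"^LDAP server:\s+(\S+)\s+-\s+Port:\s+(\d+)\s+-\s+(\S+)")
SSL_RE = re.compile(r"^\s+SSL:\s+(.*\S)")


def parse_ldap_info(text):
    """Turn the key/value report into a dict with a list of server entries."""
    info = {"servers": []}
    for line in text.splitlines():
        match = SERVER_RE.match(line)
        if match:
            info["servers"].append({"host": match.group(1),
                                    "port": int(match.group(2)),
                                    "role": match.group(3),
                                    "ssl": None})
            continue
        match = SSL_RE.match(line)
        if match and info["servers"]:
            # The indented SSL line belongs to the server listed just before it.
            info["servers"][-1]["ssl"] = match.group(1)
            continue
        key, sep, value = line.partition(":")
        if sep and not line.startswith((" ", "\t")):
            info[key.strip().lower()] = value.strip()
    return info


def findings(info):
    """Return a list of human-readable notes worth acting on."""
    notes = []
    if "connected" not in info.get("state", "").lower():
        notes.append("state is %r, expected Configured - Connected" % info.get("state"))
    if not info.get("bind dn"):
        notes.append("Bind dn is blank: confirm which account the Data Mover binds as")
    for server in info["servers"]:
        ssl = server["ssl"] or "missing"
        # Assumption: only the "Not enabled" wording is known from the article,
        # so a missing SSL line or any value starting with "not" is flagged.
        if ssl == "missing" or ssl.lower().startswith("not"):
            notes.append("%s:%d (%s) SSL is %s: LDAP traffic is not protected by SSL/TLS"
                         % (server["host"], server["port"], server["role"], ssl))
    return notes


if __name__ == "__main__":
    for note in findings(parse_ldap_info(SAMPLE)):
        print(note)
```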

Set parameters to utilize LDAP to look up the SID to UID/GID mappings.

[nasadmin@CELERRA ~]$ server_param server_2 -facility cifs -modify resolver -value 1
[nasadmin@CELERRA ~]$ server_param server_2 -facility cifs -modify useADMap -value 1
server_2 : done
Warning 17716815753: server_2 : You must stop and start the service associated with the cifs facility for changes to useADMap to take effect

**** REBOOT server_2 DATAMOVER **** This will disrupt connectivity to the DataMover and should be done in a maintenance window.

server_cpu server_2 -reboot warm -monitor now

We have to create the mapping which will force the user to be looked up in LDAP. Finally, check that the user was looked up successfully.

[nasadmin@CELERRA ~]$ server_cifssupport server_2 -secmap -create -name jsmith -domain northwind
[nasadmin@CELERRA ~]$ server_cifssupport server_2 -secmap -list
server_2 : done

SECMAP USER MAPPING TABLE

UID         Origin      Date of creation         Name                        SID
500         ldap        Fri Aug 31 07:40:23 2012 NORTHWIND\jsmith            S-1-5-15-4376b78a-a9aad504-d4f8c2d6-460

If you are having trouble, use the following command to provide verbose information, which will contain any informational, warning or critical error messages.

[nasadmin@CELERRA ~]$ server_ldap server_2 -info -verbose

Please let me know if you have any questions! Thanks!


EMC VNX Celerra NAS Multiprotocol Environment Planning

A mixed protocol environment means that you have two means of accessing the same data, generally through SMB/CIFS/Samba and NFS. SMB is natively supported in Windows and NFS is natively supported in *nix environments.

There are complexities an organization will always run into when running in a mixed protocol environment, which are a result of how Windows and *nix systems handle security at the core of their respective operating systems. *nix platforms handle permissions by using permission bits and Windows uses Access Control Lists (ACL). Ownership of a file is either defined by a User ID (UID) in the Unix world or a Security ID (SID) in Windows.

Fundamentally, *nix and Windows platforms handle files, permissions and sharing completely differently, and this business requirement introduces new complexities. It is my personal advice to try to avoid running a mixed protocol environment if possible. If there is a requirement that mandates this need, then design and plan accordingly to prevent future headaches down the road.

This article is not a how-to guide on implementing a mixed protocol environment: each implementation is unique, since there is usually a complex reason driving the use of a mixed protocol environment to begin with. Use the following as things to understand and take into account BEFORE you implement a mixed protocol environment.

This article is a cliff-notes version of the following EMC documents: the Multiprotocol Environment Guide and the User Mapper Guide.

It is important that the sections below are completely understood ahead of time for accurate planning of a multiprotocol environment. If a change is required after the filesystem is already in production, there is no easy way to change these settings without creating another filesystem and rsync’ing/robocopy’ing the data between filesystems.

Understanding CIFS and Unix Permissions

CIFS

  • Access Control Lists
  • SID Ownership
  • Username Passwords

*nix

  • Permission Bits
  • UID & GID Ownership Bits
  • IP Address Access

Understand the CIFS User ID Resolution Options

• Active Directory
• LDAP Directory
• Local Files
• Network Information Service (NIS)
• Usermapper (Internal or External)

To understand your mappings in technical detail please review the EMC Naming Services Guide.

NOTE: EMC recommends use of Internal Usermapper in Windows-only environments.
NOTE: Avoid static mappings if possible; they become a management nightmare. Even if you use custom Active Directory schema attributes/software to deal with Windows-to-Unix mappings, the Naming Services Guide will provide you with the information to accommodate custom schema attributes and fields.

Understanding Access-checking Policies

Access-checking policy Description
Native (default)
  • Access to a file or directory through NFS or UNIX authenticated FTP is granted only if the UNIX permissions on the file or directory allow it.
  • Access through CIFS or Windows authenticated FTP is granted only if the Windows permissions on the file or directory allow it.
  • ACL and UNIX permissions are maintained for every file and directory.
  • A change in permissions on a file system object in NFS has no impact on permissions in CIFS and a change in permissions on a file system object in CIFS has no impact on permissions in NFS.
NT
  • Access to a file or directory through NFS or UNIX authenticated FTP is granted only if the UNIX and Windows permissions allow it.
  • Access through CIFS or Windows authenticated FTP is granted only if the Windows permissions allow it (the UNIX permissions do not have any effect).
  • ACL and UNIX permissions are maintained for every file and directory.
  • A change in permissions on a file system object in NFS has no impact on permissions in CIFS and a change in permissions on a file system object in CIFS has no impact on permissions in NFS.
UNIX
  • Access to a file or directory through NFS or UNIX authenticated FTP is granted only if the UNIX permissions allow it (the Windows permissions do not have any effect).
  • Access through CIFS or Windows authenticated FTP is granted only if the UNIX and Windows permissions on the file or directory allow it.
  • ACL and UNIX permissions are maintained for every file and directory.
  • A change in permissions on a file system object in NFS has no impact on permissions in CIFS and a change in permissions on a file system object in CIFS has no impact on permissions in NFS.
SECURE
  • Provides the greatest security across CIFS and NFS.
  • Access to a file or directory through either NFS or FTP or CIFS is granted only if the UNIX and Windows permissions on the file or directory allow it.
  • ACL and UNIX permissions are maintained for every file and directory.
  • A change in permissions on a file system object in NFS has no impact on permissions in CIFS and a change in permissions on a file system object in CIFS has no impact on permissions in NFS.
MIXED
  • Access to a file or directory through either NFS or FTP or CIFS is always determined by the ACL.
  • ACL and UNIX permissions are maintained for every file and directory.
  • ACLs for files and directories are created from the protocol that last set or changed the permissions. For example, if an NFS client sets or changes permissions on a file or directory, the ACL is rebuilt based on the UNIX mode bits. If a CIFS client sets or changes permissions on a file or directory, the ACL is built based on the standard Windows permissions.
  • In all cases, the ACL determines file and directory access regardless of whether the client is using the NFS, CIFS or FTP protocol.
  • ACL permissions are more granular than UNIX mode bits, consequently not all permissions set in an ACL can be translated to UNIX mode bits. In some cases, the mode bits might show more permissions than a user actually has.
MIXED_COMPAT
  • Access to a file or directory through NFS or FTP or CIFS is determined by which protocol (NFS or CIFS) last set or modified the permissions.
  • ACL and UNIX permissions are maintained for every file and directory.
  • If the permissions of a file or directory are set or changed from a CIFS client, then access is determined by the ACL (EXPLICIT ACL). UNIX mode bits are generated based on the ACL but are not used for access checking.
  • If the permissions of a file or directory are set or changed from a UNIX client, then UNIX mode bits dictate access. An ACL is still created but is not used for access checking.
  • ACL permissions are more granular than UNIX mode bits, consequently not all permissions set in an ACL can be translated to UNIX mode bits. In some cases, the mode bits might show more permissions than a user actually has.
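
The policy list above, worked through as an added example (not EMC code and not from the original article). It models which permission set each access path consults and derives, per policy, where a deny in one permission set does not block the other protocol. The function names are hypothetical, and the two verdicts are treated as independent inputs.

```python
# Which permission models each access path consults, per the policy list above.
# "NFS" also stands for UNIX-authenticated FTP, "CIFS" for Windows-authenticated FTP.
BOTH = frozenset({"unix", "acl"})
POLICY_CHECKS = {
    "NATIVE": {"NFS": {"unix"}, "CIFS": {"acl"}},
    "NT":     {"NFS": BOTH,     "CIFS": {"acl"}},
    "UNIX":   {"NFS": {"unix"}, "CIFS": BOTH},
    "SECURE": {"NFS": BOTH,     "CIFS": BOTH},
    "MIXED":  {"NFS": {"acl"},  "CIFS": {"acl"}},
}
PROTOCOLS = ("NFS", "CIFS")


def consulted(policy, protocol, last_set_by="CIFS"):
    """Return the permission models checked for this policy and access path."""
    if policy == "MIXED_COMPAT":
        # The protocol that last set the permissions decides for every client.
        return {"acl"} if last_set_by == "CIFS" else {"unix"}
    return set(POLICY_CHECKS[policy][protocol])


def access_granted(policy, protocol, unix_allows, acl_allows, last_set_by="CIFS"):
    """Grant only if every consulted model allows the request."""
    verdict = {"unix": unix_allows, "acl": acl_allows}
    return all(verdict[m] for m in consulted(policy, protocol, last_set_by))


def ignored_denials(policy, last_set_by="CIFS"):
    """List (protocol, model) pairs where a deny in model does not block protocol.

    Simplification: under MIXED and MIXED_COMPAT the array regenerates one
    model from the other on each permission change, so the two are not
    independent there as they are in this model.
    """
    return sorted((p, m) for p in PROTOCOLS
                  for m in BOTH - consulted(policy, p, last_set_by))


if __name__ == "__main__":
    for name in list(POLICY_CHECKS) + ["MIXED_COMPAT"]:
        print(name, ignored_denials(name))
    # A user the ACL denies but the mode bits allow, arriving over NFS:
    for name in POLICY_CHECKS:
        print(name, "NFS", access_granted(name, "NFS", True, False))
```

An empty list from ignored_denials means neither permission set can be sidestepped by switching protocol, which in this model is only true of SECURE.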


Understand Permission Translations

ACL to Unix Rights
EMC VNX Celerra ACL to Unix Rights Screenshot

Unix to ACL Rights
EMC VNX Celerra Unix to ACL Rights Screenshot

Understand your Inheritance

NATIVE, UNIX, NT, and SECURE
EMC VNX Celerra Native Inheritance Modes

MIXED and MIXED_COMPAT
EMC VNX Celerra Mixed Inheritance Modes

You can find this information and a wealth of other information in EMC’s Multiprotocol Environment Guide and User Mapper Guide.

Other Observed Notes:

  • Taking ownership from Windows Permissions/ACL will change the underlying UID/GID owner even though it is stated otherwise in Native Mode.