Widenet is VCP Certified for VMware Products.
In many Article, we talked about Tips & tricks, or to solve problems, like here, or here. Now we will talking about a big news from VMware.
vSphere 6.7, released today, includes an update to both its hypervisor (ESXi 6.7) and management console (vCenter Server 6.7). This release shows that VMware Inc. is not content to let its hypervisor become a commodity, and that it’s possible to make incremental, evolutionary changes to a proven product and, moreover, that VMware is still making substantial investments in its hypervisor. The vSphere 6.7 beta, though NDA-constrained, has been available to the public since October 2017. Despite the fact that a lot of new features were baked into the 6.5 release, this release does make some nice incremental changes. Following are some of the most important changes included with vSphere 6.7.
An important hardware caveat to be aware of is VMware has released an HCL for vSphere 6.7 that excludes some older, yet popular CPUs. If you’re thinking about running this release on an older system for development or testing first before placing it into production on your newer servers, make sure to check the HCL to ensure compatibility.
Single Reboot Upgrade
vSphere upgrades can now be completed with one single reboot. Prior to vSphere 6.7, major version upgrades took quite a while (although they could be done without disruption by transferring workloads by using the Distributed Resource Scheduler [DRS]). vSphere 6.7, on the other hand, allows you to do a “quick boot” where it loads vSphere ESXi without restarting the hardware because it only restarts the kernel. This feature is only available with platforms and drivers that are on the Quick Boot whitelist, which is currently quite limited.
VMware Configuration Maximum Tool
The most visible configuration maximum change in vSphere 6.7 is the number of devices that can be attached to a host. VMware has increased some of the other maximums.
vSphere 6.5 eliminated the vSphere Client that ran natively on Windows (also known as the C# Client or Thin Client) in favor of the vSphere Web Client, which was Flash-based. Also introduced in version 6.5 was the vSphere Client, which replaced Flash with HTML5. vSphere 6.7 further extends the capabilities of the vSphere Client and will eventually replace the vSphere Web Client. It looks like the vSphere Client can do about 90 percent that the vSphere Web Client can do. In vSphere 6.5, VMware had a list of the functionalities not yet supported in the vSphere Client; hopefully the company will do the same for vSphere 6.7. Figure 1 shows the main menu of the vSphere Web Client, and Figure 2 shows the main vSphere Client menu. Although the new client looks cleaner, and does seem more responsive than the vSphere Web Client, the location of some items has changed and some workflows will have to be adjusted accordingly with these changes. I wrote an article on the vSphere Client when it first came out that explains why VMware is switching to an HTML5-based client.
vCenter Server Appliance
Now that the vCenter Server Appliance (VCSA) is functionally equivalent to the Windows-based vCenter Server, it would take a lot to convince me to use the Windows-based one instead of VCSA. Overall, I have found that the VCSA embedded database (PostgreSQL) performs great. Furthermore, the VCSA is very easy to update, and the Linux OS (Photon OS) is rock solid. As a side note, the VCSA can easily be monitored using vimtop (be sure to read my recent articles on using vimtop). You can also read my article about migrating from a Windows-based vCenter Server to a VCSA, as well as another article on using the built-in VCSA backup tool. The built-in backup tool in vSphere 6.7 offers more scheduling options for its VCSA backup tool than in vSphere 6.5. The Backup Scheduler tool (Figure 3) can be accessed from the vCenter Server Appliance Management Interface (VAMI). VMware is also stating that there are “phenomenal” performance improvements in vCenter operations per second, in reduction of memory usage and DRS-related operations.
Suspend and Resume of vGPU Workloads
vGPU allows you to carve up a physical GPU into multiple virtual GPUs that can be used by VMs. Although vGPUs were introduced with vSphere 6.0, the VMs that used vGPUs there were limited in what you could do with a VM that was using a vGPU. vSphere 6.7, on the other hand, removes some of these barriers, and now you can suspend and resume a vGPU-enabled VM.
For quite some time vSphere has had the ability to mask off CPU features so that VMs that were running on systems with newer CPUs could be vMotion to servers with older CPUs. This is called Enhanced vMotion Compatibility, or EVC. In vSphere 6.7 VMware has extended this capability to allow you to do this on a per-VM, rather than on an ESXi-host basis. This means that if you have VMs that you want to take advantage of CPU-specific features, and are willing to limit those VMs to CPUs that only have those features in your cluster, you can configure them to do so.
A per-VM EVC is set from the vSphere client by selecting a VM, going to the Configure tab and selecting Edit (Figure 4).
I’ve been a fan of using instant clones with virtual desktops—they’ve proven to be a big space saver, to use only a fraction of the disk resources compared to a full clone, and to allow VMs to be provisioned in seconds from a parent image. With vSphere 6.7, VMware has exposed the APIs that can be used to create instant clones. It looks like a straightforward process and I suspect that many people will figure out some very interesting ways to use the instant clone API.
ESXi Quick Boot
vSphere 6.7 introduces the Quick Boot feature, which allows a system to reboot in less than two minutes as it does not re-initialize the physical server BIOS. This can speed up operations that require an ESXi system to be rebooted; however, Quick Boot is only supported on certain systems and does not work with systems that have ESXi Secure Boot enabled.
Figure 5 shows two hosts, one with Quick Boot enabled and another without it enabled. By default, Quick Boot is enabled if the system supports it.
Persistent Memory (PMem) Devices
vSphere 6.7 now supports the next generation of storage devices that use persistent DRAM memory, known as non-volatile dual in-line memory module (NVDIMM) devices. This technology is still in its infancy, but applications that require the lowest possible latency regardless of the cost will find this feature invaluable. PMem is presented to vSphere as either as vPMemDisk, which is treated somewhat like a datastore, or as a virtual NVDIMM (vNVDIMM), which is presented directly to guest OSes that can use NVDIMM devices.
Virtual Hardware Version 14
Virtual hardware is the abstract version of physical hardware to a virtual machine or, in essence, a virtual motherboard. As physical hardware supports more features, VMware builds new virtual hardware accordingly to emulate the physical version. vSphere 6.7 comes with a new virtual hardware, version 14. Version 14 adds support for NVDIMM, as well as Trusted Platform Module (TPM), Microsoft Virtual-based Security (VBS) and I/O Memory Management.
VMFS3 datastores have been around for a long time, but VMware is now phasing them out. To assist with this transition, vSphere 6.7 automatically upgrades VMFS3 datastores to VMFS5 when they’re mounted. If you want to upgrade VMFS5 datastores to VMFS6 datastores, you’ll need to upgrade the datastore with vSphere Storage vMotion because an in-place upgrade of a VMFS5 to VMFS6 datastore isn’t possible.
As a side note, vSphere 6.7 supports VMFS5 and VMFS6; however, vSphere 6.0 and earlier systems only support VMFS5 datastores. As such, if you have an environment that contains vSphere 6.0 or earlier systems, you’ll want to only use VMFS6 datastores on systems that won’t be accessed by them.
Upgrading to vCenter Server 6.7
A specific order must be used when upgrading to vSphere 6.7. Check the documentation for the latest order and caveats, but the basic procedure can be carried out by first upgrading the Platform Service Controller (PSC), then upgrading vCenter Server and, last, updating the ESXi hosts.
Because upgrading directly from vSphere 5.5 to 6.7 isn’t supported, you’ll need to first upgrade from vSphere 5.5 to vSphere 6.5, and then finally to vSphere 6.7. It needs to be noted that an ESXi 5.5 host cannot be managed by VCSA 6.7. On the contrary, upgrading from vSphere 6.0 to 6.7 is supported. If you’re still running a window-based vCenter Server rather than a VCSA, VMware does offer a tool to assist you in the migration; be sure to read my article on using this tool.
Upgrading to ESXi 6.7
As mentioned earlier, ESXi 6.5 doesn’t support all the CPUs that ESXi 6.0 does, so be sure to check the HCL to unsure that your system is supported. Roughly speaking, what you’ll typically find supported, at the minimum, is a 2 core CPUs that were released after September 2006 and have NX/XD enabled. You can use the VMware Update Manager (VUM) to do an orchestrated automated upgrade. Alternatively, you can manually update the ESXi systems using an ISO image or esxcli commands or, if you use stateless host, you can use vSphere Auto-Deploy to update your servers. To see how to update an ESXi system using esxcli commands, be sure to read my article.
If I’m forced to pick one single standout feature in vSphere 6.7, it would have to be the instant clone API. I see this feature as a great enabler for the VMware ecosystem and VMware developers because the ability to spawn hundreds of identical VMs that only use a small amount of space in minutes has some mind-boggling use cases. However, with great power comes greater responsibility, and it will be interesting to watch the development of tools to manage and orchestrate these VMs over time.
Yes, instant clones is the gee-wiz feature in this release, but the rest of the improvements in this release prove that the hypervisor has room for evolutionary growth—and that VMware is serious in maintaining its leadership position in this regard.
Summary:Today a team of security researchers disclosed several software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from many types of computing devices with many different vendors’ processors and operating systems.
Intel is committed to product and customer security and to responsible disclosure. We worked closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to mitigate this issue promptly and constructively.
Description:Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Affected products:For non-Intel based systems please contact your system manufacturer or microprocessor vendor (AMD, ARM, Qualcomm, etc.) for updates.
The following Intel-based platforms are impacted by this issue. Intel may modify this list at a later time. Please check with your system vendor or equipment manufacturer for more information regarding updates for your system.
Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm)
2nd generation Intel® Core™ processors
3rd generation Intel® Core™ processors
4th generation Intel® Core™ processors
5th generation Intel® Core™ processors
6th generation Intel® Core™ processors
7th generation Intel® Core™ processors
8th generation Intel® Core™ processors
Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
Intel® Atom™ Processor C Series
Intel® Atom™ Processor E Series
Intel® Atom™ Processor A Series
Intel® Atom™ Processor x3 Series
Intel® Atom™ Processor Z Series
Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series
Intel® Pentium® Processor J Series
Intel® Pentium® Processor N Series
Recommendations:Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop software updates that can help protect systems from these methods. End users and systems administrators should check with their operating system vendors and apply any available updates as soon as practical.
For non-Intel based systems please contact your system manufacturer or microprocessor vendor (AMD, ARM, Qualcomm, etc.) for updates.
Please check with your system vendor or equipment manufacturer for more information regarding your system.
Other variants of this side-channel analysis are being addressed by Operating System and Software Vendors. For more details see:
Yesterday evening, Microsoft released Windows patches — Security-only Updates, Cumulative Updates, and Delta Updates — for a wide array of Window versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3, the nominal release date. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). I’ve been assured that the Win7 and 8.1 Monthly Rollups will come out next week on Patch Tuesday.
The Win10 patch for Fall Creators Update, version 1709, contains other security fixes besides those related to Meltdown. The other Win10 patches appear to be Meltdown-only. Those of you running the beta version of Win10 1803, in the Insider Program, have already received the patches.
BUT… you won’t get any patches installed unless and until your antivirus software sets a specific registry key. (It now appears as if the value of the key doesn’t matter; just the presence of the registry entry turns on Meltdown protection. Thx, @abbodi86, @MrBrian.) If you’re running third-party antivirus, it has to be updated before the Meltdown patch installer will run. It looks as if there are known problems with bluescreens for some antivirus products.
There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.
Note that the Windows Server patches are not enabled by default. Those of you who want to turn on Meltdown protection have to change the registry. (Thx @GossiTheDog)
Question: Does Microsoft will release patches for olders operating systems like Windows Server 2003, Windows Server 2000?
Answer: Maybe No. Windows XP and Server 2003 don’t yet have patches. As you know these operating system are out of support. No word on whether Microsoft will release those sooner or later.
Operating system version
Windows Server, version 1709 (Server Core Installation)
All instances across the Amazon EC2 fleet are protected from all known threat vectors from the CVEs previously listed. Customers’ instances are protected against these threats from other instances. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.
While all customer instances are protected, we recommend that customers patch their instance operating systems. This will strengthen the protections that these operating systems provide to isolate software running within the same instance. For more details, refer to specific vendor guidance on patch availability and deployment.
An updated kernel for Amazon Linux is available within the Amazon Linux repositories. EC2 instances launched with the default Amazon Linux configuration on or after 10:45 PM (GMT) January 3rd, 2018 will automatically include the updated package. Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:
sudo yum update kernel
After the yum update is complete, a reboot is required for updates to take effect.
We have updated AWS Windows AMIs. These are now available for customers to use, and AWS Windows AMIs have the necessary patch installed and registry keys enabled.
Microsoft have provided Windows patches for Server 2008R2, 2012R2 and 2016. Patches are available through the built-in Windows Update Service for Server 2016. We are pending information from Microsoft on patch availability for Server 2003, 2008SP2 and 2012RTM.
AWS customers running Windows instances on EC2 that have “Automatic Updates” enabled should run automatic updates to download and install the necessary update for Windows when it is available.
Please note, Server 2008R2 and 2012R2 patches are currently unavailable through Windows Update requiring manual download, Microsoft advise these patches will be available Tuesday, January 9th.
We have released Amazon ECS Optimized AMI version 2017.09.e which incorporates all Amazon Linux protections for this issue. We advise all Amazon ECS customers to upgrade to this latest version which is available in the AWS Marketplace. Customers that choose to update existing instances in-place should run the following command on each container instance:
sudo yum update kernel
The update requires a reboot of the container instance to complete
Linux customers who do not use the ECS Optimized AMI are advised to consult with the vendor of any alternative / third-party operating system, software, or AMI for updates and instructions as needed. Instructions about Amazon Linux are available in the Amazon Linux AMI Security Center.
An updated Microsoft Windows EC2 and ECS Optimized AMI will be released as Microsoft patches become available.
We will be releasing new platform versions that include the kernel update to address this issue within 48 hours. For Linux environments, we recommend that you enable “Managed Platform Updates” to automatically update within your chosen maintenance window once these updates are available. We will post instructions for Windows environments once the update is available.
All infrastructure running Fargate tasks has been patched as described above and no customer action is required.
There are no updates required for or applicable to Amazon FreeRTOS and its supported ARM processors.
All instances running Lambda functions have been patched as described above and no customer action is required.
RDS-managed customer database instances are each dedicated to only running a database engine for a single customer, with no other customer-accessible processes and no ability for customers to run code on the underlying instance. As AWS has finished protecting all infrastructure underlying RDS, process-to-kernel or process-to-process concerns of this issue do not present a risk to customers. Most database engines RDS supports have reported no known intra-process concerns at this time. Additional database engine-specific details are below, and unless otherwise noted, there is no customer action required. We will update this bulletin as more information is available.
RDS for MariaDB, RDS for MySQL, Aurora MySQL, and RDS for Oracle database instances currently have no customer actions required.
For RDS PostgreSQL and Aurora PostgreSQL, DB Instances running in the default configuration currently have no customer actions required. We will provide the appropriate patches for users of plv8 extensions once they are made available. In the meantime, customers who have enabled plv8 extensions (disabled by default) should consider disabling them and review V8’s guidance at https://github.com/v8/v8/wiki/Untrusted-code-mitigations.
For RDS for SQL Server Database Instances, we will release OS and database engine patches as Microsoft makes each available, allowing customers to upgrade at a time of their choosing. We will update this bulletin when either has been completed. In the meantime, customers who have enabled CLR (disabled by default) should review Microsoft’s guidance on disabling the CLR extension at https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server.
Updated WorkSpaces bundles will be available with the security updates soon. Customers who have created Custom Bundles should update their bundles to include the security updates themselves. Any new WorkSpaces launched from bundles that do not have the updates will receive patches soon after launch, unless customers have changed the default update setting in their WorkSpaces, in which case they should follow the above steps to manually apply the security updates provided by Microsoft.
WorkSpaces Application Manager (WAM)
We recommend that customers choose one of the following courses of action:
AWS is aware of recently disclosed research regarding side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). These are vulnerabilities that have existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices.