VMware Cloud Foundation (VCF) Brownfield Deployments

VMware Cloud Foundation (VCF) provides a unified platform for managing hybrid clouds, but the deployment process differs between Greenfield (new) and Brownfield (existing) environments. Brownfield deployment involves integrating pre-existing infrastructure into the VCF framework.

Preparing to Use the VCF Import Tool

The VCF Import Tool is essential for transitioning existing infrastructure into the VCF framework. Here’s a step-by-step guide to preparing the tool:

  1. Download the Necessary Files:
    • SDDC Manager OVA: The foundation for managing VCF.
    • VCF Import Tool: Enables import and integration of existing infrastructure.
    • NSX Install Bundle: Configures the networking components for VCF.
  2. Deploy SDDC Manager:
    • This step is necessary for “convert” use cases to establish centralized management within VCF.
  3. Extract the Import Tool:
    • Transfer and configure the import scripts within the SDDC Manager.
  4. Copy NSX Bundle:
    • Ensure the NSX configuration is uploaded for seamless network integration.

Convert Workflow: Transitioning Infrastructure to VCF

The Convert Workflow addresses the challenge of adapting existing environments to align with VCF’s architecture. Follow these steps:

  1. Verify Prerequisites:
    • Confirm that SDDC Manager is running version 5.2 or later.
    • Ensure all required files (Import Tool, NSX bundles) are uploaded.
  2. Run Pre-Check Scripts:
    • Validate the current environment using the Import Tool’s pre-check capabilities. This step identifies configuration issues or incompatibilities.
  3. Create NSX JSON:
    • Generate a JSON file to map the existing network configurations into VCF’s NSX environment.
  4. Convert Management Domain:
    • This final step transitions the management domain to align with VCF’s integrated control and automation.

Import Workflow: Integrating Existing Components

For specific components or domains, the Import Workflow provides a framework to incorporate them into VCF:

  1. Check Prerequisites:
    • Confirm readiness by ensuring the infrastructure meets the required configurations.
  2. Generate NSX JSON:
    • Map existing NSX configurations into a JSON format suitable for VCF integration.
  3. Import Workload Domains:
    • Import and integrate vSphere and NSX components into the VCF ecosystem.

Sync Workflow: Maintaining Infrastructure Alignment

The Sync Workflow ensures continued alignment between the existing infrastructure and VCF:

  1. Verify Prerequisites:
    • Confirm that SDDC Manager is operational and all required scripts are present.
  2. Sync Workload Domain:
    • Synchronize the workload domains with VCF’s management systems, ensuring consistency and reliability.

VCF Import Tool Options and Parameters

Below is an overview of the key actions and parameters available in the VCF Import Tool:

1. Help and Version Commands

  • -h, --help
    Displays the help menu for the VCF Import Tool, outlining available commands and their usage.
  • -v, --version
    Shows the current version of the VCF Import Tool.

2. Core Actions for Brownfield Deployments

  • convert
    Converts an existing vSphere infrastructure into a management domain within SDDC Manager.
  • check
    Validates if a vCenter is suitable for import as a workload domain in SDDC Manager.
  • import
    Imports an existing vCenter as a VI workload domain into SDDC Manager.

3. Sync and Deployment Operations

  • sync
Synchronizes configuration for an imported VI workload domain or a workload domain deployed from SDDC Manager. This helps manage configuration drift between vCenter Server and SDDC Manager.
  • deploy-nsx
    Deploys NSX Manager as a standalone operation. This is useful for preparing networking configurations for workload domains.
  • precheck
    Runs validation checks on a vCenter to identify any potential issues before starting the import or conversion process.

Critical Security Alert: Update to Fixed Version 8.0 U3d Immediately

Urgent Notice from VMware by Broadcom

VMware has announced that the security patches released on September 17, 2024, intended to address CVE-2024-38812, did not fully mitigate the vulnerability. As a result, all customers are strongly advised to update to the latest version, 8.0 U3d, immediately. Patches for the 8.0 U2 line are also available to address this issue.

This urgent advisory applies to all vCenter Server users, as the newly identified vulnerabilities pose a significant security risk. Notably, two critical vulnerabilities were reported in vCenter Server, including a heap-overflow vulnerability and a privilege escalation vulnerability. These have been responsibly reported to VMware, which has now provided updates to address them.

Key Vulnerability: Heap-Overflow in vCenter Server (CVE-2024-38812)

Vulnerability Description:

A critical heap-overflow vulnerability was discovered in vCenter Server, specifically in its implementation of the DCERPC protocol. The issue has been assigned CVE-2024-38812 and carries a CVSSv3 base score of 9.8, placing it in the Critical severity range.

Known Attack Vectors:

This vulnerability can be exploited by a malicious actor who has network access to the vCenter Server. By sending a specially crafted network packet, the attacker could trigger the heap-overflow, potentially leading to remote code execution (RCE) on the affected system.

Why You Should Patch Now

This vulnerability could allow attackers to gain control over your vCenter Server environment, putting your infrastructure at risk for unauthorized access, data breaches, or service disruptions. Given the widespread use of vCenter Server for managing virtual environments, this threat is extremely serious, especially for businesses relying on VMware for critical operations.

Patch Availability

The new patches, which can be found in the Response Matrix, have been made available for the 8.0 U3, 8.0 U2 and 7.0 U3 lines of vCenter Server. Customers should apply the new patches immediately to ensure their systems are protected.

What to Do:

  1. Check your version: Identify if your vCenter Server version is affected.
  2. Apply the patches: Use the Response Matrix provided by VMware to download and install the necessary updates.
  3. Follow VMware’s best practices: Regularly update your systems, review security advisories, and apply patches as soon as they are released to minimize security risks.

Mount VMware-vCenter-Server-Appliance-8.0.3.00400-24322831-patch-FP.iso to the VCSA VM. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:

# To stage the ISO:
software-packages stage --iso

# To see the staged content:
software-packages list --staged

# To install the staged rpms:
software-packages install --staged

VMware vCenter Server 8.0 Update 3c: Fixing vSphere Client Idle Session Issue

VMware has released vCenter Server 8.0 Update 3c, bringing several key improvements and bug fixes. Among these, one notable issue addressed in this release relates to the vSphere Client’s behavior when left idle for extended periods.

PR 3439359: vSphere Client Session Becomes Unresponsive After 50 Minutes of Inactivity

In previous versions, particularly starting from vSphere 8.0 Update 3b, users encountered a frustrating issue with the vSphere Client. If a session remained idle for more than 50 minutes, the client would become unresponsive, making it impossible to log in or log out. Attempting to resume work in the same browser would yield no results unless all browser cookies were cleared. This was not only an inconvenience but also a disruption for administrators managing their vSphere environments.

Cause of the Issue: Apache Tomcat 9.0.91 Upgrade

The root of the problem was traced back to an upgrade to Apache Tomcat 9.0.91, introduced in vSphere 8.0 Update 3b. This upgrade brought with it a change in the default value of the property org.apache.catalina.connector.RECYCLE_FACADES. Previously set to FALSE, this value was altered to TRUE, causing sessions to become invalid after extended inactivity. This meant that any session left idle for over 50 minutes would not properly refresh, effectively locking the user out until they manually cleared cookies from their browser.


Intel Skylake CPUs Reaching End of Support in Future vSphere Releases after 8.x

As the IT industry continues to evolve, so do the platforms and hardware that support our digital infrastructure. One significant upcoming change is related to Intel’s Skylake generation of processors, which has entered the End of Servicing Update (ESU) and End of Servicing Lifetime (EOSL) phase. By December 31, 2023, Intel will officially stop providing updates for Skylake server-class processors, including the Xeon Scalable Processors (SP) series. This change is set to impact future VMware vSphere releases, as VMware plans to discontinue support for Intel Skylake CPUs in its next major release following vSphere 8.x.

Why Skylake CPUs are Being Phased Out

Intel’s Skylake architecture, introduced in 2015, has been widely adopted in server environments for its balance of performance and power efficiency. The Xeon Scalable Processor series, which is part of the Skylake generation, has been foundational in many data centers around the world. However, as technology progresses, older generations of processors become less relevant in the context of modern workloads and new advancements in CPU architectures.

Impact on VMware vSphere Users

With VMware announcing plans to drop support for Skylake CPUs in a future major release after vSphere 8.x, organizations relying on these processors need to start planning for hardware refreshes. As VMware’s virtualization platform evolves, it is optimized for more modern CPU architectures that offer enhanced performance, security, and energy efficiency.

More info: CPU Support Deprecation and Discontinuation In vSphere Releases

vSphere Client Instability and Session Timeouts After vCenter Server 8.0.3.00200 Upgrade: How to Resolve

After upgrading to vCenter Server 8.0.3.00200, some users have reported issues with the vSphere Client becoming unstable, particularly after long periods of session idleness (typically 1-2 hours). This instability may manifest in a variety of ways, including session timeouts, continuous loading indicators, and errors when browsing the inventory.

Root Cause

The root cause of this instability appears to be related to a misconfiguration in how the vSphere Client handles facade recycling within the Apache Catalina Connector.

Solution: Updating the Catalina Configuration

root@vcsa-home [ ~ ]# cp /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties /root/catalina.properties.bak

root@vcsa-home [ ~ ]# echo "org.apache.catalina.connector.RECYCLE_FACADES=false" >> /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

root@vcsa-home [ ~ ]# service-control --restart vsphere-ui
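The one-liner above appends the RECYCLE_FACADES line every time it is run; Java Properties takes the last definition, so it works, but repeated runs stack duplicate lines. The helper below is an added example (not VMware tooling) that backs up the file and either rewrites an existing definition or appends one, covering both the Tomcat 9.0.91 default change described earlier and the fix shown here. The file path, key and value are parameters; the demo at the end runs against a constructed copy rather than the real catalina.properties.

```shell
#!/bin/sh
# set_catalina_property FILE KEY VALUE
# Idempotently pin KEY=VALUE in a Java .properties file (assumed helper).
set_catalina_property() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  # keep a backup beside the file before changing anything
  cp "$file" "$file.bak" || return 1
  tmp="$file.tmp.$$"
  if grep -q "^${key}=" "$file"; then
    # key already present: rewrite its value in place, no duplicate lines
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    # key absent: append it on its own line
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_property FILE KEY: the effective value (last definition wins)
get_property() {
  grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Demo on a constructed properties file, not the live vsphere-ui config.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/catalina.properties"
printf 'package.access=sun.\norg.apache.catalina.connector.RECYCLE_FACADES=true\n' > "$demo_file"
set_catalina_property "$demo_file" org.apache.catalina.connector.RECYCLE_FACADES false
set_catalina_property "$demo_file" org.apache.catalina.connector.RECYCLE_FACADES false
echo "effective value: $(get_property "$demo_file" org.apache.catalina.connector.RECYCLE_FACADES)"
echo "definitions of the key: $(grep -c '^org.apache.catalina.connector.RECYCLE_FACADES=' "$demo_file")"
```

After editing the real file, the vsphere-ui service still has to be restarted as shown above for the new value to take effect.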

VMSA-2024-0019: Critical VMware vCenter Server Vulnerabilities (CVE-2024-38812, CVE-2024-38813) Addressed

VMware has released an important security advisory, VMSA-2024-0019, detailing updates for VMware vCenter Server that address two significant vulnerabilities: a heap-overflow vulnerability (CVE-2024-38812) and a privilege escalation vulnerability (CVE-2024-38813). Both of these vulnerabilities could have severe implications if exploited, making it crucial for administrators to apply the necessary patches promptly.

Heap-Overflow Vulnerability (CVE-2024-38812)

Description: The first vulnerability, identified as CVE-2024-38812, is a heap-overflow vulnerability found in the vCenter Server’s implementation of the DCERPC protocol. This issue has been classified by VMware as Critical, with a maximum CVSSv3 base score of 9.8, indicating the potential for severe impact.

Known Attack Vectors: A malicious actor with network access to the vCenter Server can exploit this vulnerability by sending a specially crafted network packet. Successful exploitation could lead to remote code execution (RCE), allowing the attacker to execute arbitrary code on the vCenter Server with potentially full system privileges. This level of access could be used to disrupt services, exfiltrate sensitive data, or further compromise the virtual environment.

Privilege Escalation Vulnerability (CVE-2024-38813)

Description: The second vulnerability, CVE-2024-38813, is a privilege escalation flaw within the vCenter Server. VMware has rated this issue as Important, with a CVSSv3 base score of 7.5. While not as severe as the heap-overflow vulnerability, it still poses a significant risk.

Known Attack Vectors: An attacker with network access to the vCenter Server can exploit this vulnerability by sending a specially crafted network packet. If successful, the attacker could escalate their privileges to root, gaining full administrative control over the vCenter Server. This level of access could enable the attacker to make unauthorized changes, access sensitive information, or disrupt the entire virtual infrastructure.

More info: VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
