Thursday, 30 January 2020

Enabling ActiveIQ/AutoSupport with NetApp HCI 1.6 & 1.7

If you didn’t tick the box ‘Yes, I want to send cluster statistics to Active IQ to proactively monitor cluster health and performance’ when you were deploying your NetApp HCI, it is easy to enable this post-deployment.

Image: HCI Review: Tick the Active IQ box: Final step before clicking Start Deployment

Pre-requisites

You’ll need these ports open on the firewall.

URLs for SF nodes to connect to AIQ (mNode = Management Node):
Source : Destination : Port : Description
mNode : sfsupport.solidfire.com : 22 : Reverse SSH tunnel for support access
mNode : https://repo.netapp.com/bintray/api/package : 443 : mNode service upgrades
mNode : https://netapp-downloads.bintray.com : 443 : mNode service upgrades
mNode : monitoring.solidfire.com : 443 : Storage cluster reporting to AIQ

You’ll also need the mNode IP/DNS name to connect to, and credentials to log in to the mNode.

Procedure Walkthrough

Step 1:
Connect to the mNode Management Services API (REST API UI):
https://{mNode IP or DNS}/mnode

Image: HCI/SolidFire mNode Management Services API

Step 2:
Click Authorize and submit credentials to log in.

Image: Authorize to the REST API UI

Step 3:
Click GET /assets
Click Try it out (changes to Cancel after you click)
Click Execute
Copy the value for the base asset ID (which is af82e8c4-e072-48e4-b438-c00c1ebe45f1 in the example below.)

Image: GET /assets

Image: The base asset ID

Step 4:
Click PUT /assets/{asset_id}
Click Try it out (changes to Cancel after you click)
Enter the following JSON payload:
{
 "name": "string",
 "telemetry_active": true,
 "config": {}
}
Enter the asset_id you obtained above.
Click Execute

Image: NetApp HCI set telemetry_active = true

Step 5:
That’s it!

You can re-execute the GET /assets above, and you should see:
"telemetry_active": true

Image: Telemetry Active = true

And if you log in to -
- you should shortly see your cluster in there.

Wednesday, 29 January 2020

NetApp Aggregate Encryption: Some Examples and Some Questions Answered

When NetApp Aggregate Encryption came out with ONTAP 9.6, there was some excitement for two reasons (the second probably being the biggest reason):
- i: Create a new aggregate and enable NAE on it, and then all the new volumes created on the NAE aggregate are encrypted (by NAE).
- ii: NVE volumes do not participate in aggregate deduplication savings, but NAE volumes in an NAE aggregate do participate in aggregate deduplication savings.

If you have existing aggregates with data on them, enabling NAE isn’t as simple as just switching it on. Every volume in the aggregate needs to be encrypted with NVE first, then you can enable NAE on the aggregate. But, if the aggregate is NAE, and all the volumes are NVE, well, you won’t get those aggregate deduplication savings (which was probably the main reason for enabling NAE in the first place.)

Also, if you have a system with just one aggregate and existing data, you’ll be a little stumped because the SVM rootvol can’t be NVE encrypted, so unless you can make a tiny temporary NAE aggregate out of spares to vol move the SVM rootvol to and then back once the main aggregate is NAE (or find another trick), you’re stuck with a non-encrypted aggregate.

I always think things make much more sense with examples, so below are 11 examples which follow on from one another and hopefully aid understanding.

Clustershell Guided Examples

1) Enable Onboard Key Manager (OKM):


cluster1::> security key-manager onboard enable


Note: The passphrase needs to be 32 to 256 ASCII-range characters long otherwise you get:
Error: command failed: The onboard passphrase must be 32 to 256 ASCII-range characters long.

After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager onboard show-backup" command.


cluster1::> security key-manager onboard show-backup


2) Create a brand new NAE aggregate (encrypt-with-aggr-key true):


cluster1::> aggr create -node cluster1-01 -aggr n1_aggr1 -diskcount 10 -encrypt-with-aggr-key true

cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true


3) Create a volume on an NAE aggregate with fairly default settings and see its encryption status:


cluster1::> vol create -vserver svm0 -volume vol01 -aggregate n1_aggr1 -size 1G -security-style unix

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -volume vol01
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm0    vol01  aggregate       true    true


4) Create a non-NAE aggregate for testing purposes:


cluster1::> aggr create -node cluster1-02 -aggr n2_aggr1 -diskcount 10 -encrypt-with-aggr-key false

cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  false


5) Create an SVM on the non-NAE aggregate, and look at the SVM rootvol’s encryption status:


cluster1::> vserver create -vserver svm1 -aggregate n2_aggr1

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1
vserver volume    encryption-type encrypt is-encrypted
------- --------- --------------- ------- ------------
svm1    svm1_root none            false   false


6) Q: Can we encrypt the SVM rootvol? Answer = NO

cluster1::> volume encryption conversion start -vserver svm1 -volume svm1_root

Error: command failed: Failed to start conversion on volume "svm1_root" in Vserver "svm1". Reason: Operation is not supported on a Vserver root volume.


7) Q: Can we encrypt the non-NAE aggregate with an unencrypted SVM rootvol in it? Answer = NO

cluster1::> aggregate modify -aggregate n2_aggr1 -encrypt-with-aggr-key true

Error: command failed: Failed to modify the aggregate "n2_aggr1" since it contains non-encrypted volumes. Run the "volume show -encrypt false" command to get the list of non-encrypted volumes. Convert all of them to NVE (NetApp Volume Encryption) volumes and try again later.


8) Q: Can we vol move the unencrypted SVM rootvol to the NAE aggregate? Answer = YES (but only with -encrypt-with-aggr-key true, as the first attempt below shows)

cluster1::> vol move start -vserver svm1 -volume svm1_root -destination-aggregate n1_aggr1

Error: command failed: The destination aggregate "n1_aggr1" is an NAE (NetApp Aggregate Encryption) aggregate. Non-encrypted volumes are not supported in such aggregates.

cluster1::> vol move start -vserver svm1 -volume svm1_root -destination-aggregate n1_aggr1 -encrypt-with-aggr-key true
[Job 130] Job is queued: Move "svm1_root" in Vserver "svm1" to aggregate "n1_aggr1". Use the "volume move show -vserver svm1 -volume svm1_root" command to view the status of this operation.

cluster1::> volume move show -vserver svm1 -volume svm1_root

                           Vserver Name: svm1
                            Volume Name: svm1_root
                 Actual Completion Time: Wed Jan 29 21:21:57 2020
                  Destination Aggregate: n1_aggr1
                        Detailed Status: Successful
                          Managing Node: cluster1-02
                    Percentage Complete: 100%
                             Move Phase: completed
                       Source Aggregate: n2_aggr1
                             Move State: done
             Is Source Volume Encrypted: false
     Encryption Key ID of Source Volume:
        Is Destination Volume Encrypted: true
Encryption Key ID of Destination Volume: 00000000000000000200000000000500eb33c6a732638615349e38f7259e9c200000000000000000

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1
vserver volume    encryption-type encrypt is-encrypted
------- --------- --------------- ------- ------------
svm1    svm1_root aggregate       true    true


9) Create an NVE volume on the non-encrypted aggregate.


cluster1::> vol create -vserver svm1 -volume vol11 -aggregate n2_aggr1 -size 1G -security-style unix -encrypt true

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1 -volume vol11
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm1    vol11  volume          true    true


10) Convert the non-encrypted aggregate to NAE aggregate and check the encryption status of our NVE volume.


cluster1::> aggregate modify -aggregate n2_aggr1 -encrypt-with-aggr-key true

cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  true

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1 -volume vol11
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm1    vol11  volume          true    true


11) Q: Can we convert the NVE volume on the NAE aggregate to aggregate encryption-type? Answer = NO (but you can vol move it to an NAE aggregate to give it the aggregate encryption-type)

The only way to convert the NVE volume to aggregate encryption-type is to vol move the volume to another NAE aggregate (you could then move it back again if you so wish.)

cluster1::> vol move start -vserver svm1 -volume vol11 -destination-aggregate n1_aggr1 -encrypt-with-aggr-key true

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted,aggregate -vserver svm1 -volume vol11
vserver volume aggregate encryption-type encrypt is-encrypted
------- ------ --------- --------------- ------- ------------
svm1    vol11  n1_aggr1  aggregate       true    true
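
The cases from examples 3 to 11 can be checked across a whole cluster by parsing pasted "aggr show" and "vol show" output. The script below is an added example, not part of the original post or of any NetApp tool; its sample output is constructed (aggregates n3_aggr1 and n4_aggr1 and the svm2/svm3 volumes are hypothetical), and the status labels are names chosen here.

```python
"""Audit NVE/NAE state from pasted clustershell output (added example)."""

# Constructed sample output, laid out like the post's "aggr show" / "vol show" examples.
AGGR_OUTPUT = """\
cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  true
n3_aggr1  false
n4_aggr1  false
4 entries were displayed.
"""
VOL_OUTPUT = """\
cluster1::> vol show -fields encryption-type,encrypt,is-encrypted,aggregate
vserver volume    aggregate encryption-type encrypt is-encrypted
------- --------- --------- --------------- ------- ------------
svm0    vol01     n1_aggr1  aggregate       true    true
svm1    svm1_root n1_aggr1  aggregate       true    true
svm1    vol11     n2_aggr1  volume          true    true
svm2    svm2_root n3_aggr1  none            false   false
svm2    vol21     n3_aggr1  volume          true    true
svm3    vol31     n4_aggr1  volume          true    true
6 entries were displayed.
"""


def parse_table(text):
    """Parse '-fields' output (header, dashed rule, rows) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rule = next((i for i, ln in enumerate(lines) if set(ln) <= {"-", " "}), None)
    if not rule:  # None (no rule found) or 0 (no header line above the rule)
        raise ValueError("no header/rule found in clustershell output")
    header = lines[rule - 1].split()
    rows = []
    for ln in lines[rule + 1:]:
        cells = ln.split()
        if len(cells) == len(header) and not ln.rstrip().endswith("displayed."):
            rows.append(dict(zip(header, cells)))
    return rows


def classify(row, nae_by_aggr):
    """Map one volume row to the cases walked through in examples 3 to 11."""
    on_nae = nae_by_aggr.get(row["aggregate"])
    etype = row["encryption-type"]
    if on_nae is None:
        return "UNKNOWN_AGGREGATE"   # e.g. a root aggregate hidden by '-root false'
    if etype == "none":
        return "UNENCRYPTED"         # blocks 'aggregate modify -encrypt-with-aggr-key true'
    if etype == "aggregate":
        return "NAE"                 # encrypted with the aggregate key
    if etype == "volume":
        # NVE on an NAE aggregate keeps its volume key until it is vol moved (example 11)
        return "NVE_ON_NAE_AGGR" if on_nae else "NVE"
    return "UNKNOWN_TYPE"


def audit(aggr_text, vol_text):
    """Return ({'svm:vol': status}, [non-NAE aggregates with no unencrypted volumes])."""
    nae_by_aggr = {r["aggregate"]: r["encrypt-with-aggr-key"] == "true"
                   for r in parse_table(aggr_text)}
    statuses, blocked = {}, set()
    for row in parse_table(vol_text):
        status = classify(row, nae_by_aggr)
        statuses[f'{row["vserver"]}:{row["volume"]}'] = status
        if status == "UNENCRYPTED":
            blocked.add(row["aggregate"])
    convertible = sorted(a for a, is_nae in nae_by_aggr.items()
                         if not is_nae and a not in blocked)
    return statuses, convertible


if __name__ == "__main__":
    statuses, convertible = audit(AGGR_OUTPUT, VOL_OUTPUT)
    for vol, status in statuses.items():
        print(f"{vol:16} {status}")
    print("convertible to NAE now:", ", ".join(convertible) or "none")
```

Volumes reported as NVE_ON_NAE_AGGR are the ones that miss out on aggregate deduplication savings, and UNENCRYPTED volumes are the ones that make "aggregate modify -encrypt-with-aggr-key true" fail as in example 7.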


Image: NVE v NAE

Also see my post from 24 July 2019:
NetApp Aggregate Encryption (NAE) in ONTAP 9.6: How to Configure

Monday, 20 January 2020

NetApp HCI X.X Software Component Versions

A list mapping NetApp HCI versions to their software component versions, starting from HCI 1.2. Information mostly taken from release notes.

NetApp HCI 1.7P1 includes the following software component versions:
Version : Software component
1.7P1   : NetApp Deployment Engine (NDE)
11.7    : NetApp Element software
11.7    : NetApp HCI Bootstrap OS
11.7    : NetApp HCI Management Node (mNode)
4.3.0 (Build 233) : NetApp Element Plug-in for vCenter Server (VCP)
VMware vSphere 6.7 (supported during deployment and expansion)
- VMware vCenter Server 6.7 Update 1
- VMware ESXi 6.7 Update 1
VMware vSphere 6.5 (supported during deployment and expansion)
- VMware vCenter Server 6.5 Update 2
- VMware ESXi 6.5 Update 3
VMware vSphere 6.0 (supported during expansion only)
- VMware vCenter Server 6.0 Update 3c
- VMware ESXi 6.0 Update 3a

NetApp HCI 1.7 includes the following software component versions:
Version : Software component
1.7     : NetApp Deployment Engine (NDE)
11.5    : NetApp Element software
11.5    : NetApp HCI Bootstrap OS
11.5    : NetApp HCI Management Node (mNode)
4.3.0 (Build 233) : NetApp Element Plug-in for vCenter Server (VCP)
VMware vSphere 6.7 (supported during deployment and expansion)
- VMware vCenter Server 6.7 Update 1
- VMware ESXi 6.7 Update 1
VMware vSphere 6.5 (supported during deployment and expansion)
- VMware vCenter Server 6.5 Update 2
- VMware ESXi 6.5 Update 3
VMware vSphere 6.0 (supported during expansion only)
- VMware vCenter Server 6.0 Update 3c
- VMware ESXi 6.0 Update 3a

NetApp HCI 1.6P1 includes the following software component versions:
Version : Software component
1.6     : NetApp Deployment Engine (NDE)
11.3.1  : NetApp Element software
11.3    : NetApp HCI Bootstrap OS
11.3    : NetApp HCI Management node
4.3.0 (Build 233) : NetApp Element Plug-in for vCenter Server (VCP)
VMware vSphere 6.7 (supported during deployment and expansion)
- VMware vCenter Server 6.7 Update 1
- VMware ESXi 6.7 Update 1
VMware vSphere 6.5 (supported during deployment and expansion)
- VMware vCenter Server 6.5 Update 2
- VMware ESXi 6.5 Update 3
VMware vSphere 6.0 (supported during expansion only)
- VMware vCenter Server 6.0 Update 3c
- VMware ESXi 6.0 Update 3a

Note: NetApp HCI 1.4 was the last HCI version to ship with ONTAP Select.

NetApp HCI 1.4P2 ships with the following software component versions:
Version : Software component
1.4P1   : NetApp Deployment Engine (NDE)
11.1P1  : NetApp Element software
11.1P1  : NetApp HCI Bootstrap OS
11.1P1  : NetApp HCI Management node
4.2.3   : NetApp Element Plug-in for vCenter Server
9.4     : ONTAP Select (optional)
VMware vSphere 6.7 (supported post-deployment upgrade)
- VMware vCenter Server 6.7 Update 1 build number 10244745 or later
- VMware ESXi 6.7 Update 1 build number 10302608 or later
VMware vSphere 6.5 (installable during deployment)
- VMware vCenter Server 6.5 Update 2 build number 8307201 or later
- VMware ESXi 6.5 Update 1 build number 5969303 or later
VMware vSphere 6.0 (installable during deployment)
- VMware vCenter Server 6.0 Update 3a build number 5202527 or later
- VMware ESXi 6.0 Update 3 build number 5050593 or later

NetApp HCI 1.4P1 ships with the following software component versions:
Version : Software component
1.4P1   : NetApp Deployment Engine (NDE)
11.1    : NetApp Element software
11.1    : NetApp HCI Management node
4.2.1   : NetApp Element Plug-in for vCenter Server (VCP)

NetApp HCI 1.4 ships with the following software component versions:
Version : Software component
1.4     : NetApp Deployment Engine (NDE)
11.0    : NetApp Element software
11.0    : NetApp HCI Management node
4.2     : NetApp Element Plug-in for vCenter Server (VCP)
VMware vSphere 6.7 (supported post-deployment upgrade)
- VMware vCenter Server 6.7 Update 1 build number 10244745 or later
- VMware ESXi 6.7 Update 1 build number 10302608 or later
VMware vSphere 6.5 (installable during deployment)
- VMware vCenter Server 6.5 Update 2 build number 8307201 or later
- VMware ESXi 6.5 Update 1 build number 5969303 or later
VMware vSphere 6.0 (installable during deployment)
- VMware vCenter Server 6.0 Update 3a build number 5202527 or later
- VMware ESXi 6.0 Update 3 build number 5050593 or later

NetApp HCI 1.3 ships with the following software component versions:
Version : Software component
1.3     : NetApp Deployment Engine (NDE)
10.3    : NetApp Element software
10.3    : NetApp HCI Management node
4.1     : NetApp Element Plug-in for vCenter Server (VCP)

NetApp HCI 1.2 ships with the following software component versions:
Version : Software component
1.2     : NetApp Deployment Engine (NDE)
10.2    : NetApp Element software
10.2    : NetApp HCI Management node
4.0     : NetApp Element Plug-in for vCenter Server (VCP)

Image: NetApp HCI

Monday, 13 January 2020

How to DHCP with Open DHCP Server - Quick Walkthrough

A quick install, setup, and run of Open DHCP Server.

1) Obtain Open DHCP Server from:

2) Double-click the OpenDHCPServerInstallerVX.XX.exe
And follow the prompts to install.

Image: Open DHCP Server Installer

Image: Open DHCP Server Installation

The install runs -
C:\OpenDHCPServer\installservice.exe

- which installs a service ‘OpenDHCPServer’ with the path to executable:
C:\OpenDHCPServer\OpenDHCPServer.exe

Image: Installing OpenDHCPServer - Installation Completed

Image: Open DHCP Server Service

Image: Contents of Install Folder C:\OpenDHCPServer

3) Edit OpenDHCPServer.ini as required
Note: Save the original .ini as say .ini.backup

4) To run, double-click ‘RunStandAlone.bat’.

5) To stop, close the cmd.exe window.

IMPORTANT NOTE: Before running OpenDHCP, be very careful that OpenDHCP is not connected/listening on any networks that it shouldn’t be. You don’t want to accidentally give out DHCP addresses.

Note: The ‘Open DHCP Server’ service only runs if you need to run Open DHCP as a service. Default state is ‘Startup Type’ = ‘Automatic’ and ‘Status’ = ‘Not Running’. When you run ‘RunStandAlone.bat’ that doesn’t start the service.

Image: Running OpenDHCP

Configuring IPMIs using OpenDHCP (or Not Having to Plug a KVM into every Server to Configure the IPMI/iLO/DRAC/whatever)

The reason why I’m writing a post about Open DHCP Server, is because I sometimes have to configure a number of servers (e.g. NetApp HCI/NetApp SolidFire) and it’s a bit of a pain needing to go to every server with a Keyboard, Video, Mouse (KVM), and configure the IPMI by: boot node, wait for key press to enter setup, configure IPMI, reboot, and so on (if there is already DHCP on the IPMI network, it can help.)

Using OpenDHCP and a portable switch (I bought a Netgear ProSafe GS116 for about £60), I can plug up to all the IPMI ports, see what’s got what on my private DHCP scope, connect over IPMI, and apply whatever configurations are required, without needing KVM (also, can RTFI nodes over the IPMI with new images if required, rather than carrying a set of USB keys.)

I set just:

[LISTEN_ON]
{IP of my laptop on the IPMI network}
[RANGE_SET]
DHCPRANGE = {Range of IPs I want to use - i.e. not the static IPMI IPs I will configure later}
SubNetMask={as required}
Router={as required}

Image: Very simple OpenDHCPServer.ini example
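
A pre-flight check for the OpenDHCPServer.ini settings above, run before starting RunStandAlone.bat: it confirms the server is pinned to a [LISTEN_ON] address and that the DHCP range sits inside that interface's subnet. This is an added example, not part of Open DHCP Server or the original post; the addresses are constructed, and the parser assumes a single [RANGE_SET] and that ';' or '#' start comment lines.

```python
"""Pre-flight check for an OpenDHCPServer.ini scope (added example)."""
import ipaddress

# Constructed sample: laptop at 192.168.50.1 on an isolated IPMI switch.
SAMPLE_INI = """\
[LISTEN_ON]
192.168.50.1
[RANGE_SET]
DHCPRange=192.168.50.100-192.168.50.150
SubnetMask=255.255.255.0
Router=192.168.50.1
"""


def parse_ini(text):
    """Return {SECTION: [lines]}, keeping bare values such as the LISTEN_ON address."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # assumption: ';' and '#' start comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def preflight(text):
    """Return a list of problems; an empty list means the scope looks contained."""
    cfg = parse_ini(text)
    listen = cfg.get("LISTEN_ON", [])
    if not listen:
        return ["no [LISTEN_ON] address: server is not pinned to one interface"]
    opts = {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition("=") for ln in cfg.get("RANGE_SET", []))}
    if "dhcprange" not in opts or "subnetmask" not in opts:
        return ["[RANGE_SET] needs DHCPRange and SubnetMask"]
    try:
        ifaces = [ipaddress.ip_interface(f"{ip}/{opts['subnetmask']}") for ip in listen]
        start, end = (ipaddress.ip_address(p.strip()) for p in opts["dhcprange"].split("-"))
        router = ipaddress.ip_address(opts["router"]) if opts.get("router") else None
    except ValueError as exc:
        return [f"unparseable value: {exc}"]
    problems = []
    if start > end:
        problems.append("DHCPRange start is above its end")
    if not any(start in i.network and end in i.network for i in ifaces):
        problems.append("DHCPRange is outside the subnet of every LISTEN_ON address")
    for i in ifaces:
        if start <= i.ip <= end:
            problems.append(f"LISTEN_ON address {i.ip} is inside DHCPRange")
    if router is not None and not any(router in i.network for i in ifaces):
        problems.append("Router is outside the LISTEN_ON subnet")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_INI) or ["ok: scope is confined to the listen subnet"]:
        print(problem)
```

A misspelt section header (for example a space instead of the underscore in LISTEN_ON) is reported as a missing [LISTEN_ON] address, because the parser does not normalise section names.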

The default HTTP interface for OpenDHCP is http://127.0.0.1:6789/ and for some reason this didn’t work for my laptop. Not a massive issue, as I can see all the DHCPREQUESTs in the cmd.exe window. The error was “HTTP Client 127.0.0.1, Message Receive failed, WSAError 0”. I tried on another laptop and didn’t get that error, but the webpage still failed to load.

Image: Netgear ProSafe GS116 16-port Gigabit Switch

Saturday, 11 January 2020

Studying for the VCP-CMA 2020 Certification: Update

I’ve just finished the 8 x Cloud Management Platform VMware Hands On Labs as below -

HOL-2021-01-CMP - vRealize Automation - Getting Started
HOL-2006-01-CMP - vRealize Suite - Making Private Cloud Easy
HOL-2021-91-ISM - vRealize Automation 8 - What’s New - Lightning Lab
HOL-2021-02-CMP - vRealize Automation - Advanced Topics
HOL-2021-04-CMP - vRealize Orchestrator - Getting Started
HOL-2006-02-CMP - vRealize Suite - Integrated Troubleshooting
HOL-2006-03-CMP - vRealize Suite Life Cycle Manager
HOL-2021-03-CMP - vRealize Automation - Advanced Extensibility

- and they are all well worth your time doing. The only one I might skip in hindsight is HOL-2021-91-ISM, since the VCP-CMA 2020 is focused on VMware vRealize Automation 7.6.

Image: Education Services > Certification > VCP-CMA 2020 (the hyperlink still says 2019)

What Next?

Now the VMware website has been updated with the VCP-CMA 2020 -
- I know my path is to take the Professional VMware vRealize Automation 7.6 exam once I’ve acquired enough knowledge and experience.

Now to “...item writers use the following references for information when writing exam questions. It is recommended that you study the reference content...” (from):

Revisiting the labs/other hands-on.

There is also a VMware Cloud Management YouTube channel with content worth watching:

No FlexPod design guides that appear to include vRealize, but worth checking out these NetApp Verified Designs that do (skip the bits you’re not interested in):

Notes from the 8 x Cloud Management Platform VMware Hands on Labs

Some notes I recorded whilst doing the labs.

VMware vRealize Automation Documentation

VMware vRealize Automation uses two distinct types of administrator accounts to divide up the administrative tasks required to manage the infrastructure endpoints, compute resource reservations, users, groups, and policies that need to be put in place. These two accounts are known as the IaaS Administrator and the Tenant Administrator.

The Tenant Administrator Portal includes two new tabs.
1. Administration - This tab contains all of the administrative functions that are available to you as the Tenant Administrator.
2. Infrastructure - Allows you to review recent events that have occurred on your tenant's infrastructure.

DEM = Distributed Execution Manager

vSphere SPBM (Storage Policy-Based Management Framework)

vRealize Automation 8.0 consists of the following components:
- Cloud Assembly
- Service Broker
- Code Stream
- Orchestrator

vRealize Automation also requires vRealize Suite Lifecycle Manager and VMware Identity Manager for installation, configuration, post-install management, and authentication.

There are two different types of Component Profiles:
- Image
- Size

Harbor in GitHub:

VMware Solutions Exchange:
Note: vRealize Orchestrator plugins are .VMOAPP files (can also be installed as .DAR files)

vRealize Orchestrator Control Center is the main interface to configure and troubleshoot vRealize Orchestrator.

Configure Component Profile Size Settings for Catalog Deployments

Configure Component Profile Image Settings for Catalog Deployments

There are some limitations to component profiles with which you should familiarize yourself:
- If you try to resize the virtual machine to a size greater than the largest setting, it will fail.
- Additionally, if you edit the component profile Size ValueSets, the changes will retroactively work on any already-deployed virtual machines.

Image: Automated Lifecycle Management and Operations (Day 0 to Day 2)

VMware vRealize Suite Lifecycle Manager comes free with VMware vRealize Suite in all three editions. vRealize Suite Lifecycle Manager automates installation, configuration, upgrade, patching, configuration management, drift remediation and health-status validation of services from within a single pane of glass, thereby freeing IT managers/cloud admin resources to focus on business-critical initiatives, while improving time to value (TTV), reliability and consistency.

Step 1) Deploy vRealize Suite Lifecycle Manager appliance and complete initial configuration.
Step 2) Deploy other VMware Products*

*Products = vRealize Network Insight, vRealize Business for Cloud, vRealize Log Insight, vRealize Operations, vRealize Automation

Image: VMware Products deployable from vRealize Suite Lifecycle Manager

vRealize Automation 7 has the following options for extending functionality beyond simple virtual machine deployment:
- Event Broker
- XaaS blueprints and actions

Image (1/2): vRealize Automation + Event Broker Service & Xaas Service Designer - pluggable framework to vRO

Image (2/2): vRealize Automation + Event Broker Service & Xaas Service Designer - pluggable framework to vRO

vRealize CloudClient is a command-line utility that provides verb-based access with a unified interface across vRealize Automation APIs:

Image: VMware vRealize CloudClient 4.7.0

Another resource for downloading Blueprints is VMware {code}. The code site allows community members to post and share vRealize Automation Blueprints as well as workflows and other content for VMware solutions: https://code.vmware.com

The ITSM Plug-in 7.6 is the latest release for those looking to extend ServiceNow ITSM with Multi-Cloud Automation with Governance.

VMware vRealize Automation integration with ServiceNow (vRA ITSM Plugin)