I've been working through an SRM setup and have been looking at ways to reduce the amount of traffic that is sent over the WAN. The first obvious move is to move your VMware swap files off the replicated LUNs.
Another way is to change the sync window, i.e. how often your replication technology tries to bring the source and destination back in sync. Increasing this window can sometimes help you out, but that all depends on your deltas.
For example: in the case of a Windows page file on an active server (SQL etc.) it could "potentially" change the whole file within an hour. If your replication was set to every hour and the page file was 4GB then you'd be sending at least 4GB every hour. Changing the sync on your replicated LUN to 8 hours instead would mean you'd only send the 4GB of "delta" (i.e. blocks that have changed since the original snap).
The problem is that you would typically want to sync your virtual machines on a more frequent schedule than 8 hours. So this is where you need to move your Windows page files onto a separate LUN (also replicated), but on a larger sync window (perhaps only once if your servers are static).
Check this link for a great script to monitor changes made to a virtual machine via the VMware CBT (Changed Block Tracking) API. This is perfect for finding the culprit machines that are generating a lot of replication traffic if you are replicating over a WAN.
http://www.vmguru.com/index.php/articles-mainmenu-62/scripting/105-using-powershell-to-track-block-change-sizes-over-time
If you have some disks on a virtual machine that you don't want this script to capture, just set them as independent disks (so no snapshots can take place). This is handy if you have your Windows page file on a separate disk that you don't want to be measured as part of the CBT changes.
Some very nice examples by Gene on how to set up Vyatta as a router on this page:
http://www.sonoracomm.com/support/19-inet-support/233-vyatta-cable
Masquerade Natting;
set service nat rule 10 source address 192.168.77.0/24
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 20 source address 10.200.88.0/24
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade
Essentially everything leaving these two networks will be NATted via the eth0 interface, i.e. they will be using the same IP as eth0 for their requests.
Static Nat Route (pinhole);
set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set service nat rule 2 description "Web Server1"
set service nat rule 2 destination address 192.168.109.254
set service nat rule 2 destination port 81
set service nat rule 2 inside-address address 10.200.88.45
set service nat rule 2 inside-address port 80
This rule takes everything that hits TCP port 81 on 192.168.109.254 and sends it through to port 80 on 10.200.88.45 (which is on another routable network), in this case a directly attached network on eth1.
This page is hard to find, but it has it all… http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008705
To generate and import an SSL certificate on the VDM server:
Note: Certificates are only required for client‐facing systems (that is, standard, replica, or security VDM servers).
- All the commands related to certificates need to be run in System Context. From a command prompt, run:
  at <time> /interactive cmd.exe
  where <time> is in 24 hour format. For example:
  at 21:45 /interactive cmd.exe
  This opens a new command window in System Context.
- On the VDM or security server, change the directory to C:\Program Files\VMware\VMware VDM\Server\jre\bin.
- Run the following command to create a 1024-bit self-signed SSL certificate:
  keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360
  To generate a 2048-bit certificate, run the command:
  keytool -genkey -keyalg "RSA" -keysize 2048 -keystore keys.p12 -storetype pkcs12 -validity 360
  Note: The keys.p12 file is created in the current directory.
- Run the following command to create a certificate signing request (CSR):
  keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12 -storepass <secret>
  where <secret> is the keystore password.
  Note: The certificate.csr file is created in the same location.
- Send the CSR file (certificate.csr) to a certificate authority and request a certificate in PKCS7 format.
  Note: If the certificate authority does not offer PKCS7 as a format, see Exporting into PKCS7 format in this article for information about exporting the certificate data in the appropriate format.
- Copy the contents of the file into a text editor and save it as certificate.p7. The content appears similar to:
-----BEGIN PKCS7-----
MIIF+AYJKoZIhvcNAQcCoIIF6TCCBeUCAQExADALBgkqhkiG9w0BBwGgggXNMIID
LDCCApWgAwIBAgIQTpY7DsV1n1HeMGgMjMR2PzANBgkqhkiG9w0BAQUFADCBhzEL
i7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnStyhVHFIpKy3nsDO4JqrIg
EhCsdpikSpbtdo18jUubV6z1kQ71CrRQtbi/WtdqxQEEtgZCJO2lPoIWMQA=
-----END PKCS7-----
Note: For more information about importing certificates issued by an OpenSSL CA, see Importing certificates issued by an OpenSSL CA (1007390).
- Run the following command to import certificates issued by the CA:
  keytool -import -keystore keys.p12 -storetype pkcs12 -storepass <secret> -keyalg "RSA" -trustcacerts -file certificate.p7
  Where <secret> is the keystore password (the password you used when exporting the certificate).
- To configure the View Connection Server to use the new certificate, place the new certificate and copy the keys.p12 file (the keystore file) in C:\Program Files\VMware\View Manager\Server\sslgateway\conf.
- Modify or create the following file:
  C:\Program Files\VMware\View Manager\Server\sslgateway\conf\locked.properties
- Add the following properties:
  keyfile=keys.p12
  keypass=<secret>
  Where <secret> is the keystore password (the password you used when exporting the certificate).
- Restart the View Connection Server service.
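A check worth running before the restart, added here as an example that is not part of the VMware article: it confirms the CA reply actually replaced the self-signed certificate, that locked.properties names the keystore, and it tightens the ACLs on both files because keypass sits in clear text. It assumes the paths from the steps above, an English-language JRE, Windows 2008 icacls, and that the View Connection Server service runs as Local System.

```powershell
# Added example. Paths come from the steps above; <secret> is the page's placeholder.
$keytool  = 'C:\Program Files\VMware\VMware VDM\Server\jre\bin\keytool.exe'
$confDir  = 'C:\Program Files\VMware\View Manager\Server\sslgateway\conf'
$keystore = Join-Path $confDir 'keys.p12'
$props    = Join-Path $confDir 'locked.properties'

# Return the text after "<Name>: " on the first matching line of keytool output.
function Get-Field($lines, $name) {
    $m = $lines | Select-String "^${name}:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value }
}

# 1. Dump the keystore; a wrong password or store type fails here.
$listing = & $keytool -list -v -keystore $keystore -storetype pkcs12 -storepass '<secret>'
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $keystore" }

# 2. The first Owner/Issuer pair belongs to the server certificate. If they are
#    equal, the keystore still holds the self-signed certificate from -genkey.
$owner  = Get-Field $listing 'Owner'
$issuer = Get-Field $listing 'Issuer'
if (-not $owner) { throw 'No certificate entry found in keytool output' }
if ($owner -eq $issuer) {
    Write-Warning 'Server certificate is still self-signed; the CA reply was not imported.'
}
$listing | Select-String 'Certificate chain length|^Valid from'

# 3. locked.properties must point at the keystore that was just checked.
$keyfile = Get-Content $props | ForEach-Object {
    if ($_ -match '^keyfile=(.+)$') { $Matches[1] }
}
if ($keyfile -ne 'keys.p12') {
    Write-Warning "keyfile in locked.properties is '$keyfile', expected keys.p12"
}

# 4. The keystore holds the private key and locked.properties holds its password
#    in clear text. Drop inherited ACEs and grant access only to Local System
#    (S-1-5-18) and the local Administrators group (S-1-5-32-544).
foreach ($f in $keystore, $props) {
    & icacls.exe $f /inheritance:r /grant:r '*S-1-5-18:(F)' '*S-1-5-32-544:(F)'
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $f" }
}
```

If the service runs under a different account, grant that account read access as well before restarting.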
Exporting into the PKCS7 format
To export into the PKCS7 format:
- Open the certificate file.
- Click Details > Copy to File.
- Click PKCS7, then select Include Details of Certificate.
The file is saved with a .P7B extension.
This happens when the VirtualCenter service tries to start before some of its dependencies are up and running, typically because SQL Server is not in a running state when it tries to start up.
If you're on Windows 2008 you can set the service to start automatically (delayed), and most of the time this will resolve the problem. If you want to do it properly, and in a cleaner way, you'll need to add SQL as a dependency.
Open regedit and go to the following key (find the service name that VirtualCenter is running under; vpxd in this case):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpxd
Open and modify the "DependOnService" multi-string value and append the following (specific to my environment: ADAM for VMware, and SQL Server):
MSSQLSERVER
ADAM_VMwareVCMSDS
So my DependOnService Multi-String now reads;
ProtectedStorage
lanmanworkstation
MSSQLSERVER
ADAM_VMwareVCMSDS
Done.
On the next reboot the VirtualCenter service will wait for its dependencies to start before it tries to start itself.
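The same registry change scripted, as an added example rather than part of the original post: it appends the two dependencies to DependOnService only if they are missing, and refuses to write a name that is not an installed service. It assumes the service names from this post and an elevated PowerShell prompt.

```powershell
# Added example. Service names are the ones from this post; a named SQL Server
# instance registers as MSSQL$<InstanceName> instead of MSSQLSERVER.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\vpxd'
$needed = 'MSSQLSERVER', 'ADAM_VMwareVCMSDS'

# A dependency on a service that does not exist stops vpxd from starting at all
# (error 1075), so check each name before touching the registry.
foreach ($name in $needed) {
    if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
        throw "Service '$name' is not installed on this host; $svcKey left unchanged"
    }
}

# Read the current REG_MULTI_SZ value (it may be absent) as a string array.
$prop    = Get-ItemProperty -Path $svcKey -Name DependOnService -ErrorAction SilentlyContinue
$current = @($prop.DependOnService | Where-Object { $_ })

# Append only the entries that are missing, so re-running the script is harmless.
$missing = @($needed | Where-Object { $current -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Output "vpxd already depends on: $($current -join ', ')"
}
else {
    $merged = [string[]]($current + $missing)
    Set-ItemProperty -Path $svcKey -Name DependOnService -Value $merged -Type MultiString
    Write-Output "DependOnService is now: $($merged -join ', ')"
}
```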