Hyper-V and HP c7000 Flex 10D, some thoughts…

I like the good old HP chassis, a reliable piece of kit and relatively straightforward to administer and maintain. On the host & networking side, networks are provided by modules in the rear of the chassis, allocated over the chassis fabric to each blade.

In essence, 2 x rear chassis Flex 10 modules (each with 8 x ports – FCoE, 10gbE or 1gbE SFP+ modules) provide resiliency to the server blades in the front of the chassis. Upstream you can have LACP connections for maximum throughput. Links are aggregated in shared uplink sets (SUS) and you can specify allowed VLAN tags across these uplink sets, which can then be dragged and dropped in server profiles to allow blade connectivity.

Each Flex module can provide 4 VF’s to a server (Virtual Functions). These can be 3 x Ethernet + 1 x FCoE or 4 Ethernet and so on. You provide this via a server profile in the Virtual connect manager.

As these are mirrored for availability, you don’t have 8 Ethernet to play with – you have 4 pairs. So, how best to utilise these connections? Answer: it depends.

4. If you have FCoE or iSCSI storage, you are immediately going to lose 1 pair of connections to facilitate this, leaving you with 3 pairs.

3. Now you are left with choices to make in regard to splitting up your traffic. These decisions will be driven by the back end network infrastructure connecting to the flex10’s. If you have physically separate networks for Internet facing traffic (IF/DMZ) – then you will have at least 1 pair of ports on the Flex side connected to this and you will therefore be forced to lose another pair on the host side.

2. and 1. You need host management, Live Migration, Heartbeat and Trusted/Non internet traffic for your VMs – from 2 pairs of NICs – So however you go about this, you will likely need to use LBFO teams & vSwitches (2012 R2) or SET (2016) over your pairs, carving out vEthernets for Management, LM & Heartbeat and VM networks.

Just be cautious of how you allocate bandwidth to the host network functions. Remember that internode CSV traffic is vital to maintaining storage connectivity and you don’t want your design to allow an out of control VM to consume all the available bandwidth, choking the host connectivity.

Likewise, a live migration needs to be fast, but not to the detriment of your workloads. Test, find the balance, tune and then prepare for distribution.

More reading of QoS in Switch Embedded Teaming is here….

 

 

Advertisements

Hyper-V & Cisco UCS

All,

Quick note on my preferred network config for Cisco UCS hosts – follow Cisco recommendations and use the hardware you have available to you – set your networks to utilise their native HA:

 

Name

Fabric HA  

vSwitch

 

Use

SMB 1 A SMB Multipath No Host Only
SMB 2 B SMB Multipath No Host Only
iSCSI 1 A MPIO No Host Only
iSCSI 2 B MPIO No Host Only
iSCSI 1 A MPIO Yes Guest Only
iSCSI 2 B MPIO Yes Guest Only
Management AB UCS No Host Only
Live Migration AB UCS No Host Only
Cluster HB AB UCS No Host Only
VM Networks (Trusted) AB UCS Yes Guest Only
VM Networks (Internet Facing / Non Trusted) AB UCS Yes Guest Only

Let the UCS do the hard work maintaining connectivity – don’t bother using LBFO teams, vEthernets etc… just assign as many NICs as per your design requirements and keep all your host & guest data separate.

The example above shows iSCSI use for host and guest use, also SMB for host storage. FCoE storage (preferred) would be provided by HBA and not showing in your Ethernet NIC list.

If you have a NetApp and System Center suite as well, then you should be reading up about flexpod here

Hyper-V – Don’t forget these simple administrative points! Part 2.

Continued from Part 1 – here.

8. DO use SCCM/WSUS for patching

For heavens sake, DON’T have firewall rules in your environment allowing all servers to talk outbound to the internet. WHEN they infiltrate your environment, you’ll have given them an easy exit with your data.

Block all internet bound traffic from your servers and monitor the blocking. Allow only key services and send them all via a proxy – by exception! Get WSUS to collect the patches you need and distribute them internally in a safe and controlled manner.

9. DO use VLANS on your Hyper-V switches – Get VMM to do the donkey work

Networks & IP pools in VMM are a wonderful thing. Set a VLAN, Static MAC and Static IP’s – all handled on build automatically. Make the most of this feature to keep tabs on your infrastructure. There’s no need to go back and forth to your IPAM tools for VM deployments.

Removing native networks and DHCP prevents a poorly configured VM from gaining access to anything it shouldn’t be talking to.

10. DON’T Mix and match CPU/Memory types in a cluster

Whilst it’s entirely possible to do so, you’ll end up compromising on performance of your VM’s. Everything will require CPU compatibility mode enabled (VM shutdown required to enable).

You will also be adding complexity to cluster capacity issues. Draining a host with 1tb of ram across a selection of 256gb hosts will be possible (provided no single VMs exist with memory assigned greater than 256gb), but sustaining node failures will become a complex calculation, rather than being able to tell at a glance.

If you are purchasing new nodes to expand your environment, then group them together and create a new cluster. Utilise live storage migrations between clusters – or – if using SMB3 storage, just simply live migrate the VM between clusters.

11. SQL per CPU host licencing on Hyper-V – beware!

Example: You have a Hyper-V cluster with 10 nodes, 2 processors per node (20 processors total) and you decide you want to use 2 nodes for SQL enterprise licensing on a per host CPU basis (4 CPU licences),

In short, a VM that has a licence covered by a host could potentially exist on any of the 10 nodes in your cluster. It does not matter about the settings on the VM defining the host it will reside on, it could be powered on, on any of the ten hosts and as such it is likely you would be seen to have fallen short of the required licences.

You would be best off removing 3 nodes from your existing cluster and creating a separate Hyper-V cluster dedicated for the SQL workloads and licences. Two nodes of running VM’s with a single empty host (which allows for a node failure/maintenance). This clearly shows your used hosts and your hot standby for a failure.

If in doubt – contact a licencing specialist company and get it checked and double checked. You do not want a bill in the post for the 8 remaining nodes 🙂

12. DO configure everything in PowerShell and DO retain it elsewhere

There’s many ways to automate the build of your hosts, SCVMM/SCCM or third party products, even LUN cloning (if boot from SAN). However, if you are manually building for any reason at all, then prepare the config and retain it afterwards. If the worst occurs, you can be back up and running in no time at all.

13. DO have a separate VLAN and address range for your host networks and DO keep them in step!

Make life easier for yourself. If you have 10 nodes, get 10 concurrent IP addresses from each of the ranges you may require (Management, Cluster-HB, Live Migration etc…) and make them the same last octet. Example:

Node1:

  • Mgmt: 10.0.1.11
  • ClusterHB: 172.10.0.11
  • Live Migration: 192.168.8.11

Node2:

  • Mgmt: 10.0.1.12
  • ClusterHB: 172.10.0.12
  • Live Migration: 192.168.8.12

And so on…. this will make your life easier in the long run. Keep these subnets away from any other use – so when you grow, you have more concurrent IP’s available.

If you ever need to revisit and reconfigure anything remotely via powershell, complexity will be reduced.

14. DO standardise your naming convention and use scripting/deployment tools!

As per the above points, name your network adaptors the same on every node – example:

  • MGMT-Team-NIC1, MGMT-Team-NIC2 –> MGMT-Team
  • LM-Team-NIC1, LM-Team-NI2 –> LM-Team
  • SMB-NIC1, SMB-NIC2
  • iSCSI-NIC1, iSCSI-NIC2

etc…

Again, when using PowerShell to build/configure it is easy to maintain convention and will save you countless config headaches over time.

Hyper-V – Don’t forget these simple administrative points! Part 1.

All,

Thought i’d put together a quick guide of often forgotten/overlooked configuration items, which may seem to be benign, but can pop up at exactly the wrong time and bite you in the proverbial. Most of these config items I have seen over the years and still run in to them from time to time!

1. DO configure all your Hyper-V hosts as CORE

There is absolutely no good reason to install GUI/Desktop Experience. If you are still not sure on your powershell commands, then use ‘SCONFIG’ to get an initial IP address in, firewall rules open for remote management, join the domain.

As the old adage goes – practice makes perfect. None of us started out knowing powershell off the top of our heads, so roll up your sleeves and give it a try. Once you have used it for a while it’ll become second nature.

2. DO run AV on your Hyper-V hosts

The exclusions are well known – published on technet for all to use – HERE  There is nothing worse these days, than making it easy for malware to spread. Be mindful of lateral movement in your organisation – think of malware intrusion not as an ‘IF’ but as a ‘WHEN’. Plan ahead and don’t make things easy for them.

3. DO turn on local firewalls

Again, group policy makes it easy for domain machines to have common rule sets applied to them. Don’t open the gates, for the sake of a few mins configuration work

4. DO plan your Hyper-V deployment ahead of time

Bad configuration is often the cause of bad planning. Even if you are only deploying a few hosts in a small cluster, how you approach this should be exactly the same as if you were planning for 32 hosts. Draw up your design according to the requirements. Even if the requirements are on the slim side, document your process and decision making.

Try to think of scale, if the company grows, would it be easy to add another few hosts later on?

5. DO connect a pair of 1gb onboard NICs – for dedicated managament use

You’ve invested in 10GbE – you have a pair of NICs and you are going to use them. There’s usually 2 x 1gb NICs onboard, doing nothing. Configure them as your OS main management network. Don’t put a vSwitch on top, keep it simple and easy to reach. If you do encounter any vLAN/vSwitch/vAnything issues down the line – you’ll be glad you can still manage your server – without the need for clunky iLO/DRAC sessions.

6. DO check your cluster metrics!

It’s pretty smart, it’ll auto assign the networks, but it’s not infallable. Get powershell open and check them HERE. It might be an old article – but it is still relevant. Make sure your CSV traffic is going where you want it to go, in the event of a redirect – you dont want it going over the wrong network.

Finally…..

7. DO make the most of your Microsoft Licences!

So many people overlook system center, believing it to be a set of expensive management tools. If you have datacenter licensing, software assurance and the right CALs then you are set to use the full suite of products, plus some of the MDOP goodies that have been written for you.

https://www.microsoft.com/en-gb/cloud-platform/system-center-pricing

I’m sure you are all familiar with the components now. Quite simply, Hyper-V without VMM is like toast without butter – dry and boring!

Take your time planning system center and the investment will pay dividends, alternatively, get a consultant in to do the leg work for you! 🙂 You can contact me on the site.

Part 2 here…

 

 

 

Configuring DPM Agents, Non-domain using Certificates

Hi All,

Lots of articles on this, Microsoft’s own documentation is far more detailed for 2012 R2 than it is for 2016. The concept remains the same.

My problems started as the cert authority (being comprised of an offline root CA and domain enterprise subordinate CA) forming the certificate chain, could not be contacted by agents on the other side of a firewall (without making swiss cheese of the firewall and allowing port 80 to the CRL distribution point, or standing up an alternative CRL location)

Follow the cert template setup guide here.

In the settings for the template, change the subject name handling to supply in the request. These certs are for non domain machines.

certs

Make sure permissions to the template allow read & enroll. Then we can add the template to the CA for use and head for the MMC console + local computer cert snap-in on your DPM server.

Add the cert to your DPM server following the guide above, generate the BIN file, copy to the agent.

If your agent is behind a firewall, make sure to open the additional TCP 6076 port required for the certificate communication.

If your non-domain agent is unable to access the CRL distribution point (required for initial verification of the cert) then you will need to manually import the CRL files. Open explorer to your cert server \\yourcertserver\certenroll – here you will find your CRL files.

Import your CRL files (copied from the CA) using:

certutil -addstore CA “C:\CRLfolderpath\CRLfilename.CRL”

Remember to import the full chain of valid CRL files, once added in, run your DPM agent setup command – then you will have a BIN file with which to complete setup.

Support

Bizarrely – Microsoft doesn’t support backup of machines in a “Perimiter Network” – https://technet.microsoft.com/en-us/library/hh757801(v=sc.12).aspx

I’m not sure about anyone else, but I make extensive use of VLANs, which are subject to firewall rule sets and agents work fine in these scenarios. So why would a “perimiter network” be any different?

I suspect this is just noted as MS have not fully tested support of agents in this scenario, but I do not see any reason why it should not work.

However, follow best practice and remember that if backup of a system is essential, you are best sticking to the official supported guidelines 🙂

Qlik Sense – PostGRE SQL, PGPASS and backups…

A little off my usual subject matter – but was tasked with this recently and couldn’t find anything really detailing it all in one place.

Anyway, those of you familiar (or not) with this DB will be looking for some easy way to back it up. Well, there isn’t. It’s a good old fashioned dump out a flat file product.

Command lines to do this are detailed here: Qlik Sense Backup Guide

pg_dump.exe -h localhost -p 4432 -U postgres -b -F t -f “c:\QSR_backup.tar” QSR

As you will read there, when you backup you can be prompted for a password (???) or you can specify it in plain text (sigh). To store the password, you need to use a PGPASS file.

PGPASS files are detailed here: PostgreSQL docs

File format needs to be:

hostname:port:database:username:password

What it doesn’t clearly explain is that this is a lookup list (think HOSTS file). If you were to use the pg_dump command in the example above – your PGPASS file should read:

localhost:4432:QSR:postgres:YourPassword

For multiple databases across multiple hosts, then you need to list each entry in your file, when PG_dump.exe references this information, it will lookup based on the details in the command line of hostname, port, database and username to then select the password.

Security

I like to work with service accounts for applications, so it makes sense to put the PGpass.conf file in a folder with restricted permissions – so only that service account user or domain admin can get at it. Run your script using this account or one with permissions to read the file.

Scripting Backup

My preference here is to call the script on a schedule. I’m using poweshell as I have multiple nodes in the site and services need to be stopped on every node for the backup to take place.

 

$scriptblock1={
stop-service QlikSenseEngineService
stop-service QlikSensePrintingService
stop-service QlikSenseProxyService
stop-service QlikSenseSchedulerService
stop-service QlikSenseServiceDispatcher
get-service QlikSenseRepositoryService | stop-service
}
$scriptblock2={
get-service QlikSenseRepositoryService | start-service
get-service qlik* | ? status -eq 'stopped' | start-service
}

# Shutdown services on primary & secondary nodes
Invoke-Command -ScriptBlock $scriptblock1
Invoke-Command -ComputerName secondnode -ScriptBlock $scriptblock1

# Call Backup file
(start-process -FilePath "cmd.exe" -ArgumentList '/c c:\backup.bat' -Wait -PassThru).ExitCode

# Start Services up on primary & secondary nodes
Invoke-Command -ScriptBlock $scriptblock2
Invoke-Command -ComputerName secondnode -ScriptBlock $scriptblock2

# Move backup to another location 
$backupfile="d:\backups\QSR.tar"
$destination="\\locationofyourchoice\CONFIG\Backup"
Move-Item $backupfile -Destination $destination -Force

The script calls a backup.bat file which contains the following:

SET PGPASSFILE=C:\securefolder\pgpass.conf
"C:\Path to Qliksense\Repository\PostgreSQL\9.3\bin\pg_dump.exe" -U yourDBadminuser -h localhost -p 4432 QSR >"d:\backups\QSR.tar"

The file sets a path ref to your PGpass.conf file, then calls PG_Dump with the required parameters, so it can lookup the password and then output your backup to D:\backups.

Powershell picks the file up and moves it elsewhere (I suggest moving into the same file structure as your Root,Apps,Logs,CustomData & Static content is (specified on install) – so that you can use your prefered backup software (DPM etc…) to protect it.