NOTE: This is only an overview. Due to the detailed nature of this project, I will break it up over several more-focused articles over time for easier reference.
Well, despite my more negative impression of this year’s VMworld conference, it still really paid off. There I learned about stateless ESX deployment. Using this information, I was able to build in my lab, after a couple months of trial and error, a highly robust VMware environment, fully managed and licensed, using the midwife scripts I modified for this effort. And configuration is hands-free.
Here are the system components:
- SERVER – HP c7000 Blade Enclosure with sixteen Bl465c blades, two 4 GB FC modules, and four VC Enet modules
- Each blade has two dual-core AMD CPUs, 16 GB RAM, two 72 GB SAS drives (hardware RAID-1), two embedded gig NICs, and a mezzanine card with two more gig NICs/iSCSI initiators and two FC HBAs
- NETWORK – Cisco 6509 with two SUP 720 cards, two 48 port LC Gig-E fiber cards, and four 48 port gig copper cards
- MANAGMENT – Dell 1850 with two 146 GB SAS drives (hardware RAID-1) for management and boot services
- STORAGE – Scavenged proof-of-concept totally ghetto Dell Optiplex desktop with four internal 1.5 TB SATA drives (software RAID-10 formatted with tuned XFS) providing 3 TB of NFS shared storage
- Scavenged HP IP-KVM box for OOB-management of the two Dells
Here are the steps I took:
- First I had to update all the firmware on the blade server. This includes the two OA cards for the Onboard Administrator, the Virtual Connect software, the iLO2 software for each blade, the BIOS on each blade, and the Power Management Controller firmware. There is a particular order this is done in, and it is not easy, but it really needs to be done. The fixes that come with these updates are often vital to success. Overall, I spent a week researching and updating. I set all the blades to boot via PXE.
- Next, I built the storage server. I really had no choice – nothing was available but a Dell Optiplex desktop. It had four internal SATA ports available, and room for four 1GB RAM modules. It also had a single dual-core Intel CPU and PCI slots for more NICs, and a PCI-Express mini-slot as well. I had to order parts, and it took a little while, but once done, it had a total of four gig NICs (one embedded, two PCI, one PCI-Express), four 1.5 TB SATA drives, and 4 GB RAM. I loaded it with 64-bit Ubuntu-9.04, hand-carved the partitions and RAID-10 setup, formatted the 3 TB volume with XFS, tuned as best I knew how, and then put it on the 2.6.31 kernel (I later updated it to 2.6.31.5). There were no BIOS or other firmware updates needed.
- I then built the management server on the Dell 1850. It only has one power supply (I cannot find a second one), but it does have 8 GB RAM and two dual-core CPUs. I loaded 64-bit Ubuntu-9.04 on it afte installing two 146 GB SAS drives in a RAID-1 mirror (hardware-based). I also updated the BIOS and other firmware on it.
- Having these components in place, I studied the blade server to see what I could get away with, and ultimately decided to use each NIC on a blade server to support a set of traffic types, and balanced the likelyhood of traffic demands across them. For example, Vmotion traffic, while it may be intense, should be relatively infrequent, so it shares a V-Net with another type of traffic that is low-bandwidth (the alternate management network). Altogether, I ended up with a primary management network on up V-Net, Vmotion and the alternate on another V-Net, storage traffic (NFS and iSCSI) on a third V-Net, and VM traffic on its own V-Net. Each V-Net maps to the its own NIC on a blade, the same NIC on each blade.
The physical network design:
For the V-Nets, the management network went on NIC 1 as an untagged VLAN. It has to be untagged, because when it boots up, it needs to get a DHCP address and talk to the boot server for its image. Since it comes up untagged, it will not be able to talk out to the DHCP/PXE server if the V-Net is set to pass through tags. The other V-Nets support tagged VLANs to further separate traffic. Each V-Net has four links to the Cisco 6509, except for the storage V-Net, which has eight. Two links form an LACP bundle from the active side (VC-Enet module in Bay 1), and two make up an LACP bundle (or etherchannel) from the module in Bay 2, which is the offline side. This is repeated for the other networks across the other modules in Bays 5 and 6. Bays 3 and 4 house the Fiber Channel modules, which I am not using. Everything is on its own individual private 10.x.x.x network as well, except for the VM traffic net, which will contain the virtual machine traffic.
The storage design:
Like I said, a really ghetto NFS server. It does not have enough drives, so even though it would be overkill for a home PC, it will not cut it in this situation. I expect it to run out of steam after only a few VMs are added, but it does tie everything together and provides the shared storage component needed for HA, Vmotion, and DRS. I am working on an afforable and acceptable solution, rack-mounted, with more gig NICs and up to 24 hot-swap drives – more spindles should offer more thoughput. I bonded the NICs together into a single LACP link, untagged back the the Cisco, on the NFS storage VLAN. Once working, I stripped out all unneeded packages for a very minimal 64-bit Ubuntu server. It boots in seconds, and has no GUI. Unfortuately, I did not get into the weeds enough to align the partitions/volumes/etc. I just forgot to do that. I will have to figure that out next time I get a storage box in.
The management server:
It is also on a very minimal 64-bit Ubuntu-9.04 install. Ithas four NICs, but I only use two (the other two are only 100 MB). The two gig NICs are also bonded into one LACP link back to the Cisco, untagged. The server is running a stripped down 2.6.31 kernel, and has VMware Server 2.0.x installed for the vCenter Server (running on a Windows 2003 server virtual machine). On the Ubuntu host server, I have installed and configured DHCP, TFTP, and gPXE. I also extracted the boot guts from the ESXi 3.5.0 Update 4 ISO and set up the tftpboot directory so that each blade will get the image installed. On the vCenter Server virtual machine, I installed the Microsoft PowerShell tool (which installed ActiveState PERL), and the VMware PowerCLI tool. I also downloaded the midwife scripts and installed Notepad++ for easy editing. The vCenter Server VM is on a private 10.x.x.x net for isolated management, but this gets in the way of the Update Manager plugin, so I still have some work to do later to get around this.
Really key things I learned from this:
- The blade server VC-Enet modules are NOT layer-2 switches. They may look and feel that way in some aspects, but they, by design, actually present themselves to network devices as server ports (NICs), not as more network devices. Learn about them – RTFM. It makes a difference. For instance, it may be useful to know that the right side bay modules are placed in standby by default, and the left-side are active – they are linked via an internal 10Gig connection. I know of another lab with the same hardware that could not figure out why they could not connect the blade modules to the network if all the modules were enabled, so they solved it by disabling all but Bay-1, instead of learning about the features and really getting the most out of it.
- Beware old 64-bit CPUs. Just because it lets you load a cool 64-bit OS on it does NOT mean it will let you load a cool 64-bit virtual machine on it. If it does not have virtualization instruction sets in its CPU(s), you will run into failure. I found this out the hard way, after trying to get the RCLI appliance (64-bit) from VMware in order to manage the ESXi hosts. I am glad I failed, because it forced me to try the PowerCLI/PowerShell tools. Without those tools, I seriously doubt I could have gotten this project working.
- Learn PowerShell. The PowerCLI scripts extend it for VMware management, but there are plenty of cool tricks you can do using the base PowerShell scripts as well. I am no fan of Microsoft, so it is not often I express satisfaction with one of their products. Remember where you were on this day, ‘cuz it could be a while before it happens again.
- Name resolution is pretty important. HA wants it in a real bad way. Point your hosts to a DNS server, or give them identical hosts files (a little ghetto, but a good failsafe for a static environment). I did both.
- Remember those Enet modules? Remember all that cool LACP stuff I mentioned? Rememeber RTFM? Do it, or you will miss the clue that while the E-net modules like to play with LACP, only one link per V-Net is set active to avoid loops. So if, on your active V-Net, you have two LACP links, each for a different tagged VLAN, and your NFS devices won’t talk to anyone, you will know that it is because it saw your iSCSI V-Net first, so it set your NFS link offline. Meaning, the iSCSI link on Bay-1 and it’s offline twin on Bay-2 both have to fail before your NFS link on Bay-1 will come up. Play it safe – one LACP link per V-Net per bay. Tag over multiple VLANs on the link instead. The E-net modules only see the LACP links, and do not care if they support different VLANs – only one is set active at a time.
- Be careful with spanning tree (this can be said for everything related to networking). Use portfast on your interfaces to the E-net modules, and be careful with spanning tree guards on the Cisco side. In testing, I would find that by pulling one of the pairs in a link, it would isolate the VLAN instead of carrying on as if nothing had happened. Turns out a guard on the interface was disabling the link to avoid potential loops. Once I disabled that, the port-channel link functioned as desired.
- Doesn’t it suck to get everything working, and then not have a clean way to import in VMs? I mean, now that you built it, how do you get stuff into it? I ended up restructuring my NFS server and installing Samba as well. This is because when importing a VM from the GUI (say, by right-clicking on a resource pool), the “Other Virtual Machine” option is the only one that fits. However, it then looks for a UNC path (Windows share-style) to the .vmx file. I could browse the datastore and do it that way, but for VMs not on the NFS datastore already, I needed to provide a means for other labs to drop in their VMs. Samba worked. Now they can drop in their VMs on the NFS server via Samba, and the vCenter Server can import the VMs from the same place.
Currently, we are restructuring phycial paths between labs for better management. It is part of an overall overhaul of the labs in my building. Once done, my next step is to start building framework services, such as repository proxy servers, WSUS servers, DHCP/DNS/file/print, RADIUS/S-LDAP/AD, etc., etc. I also need to wrap in a management service framework as well that extends to all the labs so everyone has an at-a-glance picture of what is happening to the network and the virtual environment. One last issue I am fighting is that I am unable to complete importing VMs I made on ESX 3.5 U2 earlier this year. It keeps failing to open the .vmdk files. I will have to pin that down first.
The end result?
- If I run the midwife service on the vCenter server and reboot a blade, it is reloaded and reconfigured within minutes.
- If I upgrade to beefier blades, I pop them in and let them build.
- If I update to a newer release of ESXi (say, update 5 or 6), I extract from the ISO to the tftpboot directory and reboot the blades. The old configs get applied on the new updated OS.
- All configs are identical – extremely important for cluster harmony. No typos.
- If someone alters a config and “breaks” something, I reboot it and it gets the original config applied back.
- If I make a change to the config, I change it in the script once, not on each blade individually. This also allows for immediate opportunity to DOCUMENT YOUR CHANGES AS YOU GO. Which is just a little bit important.
As stated before, this is an overview. I will add more detailed articles later, which will include scripts and pictures as appropriate. I am at home now and do not have access to my documentation, but once I get them, I will post some goodies that hopefully help someone else out. To include myself.
Filed under: Kernel, Kubuntu, Microsoft, NFS, Programming, RAID and LVM, VMWare, XFS | Tagged: 64-bit, 6509, Bl465c, bonding, c7000, channel-group, Cisco, console, datastore, Dell, DRS, ESX, ESXi, etherchannel, HA, Hardware, hostname, HP, LACP, midwife, modules, networking, NFS, Onboard Administrator, partitions, Perl, port-channel, port-group, PowerCLI, PowerShell, RAID-1, RAID-10, samba, scripts, Security, shared storage, troubleshooting, Ubuntu, V-Net, VC E-net, Virtual Center, Virtual Connect, virtual machine, VLAN, VM, VMWare, VMware-Server 2, vmworld, volumes, Windows, XFS | 2 Comments »
Linux Free Trade Zone 