Snapshots are not backups! or VDP and YOU

Ominous words would be echoed in the meeting… “You do have a BACKUP right?”

Working in production environments, the constant challenge is maintaining uptime (aka ‘steady-state’) while at the same time moving forward, slowly or as quickly as feasible, with the changing demands of the business.

Change can come in many forms. It is a driver for your organization.

A simple response to a vulnerability; patching is a necessity.

New features are required. Upgrades will be needed.

And, more importantly, disaster avoidance. The idea is to prepare in advance to avoid disaster. It is akin to shifting and dodging BEFORE some bump comes up in the road. There are many approaches to this, like having a stretched geo-location metro cluster.

Whatever the driver, you have to have a fallback plan. What if the post-change activity fails, or there is an unforeseen after-effect? Things do not always work 100% as planned. What is your fallback plan? What? You have a VMware environment. You did click the snapshot button. Well, that does work, but it isn’t a full backup.

From KB 1025279

  • Snapshots are not backups. A snapshot file is only a change log of the original virtual disk.
  • Snapshots are not complete copies of the original vmdk disk files….it only copies the delta disks. The change log in the snapshot file combines with the original disk files to make up the current state of the virtual machine. If the base disks are deleted, the snapshot files are useless.
  • Delta files can grow to the same size as the original base disk file, which is why the provisioned storage size of a virtual machine increases by an amount up to the original size of the virtual machine multiplied by the number of snapshots on the virtual machine.
  • The maximum supported amount of snapshots in a chain is 32. However, VMware recommends that you use only 2-3 snapshots in a chain. — [ed The reason is there is a performance hit]

In fact, VMware's recommendation is to set up an alarm in vCenter that fires when a VM is running from a snapshot, to avoid this condition.

See KB 1018029 “Configuring VMware vCenter Server to send alarms when virtual machines are running from snapshots”
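
The alarm catches a VM that is running on a snapshot; the chain itself can also be audited from the datastore side. The script below is an added example (not from the KB or the original post) that counts delta disks per virtual disk in one VM directory and flags chains longer than the recommended 3, longer than the supported 32, or left without a base disk. It assumes snapshot deltas are named <disk>-NNNNNN-delta.vmdk; the function names and sample files are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit snapshot delta chains in one VM directory on a datastore.
# Assumption: deltas are named <disk>-NNNNNN-delta.vmdk, the base <disk>.vmdk.

# Prints "<disk> <depth> <delta-bytes> <status>" per virtual disk.
#   ORPHAN  deltas exist but the base disk is gone (the deltas are useless)
#   OVER    more than 32 deltas, the supported maximum
#   WARN    more than $2 deltas (default 3, the recommended ceiling)
snapshot_chain_report() {
    dir=$1; warn=${2:-3}
    for f in "$dir"/*-[0-9][0-9][0-9][0-9][0-9][0-9]-delta.vmdk; do
        [ -e "$f" ] || continue                  # glob matched nothing
        disk=$(basename "$f" | sed 's/-[0-9]\{6\}-delta\.vmdk$//')
        base=yes; [ -e "$dir/$disk.vmdk" ] || base=no
        printf '%s\t%s\t%s\n' "$disk" "$(wc -c < "$f" | tr -d ' ')" "$base"
    done | awk -F '\t' -v warn="$warn" '
        { depth[$1]++; bytes[$1] += $2; base[$1] = $3 }
        END {
            for (d in depth) {
                s = "OK"
                if (depth[d] > warn) s = "WARN"
                if (depth[d] > 32)   s = "OVER"
                if (base[d] == "no") s = "ORPHAN"
                print d, depth[d], bytes[d], s
            }
        }' | LC_ALL=C sort
}

# Constructed sample: tiny files standing in for real disks.
make_sample_vm_dir() {
    d=$(mktemp -d)
    : > "$d/web01.vmdk"; : > "$d/web01_1.vmdk"
    for n in 1 2 3 4; do printf 'xxxxxxxxxx' > "$d/web01-00000$n-delta.vmdk"; done
    printf 'xxxxx' > "$d/web01_1-000001-delta.vmdk"
    printf 'xxx' > "$d/old-000001-delta.vmdk"    # its base disk was deleted
    echo "$d"
}

# Run the demo only when asked:  sh snapshot_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_vm_dir); snapshot_chain_report "$demo"; rm -rf "$demo"
fi
```

The byte count is the sum of the delta files only, which is the extra space the chain adds on top of the base disk.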

Now the question still remains.. What options do you have?

Well, there is good news! From VMware, as of March 1, 2015: “VMware vSphere Data Protection Advanced will be consolidated into VMware vSphere Data Protection (available through vSphere Essentials Plus Kit or higher vSphere editions, all vSphere with Operations Management editions and all vCloud Suite editions) and will no longer require purchase of a separate license. All functionality available with vSphere Data Protection Advanced, previously available as a standalone product, is now included in VMware vSphere Data Protection 6.0.” – See more at: Announcement

WOOHOO.

Why is this cool? There are many reasons but to sum things up.

VMware Data Protection Advanced (VDP) is very cool. It is based on modern backup solutions.

  • There are no tapes
  • There is deduplication – Variable length up
  • There is replication
  • File recovery
  • VM recovery
  • Application aware backups
  • Efficient, bandwidth throttling
  • Changed Block Tracking (CBT) Restore
    vSphere Data Protection uses Changed Block Tracking (CBT) during image-level backups. CBT is also utilized with image-level restores in some cases to improve speed and efficiency
  • It can plug into something really big (Data Domain and Avamar)
    • Data Domain allows for “Consolidate backup, archive, and disaster recovery with high-speed deduplication”
    • Avamar  DEDUPLICATION BACKUP SOFTWARE AND SYSTEM — VDP is based on Avamar. See the announcement.

It is super easy to install and use. I did say easy, and it is, because VDP gives you:

  • Linux-based virtual appliance: Easily install and configure backups.
  • Self-Service File Level Recovery: Enable guest OS administrators to restore individual files and folders.
  • Wizard-driven backup policies: Assign backup jobs to individual virtual machines or larger containers such as a cluster or resource pool, with specific schedules and retention policies.
  • There is no need for agents in the VM for normal backups.
  • Application aware backups. Backup agents for Microsoft SQL Server, Exchange, and SharePoint. The agents enable application consistent backup and recovery of these applications on virtual and physical machines

– See more at: http://www.vmware.com/products/vsphere/features/data-protection.html

Some tips about VDP deployment.

Do not put all your eggs in the same basket

— Don’t set up your backup volumes in the same datastore your VMs reside in. The option to use Data Domain is a great one! Data Domain can be the data backup target.

DNS. Have it working!

Is it fast enough? Avoid problems and run a performance test before your backups. Make sure your data backup targets are validated for performance.

Initial configuration is deployment via OVF. 

Log on via https://ip-address-assigned:8543/vdp-configure/

Here you log in as root/changeme

BUT if you need to ssh in later via IP or hostname, you cannot use the root account. You must use the admin account, which has the same password, and then su to root.

“Currently, users can access the VDP appliance command line using the vSphere Client console, SSH, or Putty sessions. With the VDP 5.8 and later releases, the ability to use SSH or Putty to log on to the VDP appliance with the root user has been removed.” — Administration Guide

and lastly

VAMI is your friend and so is the log.

The VAMI is: Virtual Appliance Management Infrastructure (VAMI). VAMI provides end‐users of virtual appliances with a Web console and command line interface that can:

  • Configure network settings
  • Check for updates and install them, manually or automatically
  • Review basic system information for the virtual appliance
  • Stop or restart the virtual appliance

Where is the magical vami?

From the command line you can find it here: /opt/vmware/share/vami/

and if you run into problems..

Log in via ssh to the vdp appliance. Run the following while you attempt the action where you see the error.

root@vdp01:~/#: tail -f /usr/local/avamar/var/vdr/server_logs/vdr-server.log

Then watch the log and try to reproduce the error.

Additional Resources:

Here is a great overview from the VMware HOL team!

VDP overview install and backups! VDP DEMO

and more VDP feature walk through DEMO

and learn how to:

  1. Creating a Virtual Machine Backup Job
  2. Creating a Replication Job
  3. Creating an Application Backup Job
  4. File Level Restore
  5. Restoring a Virtual Machine
  6. Restoring an Application

Joining VCSA 5.5 to AD Domain with Secure Token Service (STS)

The easiest choice is:

1. Active Directory with (Integrated Windows Authentication)

a. Use the Machine name.

“If you’re adding AD authentication, simply make sure the VCSA is added to the domain, then use Integrated Windows Authentication using the computer account. Couldn’t be simpler.”

Normally, you would do the above.

I had some problems with this, as the error message stated the VCSA was improperly joined to the domain. I had to remove and rejoin, without success. So eventually I explored another method.

==

Following KB: 2058298 “Creating and using a Service Principal Account in vCenter Single Sign-On 5.5”
Service Principal Account (SPN) is a new feature in vCenter Single Sign-On (SSO) 5.5. The SPN account acts as the Secure Token Service (STS) for token issuing.
This article provides steps to configure and use a SPN when creating an Active Directory Identity Source for SSO 5.5.
1. Verify the domain:
C:\>echo %UserDNSDomain%
You see output similar to:
child-domain.vmware.com
Type setspn -Q sts/DNS_domain_name and press Enter. This verifies that no other SPNs have been created on this domain.
For example:
C:\>setspn -Q STS/child-domain.vmware.com
You see output similar to:
No such SPN Found.
Note: If a SPN is found, consult your Active Directory administrator.
(Here I created an SSOServiceAccount set to domain admin)
The next step is to run setspn:
C:\>setspn -S STS/child-domain.vmware.com SSOServiceAccount
From here you “Set the Active Directory Identity Source with SSO 5.5”
Creating an Active Directory Identity Source for use with SSO 5.5

To create an Active Directory (Integrated Windows Authentication) Identity Source:
Log in to the vSphere Web Client as administrator@vsphere.local or as another user with SSO administrator privileges. The default vSphere Web Client URL is:

https://client-hostname:9443/vsphere-client

Navigate to Administration > Single Sign-On > Configuration.
In the Identity Sources tab, click the Add Identity Source icon under the option menu.
Click Active Directory (Integrated Windows Authentication).

Select the Use SPN option.
Enter this information:

Domain name: DNS_Domain_name
Service Principal Name (SPN): STS/DNS_Domain_name
User Principal Name (UPN): Domain User assigned SPN@DNS_Domain_name.com
Password: Password

For example:

Domain name: child-domain.vmware.com
Service Principal Name (SPN): STS/child-domain.vmware.com
User Principal Name (UPN): SSOServiceAccount@child-domain.vmware.com
Password: WelcomeToSSO55

And there you have it: you can now log on to SSO and you will be able to see the AD you joined in the SSO. Delegate SSO Admin Rights (in the web client, “vCenter Users and Groups”). Add AD groups to the Administrator group.

How to “fix” VCSA IP settings from command line.

More and more often, customers are looking for an easier method to deploy their vSphere management.

vCenter has traditionally been an application loaded on top of Windows... but “the times they are a changing”

There are more and more use cases where the business requirements allow for deployment of the vCenter appliance.

But here is a quick post to help you “fix” the IP configuration of your appliance. Sometimes during the deployment of the VCSA OVA there is a miscommunication or fat-finger incident. Here is how to address that.

It also allows you to change hostname, DNS, default gateway and proxy.

Summary:

Open a console session of the VCSA
Login as: root
Default password is: vmware
Execute the following command: /opt/vmware/share/vami/vami_config_net

/opt/vmware/share/vami/vami_config_net

 Main Menu

0)    Show Current Configuration (scroll with Shift-PgUp/PgDown)
1)    Exit this program
2)    Default Gateway
3)    Hostname
4)    DNS
5)    Proxy Server
6)    IP Address Allocation for eth0

After executing the command, a menu is displayed. Within the menu it is possible to change the IP address, hostname, DNS, default gateway and proxy server.
After allocating a static IP address to the VCSA, the post-configuration can be done by using the following URL:

https://static-ip-address:5480
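
A mistyped address or netmask is exactly the kind of error this procedure corrects, and it can be caught by checking that the values in the interface file agree with each other. The script below is an added example (not from VMware or the original post): it reads IPADDR, NETMASK and BROADCAST from a file such as /etc/sysconfig/networking/devices/ifcfg-eth0 and checks them, plus an optional gateway, for consistency. The function names and the gateway argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: sanity-check an ifcfg file after changing network settings.
# The file is parsed as text, never sourced, so nothing in it gets executed.

ip_to_int() {                      # dotted quad -> integer, fails on bad input
    case $1 in ''|*[!0-9.]*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ifcfg_get() {                      # ifcfg_get KEY FILE -> value, quotes removed
    sed -n "s/^$1=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}[[:space:]]*\$/\1/p" "$2" |
        tail -n 1
}

# check_ifcfg FILE [GATEWAY]: prints one line per problem, returns 1 if any.
check_ifcfg() {
    rc=0
    ip=$(ip_to_int "$(ifcfg_get IPADDR "$1")")    || { echo "bad IPADDR"; return 1; }
    mask=$(ip_to_int "$(ifcfg_get NETMASK "$1")") || { echo "bad NETMASK"; return 1; }
    inv=$(( ~mask & 0xFFFFFFFF ))                 # host bits of the subnet
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "NETMASK is not contiguous"; rc=1; }
    bc=$(ifcfg_get BROADCAST "$1")
    if [ -n "$bc" ]; then
        got=$(ip_to_int "$bc") || got=-1
        [ "$got" -eq $(( ip | inv )) ] ||
            { echo "BROADCAST $bc does not match IPADDR/NETMASK"; rc=1; }
    fi
    if [ -n "${2:-}" ]; then
        gw=$(ip_to_int "$2") || gw=-1
        { [ "$gw" -ge 0 ] && [ $(( gw & mask )) -eq $(( ip & mask )) ]; } ||
            { echo "gateway $2 is outside the interface subnet"; rc=1; }
    fi
    return $rc
}

# Constructed sample: the address values shown in this post; $2 overrides BROADCAST.
write_sample_ifcfg() {
    printf '%s\n' "DEVICE=eth0" "BOOTPROTO='static'" "IPADDR='10.72.60.53'" \
        "NETMASK='255.255.255.192'" "BROADCAST='${2:-10.72.60.63}'" > "$1"
}
```

With the values shown in this post, 10.72.60.53 with mask 255.255.255.192 sits in 10.72.60.0/26, so the expected broadcast is 10.72.60.63 and a valid gateway must fall between 10.72.60.1 and 10.72.60.62.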

Symptoms:

VCSA was powered on.

ping was not responsive

Verified IP address

cat /etc/sysconfig/networking/devices/ifcfg-eth0 showed

cat /etc/sysconfig/networking/devices/ifcfg-eth0
DEVICE=eth0
BOOTPROTO='static'
STARTMODE='auto'
TYPE=Ethernet
USERCONTROL='no'
IPADDR='10.72.60.53'
NETMASK='255.255.255.192'
BROADCAST='10.72.60.63'