How to: Upgrading DellEMC PowerProtect

In this blog post, I will show how easy it is to upgrade a PowerProtect Virtual Instance running within VMware. If you have ever administered Avamar before, you know just how painful it can be to upgrade.

It consisted of:

    1. Open a SR
    2. Performing a health check
    3. Downloading several RPM files that were GBs in size,
    4. Uploading those files to the node
    5. Running Prechecks (Better Hope you Checkpoint didn’t fail)
    6. Making sure your Data Domain on a code that was compatible with Avamar
    7. Taking a Checkpoint, stopping all backup jobs, Replication jobs, etc

Normally this would take several hours. Then once that was done (if you didn’t have any issues with the file system), you would ensure GSAN and MCS is working. To say the process was easy would be an understatement. The process often took weeks to plan and execute.

Thankfully, upgrading the PowerProtect Data Manager is much easier. I was able to download the patch, upgrade the appliance and resume backups in about an hour.

1

To get started log into the appliance.

2

Select Upgrade.

3

Select Upload Package.

4

Select the previously download package, and select Open.

5

The file will now upload.

6

The upload may take several minutes.

7

Once you get confirmation the package has been uploaded, select OK.

8

You will now see a prompt to upgrade. When you select “Upgrade” the process, which includes VMware taking a snapshot of the server, begin. The snapshot will allow you to roll back if issues are experienced during the upgrade.

9

The final confirmation includes putting the Lockbox Passphrase in (normally the same as Root).

10

Select YES to confirm the upgrade process.

11

The upgrade process now begins. Do not interrupt the process.

12

You will now see the Upgrade status displayed. This process may take several minutes to complete.

13

Continue to monitor and watch the install progress as each RPM is installed.

14

 

15

Once the upgrade has been completed, at 100%, you can refresh the page if it doesn’t redirect you to the PowerProtect main screen. Once that completes, you have been upgraded.

How to: Protecting Workloads with PowerProtect

In a previous blog post, I stated how to deploy DellEMC PowerProtect. However, once PowerProtect is deployed you must add a workload in order to start protecting data. In this blog post, I will show you the steps required in order to protect VM workloads within VMware.

Continue reading “How to: Protecting Workloads with PowerProtect”

How to: Deploying DellEMC PowerProtect

PowerProtect is a Software defined data management software from DellEMC. It comes in two different variants, a hardware appliance with storage and a Virtual edition. The Virtual Edition must be pointed to a Data Domain. This software has been written from the ground up, and mainly competes against Rubrik and Cohesity. PowerProtect uses protection policies to protect assets. This software has been written from the ground up, and appears to have address a lot of the shortcomings that newer backup vendors poke DellEMC for. Personally (my open unofficial opinion), I believe this solution will eventually replace traditional Avamar/Data Domain/IDPA.

Continue reading “How to: Deploying DellEMC PowerProtect”

How to: Enabling vSphere/vSAN Encryption

How to: Enabling vSphere/vSAN Encryption

Previously, I wrote a blog post on how to configure vSAN/vSphere encryption. This was just the first step of a two step process. The first step, as previously stated, was how to deploy and configure the KMS Keystore. Without the KMS Keystore, encryption can’t occur. However once that is deployed, enabling vSphere/vSAN encryption is as simple as toggling a switch! Check out this post before proceeding.

Within this blog post I will go over both methods, which include:

1) Per VM Encryption in vSphere
2) vSAN Encryption

Part 1: Enable and Configure per VM encryption within vSphere

To get started log into vSphere so that a new encryption policy can be created. It’s always best to create a new one to not only show how to, but also leave the defaults as defaults.

Capture2

Select Menu, then Policies and Profiles.

Capture1

Select VM Storage Policies. 

Capture3

Create new VM Storage Policies.

Capture4

Name the policy.

Capture5

Ensure Enable host based rules is selected.

Capture6

Select Use Storage Policy components “Default Encryption properties” is selected.

Capture7

You should see all available Datastores.

Capture8

Select finish. You have successfully created a VM Encryption policy. Alternatively, you can use the default “VM Encryption Policy”. 

Now that you have created a Policy, you can not select a VM to encrypt.

Capture

Select a VM and go to edit, the VM Options.

Capture2

Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier.

Capture3

Select the individual Disk to encrypt, you can select one or both for more granular Disk Encryption options. Only the selected Disk will be encrypted.

Capture4

Once you hit “OK” the Reconfiguration of the VM will begin. This will take some time.

CaptureFinal

Once completed, you should see a lock showing you that the VM is now encrypted!

Part 2: Enable and Configure vSAN encryption 

To get started, log into vSphere, then go to your vSAN DataCenter and vSAN Cluster.

Capture

Go to configure, then go to vSAN and select Services. Note the Encryption is set to disabled. Select Edit.

Capture2PNG

Toggle Encryption to ON.

Capture3

Select KMS Cluster, which was previously deployed. Select Apply.

Capture1

The cluster will now reconfigure to enable Encryption.

Capture2

Several Disk and Disk Groups will be reconfigured.

Capture3

You may see Disks added or removed from the cluster.

Capture4

Additionally, you may see some Entity Scanned, etc.

Capture5

Wait until all tasks have completed.

Capture2

Select a VM and go to edit, the VM Options. Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier. Select the individual Disk to encrypt, you can select one or both for more granular Disk Encryption options. Only the selected Disk will be encrypted. Once you hit “OK” the Reconfiguration of the VM will begin. This will take some time, and once completed you should see a lock indicating you VM is now encrypted!

Note: You can create additional policies or use defaults. vSphere should come with a default VM Encryption Policy and a vSAN policy. You can edit and select different ones, the process is the same. Best practice is to create new policies with you exact requirements.

How to: Configuring vSphere/vSAN Encryption

How to: Configuring vSphere/vSAN Encryption

Encryption: One word that means a lot of different things. Often times it is not understood.  Within the last few years, encryption has become not only more prevalent, but required in some instances.  There are several different types of encryption: At rest, in flight, etc.

According to Wikipedia,
“Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.”

The need for encryption has been needed now more than ever. Most companies now suggest enabling encryption as a best practice. Additionally, most auditors now like to see companies use encryption when possible for compliance reasons. With that said, there are several different avenues and vehicles that can meet those requirements, which includes, but are not limited to: At rest encryption within a storage array with or without Self Encrypting Drives,  in flight encryption from applications, and hardware based encryption, etc. One way of offering encryption is with a technology called KMS. KMS Stands for “Key Management Service”. KMS doesn’t itself do the heavy lifting of encryption, rather it controls the keys, which are used to do the actual encryption. Without these keys, data is locked and with them, data can become unlocked.

vSphere/vSAN offers encryption, starting in 6.5. It allows for the encrypting of data (VMDK) to protect from unauthorized access. One of the great things about vSphere/vSAN encryption is that you only need 6.5 (Enterprise Plus), and a KMS Keystore. This is a great solution for those who have an encryption requirement, but don’t have the underlying storage to facilitate encryption (important note: KMS also works with some storage arrays, but mileage varies). One of the best features of vSphere/vSAN encryption is the ability to do encryption polices within vSphere for all or select VMs within vSphere using VM Storage Policies.

This would be very beneficial for a number of ways, for example, it would prevent a user from downloading a VM and importing it into another environment to access.

Townsend Security has an NFR program for vExperts. Since I am a vExpert, I thought I would give them a try. The setup was very easy. They also assisted me with a few issues. They should be worth a look for customers needing KMS encryption. You do not have to be a vExpert to try this product! Without NFR, you still get a 30 day trial.

There are several different types of supported KMS Key Stores that VMware supports, but ensure it is using the KMIP Standard and supported on VMWare’s compatibility list. To get started, download the VMware OVA from Townsend.

Continue reading “How to: Configuring vSphere/vSAN Encryption”

How to: Installing VMware Skyline

What’s Skyline?

I’ve had a few people ask me about VMware Skyline, so I thought it would be a good bit to blog on. So, with that said, what is VMware Skyline? Accordingly to VMware Skyline Documentation, VMware Skyline is a proactive support service that provides recommendations for not only vSphere, but NSX, vSAN, vRealize Operations and Horizon.

“VMware Skyline™ is a proactive support service aligned with VMware Global Support Services. VMware Skyline automatically and securely collects, aggregates, and analyzes product usage data which proactively identifies potential problems and helps VMware Technical Support Engineers improve the resolution time.

This enables richer, more informed interactions between customers and VMware without extensive time investments by Technical Support Engineers. These capabilities transform support operations from reactive, break/fix to a proactive, predictive, and prescriptive experience that produces an even greater return on your VMware support investment.”

Features: One of the best features of Skyline is “Skyline Log Assist”.

This feature allows for support log bundles to be automatically uploaded to VMware Support. Example: Say you are having an issue with your production environment. First, you would open a case with VMware. Second, (if determined), VMware support engineers will request that you upload a support bundle.

Once you approve of the request, VMware support engineers can automatically obtain access to the logs without your intervention. This is a huge step with productivity, since any VMware Administrator can tell you just how time consuming it is to upload files!

I would recommend VMware Skyline to anyone who is running a VMware environment. The challenges of managing a large environment is time consuming, and VMware administrators are having to do more with less time. The more you can automate, the more time one can free up for more pressing issues.

Requirements: VMware Skyline is free download, but it does require a valid production support contract.

The first step to deploying VMware Skyline is to login to your my VMware account and download it. During this time, the latest version is 2.3.02.

1

Accept the End User Agreement

2

The download takes little to no time with the total download time around 500MB.

4

Once downloaded, the Skyline Appliance can be deployed as an OVF.

5

Name the VM and place it within your cluster.

6

Once compatibility checks succeed, click next.

7

Review Deployment Details and click next.

8

Accept all license agreements, and click next.

9

Select an appropriate Datastore to deploy the VM to.

10

Next, select your appropriate networks and enter the correct IP information.

11

Enter a root password to be used to manage the appliance.

12

Confirm all Networking Properties are correct.

13

Once everything looks good, select Finish.

14

The Skyline Appliance will now deploy.

15

Once deployed, the Provisioning Agents will start.

16

Once you have successfully deployed you have access to the console screen, which gives you directions on how to access and manage the appliance. Make sure to put port 5480 at the end of your address <ip>:5480 to access the appliance interface through a browser.

17

Once you have successfully deployed, you can login. The default login and password for the Skyline collector is as follows.

Default login: admin
Default Password: default

19

Finally, once you have successfully logged in for the first time, you need to reset the password. Ensure the character requirements are met and reset the password. Deploying VMware Skyline is just that simple! I will write a followup blog post describing the steps needed to complete the collection process.

 

VMware HomeLab: SuperMicro E300-8D

Well the day is finally here, the day that I can share that I’ve successfully purchased my very own HomeLab! This has been a source of struggle for me, since I’ve always wanted a HomeLab. I entertained and researched various setups, including the Intel NUC. During my search I came across the SuperMicro E300-8D, which supports up to 128GB of RAM. For more information on the E300-8D, check out SuperMicro’s Website.   It was the perfect price point and it allowed me to get the most out of my investment. It fit what I was looking for, which was a small footprint server that didn’t require much power. Additionally I wanted something quiet. While some have complained about the noise, I don’t believe it’s an issue with the stock fans, so long that it isn’t located within a sleeping area. The Server is setup in my Home Office.  I also wanted to ensure I had plenty of memory so that I wouldn’t have any issues when provisioning a nested ESXi vSAN Lab.

Continue reading “VMware HomeLab: SuperMicro E300-8D”