VMware vSphere 4.0 Update 2 is released

This evening VMware released Update 2 for ESX/ESXi 4, vCenter Management Server 4, vCenter Update Manager 4 and VMware Data Recovery.
A quick scan of the ESX 4 Update 2 release notes shows expanded support for FT on Intel i3/i5 Clarkdale, Xeon 34xx Clarkdale and Xeon 56xxx processors, support for IOMMU on AMD Opteron 61xx and 41xx processors, guest OS support for Ubuntu 10.04, and improvements to esxtop and resxtop to include NFS performance statistics: Reads/s, Writes/s, MBRead/s, MBWrtn/s, cmd/s and gavg/s latency.

Included in the resolved issues is a change in the way the Snapshot Manager “Delete All” operation works. In previous versions, the snapshot farthest away from the base disk was committed to its immediate parent, then that parent was committed to its parent, and so on until the last remaining snapshot was committed to the base. The release notes report that this operation will now start with the snapshot closest to the base disk and work toward the farthest. This should reduce the amount of disk space required during the “delete all/commit” operation and reduce the amount of data that is repeatedly committed. I think this is a great change. I have seen customers run out of space in datastores when they failed to keep track of active snapshots and didn’t understand the “delete all/commit” process.
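The effect of the two commit orders on datastore headroom can be seen in a small model. This is an added example, not VMware code: it treats each snapshot delta as a set of changed block numbers, and it assumes that a delta file is removed as soon as it has been committed and that the base disk is preallocated, so it never grows.

```python
# Added illustration: snapshot deltas are modelled as sets of changed blocks.
# Assumptions (not from the release notes): a delta file is removed as soon as
# it has been committed, and the base disk is preallocated so it never grows.

def delete_all_old(deltas):
    """Pre-Update 2 order: farthest snapshot first, each into its parent."""
    chain = [set(d) for d in deltas]          # chain[0] is closest to the base
    start = sum(len(d) for d in chain)
    peak, written = start, 0
    while len(chain) > 1:
        child = chain.pop()
        parent = chain[-1]
        written += len(child)                 # every child block is copied
        parent |= child                       # parent grows by the new blocks
        # the child still occupies space until its commit has finished
        peak = max(peak, sum(len(d) for d in chain) + len(child))
    written += len(chain[0])                  # final commit into the base
    return {"peak_extra": peak - start, "blocks_written": written}


def delete_all_new(deltas):
    """Update 2 order: closest snapshot first, each straight into the base."""
    chain = [set(d) for d in deltas]
    start = sum(len(d) for d in chain)
    peak, written = start, 0
    while chain:
        nearest = chain.pop(0)
        written += len(nearest)               # copied once, into the base
        peak = max(peak, sum(len(d) for d in chain) + len(nearest))
    return {"peak_extra": peak - start, "blocks_written": written}


# Constructed sample: three snapshots, 1000 changed blocks each, no overlap.
SAMPLE = [range(0, 1000), range(1000, 2000), range(2000, 3000)]

if __name__ == "__main__":
    print("old order:", delete_all_old(SAMPLE))
    print("new order:", delete_all_new(SAMPLE))
```

In this model the old order needs extra free space in the datastore and rewrites the outermost snapshot's blocks once per level of the chain, while the new order writes each block once and needs no additional space.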

The vCenter Management Server 4 Update 2 release notes list support for guest customization of:

◦ Windows XP Professional SP2 (x64) serviced by Windows Server 2003 SP2
◦ SLES 11 (x32 and x64)
◦ SLES 10 SP3 (x32 and x64)
◦ RHEL 5.5 Server Platform (x32 and x64)
◦ RHEL 5.4 Server Platform (x32 and x64)
◦ RHEL 4.8 Server Platform (x32 and x64)
◦ Debian 5.0 (x32 and x64)
◦ Debian 5.0 R1 (x32 and x64)
◦ Debian 5.0 R2 (x32 and x64)

Among the resolved items, there is an updated JRE (1.5.0_22) and a number of fixes related to Host Profiles, support for vSwitch portgroup names longer than 50 characters, advanced settings to allow the use of vDS connections as additional HA heartbeat networks, and the addition of a parameter in vpxd.cfg to set a greater timeout value for VMotion operations involving VMs with swap files on local datastores, among many others. The known issues section states that while USB controllers can be added to VMs, attaching USB devices is not supported, and that vSphere Web Access is experimentally supported.

The vCenter Update Manager 4 Update 2 release notes list improvement of operations in low bandwidth, high latency and slow networks, including a reference to KB 1017253 detailing the configuration of extended timeout values for ESX, vCenter and Update Manager Update 2.
The compatibility matrix shows that Update Manager 4 Update 2 is only compatible with vCenter Management Server 4 Update 2.

VMware Data Recovery Update 2 includes the following new items:

The following enhancements have been made for this release of Data Recovery.

• File Level Restore (FLR) is now available for use with Linux.
• Each vCenter Server instance supports up to ten Data Recovery backup appliances.
• The vSphere Client plug-in supports fast switching among Data Recovery backup appliances.
• Miscellaneous vSphere Client Plug-In user interface enhancements including:
  ◦ The means to name backup jobs during their creation.
  ◦ Additional information about the current status of destination disks including the disk’s health and the degree of space savings provided by the deduplication store’s optimizations.
  ◦ Information about the datastore from which virtual disks are backed up.

The support for up to 10 Data Recovery appliances per vCenter will allow up to 1000 jobs (100 per appliance x 10), which is a significant increase in backup capacity.

The build numbers for the various items are:

ESX 4.0 Update 2 Build 261974
ESXi 4.0 Update 2 Installable Build 261974
ESXi 4.0 Update 2 Embedded Build 261974
VMware Tools Build 261974
vCenter Server 4.0 Update 2 Build 258672
vCenter Update Manager 4.0 Update 2 Build 264019

vSphere 4 Update 2 components can be downloaded here.

VMware Partner Exchange 2010

I just booked my flight to Las Vegas for VMware’s Partner Exchange. I will be attending the partner “Post-Sales Accreditation Bootcamp” on the weekend and staying for a couple of VMware View 4 design sessions on Tuesday. I have a cousin who lives in Las Vegas and Friday is his birthday. If I can locate him I will look him up! Thanks to my boss for picking up the tab! I will make sure he and the rest of our company get a great return on the investment!

vCenter 2.5 Update 5 released

VMware released vCenter 2.5 Update 5. The release notes state:

VirtualCenter 2.5 Update 5 includes significant performance and scalability improvements to VMware HA. Use VirtualCenter 2.5 Update 5 for environments with more than 35 virtual machines per host in an HA cluster.
For information on the ESX Server host settings required for this scalability improvement, see ESX Server host settings required for environments with up to 80 virtual machines per host in an HA Cluster (KB 1012002).

KB 1012002 states that with vCenter 2.5 Update 5 an ESX host in an HA cluster can support up to 80 VMs. The article continues with the specific ESX settings that are needed: “RunningVCpuLimit” needs to be set to 192, the Service Console memory needs to be raised to 512MB, and the Host Agent (hostd) memory settings in /etc/vmware/hostd/config.xml need to be increased. Note that the ESX host will need to be restarted after changing the Service Console memory allocation.

In addition to the HA change, the release adds new HTTP connection timeout settings:

A new advanced setting entry vpxd.httpClientIdleTimeout can be used to configure the timeout value for an idle HTTP connection. The default value for this entry is 15 minutes (900 seconds), ensuring that the VirtualCenter Server closes the idle HTTP connection after the connection has been idle for 15 minutes. If a firewall session timeout value is set to less than 15 minutes, the value for vpxd.httpClientIdleTimeout should be changed to be smaller than the firewall’s timeout value.

No updates to the vCenter Enterprise Converter or Update Manager plug-ins have been made.

New ESX 3.5 patches for June released

VMware released 7 patches for ESX 3.5 including:

VMware ESX 3.5, Patch ESX350-200906401-BG : Updates vmkctl and vmkernel RPMs

Issues fixed in this patch (and their relevant symptoms, if applicable) include:

  • When you power on virtual machines on ESX 3.5 hosts, many inactive VMFS volumes are opened in addition to the VMFS volume containing the virtual machine disk files. This might cause the virtual machines to take more time to boot. In a cluster environment, this issue might also cause VMotion operations to timeout on the destination host. This fix ensures that only the VMFS volumes on which the virtual machines reside are opened.
  • While performing a host rescan on ESXi, the host and virtual machines might stop responding till the end of the rescan operation. During this time, connections to virtual machines are lost, including SSH, client connections, and communication to other clustered storage modules. The virtual machines start responding after the rescan operation is completed.
  • Excessive cold migration of virtual machines between ESX hosts might cause ESX hosts to be disconnected from vCenter Server due to a memory leak on the host agent (hostd).
  • Critical update. Host reboot required.

    VMware ESX 3.5, Patch ESX350-200906402-BG: Updates NetXen Driver

    This patch fixes a NetXen driver issue where the ESX 3.5 host or a virtual machine might lose network connectivity or become unstable when using a NetXen NX2031 device.

    Critical Update. Host reboot required.

    VMware ESX 3.5, Patch ESX350-200906403-BG: Updates Kernel Source and kernel-vmnix RPMs

    This patch upgrades kernel-source and kernel-vmnix to support the bnx2x and NetXen software driver updates, which fix the following issues:

  • When virtual machines are run with older versions of VMware Tools (ESX 3.0.x) on ESX 3.5 and ESXi 3.5 hosts containing bnx2x NICs, the virtual machines might experience a network outage…
    To work around this issue, upgrade the version of VMware Tools in the virtual machines.
  • A NetXen driver issue where the ESX 3.5 host or a virtual machine might lose network connectivity or become unstable when using a NetXen NX2031 device.
  • General Patch. Host reboot required.

    VMware ESX 3.5, Patch ESX350-200906405-BG: Updates bnx2x Driver for Broadcom

    Issues fixed in this patch (and their relevant symptoms, if applicable) include:

  • On Dell PowerEdge Servers 11G installed with ESX 3.5, BCM57710 Mezzanine cards might lose network connectivity to the network switch.
  • When virtual machines are run with older versions of VMware Tools (ESX 3.0.x) on ESX 3.5 and ESXi 3.5 hosts containing bnx2x NICs, the virtual machines might experience a network outage…

    To work around this issue, upgrade the version of VMware Tools in the virtual machines.

  • Critical Patch. Host reboot required.

    VMware ESX 3.5, Patch ESX350-200906406-BG: Updates VMware Tools

    This patch adds prebuilt modules for Ubuntu 9.04 and fixes the following issue:
    When diskinfo query is run, VMware Tools installed on Solaris 10.x virtual machines reports incorrect virtual disk size information. Also, some Linux virtual machines do not report correct logical volume manager (LVM) partitions.

    General Update. No host reboot is required.

    VMware ESX 3.5, Patch ESX350-200906407-BG: Updates krb5-libs and pam_krb5

    Issues fixed in this patch (and their relevant symptoms, if applicable) include:

  • Service Console package krb5 has been updated to version krb5-1.2.7-70. This fixes an input validation flaw that was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. The Common Vulnerabilities and Exposures Project has assigned the name CVE-2009-0846 to this issue.
  • The pam_krb5 package is upgraded to pam_krb5-1.81-1. This fixes an issue where a user authentication failure occurs under certain circumstances.
    For details on this issue, refer to the Red Hat advisory at https://rhn.redhat.com/errata/RHBA-2008-0813.html.
  • Security Update. Host Reboot is required.

    VMware ESX 3.5, Patch ESX350-200906408-BG: Updates VMX RPM

    This patch fixes an issue where virtual machines that use the Virtual Machine Interface (VMI) might stop responding.

    Critical Update. No host reboot is required.

    Patches are available on the downloads page.
    One of the places where VMware lists updates is the VMware Knowledge Base Blog.

New VMware network technical papers published

    Network Segmentation in Virtualized Environments

    As virtualization becomes the standard infrastructure for server deployments, a growing number of organizations want to consolidate servers that belong to different trust zones. The demand is increasing for information to help network security professionals understand and mitigate the risks associated with this practice. This paper provides detailed descriptions of three different virtualized trust zone configurations and identifies best practice approaches that enable secure deployment.

    DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch

    This paper tackles the subject of DMZ security and virtualization. It covers a number of DMZ security requirements and scenarios, presenting how vSphere users can implement the Cisco Nexus 1000V virtual switch in a DMZ.

VMware Security Advisory 2009-0008

    VMware has released security advisory VMSA-2009-0008. The advisory is for a vulnerability in an MIT Kerberos 5 package in the service console. The advisory explains:

    An input validation flaw in the asn1_decode_generaltime function in MIT Kerberos 5 before 1.6.4 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service.
    NOTE: ESX by default is unaffected by this issue, the daemons kadmind and krb5kdc are not installed in ESX.

    The advisory goes on to state that all currently supported versions of ESX (not ESXi) are affected.
    For ESX 3.5, the patch is: ESX 3.5.0 ESX350-200906407-SG
    md5sum: 6b8079430b0958abbf77e944a677ac6b
    KB Article: VMware ESX 3.5, Patch ESX350-200906407-BG: Updates krb5-libs and pam_krb5

    For ESX 2.5.5, 3.0.2, 3.0.3 and 4.0 patches are pending.

    You can subscribe to VMware Security announcements here: http://lists.vmware.com/mailman/listinfo/security-announce

New patches released for ESX

    VMware released 6 patches for ESX 3.5 including:

    VMware ESX 3.5, Patch ESX350-200905401-BG: Updates vmkernel and hostd RPMs. Critical updates related to HA failover of VMs on NFS datastores and invalid license issues. Host reboot required.
    VMware ESX 3.5, Patch ESX350-200905402-BG: Updates VMX RPM. General update to address a robustness issue with VMX. No host reboot required.
    VMware ESX 3.5, Patch ESX350-200905403-BG: Updates aacraid driver for Adaptec. Replaces the Adaptec aacraid_esx30 driver to mitigate potential failure under heavy load on some IBM, SUN or Fujitsu hosts. Host reboot required.
    VMware ESX 3.5, Patch ESX350-200905404-BG: Update to tzdata package. Updates time zone information for changes in Brazil and Argentina. No host reboot required.
    VMware ESX 3.5, Patch ESX350-200905405-BG: Updates Kernel Source and VMNIX. This patch updates kernel-source and kernel-vmnix to support the aacraid software driver update. Host reboot is required.

    One of the places where VMware lists updates is the VMware Knowledge Base Blog.

VMware Security Advisory 2009-0007

    VMware released security advisory VMSA-2009-0007. The security advisory is related to the “Descheduled time accounting service”, an optional, experimentally supported component of VMware Tools. The denial of service vulnerability only exists on Windows-based VMs with the descheduled time accounting service installed, but not running. The advisory lists the conditions and required steps to remediate these VMs and the various VMware platforms that they may be running on.
    For ESX 3.5, the patch ESX350-200904401-BG released last month is required.
    For ESX 3.0.3, patch ESX303-200905401-SG released this week is required.

    You can subscribe to VMware Security announcements here: http://lists.vmware.com/mailman/listinfo/security-announce

New Security Patches for ESX

    VMware updated Security Advisory VMSA-2009-0004.1 and released 4 new patches:

    VMware ESX 3.5, Patch ESX350-200904402-SG: Updates ESX Scripts  <- This one also corrects the need to rescan storage twice with QLogic HBAs!
    VMware ESX 3.5, Patch ESX350-200904406-SG: Updates vim-common, vim-minimal RPMs
    VMware ESX 3.5, Patch ESX350-200904407-SG: Security Update to BIND
    VMware ESX 3.5, Patch ESX350-200904408-SG: Security Update to the openssl Package

    The KB articles referenced above state that none of these updates require VM or host shutdown. The updated advisory includes references to ESX 3.0.3, 3.0.2 and 2.5, but no new patches have been released for these versions since April 10, 2009.

    You can subscribe to VMware Security announcements here: http://lists.vmware.com/mailman/listinfo/security-announce