VCF 35 Administering PDF
VMware Cloud Foundation 3.5
VMware Cloud Foundation Operations and Administration Guide
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
[email protected]
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2015, 2016, 2017, 2018 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
5 License Management
  Add License Keys for the Software in Your Cloud Foundation System
  Edit License Description
  Enable vRealize Log Insight Logging for Workload Domains
  Delete License Key
6 Composability
  Configure Translation Layer
  Compose a Server
  View Composability Information
  Decompose a Server
11 Stretching Clusters
  About Availability Zones and Regions
  Prerequisites for Stretching a Cluster
  Stretch a Cluster
  Expand a Stretched Cluster
  Replace a Failed Host in a Stretched Cluster
About the VMware Cloud Foundation Operations and Administration Guide
The VMware Cloud Foundation Operations and Administration Guide provides information about
managing a VMware Cloud Foundation™ system, including managing the system's virtual infrastructure,
managing users, configuring and deploying service offerings, and upgrading and monitoring the system.
Intended Audience
The VMware Cloud Foundation Operations and Administration Guide is intended for cloud architects,
infrastructure administrators, and cloud administrators who are familiar with and want to use VMware
software to quickly deploy and manage an SDDC. The information in this document is written for
experienced data center system administrators who are familiar with:
- Concepts of virtualization, software-defined data centers, virtual infrastructure (VI), and virtual
  desktop infrastructure (VDI)
- IP networks
Additionally, you should be familiar with these VMware software products, software components, and their
features:
- VMware vSphere®
- VMware vCenter Server® and VMware vCenter Server® Appliance™
Related Publications
The VMware Cloud Foundation Planning and Preparation Guide provides detailed information about the
software, tools, and external services that are required for Cloud Foundation.
The VMware Cloud Foundation Architecture and Deployment Guide contains detailed information about a
Cloud Foundation system, its components, and the network topology of a deployed system.
Chapter 1 Administering Cloud Foundation Systems
As an SDDC administrator, you use the information in the VMware Cloud Foundation Operations and
Administration document to understand how to administer and operate your installed Cloud Foundation
system.
- Configure and provision the systems and the workload domains that are used to provide service
  offerings.
- Troubleshoot issues and prevent problems across the physical and virtual infrastructure.
See the VMware Cloud Foundation Overview and Deployment document for an introduction to the
overview and architecture of a Cloud Foundation system, and detailed descriptions of the software that is
deployed in the environment.
Note For information about which specific editions of each VMware product are licensed for use with the
Cloud Foundation license, use the information resources at the Cloud Foundation product information
page at http://www.vmware.com/products/cloud-foundation.html.
For the exact version numbers of the VMware products that you might see in your Cloud Foundation
system after the initial bring-up process, see the Release Notes document for your Cloud Foundation
version. If the system has been updated after the initial bring-up process using the Life Cycle
Management features, see View Upgrade History for details on how to view the versions of the VMware
software components that are within your system.
Caution Do not manually change any of the settings that SDDC Manager sets automatically. If you
change the generated settings, like names of VMs, unpredictable results might occur. Do not change
settings for the resources that are automatically created and deployed during workflows, the workload
domain processes, assigned IP addresses or names, and so on.
You can find the documentation for the following VMware software products and components at
docs.vmware.com:
- vSAN
- vRealize Operations
- vRealize Automation
In addition to using the SDDC Manager Dashboard, you can use the following user interfaces for
administration tasks involving their associated VMware software components that are part of a VMware
SDDC. All these interfaces run in a browser, and you can launch them from within the SDDC Manager
Dashboard.
Launch links are typically identified in the user interface by the launch icon.
vSphere Web interface
Description: This interface provides direct management of resources managed by the vCenter Server
instances, for identity management, and for management of the NSX resources that provide the
software-defined networking capabilities of the SDDC. You can also manage object level storage
policies for distributed software-defined storage provided by vSAN.
To launch:
1 On the SDDC Manager Dashboard, click Inventory > Workload Domains.
2 In the Name column, click a workload domain name.
3 Click the Services tab.
4 Click the appropriate launch link.

vRealize Log Insight Web interface
Description: When the vRealize Log Insight instance is licensed for use in the system, this interface
provides direct access to the logs and event data collected and aggregated in vRealize Log Insight
for troubleshooting, trend analysis, and reporting.
To launch:
1 On the SDDC Manager Dashboard, click Inventory > Workload Domains.
2 In the Name column, click a workload domain name.
3 Click the Services tab.
4 Click the appropriate launch link.
Chapter 2 Getting Started with SDDC Manager
You use SDDC Manager to perform administration tasks on your Cloud Foundation system. This user
interface provides an integrated view of the physical and virtual infrastructure and centralized access to
manage the physical and logical resources.
You work with the SDDC Manager Dashboard by loading it in a web browser. For the list of supported
browsers and versions, see the Release Notes.
Note When performing out-of-band (OOB) troubleshooting of hardware, some vendors may use Java-based
consoles. Refer to the vendor documentation for supported browsers.
Prerequisites
To log in, you need the SDDC Manager IP address or FQDN and the password for the vcf user. You
added this information to the deployment parameter worksheet before bring-up.
Procedure
You are logged in to SDDC Manager and the Dashboard page appears in the browser.
You use the Navigation bar to move between the main areas of the user interface.
Navigation Bar
On the left side of the interface is the Navigation bar. The Navigation bar provides a hierarchy for
navigating to the corresponding pages.
Procedure
1 In the SDDC Manager Dashboard, open the logged-in account menu by clicking the down arrow next
to the account name in the upper right corner.
Chapter 3 Managing Users and Groups
You can allow the users and groups in your Microsoft Active Directory (AD) domain to use their
credentials to log in to the SDDC Manager Dashboard as well as the vCenter Server instances that are
deployed in your Cloud Foundation system.
You provided a password for the superuser account (user name vcf) in the deployment parameter
sheet before bring-up. After Cloud Foundation is deployed, you can log in with the superuser credentials
and then add vCenter Server or AD users or groups to Cloud Foundation. Authentication to the SDDC
Manager Dashboard uses the VMware vCenter® Single Sign-On authentication service that is installed
with the Platform Services Controller feature during the bring-up process for your Cloud Foundation
system.
Procedure
4 Select one or more users or groups by clicking the check box next to the user or group.
You can either search for a user or group by name, or filter by user type or domain.
Procedure
The Role Details page displays the privileges for the Cloud Admin role.
Procedure
2 Hover your mouse in the user or group row that you want to remove.
Chapter 4 Managing Certificates for Cloud Foundation Components
You can manage certificates for all external-facing Cloud Foundation component resources, including
configuring a certificate authority, generating and downloading CSRs, and installing them. This section
provides instructions for using both Microsoft and non-Microsoft certificate authorities.
- vCenter Server
- NSX Manager
- SDDC Manager
- vRealize Automation
- vRealize Operations
Note You cannot manage certificates for NSX-T in the SDDC Manager for version 3.5. Version 3.5.1
supports certificate management for NSX-T.
However, it is recommended that you replace all certificates right after deploying Cloud Foundation. After
you create new workload domains, you can replace certificates for the appropriate components as
needed.
Procedure
The Workload Domains page displays information for all workload domains.
2 In the list of domains, click the name of the workload domain to open the details page for that domain.
The workload domain details page displays CPU, memory, and storage allocated to the domain.
This tab lists the certificates for each Cloud Foundation resource component, including the following
details:
- Current certificate status: Active, Expiring (will expire within 15 days), or Expired.
4 To view certificate details, expand the resource in the Resource Type column.
The expanded field displays certificate details including signature algorithm, public key, public key
algorithm, certificate string, and more.
Prerequisites
- Verify that you have created a Microsoft Active Directory certificate service (.certsrv) template in an
  IIS container on a CA address server.
- Verify that the certificate service template is properly configured for basic authentication.
To create the certificate service template with the proper authentication configuration, see Prepare the
Certificate Service Template.
Procedure
1 Navigate to Administration > Security > Certificate Management to open the Configure Certificate
Authority page.
Option: Description
Certificate Authority: Select the CA from the dropdown menu. The default is Microsoft.
CA Server URL: Specify the URL for the CA address server. This address must begin with https:// and
end with certsrv, for example https://www.mymicrosoftca.com/certsrv
Template Name: Enter the certsrv template name. You must create this template in Microsoft
Certificate Authority.
3 Click Save.
A dialog appears, asking you to review and confirm the CA server certificate details.
Procedure
1 Create a Microsoft Active Directory CA with the following features and settings.
b Under Active Directory Certificate Services, select Certification Authority and Certification
Authority Web Enrollment.
c Under Web Server (IIS) > Web Server > Security, select Basic Authentication.
2 Configure and issue a VMware Certificate Template for Machine SSL and Solution User
certificates on this CA server.
For step-by-step procedures, see Knowledge Base article 2112009, Creating a Microsoft
Certificate Authority Template for SSL certificate creation in vSphere 6.x.
a Access the IIS manager and navigate to Server > Sites > Default Web Site > CertSrv.
What to do next
Use this template when configuring the certificate authority in Configure Certificate Authority.
Prerequisites
- Verify that you have configured the Certificate Authority, as described in Configure Certificate
  Authority.
Procedure
The Workload Domains page displays information for all workload domains.
2 In the list of domains, click the name of the workload domain to open the details page for that domain.
The workload domain details page displays CPU, memory, and storage allocated to the domain.
This tab lists the default certificates, among other details, for the Cloud Foundation resource
components. It also provides controls for working with certificates.
Note You can view the current certificate and key information for a component by clicking the
down-arrow icon next to the name.
a Use the check boxes to select the resource components for which you want to generate the CSR.
Option: Description
Algorithm: Select the key type for the certificate. RSA (the default) is typically used. The key type
defines the encryption algorithm for communication between the hosts.
Key Size: Select the key size (2048, 3072 or 4096 bit) from the dropdown list.
Organizational Unit: Use this field to differentiate between divisions within your organization with
which this certificate is associated.
Organization: Type the name under which your company is legally registered. The listed organization
must be the legal registrant of the domain name in the certificate request.
Locality: Type the city or locality where your company is legally registered.
State or Province Name: Type the full name (do not abbreviate) of the state, province, region, or
territory where your company is legally registered.
Country: Type the country name where your company is legally registered. This value must use the
ISO 3166 country code.
The Generate CSRs dialog box closes. The Security tab displays a status of CSR Generation is
in progress. When the CSR generation completes, the Generate Signed Certificates button
becomes active.
The Generate Signed Certificates dialog box appears, listing the selected components.
c For the Select Certificate Authority, select the desired authority, and click Generate Certificate.
The Generate Signed Certificates dialog box closes. The Security tab displays a status of
Certificates Generation is in progress. When the certificate generation completes, the
Install Certificates button becomes active.
Note As installation completes, the Certificates Installation Status column for each selected
resource component in the list changes to Successful with a green check mark.
Important If you selected SDDC Manager as one of the resource components, you must manually
restart SDDC Manager services to reflect the new certificate and to establish a successful connection
between Cloud Foundation services and other resources in the management domain.
Important If you selected vRealize Automation as one of the resource components, you must
ensure that the vRealize Automation resource root certificate is trusted by all the vRealize Automation
VMs in your deployment.
a Using SSH, log in to the SDDC Manager VM with the following credentials:
Username: vcf
sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
What to do next
If you have replaced the certificate for the vRealize Operations Manager resource component, you must
reconfigure the load balancer node. See Configure SSL Passthrough for vRealize Operations Manager.
Prerequisites
Verify that you have configured and packaged your certificate authority configuration files in the form of
a .tar.gz file. The contents of this archive must adhere to the following structure:
- The name of the top-level directory must exactly match the name of the domain as it appears in the
  list on the Inventory > Workload Domains page. For example, MGMT.
- The PEM-encoded root CA certificate chain file (rootca.crt) must reside inside this top-level
  directory.
- This directory must contain one sub-directory for each component resource.
  The name of each sub-directory must exactly match the resource hostname of a corresponding
  component as it appears in the Resource Hostname column in the Workload Domains > Security
  tab.
- Each sub-directory must contain a corresponding .csr file, whose name must exactly match the
  resource as it appears in the Resource Type column in the Workload Domains > Security tab.
- Each sub-directory must contain a corresponding .crt file, whose name must exactly match the
  resource as it appears in the Resource Type column in the Workload Domains > Security tab.
Note All resource and hostname values can be found in the list on the Inventory > Workload Domains
> Security tab.
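The layout rules above can be checked locally before the archive is uploaded. The following Python script is an added example, not VMware code: the function names, hostnames and resource type strings are constructed for illustration, and the real values come from the Security tab. It goes slightly beyond the documented rules by also rejecting archive members that are links or that escape the top-level directory.

```python
import io
import tarfile
from pathlib import PurePosixPath

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def validate_cert_bundle(archive, domain, resources):
    """Check a certificate bundle against the documented layout.

    archive   -- path to the .tar.gz, or a binary file object
    domain    -- workload domain name as listed in Inventory > Workload Domains
    resources -- {resource hostname: resource type}, copied from the Security tab
    Returns a list of problem strings; an empty list means the layout is valid.
    """
    problems = []
    files = {}       # normalised member path -> TarInfo (regular files only)
    subdirs = set()  # directory names found directly under <domain>/

    source = {"fileobj": archive} if hasattr(archive, "read") else {"name": archive}
    with tarfile.open(mode="r:gz", **source) as tar:
        for member in tar.getmembers():
            path = PurePosixPath(member.name)
            parts = path.parts
            if not parts:  # a bare "." entry
                continue
            # Defensive checks that go beyond the documented layout rules.
            if path.is_absolute() or ".." in parts:
                problems.append(f"unsafe member path: {member.name}")
                continue
            if not (member.isfile() or member.isdir()):
                problems.append(f"link or special file: {member.name}")
                continue
            # Exact, case-sensitive match on the top-level directory name.
            if parts[0] != domain:
                problems.append(f"outside {domain}/: {member.name}")
                continue
            if len(parts) >= 3 or (len(parts) == 2 and member.isdir()):
                subdirs.add(parts[1])
            if member.isfile():
                files["/".join(parts)] = member

        root = files.get(f"{domain}/rootca.crt")
        if root is None:
            problems.append(f"missing {domain}/rootca.crt")
        elif PEM_HEADER not in tar.extractfile(root).read():
            problems.append(f"{domain}/rootca.crt is not PEM-encoded")

    # Every listed component needs <hostname>/<resource type>.csr and .crt.
    for hostname, rtype in resources.items():
        for ext in ("csr", "crt"):
            wanted = f"{domain}/{hostname}/{rtype}.{ext}"
            if wanted not in files:
                problems.append(f"missing {wanted}")
    for extra in sorted(subdirs - set(resources)):
        problems.append(f"unexpected sub-directory {domain}/{extra}/")
    return problems


def build_sample(entries):
    """Build an in-memory .tar.gz from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed sample values; real names come from the Security tab.
SAMPLE_RESOURCES = {
    "vcenter-1.example.local": "vcenter",
    "nsx-1.example.local": "nsx_manager",
}
SAMPLE_FILES = {
    "MGMT/rootca.crt": PEM_HEADER + b"\n(constructed placeholder)\n",
    "MGMT/vcenter-1.example.local/vcenter.csr": b"constructed",
    "MGMT/vcenter-1.example.local/vcenter.crt": b"constructed",
    "MGMT/nsx-1.example.local/nsx_manager.csr": b"constructed",
    "MGMT/nsx-1.example.local/nsx_manager.crt": b"constructed",
}

if __name__ == "__main__":
    found = validate_cert_bundle(build_sample(SAMPLE_FILES), "MGMT", SAMPLE_RESOURCES)
    for line in found or ["layout OK"]:
        print(line)
```

To check a real bundle, pass the path of the <domain name>.tar.gz file and a dictionary built from the Resource Hostname and Resource Type columns.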
Procedure
The Workload Domains page displays information for all workload domains.
2 In the list of domains, click the name of the workload domain to open the details page for that domain.
The workload domain details page displays CPU, memory, and storage allocated to the domain.
This tab lists the default certificates, among other details, for the Cloud Foundation resource
components. It also provides controls for working with certificates.
Note You can view the current certificate and key information for a component by clicking the
down-arrow icon next to the name.
a Use the check boxes to select the resource components for which you want to generate the CSR.
Option: Description
Algorithm: Select the key type for the certificate. RSA (the default) is typically used. The key type
defines the encryption algorithm for communication between the hosts.
Key Size: Select the key size (2048, 3072 or 4096 bit) from the dropdown list.
Organization Unit: Use this field to differentiate between divisions within your organization with
which this certificate is associated.
Organization: Type the name under which your company is legally registered. The listed organization
must be the legal registrant of the domain name in the certificate request.
Locality: Type the city or locality where your company is legally registered.
State or Province Name: Type the full name (do not abbreviate) of the state, province, region, or
territory where your company is legally registered.
Country: Type the country name where your company is legally registered. This value must use the
ISO 3166 country code.
The Generate CSRs dialog box closes. The Security tab displays a status of CSR Generation is
in progress. When CSR generation is complete, the Download CSR button becomes active.
5 Click Download CSR to download and save the CSR files to the directory structure described in the
Prerequisites section above.
a Verify that the different .csr files have successfully generated and are allocated in the required
file structure.
c Verify that the newly acquired .crt files are correctly named and allocated in the required file
structure.
8 In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created
<domain name>.tar.gz file.
After you select the file, the Upload button becomes active.
9 Click Upload.
Note As installation completes, the Certificates Installation Status column for the affected
components in the list changes to Successful with a green check mark.
Important If you selected SDDC Manager as one of the resource components, you must manually
restart SDDC Manager services to reflect the new certificate and to establish a successful connection
between Cloud Foundation services and other resources in the management domain.
Important If you selected vRealize Automation as one of the resource components, you must
ensure that the vRealize Automation resource root certificate is trusted by all the vRealize Automation
VMs in your deployment.
a Using SSH, log in to the SDDC Manager VM with the following credentials:
Username: vcf
sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
What to do next
If you have replaced the certificate for the vRealize Operations Manager resource component, you must
reconfigure the load balancer node. See Configure SSL Passthrough for vRealize Operations Manager.
Procedure
1 Using SSH, log in to the SDDC Manager VM with the following credentials:
Username: vcf
cd /opt/vmware/vcf/operationsmanager/scripts/cli
sddcmanager-ssl-util.sh -list
5 Using the name of the certificate, delete the old or unused certificate.
6 (Optional) Clean out root certificates in VMware Endpoint Certificate Store from the Platform Services
Controller node.
See Explore Certificate Stores from the vSphere Client in the vSphere product documentation.
Chapter 5 License Management
In the deployment parameter sheet you completed before bring-up, you entered license keys for the
following components:
- VMware vSphere
- VMware vSAN
- vCenter
After bring-up, these license keys appear in the Licensing screen of the SDDC Manager Dashboard.
You must have adequate license units available before you create a VI workload domain, add a host to a
cluster, or add a cluster to a workload domain. Add license keys as appropriate before you begin any of
these tasks.
- Add License Keys for the Software in Your Cloud Foundation System
Procedure
3 Select the product key for which you are entering a license key.
If you have multiple license keys for a product, the description can help in identifying the license. For
example, you may want to use one license for high performance workload domains and the other
license for regular workload domains.
6 Click Add.
Procedure
2 Hover your mouse in the license row that you want to edit.
4 On the Edit License Key Description window, edit the description as appropriate.
5 Click Save.
Once logging is enabled for workload domains, you cannot disable this setting.
Procedure
1 On the SDDC Manager Dashboard, navigate to Administration > vRealize Suite.
4 Log in to vRealize Log Insight with the admin credentials you provided in the deployment parameters
sheet before bring-up.
8 Verify that the license you added is displayed in the license table and the status is active.
9 On the SDDC Manager Dashboard, click Enable in the Enable Logging for all Workload Domains
window.
Cloud Foundation connects the vSphere and NSX components for all existing workload domains to
vRealize Log Insight. Workload domains created after enabling logging are automatically connected to
vRealize Log Insight.
Procedure
2 Hover your mouse in the license row that you want to edit.
Chapter 6 Composability
With composability, you can dynamically configure servers to meet the needs of your workloads without
physically moving any hardware components. You bind disaggregated hardware components (compute,
network, storage, and offload components) together to create a logical system based on the needs of
your applications. These logical systems function like traditional rack mount systems.
The Cloud Foundation composability feature uses the Redfish translation layer to connect to the
composable hardware infrastructure. The Redfish translation layer supports the data models used to get
composable resources and zone restrictions from the hardware infrastructure. It is designed to be
extensible and vendor agnostic.
Note You must obtain and install the Redfish appliance from the composable hardware vendor.
- Compose a Server
- Decompose a Server
Procedure
3 Enter the user name and password for the Redfish translation layer.
4 Click Connect.
Compose a Server
You can compose one or more servers by selecting the compute, network, and storage resources.
Prerequisites
- The composed server must meet the minimum hardware requirements. See the VMware Cloud
  Foundation Planning and Preparation Guide.
Procedure
2 From the Available Resources table, select the zone where you want to compose a server. A zone
corresponds to a physical boundary.
3 Click Compose.
4 In the Allocate Resources dialog box, select the compute for the server.
The Choose number of servers section displays the number of servers you can compose based on
the selected resources.
8 Click Next.
10 Click Finish.
The compose server task is displayed in the Tasks table at the bottom of the Composable Infrastructure
page. Click the name of the task for more information. When the server is composed, it is added to the
Server Composition Summary table.
What to do next
1 Image the composed servers. See Chapter 7 Installing ESXi Software on Cloud Foundation Servers.
Procedure
The Composable Infrastructure page appears. The Redfish translation layer information is displayed
on the top of the page.
The Available Resources table displays the available zones and the compute, storage, and network
information available in each zone.
The task panel at the bottom of the page shows the tasks performed and their status.
Decompose a Server
You can decompose a server that has not been assigned to a VI workload domain.
Prerequisites
Procedure
2 From the Server Composition Summary table, select the server to be decomposed.
3 Click Decompose.
Chapter 7 Installing ESXi Software on Cloud Foundation Servers
You can use the VMware Imaging Appliance (VIA) included with the Cloud Foundation Builder VM to
image servers for use in the management domain and VI workload domains.
Before you can complete the deployment parameters spreadsheet to define your network information,
host details, and other required information, you must install ESXi on your servers. If your servers are
already installed with a supported version of ESXi, you can skip imaging. Otherwise, you can use VIA.
This guide describes using VIA to image servers prior to bring-up of a Cloud Foundation system. You can
also use VIA to image servers prior to adding them to Cloud Foundation as part of the host
commissioning process after bring-up is complete. See the VMware Cloud Foundation Operations and
Administration Guide for more information.
You can use VIA to image servers prior to adding them to Cloud Foundation as part of the host
commissioning process. For information about imaging servers prior to bring-up, see the VMware Cloud
Foundation Architecture and Deployment Guide.
You must have access to the Cloud Foundation Builder VM to use the VMware Imaging Appliance. If you
deleted VIA after bring-up, you can redeploy it as described in "Deploy Cloud Foundation Builder VM" in
the VMware Cloud Foundation Architecture and Deployment Guide.
Server Prerequisites
The servers that you image must meet certain prerequisites:
- PXE Boot is configured as primary boot option
- Legacy boot mode configured in BIOS (UEFI boot mode is not supported)
- Server hardware/firmware should be configured for virtualization and vSAN and match the
  Cloud Foundation BOM as described in the Release Notes
- Any onboard NICs are disabled on the servers and only the two 10 GbE NICs reserved for use with
  Cloud Foundation are enabled in BIOS
The default root credentials for servers imaged with VIA are user root, password EvoSddc!2016.
- Post-Imaging Tasks
You can download the ISO and VIBs from My VMware (https://my.vmware.com) to any location on the
Windows machine that is connected to the Cloud Foundation Builder VM. Make sure to record the MD5 or
SHA-1 checksums. You will need them when you upload the ISO/VIB to the VMware Imaging Appliance.
Procedure
2 SSH into the Cloud Foundation Builder VM using the credentials specified when you deployed the
VM. See "Deploy Cloud Foundation Builder VM" in the VMware Cloud Foundation Architecture and
Deployment Guide.
a If the Cloud Foundation Builder VM is using the eth0 interface (default), then you do not need to
modify any of the properties in Section A. If the Cloud Foundation Builder VM has multiple
network interfaces and is not using eth0, you must update the following properties.
Property: Description
via.web.url: The IP address used to access the VMware Imaging Appliance UI. Update this with the IP
address of Cloud Foundation Builder VM in the management network.
via.network.ifaceaddr: Update this with the IP address of Cloud Foundation Builder VM in the
management network.
via.dhcp.esxi.tftpServer: IP address of the server where TFTP is running. Update this with the IP
address of Cloud Foundation Builder VM in the management network.
Property Description
7 Type systemctl status imaging.service to verify that the imaging service is running.
What to do next
Procedure
1 In a web browser on the Windows machine that is connected to the Cloud Foundation Builder VM,
navigate to https://Cloud_Builder_VM_IP:8445/via.
2 Enter the admin credentials you provided when you deployed the Cloud Foundation Builder VM and
click Log in.
7 When the uploaded ISO appears, select Activate to use the ISO for imaging servers.
11 When the uploaded VIB appears, select In use to use the VIB for imaging servers.
What to do next
Use the selected ISO and VIB(s) to image servers for use with Cloud Foundation.
You can use VIA to image servers for use in the management domain and VI workload domains. The
management domain requires a minimum of four servers. See the VMware Cloud Foundation Planning
and Preparation Guide for more information about requirements.
Note When you image servers, VIA uses the ESXi ISO that you activated and the VIB(s) that you
marked as In use.
Procedure
1 In a web browser on the Windows machine that is connected to the Cloud Foundation Builder VM,
navigate to https://Cloud_Builder_VM_IP:8445/via.
2 Enter the admin credentials you provided when you deployed the Cloud Foundation Builder VM and
click Log in.
3 Click Imaging.
Option Description
Number Enter the number of servers you want to image with the selected ISO and VIBs.
Option Description
VIA displays information about the progress of imaging. Click a server to view details. Once imaging
is complete, VIA performs verification of the servers.
What to do next
Perform post-imaging tasks before you download the deployment parameter sheet and begin the bring-up
process.
Post-Imaging Tasks
After you image your servers with ESXi and VIBs, you must perform some post-imaging tasks, depending
on whether you use an untagged or a tagged management VLAN.
For imaging servers, the VMware Imaging Appliance requires an untagged VLAN. You can continue to
use an untagged VLAN for management, or you can use a tagged VLAN.
- Ensure that the Management Network and VM Network port groups on each host use the untagged
  VLAN (VLAN ID 0)
- Modify the Management Network and VM Network port groups on each host to use the tagged VLAN
- Migrate the hosts from the provisioning network to the management network on the TOR switches
Chapter 8 Adding Hosts to Cloud Foundation
To add hosts to the Cloud Foundation inventory, you must first create a network pool or expand the
default network pool created during bring-up.
You then commission hosts to Cloud Foundation. During the commissioning process, you associate hosts
with a network pool. Commissioned hosts are added to the Cloud Foundation inventory. You can add
these hosts to the management domain or to a VI workload domain. When a host is added to a workload
domain, an IP address from the network pool's IP inclusion range is assigned to it.
- Commission Hosts
- Decommission Hosts
A network pool is a collection of subnets within an L2 domain. Depending on the storage option
you are using, it includes information about subnets reserved for the vMotion and vSAN or NFS networks
that are required for adding a host to the Cloud Foundation inventory.
The network pool also contains a range of IP addresses, called an inclusion range. IP addresses from the
inclusion ranges are assigned to the vMotion and vSAN or NFS vmkernel ports on the host. The use of
inclusion ranges allows you to limit the IP addresses that will be consumed from a given subnet. You can
add more inclusion ranges in order to expand the use of the provided subnet.
A default network pool (named bringup-networkpool) is created during bring-up. This network pool is
automatically associated with the management domain. Network information for this network pool is
based on the deployment parameter sheet you provided during bring-up. This network pool contains
vMotion and vSAN networks only - an NFS network is not supported in this network pool. If you have a
single L2 domain in your environment for management workload domain vSAN and vMotion networks or
if you want to expand the management domain by adding a host, you can expand this default network
pool.
In order to create a workload domain with hosts in a different L2 domain than the management domain, or
if you want to use external NFS storage, you must create a new network pool. A network pool can contain
both vSAN and NFS networks.
All hosts in a cluster must be associated with the same network pool. However, a workload domain can
contain multiple clusters, each with its own network pool. You may want to have multiple clusters within a
workload domain to provide separate failover domains (i.e. a VM only fails over between hosts in a
cluster). Multiple clusters also provide isolation for security reasons and are also useful for grouping
servers of a particular type of configuration together. Multiple clusters can also be used to handle growth.
Original servers used in the first cluster may get outdated at some point. Newer server models can then
be added in a new cluster to the workload domain and workloads can be migrated at a leisurely pace.
You begin sizing a network pool by determining the number of hosts that you will have in each cluster. A
workload domain must contain a minimum of one cluster. As each cluster leverages vSAN for storage, the
minimum number of hosts within a cluster is three. The exception to this rule is the management workload
domain. It is recommended that the management workload domain contain a minimum of four hosts. This
allows for an additional level of availability for the critical infrastructure components. A cluster can be
expanded to the maximum number of hosts supported by vCenter, which is currently 64 hosts.
Allocate a minimum of one IP address per host plus enough additional IP addresses to account for growth
and expansion of the environment. Ensure that the subnet defined provides enough unused IP addresses
and that appropriate inclusion ranges are defined. Note that some of the IP addresses within the subnet
will be used for other purposes, such as defining the gateway address, firewalls, or other entities. Use
care not to conflict with these addresses.
Here are some important considerations for determining the size of your network pool:
Number of ports
- Where the network switches are placed (at the top of the rack or at the end of a row)
- Whether the network switches will be shared with non-Cloud Foundation hosts
The subnet in a network pool cannot overlap the subnet of another pool.
Procedure
You can include both vSAN and NFS network information in the same network pool.
5 Provide the following network information for vMotion and the selected storage network type.
f Enter an IP address range from which an IP address can be assigned to hosts that are
associated with this network pool.
The IP address range must be from within the specified subnet. You cannot include the IP
address of the default gateway in the IP address range. You can enter multiple IP address
ranges.
Note Ensure that you have entered the correct IP address range. IP ranges cannot be edited
after the network pool is created.
6 Click Save.
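The pool rules above (inclusion ranges inside the subnet, no default gateway in a range, no subnet overlap between pools, at least one address per host) can be checked before the values are entered, which matters because ranges cannot be edited afterwards. The following Python is an added example, not VMware code; the PoolNetwork fields, the pool name wld01-pool and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PoolNetwork:
    """One network of a planned pool. Field names are hypothetical."""
    pool: str      # network pool name
    kind: str      # "vMotion", "vSAN" or "NFS"
    subnet: str    # CIDR notation
    gateway: str
    ranges: list   # inclusion ranges as (first_ip, last_ip) tuples


def merged_size(ranges):
    """Count distinct addresses in (first, last) ranges, merging overlaps."""
    total, covered_to = 0, None
    for first, last in sorted(ranges):
        if covered_to is not None and first <= covered_to:
            first = covered_to + 1
        if first <= last:
            total += int(last) - int(first) + 1
            covered_to = last
    return total


def check_network(net, hosts_planned):
    """Return the rule violations for one network of a pool."""
    label = f"{net.pool}/{net.kind}"
    try:
        subnet = ipaddress.ip_network(net.subnet, strict=True)
        gateway = ipaddress.ip_address(net.gateway)
        ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                  for a, b in net.ranges]
    except ValueError as exc:
        return [f"{label}: {exc}"]
    problems = []
    if gateway not in subnet:
        problems.append(f"{label}: gateway {gateway} is outside {subnet}")
    valid = []
    for first, last in ranges:
        text = f"{first}-{last}"
        if first > last:
            problems.append(f"{label}: range {text} is reversed")
        elif first not in subnet or last not in subnet:
            problems.append(f"{label}: range {text} is not inside {subnet}")
        elif first <= gateway <= last:
            problems.append(f"{label}: range {text} includes gateway {gateway}")
        else:
            valid.append((first, last))
    available = merged_size(valid)
    if available < hosts_planned:
        problems.append(
            f"{label}: {available} usable addresses for {hosts_planned} planned hosts")
    return problems


def check_plan(networks, hosts_planned):
    """Check each network, then that subnets of different pools do not overlap."""
    problems, parsed = [], []
    for net in networks:
        problems += check_network(net, hosts_planned.get(net.pool, 0))
        try:
            parsed.append((net, ipaddress.ip_network(net.subnet, strict=True)))
        except ValueError:
            continue  # already reported by check_network
    for i, (a, a_sub) in enumerate(parsed):
        for b, b_sub in parsed[i + 1:]:
            if a.pool != b.pool and a_sub.overlaps(b_sub):
                problems.append(
                    f"{a.pool}/{a.kind} {a_sub} overlaps {b.pool}/{b.kind} {b_sub}")
    return problems


# Constructed plan: the default pool plus a new pool with three deliberate mistakes.
PLAN = [
    PoolNetwork("bringup-networkpool", "vMotion", "172.16.11.0/24", "172.16.11.1",
                [("172.16.11.10", "172.16.11.20")]),
    PoolNetwork("bringup-networkpool", "vSAN", "172.16.12.0/24", "172.16.12.1",
                [("172.16.12.10", "172.16.12.20")]),
    # Subnet overlaps the bring-up pool and the range starts at the gateway.
    PoolNetwork("wld01-pool", "vMotion", "172.16.11.128/25", "172.16.11.129",
                [("172.16.11.129", "172.16.11.140")]),
    # Two overlapping ranges give only three distinct addresses for four hosts.
    PoolNetwork("wld01-pool", "NFS", "172.16.31.0/24", "172.16.31.1",
                [("172.16.31.10", "172.16.31.11"), ("172.16.31.11", "172.16.31.12")]),
]
HOSTS = {"bringup-networkpool": 4, "wld01-pool": 4}

if __name__ == "__main__":
    for problem in check_plan(PLAN, HOSTS):
        print(problem)
```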
Procedure
A high-level summary of the network pool's vSAN and vMotion network information is displayed.
Procedure
2 Hover your mouse in the network pool row that you want to edit.
A set of three dots appears on the left of the pool name. Click these dots and then click Edit.
4 Click Save.
Prerequisites
Ensure that the hosts in the network pool are not assigned to a workload domain. To verify this, navigate
to Administration > Network Settings and confirm that the Used IPs for the network pool is 0.
Procedure
2 Hover your mouse in the network pool row that you want to delete.
A set of three dots appears on the left of the pool name. Click these dots and then click Delete.
Commission Hosts
Adding hosts to the Cloud Foundation inventory is called commissioning. You can add hosts individually,
or use a JSON template to add multiple hosts at once. You can commission a maximum of 32 hosts at a
time.
The hosts that you want to commission must meet a set of criteria. After you specify host details and
select the network pool to associate a host with, Cloud Foundation validates and commissions each host.
Each host is added to the free pool and is available for workload domain creation.
Prerequisites
Ensure that each host you are commissioning meets the following criteria.
- Host is vSAN compliant and certified on the VMware Hardware Compatibility Guide.
- Host is configured with appropriate gateway. The gateway must be part of the management subnet.
- A supported version of ESXi is installed on the host. See the VMware Cloud Foundation Release
  Notes for information about supported versions.
- Host has the drivers and firmware versions specified in the VMware Hardware Compatibility Guide.
- Two NIC ports with a minimum 10 Gbps speed. One port must be free and the other port must be
  configured on a standard switch. This switch should be restricted to the management portgroup.
Note You must have a network pool available in order to commission a host.
Procedure
3 Confirm that hosts to be commissioned meet each criterion in the checklist and select the check
boxes.
4 Click Proceed.
5 Select whether you want to add hosts one at a time, or import a JSON file to add multiple hosts at
once.
The storage type you select for a host (vSAN or NFS) must be supported by its associated network
pool. A network pool can support both vSAN and NFS. Hosts that use vSAN storage can only be
used with vSAN-based workload domains and hosts that use NFS storage can only be used with
NFS-based workload domains.
Option Description
Add new Manually enter the following information for the host you want to add:
- FQDN
- Network pool (choose an existing network pool from the list)
- User name and password (root credentials)
- Storage type (vSAN or NFS)
Click Add.
You can now add more hosts or proceed to the next step.
c Click Browse to locate and select the JSON file containing host information.
d Click Upload.
6 Verify that the server fingerprint is correct for each host and then click the confirm fingerprint icon.
Cloud Foundation validates the host information you provided. Each host is marked as Valid or
Invalid.
For invalid hosts, you can correct the problem and validate again, or select the host and click
Remove to proceed with commissioning the valid hosts.
8 Click Next to review the host information and then click Commission to begin commissioning.
The Hosts page appears and the status of the commission task is displayed. Click View Status in
Task to display the task bar.
The commissioned hosts are added to the host table. The host belongs to a free pool until you assign it to
a workload domain.
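Step 6 is where the operator confirms each host's identity, so the displayed fingerprints should be compared with values recorded out of band rather than accepted as shown. The following Python is an added example, not part of the guide or of Cloud Foundation; it assumes the wizard shows OpenSSH-style SHA-256 SSH host key fingerprints, and the host names and keys are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct

MAX_HOSTS_PER_BATCH = 32  # the guide allows at most 32 hosts per commissioning run


def ssh_fingerprint(pubkey_line):
    """OpenSSH-style SHA-256 fingerprint of a 'type base64 [comment]' key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed key type that must match field one.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode("ascii", "replace") != fields[0]:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def compare_batch(recorded_keys, displayed):
    """Classify each host as 'match', 'MISMATCH' or 'no reference key'.

    recorded_keys: FQDN -> public key line captured out of band (assumption:
                   recorded from the host console when the server was imaged)
    displayed:     FQDN -> fingerprint shown in the commissioning wizard
    """
    if len(displayed) > MAX_HOSTS_PER_BATCH:
        raise ValueError(f"more than {MAX_HOSTS_PER_BATCH} hosts in one batch")
    result = {}
    for fqdn, shown in displayed.items():
        key_line = recorded_keys.get(fqdn)
        if key_line is None:
            result[fqdn] = "no reference key"
            continue
        expected = ssh_fingerprint(key_line).encode("utf-8")
        if hmac.compare_digest(expected, shown.strip().encode("utf-8")):
            result[fqdn] = "match"
        else:
            result[fqdn] = "MISMATCH"
    return result


def _constructed_key(seed):
    """Build a syntactically valid ssh-rsa key line from a seed (sample data only)."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8   # stand-in, not a real key
    parts = (b"ssh-rsa", b"\x01\x00\x01", modulus)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


# Constructed inventory: esx-1 matches, esx-2 presents a different key,
# esx-3 was never recorded.
RECORDED = {
    "esx-1.example.com": _constructed_key(b"host-1"),
    "esx-2.example.com": _constructed_key(b"host-2"),
}
DISPLAYED = {
    "esx-1.example.com": ssh_fingerprint(RECORDED["esx-1.example.com"]),
    "esx-2.example.com": ssh_fingerprint(_constructed_key(b"other")),
    "esx-3.example.com": "SHA256:" + "A" * 43,
}

if __name__ == "__main__":
    for host, verdict in compare_batch(RECORDED, DISPLAYED).items():
        print(f"{host}: {verdict}")
```

Only hosts reported as match should have their fingerprint confirmed; the others can be removed from the batch and investigated.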
Decommission Hosts
Removing hosts from the Cloud Foundation inventory is called decommissioning. You can decommission
a host for maintenance work or if you want to add it to another network pool. If you want to re-use a host
in a different workload domain, you must decommission the host and clean it up before adding it to the
workload domain.
Prerequisites
The hosts that you want to decommission must not be assigned to a workload domain. If a host is
assigned to a workload domain, you must remove it before you can decommission it. See Remove a Host
from a Cluster in a Workload Domain.
Procedure
5 Click Confirm.
The Hosts page appears and the status of the decommission task is displayed. Click View Status in
Task to display the task bar.
What to do next
Clean the decommissioned host before adding it to a workload domain. See Cleaning Up
Decommissioned Hosts.
The best way to clean up a decommissioned host is by using the SoS utility on the SDDC Manager VM. If
the SoS utility is unable to clean up the host for some reason, you can use the Direct Console User
Interface (DCUI) on the host to perform the cleanup.
Prerequisites
Gather the following information for each host that you want to clean up:
- IP address
Procedure
1 Using SSH, log in to the SDDC Manager VM with the following credentials:
Username: vcf
./sos --cleanup-decommissioned-host /opt/vmware/sddc-support/decommissioned_host_cleanup_sample.json
What to do next
You can now commission the host to the Cloud Foundation inventory and add it to a workload domain.
Prerequisites
- You must have access to Direct Console User Interface (DCUI) on the host.
- root password
- VLAN ID
Procedure
#vdq -i
#esxcli vsan storage remove -s SSD Device Name
For example:
[root@esx-6:/tmp] vdq -i
[
{
"SSD" : "naa.55cd2e414dc36b15",
"MD" : [
"naa.55cd2e414d7abb5d",
"naa.55cd2e414d7aa215",
"naa.55cd2e414d7abb46",
]
},
{
"SSD" : "naa.55cd2e414dc36d53",
"MD" : [
"naa.55cd2e414d705c35",
"naa.55cd2e414d7aa1eb",
"naa.55cd2e414d7abb10",
]
},
]
[root@esx-6:/tmp] esxcli vsan storage remove -s naa.55cd2e414dc36b15
[root@esx-6:/tmp] esxcli vsan storage remove -s naa.55cd2e414dc36d53
[root@esx-6:/tmp] vdq -i
[
]
5 Reset the system configuration and the root password by running the commands below.
/bin/firmwareConfig.sh --reset
When you reset the configuration, the software overrides all your network configuration changes,
deletes the password for the administrator account (root), and reboots the host.
7 Reset the root password. This password was deleted during step 5.
8 Configure the following network details to the same values that were set on the host before the
factory reset.
- VLAN
- IP address
- netmask
- gateway
10 Restart the management network by selecting the Restart Management Network option on the main
DCUI page.
What to do next
You can now commission the host to the Cloud Foundation inventory and add it to a workload domain.
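The vdq -i output shown in the DCUI cleanup procedure is not strict JSON (note the trailing commas), so a script that drives the disk group removal has to tolerate that. The following Python is an added example, not VMware tooling; it parses the sample output from this page, validates device names, and builds the esxcli vsan storage remove argument lists without going through a shell. Function names are hypothetical.

```python
import json
import re

# Device names are passed to esxcli, so accept only a conservative character set.
DEVICE_RE = re.compile(r"[A-Za-z0-9._:-]+")

# Sample copied from the console example on this page, trailing commas included.
VDQ_OUTPUT = """
[
   {
      "SSD" : "naa.55cd2e414dc36b15",
      "MD" : [
              "naa.55cd2e414d7abb5d",
              "naa.55cd2e414d7aa215",
              "naa.55cd2e414d7abb46",
             ]
   },
   {
      "SSD" : "naa.55cd2e414dc36d53",
      "MD" : [
              "naa.55cd2e414d705c35",
              "naa.55cd2e414d7aa1eb",
              "naa.55cd2e414d7abb10",
             ]
   },
]
"""


def parse_vdq(text):
    """Parse `vdq -i` output into a list of {'SSD': str, 'MD': [str, ...]} groups."""
    # Drop a comma that is followed only by whitespace and a closing bracket.
    cleaned = re.sub(r",(\s*[\]}])", r"\1", text)
    groups = json.loads(cleaned)          # JSONDecodeError is a ValueError
    if not isinstance(groups, list):
        raise ValueError("expected a list of disk groups")
    parsed = []
    for group in groups:
        if not isinstance(group, dict):
            raise ValueError("disk group is not an object")
        ssd, disks = group.get("SSD"), group.get("MD", [])
        if not isinstance(disks, list):
            raise ValueError("MD is not a list")
        for name in [ssd, *disks]:
            if not isinstance(name, str) or not DEVICE_RE.fullmatch(name):
                raise ValueError(f"unexpected device name: {name!r}")
        parsed.append({"SSD": ssd, "MD": list(disks)})
    return parsed


def removal_commands(groups):
    """One argv list per disk group, removing the group by its cache-tier SSD."""
    return [["esxcli", "vsan", "storage", "remove", "-s", g["SSD"]] for g in groups]


def cleanup_complete(text):
    """True when a follow-up `vdq -i` reports no remaining disk groups."""
    return parse_vdq(text) == []


if __name__ == "__main__":
    for argv in removal_commands(parse_vdq(VDQ_OUTPUT)):
        print(" ".join(argv))
    print("clean:", cleanup_complete("[\n]"))
```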
For each host, the Hosts page displays the following information:
- FQDN name
- IP address
- Current status
- Storage type
Procedure
1 From the SDDC Manager Dashboard, navigate to Inventory > Hosts.
For example:
- To jump to the details page for the domain to which a listed host belongs, click the domain name
  link in the Host State column. For information about viewing workload domains, see View
  Workload Domain Details.
- To jump to the details page for the domain cluster to which a listed host belongs, click the cluster
  name in the Cluster column. For information about clusters, see Expand a Workload Domain.
- To quickly view network assignment details for a specific host, click the info icon next to the value
  in the Network Pool column.
3 To view the details of a specific host, click the FQDN name in the list.
- A summary of the networks (vSAN, vMotion, and Management) to which the host belongs and its
  IP address on those networks.
Note Below the page title, the host details page also provides quick links to the network pool and the
workload domain cluster to which the host belongs.
4 (Optional) To decommission the host from the host details page, click Actions near the page name
and select Decommission.
5 (Optional) To view host VM details, click Actions near the page name and select Open in ESXi
Client.
Chapter 9 Working with the Management Domain and VI Workload Domains
The management domain and deployed workload domains are logical units that carve up the compute,
network, and storage resources of the Cloud Foundation system. The logical units are groups of ESXi
hosts managed by vCenter Server instances with specific characteristics for redundancy and VMware
SDDC best practices.
The management domain is created by default during bring-up. The Cloud Foundation software stack is
deployed on the management domain. Additional infrastructure virtual machines which provide common
services, such as backup or security appliances, can be deployed in the management domain as well.
The management domain and workload domains include these VMware capabilities by default:
VMware vSphere High Availability (HA)
This feature supports distributed availability services for a group of ESXi hosts to provide rapid
recovery from outages and cost-effective high availability for applications running in virtual
machines. Out of the box, Cloud Foundation provides a highly available environment for workload
domains. There may be additional settings (not set by default) that can increase availability even
further. For more information about vSphere HA, see the vSphere Availability documentation at
https://docs.vmware.com/en/VMware-vSphere/.

VMware vSphere Distributed Resource Scheduler™ (DRS)
This feature dynamically allocates and balances computing capacity across a group of hardware
resources aggregated into logical resource pools or clusters. Clusters are the primary unit of
operation in Cloud Foundation. DRS continuously monitors use across resource pools and allocates
available resources among the virtual machines based on predefined rules that reflect business
needs and changing priorities. When a virtual machine experiences an increased load, vSphere DRS
automatically allocates additional resources by redistributing virtual machines among the physical
servers in the resource pool. For more information about DRS, see the vSphere Resource
Management documentation at https://docs.vmware.com/en/VMware-vSphere/.

VMware vSAN
This component aggregates local storage disks in a group of ESXi hosts to create a storage pool
shared across all hosts in that group. For more information about vSAN, see the VMware vSAN
documentation at https://docs.vmware.com/en/VMware-vSAN/.
Each Cloud Foundation instance is one SSO domain to which all vCenter Servers are joined. The
maximum number of supported workload domains and vCenter Servers per Cloud Foundation instance
depends on the vSphere version in the management cluster. For more information, see the Configuration
Maximums vSphere document.
Note If you use cross vCenter vMotion between two VI workload domains with dissimilar hardware, you
must enable EVC on the corresponding clusters. See Enable EVC on an Existing Cluster in the vSphere
product documentation.
You must be careful when adding virtual machines to the management domain. You do not want to
consume excessive resources that would obstruct standard operations. Excess capacity consumption can
cause virtual machine failovers to fail in the event of a host failure or maintenance action.
You can add capacity to the management domain by adding one or more hosts to expand the
management workload domain. To expand the management domain, see Expand a Workload Domain.
Procedure
This opens the vSphere Web Client for the management domain.
5 Create a VM.
Note Do not move any of the Cloud Foundation management VMs into the resource pool.
Note Do not move any of the Cloud Foundation management VMs to the newly created resource
pool.
- Deploys an additional vCenter Server Appliance for the new workload domain within the management
  domain.
  By leveraging a separate vCenter Server instance per workload domain, software updates can be
  applied without impacting other workload domains. It also allows for each workload domain to have
  additional isolation as needed.
- Connects the specified ESXi servers to this vCenter Server instance and groups them into a cluster.
  Each host is configured with the port groups applicable for the workload domain.
- For each NSX for vSphere workload domain, the workflow deploys an NSX Manager in the
  management domain and three NSX controllers on the ESXi datastore. The workflow also configures
  an anti-affinity rule between the controller VMs to prevent them from being on the same host for High
  Availability.
- For the first NSX-T VI workload domain in your environment, the workflow deploys an NSX Manager
  and three NSX controllers in the management domain. The workflow also configures an anti-affinity
  rule between the controller VMs to prevent them from being on the same host for High Availability. All
  subsequent NSX-T workload domains share this NSX-T Manager and Controllers.
  For an NSX-T workload domain, NSX Edges are needed to enable overlay VI networks and public
  networks for north-south traffic. NSX Edges are not deployed automatically for an NSX-T VI workload
  domain. You can deploy them manually after the VI workload domain is created. Subsequent NSX-T
  VI workload domains share the NSX-T Edges deployed for the first workload domain.
- Licenses and integrates the deployed components with the appropriate pieces in the
  Cloud Foundation software stack.
Note You can only perform one workload domain operation at a time. For example, while creating a new
workload domain, you cannot add a cluster to any other workload domain.
Procedure
4 Specify Name
Provide a name for the VI workload domain, cluster, and organization.
8 Select Hosts
The Host Selection page displays available hosts along with hosts details. Hosts that are powered
off, cannot be accessed via SSH, or have not been properly commissioned are not displayed.
10 Select Licenses
The Licenses page displays the available licenses for vCenter, vSphere, vSAN, and NSX based on
the information you provided.
NSX-T VI workload domains have additional prerequisites. See Additional Prerequisites for an NSX-T
Based Workload Domain.
- A DHCP server must be configured on the VXLAN VLAN of the management domain. When NSX
  creates VXLAN VTEPs for the VI workload domain, they are assigned IP addresses from the DHCP
  server.
- A minimum of three hosts marked with the appropriate storage must be available in your
  Cloud Foundation inventory. To create a VI workload domain with NFS storage, the hosts must be
  commissioned with NFS as the storage type and must be associated with an NFS network pool. To
  create a VI workload domain with vSAN storage, the hosts must be commissioned with vSAN as the
  storage type and must be associated with a vSAN network pool. For information on adding hosts to
  your inventory, see Chapter 8 Adding Hosts to Cloud Foundation.
- There must be a free uplink on each host to be used for the workload domain.
- Decide on a name for your VI workload domain. It is good practice to include region and site
  information in the name since resource object names (such as host and vCenter names) are
  generated on the basis of the VI workload domain name. The name can be three to twenty characters
  long and can contain any combination of the following:
  - Numbers
  - Hyphens
  - Underscores
  Note Spaces are not allowed in any of the names you specify when creating a VI workload domain.
- NSX Manager enable password to enable administrator privileges for NSX Manager (only for
  NSX-V)
- Gather the information that you will need during the workload domain creation workflow:
  - NSX Manager IP address, DNS name, subnet mask, and default gateway
  - NSX Controller IP address, subnet mask, and default gateway for three controllers
- The IP addresses and Fully Qualified Domain Names (FQDN) for the vCenter and NSX Manager
  instances to be deployed for the VI Workload domain must be resolvable by DNS.
- If you are using NFS storage for the workload domain, you need the following information:
  - Datastore name
  The NFS share and server must be accessible from the Cloud Foundation network. You must have
  read/write permission to the NFS share since NSX controllers will be deployed there.
- You must have specified valid license keys for the following products:
  - vCenter Server
  - vSphere
  Since vSphere and vSAN licenses are per CPU, ensure that you have sufficient licenses for the
  ESXi hosts to be used for the workload domain. See Chapter 5 License Management.
- (Optional) Enable vRealize Log Insight logging for workload domains. See Enable vRealize Log
  Insight Logging for Workload Domains.
- If you have upgraded the management domain in your environment to a later release, download the
  VI workload domain install bundle to deploy later versions of the software components instead of the
  versions in your original Cloud Foundation installation. See Download Install Bundle from the SDDC
  Manager.
Procedure
1 Download the following files to a computer that has connectivity to SDDC Manager.
a NSX-T OVA files from the NSX-T Datacenter product download page. Download the correct NSX-T
version for your version of VMware Cloud Foundation. Refer to the VMware Cloud Foundation
Release Notes for the supported versions of NSX-T.
  - NSX-T Manager
  - NSX-T Controllers
  - NSX-Edge (optional)
b To enable vRealize Log Insight on the NSX-T workload domain, download the vRealize Log
Insight content pack for NSX-T 2.3 from Solution Exchange. This is optional.
c Rename the vRealize Log Insight content pack for NSX-T 2.3 file name to VMware-NSX-T-v3.1.vlcp.
2 Using SSH, log in to the SDDC Manager VM with the following credentials:
Username: vcf
su -
mkdir /mnt/cdrom/nsxt_ova
6 Copy the files you downloaded in step 1 to the /mnt/cdrom/nsxt_ova directory on SDDC Manager.
Procedure
1 On the SDDC Manager Dashboard, click + Workload Domain and then click VI Virtual
Infrastructure.
Specify Name
Provide a name for the VI workload domain, cluster, and organization.
Prerequisites
Verify that you have met the prerequisites described in Create a VI Workload Domain.
Procedure
1 Type a name for the VI workload domain, such as sfo01. The name must contain between 3 and 20
characters.
It is good practice to include location information in the name since resource object names (such as
host and vCenter names) are generated on the basis of the VI workload domain name.
2 Type a name for the VI cluster. The name must contain between 3 and 20 characters.
3 (Optional) Type a name for the organization that requested or will use the virtual infrastructure, such
as Finance. The name must contain between 3 and 20 characters.
4 Click Next.
Procedure
1 On the Compute page of the wizard, type the vCenter IP address and DNS name.
4 Click Next.
Procedure
For NSX for vSphere, enter the VLAN ID for VXLAN Networking.
Note This is the VXLAN VLAN of the management domain. A DHCP server must be configured to
lease IPs in the specified VLAN. When NSX creates VXLAN VTEPs, they are assigned IP addresses
from the DHCP server.
- IP address
- Name
- Subnet mask
- Default gateway
- Admin password
- Subnet mask
- Default gateway
- Password
5 Click Next.
- Which specific hosts in your environment are available and appropriate to fulfill those selections
- The virtual infrastructure features and their specific configurations that are needed to fulfill those
  selections
Note You can modify the vSAN configuration in vSphere without negatively affecting the
Cloud Foundation configuration.
Procedure
1 Specify the level of availability you want configured for this virtual environment.
The availability level determines the level of redundancy that is set for the assigned resources. For
more information, see Managing Fault Domains in Virtual SAN Clusters in Administering VMware
Virtual SAN.
Option Description
2 Click Next.
Select Hosts
The Host Selection page displays available hosts along with hosts details. Hosts that are powered off,
cannot be accessed via SSH, or have not been properly commissioned are not displayed.
To check a host's health, SSH in to the SDDC Manager VM using the vcf administrative user
account. Enter su to switch to the root user and navigate to the /opt/vmware/sddc-support
directory and type the following command.
./sos --health-check
For more information, see Chapter 14 Supportability and Serviceability (SoS) Utility.
- For optimum performance, you must select hosts that are identical in terms of memory, CPU types,
  and disks.
  If you select unbalanced hosts, the UI displays a warning message, but you can proceed with the
  workload domain creation.
- You cannot select hosts that are in a dirty state. A host is in a dirty state when it has been removed
  from a cluster in a workload domain.
  To clean a dirty host, see Clean up a Decommissioned Host Using the Direct Console User Interface.
- All selected hosts must be associated with the same network pool.
Procedure
For a vSAN VI workload domain with 0 or 1 availability, a minimum of three hosts is required. For a VI
workload domain with 2 availability, a minimum of five hosts is required. When you select hosts with
sufficient storage to form a VI cluster, the Next button is enabled.
2 Click Next.
Procedure
1 On the NFS Storage page, enter a name for the NFS datastore.
Note When creating additional datastores for an NFS share and server, use the same datastore
name. If you use a different datastore name, vCenter overwrites the datastore name provided earlier.
4 Click Next.
Select Licenses
The Licenses page displays the available licenses for vCenter, vSphere, vSAN, and NSX based on the
information you provided.
Prerequisites
You must have specified valid license keys for the following products:
NSX-T license is currently not integrated with the VI Workload domain wizard.
- vSphere
Since vSphere and vSAN licenses are per CPU, ensure that you have sufficient licenses for the ESXi
hosts to be used for the workload domain.
For information on adding license keys, see Add License Keys for the Software in Your Cloud Foundation
System.
Procedure
1 Depending on the storage option and NSX platform being used, select the appropriate licenses to
apply to the VI workload domain.
2 Click Next.
Procedure
1 Review the syntax that will be used for the vSphere objects generated for this domain.
2 Click Next.
The Review page displays information about the resources and their configurations that will be deployed
when the workflow creates and deploys the virtual infrastructure for this workload domain.
The hosts that will be added to the workload domain are listed along with information such as the network
pool they belong to, memory, CPU, and so on.
Procedure
The Workload Domains page appears and a notification is displayed letting you know that VI
workload domain is being added. Click View Task Status to view the domain creation tasks and sub
tasks.
If a task fails, you can fix the issue and re-run the task. If the workload domain creation fails, contact
VMware Support.
When the VI workload domain is created, it is added to the workload domains table.
What to do next
Enable vRealize Log Insight logging for the workload domain (if not done already).
- NSX Edges are needed to enable overlay VI and public networks for north-south traffic. NSX Edges
  are not deployed automatically. To manually deploy the Edges, see Deploy NSX Edges for NSX-T VI
  Workload Domains.
- Network I/O Control is not automated. To manually optimize traffic prioritization, follow step 4 in the
  following document:
  Create Uplink Profiles, Network I/O Control Profile, and Edge Cluster Profile for the Shared Edge and
  Compute Cluster
2 Join the NSX-T Edges to the management plane by following the steps here:
a Configure the Transport Zones for the Shared Edge and Compute Cluster
b Create Uplink Profiles, Network I/O Control Profile, and Edge Cluster Profile for the Shared Edge
and Compute Cluster
c Create Logical Switches for the Shared Edge and Compute Cluster
d Configure NSX-T Dynamic Routing in the Shared Edge and Compute Cluster
Prerequisites
- Your Cloud Foundation installation can include only one NSX-T VI workload domain in version 3.5.
  Version 3.5.1 supports multiple NSX-T VI workload domains.
- Multiple clusters are not supported for an NSX-T workload domain in version 3.5. Version 3.5.1
  supports multiple clusters in an NSX-T workload domain.
- You must replace certificates for NSX-T components manually in version 3.5. Version 3.5.1 supports
  certificate management for NSX-T.
- You cannot rotate passwords for NSX-T components through SDDC Manager in version 3.5. Version
  3.5.1 supports automated rotation of NSX-T passwords.
- LCM does not upgrade NSX-T components. These need to be upgraded manually.
- An NSX-T workload domain is not integrated with vRealize Automation and vRealize Operations
  Manager yet.
Procedure
2 In the workload domains table, click the name of the workload domain.
The domain details page displays CPU, memory, and storage allocated to the domain. The tabs on
the page display additional information as described in the table below.
Summary Clusters in the workload domain and availability level for each cluster.
Services SDDC software stack components deployed for the workload domain's virtual environment and their
IP addresses. Click a component name to navigate to that aspect of the virtual environment. For
example, click vCenter to reach the vSphere Web Client for that workload domain.
All the capabilities of a VMware SDDC are available to you in the VI workload domain's environment,
such as creating, provisioning, and deploying virtual machines, configuring the software-defined
networking features, and so on.
Updates/Patches Available updates for the workload domain. For more information, see Chapter 17 Patching and
Upgrading Cloud Foundation.
Hosts Names, IP addresses, status, associated clusters, and capacity utilization of the hosts in the workload
domain and the network pool they are associated with.
Clusters Names of the clusters, number of hosts in the clusters, and their capacity utilization.
Security Default certificates for the Cloud Foundation components. For more information, see Chapter 4
Managing Certificates for Cloud Foundation Components.
What to do next
You can add a cluster to the workload domain from this page.
Procedure
The cluster detail page appears. The tabs on the page display additional information as described in
the table below.
Hosts Details about each host in the cluster. You can click a name in the FQDN column to access the host
detail page.
What to do next
You can add or remove a host, or access the vSphere Client from this page.
By adding an individual host to an existing workload domain, you can expand the amount of
resources contained within an existing cluster.
As workload domains support multiple clusters, you can add an additional cluster to an existing
workload domain to provide for increased capacity and VM failover isolation.
Prerequisites
- There must be a host available in the Cloud Foundation inventory. For information on adding a host to
Cloud Foundation, see Commission Hosts.
- You must have a valid vSphere license specified in the Licensing tab of the SDDC Manager
Dashboard with adequate sockets available for the host to be added. For more information, see Add
License Keys for the Software in Your Cloud Foundation System.
- Verify that the host to be added to the workload domain matches the configuration of the hosts in the
cluster to which you want to add the domain. This allows the cluster configuration to remain balanced.
If the host to be added does not match the pre-existing hosts in the cluster, the cluster will be
unbalanced and a warning will be displayed. The warning will not prevent the expansion and can be
dismissed if needed.
Procedure
The Workload Domains page displays information for all workload domains.
2 In the workload domains table, click the name of the workload domain that you want to expand.
4 Click the name of the cluster where you want to add a host.
The host you select must be associated with the same network pool as the other hosts in the cluster.
For optimum performance, you should select hosts that are identical in terms of memory, CPU types,
and disks to the other hosts in the cluster. If you select unbalanced hosts, the UI displays a warning
message, but you can proceed with the workload domain creation.
7 Click Next.
9 Click Next.
The details page for the cluster appears with a message indicating that the host is being added. Wait
until the action is complete before performing additional workload domain tasks.
Note You cannot add a cluster to an NSX-T VI workload domain in version 3.5. Multiple clusters for an
NSX-T VI workload domain are supported in version 3.5.1.
Prerequisites
- There must be at least three hosts available in the Cloud Foundation inventory. For information on
adding a host to Cloud Foundation, see Commission Hosts.
- Ensure that the hosts you want to add to the cluster are in an active state.
- You must have a valid vSphere and vSAN (if using vSAN storage) license specified in the Licensing
tab of the SDDC Manager Dashboard with adequate sockets available for the host to be added. For
more information, see Add License Keys for the Software in Your Cloud Foundation System.
- A DHCP server must be configured on the VXLAN VLAN of the management domain. When NSX
creates VXLAN VTEPs for the VI workload domain, they are assigned IP addresses from the DHCP
server.
Procedure
The Workload Domains page displays information for all workload domains.
A set of three dots appears on the left of the workload domain name.
3 Select the storage type for the cluster and click Begin.
5 On the Networking page, enter the VXLAN VLAN of the management domain and click Next.
This is the VXLAN VLAN of the management domain. A DHCP server must be configured to lease
IPs in the specified VLAN. When NSX creates VXLAN VTEPs, they are assigned IP addresses from
the DHCP server.
6 If you selected vSAN storage for the cluster, the vSAN parameters page appears. Specify the level of
availability you want configured for this cluster. The specified Failures To Tolerate (FTT) value
determines the number of hosts required for the cluster.
7 Click Next.
8 On the Object Names page, review the syntax that will be used for the vSphere objects generated for
this cluster and click Next.
All selected hosts must be associated with the same network pool. When you have selected the
minimum number of hosts required for this cluster, the Next button is enabled.
10 Click Next.
11 If you selected NFS storage for the cluster, the NFS Storage page appears. Enter the datastore
name, NFS share folder, and NFS server IP address.
12 Click Next.
13 On the Licenses page, select the vSphere and vSAN (if using vSAN storage) license to apply to this
cluster.
14 Click Next.
15 On the Review page, review the cluster details and click Finish.
The details page for the workload domain appears with the following message: Adding a new
cluster is in progress. When this process completes, the cluster appears in the Clusters tab in
the details page for the workload domain.
When a host is removed, the vSAN members are reduced. Ensure that you have enough hosts remaining
to facilitate the configured vSAN availability. Failure to do so might result in the datastore being marked as
read-only or in data loss.
Procedure
The Workload Domains page displays information for all workload domains.
2 In the workload domains table, click the name of the workload domain that you want to modify.
4 Click the name of the cluster from which you want to remove a host.
An alert appears, asking you to confirm or cancel the action. If the removal results in the number of
hosts in the cluster being less than the minimum number of required hosts, you must click Force
Remove to remove the host.
The details page for the cluster appears with a message indicating that the host is being removed.
When the removal process is complete, the host is removed from the hosts table.
The host is removed from the workload domain and added to the free pool.
What to do next
Clean up the host so that you can use it again. See Clean up a Decommissioned Host Using the Direct
Console User Interface.
You cannot delete the last cluster in a workload domain. Instead, delete the workload domain. See Delete
a Workload Domain.
Prerequisites
Migrate or back up the VMs and data on the datastore associated with the cluster to another location.
Procedure
The Workload Domains page displays information for all workload domains.
2 Click the name of the workload domain that contains the cluster you want to delete.
3 Click the Clusters tab to view the clusters in the workload domain.
5 Click the three dots next to the cluster name and click Delete Cluster.
6 Click Delete Cluster to confirm that you want to delete the cluster.
The details page for the workload domain appears with a message indicating that the cluster is being
deleted. When the removal process is complete, the cluster is removed from the clusters table.
Monitoring through Log Insight and vRealize Operations is removed and the components associated with
the workload domain to be deleted contained within the management domain are removed. This includes
the vCenter Server instance and NSX Manager.
The network pools used by the workload domain are not deleted as part of the workload domain deletion
process and must be deleted separately.
Caution Deleting a workload domain is an irreversible operation. All clusters and VMs within the
workload domain are deleted and the underlying datastores are destroyed.
It can take up to 20 minutes for a workload domain to be deleted. During this process, you cannot perform
any operations on workload domains.
Prerequisites
- Back up the data on the workload domain. The datastores on the workload domain are destroyed
when the workload domain is deleted.
- Migrate the VMs that you want to keep to another workload domain.
Procedure
The Workload Domains page displays information for all workload domains.
2 Hover your mouse over the row of the workload domain that you want to delete.
When you select the workload domain, three vertical dots appear next to the name.
A confirmation window appears with details about the impact of deleting the workload domain,
including how many hosts will be returned to the free pool.
The details page for the workload domain appears with a message indicating that the workload
domain is being deleted. When the removal process is complete, the workload domain is removed
from the domains table.
Adding vRealize Suite Products
to Cloud Foundation 10
Using SDDC Manager, you can deploy vRealize Operations and vRealize Automation as
Cloud Foundation solutions. You can also enable vRealize Log Insight for all workload domains in
the SDDC Manager user interface.
All vRealize Suite products require licenses purchased separately from Cloud Foundation.
Note For detailed information on prerequisites and preliminary procedures for adding vRealize Suite
products to your Cloud Foundation deployment, see the VMware Cloud Foundation Planning and
Preparation Guide.
[Figure: network diagram showing the corporate router(s), the vRealize network, and the load balancers for the vRealize Automation appliance, the vRealize Automation IaaS Web Server, the vRealize Automation IaaS Manager, and the vRealize Operations Manager user interface.]
Procedure
You can enter a license key for vRealize Automation or a suite license for a product that includes
vRealize Automation. For example, vCloud Suite or vRealize Suite.
If you have multiple license keys for a product, the description can help in identifying the license.
6 Click Add.
Prerequisites
- Verify you have a valid license key for vRealize Automation, which is purchased separately from
Cloud Foundation. You must add the license key to Cloud Foundation before deploying
vRealize Automation. See Add a vRealize Automation License Key to Cloud Foundation.
- Verify you have downloaded the vRealize Suite bundles from the VMware Depot.
- Verify you have configured the VLAN and IP subnet on the switches for the vRealize Suite products.
- Verify that IP allocation and forward/reverse DNS records are prepared for the vRealize Automation
components.
- Verify you have created the required Active Directory (AD) service account for vRealize Automation.
- Verify that you have configured a certificate authority in SDDC Manager. See Configure Certificate
Authority.
- Verify that the multi-SAN certificate and private key generated by a trusted certificate authority are available
for vRealize Automation.
- Verify Microsoft SQL Server is properly deployed and configured for vRealize Automation.
- Verify you have created and exported a Microsoft Windows Server OVA template for the
vRealize Automation IaaS components.
For more information, see the VMware Cloud Foundation Planning and Preparation Guide.
Procedure
The vRealize Suite navigation appears, listing the vRealize Suite products available for your
Cloud Foundation system deployment.
3 Click Deploy.
The vRealize Automation Installation Prerequisites page displays the prerequisites that you must
complete before beginning the installation.
4 Review the readiness of each prerequisite and verify by selecting each adjacent check box.
When all the boxes are selected, the Begin button is activated.
5 Click Begin.
6 On the Deployment Details page, enter the settings and click Next to continue.
Setting Description
Certificate Details
Certificate Chain Enter the full certificate chain, including each -----BEGIN CERTIFICATE----- header and
-----END CERTIFICATE----- footer.
IaaS Windows Template Select one of the following options from the drop-down options:
owner: vcf_commonsvcs
group: vcf
The directories in the path must be readable and
executable for the user and the group.
For example:
7 On the Network Settings page, enter the settings and click Next to continue.
Note If you completed the network configuration when deploying vRealize Operations, you can skip
this step. See Deploy vRealize Operations in Cloud Foundation.
Setting Description
VLAN ID Enter a valid VLAN ID between 0 and 4094 for the dedicated network.
Subnet Mask Provide a valid subnet mask for the dedicated network.
DNS Displays the IP address(es) of the external DNS server(s) you specified as part
of the Cloud Foundation bringup process. The DNS servers are used for the
vRealize Automation components in Cloud Foundation and must be able to
resolve the DNS records used during installation.
NTP Displays the IP address(es) or FQDN(s) of the external NTP server(s) you
specified as part of the Cloud Foundation bringup process. The NTP servers
are used for the vRealize Automation components in Cloud Foundation and
must be reachable during installation.
Important The installation derives the Active Directory domain name for the computer account from
the DNS suffix provided in the host name for each vRealize Automation IaaS component. For
example, a host name of vra01iws01a.rainpole.local derives the Active Directory domain
rainpole.local. If the DNS suffix is different from the Active Directory domain name, the installation will
be unsuccessful. For more information, see Knowledge Base article 59128 vRealize Automation
deployment in VMware Cloud Foundation does not allow for the explicit identification of the Active
Directory domain name.
Note If you completed the settings for vRealize Suite Lifecycle Manager when deploying
vRealize Operations, its configuration will be presented.
Setting Description
DEM Workers
DEM Worker 1 Enter the FQDN as provided in the certificate.
Proxy Agents
Proxy Agent 1 Enter the FQDN.
Load Balancers When you deploy vRealize Automation, an NSX Edge Service Gateway is
deployed as a one-armed load balancer.
DNS Displays the IP address(es) of the external DNS server(s) you specified as part
of the Cloud Foundation bringup process. The DNS servers are used for the
vRealize Automation components in Cloud Foundation and must be able to
resolve the DNS records used during installation.
NTP Displays the IP address(es) or FQDN(s) of the external NTP server(s) you
specified as part of the Cloud Foundation bringup process. The NTP servers
are used for the vRealize Automation components in Cloud Foundation and
must be reachable during installation.
9 On the Account Information page, enter the settings and click Next to continue.
Note If you completed the settings for vRealize Suite Lifecycle Manager when deploying
vRealize Operations, its configuration will be presented.
Setting Description
Active Directory Use these settings to provide the service account that is used for services
on the IaaS VMs. This account must have administrative permissions to join
Windows VMs to Active Directory.
Microsoft SQL Server Use these settings to create the connection to the database.
Local Tenant Administrator Use these settings to define the administrative user for the default
vRealize Automation tenant.
10 On the Review Summary page, review a summary of the installation configuration settings.
Note If necessary, you can use the Back button to return to preceding pages and modify settings.
You can also proceed without validation.
11 Click Finish.
The vRealize Automation page displays with the following message: Deployment in progress. If
the deployment fails, this page displays a deployment status of Failed. In this case, you can Retry
or Uninstall.
Important If you select the option to uninstall, note that the uninstall operation does not
remove the computer accounts from Active Directory. As a result, a reinstallation could
fail. Manually remove the computer accounts from Active Directory and recreate the Microsoft SQL
Server database for vRealize Automation. See the VMware Cloud Foundation Planning and
Preparation Guide.
12 (Optional) Click View Status in Tasks to view the details of the deployment in progress or a
deployment failure.
The Tasks panel opens at the bottom of the page. You can open individual tasks to view details.
13 (Optional) After the successful deployment of vRealize Automation, click the vRealize Automation link
below the page title.
After the successful deployment of vRealize Automation, the vRealize Automation page in SDDC
Manager > Administration > vRealize Suite displays an ACTIVE status and displays controls that
enable you to connect vRealize Automation to workload domains.
What to do next
You must manually start the vRealize Orchestrator configuration service. See Start the vRealize
Orchestrator Configurator Service in Cloud Foundation.
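The Network Settings requirements in the deployment procedure above (a VLAN ID between 0 and 4094, a valid subnet mask, and IaaS host names whose DNS suffix equals the Active Directory domain) can be checked before the wizard is started. The following is an added example, not VMware or SDDC Manager code; the function names and all sample values other than vra01iws01a.rainpole.local are assumptions constructed for illustration.

```python
"""Pre-flight checks for the vRealize Automation Network Settings inputs.

Added example; not part of Cloud Foundation. Sample values are constructed.
"""
import ipaddress


def vlan_id_ok(vlan_id):
    """The guide requires a VLAN ID between 0 and 4094."""
    return (isinstance(vlan_id, int) and not isinstance(vlan_id, bool)
            and 0 <= vlan_id <= 4094)


def subnet_mask_ok(mask):
    """A valid mask is a dotted quad whose set bits are contiguous from the left."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except (ipaddress.AddressValueError, ValueError):
        return False
    inverted = value ^ 0xFFFFFFFF
    # The host part must look like 0...01...1, so (inverted + 1) is a power of two.
    return value != 0 and (inverted & (inverted + 1)) == 0


def dns_suffix(fqdn):
    """Everything after the first label, lower-cased, without a trailing dot."""
    host, _, suffix = fqdn.strip().rstrip(".").partition(".")
    return suffix.lower() if host else ""


def check_iaas_hosts(fqdns, ad_domain):
    """Return the host names whose DNS suffix differs from the AD domain.

    The installation derives the computer account's AD domain from this
    suffix, so every name returned here would make the installation fail.
    """
    wanted = ad_domain.strip().rstrip(".").lower()
    return [name for name in fqdns if dns_suffix(name) != wanted]


def preflight(vlan_id, mask, fqdns, ad_domain):
    """Collect every problem found instead of stopping at the first one."""
    problems = []
    if not vlan_id_ok(vlan_id):
        problems.append(f"VLAN ID {vlan_id!r} is not between 0 and 4094")
    if not subnet_mask_ok(mask):
        problems.append(f"subnet mask {mask!r} is not valid")
    for name in check_iaas_hosts(fqdns, ad_domain):
        problems.append(
            f"{name}: DNS suffix {dns_suffix(name)!r} does not match "
            f"Active Directory domain {ad_domain!r}"
        )
    return problems


# Constructed sample input. Only the first host name comes from the guide.
SAMPLE_HOSTS = [
    "vra01iws01a.rainpole.local",
    "vra01ims01a.rainpole.local",
    "vra01dem01a.sfo01.rainpole.local",  # extra label: derived domain is sfo01.rainpole.local
    "vra01ias01a",                       # short name: no DNS suffix to derive a domain from
]

if __name__ == "__main__":
    for line in preflight(2220, "255.255.255.0", SAMPLE_HOSTS, "rainpole.local"):
        print("FAIL", line)
```

Comparison is case-insensitive and ignores a trailing dot, so rainpole.local and Rainpole.Local. are treated as the same domain.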
Procedure
1 Log in to the first vRealize Automation appliance by using a Secure Shell (SSH) client to configure the
embedded vRealize Orchestrator Configurator service.
a Run the following command to verify that the service is set to automatically start.
chkconfig vco-configurator
b If the service reports Off, run the following command to enable an automatic restart of the
vRealize Orchestrator Configurator service upon subsequent reboots of the vRealize Automation
appliance.
chkconfig vco-configurator on
c Verify the status of the vRealize Orchestrator Configurator service by running the following
command.
d Repeat the procedure to configure vRealize Orchestrator for the other vRealize Automation
appliances.
Procedure
1 On the SDDC Manager Dashboard, select Inventory > Workload Domains from the Navigation
pane.
4 Under the VMware Cloud Foundation Components section, click on the link for the vCenter Server.
A new browser window opens the landing page for the vSphere Web Client.
5 In the Welcome to VMware vSphere browser window, click the link for vSphere Web Client
(Flash).
6 In the Navigator, select Host and Clusters and expand the tree for the Management Domain
vCenter Server instance.
a Select the Management Domain cluster and click the Configure tab.
d In the Create VM/Host Group dialog box, enter vRealize Automation IaaS Database in the
Name text box, select VM Group from the Type drop-down menu, and click the Add button.
e In the Add VM/Host Group Member dialog box, select the virtual machine for the Microsoft SQL
Server (for example, vra01mssql01) and click OK.
vRealize Automation IaaS Web Servers vRealize Automation IaaS Web Server 1
vRealize Automation IaaS Manager Servers vRealize Automation IaaS Manager Server 1
vRealize Automation IaaS DEM Workers vRealize Automation IaaS DEM Worker 1
9 Create a rule to power on the vRealize Automation IaaS database virtual machine before the
vRealize Automation virtual appliances and vRealize Automation IaaS virtual machines.
a Select the Management Domain cluster and click the Configure tab.
d In the Create VM/Host Rule dialog box, enter SDDC Cloud Management Platform 01 in the
Name text box, ensure the Enable Rule check box is selected, and select Virtual Machines to
Virtual Machines from the Type drop-down menu.
e Select vRealize Automation IaaS Database from the First restart VMs in VM group drop-down
menu.
f Select vRealize Automation Virtual Appliances from the Then restart VMs in VM group drop-
down menu, and click OK.
10 Repeat Step 5 to create the following VM/Host Rules to ensure the correct restart order for your
Cloud Management Platform.
VM/Host Rule Name                    First restart VMs in VM group              Then restart VMs in VM group
SDDC Cloud Management Platform 02    vRealize Automation Virtual Appliances     vRealize Automation IaaS Web Servers
SDDC Cloud Management Platform 03    vRealize Automation IaaS Web Servers       vRealize Automation IaaS Manager Servers
SDDC Cloud Management Platform 04    vRealize Automation IaaS Manager Servers   vRealize Automation IaaS DEM Workers
SDDC Cloud Management Platform 05    vRealize Automation IaaS Manager Servers   vRealize Automation Proxy Agents
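The five VM/Host rules above form a dependency chain, and a missing or mistyped rule leaves a VM group with no defined restart position. The following added example (not VMware code; the function names are assumptions) derives the restart tiers implied by the rules listed in this procedure and reports groups that no rule covers.

```python
"""Derive the restart order implied by the VM/Host rules (added example)."""
from collections import defaultdict

DB = "vRealize Automation IaaS Database"
VA = "vRealize Automation Virtual Appliances"
WEB = "vRealize Automation IaaS Web Servers"
MGR = "vRealize Automation IaaS Manager Servers"
DEM = "vRealize Automation IaaS DEM Workers"
PROXY = "vRealize Automation Proxy Agents"
ALL_GROUPS = [DB, VA, WEB, MGR, DEM, PROXY]

# (rule name, first restart VM group, then restart VM group), as listed in the procedure.
RULES = [
    ("SDDC Cloud Management Platform 01", DB, VA),
    ("SDDC Cloud Management Platform 02", VA, WEB),
    ("SDDC Cloud Management Platform 03", WEB, MGR),
    ("SDDC Cloud Management Platform 04", MGR, DEM),
    ("SDDC Cloud Management Platform 05", MGR, PROXY),
]


def restart_tiers(rules):
    """Group VM groups into tiers; a group restarts after every group it waits on.

    Raises ValueError if the rules contain a cycle, because then no valid
    restart order exists.
    """
    waits_on = defaultdict(set)
    groups = set()
    for _name, first, then in rules:
        waits_on[then].add(first)
        groups.update((first, then))

    tiers, placed = [], set()
    while len(placed) < len(groups):
        # A group is ready once everything it waits on has been placed.
        ready = sorted(g for g in groups - placed if waits_on[g] <= placed)
        if not ready:
            stuck = ", ".join(sorted(groups - placed))
            raise ValueError("cyclic restart rules involving: " + stuck)
        tiers.append(ready)
        placed.update(ready)
    return tiers


def unordered_groups(rules, expected_groups):
    """VM groups that appear in no rule and so have no defined restart position."""
    covered = {g for _name, first, then in rules for g in (first, then)}
    return sorted(set(expected_groups) - covered)


if __name__ == "__main__":
    for number, tier in enumerate(restart_tiers(RULES), start=1):
        print(f"tier {number}: " + "; ".join(tier))
    print("not covered by any rule:", unordered_groups(RULES, ALL_GROUPS))
```

The DEM Workers and Proxy Agents groups land in the same final tier because both rules 04 and 05 make them wait only on the IaaS Manager Servers.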
Procedure
You can enter a license key for vRealize Operations or a suite license for a product that includes
vRealize Operations. For example, vCloud Suite or vRealize Suite.
If you have multiple license keys for a product, the description can help in identifying the license.
6 Click Add.
Prerequisites
- Verify you have a valid license key for vRealize Operations, which is purchased separately from
Cloud Foundation. You must add the license key to Cloud Foundation before deploying
vRealize Operations. See Add a vRealize Operations License Key to Cloud Foundation.
- Verify you have downloaded the vRealize Suite bundles from the VMware Depot. The bundle is
obtained separately from the Cloud Foundation installation download.
For more information, see the VMware Cloud Foundation Planning and Preparation Guide.
- Verify you have configured the VLAN and IP subnet on the switches for the vRealize Suite products.
For more information, see the VMware Cloud Foundation Planning and Preparation Guide.
- Verify that IP allocation and forward/reverse DNS records are prepared for the vRealize Operations
components.
For more information, see the VMware Cloud Foundation Planning and Preparation Guide.
- Verify that you have determined the size of the vRealize Operations deployment to provide enough
resources to accommodate the analytics operations for monitoring the expected number of workloads
and SDDC management packs in the Cloud Foundation system.
For more information, use the online vRealize Operations Sizing utility.
Procedure
The vRealize Suite navigation appears, listing the vRealize Suite products available for your
Cloud Foundation system deployment.
3 Click Deploy.
The vRealize Operations Installation Prerequisites page displays the prerequisites that you must
complete before beginning the installation.
4 Review the readiness of each prerequisite and verify by selecting each adjacent check box.
When all the boxes are selected, the Begin button is activated.
5 Click Begin.
6 On the Deployment Details page, enter the settings and click Next to continue.
Setting Description
License Key Select a valid license for vRealize Operations. This license may be for
vRealize Operations, vRealize Suite, or vCloud Suite. If no key is available,
you can add one in Administration > Licensing.
High Availability Optionally, move the button to green to deploy vRealize Operations with
high availability configured.
Note If you enable High Availability, you must specify a Node Size of
Medium or larger.
Note If you enable High Availability, you must specify a Node Count of 2
or more.
Note The Node Size limits the number of nodes you can specify. Review the vRealize Operations
Sizing Guidelines in VMware Knowledge Base article 54370.
7 On the Network Settings page, enter the settings and click Next to continue.
Note If you completed the network configuration when deploying vRealize Automation, you can skip
this step.
Setting Description
VLAN ID Enter a valid VLAN ID between 0 and 4094 for the dedicated network.
Subnet Mask Provide a valid subnet mask for the dedicated network.
DNS Displays the IP address(es) of the external DNS server(s) you specified as part
of the Cloud Foundation bringup process. The DNS servers are used for the
vRealize Operations components in Cloud Foundation and must be able to
resolve the DNS records used during installation.
NTP Displays the IP address(es) or FQDN(s) of the external NTP server(s) you
specified as part of the Cloud Foundation bringup process. The NTP servers
are used for the vRealize Operations components in Cloud Foundation and
must be reachable during installation.
Note If you completed the settings for vRealize Suite Lifecycle Manager when deploying
vRealize Automation, its configuration will be presented.
Setting Description
Load Balancers When you deploy vRealize Operations, an NSX Edge Service Gateway is deployed as a one-armed
load balancer.
vRealize Operations Enter the FQDN for the vRealize Operations virtual server on the
NSX Edge load balancer.
vRealize Operations Nodes
Node 1 Enter the FQDN.
Node n Enter the FQDN for each Node n.
vRealize Suite Lifecycle Manager
vRealize Suite Lifecycle Manager Enter the FQDN.
9 On the Account Information page, enter the settings and click Next to continue.
Note If you completed the settings for vRealize Suite Lifecycle Manager when deploying
vRealize Automation, its configuration will be presented.
Setting Description
10 On the Review Summary page, review a summary of the installation configuration settings.
Note If necessary, you can use the Back button to return to preceding pages and modify settings.
You can also proceed without validation.
11 Click Finish.
The vRealize Operations page displays with the following message: Deployment in progress.
If the deployment fails, this page displays a deployment status of Failed and prompts you to
Uninstall.
Click Uninstall to return to the vRealize Operations page. Confirm your configuration settings, and
retry the deployment operation.
12 After deploying vRealize Operations on Cloud Foundation, you must replace the security certificate.
13 (Optional) Click View Status in Tasks to view the details of the deployment in progress or a
deployment failure.
The Tasks panel opens at the bottom of the page. You can open individual tasks to view details.
14 (Optional) After the successful deployment of vRealize Operations, click the vRealize Operations link
below the page title.
After the successful deployment of vRealize Operations, the vRealize Operations page in SDDC
Manager > Administration > vRealize Suite displays an ACTIVE status and displays controls that
enable you to connect vRealize Operations to workload domains.
Prerequisites
Verify that you have successfully replaced the vRealize Operations Manager certificate using the
workflow described in Chapter 4 Managing Certificates for Cloud Foundation Components.
Procedure
1 Log in to the management vCenter Server and navigate to Home > Networking & Security.
3 Confirm that the IP address in the NSX Manager field is identical to the IP address for the
NSX Manager for the management domain in Cloud Foundation.
7 Find and click the profile named vrops-https, and click Edit.
When connected, vRealize Automation and vRealize Operations monitor and collect data on the workload
domains in Cloud Foundation.
Note This version of Cloud Foundation does not support vRealize Automation or vRealize Operations
for NSX-T workload domains. NSX for vSphere workload domains are supported.
By default, the management workload domain is connected to vRealize Operations. You can also enable
log collection by enabling vRealize Log Insight within SDDC Manager.
Important Once you enable a connection between vRealize Automation and a workload domain, and
then complete the connection wizard, you cannot disable the connection.
Prerequisites
- Verify that vRealize Automation and vRealize Operations are deployed and operational.
Procedure
Note This version of Cloud Foundation does not support vRealize Automation or vRealize Operations
for NSX-T workload domains. NSX for vSphere workload domains are supported.
Prerequisites
- Before you can connect the management domain or workload domains to vRealize Operations, it must
be deployed. For more information, see Deploy vRealize Operations in Cloud Foundation.
- Before you can connect workload domains to vRealize Automation, it must be deployed. For more
information, see Deploy vRealize Automation in Cloud Foundation.
Procedure
The Connect to Workload Domains wizard opens to the Modify Connection page. This page
lists all currently configured workload domains and enables you to connect vRealize Operations
to each.
The Connect to Workload Domains wizard opens to the Modify Connection page. This page
lists all currently configured workload domains and enables you to connect vRealize Automation
to each.
Important If you enable a connection between vRealize Automation and a workload domain,
and then complete the Connect to Workload Domains wizard, you cannot disable the
connection.
5 If prompted, provide the Active Directory credentials used during the deployment of
vRealize Automation and click Next. See Deploy vRealize Automation in Cloud Foundation.
a On the vRealize Operations or vRealize Automation page, click the product name link below
the page title.
The vRealize Operations or vRealize Automation administrative interface opens to the Home page.
The Solutions page displays the status of adapters for solutions connected to
vRealize Operations. When successfully connected, the status indicates Data Receiving.
Note You may need to refresh the Solutions page to update the status.
Note This version of Cloud Foundation does not support vRealize Automation or vRealize Operations
for NSX-T workload domains. NSX for vSphere workload domains are supported.
Prerequisites
- Before you can connect the management domain or workload domains to vRealize Operations, it must
be deployed. For more information, see Deploy vRealize Operations in Cloud Foundation.
- Before you can connect workload domains to vRealize Automation, it must be deployed. For more
information, see Deploy vRealize Automation in Cloud Foundation.
Procedure
The Workload Domains page displays information for all workload domains.
The Connect to vRealize Products wizard opens to the Modify Connection page. This page lists
all currently configured workload domains and enables you to connect workload domains to either
your vRealize Operations or vRealize Automation deployments.
5 If prompted, provide the Active Directory credentials used during the deployment of
vRealize Automation and click Next. See Deploy vRealize Automation in Cloud Foundation.
Important If you enable a connection between vRealize Automation and a workload domain, and
then complete the Connect to Workload Domains wizard, you cannot disable the connection.
Once enabled, you cannot disable the connection to vRealize Log Insight. All subsequently created
workload domains will automatically connect and send logs to the vRealize Log Insight cluster.
Prerequisites
- Verify you have a valid license key for vRealize Log Insight, which is purchased separately from
Cloud Foundation.
You can view your license in the vRealize Log Insight interface by navigating to Management >
License.
- Verify that the vRealize Log Insight cluster is online and operational.
Procedure
The vRealize Suite navigation appears, listing the vRealize Suite products available for your
Cloud Foundation system deployment.
The top portion of the page allows you to enable log collection for all workload domains. If not
enabled, the Enable button is active.
The lower portion of the page displays the configuration details, including load balancer hostname,
node size, and node count.
3 Click Enable.
After a moment, the page will update with a message indicating Connect Workload Domains to
vRealize Log Insight in Progress. In Tasks, monitor the Status of the Connect Workload
Domains to vRealize Log Insight action. Once Successful, vRealize Log Insight will collect logs
from both the management workload domain and all additional workload domains.
11 Stretching Clusters
You can stretch a cluster in the management domain or in an NSX for vSphere VI workload domain
across two availability zones. You cannot stretch a cluster in an NSX-T VI workload domain.
You can perform a planned maintenance on an availability zone without any downtime and then
migrate the applications after the maintenance is completed.
- Automated recovery
Stretching a cluster automatically initiates VM restart and recovery, and has a low recovery time
objective for the majority of unplanned failures.
- Disaster avoidance
With a stretched cluster, you can prevent service outages before an impending disaster such as a
hurricane or rising flood levels.
- Stretch a Cluster
The physical distance between availability zones is short enough to offer low, single-digit latency (less
than 5 ms) and large bandwidth (10 Gbps) between the zones. Hence, availability zones can either be
two distinct data centers in a metro distance, or two safety or fire sectors (data halls) in the same large-
scale data center.
The recommended minimum number of hosts in each availability zone is 4 hosts and the maximum is 15
hosts. If you are expanding a cluster, you must add hosts in pairs. Each host in the pair must have the
same CPU, memory, and storage.
Note Cloud Foundation supports stretching a cluster across two availability zones within a region.
- Download the Deployment for Multiple Availability Zones document and read it to understand the
requirements.
- Ensure that you have a vSAN Enterprise license, which is required for stretching a cluster.
- The management VLAN between the two availability zones must be stretched.
- All VMs on an external network must be on a virtual wire. If they are on a VLAN, that VLAN must be
stretched as well.
- Each availability zone must have its own vMotion, vSAN, and VXLAN networks.
- The vMotion, vSAN, and VXLAN networks require L3 routing between the availability zones. vSAN
networks must also have L3 routing to the vSAN network of the witness host.
- Each stretched cluster requires a vSAN witness appliance in a third party location. The maximum
RTT on the witness is 200 ms.
- If you are stretching a cluster in a VI workload domain, you must stretch the management domain
cluster first. vCenter Servers for all workload domains are in the management domain. Hence, you
must protect the management domain to ensure that you can access and manage the workload
domains.
- Ensure that you have enough hosts such that there is an equal number of hosts on each availability
zone. This is to ensure that there are sufficient resources in case an availability zone goes down
completely.
- TCP and UDP ports must be open for witness traffic between the witness host and the vSAN
cluster data nodes. See KB article 52959.
Stretch a Cluster
This procedure describes how to stretch a cluster across two availability zones.
As an example, we will follow a use case with two availability zones in two buildings in an office campus -
AZ1 and AZ2. Each availability zone has its own power supply and network. The management domain is
on AZ1 and contains the default cluster, SDDC-Cluster1. This cluster contains four ESXi hosts. AZ1 also
contains the default bring-up pool, bringup-networkpool.
MTU=9000
Network=172.16.13.0
netmask 255.255.255.0
gateway 172.16.13.1
IP range=172.16.13.11 - 172.16.13.59
MTU=9000
Network=172.16.12.0
netmask 255.255.255.0
gateway 172.16.12.1
IP range=172.16.12.11 - 172.12.13.59
There are four ESXi hosts in AZ2 that are not in the Cloud Foundation inventory yet.
We will stretch the default cluster SDDC-Cluster1 in the management domain from AZ1 to AZ2.
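A pre-flight check for the example above, added here and not part of VMware's documentation or tooling: it validates each network pool entry and the two-zone layout against the prerequisites listed earlier (a separate vMotion and vSAN network per zone, equal host counts, 4 to 15 hosts per zone). The names PoolNetwork, check_network and check_stretch_plan are hypothetical, the vSAN and vMotion labels for each subnet are taken from the figure, and the AZ1 ranges are entered exactly as printed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_HOSTS_PER_AZ, MAX_HOSTS_PER_AZ = 4, 15   # recommended limits stated on the page
REQUIRED_KINDS = ("vMotion", "vSAN")         # traffic types carried in a network pool


@dataclass
class PoolNetwork:
    network: str
    netmask: str
    gateway: str
    ip_range: Optional[Tuple[str, str]] = None   # (first, last), when the pool lists one


def subnet_of(n):
    """Parse network/netmask; return None when the pair is not a valid subnet."""
    try:
        return ipaddress.ip_network(f"{n.network}/{n.netmask}", strict=True)
    except ValueError:
        return None


def check_network(label, n):
    """Return a list of problems found in one network pool entry."""
    net = subnet_of(n)
    if net is None:
        return [f"{label}: {n.network}/{n.netmask} is not a valid subnet"]
    try:
        gateway = ipaddress.ip_address(n.gateway)
        bounds = [ipaddress.ip_address(a) for a in (n.ip_range or ())]
    except ValueError as exc:
        return [f"{label}: {exc}"]
    problems = []
    if gateway not in net:
        problems.append(f"{label}: gateway {gateway} is outside {net}")
    for name, addr in zip(("range start", "range end"), bounds):
        if addr not in net:
            problems.append(f"{label}: {name} {addr} is outside {net}")
    if len(bounds) == 2:
        first, last = bounds
        if first > last:
            problems.append(f"{label}: range start {first} is after range end {last}")
        elif first <= gateway <= last:
            problems.append(f"{label}: gateway {gateway} falls inside the host IP range")
    return problems


def check_stretch_plan(az1, az2):
    """Check two availability-zone definitions against the page's prerequisites."""
    problems = []
    for az_name, az in (("AZ1", az1), ("AZ2", az2)):
        count = len(az["hosts"])
        if not MIN_HOSTS_PER_AZ <= count <= MAX_HOSTS_PER_AZ:
            problems.append(f"{az_name}: {count} hosts, expected "
                            f"{MIN_HOSTS_PER_AZ} to {MAX_HOSTS_PER_AZ}")
        for kind in REQUIRED_KINDS:
            if kind not in az["networks"]:
                problems.append(f"{az_name}: no {kind} network defined")
        for kind, n in az["networks"].items():
            problems += check_network(f"{az_name} {kind}", n)
    if len(az1["hosts"]) != len(az2["hosts"]):
        problems.append("host count differs between AZ1 and AZ2")
    # Each zone must have its own network per traffic type, so subnets may not overlap.
    for kind in REQUIRED_KINDS:
        if kind in az1["networks"] and kind in az2["networks"]:
            a, b = subnet_of(az1["networks"][kind]), subnet_of(az2["networks"][kind])
            if a is not None and b is not None and a.overlaps(b):
                problems.append(f"{kind}: AZ1 {a} and AZ2 {b} overlap; "
                                f"each zone needs its own {kind} network")
    return problems


# Values from the page's worked example. Host names for AZ1 follow the figure.
AZ1 = {
    "hosts": ["Host 1", "Host 2", "Host 3", "Host 4"],
    "networks": {
        "vSAN": PoolNetwork("172.16.13.0", "255.255.255.0", "172.16.13.1",
                            ("172.16.13.11", "172.16.13.59")),
        # Range end entered exactly as printed on the page.
        "vMotion": PoolNetwork("172.16.12.0", "255.255.255.0", "172.16.12.1",
                               ("172.16.12.11", "172.12.13.59")),
    },
}
AZ2 = {
    "hosts": ["172.16.11.105", "172.16.11.106", "172.16.11.107", "172.16.11.108"],
    "networks": {
        "vSAN": PoolNetwork("172.16.21.0", "255.255.255.0", "172.16.21.1"),
        "vMotion": PoolNetwork("172.16.20.0", "255.255.255.0", "172.16.20.1"),
    },
}

if __name__ == "__main__":
    for problem in check_stretch_plan(AZ1, AZ2):
        print("PROBLEM:", problem)
```

Run against the values as printed, the check reports that the AZ1 vMotion range end lies outside 172.16.12.0/24, so confirm the intended range before creating the pool.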
[Figure: Management cluster stretched across AZ1 to AZ2. Hosts 1 to 4 are in AZ1 and Hosts 5 to 8 are in AZ2.]
Management: 1611, 172.16.11.0/24, GW 172.16.11.1
vSAN: L3 routing between AZ1 and AZ2 hosts; L3 routing between AZ1/AZ2 hosts and witness
vMotion: L3 routing between AZ1 and AZ2 hosts
AZ1: vMotion: 1612, 172.16.12.0/24, GW 172.16.12.1; VXLAN: 1614, 172.16.14.0/24, GW 172.16.14.1; vSAN: 1613, 172.16.13.0/24, GW 172.16.13.1
AZ2: vMotion: 1612, 172.16.20.0/24, GW 172.16.20.1; VXLAN: 1614, 172.16.22.0/24, GW 172.16.22.1; vSAN: 1613, 172.16.21.0/24, GW 172.16.21.1
Prerequisites
Ensure you have completed the steps listed in Prerequisites for Stretching a Cluster.
Procedure
Based on our example, here are the network details for the network pool.
MTU=9000
Network=172.16.21.0
Netmask=255.255.255.0
Gateway=172.16.21.1
MTU=9000
Network=172.16.20.0
netmask 255.255.255.0
gateway 172.16.20.1
2 Commission the four hosts in AZ2 and associate them with AZ2-networkpool. In our example, these
are 172.16.11.105, 172.16.11.106, 172.16.11.107, 172.16.11.108.
4 Prepare the cluster for stretching. The procedure to be followed depends on the Cloud Foundation
version in your environment.
2 Using SSH, log in to the SDDC Manager VM with the user name vcf and password you
specified in the deployment parameter sheet.
3 Using a file transfer utility, copy the file from the local computer to the /tmp directory on the
SDDC Manager VM.
cd /tmp
tar xf vsan-stretch-cluster-10365586.tar
6 Monitor the progress of the AZ2 hosts being added to the cluster.
- In Cloud Foundation 3.5.1, use SoS commands to prepare the cluster. See SoS Utility Options for
vSAN Stretched Clusters in SoS Utility Options.
When the AZ2 hosts have been added to SDDC-Cluster1, it is ready to be stretched.
If there are any errors, resolve them before proceeding to the next step.
6 Follow the steps listed below as described in the Deployment for Multiple Availability Zones document
to add a vSAN witness, separate the ESXi nodes into AZ1 and AZ2, and make configuration changes
to support the two availability zones.
b "Add Static Routes for Both Availability Zones and the vSAN Witness Host"
If the default gateway in the vSAN network provided for the network pool does not provide routing
between the two availability zones and the witness host, perform all the steps in this procedure.
You must perform steps 1 and 2 on all ESXi hosts in both availability zones.
If the gateways for both availability zones provide access to the vSAN network of the witness
host, only perform step 3.
c Check connectivity between the vSAN vmkernel adapters in the two availability zones and the
witness host by following the instructions in KB article 1003728. Resolve errors, if any, before
proceeding to the next step.
d "Configure vSAN Stretched Cluster for the Management Cluster in Region A"
In step 5 of the section "Update the vSphere High Availability Settings of the Management Cluster
in Region A", set Host failures cluster tolerates to the number of hosts in AZ1.
Note Skip the section Update Host Profiles to Capture the vSAN Stretched Cluster
Configuration.
7 Validate that stretched cluster operations are working correctly by logging in to the vSphere Web
Client.
1 On the home page, click Host and Clusters and then select the stretched cluster (SDDC-
Cluster1 in our example).
3 Click Retest.
1 On the home page, click Policies and Profiles > VM Storage Policies > vSAN Default
Storage Policies.
2 Select the policy associated with the vCenter Server for the stretched cluster.
4 Click Refresh.
Procedure
1 Commission the additional hosts to Cloud Foundation. For each pair of hosts, associate one with the
network pool in AZ1 and the other with the network pool in AZ2.
2 Run the stretch_vsan.py script that you had downloaded as part of the stretch cluster procedure.
The script adds the newly commissioned hosts to the stretched cluster. The cluster now has four fault
domains in all - two for the original hosts and a fault domain for each host that was added to the
cluster.
3 If required, SSH in to each newly added host and add a static route to the vSAN network of the
witness host. Add static routes in the witness if it cannot reach the vSAN network of the newly
added hosts.
4 Move the added host to the appropriate availability zone so that the cluster is back to containing two
fault domains again.
a On the SDDC Manager Dashboard, click Hosts and Clusters and then click the host name.
b Click the Services tab and click the vSphere Launch icon.
c In the vSphere Web Client, select the stretched cluster. Then select Configure > vSAN > Fault
Domains & Stretched Cluster.
d Select the first newly added host associated with the network pool on AZ1 and drag it to AZ1.
e Select the second newly added host associated with the network pool on AZ2 and drag it to AZ2.
5 Add these hosts to the VMHost rule so that you can deploy VMs on all hosts.
a In the vSphere Web Client, select Hosts and Clusters and then select the stretched cluster.
d Select the ESXi hosts newly added to availability zone 1 and click OK.
6 Update the value for Host failures cluster tolerates to the number of hosts in AZ1 after the
expansion.
b From the Home menu, select Hosts and Clusters and expand the stretched cluster.
e On the Admission Control page of the Edit Cluster Settings dialog box, set Host failures cluster
tolerates to the number of hosts in AZ1 and click OK.
Prerequisites
- Image the replacement host with the same ESXi version as the other hosts in the cluster.
Procedure
3 Commission the replacement host to the same network pool as the removed host.
4 Run the stretch_vsan.py script to add the new host to the stretched cluster.
5 If required, SSH in to the newly added host and add a static route to the vSAN network of the witness
host. Add static routes in the witness if it cannot reach the vSAN network of the newly added host.
6 In the vSphere Web Client, move the host to the appropriate availability zone.
a On the SDDC Manager Dashboard, click Hosts and Clusters and then click the name of the new
host.
b Click the Services tab and click the vSphere Launch icon.
c In the vSphere Web Client, select the stretched cluster. Then select Configure > vSAN > Fault
Domains & Stretched Cluster.
d Select the newly added host and drag it to the appropriate availability zone.
7 If the host belongs to AZ1, add the host to the AZ1 VMHost rule. If the host belongs to AZ2, no
operation is required.
a In the vSphere Web Client, select Hosts and Clusters and then select the stretched cluster.
You use the built-in monitoring capabilities for these typical scenarios.
Scenario | Examples
Are the systems online? | A host or other component shows a failed or unhealthy status.
Why did a storage drive fail? | Hardware-centric views spanning inventory, configuration, usage, and event history to provide for diagnosis and resolution.
Is the infrastructure meeting tenant service level agreements (SLAs)? | Analysis of system and device-level metrics to identify causes and resolutions.
At what future time will the systems get overloaded? | Trend analysis of detailed system and device-level metrics, with summarized periodic reporting.
What person performed which action and when? | History of secured user actions, with periodic reporting. Workflow task history of actions performed in the system.
Tasks and subtasks | A task is a unit of work or a series of subtasks that perform an overall goal, such as creating a workload domain.
vRealize Log Insight instance deployed by Cloud Foundation | Use of the vRealize Log Insight instance deployed by Cloud Foundation is licensed separately. When this deployed vRealize Log Insight instance is licensed for use in your environment, and enabled in the SDDC Manager Dashboard, log content for the physical resources and the VMware SDDC virtual infrastructure are sent to the vRealize Log Insight instance. As a result, when you log in to the vRealize Log Insight Web interface, you can obtain a unified view of event and syslog information to assist with troubleshooting. Data from the events and audit events raised by Cloud Foundation is also sent to vRealize Log Insight. You can use the searching, query, and reporting features of vRealize Log Insight to create trend reports and auditing reports from the event history. See Using vRealize Log Insight Capabilities in Your Cloud Foundation System.
In addition to the most recent tasks, you can view and search for all tasks by clicking View All Tasks at
the bottom of the Recent Tasks widget. This opens the Tasks panel.
Note For more information about controlling the widgets that appear on the Dashboard page of the
SDDC Manager Dashboard, see Tour of the SDDC Manager User Interface.
- Search tasks by clicking the filter icon in the Task column header and entering a search string.
- Filter tasks by status by clicking the filter icon in the Status column. Select by category All, Failed,
Successful, Running, or Pending.
Note Each category also displays the number of tasks with that status.
- Clear all filters by clicking Reset Filter at the top of the Tasks panel.
Note You can also sort the table by the contents of the Status and Last Occurrence columns.
- If a task is in a Failed state, you can also attempt to restart it by clicking Restart Task.
- If a task is in a Failed state, click the icon next to the Failed status to view a detailed report on the
cause.
Note You can filter subtasks in the same way you filter tasks.
Note You can also sort the table by the contents of the Status and Last Occurrence columns.
vRealize Log Insight is a log aggregator that provides simplified log viewing and analysis. The
vRealize Log Insight instance collects and indexes log content for the environment's physical resources
and virtual infrastructure, and provides unified querying and analysis of the log content for problem
diagnosis and repair. Similarly, SDDC Manager is configured by default to send all logs to
vRealize Log Insight, enabling users to browse and search logs to troubleshoot SDDC Manager failures.
You can configure the vRealize Log Insight instance for remote syslog forwarding to an instance of
vRealize Log Insight that is external to the Cloud Foundation system or to another syslog server. To
configure vRealize Log Insight to forward events to a syslog target, see Add vRealize Log Insight Event
Forwarding Destination in the vRealize Log Insight documentation.
To log in to the vRealize Log Insight Web interface from the SDDC Manager Dashboard, see Enable
vRealize Log Insight in Cloud Foundation.
Content Packs
The vRealize Log Insight instance includes a set of content packs. Content packs are read-only plug-ins
to vRealize Log Insight that provide pre-defined knowledge about specific types of events such as log
messages. The purpose of a content pack is to provide knowledge about a specific set of events in a
format that is easily understandable by administrators, monitoring teams, and executives. A content pack
consists of information that can be saved from either the Dashboards or Interactive Analytics pages in the
vRealize Log Insight Web interface. Such information typically includes:
- Queries
- Fields
- Aggregations
- Alerts
- Dashboards
The vRealize Log Insight instance includes a number of VMware content packs, including the
Cloud Foundation content pack. In the vRealize Log Insight web interface, these content packs display as
widgets in the Dashboards > VMware-VCF page.
General | This content pack includes multiple subcategories of dashboards and analytics including overview, problems, event types, statistics, and agents.
VMware - NSX for vSphere | This content pack provides various dashboards and filters to give you insight into the data that is sent by the NSX for vSphere virtual infrastructure in the management and workload domains' vCenter Server instances.
VMware - Cloud Foundation | This content pack includes an overview dashboard that gives overall summary views of the data sent by the Cloud Foundation, and also provides detailed views for the various levels of interest, such as rack-level, server-level, switch-level, device-level, and so on.
VMware - vSAN | This content pack provides various dashboards and filters to give you insight into the logs that are sent by the management and workload domains' vSAN features.
VMware - vSphere | This content pack provides various dashboards and filters to give you insight into the data that is sent by the management and workload domains' vCenter Server instances.
VMware - vROPs | This content pack provides various dashboards and filters to give you insight into the logs that are sent by the management and workload domains' vRealize Operations features.
To see the dashboards for one of the content packs in the vRealize Log Insight Web interface, select
Dashboards and then select the specific content pack dashboard in the left hand navigation bar.
During bring-up, SDDC Manager deploys and configures the vRealize Log Insight virtual appliance. From
your deployed vRealize Log Insight instance, you can view and analyze logs to assist in troubleshooting,
trend analysis, and so on.
The bring-up process also installs and configures content packs in the vRealize Log Insight instance. A
content pack provides dashboards, extracted fields, predefined queries, and alerts that are related to the
content pack's specific product or set of logs. When you launch the vRealize Log Insight Web interface,
the installed content packs are ready for use. For an overview of these content packs, see Using vRealize
Log Insight Capabilities in Your Cloud Foundation System. For detailed information on how to use the
dashboards, predefined queries, and collected log data in vRealize Log Insight, see the vRealize Log
Insight product documentation.
You can open the vRealize Log Insight interface directly from the SDDC Manager Dashboard. For details,
see Enable vRealize Log Insight in Cloud Foundation.
If this is the first time after the initial bring-up process that the vRealize Log Insight Web interface is
launched, type the system-assigned credentials into the login screen and then click Login. Then use the
vRealize Log Insight Web interface to assign permissions to your superuser account and other user
accounts.
Note You can look up the system-assigned credentials for the vRealize Log Insight Web interface by
logging in to the SDDC Manager VM and running the /home/vrack/bin/lookup-password command.
Important Do not change the password of the admin account from within the vRealize Log Insight Web
interface, or unpredictable results can occur. To change the admin account's password without rotating all
account passwords, see Manually Update Passwords.
Procedure
2 If the vRealize Log Insight login screen appears, log in with the appropriate credentials.
- If this is the first time logging in to vRealize Log Insight after the initial bring-up process, use the
username admin and the randomized password that was set when the passwords were rotated at
the end of the bring-up process.
- If you are using an account that was set up for you in vRealize Log Insight, use those credentials
to log in.
When you are logging in to the vRealize Log Insight Web interface with the admin account after
updating passwords, you must use the randomized password that is set for that account by the
rotation procedure. For details about passwords, see Manually Update Passwords.
The vRealize Log Insight web interface appears with the display filtered to the Dashboards > VMware-
VCF > Overview page to show the various event widgets.
The CEIP provides VMware with information that enables VMware to improve its products and services,
to fix problems, and to advise you on how best to deploy and use our products. As part of the CEIP,
VMware collects technical information about your organization’s use of VMware products and services on
a regular basis in association with your organization’s VMware license key(s). This information does not
personally identify any individual. For additional information regarding the CEIP, refer to the Trust &
Assurance Center at http://www.vmware.com/trustvmware/ceip.html.
Procedure
2 Select the Join the VMware Customer Experience Improvement Program check box.
To run the SoS utility, SSH in to the SDDC Manager VM using the vcf administrative user account and
enter su to switch to the root user. Then navigate to the /opt/vmware/sddc-support directory and type
./sos followed by the options required for your desired operation.
To list the available command options, use the --help long option or the -h short option.
./sos --help
./sos -h
Note You can specify some options in the conventional GNU/POSIX syntax, using -- for the long option
and - for the short option.
Option Description
Note For generic options related to log collection, see Collect Logs for Your Cloud Foundation System.
Option | Description
--ceip-tagging-get | Returns the setting for the VMware CEIP program. For information about the program, see Chapter 13 Configuring Customer Experience Improvement Program.
--domain-name DOMAINNAME | Specify the name of the workload domain on which the SoS operation is to be performed. To run the operation on all domains, specify --domain-name ALL. Note If you omit the --domain-name flag and domain name, the SoS operation is performed only on the management domain.
--ondemand-service | Include this flag to execute commands on all ESXi hosts in a domain.
--ondemand-service-json JSON file path | Include this flag to execute commands in the JSON format on all ESXi hosts in a domain. For example, /opt/vmware/sddc-support/<JSON file name>
--skip-known-host-check | Skips the specified check for SSL thumbprint for host in the known host.
A green status indicates that the health is normal, yellow provides a warning that attention might be
required, and red (critical) indicates that the component needs immediate attention.
Option | Description
--certificate-health | Verifies that the component certificates are valid (within the expiry date).
--connectivity-health | Performs a connectivity health check to inspect whether the different components of the system, such as the ESXi hosts, Virtual Center Servers, Inventory Service VMs, Log Insight VM, NSX Manager VMs, PSC VMs, and SDDC Manager VM, can be pinged.
--general-health | Verifies ESXi entries across all sources, checks the Postgres DB operational status for hosts, checks ESXi for error dumps, and gets NSX Manager and cluster status.
--get-inventory-info | Returns in a tabular format inventory details for the specified Cloud Foundation component, such as Platform Services Controller, vCenter Server, NSX, and ESXi. Optionally, add the flag --domain-name ALL to return all details.
--ntp-health | Verifies whether the time on the components is synchronized with the NTP server in the SDDC Manager VM. It also ensures that the hardware and software timestamp of ESXi hosts are within 5 minutes of the SDDC Manager VM.
--password-health | Returns the status of all current passwords, such as Last Changed Date, Expiry Date, and so on.
--services-health | Performs a services health check to confirm whether services within the Inventory Service VM and within SDDC Manager (like Lifecycle Management Server) are running.
--storage-health | Performs a check on the vSAN disk health of the ESXi hosts and vCenter clusters. Also runs Proactive vSAN tests to verify the ability to create VMs within the vSAN disks.
Note These options are only available starting with VMware Cloud Foundation 3.5.1.
Option Description
Option | Description
--reconfigure-nsxcontrollers | Reconfigures the NSX Controllers for the specified domain/cluster. For example, --reconfigure-nsxcontrollers --sc-domain MGMT --sc-cluster SDDC-Cluster1.
--sc-domain SCDOMAIN | Specify the domain, SCDOMAIN, to use for stretched vSAN.
--sc-cluster SCCLUSTER | Specify the cluster, SCCLUSTER, to use for stretched vSAN.
--sc-hosts SCHOSTS [SCHOSTS ...] | Specify the hosts, SCHOSTS, to use for stretched vSAN.
--esxi-license-key ESXILICENSEKEY | Specify the license key, ESXILICENSEKEY, to use for ESXi hosts.
Option | Description
--cleanup-vsan | Cleans up vSAN Partitions in ESXi hosts. Optionally, you can specify the ESXi hosts, by IP address, to run the vSAN cleanup. Use commas (with no spaces) to separate multiple IP addresses.
Option | Description
--cleanup-decommissioned-host | Performs clean-up on the specified, decommissioned ESXi hosts by passing the JSON. For example: --cleanup-decommissioned-host /opt/vmware/sddc-support/decommissioned_host_cleanup_sample.json Note A dirty host is a host that has been removed from a cluster in a workload domain. A dirty host cannot be assigned to another workload domain until it is cleaned up.
Option Description
Note If you do not specify domain, this command affects only the MGMT domain by default.
Note You should only redeploy vRealize Suite Lifecycle Manager when directed to do so by VMware
Support.
Option | Description
--vrslcm-redeploy | Redeploys vRealize Suite Lifecycle Manager. Provides a taskID for the operation.
--get-vrslcm-redeploy-task-status <taskID> | Returns vRealize Suite Lifecycle Manager redeployment status for the specified taskID.
Use these options when retrieving support logs from your environment's various components.
- To collect all logs from all components, you can run the SoS utility without specifying any component-
specific options.
- To collect logs for a specific component, run the utility with the appropriate options.
For example, the --domain-name option is important. If omitted, the SoS operation is performed only
on the management domain. See SoS Utility Options.
Log files for the vRealize Log Insight agent in vCenter Server are collected when vCenter Server log files
are collected.
After running the SoS utility, you can examine the resulting logs to troubleshoot issues, or provide to
VMware Technical Support if requested. VMware Technical Support might request these logs to help
resolve technical issues when you have submitted a support request. The diagnostic information collected
using the SoS utility includes logs for the various VMware software components and software products
deployed in your Cloud Foundation environment.
Procedure
1 Using SSH, log in to the SDDC Manager VM with the following credentials:
Username: vcf
4 To collect the logs, run the SoS utility without specifying any component-specific options. To collect
logs for a specific component, run the utility with the appropriate options.
Note By default, before writing the output to the directory, the utility deletes the prior run's output
files that might be present. If you want to retain the older output files, specify the --no-clean-old-
logs option.
If you do not specify the --log-dir option, the utility writes the output to
the /var/log/vmware/vcf/sddc-support directory in the SDDC Manager VM.
--api-logs | Collects output from REST endpoints for SDDC Manager inventory and LCM.
--cassandra-logs | Collects logs from the Apache Cassandra database only. cassandra-bundle.tgz contains Cassandra nodetool and debug logs. Apache Cassandra processes run in each of the infrastructure virtual machines.
--dump-only-sddc-java-threads | Collects only the Java thread information from the SDDC Manager.
--no-clean-old-logs | Use this option to prevent the utility from removing any output from a previous collection run. By default, before writing the output to the directory, the utility deletes the prior run's output files that might be present. If you want to retain the older output files, specify this option.
--nsx-logs | Collects logs from the NSX Manager, NSX Controller, and NSX Edge instances only.
--psc-logs | Collects logs from the Platform Services Controller instances only.
--rvc-logs | Collects logs from the Ruby vSphere Console (RVC) only. RVC is an interface for ESXi and vCenter. Note If the Bash shell is not enabled in vCenter, RVC log collection will be skipped. Note RVC logs are not collected by default with ./sos log collection. You must enable RVC to collect RVC logs.
--sddc-manager-logs | Collects logs from the SDDC Manager only. sddc<timestamp>.tgz contains logs from the SDDC Manager file system's etc, tmp, usr, and var partitions.
The utility displays Welcome to SoS log collection utility!, the output directory, sos.log file
location, and messages about the utility's progress, for example:
The utility collects the log files from the various software components in all of the racks and writes the
output to the directory named in the --log-dir option. Inside that directory, the utility generates output in
a specific directory structure.
What to do next
File | Description
esx-IP-address.tgz | Diagnostic information from running the vm-support command on the ESXi host. An example file is esx-192.168.100.101.tgz.
SmartInfo-IP-address.txt | S.M.A.R.T. status of the ESXi host's hard drive (Self-Monitoring, Analysis, and Reporting Technology). An example file is SmartInfo-192.168.100.101.txt.
vsan-health-IP-address.txt | vSAN cluster health information from running the standard command python /usr/lib/vmware/vsan/bin/vsan-health-status.pyc on the ESXi host. An example file is vsan-health-192.168.100.101.txt.
File | Description
load-balancer.vrack.vsphere.local-loginsight-support.tgz | Compressed TAR file consisting of support bundles collected from each node in the vRealize Log Insight cluster. For example: loginsight-loginsight-node-<node-number>.vrack.vsphere.local-<time-stamp>.
loginsight-loginsight-node-<node-number>.vrack.vsphere.local-<time-stamp> | Contains the following: README, boot, error.log, etc, proc, usr, action.log, commands, errors-ignored.log, opt, storage, and var.
The number of files in this directory depends on the number of NSX Manager, NSX Controller, and NSX
Edge instances that are deployed in the rack. In a given rack, each management domain has one
NSX Manager instance and a minimum of three NSX Controller instances, and any VI workload domains
in the rack each have one NSX Manager instance and at least three NSX Controller instances. NSX Edge
instances are only deployed to support vRealize Operations and vRealize Automation, which are optional
components.
File Description
VMware-NSX-Manager-tech-support-nsxmanagerIPaddr.tar.gz Standard NSX Manager compressed support bundle, generated using the NSX for vSphere API
POST https://nsxmanagerIPaddr/api/1.0/appliance-management/techsupportlogs/NSX,
where nsxmanagerIPaddr is the IP address of the NSX Manager instance.
An example is VMware-NSX-Manager-tech-support-10.0.0.8.tar.gz.
VMware-NSX-Controller-tech-support-nsxmanagerIPaddr-controller-controllerId.tgz Standard NSX Controller compressed support bundle, generated using the NSX for vSphere API to
query the NSX Controller technical support logs:
GET https://nsxmanagerIPaddr/api/2.0/vdn/controller/controllerId/techsupportlogs,
where nsxmanagerIPaddr is the IP address of the NSX Manager instance and controllerID identifies
the NSX Controller instance.
Examples are VMware-NSX-Controller-tech-support-10.0.0.8-controller-1.tgz, VMware-NSX-Controller-tech-support-10.0.0.8-controller-2.tgz, VMware-NSX-Controller-tech-support-10.0.0.8-controller-3.tgz.
VMware-NSX-Edge-tech-support-nsxmanagerIPaddr-edgeId.tgz Standard NSX Edge support bundle, generated using the NSX for vSphere API to query the NSX
Edge support logs:
GET https://nsxmanagerIPaddr/api/4.0/edges/edgeId/techsupportlogs,
where nsxmanagerIPaddr is the IP address of the NSX Manager instance and edgeID identifies the NSX
Edge instance.
An example is VMware-NSX-Edge-tech-support-10.0.0.7-edge-1.log.gz.
Note This information will only be collected if NSX Edges are deployed.
File Description
vm-support-pscIPaddr.tar.gz Standard Platform Services Controller support bundle downloaded from the Platform Services
Controller instance with IP address pscIPaddr.
vc Directory Contents
In each rack-specific directory, the vc directory contains the diagnostic information files collected for the
vCenter Server instances deployed in that rack.
The number of files in this directory depends on the number of vCenter Server instances that are
deployed in the rack. In a given rack, each management domain has one vCenter Server instance, and
any VI workload domains in the rack each have one vCenter Server instance.
File Description
vc-vcsaFQDN-timestamp.tgz Standard vCenter Server support bundle downloaded from the vCenter Server Appliance instance
having a fully-qualified domain name vcsaFQDN. The support bundle is obtained from the instance
using the standard vc-support.sh command.
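The file-name conventions in the tables above make it possible to check a collected bundle for completeness before relying on it in an investigation. The following is an added example, not part of the VMware guide or the SoS utility: it classifies file names by those conventions, reports ESXi hosts that lack one of the three per-host artifacts, and reports NSX Manager instances with fewer than the three controller bundles the text says to expect. The function names, the sample file list, and the assumption that the vCenter timestamp contains no hyphen are constructed for illustration.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# (component, regex) pairs built from the file names listed in the tables above.
# "key" is the host IP or FQDN; "sub" is the controller/edge ID or timestamp.
PATTERNS = [
    ("esx-support", re.compile(r"^esx-(?P<key>" + IP + r")\.tgz$")),
    ("esx-smart", re.compile(r"^SmartInfo-(?P<key>" + IP + r")\.txt$")),
    ("esx-vsan-health", re.compile(r"^vsan-health-(?P<key>" + IP + r")\.txt$")),
    ("nsx-manager",
     re.compile(r"^VMware-NSX-Manager-tech-support-(?P<key>" + IP + r")\.tar\.gz$")),
    ("nsx-controller",
     re.compile(r"^VMware-NSX-Controller-tech-support-(?P<key>" + IP
                + r")-(?P<sub>controller-\w+)\.tgz$")),
    # The table names the file ...-edgeId.tgz but its example ends in .log.gz,
    # so both endings are accepted.
    ("nsx-edge",
     re.compile(r"^VMware-NSX-Edge-tech-support-(?P<key>" + IP
                + r")-(?P<sub>edge-\w+)\.(?:tgz|log\.gz)$")),
    ("psc", re.compile(r"^vm-support-(?P<key>" + IP + r")\.tar\.gz$")),
    # Assumption: the timestamp contains no hyphen, so the last "-" splits it off.
    ("vcenter", re.compile(r"^vc-(?P<key>.+)-(?P<sub>[^-]+)\.tgz$")),
]

ESX_KINDS = ("esx-support", "esx-smart", "esx-vsan-health")


def classify(name):
    """Return (component, key, sub) for a recognised file name, else None."""
    for component, rx in PATTERNS:
        m = rx.match(name)
        if m:
            return component, m.group("key"), m.groupdict().get("sub")
    return None


def inventory(names):
    """Group file names as found[component][key] and list unrecognised names."""
    found = defaultdict(lambda: defaultdict(list))
    unknown = []
    for name in names:
        hit = classify(name)
        if hit is None:
            unknown.append(name)
        else:
            found[hit[0]][hit[1]].append(name)
    return found, unknown


def incomplete_esx_hosts(found):
    """Map each ESXi host IP to the per-host artifact kinds that are missing."""
    hosts = set()
    for kind in ESX_KINDS:
        hosts.update(found.get(kind, {}))
    gaps = {}
    for ip in sorted(hosts):
        missing = [k for k in ESX_KINDS if ip not in found.get(k, {})]
        if missing:
            gaps[ip] = missing
    return gaps


def controller_shortfall(found, minimum=3):
    """Map NSX Manager IPs to their controller bundle count when below minimum."""
    short = {}
    for manager_ip in found.get("nsx-manager", {}):
        count = len(found.get("nsx-controller", {}).get(manager_ip, []))
        if count < minimum:
            short[manager_ip] = count
    return short


# Constructed sample listing; on a real system, pass os.listdir() of each directory.
SAMPLE = [
    "esx-192.168.100.101.tgz",
    "SmartInfo-192.168.100.101.txt",
    "vsan-health-192.168.100.101.txt",
    "esx-192.168.100.102.tgz",
    "SmartInfo-192.168.100.102.txt",          # vsan-health file absent
    "VMware-NSX-Manager-tech-support-10.0.0.8.tar.gz",
    "VMware-NSX-Controller-tech-support-10.0.0.8-controller-1.tgz",
    "VMware-NSX-Controller-tech-support-10.0.0.8-controller-2.tgz",
    "VMware-NSX-Edge-tech-support-10.0.0.7-edge-1.log.gz",
    "vm-support-10.0.0.5.tar.gz",
    "vc-vcenter-1.vrack.vsphere.local-20181203T101500.tgz",
    "notes.txt",                              # not an SoS artifact name
]

if __name__ == "__main__":
    found, unknown = inventory(SAMPLE)
    print("ESXi hosts with missing artifacts:", incomplete_esx_hosts(found))
    print("NSX Managers short of controller bundles:", controller_shortfall(found))
    print("Unrecognised files:", unknown)
```

Unrecognised names are worth reviewing by hand, since anything outside the documented conventions was not written by the collection steps described here.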
You specified passwords for your Cloud Foundation system's internal accounts as part of the bring-up
procedure. You can also modify the passwords for these accounts using RESTful API calls.
- Accounts used for service consoles, such as the ESXi root account.
Note Password rotation does not change the password of the SDDC Manager VM's root account. Also, the
lookup password command does not report this password.
Prerequisites
- Verify that there are no currently failed workflows in your Cloud Foundation system. To check for
failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom
of the page.
- Verify that no active workflows are running or are scheduled to run during the brief time period that
the password rotation process is running. It is recommended that you schedule password rotation for
a time when you expect to have no running workflows.
Procedure
1 From the navigation pane, choose Administration > Security > Password Management.
The Password Management page displays a table with detailed information about all domains,
including their component, credential type, FQDN, IP address, and user name. This table is dynamic.
Each column can be sorted.
You can click the filter icon next to the table header and filter the results by a string value. For
example, click this icon next to User Name and enter admin to display only domains with that user
name value.
When asked to confirm, click Rotate or Cancel as appropriate in the alert box.
If you proceeded with the rotation, a message appears at the top of the page showing the progress of
the operation. The Tasks panel also shows detailed status of the password rotation operation. Click
on the task name to view sub-tasks.
As each of these tasks is run, the status is updated. If the Tasks panel shows the task as having
failed, click Retry.
Note You cannot use these controls to update the NSX-T password. You can only update the NSX-T
password from the NSX-T Manager product interface.
Prerequisites
- Verify that there are no currently failed workflows in your Cloud Foundation system. To check for
failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom
of the page.
- Verify that no active workflows are running or are scheduled to run during the manual password
update.
Procedure
1 From the navigation pane, choose Administration > Security > Password Management.
The Password Management page displays a table with detailed information about all domains,
including their component, credential type, FQDN, IP address, and user name. This table is dynamic.
Each column can be sorted.
You can click the filter icon next to the table header and filter the results by a string value. For
example, click this icon next to User Name and enter admin to display only domains with that user
name value.
2 Select the domain whose password you want to rotate and click Update at the top of the page.
Note If you select more than one domain, the Update button is disabled.
The Update Password dialog box appears. This dialog box also displays the entity name, credential
type, and user name in case you need to confirm you have selected the correct domain.
4 Click Update.
A message appears at the top of the page showing the progress of the operation. The Tasks panel
also shows detailed status of the password update operation. Click on the task name to view sub-
tasks.
If the Tasks panel shows the task as having failed, click Retry.
Prerequisites
You must have the root account credentials to log in to the SDDC Manager VM. See Log In to the SDDC
Manager Dashboard.
Procedure
Note Although the password management CLI commands are located in /usr/bin, you can run
them from any directory.
lookup_passwords
The output displays the account credentials and IP addresses for the physical and logical entities on
all racks in your environment. The username and password for each account is displayed.
4 (Optional) Save the command output to a secure location so that you can access it later and use it to
log in to the components as needed.
Look up passwords - JSON format
Retrieves and lists in JSON format the account credentials for the built-in
accounts that are managed and rotated by SDDC Manager.
$ curl 'http://localhost/security/password/vault' \
-i -H 'Accept: application/json'
Look up passwords - plain text format
Retrieves and lists in plain text format the account credentials for the built-in
accounts that are managed and rotated by SDDC Manager.
$ curl 'http://localhost/security/password/vault' \
-i -H 'Accept: text/plain'
"username" : "root"
}],
"type":"UPDATE"
}'
Password operation history
Returns in JSON format the password history recorded in the password
management database.
$ curl 'https://localhost/security/password/vault/transactions' \
-i -H 'Accept: application/json' \
-k -u "<administrative user name>:<password>"
Password operation status
Returns in JSON format the latest (or current) workflow, which is an
asynchronous job running in SDDC Manager. It polls the status of the
workflow and reports percentage completed until the workflow finishes, at
which time it reports its status.
$ curl 'https://localhost/security/password/vault/transactions/202' \
-i -H 'Accept: application/json' \
-k -u "<administrative user name>:<password>"
Retry failed password operation
Retries the specified failed operation and returns results in JSON format.
$ curl 'http://localhost/security/password/vault/transactions/2002' \
-i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d '{
"entities": [{
"credentialType" : "<credential type such as SSH or API>",
"entityIpAddress" : "<IP address>",
Cancel password operation
Cancels failed password operations and returns results in JSON format.
$ curl 'https://localhost/security/password/vault/transactions/2002' \
-i -X DELETE -H 'Accept: application/json' \
-k -u "<administrative user name>:<password>"
- Memory
- BMC
- Power supply
Prerequisites
- Verify that the host is operational and is accessible by VMware Host Client.
- Verify that the Management, vSAN, and vMotion networks are available on the host. This can be
viewed through the Inventory > Hosts page.
- Verify that the HDD and SSD disks on the host are in a good state.
Procedure
7 Put the host back in the physical rack and connect it back to the appropriate switches.
9 In vSphere Web Client, right-click the host and click Exit Maintenance Mode.
Prerequisites
- Verify that the host is operational and is accessible by VMware Host Client.
- Verify that the HDD and SSD disks on the host are in a good state.
Procedure
5 Put the host back in the physical rack and connect it back to the appropriate switches.
7 In the SDDC Manager Dashboard, verify that the host is available in the free pool.
- Storage controllers
- Motherboards
- Boot disks
Prerequisites
If the host belongs to a workload domain, verify that there are at least 4 hosts in the management or
workload domain to which the faulty host belongs. If there are fewer than 4 hosts, add a host to the domain
from the capacity pool if possible.
Procedure
2 Power off the host and remove it from the physical rack.
Prerequisites
Verify that there are at least 4 hosts in the management or workload domain to which the faulty host
belongs. If there are fewer than 4 hosts, add a host to the domain from the capacity pool, if possible.
Procedure
1 If there are dual boot disks in the host set up as RAID 1 and only one of them fails:
- See Replacing Components of a Host Running in Degraded Mode to replace the failed disk.
The RAID 1 feature will rebuild the disks as needed. For more details, refer to the OEM vendor
documentation.
2 If there is a single boot disk in the host and it fails, see Replace a Dead Host.
- Download Bundles
- Monitor Upgrade
For example, suppose VMware just released ESXi version 6.5 EP 2. Your workload domain is at ESXi
version 6.5. The sequential upgrade path would be version 6.5 -> 6.5 P1 -> 6.5 P2 -> 6.5 EP1 -> 6.5 EP2.
Instead of applying four sequential patches to update the workload domain to 6.5 EP2, you can now apply
a cumulative bundle and update the workload domain from 6.5 directly to 6.5 EP2.
Cumulative bundles are available only for vCenter Server, Platform Services Controller, and ESXi.
Note that you can apply a cumulative bundle to a workload domain only if the target release in the bundle
is lower than or at the same version as the management domain. If the cumulative bundle is available for
both the management domain and VI workload domains, you must apply it to the management domain
before applying it to VI workload domains.
Install Bundles
If you have updated the management domain in your environment, you can download an install bundle
with updated software bits for VI workload domains and vRealize suite components.
- A VI workload domain install bundle is used to deploy later versions of the software components
rather than the versions in your original Cloud Foundation installation.
Download Bundles
If you are logged in to your My VMware account, LCM automatically polls the depot to access the bundles.
You receive a notification when a bundle is available and can then download the bundle.
If you do not have internet connectivity, you can either use a proxy server to access the depot, or
download the bundles manually.
Procedure
2 Click Login.
Download Bundle
You can download bundles from the Bundles page or the workload domain that you want to update.
Procedure
2 Click the name of a workload domain and then click the Updates/Patches tab.
The number next to the Updates/Patches tab indicates the available updates.
The Available Updates section displays all updates applicable to this workload domain.
2 To view the metadata details for an update bundle, click View Details.
The bundle severity and detailed information about each component included in the bundle are
displayed. If a bundle is a cumulative bundle, this information is displayed as well. The bundle
severity levels are described in the table below.
Critical A problem may severely impact your production systems (including the loss of production
data). Such impacts could be system down or HA not functioning.
Important A problem may affect functionality, or cause a system to function in a severely reduced
capacity. The situation causes significant impact to portions of the business operations
and productivity. The system is exposed to potential loss or interruption of services. A
change to support hardware enablement (for example, a driver update), or a new feature
for an important product capability.
Moderate A problem may cause partial loss of non-critical functionality. This may be a minor issue with
limited loss, no loss of functionality, or impact to the client's operations and issues in
which there is an easy circumvention or avoidance by the end user. This includes
documentation errors.
Low A problem which has low or no impact to a product's functionality or a client's operations.
There is no impact on quality, performance, or functionality of the product.
Select the date and time for the bundle download and click Schedule.
After the bundle is downloaded, the Schedule Update button is displayed. Click View Details to see
the version changes for each component that the bundle will apply.
When a bundle has been downloaded, it is not visible on the Bundle Download page. It is visible on
the Download History page.
Procedure
Available bundles are displayed. Install bundles display Install Only Bundle under the Availability
Type.
- Click Schedule Download to schedule the bundle download and follow the UI prompts to select
a date and time.
When you create a new VI workload domain, Cloud Foundation uses the software bits in the downloaded
install bundle to deploy the workload domain.
Prerequisites
A Windows or Linux computer with internet connectivity for downloading the bundles. If it is a Windows
computer, it must have Java 8 or later.
Procedure
1 Using SSH, log in to the SDDC Manager VM with the user name vcf and password you specified in
the deployment parameter sheet.
./lcm-bundle-transfer-util --generateMarker
The marker file (markerFile) is a JSON file that contains information on the current software
versions running on SDDC Manager. It also contains the bundle IDs for bundles that were
downloaded before this file was generated, but no other site-specific information. The
markerFile.md5 contains the checksum for the markerFile.
The /opt/vmware/vcf/lcm/lcm-tools directory includes the bundle transfer utility required for the
next step.
5 If the local computer uses a proxy to connect to the internet, perform the following steps.
lcm.depot.adapter.proxyEnabled=true
lcm.depot.adapter.proxyHost=proxy IP address
lcm.depot.adapter.proxyPort=proxy port
./lcm-bundle-transfer-util -download \
-outputDirectory ${absolute-path-output-dir} \
-depotUser ${depotUser} \
-markerFile ${absolute-path-markerFile} \
-markerMd5File ${absolute-path-markerFile.md5}
where
absolute-path-output-dir Path to the directory where the bundle files are to be downloaded. This directory must have
777 permissions.
If you do not specify the download directory, bundles are downloaded to the default directory with 777
permissions.
depotUser User name for myVMware depot. You are prompted to enter the depot user password. If there are
any special characters in the password, specify the password within single quotes.
markerFile Absolute path to the marker file, as generated in the above step.
If you do not specify the path to the marker file, all update bundles on the depot are downloaded.
markerMd5File Absolute path to the marker MD5 checksum file, as generated in the above step.
The utility generates a delta file (deltaFileDownloaded) in the download directory based on the
software versions in the marker file and the update bundles available on the depot. The applicable
bundles identified in the delta file are downloaded. Download progress for each bundle is displayed.
7 Copy the update bundle directory from the external computer to the SDDC Manager VM.
For example:
8 In the SDDC Manager VM, change the ownership and permissions of the uploaded bundle.
9 In the SDDC Manager VM, upload the bundle files to the internal LCM repository.
cd /opt/vmware/vcf/lcm/lcm-tools/bin
./lcm-bundle-transfer-util -upload -bundleDirectory ${absolute-path-output-dir}
where absolute-path-output-dir is the directory where the bundle files have been uploaded,
or /opt/vmware/vcf/vCF231to232Bundle as shown in the previous step.
The utility uploads the bundles specified in the deltaFileDownloaded file. The console displays
upload status for each bundle.
Procedure
1 Using SSH, log in to the SDDC Manager VM with the user name vcf and password you specified in
the deployment parameter sheet.
lcm.depot.adapter.proxyEnabled=true
lcm.depot.adapter.proxyHost=proxy IP address
lcm.depot.adapter.proxyPort=proxy port
Ensure that the above lines appear in the application-prod.properties file only once.
6 Restart the LCM server by typing the following command in the console window:
LCM makes update bundles available as they become applicable. The components within the
management domain or VI workload domain are upgraded in the following order:
3 vCenter Server
4 ESXi
5 vRSLCM (management domain only). This is required only if you have a vRealize product in your
environment.
Note You must complete upgrading the management domain before upgrading any other domains.
Prerequisites
1 Take a backup of the SDDC Manager VM. The backup of this VM will contain backups of the other
VMs as well.
3 Do not run any domain operations while an update is in progress. Domain operations are creating a
new VI domain, adding hosts to a cluster or adding a cluster to a workload domain, and removing
clusters or hosts from a workload domain.
4 You must have downloaded the update bundles. See Download Bundles.
Procedure
Click View Status to see the update status for each component and the tests performed. Expand a
test by clicking the arrow next to it to see further details.
If any of the tests fail, fix the issue and click Retry Precheck.
The precheck results are displayed below the Precheck button. Ensure that the precheck results are
green before proceeding. A failed precheck may cause the update to fail.
4 Click Upgrade Now to start the update or click Schedule to schedule the update for a specific date and time
depending on your maintenance window.
6 After the update is completed successfully, log out of the SDDC Manager Dashboard and log back in.
What to do next
Delete the VM snapshots that you took before starting the upgrade.
Procedure
Click View Status to see the update status for each component and the tests performed. Expand a
test by clicking the arrow next to it to see further details.
If any of the tests fail, fix the issue and click Retry Precheck.
The precheck results are displayed below the Precheck button. Ensure that the precheck results are
green before proceeding. A failed precheck may cause the update to fail.
2 Click Upgrade Now to start the update or click Schedule to schedule the update for a specific date
and time depending on your maintenance window.
During the upgrade process, you provide a temporary IP address. LCM uses this IP address to deploy a
new appliance and then copies over the data from the source appliance to the newly deployed appliance.
After the upgrade, the new appliance inherits the IP address and networking configuration of the source
appliance.
The source appliances are powered off and left in inventory. These VMs can be deleted. They should not
be powered on with their network cards connected as this will cause a conflict with the appliances.
Procedure
Click View Status to see the update status for each component and the tests performed. Expand a
test by clicking the arrow next to it to see further details.
If any of the tests fail, fix the issue and click Retry Precheck.
The precheck results are displayed below the Precheck button. Ensure that the precheck results are
green before proceeding. A failed precheck may cause the update to fail.
2 Click Schedule to schedule the update for a specific date and time depending on your maintenance
window.
4 On the Configure Target Appliance page, enter an available IP address from the management domain
IP range.
5 Enter the subnet mask and gateway IP address of the management domain.
6 Click Next.
Upgrade ESXi
After vCenter Server and Platform Services Controllers are upgraded, the ESXi upgrade bundle is
available to be applied.
If you had installed Cloud Foundation with custom ESXi ISOs from a partner, see Knowledge Base article
65047.
If you want to skip any hosts while applying an ESXi update to the management domain or a VI workload
domain, you must add these hosts to the application-evo.properties file before you begin the
update. See Skip Hosts During ESXi Update.
Procedure
Click View Status to see the update status for each component and the tests performed. Expand a
test by clicking the arrow next to it to see further details.
If any of the tests fail, fix the issue and click Retry Precheck.
The precheck results are displayed below the Precheck button. Ensure that the precheck results are
green before proceeding. A failed precheck may cause the update to fail.
2 Click Upgrade Now to start the update or click Schedule to schedule the update for a specific date
and time depending on your maintenance window.
Procedure
1 Click Precheck to validate that vRealize Suite Lifecycle Manager is ready to be updated.
Click View Status to see the update status for each component and the tests performed. Expand a
test by clicking the arrow next to it to see further details.
If any of the tests fail, fix the issue and click Retry Precheck.
The precheck results are displayed below the Precheck button. Ensure that the precheck results are
green before proceeding. A failed precheck may cause the update to fail.
2 Click Upgrade Now to start the update or click Schedule to schedule the update for a specific date
and time depending on your maintenance window.
What to do next
Prerequisites
1 Take a backup of the SDDC Manager VM. The backup of this VM will contain backups of the other
VMs as well.
2 Do not run any domain operations while an update is in progress. Domain operations are creating a
new VI domain, adding hosts to a cluster or adding a cluster to a workload domain, and removing
clusters or hosts from a workload domain.
3 You must have downloaded the update bundles. See Download Bundles.
Procedure
2 Click the management domain and then click the Updates/Patches tab.
Click View Status to see the update status for each component and the tests performed. Expand a
test by clicking the arrow next to it to see further details.
If any of the tests fail, fix the issue and click Retry Precheck.
The precheck results are displayed below the Precheck button. Ensure that the precheck results are
green before proceeding. A failed precheck may cause the update to fail.
4 Click Upgrade Now to start the update or click Schedule to schedule the update for a specific date and time
depending on your maintenance window.
6 After the update is completed successfully, log out of the SDDC Manager Dashboard and log back in.
What to do next
Delete the SDDC Manager VM snapshot that you took before starting the upgrade.
Prerequisites
Procedure
1 Download the ESXi upgrade bundle. See Download Update Bundle from the SDDC Manager
Dashboard.
3 Create a directory for the vendor ISO under the /nfs/vmware/vcf/nfs-mount directory. For
example, /nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-binaries.
4 Copy the vendor-specific ISO to the directory you created on the SDDC Manager VM. For example,
you can copy the ISO to the /nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-binaries
directory.
5 Change permissions on the directory where you copied the ISO. For example,
{
  "esxCustomImageSpecList": [{
    "bundleId": "ID",
    "targetEsxVersion": "version",
    "useVcfBundle": false,
    "customIsoAbsolutePath": "Path_to_ISO"
  }]
}
where
bundleId ID of the ESXi upgrade bundle you downloaded. You can retrieve the bundle ID
by navigating to the Repository > Bundles page and looking at the bundle ID.
For example, 8c0de63d-b522-4db8-be6c-f1e0ab7ef554.
Note If an incorrect bundle ID is provided, the upgrade will proceed with the
Cloud Foundation stock ISO and replace the custom VIBs in your environment
with the stock VIBs.
useVcfBundle Specifies whether the Cloud Foundation ESXi bundle is to be used for the
upgrade.
Note If you want to upgrade with a custom ISO image, ensure that this is set to
false.
customIsoAbsolutePath Path to the custom ISO file on the SDDC Manager VM. For example,
/nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-binaries/VMware-ESXi-6.7.0-Update1-10302608-HPE-Gen9plus-670.U1.10.3.5.12-Oct2018.iso
{
  "esxCustomImageSpecList": [{
    "bundleId": "8c0de63d-b522-4db8-be6c-f1e0ab7ef554",
    "targetEsxVersion": "6.7.0-10302608",
    "useVcfBundle": false,
    "customIsoAbsolutePath": "/nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-binaries/VMware-ESXi-6.7.0-Update1-10302608-HPE-Gen9plus-670.U1.10.3.5.12-Oct2018.iso"
  }]
}
15 After the upgrade is complete, confirm the ESXi version by clicking Current Versions. The ESXi
hosts table displays the current ESXi version.
Upgrade ESXi with Cloud Foundation Stock ISO and Async Drivers
You can apply the stock ESXi upgrade bundle with specified async drivers. This feature is available for
Cloud Foundation version 3.5.1 and later.
Prerequisites
Download the appropriate async drivers for your hardware on a computer with internet access.
Procedure
1 Download the Cloud Foundation ESXi upgrade bundle. See Download Update Bundle from the
SDDC Manager Dashboard.
3 Create a directory for the vendor provided async drivers under the /nfs/vmware/vcf/nfs-mount
directory. For example, /nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-drivers.
4 Copy the async drivers to the directory you created on the SDDC Manager VM. For example, you can
copy the drivers to the /nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-drivers directory.
5 Change permissions on the directory where you copied the drivers. For example,
{
  "esxCustomImageSpecList": [{
    "bundleId": "ID",
    "useVcfBundle": true,
    "esxPatchesAbsolutePaths": [
      "Path_to_Drivers"
    ]
  }]
}
where
bundleId ID of the ESXi upgrade bundle you downloaded. You can retrieve the bundle ID
by navigating to the Repository > Bundles page and looking at the bundle ID.
For example, 8c0de63d-b522-4db8-be6c-f1e0ab7ef554.
useVcfBundle Specifies whether the Cloud Foundation ESXi bundle is to be used for the
upgrade. Set this to true.
esxPatchesAbsolutePaths Path to the async drivers on the SDDC Manager VM. For example,
/nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-drivers/drivers/VMW-ESX-6.7.0-smartpqi-1.0.2.1038-offline_bundle-8984687.zip
{
  "esxCustomImageSpecList": [{
    "bundleId": "8c0de63d-b522-4db8-be6c-f1e0ab7ef554",
    "useVcfBundle": true,
    "esxPatchesAbsolutePaths": [
      "/nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-drivers/drivers/VMW-ESX-6.7.0-smartpqi-1.0.2.1038-offline_bundle-8984687.zip"
    ]
  }]
}
15 After the upgrade is complete, confirm the ESXi version by clicking Current Versions. The ESXi
hosts table displays the current ESXi version.
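Both the custom ISO procedure and the async driver procedure above depend on a hand-written JSON spec, and the guide notes that an incorrect bundleId makes the upgrade proceed with the stock ISO and replace custom VIBs. The following added example (not VMware's code) checks such a spec before it is used. The function names, the UUID shape check, the .iso and .zip suffix checks, and the rule that paths must resolve under /nfs/vmware/vcf/nfs-mount are assumptions drawn from the examples on this page; the sample specs are the page's two examples plus one constructed broken spec.

```python
import json
import os
import posixpath
import re

NFS_BASE = "/nfs/vmware/vcf/nfs-mount"  # directory used in this page's examples
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def _check_path(path, label, suffix, exists, errors):
    """Append findings for one ISO or driver path to errors."""
    if not isinstance(path, str) or not posixpath.isabs(path):
        errors.append(f"{label}: must be an absolute path")
        return
    norm = posixpath.normpath(path)  # collapses ".." so traversal is visible
    if not norm.startswith(NFS_BASE + "/"):
        errors.append(f"{label}: resolves outside {NFS_BASE}")
    if not norm.endswith(suffix):
        errors.append(f"{label}: expected a {suffix} file")
    if not exists(norm):
        errors.append(f"{label}: file not found on this machine")


def validate_spec(text, known_bundle_ids=None, exists=os.path.isfile):
    """Return a list of problems in an esxCustomImageSpecList document.

    known_bundle_ids: optional set of IDs copied from Repository > Bundles.
    exists: file-existence check; the default only makes sense when run on
    the SDDC Manager VM where the ISO or drivers were copied.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    specs = doc.get("esxCustomImageSpecList") if isinstance(doc, dict) else None
    if not isinstance(specs, list) or not specs:
        return ["esxCustomImageSpecList must be a non-empty list"]

    errors = []
    for i, spec in enumerate(specs):
        where = f"spec[{i}]"
        if not isinstance(spec, dict):
            errors.append(f"{where}: must be a JSON object")
            continue
        bundle_id = spec.get("bundleId")
        if not isinstance(bundle_id, str) or not UUID_RE.match(bundle_id):
            errors.append(f"{where}.bundleId: not a UUID-shaped bundle ID")
        elif known_bundle_ids is not None and bundle_id not in known_bundle_ids:
            errors.append(f"{where}.bundleId: not among the downloaded bundle IDs")

        use_vcf = spec.get("useVcfBundle")
        if not isinstance(use_vcf, bool):
            errors.append(
                f"{where}.useVcfBundle: must be JSON true or false, got {use_vcf!r}")
        elif use_vcf:
            # Stock ISO plus async drivers.
            paths = spec.get("esxPatchesAbsolutePaths")
            if not isinstance(paths, list) or not paths:
                errors.append(f"{where}.esxPatchesAbsolutePaths: must list driver paths")
            else:
                for j, p in enumerate(paths):
                    _check_path(p, f"{where}.esxPatchesAbsolutePaths[{j}]",
                                ".zip", exists, errors)
        else:
            # Custom vendor ISO.
            if not spec.get("targetEsxVersion"):
                errors.append(f"{where}.targetEsxVersion: missing")
            _check_path(spec.get("customIsoAbsolutePath"),
                        f"{where}.customIsoAbsolutePath", ".iso", exists, errors)
    return errors


CUSTOM_ISO_SPEC = """{"esxCustomImageSpecList": [{
  "bundleId": "8c0de63d-b522-4db8-be6c-f1e0ab7ef554",
  "targetEsxVersion": "6.7.0-10302608",
  "useVcfBundle": false,
  "customIsoAbsolutePath": "/nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-binaries/VMware-ESXi-6.7.0-Update1-10302608-HPE-Gen9plus-670.U1.10.3.5.12-Oct2018.iso"
}]}"""

ASYNC_DRIVER_SPEC = """{"esxCustomImageSpecList": [{
  "bundleId": "8c0de63d-b522-4db8-be6c-f1e0ab7ef554",
  "useVcfBundle": true,
  "esxPatchesAbsolutePaths": ["/nfs/vmware/vcf/nfs-mount/esx-upgrade-partner-drivers/drivers/VMW-ESX-6.7.0-smartpqi-1.0.2.1038-offline_bundle-8984687.zip"]
}]}"""

# Constructed broken spec: template placeholder left in, boolean quoted as a
# string, version omitted, and a path that climbs out of the NFS mount.
BROKEN_SPEC = """{"esxCustomImageSpecList": [
  {"bundleId": "ID", "targetEsxVersion": "6.7.0-10302608",
   "useVcfBundle": "false", "customIsoAbsolutePath": "Path_to_ISO"},
  {"bundleId": "8c0de63d-b522-4db8-be6c-f1e0ab7ef554", "useVcfBundle": false,
   "customIsoAbsolutePath": "/nfs/vmware/vcf/nfs-mount/../../tmp/custom.iso"}
]}"""

if __name__ == "__main__":
    for name, text in [("custom ISO", CUSTOM_ISO_SPEC),
                       ("async drivers", ASYNC_DRIVER_SPEC),
                       ("broken", BROKEN_SPEC)]:
        # exists is stubbed so the demo runs away from the SDDC Manager VM.
        print(name, validate_spec(text, exists=lambda p: True))
```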
Monitor Upgrade
Monitor the upgrade progress on your workload domain.
Procedure
1 The Update in Progress section in the workload domain detail page displays the high level update
progress and the number of components to be updated.
3 Click the arrow to see a list of tasks being performed to update the component. As the task is
completed, it shows a green check mark.
4 When all tasks to update a component have been completed, the update status for the component is
displayed as Updated.
5 If a component fails to be updated, the status is displayed as Failed. The reason for the failure as well
as remediation steps are displayed.
6 After you resolve the issues, the bundle becomes available. You can then apply the bundle or
schedule it to be applied at a specific date and time.
What to do next
1 Remove the VM snapshots you had taken before starting the update.
Procedure
1 Retrieve the host IDs for the hosts you want to skip.
a Open a new tab in the browser where you are running SDDC Manager and type the following
URL:
https://SDDC_Manager_IP/inventory/esxis
{
  "vcenterId": "d1a239e1-baef-11e8-a2de-d1b89736a031",
  "networkPoolId": "d3643003-c854-43e7-91ad-fd8d0711a02f",
  "bundleRepoDatastore": "lcm-bundle-repo",
  "domainId": "d0ef8bb0-baef-11e8-a2de-d1b89736a031",
  "clusterId": "d1b106f1-baef-11e8-a2de-d1b89736a031",
  "vsanIpAddress": "10.0.4.3",
  "vmotionIpAddress": "10.0.8.3",
  "hostAttributes": {},
  "dirty": false,
  "id": "d19d57e1-baef-11e8-a2de-d1b89736a031",
  "status": "ACTIVE",
  "version": "6.5.0-9298722",
  "hostName": "esxi-1.vrack.vsphere.local",
  "privateIpAddress": "10.0.0.100",
  "managementIpAddress": "10.0.0.100"
}
2 Using SSH, log in to the SDDC Manager VM with the user name vcf and password you specified in
the deployment parameter sheet.
7 Restart the LCM server by typing the following command in the console window:
The hosts added to the application-prod.properties are not updated when you update the workload
domain.
Procedure
2 Click the name of a workload domain and then click the Update History tab.
All updates applied to this workload domain are displayed. If an update bundle was applied more than
once, click View Past Attempts to see more information.
Procedure
All downloaded bundles are displayed. Click View Details to see bundle metadata details.
3 To create an sos bundle for support, see Chapter 14 Supportability and Serviceability (SoS) Utility.
availability zone Collection of infrastructure components. Each availability zone is isolated from other availability
zones to prevent the propagation of failure or outage across the data center.
bring-up Initial configuration of a newly deployed Cloud Foundation system. During the bring-up process,
the management domain is created and the Cloud Foundation software stack is deployed on
the management domain.
commission host Adding a host to Cloud Foundation inventory. The host remains in the free pool until it is
assigned to a workload domain.
composability Ability to dynamically configure servers to meet the needs of your workloads without physically
moving any hardware components. You bind disaggregated hardware components (compute,
network, storage, and offload components) together to create a logical system based on the
needs of your applications.
dirty host A host that has been removed from a cluster in a workload domain. A dirty host cannot be
assigned to another workload domain until it is cleaned up.
decommission host Remove an unassigned host from the Cloud Foundation inventory. SDDC Manager does not
manage decommissioned hosts.
free pool Hosts in the Cloud Foundation inventory that are not assigned to a workload domain.
Lifecycle Manager (LCM) Automates patching and upgrading of the software stack.
management domain Cluster of physical hosts that contains the management component VMs.
network pool Automatically assigns static IP addresses to vSAN and vMotion vmkernel ports so that you
don't need to enter IP addresses manually when creating a VI workload domain or adding a
host or cluster to a workload domain.
patch update bundle Contains bits to update the appropriate Cloud Foundation software components in your
management or VI workload domain.
SDDC Manager Software component that provisions, manages, and monitors the logical and physical resources
of a Cloud Foundation system.
SDDC Manager VM Virtual machine (VM) that contains the SDDC Manager services and a shell from which
command line tools can be run. This VM exposes the SDDC Manager UI.
server Bare metal server in a physical rack. After imaging, it is referred to as a host.
Term Description
unassigned host Host in the free pool that does not belong to a workload domain.
workload domain A policy based resource container with specific availability and performance attributes that
combines vSphere, storage (vSAN or NFS) and networking (NSX for vSphere or NSX-T) into a
single consumable entity. A workload domain can be created, expanded, and deleted as part of
the SDDC lifecycle operations. It can contain cluster(s) of physical hosts with a corresponding
vCenter to manage them. The vCenter for a workload domain physically lives in the
management domain.