Showing posts with label VI3. Show all posts
Showing posts with label VI3. Show all posts
Increasing hosts connection pool
Johnny Zhang
Note: This is tip is based on communications between engineering and myself. In most cases there is no need to make any change. This is just for you to know. (This also only based on VI3, not sure if there are changes on vSphere)

Sometimes we see ESX hosts disconnected from vCenter. from the vpxa log files:

['App' 7644 error] [VpxdVmomi] Got vmacore exception: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

This error is common in an environment which hosts are under load.
There could be multiple causes for this kind of connection request failure:

1. Network glitch
2. proxy server on hostd is not able to respond the request due to stress.
3. hostd process is busy or crashed at the time the request arrives.

Now, vCenter has a host connection pool, it will store idle connections between ESX server and vCenter. So when there is a need to connect the server, vCenter will not need to create the connections all over again (Which in some cases we will hit the above issues). The default connection size is set at 20. you can increase this (for example to 50)

You need to add to vpxd.cfg files:

Personally, I believe this will help for a large set-up by reducing the connection requests. please note, the active connection is not put into this pool, so in most cases 20 is good enough.
Labels: 0 comments | edit post
Changing scheduler cell size for 6 cores CPU
Johnny Zhang
In ESX 3.5, the CPU scheduler logically partitions a host's physical CPU into cells, by default, there are 4 cores per cell for scalability reason. The scheduler can make decision locally within a cell without affecting other cells. However, with the introduction of 6 cores CPU, this may lead into some cell span sockets. You might experience performance issue when VMs are using those cells. If you are using those CPUs. You can change it from both VIclient and command line.

Using the VI Client:

  1. Select the Configuration tab in the VI client.
  2. Select Advanced Settings.
  3. Select VMkernel.
  4. In the right pane, locate VMkernel.Boot.cpuCellSize .
  5. Change the value to 6 .
This will take effect the next time the ESX host is rebooted.

From the command line interface (on classic ESX):
1.Enter:
esxcfg-advcfg --set-kernel 6 cpuCellSize
2. Reboot the ESX host.
From the remote command line interface (on ESXi):
1.Enter:
vicfg-advcfg --set-kernel 6 cpuCellSize
2. Reboot the ESX host.

Note: ESX 4.0 uses per-pCPU locks instead of cell scheduler. You will not see the span socket performance issue on ESX 4.0
Labels: 0 comments | edit post
Restrict and monitor users' login
Johnny Zhang
By default, users can try to log into a Linux or in this case ESX server as many time as they want. Someone can sit there all day try to crack the password or just write up a script let it do the trick. You can change the behavior by add the following lines to /etc/pam.d/system-auth:

auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=3
no_magic_root

This will lock out the user after 3 attempts
(Keep in mind you might want to give more than 3 attempts before lock users out, just in case you forgot your password)

You can also setup the log to monitor it after this

To create the file for logging failed login attempts, execute the following commands:
touch /var/log/faillog
chown root:root /var/log/faillog
chmod 600 /var/log/faillog

Note: This will only work with VI3 since PAM on Redhat 5 (where ESX 4.x service console based on) does not work with those options
Labels: , 0 comments | edit post
VIClient bypass SSL Certificate Warning
Johnny Zhang
I think we are all used to the SSL certificate warning when using your VIClient to connect to your vCenter or ESX server. It would be nice we can bypass it. In fact, you can. You can do this for both VI3 and vSphere 4

You can right click on your viclient --> Properties --> find the Target: on my system is "C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe"

add a switch "-i yes" to the end make it like:
"C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe" -i yes
























Click ok
That's it, no more SSL certificate warning.

Note: The test on vSphere client did not work, seems like it will loop back to check the SSL certificate even after by pass it from the beginning. Not sure this is a minor bug.
Labels: 0 comments | edit post