Tag Archives: certification

VCAP5 exams – on your marks….

In last night’s VMware Community podcast John Hall, VMware’s lead technical certification developer gave some tidbits of information about the upcoming VCAP5 exams;

  • There will be an expedited path for those with VCAP4 certifications BUT they will be similar to the VCP upgrade in that it’ll be a time limited offer. He didn’t specify exactly what form this would take but with the VCP upgrade you have roughly six months to take the new exam with no course prerequisites.  I’m guessing you’ll have a similar period where the VCP5 prerequisite doesn’t apply.

With the upcoming Feb 29th deadline for the VCP5 exam you’d better get your study skates on. If you don’t take the VCP5 before the 29th and you’re not in a position to take the new VCAP5 exams in the ‘discount’ period (however long that turns out to be) you might find yourself needing to sit a What’s New course and pass the VCP5 exam before you’re even eligible for the VCAP5 exams. Not a pleasant thought!

VCAP-DCA and its value to me

After several months of study (slightly longer than planned due to writing up all my study notes) I was finally notified that I’d passed the VCAP-DCA exam yesterday. Hurrah!

The VCAP-DCA blueprint is pretty comprehensive and for many will involve studying topics they’ve not used before. Regarding the exam itself I have nothing of value to add that hasn’t already been said, but it’s been nice to reflect on what I gained from taking the certification. Given that quite a few recruiters simply state ‘VCP/VCAP/VCDX’ as general requirements for job specs I’m not sure how much value the certification holds in the marketplace yet, but here are the top five ‘wins’ for me as a result of studying;

  1. PowerCLI. I’ve scripted in many languages over the years but none that are so easy to pick up and achieve results with. I’ve used PowerCLI in production to automate deployments, get weekly reports and automate some compliance work and I doubt I’d have done so much if I didn’t have to cover the VCAP-DCA blueprint (especially the VIX component).
  2. Distributed switches – my company doesn’t have Enterprise+ licensing so I don’t get to work with these in a production environment. Lab testing is never the same and the exam highlighted a few areas where I could improve. I like the concept, but with under a hundred hosts I’m not yet convinced of the value for money. Various features and products (vCD comes to mind) are dependent on vDS, so I think it’ll get pushed more and more by VMware however.
  3. Host profiles – again, I had no real world experience due to licensing restrictions. I did learn that they’re not that great though, even in limited lab testing. There are too many things they can’t do, a fairly limited interface and a lack of flexibility. Definitely not the equivalent of Group Policy in an AD environment (which was my mental equivalent).
  4. ESXTOP. I’ve always been somewhat wary of this, especially after a presentation at the LonVMUG which was very good but hurt my brain! Despite being a Linux admin, and so comfortable with the command line, something about the advanced ESXTOP settings seemed complex and hard to understand. After watching some VMworld sessions and working through the ESXTOP bible it’s now much clearer and I’ve found myself using it far more at work.
  5. vCenter Heartbeat. Like many places we’re increasingly reliant on vCenter and I worry about resilience. I now know how to use it – and the fact that I probably wouldn’t.

As with any exam though there are questions which you might not know the answer to, but you know a quick Google would tell you the answer (so they have little real value in the exam, in my opinion). These aren’t quite in that category, but here are three things which I had to learn purely for the sake of the exam;

  1. Orchestrator. Much though I love automation this isn’t easy enough to use and the reliance on JavaScript instead of PowerCLI is a deal breaker for me. I can write JavaScript (or use Onyx) but for an admin this is hard to use compared to PowerCLI.
  2. Fault Tolerance. Due to the 1vCPU restriction I’ve not got any servers which really benefit from this, so it was an exercise (if interesting) in theory only.
  3. vShield Zones. I’d actually hoped this might be in my top five, but in the end it’s in my bottom three. The interface is incredibly basic compared to any dedicated firewall so I wouldn’t want to use it in production. The exam also only covers v1.0, whereas v4.0 is the current release.

I used a wide variety of study materials, and in order of most beneficial here’s how I’d list them;

  • Blogs – these complement the official docs – it’s where people spot the real challenge of a particular feature, or the unspoken gaps not mentioned in the official docs. Start at vLaunchPad.
  • Official documentation
  • VMworld sessions – free to view (mostly) and focused on particular subjects, these are an often overlooked treasure trove.
  • Study notes – creating my own study notes definitely helped me remember things, as did other people’s (Sean Crookston’s especially).
  • Community forums – both the general vSphere ones and the VCAP-DCA forum are useful places to post questions, and see what everyone else is asking. vicfg-firewall anyone?
  • Trainsignal’s Troubleshooting training course by David Davis. The information is very useful and goes above and beyond the blueprint requirements.

And of course I have something to add to the C.V.!

VCAP-DCA Study Notes – 1.3 Complex Multipathing and PSA plugins

This section overlaps with objectives 1.1 (Advanced storage management) and 1.2 (Storage capacity) but covers the multipathing functionality in more detail.

Knowledge

  • Explain the Pluggable Storage Architecture (PSA) layout

Skills and Abilities

  • Install and Configure PSA plug-ins
  • Understand different multipathing policy functionalities
  • Perform command line configuration of multipathing options
  • Change a multipath policy
  • Configure Software iSCSI port binding

Tools & learning resources

Understanding the PSA layout

The PSA layout is well documented in VMware’s SAN configuration guides and on the community blogs. The PSA is for block level protocols (FC and iSCSI) – it isn’t used for NFS, where there are no paths to select between.


Terminology;

  • MPP = Multipathing Plugin. The top-level plugin that owns a device’s paths. VMware’s NMP is the built-in MPP, and a third-party MPP (EMC PowerPath/VE is the usual example) can replace it for the arrays it claims.
  • NMP = Native Multipathing Plugin. The default MPP; it does nothing array-specific itself but loads one SATP and one PSP per device.
  • SATP = Storage Array Type Plugin, the ‘traffic cop’: array-specific, it monitors path state, detects failures and performs failover.
  • PSP = Path Selection Plugin, the ‘driver’: picks which active path carries each I/O (MRU, Fixed or RR).

There are four possible pathing policies (PSPs);

  • MRU = Most Recently Used (VMW_PSP_MRU). Uses the path most recently used; after a failover it stays on the new path and does not fail back when the original returns. Typically the default for active/passive (low end) arrays.
  • Fixed (VMW_PSP_FIXED) = the path is fixed, with a ‘preferred path’ (the first path discovered unless you set one). On failover the alternative paths are used, but when the preferred path is restored it again becomes the active path. Typically the default for active/active arrays.
  • Fixed_AP (VMW_PSP_FIXED_AP) = new to vSphere 4.1. This enhances the ‘Fixed’ pathing policy to make it applicable to active/passive arrays and ALUA capable arrays. If no user preferred path is set it uses the array’s knowledge of optimised paths to set the preferred path.
  • RR = Round Robin (VMW_PSP_RR). Rotates I/O across all active (and, on ALUA arrays, optimised) paths, by default switching path every 1000 I/Os.

One way to think of ALUA is as a form of ‘auto negotiate’. The array communicates with the ESX host and lets it know the available path to use for each LUN, and in particular which is optimal. ALUA tends to be offered on midrange arrays which are typically asymmetric active/active rather than symmetric active/active (which tend to be even more expensive). Determining whether an array is ‘true’ active/active is not as simple as you might think! Read Frank Denneman’s excellent blogpost on the subject. Our Netapp 3000 series arrays are asymmetric active/active rather than ‘true’ active/active.
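As an added example (mine, not part of the original study notes), the PowerCLI 4.x script below audits the paths and path selection policy of every SAN LUN from one array across a cluster, and switches LUNs that have more than one active path to Round Robin. It assumes an existing Connect-VIServer session; the cluster name and the array Vendor string are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Requires PowerCLI 4.x and an
# existing Connect-VIServer session. $ClusterName and $ArrayVendor are
# assumptions for illustration; set them to your own cluster and the Vendor
# string that Get-ScsiLun reports for your array.
$ClusterName = 'Prod-Cluster'
$ArrayVendor = 'NETAPP'

function Get-LunPathReport {
    param([string]$Cluster, [string]$Vendor)
    $vmhosts = Get-Cluster $Cluster | Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }
    foreach ($vmhost in $vmhosts) {
        # -LunType disk restricts this to disks; the Vendor filter drops local storage
        $luns = Get-ScsiLun -VmHost $vmhost -LunType disk | Where-Object { $_.Vendor -eq $Vendor }
        foreach ($lun in $luns) {
            $paths  = @(Get-ScsiLunPath -ScsiLun $lun)
            $active = @($paths | Where-Object { $_.State -eq 'Active' })
            $dead   = @($paths | Where-Object { $_.State -eq 'Dead' })
            New-Object PSObject -Property @{
                Host = $vmhost.Name; Device = $lun.CanonicalName
                Policy = $lun.MultipathPolicy
                Paths = $paths.Count; Active = $active.Count; Dead = $dead.Count
                Lun = $lun }
        }
    }
}

$report = Get-LunPathReport -Cluster $ClusterName -Vendor $ArrayVendor

# Report first. A LUN with a single path, or with dead paths, is a resilience
# problem that no policy change will fix, so those are listed and skipped.
$report | Sort-Object Host, Device | Format-Table Host, Device, Policy, Paths, Active, Dead -AutoSize

foreach ($row in $report) {
    if ($row.Dead -gt 0 -or $row.Paths -lt 2) {
        Write-Warning "$($row.Device) on $($row.Host): $($row.Paths) paths, $($row.Dead) dead; fix the fabric before changing policy"
        continue
    }
    # Round Robin spreads I/O over every active path. Only apply it where the
    # array vendor supports it for the SATP in use (ALUA or active/active); on a
    # plain active/passive array RR can cause path thrashing.
    if ($row.Policy -ne 'RoundRobin' -and $row.Active -gt 1) {
        Set-ScsiLun -ScsiLun $row.Lun -MultipathPolicy RoundRobin -Confirm:$false | Out-Null
        "Set RoundRobin on $($row.Device) ($($row.Host))"
    }
}
```

The service console equivalents on a vSphere 4.x host are `esxcli nmp device list` to see each device’s SATP, PSP and paths, `esxcli nmp device setpolicy --device <naa id> --psp VMW_PSP_RR` to change one device, and `esxcli nmp satp setdefaultpsp --satp <satp> --psp VMW_PSP_RR` to change the default PSP for every new LUN claimed by that SATP. Check the array vendor’s documentation before changing the default: the PSP the SATP selects out of the box is normally the one the vendor has tested.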

Continue reading VCAP-DCA Study Notes – 1.3 Complex Multipathing and PSA plugins

VCAP-DCA Study notes 7.1 – Secure ESX/ESXi hosts

Security is a large topic and one you could spend a lifetime mastering. The blueprint isn’t too helpful in clarifying what level of detail you’re expected to know for this as the ESX/ESXi configuration guides cover issues not in the ‘skills and abilities’ section. More in depth still is the vSphere Hardening Guide. I guess the main thing is to focus on practical issues as the VCAP-DCA is a practical exam – knowing that the VMkernel uses memory hardening is no use in an exam if it can’t be configured or tweaked! Some of this section seems to have been added for the sake of it – how often will an admin need to modify the SSL timeouts? I could only find one KB article about it!

Knowledge

  • Identify configuration files related to network security
  • Identify virtual switch security characteristics

Skills and Abilities

  • Add/Edit/Remove users/groups on an ESX Host
  • Customize SSH settings for increased security
  • Enable/Disable certificate checking
  • Generate ESX Host certificates
  • Enable ESXi lockdown mode
  • Replace default certificate with CA-signed certificate
  • Configure SSL timeouts
  • Secure ESX Web Proxy
  • Enable strong passwords and configure password policies
  • Identify methods for hardening virtual machines
  • Analyze logs for security-related messages

Virtual switch security characteristics

vSwitch security (layer 2) settings, each of which can be overridden at port group level;

  • Promiscuous mode – when set to Accept the vNIC sees every frame on the port group’s VLAN, not just frames addressed to it. Needed for packet sniffing, vShield Zones (and virtual ESX hosts). Rejected by default.
  • MAC address changes – affects inbound traffic. When set to Reject, a guest that changes its effective MAC away from the one in its .vmx has its port disabled and receives no frames. May need to be enabled if you’re using MS load balancing in Unicast mode, or the iSCSI software initiator with certain storage arrays. Accepted by default.
  • Forged transmits – affects outbound traffic. When set to Reject, frames whose source MAC does not match the vNIC’s effective MAC are dropped. Accepted by default.

The Hardening Guide recommends Reject for all three unless a port group has a documented need for Accept, since Accept lets a compromised guest sniff or spoof its neighbours on the same VLAN.

Other network security measures (IPSec, VLANs, PVLANs etc) are dealt with in section 2, Networking.
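As an added example (mine, not part of the original study notes), the PowerCLI script below reports the three layer 2 security settings for every standard vSwitch and port group, with their effective values, and then sets them to Reject everywhere except a list of port groups that genuinely need an exception. It assumes PowerCLI 4.1 or later (for Get-SecurityPolicy and Set-SecurityPolicy) and an existing Connect-VIServer session; the exception list is a placeholder.

```powershell
# Added example, not from the original post. Requires PowerCLI 4.1+ and an
# existing Connect-VIServer session. $Exceptions is an assumption for
# illustration: port groups that legitimately need MAC changes or forged
# transmits (a Windows NLB unicast port group, a vShield Zones or nested ESX
# port group) and must be reviewed by hand rather than hardened here.
$Exceptions = @('NLB-Unicast')

function Get-VSwitchSecurityReport {
    $vmhosts = Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }
    foreach ($vmhost in $vmhosts) {
        foreach ($vsw in Get-VirtualSwitch -VMHost $vmhost) {
            $pol = Get-SecurityPolicy -VirtualSwitch $vsw
            New-Object PSObject -Property @{
                Host = $vmhost.Name; Object = "vSwitch $($vsw.Name)"
                Promiscuous = $pol.AllowPromiscuous; MacChanges = $pol.MacChanges
                ForgedTx = $pol.ForgedTransmits; Inherited = 'n/a' }
            foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vsw) {
                # A port group either inherits each value from its vSwitch or
                # overrides it; the effective value is what decides the finding.
                $pgpol = Get-SecurityPolicy -VirtualPortGroup $pg
                New-Object PSObject -Property @{
                    Host = $vmhost.Name; Object = "PortGroup $($pg.Name)"
                    Promiscuous = $pgpol.AllowPromiscuous; MacChanges = $pgpol.MacChanges
                    ForgedTx = $pgpol.ForgedTransmits
                    Inherited = ($pgpol.AllowPromiscuousInherited -and $pgpol.MacChangesInherited -and $pgpol.ForgedTransmitsInherited) }
            }
        }
    }
}

# Findings: any True means Accept
Get-VSwitchSecurityReport | Where-Object { $_.Promiscuous -or $_.MacChanges -or $_.ForgedTx } |
    Format-Table Host, Object, Promiscuous, MacChanges, ForgedTx, Inherited -AutoSize

function Set-VSwitchSecurityBaseline {
    param([string[]]$ExceptPortGroups)
    foreach ($vmhost in Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }) {
        foreach ($vsw in Get-VirtualSwitch -VMHost $vmhost) {
            # Reject all three at the vSwitch level ...
            Get-SecurityPolicy -VirtualSwitch $vsw |
                Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
            # ... and make every non-exception port group inherit, so the vSwitch
            # value wins and a stray per-port-group override cannot re-enable Accept.
            $pgs = Get-VirtualPortGroup -VirtualSwitch $vsw | Where-Object { $ExceptPortGroups -notcontains $_.Name }
            foreach ($pg in $pgs) {
                Get-SecurityPolicy -VirtualPortGroup $pg |
                    Set-SecurityPolicy -AllowPromiscuousInherited $true -MacChangesInherited $true -ForgedTransmitsInherited $true | Out-Null
            }
        }
    }
}

Set-VSwitchSecurityBaseline -ExceptPortGroups $Exceptions
```

Run the report and review it before calling the baseline function: setting MAC changes or forged transmits to Reject on a port group that carries NLB unicast traffic, a nested ESX host or a vShield Zones appliance will silently drop that traffic, which is exactly why those port groups go in the exception list and get reviewed by hand.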

Host security

Customise SSH settings (ESX only)
  • Edit /etc/ssh/sshd_config and restart the daemon (‘service sshd restart’). ‘PermitRootLogin’ defaults to no on ESX; setting it to yes allows direct root logins over SSH, which is convenient but goes against the Hardening Guide (log in as a named user and su or sudo instead). See VMwareKB for a list of other settings you can adjust (including the available ciphers).
  • You can use PKI to authenticate using SSH without being prompted for a password. This is a standard Linux procedure – for step by step instructions see VMwareKB1002866.
  • By default only the SSH server is enabled in the service console firewall. Use Configuration -> Security Profile to enable the SSH client, or from the service console ‘esxcfg-firewall -e sshClient’ (‘esxcfg-firewall -q sshClient’ shows the current state).

Continue reading VCAP-DCA Study notes 7.1 – Secure ESX/ESXi hosts

VCAP-DCA Study Notes – 4.2 Deploy and test VMware FT

The main document to work through for the VCAP-DCA is the Availability Guide but there are plenty of good white papers and blog posts which give useful background information (see the bottom of this post). If you have access to the 2010 VMworld content it’s worth watching session BC8274 which covers most of the material on the blueprint.

Knowledge

  • Identify VMware FT hardware requirements
  • Identify VMware FT compatibility requirements

Skills and Abilities

  • Modify VM and ESX/ESXi Host settings to allow for FT compatibility
  • Use VMware best practices to prepare a vSphere environment for FT
  • Configure FT logging
  • Prepare the infrastructure for FT compliance
  • Test FT failover, secondary restart and application fault tolerance in a FT Virtual Machine

FT requirements (hardware, software and feature compatibility)

Compatibility
  • Firstly you have to make sure your host hardware will support FT – it’s more demanding than many other VMware features.
    • FT relies on VMware’s vLockstep technology, which needs specific processor support (recent Intel and AMD families only). Rather than list the processor families which support FT, check VMwareKB1008027 (it also lists the supported guest operating systems).
    • Hardware virtualisation (Intel VT / AMD-V) must also be enabled in the BIOS (not always on by default).
  • You need to ensure the guest OS and CPU combination is supported (as the Availability Guide states, Solaris on AMD is not, for example).
  • HA must be enabled on the cluster
  • Licensing – you need Advanced or higher to run FT
  • Host certificate checking needs to be enabled. If you did a clean install of vSphere 4.x this is enabled by default, but if you upgraded from VI3.x you have to explicitly enable it (vCenter Server Settings -> SSL Settings)
  • Avoid mixing ESX and ESXi hosts in a cluster with FT-enabled VMs (VMwareKB1013637)

There are also VM level requirements;

  • Only one vCPU (FT in vSphere 4.x does not support SMP VMs)
  • No USB or sound devices
  • No NPIV
  • No paravirtualized guest OS
  • No physical mode RDMs
  • Hot plug (memory, CPU, hard disks etc) is automatically disabled for FT-enabled VMs
  • No serial or parallel ports

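As an added example (mine, not part of the original study notes), the PowerCLI 4.x script below runs the checklist above against a cluster: HA on the cluster, FT support and an FT logging VMkernel port on each host, and then the per-VM device and configuration requirements, read through the vSphere API objects that PowerCLI exposes as ExtensionData. It assumes an existing Connect-VIServer session; the cluster name is a placeholder. It also flags snapshots and thin-provisioned disks, which FT in 4.x does not allow and will convert respectively, so those two checks go slightly beyond the list on the page.

```powershell
# Added example, not from the original post. Requires PowerCLI 4.x and an
# existing Connect-VIServer session. $ClusterName is an assumption for
# illustration.
$ClusterName = 'Prod-Cluster'

function Test-FtClusterReadiness {
    param([string]$Cluster)
    $c = Get-Cluster $Cluster
    $issues = @()
    if (-not $c.HAEnabled) { $issues += 'HA is not enabled on the cluster' }
    foreach ($h in $c | Get-VMHost) {
        # HostCapability.FtSupported is false when the CPU, BIOS HV setting or
        # host configuration rules FT out
        if (-not $h.ExtensionData.Capability.FtSupported) { $issues += "$($h.Name): host does not support FT" }
        $ftNic = Get-VMHostNetworkAdapter -VMHost $h -VMKernel | Where-Object { $_.FaultToleranceLoggingEnabled }
        if (-not $ftNic) { $issues += "$($h.Name): no VMkernel port has FT logging enabled" }
    }
    $issues
}

function Test-FtVmReadiness {
    param([Parameter(ValueFromPipeline=$true)] $VM)
    process {
        $cfg = $VM.ExtensionData.Config
        $issues = @()
        if ($cfg.Hardware.NumCPU -ne 1) { $issues += "$($cfg.Hardware.NumCPU) vCPUs (FT in 4.x needs exactly 1)" }
        if ($cfg.NpivNodeWorldWideName -or $cfg.NpivPortWorldWideName) { $issues += 'NPIV configured' }
        if ($VM.ExtensionData.Snapshot) { $issues += 'has snapshots' }
        if ($cfg.MemoryHotAddEnabled -or $cfg.CpuHotAddEnabled) { $issues += 'hot-add enabled (turned off when FT is enabled)' }
        foreach ($dev in $cfg.Hardware.Device) {
            $type = $dev.GetType().Name
            $label = $dev.DeviceInfo.Label
            switch -Regex ($type) {
                '^VirtualUSB'                    { $issues += "USB: $label" }
                'SoundCard|Ensoniq1371|SoundBlaster16' { $issues += "sound: $label" }
                '^VirtualSerialPort'             { $issues += "serial port: $label" }
                '^VirtualParallelPort'           { $issues += "parallel port: $label" }
                '^VirtualDisk$' {
                    $b = $dev.Backing
                    $btype = $b.GetType().Name
                    if ($btype -eq 'VirtualDiskRawDiskMappingVer1BackingInfo' -and $b.CompatibilityMode -eq 'physicalMode') {
                        $issues += "physical-mode RDM: $label"
                    }
                    if ($btype -eq 'VirtualDiskFlatVer2BackingInfo' -and $b.ThinProvisioned) {
                        $issues += "thin disk: $label (converted to eager-zeroed thick when FT is enabled)"
                    }
                }
            }
        }
        New-Object PSObject -Property @{
            VM = $VM.Name
            Ready = ($issues.Count -eq 0)
            FtState = $VM.ExtensionData.Runtime.FaultToleranceState
            Issues = ($issues -join '; ') }
    }
}

"Cluster-level issues:"
Test-FtClusterReadiness -Cluster $ClusterName
"VM-level results:"
Get-Cluster $ClusterName | Get-VM | Test-FtVmReadiness |
    Sort-Object Ready, VM | Format-Table VM, Ready, FtState, Issues -AutoSize -Wrap
```

A VM that comes back Ready can still fail to start its secondary if the hosts do not share the datastores it lives on or the FT logging network is saturated, so treat this as the pre-flight check before the failover tests in the blueprint, not as a replacement for them.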
Restrictions

FT places quite a few restrictions on the features you can use;

Continue reading VCAP-DCA Study Notes – 4.2 Deploy and test VMware FT