It’s been a while, (a year?) since I’ve spent much time on vCloud Director 5.1. To prepare for the exam, I went through the blueprint thoroughly, reinstalled vCD in the lab and made sure I knew how to find/execute the objectives.
The environment:
You switch between the test questions/information and the Remote Desktop session to the Control Station. I would have preferred dual monitors so that I could look at the required values in the text while entering them. As it were, I spent a lot if time flipping between the question and the RDP session to make sure I entered the values verbatim.
Speaking of time…. The time constraint is the real test. I completed the questions with less than 10 minutes left to review and correct.
Obviously, some test stations/connections will be better than others, but in my case, it took three full seconds after a click for the vCD web GUI to respond.
Many of the questions build on one another. For example, Completing #4 correctly is necessary for #27 to make sense.
There are multiple vCD environments, make sure you read the question carefully and alter the correct cell. (Oops)
Hints & Tips:
Multi-task. While waiting for one item to complete (say waiting for a vCNS edge to redeploy), proceed to the next question so you can read it and begin it’s required steps. Return to your original question to verify your completed all the sub-tasks before getting too far ahead. There is no way I would have completed all the questions had I waited for each to complete before proceeding.
Read the blueprint. Know it cold. Know it well enough to identify which tasks will take you the longest.
In my case, I re-read the documentation for vCenter Chargeback Manager, but did not reinstall it or refresh my hands-on experience with it. (It’s crap, IMHO). So, I knew that the vCBM question would take me a bit to complete. I poked around for a few minutes, but left that item incomplete, hoping to return if time allowed (It didn’t).
Rather than trying to remember “/opt/vmware/vcloud-director”, just use “$VCLOUD_HOME”, it saved me some typing and recollection time.
Additional resources
I recommendKarthic Kumar’s VCAP-CIA Study Material, it’s more thorough that what I have here
Selected Objectives
Not comprehensive, just the items that I thought needed an explanation. This is kind of messy since I just pasted it from my word doc I used to prepare.
VCAP-CIA Objectives
Section 1 – Configure and Maintain vCloud Director
Objective 1.1 – Configure centralized logging
Skill 1.1.1 Determine use cases for and configure local and syslog options for vCloud Director
Syslog host can be set during installation. Settings can be altered in the /opt/vmware/vcloud-director/etc/log4j.properties file. Per Org-vDC syslog settings are in the Org vDC properties. Local logs are in /opt/vmware/vcloud-director/logs. Syslog host should be changed via the configuration script, but can be altered in the global.properties file.
Skill 1.1.2 Configure and administer logging options for VMware vShield™ Manager
Syslog settings on Edge Gateways in Org vDCs can be synchronized by right-clicking the edge gateway under an Org vDC and selecting “Synchronize syslog settings”. vShield Edge syslog settings are under Configuration|General|Syslog Server on vShield Manger web GUI. Syslog settings can be set per Edge on the Syslog Server Settings tab of the Edge Gateway properties.
Skill 1.1.3 Configure Log4j options for vCloud Director
Within the log4j.properties file, the log level can be altered to TRACE, DEBUG, INFO, WARN, ERROR, ALL or OFF. Root logger and several vCloud loggers are included. Syslog appender is not used in the default configuration, vCD logs to both log4j and syslog natively.
Objective 1.2 – Configure vCloud Director for scalability
Know 1.2.1 Identify vCloud Director Installation methods
A vCloud Director sever groups consists of one of more vCD servers sharing a common database. vCD 5.1 requires RHEL 5U4,5U5,5U6,5U8, 6U1 or 6U2. Requires 1Gb RAM, 2Gb Recommended. Can use MSSQL or Oracle for database. HTTP service should be load-balanced. Transfer Server Storage must be mounted at $VCLOUD_HOME/data/transfer on each cell. Before install first cell, install and configure vShield Manager. Not necessary to register vShield Manager as a vSphere Client plug-in.
Steps:
- Add database, logon and permissions
- Create and Import SSL Certificates (or create self-signed SSL certs)
- Download and install the VMware public keys from http://packages.vmware.com/tools/keys. To alleviate warning about key missing
- Verify Transfer storage volume is mounted
- Copy installation file, chmod u+x it to make it executable
- Run it, run configuration file
- backup and copy the response file
Know 1.2.2 Identify vCloud Director Installation options
Advanced Message Queuing Protocol, AMQP, is optional. It is used to provide a stream of notifications about events in vCD. By default, the messages are unencrypted. SSL Encryption can be enabled in the Extensibiity page of the vCD Web GUI by providing an SSL certificate pathname or a JCEKS trust store pathname and password.
Skill 1.2.3 Generate vCloud Director response files
Response file is located at /opt/vmware/vcloud-director/etc/responses.properties. It is created by the /opt/vmware/vcl oud-director/bin/configure script
Skill 1.2.4 Add vCloud cells to an existing installation using response files
Copy response file from first cell. Copy keystore and installation file. Chmod u+x installation file. As root, run installation-file –r path-to-response-file. Add HTTP address for new cell to load-balancer config.
Skill 1.2.5 Set up vCloud Director transfer storage space
Configure NFS export with write permission for root. Typically a few hundred GB. On each vCD host, add an entry to /etc/fstab to automatically mount the NFS export in the correct mount-point. <NFS host IP>:path/to/export /opt/vmware/vcloud-director/data/transfer/ nfs intr 0 0 Use chown to give vcloud user and group access to the share. Transfer space is used when subscribing to a published catalog.
Skill 1.2.6 Configure vCloud Director load balancing
Identify the HTTP addresses for each cell. Add each to the pool for HTTP/HTTPS. Create and import SSL certificates on each cell that use the FQDN of the virtual IP. Import the SSL certificate into the load-balancer for SSL-offload. Repeat for console proxy addresses, except do not configure SSL-offload, use SSL-passthrough only for console proxy.
Objective 1.3 – Maintain vCloud using command line tools
Skill 1.3.1 Manage and maintain vCloud Director cells using the cell management tool
Cell Management Tool is located at $VCLOUD_HOME/bin/cell-management-tool
Commands:
- cell – Manipulates the Cell and core components
- dbextract – Exports the data from the given set of tables
- certificates – Reconfigures the SSL certificates for the cell
- ciphers – Reconfigure the list of disallowed SSL ciphers for the cell
- generate-certs – Generates self-signed SSL certificates for use with vCD cell
- recover-password – Change a forgotten System Administrator password. Database credentials are required
- cell -m <arg> enter maintenance mode (vCD 5.5+ only)
- cell -q <arg> quiesce activity
- cell -s shut down cell
- cell -t show the cell status
Skill 1.3.2 Install and manage a vCloud Director installation using the configure script
Configure script is located at $VCLOUD_HOME/bin/configure. It can only be run of the vCD services are stopped. It can be used to replace the SSL certificates by specifying a new keystore.
Skill 1.3.4 Manage vCloud services using Red Hat command line tools including service, chkconfig and netstat
Use chkconfig to list the services and their auto-start setting
Use service to stop, start, restart and check the status of a service. vCD uses two services named “vmware-vcd-cell” and “vmware-vcd-watchdog” that are managed together through the service name “vmware-vcd”.
Use netstat to verify connections to database server or, with the –l –p options, verify vCD is listening on http and https
Skill 1.3.5 Collect logs for troubleshooting using the support script
Support script is located at $VCLOUD_HOME/bin/vmware-vcd-support
It zips all of the logfiles into a tgz file in $VCLOUD_HOME/bin. –m parameter collects data from multiple cells. –a collects all the data bundles.
Objective 1.4 – Configure Alarms and Notifications
Skill 1.4.1 Configure SMTP and notification settings
System/Default SMTP and notification settings are configured under the Administration tab. Each Organization can use the system/default SMTP server or specify its own SMTP and notification settings under Organization properties|Email Preferences. Organizations may specify a different sender and recipients from the system/default. Optionally, audit events may be sent as notifications to the AMQP broker if one is configured.
Skill 1.4.2 Configure warning alerts
Default warnings for runtime and storage lease expiration are set under Preferences|Defaults.
Warning threshold for a Datastore is set in the datastore properties
Skill 1.4.3 Create System maintenance message
Run $VCLOUD_HOME/bin/vmware-vcd-cell maintenance to display a maintenance message
Run $VCLOUD_HOME/bin/vmware-vcd-cell stop to stop the service
Run $VCLOUD_HOME/bin/vmware-vcd-cell start to start the service
Section 2 – Manage vSphere Resources
Objective 2.1 – Add vSphere compute resources to vCloud Director
Skill 2.1.1 Add new vCenter servers to vCloud Director
Add/modify/delete vCenter Servers under Manage and Monitor|vCenters. The vShield Manager settings per vCenter Server are found on the vShield Manager tab of the vCenter Server properties.
Skill 2.1.2 Prepare/unprepared hosts in vCloud Director
Hosts are prepared/unprepared by right-clicking a host item under Manage and Monitor|Hosts. Hosts in lockdown mode cannot be prepared.
Skill 2.1.3 Add ESXi hosts to vCenter
Add hosts to vCenter Server using the vSphere or vSphere Web Client. Add the hosts to a cluster containing the resource pool assigned to a vCloud Director Provider vDC. Prepare and enable the new hosts.
Skill 2.1.4 Manage ESXi hosts and DRS resource pools in vCenter
vCD-managed resource pools should not be manipulated manually. Use vCD (Manage & Monitor|Hosts) to Right-click to disable a host, then redeploy all VMs to a different host and put the selected Host into maintenance mode. Redeploy put a host in maintenance mode, which migrates the VMs, then exits Maintenance Mode.
Objective 2.2 – Manage vSphere storage resources
Know 2.2.1 Identify components, characteristics and features of vSphere storage
(Note: exam version pre-dates VSAN)
FC, FCoE, iSCSI, NFS
Skill 2.2.2 Decommission storage
A datastore must be disabled before removing it. Enable/Disable and Remove actions are available by right-clicking a datastore under Manage and Monitor|Datastores. New vApps cannot be added to a disabled datastore. Existing vApps on a disabled datastore cannot be started. A Datastore must be disabled and removed from Provider vDCs before it can be removed. To vacate the datastore, update the datastore’s storage profile assigned in vSphere to one that is not used by vCD-managed VMs. It is not recommended to simply move the VMs via the vSphere client as the Fast Provisioned VMs will be inflated to full clones,
Skill 2.2.3 Create and manage storage profiles
Storage profiles are created and managed within vSphere. They are consumed by and represented within vCD. Storage profiles can be named to reflect tier of storage and list the storage capabilities. Storage profile assignment per datastore cannot be altered from with vCD, only from vSphere.
Storage Profiles are added to Provider vDCs to make the storage available for consumption by vCD.
Storage for an org vDC is allocated per Storage Profile. The default storage profile for an Org vDC is used to house VMDKs where the storage profile is not specified. When VMs are provisioned by vCD, they are assigned a Storage Profile and placed on compliant datastores.
Objective 2.3 – Manage vSphere network resources
Know 2.3.1 Identify vSphere networking components
vSphere Standard Switch (vSS) and vSphere Distributed Switch (vDS). Each vSS or vDS requires at least one physical uplink (vmnic). VMKernal ports can reside on either vSS or vDS.
vDS Uplink Load-balancing options:
- Route based on originating virtual port
- Route based on IP hash. Hash of source and dest IPs to select route
- Route based on physical NIC load
- Use explicit failover order
Skill 2.3.3 Configure vSphere network options including MTU and VLAN
On a vSS, the MTU is set on the vSwitch properties. Each VMKernel port can have its MTU set. VM port groups use the switch MTU. The VLAN for a VM port group or VMKernel port can be edited in its properties
On a vDS, the MTU is set on the vDS advanced properties. Port groups inherit the vDS MTU. On each host, the vmk (Virtual Adapter) is assigned to a vDS port group and can have its MTU set.
Objective 3.2 – Manage vCloud Director network resources
Know 3.2.1 Identify vCloud Director network pool types
Certain Organization networks and all vApp networks are backed by network pools
A network pool can be backed by VLAN IDs, port groups or Cloud isolated networks (vCD-NI)
VLAN-backed relies on a range of VLAN IDs and a vSphere distributed switch. Provides the best security, scalability and performance. VLANs must be isolated at layer 2.
vCD-NI-backed relies on an underlay VLAN ID and a vSphere distributed switch. Additional headers can cause frame to exceed 1500 bytes, set MTU on network pool and physical network to 1600 to avoid fragmentation.
Port Group-backed can use vSphere standard switchs. Port groups must be isolated at layer 2 or physically isolated. Each port group must only a single VLAN. Create one network for each port group.
Skill 3.2.2 Create and manage network pools
Each Organization can have one network pool, multiple organizations can share the same network pool. Only system admins can create and manage network pools
Network pools are created and managed under the Manage & Monitor tab. Network Pool MTU size can be set by right-clicking a network pool name.
Skill 3.2.3 – Create Provider external networks
Existing vSS or vDS port groups on the connected vCenter Server may be selected. Network information is assigned including Gateway, network mask, DNS and a Static IP pool to use for VMs and gateways provisioned in that network by vCD. External networks may be used by multiple provider vDCs, be sure the hosts have access to the network.
Skill 3.2.4 Manage and remove network resources
Before deleting an external network, all of the edge gateways and org vDC networks that rely on it must be removed.
Objective 3.3 – Manage Organization VDCs
Know 3.3.1 Identify org VDC types
The three allocation models an Org vDC may use are: Allocation Pool, Pay-as-you-go, Reservation Pool
- Allocation Pool Only a percentage of the resources you allocate from the Provider vDC are committed to the Org vDC. Adding multiple resource pools to the provider vDC makes the org vDC elastic
- Pay-as-You-Go Resources are committed when users create new vApps in the Org vDC. Specify a percentage of resources to guarantee. Adding multiple resource pools to the provider vDC makes the org vDC elastic. The benefit of the PaYG model is that it can take advantage of new resources added to a provider vDC. No resources are reserved ahead of time, so a VM may fail to power on if insufficient resources are available.
- Reservation Pool All of the resources you allocate are immediately committed to the org vDC. Can fine-tune over-commitment, but it is not elastic and could be configured non-optimally.
Know 3.3.2 Identify org VDC options
An Org vDC must be based on a Provider vDC. The three allocation models are listed in 3.3.1. After selection, the actual resource allocation settings are made. Available Storage policies in the Provider vDC are added to the org vDC and a capacity limit is set. Options to enable thin provisioning and/or fast provisioning are selected. Fast Provisioning is linked cloning. Default is thin provisioning off and fast provisioning on. Optionally, the Org vDC may have a network pool assigned in order to draw from when vApp networks are created.
Know 3.3.3 Identify org VDC network options
An Org vDC network may be directly connected to an external network, be isolated or routed via edge gateway. An Org Network may optionally be shared with other Org vDCs in the Organization.
Skill 3.3.4 Configure storage tiers
Storage Profiles must be created in vSphere and assigned to appropriate datastores based on the datastore capabilities. The Storage profiles are added to the Provider vDCs, then to the Org vDCs. A vApp Template can specify a default Storage profile per VM. When provisioning a vApp from a vApp Template, you may select the storage profile per VM.
Objective 3.4 – Manage an Organization
Know 3.4.1 Identify Organization options and their uses
Org authentication can use:
- vCD system LDAP with or without a specific OU
- Custom LDAP service; vCD system LDAP must be linked to organization’s LDAP
- No LDAP; local vCD users only
Organizations can be granted the ability to share catalogs and publish and/or subscribe to external catalogs.
An Organization can use the system SMTP server and notification settings or use their own.
Leases, Quotas, Leases and Password Policies are set per Org.
Runtime lease: Upon expiration, the vApp is powered off
Storage lease: Upon expiration, the vApp is moved to expired items or deleted permanently depending on the storage cleanup setting
Storage Cleanup: select Move to expired items or delete permanently
vApp Template maximum storage lease: Applies to vApp Templates, move or delete upon expiration
All VMs Quota: Limits the total number of VMs in the org (default: unlimited)
Running VMs Quota: Limits the number of running VMs in the Org (default: unlimited)
Limits can be set to prevent DoS attacks, they are:
- Number of resource intensive operations per user (default: unlimited)
- Number of resource intensive operations per Org (default: unlimited)
- Number of simultaneous connections per VM (default: unlimited)
Local account lockout policies can be enabled, setting the number of invalid logins before lockout and the lockout duration.
Skill 3.4.2 Create and manage Organizations
Existing organizations can be managed on the administration tab of the Org.
The Organization Name and URL cannot be altered, but the full (display) name can.
Options listed in 3.4.1 can be updated plus:
Enable Domain Join – VMs join the LDAP domain using the credentials and OU provided
Federation – Single Sign-On via SAML
Adding new local users and importing groups from LDAP
Skill 3.4.3 Manage Organization policies and settings
See 3.4.1 & 3.4.2
Section 4 – Manage Complex vCloud Director Networks
Objective 4.1 – Configure Organization and vApp network services
Skill 4.1.1 Configure DHCP and DNS relay
DHCP is enabled and configured in the Edge Gateway Edge Gateway Services Properties. Must have an internal network to associate DHCP pool with
DNS relay is enabled in the Edge Gateway properties, DNS requests are received at the Edge and forwarded/relayed.
Skill 4.1.4 Configure and maintain static routes
Static Routes are created and maintained on the Static Routing tab of Edge Gateway Services properties.
Objective 4.2 – Create and maintain cloud networks
Skill 4.2.2 Configure Edge Gateways for availability and scalability
High Availability on an existing Edge Gateway can be enabled on the general tab of the edge gateway properties. This creates a second Edge Appliance and enabled automatic failover to the backup edge gateway.
An Edge Gateway’s configuration can be upgraded from compact to Full to Full-4 to provide more memory and compute resources to the Edge Appliances.
Section 5 – Manage Security
Objective 5.1 Manage vCloud Director SSL Certificates
If using signed certificates, use keytool to create the keystore, the untrusted certificates and the certificate signing requests. After receiving the signed certificates, import the CA’s root cert and the signed certs into the keystore.
If using self-signed certificates, use keytool to create the keystore and untrusted certificates.
The keystore must be readable by any user. Watch for overly-restrictive permissions.
Skill 5.1.1 Create and process certificate requests
Create untrusted certificate for http:
keytool -keystore certificates.ks -storetype JCEKS -storepass <passwd> -genkey -keyalg RSA -alias http
Create Certificate Signing Request named http.csr:
keytool -keystore certificates.ks -storetype JCEKS -storepass <passwd> -certreq -alias http -file http.csr
Import CA’s root certificate from root.cer into keystore:
keytool -keystore certificates.ks -storetype JCEKS -storepass <passwd> -import -alias root -file root.cer
Import CA signed certificate from http.cer:
keytool -keystore certificates.ks -storetype JCEKS -storepass <passwd> -import -alias http -file http.cer
Skill 5.1.2 Replace default certificates
Create new certificates in new keystore. Run $VCLOUD_HOME/bin/configure to provide path to new keystore. Restart services.
Objective 5.2 – Configure and manage vCD access control
Skill 5.2.1 Configure LDAP (Active Directory and Open LDAP)
System LDAP is configured under the Administration Page|LDAP settings. This establishes the default authentication for the system. Organization may use the default/system LDAP or an Organization-specific LDAP. Note that Org-specific LDAP directories must have a trust relationship with the system LDAP directory.
Skill 5.2.2 Import users and groups from a LDAP source
On the Administration Page for System, under System Administrators and Roles|Users, Users may be imported from the LDAP source and assigned to the System Administrator Role.
On the Administration Page for System, under System Administrators and Roles|Groups, Security Groups may be imported from the LDAP source and assigned to the System Administrator Role.
On the Administration Page for an Org, under Members|Users, Users may be imported from the LDAP source and assigned to a Role other than “System Administrators”
On the Administration Page for an Org, under Members|Groups, Security Groups may be imported from the LDAP source and assigned to a Role other than “System Administrators”
Skill 5.2.3 Create and assign roles
Roles are created under System|Administration|System Administrators and Roles|Roles. They can only be created, deleted or edited by System Administrators.
Roles (other than System Administrators) are assigned per Organization to users and/or groups.
Skill 5.2.5 Configure and maintain VMware Single Sign-On for vCloud Suite products
First vCD must be registered with the vSphere Lookup Service under System|Administration|System Settings|Federation. Provide lookup service URL and credentials. Then, the Use vSphere Single Sign-On option becomes available to enable.
Section 6 – Manage catalogs and vApps
Objective 6.1 – Share vApps and catalogs
Skill 6.1.1 Manage catalog sharing and access levels
Catalogs can be shared with Everyone in the Org or with specific users and groups in the Org. Each can be assigned Read Only, Read/Write or Full Control permission to the catalog. If the Org has the “Allow Sharing Catalogs to other organizations” option enabled, the catalog may be shared with all or selected organizations as Read Only.
Skill 6.1.3 Manage Catalog and vApp ownership
Within an Organization, highlight a catalog and select actions|Change Owner to select a different owner of the catalog.
vApps can be shared with selected members of the same Organization. Each can be assigned Read Only, Read/Write or Full Control permission to the vApp.
Objective 6.2 – Create and deploy vApps
Skill 6.2.1 Customize vApps
Open the Properties of an existing vApp to change its name, lease, startup/shutdown order and sharing.
Skill 6.2.2 Manage guest customization including SYSPREP utilities
(vCD 5.1)
- Create a folder on the vCD Cell. Eg: /usr/tmp/sysprepFiles
- Create subfolders for O/Ses. /win2000 /win2k3 /win2k3_64 /winxp /winxp_64
- Run $VCLOUD_HOME/deploymentPackageCreator/createSysprepPackage.sh /usr/tmp/sysprepFiles
- Restart the vmware-vcd services
- Copy $VCLOUD_HOME/guestcustomization/vcloud_sysprep.properties and $VCLOUD_HOME/guestcustomization/windows_deployment_package_sysprep.cab to remaining cells
- Restart the vmware-vcd services on the other cells
Skill 6.3.3 Import media into a catalog
Upon upload, media is copied to the transfer space, then to the datastore corresponding to the catalog.
Objective 6.4 – Manage vApp storage settings
Know 6.4.1 – Understand snapshots, consolidate and chain length
Skill 6.4.2 Create, discard and commit snapshots in vCloud Director
Use Actions|Create Snapshot to create, revert and remove (discard) a snapshot of a vApp.
Skill 6.4.3 Consolidate vApps
Consolidate VMs on the Virtual Machines tab of the vApp Properties.
Skill 6.4.4 Monitor chain length
Chain length for a VM is shown on the VM properties|General tab.
Brian Ragazzi 