ESXi Datastore Performance Battle: iSCSI vs. NFS on Synology NAS with VAAI

Posted on September 29, 2023 by brian.wuchner

I recently got my hands on a new Synology DS723+ and a couple of 4TB HDD disks for my home lab. My plan is to use this device as a backup target, either as a storage destination for my existing backup product, or perhaps switching to the Synology Active Backup application that can be enabled on the Synology device. I’ll be doing a bit more testing with this in the future, and do plan to write up those results in a future post.

However, since I had this new device, I wanted to revisit a decision I made several years ago — whether I should use iSCSI or NFS for my ESXi Datastores. I wanted to do a side-by-side comparison of the protocols to make sure I was using the optimial one. I also wanted to test NFS with & without the NFS VAAI plugin, to make sure it was worth installing as part of host builds. Several years ago, I purchased a Synology DS1817+ to use as the primary storage in my lab and decided to use NFS with the VAAI plugin. This has worked very well for me, but it never hurts to re-think a decision.

For this test I decided to perform a couple of virtual machine copy and move operations. I wanted to use the same virtual machine, but decided to use one smaller template and one that was a bit larger. Here are some storage details on the two VMs that I used for comparisons:

  • photon5 – 16GB VMDK, thin provisioned & using about 860MB on disk
  • win22 – 50GB VMDK, thin provisioned & using about 16GB on disk

Both test VMs were placed on a local NVME disk on a test host which also had a pair of NFS datastores and a pair of iSCSI datastores backed by the Synology DS723+, connected to the network with a single 1GbE port. The DS723+ has two gigabit connections available and can be upgraded to include a 10GbE connection. However, for this test I wanted to focus specifically on storage protocols and having this bottleneck in the network and using HDD instead of SSD seemed acceptable. Changing these factors would improve performance, but my focus of this test was the protocol & VAAI impact instead of pure performance.

To execute the tests & capture results, I decided to use PowerCLI commands inside of a Measure-Command code block and focus on total seconds. I had originally started this test using ESXi 7.0 only, but after seeing another thread mention that the Synology NFS VAAI VIB would work with vSphere 8.0 (although it is not officially supported), I decided to double up all the tests to see if drastic differences existed between the two versions. From the testing below, we can see that the ESXi version had no noticable impact on the testing. I listed the total seconds for the first test only, but did see some variance in multiple runs. I suspect if we averaged the results across 10 runs they would be even closer to the same value.

Test1: Full VM Copy across the network – completed & measured using syntax similar to: Measure-Command {New-VM -VM 'localdisk_photon5' -Name 'nfs_photon5' -VMHost 'testhost' -Datastore 'nfs1'} | Select-Object TotalSeconds

VMESXiSource DSDest DSTime (seconds)
photon57.0u3LocalNFS12.25
photon58.0u1LocalNFS13.80
photon57.0u3LocaliSCSI10.98
photon58.0u1LocaliSCSI11.96
win227.0u3LocalNFS169.53
win228.0u1LocalNFS164.36
win227.0u3LocaliSCSI178.77
win228.0u1LocaliSCSI168.55
Results of Test Case 1

Based on the table above, we can see that the performance of all the New-VM operations are roughly the same for the same per source VM size.

Test2: Full VM Copy between datastores of the same type – completed & measured using syntax similar to: Measure-Command { Move-VM -VM 'nfs_photon5' -Datastore 'nfs2' } | Select-Object TotalSeconds

VMESXiSource DSDest DSTime (seconds)
photon57.0u3NFSNFS428.32
photon58.0u1NFSNFS430.61
photon57.0u3NFS (VAAI)NFS (VAAI)22.31
photon58.0u1NFS (VAAI)NFS (VAAI)21.97
photon57.0u3iSCSIiSCSI2.45
photon58.0u1iSCSIiSCSI3.56
win227.0u3NFSNFS1384.99
win228.0u1NFSNFS1387.60
win227.0u3NFS (VAAI)NFS (VAAI)231.77
win228.0u1NFS (VAAI)NFS (VAAI)225.20
win227.0u3iSCSIiSCSI4.54
win228.0u1iSCSIiSCSI4.56
Results of Test Case 2

I did not include specific results, but the tests observed above for Move-VM had similar results to New-VM copies that used the same source/destination datastores. For example, a Windows 2022 New-VM from iSCSI to iSCSI (similar to the last 2 rows of the above table) only took 3.83 seconds. This is most likely due to the fact that both clone and migrate requests are using the XCOPY VAAI primitive, described here: https://core.vmware.com/resource/vmware-vsphere-apis-array-integration-vaai#sec9410-sub4.

Based on the table above, we observe some differences for NFS vs. iSCSI. Installing the NFS VAAI plugin offered a significant improvement vs. the default NFS configuration. However, the VAAI iSCSI performance for Move-VM operations was noticeably better than the best case NFS configuartion.

Summary: These are not the results I had initially expected. I had assumed NFS performance with VAAI enabled would have been much closer to the iSCSI performance numbers. I was very impressed by the iSCSI performance for clones/moves when using VAAI. Based on Test 1, I’m likely to leave the majority of VMs already deployed in their current NFS configuration. I don’t move the VMs around and the VMs aren’t observing any latency, so I can’t think of a compelling reason to go back & move them. However, based on Test 2, I do plan to make some changes. I currently have a couple Aria Automation deployments that use linked clones to improve provisioning times. I’m likely to revisit that configuration, moving the template VMs & target deployments to iSCSI datastores backed by the same Synology array to unlock the super-fast cloning.

Posted in Lab Infrastructure, Virtualization | 1 Comment

Content Library item validation with Power CLI

Posted on September 5, 2023 by brian.wuchner

Have you ever had a new site come online and want to validate that the items in a subscriber content library are in sync? Or experience some storage issues/corruption and want to make sure your sync’d library is still intact? This post will use a PowerCLI script to quickly validate items in a content library. 

$contentLibraryName = 'h114-sub'
$testHost = 'lab-esxi-02.example.org'
$testDatastore = 'local-hdd'

foreach ($clitem in ( Get-ContentLibraryItem -ContentLibrary $contentLibraryName -ItemType ovf | Sort-Object Name ) ) {
  "Starting deploy of item $($clitem.name)..."
  $thisNewVM = $clitem | New-VM -Name "Test_$($clitem.Name)" -VMHost $testHost -Datastore $testDatastore
  if ($thisNewVM) {
    "  New VM created. Will attempt power on."
    [void]($thisNewVM | Get-NetworkAdapter | Set-NetworkAdapter -StartConnected:$false -confirm:$false)
    $thisVMstarted = $thisNewVM | Start-VM | Wait-Tools
    if ($thisVMstarted) {
      "  Startup success, doing cleanup."
      [void]($thisVMstarted | Stop-VM -Confirm:$false)
      [void]($thisVMstarted | Remove-VM -DeletePermanently -Confirm:$false)
    } else {
      "  There was an issue with a test VM for content library item $($clitem.Name).  Cleanup not completed."
    }
  } else {
    write-warning "  Failure occured creating new VM based on $($clitem.Name)!"
  }
}

This script has three variables that must be defined — the name of the subscriber content library, a test host in the site/environment you wish to test, and a datastore from that test host to use for provisioning.

The script will retrieve a list of OVF templates, deploy a new VM from each using the creative name Test + the name of the content library item. Once the item is deployed, the VM will be powered on and wait for tools to start. If Tools start successfully, we can likely assume that the VM is in working order, so the script proceeds to power off/delete the test VM, otherwise it will throw a warning to the screen and continue.

During testing I encountered/created a few issues which I’ll describe below.

The first was caused by an ’empty’ VM which didn’t have an OS installed. It failed with an error that VMware Tools was not installed. The script didn’t delete this VM, but after reviewing an confirming this was expected behavior for the VM, I deleted it anyway.

Wait-Tools : 8/21/2023 6:53:45 AM       Wait-Tools              The specified VM 'Test_emptyVM-notools' does not have VMware Tools
installed.
At line:7 char:46
+     $thisVMstarted = $thisNewVM | Start-VM | Wait-Tools
+                                              ~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Test_emptyVM-notools:VirtualMachineImpl) [Wait-Tools], ViError
    + FullyQualifiedErrorId : Client20_VmGuestServiceImpl_WaitTools_ToolsNotInstalledOrVersionIncorrect,VMware.VimAuto
   mation.ViCore.Cmdlets.Commands.WaitTools

To contrive the next error, I ssh’d to the test host, found the content library item on the filesystem, and intentionally corrupted the VMDK by running echo blah > emptyVM-notools-1_248c256e-cab1-4512-b7a0-48322ad4a7bf-flat.vmdk. This resulted in the following error (read below the next error for the resolution to this):

New-VM : 8/21/2023 6:15:29 AM   New-VM          Transfer failed: Error during transfer of
ds:///vmfs/volumes/639245e5-399bba0d-e1e8-000c2927a169//Test_emptyVM-notools/Test_emptyVM-notools.vmdk: The virtual
disk is either corrupted or not a supported format..
At line:3 char:26
+ ... = $clitem | New-VM -Name "Test_$($clitem.Name)" -VMHost $testHost -Da ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-VM], ViError
    + FullyQualifiedErrorId : ViCore_VMServiceImpl_DeployFromLibraryItem_ViNetException,VMware.VimAutomation.ViCore.Cm
   dlets.Commands.NewVM

After capturing this error, I deleted the files associated with the content library item. I had assumed that these missing files would trigger the content library to re-sync the content. Instead, I received the following error:

New-VM : 8/21/2023 6:22:32 AM   New-VM          Transfer failed: Error during transfer of ds:///vmfs/volumes/639245e5-399bba0d-e1e8-000c2927a169//contentlib-21c270a1-11
7e-4982-a014-ac122fdb74eb/088a872b-1098-441b-807a-251f76402991/emptyVM-notools-1_248c256e-cab1-4512-b7a0-48322ad4a7bf.vmdk?serverId=bad2b868-9a1e-4d68-ba7e-26
0f397cc0ca: Failed to resolve source datastore file URI(ds:///vmfs/volumes/639245e5-399bba0d-e1e8-000c2927a169//contentlib-21c270a1-117e-4982-a014-ac122fdb74e
b/088a872b-1098-441b-807a-251f76402991/emptyVM-notools-1_248c256e-cab1-4512-b7a0-48322ad4a7bf.vmdk?serverId=bad2b868-9a1e-4d68-ba7e-260f397cc0ca).
At line:3 char:26
+ ... = $clitem | New-VM -Name "Test_$($clitem.Name)" -VMHost $testHost -Da ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-VM], ViError
    + FullyQualifiedErrorId : ViCore_VMServiceImpl_DeployFromLibraryItem_ViNetException,VMware.VimAutomation.ViCore.Cmdlets.Commands.NewVM

To address the previous two items, I found the ‘bad’ content library item in the web interface, right clicked and selected delete item content. I had expected this operation to fail, as I assumed that content could only be deleted from the publisher repo and not the subscriber repo. However, this command was successful, removing the ‘size’ property of the item from the content library as if it had never sync’d. Rerunning the script to deploy this content library item caused the item to replicate and the deployment was successful.

Hopefully this script can help you validate content library items if needed. If you have any suggestions on how to improve this script, please leave a comment.

Posted in Lab Infrastructure, Virtualization | Leave a comment

Aria Automation Internal IPAM reserve / release API

Posted on August 29, 2023 by brian.wuchner

In the May 2023/8.12.1 release notes for Aria Automation, one of the what’s new items was the ability to reserve/unreserve an IP address to make it unavailable/available for deployment. In this release the functionality is supported via API only. This post will cover how to connect to and consume this API

The first thing we’ll look at is the network elements from the web interface to show which object we’ll be interacting with from the API. Under Assembler > Infrastructure > Network Profiles we see various networks. In this case we’ll use VLAN40, which in my lab contains physical network devices.

We will open this tile, then select the Networks tab. From here we can see the 192.168.40.0/24 network.

We will select the Network and then click Manage IP Ranges.

This ‘VLAN40 – Network Devices’ name (which I intentionally set different that the network profile name above) is the one we see when calling the API for a list of network-ranges. I defined the range as being 192.168.40.10 through 192.168.40.199, for a total of 190 usable addresses. Now that we’ve seen the elements in the web interface, we will interact with them using this new API.

Our first task will be logging into the API. We will provide a username/password to obtain a refresh token, then we’ll use that token to obtain a bearer token. This is based on the postman example from this KB article: https://kb.vmware.com/s/article/89129. 

$vraHost = 'https://cm-vra-01.lab.enterpriseadmins.org'

$restBody = @{
  username='configadmin'
  password='VMware1!'
  domain='System Domain'
} | Convertto-Json

$refreshToken = Invoke-RestMethod -Uri "$($vraHost)/csp/gateway/am/api/login?access_token" -Method 'POST' -Body $restBody -ContentType 'application/json'
$bearerToken = Invoke-RestMethod -Uri "$($vraHost)/iaas/api/login" -Method 'POST' -Body $(@{refreshToken=$($refreshToken.'refresh_token')}|ConvertTo-Json) -ContentType 'application/json'

Once we have our bearer token, we can use it as a header in our future posts. For example, to obtain a list of network-ip-ranages, we’ll use:

$networkIpRanges = Invoke-RestMethod -Uri "$($vraHost)/iaas/api/network-ip-ranges" -Method 'GET' -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}

We know from the web interface that the name of our network range is ‘VLAN40 – Network Devices’. We will use a where-object (using the question mark alias) to find the ID of this network.

$thisNetId=($networkIpRanges.content | ?{$_.Name -match 'vlan40'}).id

$networkIpRequest = Invoke-RestMethod -Uri "$($vraHost)/iaas/api/network-ip-ranges/$thisNetId/ip-addresses/allocate" -Method 'POST' -body $(@{description='I need some IPs for the demo app'; numberOfIps=2}|ConvertTo-Json) -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}

# wait a few seconds for the request to complete, then ask for results
$reqId = $networkIpRequest.id
foreach ($thisResource in (Invoke-RestMethod -Uri "$($vraHost)/iaas/api/request-tracker/$reqId" -Method 'GET' -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}).Resources) {
  Invoke-RestMethod -Uri "$($vraHost)$($thisResource)?apiVersion=2021-07-15" -Method 'GET' -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}
}

The networkIpRequest object that results will have an ID property to identify that specific network. In the codeblock below, we will use that ID to get the status of that request. Since we specified that we needed 2 addresses, the Resources property will be a collection of resource IDs. We will loop through the addresses and get more details on each item

$reqId = $networkIpRequest.id
foreach ($thisResource in (Invoke-RestMethod -Uri "$($vraHost)/iaas/api/request-tracker/$reqId" -Method 'GET' -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}).Resources) {
  Invoke-RestMethod -Uri "$($vraHost)$($thisResource)?apiVersion=2021-07-15" -Method 'GET' -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}
}

The above code will return the details of the two IP addresses that were allocated, results below.

ipAddress             : 192.168.40.10
ipAddressDecimalValue : 3232245770
ipVersion             : IPv4
ipAddressStatus       : ALLOCATED
ipAllocationType      : USER
description           : I need some IPs for the demo app
id                    : 3f025212-e50a-430e-a8f2-baf0e53deb8f
createdAt             : 2023-08-28
updatedAt             : 2023-08-28
orgId                 : e142c6b9-379b-4754-9790-00b4f4373ca4
_links                : @{network-ip-range=; self=}

ipAddress             : 192.168.40.11
ipAddressDecimalValue : 3232245771
ipVersion             : IPv4
ipAddressStatus       : ALLOCATED
ipAllocationType      : USER
description           : I need some IPs for the demo app
id                    : 32416121-39b5-4462-8d51-2bf6743368fa
createdAt             : 2023-08-28
updatedAt             : 2023-08-28
orgId                 : e142c6b9-379b-4754-9790-00b4f4373ca4
_links                : @{network-ip-range=; self=}

As you can see, 192.168.40.10 and 192.168.40.11 are the first two addresses in the pool and those are the ones given to us for our demo app.

Lets assume that we ended up only needing one of those addresses and now want to return / release one to the pool. We can do this with the API as well. The following code needs the Network ID from above, as well as the specific address we want to release. In this example we will return 192.168.40.11.

Invoke-RestMethod -Uri "$($vraHost)/iaas/api/network-ip-ranges/$thisNetId/ip-addresses/release"  -Method 'POST' -body $(@{ipAddresses=@('192.168.40.11')}|ConvertTo-Json) -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}

This will again return a task ID which looks like this:

progress : 1
status   : INPROGRESS
name     : IP Address Release Task
id       : ad5dc112-3dfc-4f7c-836a-6808084bcd56
selfLink : /iaas/api/request-tracker/ad5dc112-3dfc-4f7c-836a-6808084bcd56

To confirm this completed, we could post to the 'selfLink' to get a status, but instead we will look at our network-ip-ranage and see which addresses are in use. In this case we would only expect 1 address, the 192.168.40.10 IP.

(Invoke-RestMethod -Uri "$($vraHost)/iaas/api/network-ip-ranges/$thisNetId/ip-addresses?apiVersion=2021-07-15" -Method 'GET' -ContentType 'application/json' -Headers @{Authorization="Bearer $($bearerToken.token)"}).content


ipAddress             : 192.168.40.10
ipAddressDecimalValue : 3232245770
ipVersion             : IPv4
ipAddressStatus       : ALLOCATED
ipAllocationType      : USER
description           : I need some IPs for the demo app
id                    : 3f025212-e50a-430e-a8f2-baf0e53deb8f
createdAt             : 2023-08-28
updatedAt             : 2023-08-28
orgId                 : e142c6b9-379b-4754-9790-00b4f4373ca4
_links                : @{network-ip-range=; self=}

ipAddress             : 192.168.40.11
ipAddressDecimalValue : 3232245771
ipVersion             : IPv4
ipAddressStatus       : RELEASED
ipAllocationType      : NONE
description           :
id                    : 32416121-39b5-4462-8d51-2bf6743368fa
createdAt             : 2023-08-28
updatedAt             : 2023-08-28
orgId                 : e142c6b9-379b-4754-9790-00b4f4373ca4
_links                : @{network-ip-range=; self=}

As we can see above, the 192.168.40.10 address is allocated, while the 192.168.40.11 address has been released. In this case we can see that only 1 address is in use. If we are in the web interface (Assembler > Infrastructure > Network Profiles > specific tile > Networks > Manage IP Ranges) we can see the same — only 1 address is currently used.

I hope this walkthrough shows how to consume this new API to manage Aria Automation (formerly known as vRealize Automation) internal IPAM.

Posted in Lab Infrastructure, Scripting, Virtualization | Leave a comment

No repositories found for given version.

Posted on August 26, 2023 by brian.wuchner

I was recently working with someone who was using vRealize Suite Lifecycle Manager 8.10 (now known as Aria Suite Lifecycle) to update vRealize Network Insight from version 6.7 to 6.9 (now known as Aria Operations for Networks). The Product Support Pack was updated to the correct version, the binary mapping task had been completed, and the environment trigger inventory sync task completed without issue. However the very next screen where one would normally select the desired version repository had an error which stated “no repositories found for given version.” Even more interestingly, the choices for product version only provided 5.2 and 5.3 as choices. We had expected to see versions 6.8 and 6.9 instead.

After validating we had the correct PSPak and binary again we happened to look at the Lifecycle Operations > Requests tab and sorted by Request Status. We noticed a VRNI upgrade task from this environment in pending action state from early 2021. This task had more options, including one option to delete the request.

On a hunch, we decided to delete this old task. After doing so, the upgrade wizard continued without showing the “no repositories” error, and the drop down list showed the expected versions 6.8 and 6.9.

In the requests UI, there were similar pending tasks for a few other products, like vRealize Automation and vRealize Operations. We didn’t validate, but expect that this issue could be present for other products/environments being updated from within vRealize Lifecycle Manager. To prevent future issues, we decided to delete those pending requests as well. We didn’t see any communities articles or blog posts on this issue, but since it was a rather easy fix I wanted to document it here. I hope this saves you a few minutes of trubleshooting!

Posted in Virtualization | Leave a comment

Using VI/JSON with Powershell

Posted on June 13, 2023 by brian.wuchner

I recently saw a post on a new feature that is enabled by default in vSphere 8.0u1: https://blogs.vmware.com/code/2023/06/10/introducing-vi-json-a-modern-wire-protocol-for-vsphere-management. The article describes a new JSON-based, REST-like protocol named VI/JSON that allows access to all the familiar SOAP XML properties. It seemed interesting, so I decided to try it out with PowerShell.

$vc = 'vc3.example.com'

# Get SessionManager Value
$sessionManagerMoid = (Invoke-RestMethod "https://$VC/sdk/vim25/8.0.1.0/ServiceInstance/ServiceInstance/content").sessionManager.value

# Login/get sessionID
$sessionId = (Invoke-WebRequest -Uri "https://$VC/sdk/vim25/8.0.1.0/SessionManager/$sessionManagerMoid/Login" -Body ( @{'userName'='Administrator@vsphere.local'; 'password'='VMware1!'} | ConvertTo-Json ) -Method:POST -ContentType:'application/json').Headers.'vmware-api-session-id'

# Get output from a specific VM
(Invoke-WebRequest -Headers @{'vmware-api-session-id'=$sessionId} -Uri "https://$VC/sdk/vim25/8.0.1.0/VirtualMachine/vm-48/config" -ContentType:'application/json').Content | ConvertFrom-JSON

The above few lines logs in to the API and returns all the details of a specific VM (specifically moref vm-48 which is passed in via the last URI). I’ve included the first few lines of the output below for reference.

_typeName                    : VirtualMachineConfigInfo
changeVersion                : 2023-06-08T18:12:09.377525Z
modified                     : 1970-01-01T00:00:00Z
name                         : h006-vm-02
guestFullName                : Microsoft Windows Server 2016 or later (64-bit)
version                      : vmx-15
uuid                         : 423f0e56-bfe2-39c5-2096-52b59fdea9b8
createDate                   : 2022-12-05T13:42:45.640154Z
instanceUuid                 : 503fd66a-4f92-950d-18fd-1ab0a4f55ff2

This is an interesting way to get JSON output of objects and can allow for integrations with newer tooling. I hope this PowerShell example is helpful.

Posted in Scripting, Virtualization | Leave a comment