Topics started by Garet
It can sometimes be confusing as to which network port(s) a Nutanix product or service uses. This information can also be helpful when configuring network security or firewall appliances. For the various Nutanix products and services, a handy list of ports, services, their respective protocols, and a simple description of each can be found in the Port Reference documentation of the Portal. This list is conveniently divided into sections corresponding to each Nutanix product or service. Also, specifically regarding the configuration of network firewalls, a recommendation regarding the specific port configuration can be found within the Recommendation on Firewall Ports Config knowledge base article.
It can be found that, when using Nutanix Move to migrate older Windows VMs, an error is exhibited regarding a failure to install the Nutanix App Mobility device drivers and to check if the operating system is SHA2 compatible. This can be due to the fact that certain Windows operating system versions (such as Windows 7 and Windows Server 2008 R2) do not natively support SHA2-signed drivers, which is the type of drivers that Nutanix Move uses. This condition can be overcome by:
- Ensuring that the operating system has all of the latest updates (which are available for it) installed
- Confirming specifically that Microsoft KB 3033929 is installed
More information regarding this can be found within the VirtIO 1.1.6 installation on Windows 7, Windows Server 2008 R2 knowledge base article.
NVIDIA GPUs primarily have two modes of operation: Compute and Graphics.
- Compute Mode: the GPU operates within a configuration that is optimized for high-performance computing applications.
- Graphics Mode: the GPU is optimized for graphics processing and can subsequently be assigned into vGPU profiles for virtual machines (vGPU profiles cannot be used while in compute mode).
Various NVIDIA GPUs are provided with default configurations for either of these modes and, sometimes, it is necessary to change the mode to better suit the corresponding workload of the host. In previous models of GPUs, it has been necessary to temporarily boot an AHV host into an NVIDIA-provided Linux ISO and invoke a “gpumodeswitch” command with options to apply this change. With newer models of GPU, a command can be found natively within the AHV host filesystem after the corresponding GRID driver has been installed. You can find more information regarding this command via the “Nvidia: Unable to Assign vGPUs to guests w
The iSCSI Data Services IP address is used to provide iSCSI access to the cluster storage. It is primarily used by Nutanix Volumes, but is also leveraged by other products such as Calm, Leap, Karbon, Objects and Files. This IP address is owned by one CVM of a cluster at a time, with ownership changing among the CVMs as needed to ensure that it is always available. To note, the iSCSI Data Services IP address CVM owner does not necessarily correlate with the CVM that currently maintains Prism service leadership. To find the current CVM acting as the iSCSI Data Services IP address owner, simply obtain the IP address output from all of the CVMs (generally by using the “allssh ifconfig” command) and verify which CVM reports as having this address. To find when an ownership change has occurred, the Stargate service logs from each CVM can be filtered for entries regarding “eth0:2”. You can find more information regarding the iSCSI Data Services IP Address from the Nutanix Volumes Guide along wit
The shutdown token is used by a Nutanix cluster to prevent more than one entity from being down or offline during the occasion of software upgrades or other cluster maintenance. The CVM that is holding the token is the only entity allowed to be down or offline. Sometimes, for various reasons, a CVM can remain holding the token even after an upgrade or maintenance has been successfully completed. This usually does not cause any issues, however, until another upgrade or maintenance is invoked on the cluster sometime in the future. Upgrades or other maintenance pre-checks will search for any unrevoked tokens and, if existing, not proceed until that token has been properly revoked. Before manually revoking the token, it is good practice to verify that there are indeed no outstanding or ongoing upgrades or maintenance activities currently occurring with the cluster. Once confirmed, manual token revocation is often accomplished by a simple restart of the Genesis service on the CVM currently
When migrating Windows VMs from AWS into a Nutanix cluster and while using automatic Windows VM preparation, it is important to verify permissions configurations in two places within AWS. Specifically, the permissions for the AWS account that is provided when adding an AWS source into Move and the permissions of the IAM profile associated with the VM instance to be migrated. AWS allows permissions configurations to be viewed/updated in a JSON format. Further, the Move User Guide also lists the necessary permissions for these entities in a JSON format. These JSON values can then be reviewed/compared and, if any of the permissions are missing or configured incorrectly from AWS, simply update the permissions according to the User Guide values. Also, it should be verified that the Windows VM instance is properly managed by the AWS SSM Manager prior to a migration attempt. Further information regarding this can be found within the AWS to Nutanix Clusters on AWS and AHV VM Migration section
Many users are not aware that a recent change has been made to the default password setting of new Nutanix nodes. Specifically, the default password for the IPMI interface is now the serial number of the node itself (using capital letters). Please note that the node serial number is different from the block serial number. You can find more information regarding this change as per the Common BMC and IPMI Utilities and Examples Knowledge Base article. Also, if you desire to change the IPMI password, you can do so using the IPMI management utility located within the file system of the operating system running on the node. Further, you can even change the password, without having an operating system installed/running, by using the utility from a bootable DOS environment. You can find more information regarding this within the Changing the IPMI Password section of the NX Series Hardware Administration Guide.
In this Google-ready culture, many users will immediately turn to an internet search engine when seeking information regarding a specific question or issue involving Prism. However, many users are unaware that Prism maintains an online help system which responds to and changes depending upon which dashboard is currently being viewed within Prism. For example, a user may be interested in deploying a File Server and may have questions regarding this while reviewing the File Server dashboard within Prism. From that dashboard, simply clicking the global question mark icon from the top menu and selecting the “Help with this page” option will automatically open a new browser tab to the File Server Management section of the Prism Web Console Guide. What’s more, the specific version of the Prism Web Console Guide that is displayed corresponds to the current version of Prism from which it was launched. Further, some of the dialogue boxes within Prism also contain a question mark icon which wi
Flash Mode is a great feature ensuring that VM workloads remain within the flash (SSD) tier of storage. Once flash mode is enabled for a virtual machine, all of the disks associated with that VM (including any future created disks) automatically get added to the flash tier. However, sometimes having so many disks within the flash tier can cause performance degradation for other VMs that are not configured for flash mode (but could benefit from using the flash tier of storage) or can cause the available flash tier space to be consumed too quickly. Further, it is sometimes not desirable to have all of the disks associated with a virtual machine contained within the flash tier. Accordingly and, though not available as a Prism Web user-interface (UI) modifiable option, individual VM disks can be configured to not use the flash tier even while the VM itself is configured for Flash Mode. The procedure for removing individual VM disks from the flash tier involves using the Acropolis Command-Lin
Many users are unaware that there are additional (beyond what is presented via the Prism user-interface) security parameters that can be employed on AHV hosts to increase their overall security. These security parameters are configured via the Nutanix Command-Line Interface (NCLI) and include the following:
- Advanced Intrusion Detection Environment (AIDE) - a file and directory integrity checker
- High Strength Password Enforcement - configure the maximum and minimum number of characters the password must contain along with the number of passwords retained in history to prevent repeated use
- Core Dumps - the recorded state of the working memory for a process is dumped to a file if the process ever crashes
- Login Banner - display a customized message when a user logs in to a node
More information regarding these parameters, including the procedures to enable/disable them, can be found within the Hardening AHV section of the Nutanix Security Guide. Also to note, there are similar parameters
Many users are already aware of how to configure CPU and memory resources for VMs under AHV. However, many users are unaware that these resources can be added even while a VM is running or powered-on. This feature can be particularly useful when an already-running VM is reaching CPU or memory exhaustion and needs to remain online while critical workloads are being processed. However and, different from adding resources while a VM is powered-down, there are some limitations to be aware of:
- Only additional vCPU sockets (not cores) can be added
- The multi-queue storage controller will not dynamically create any additional queues if additional CPU sockets are added
- The amount of memory that can be added is limited to what is currently available on the specific AHV host which is currently hosting the VM
- The number of times that memory can be added while a VM is running is limited to two or three
According to the above limitations, it may be best to limit the use of this feature to explicit
Many users will create a Linux VM on their Nutanix AHV cluster using default installation options, then configure and install any appropriate applications or services within the VM, and then move on to other tasks. While this approach is certainly acceptable, many users are unaware that there are additional modifications that can be made to the Linux VM OS which can enhance the performance or the overall functionality of the VM. For example, there are several Linux kernel parameters which can be configured including “vm.overcommit_memory” and “vm.swappiness”. If leveraging iSCSI connectivity, there are several parameters that can be modified within the iscsid.conf file which can increase performance. Regarding disk usage, volume group striping can be employed using LVM to further increase throughput. There are further parameters that can be employed when mounting disks, and accessing disks can be assisted via a max_sector_kb parameter. You can find more information regarding these modifica
Many users try to periodically execute the NCC health checks as a good offensive tactic against any issues that might appear within their cluster, which is a great idea! However, rather than writing that down as a reminder somewhere or simply trying to remember to do so, many do not realize that this task can be scheduled right from within Prism. The task can be configured to execute as per the following schedules:
- Every 4 hours
- Every Day
- Every Week
When choosing the every day or week options, you are also presented options to configure the execution according to a specific time of the day and specific days of the week respectively. What happens with the results when the scheduled NCC checks are executed? An email is sent to the email recipients configured within the Alert Email Configuration settings of the cluster. For more information, including the specific procedures for configuring this feature, please refer to the Scheduling and Automatically Emailing NCC Results section of the
A Nutanix cluster relies upon passwordless secure-shell (SSH) connectivity between the controller VMs (CVMs) and the hosts. If you are ever prompted for a password when attempting to connect from a CVM to a host using SSH (instead of being taken directly to the host shell), this could indicate that there is an issue with the SSH key exchange. This could also manifest as other issues such as a hypervisor upgrade failing due to the inability to copy the upgrade bundle to the host. However, please be aware that a prompt for a password could also indicate that a username is being attempted for connection which is not configured for passwordless authentication (i.e. not using the “root” username to login to an AHV or ESXi host). A host SSH key exchange issue can sometimes be resolved by verifying that an entry for the public key from each CVM is maintained within the authorized_keys file of each of the hosts. If an entry for any of the CVMs is missing, it can simply be added back with a manu
Many users are unaware that Nutanix Files itself maintains an application programming interface (API) similar to but separate from that of Prism. Nutanix Files uses the same backend service as Prism (Aplos) to respond to requests, and can be connected to using the same port (9440). However, instead of connecting to the Nutanix cluster virtual IP (VIP) address or the IP addresses of any of the controller virtual machines (CVMs), the requests for the Files API would be directed to the Nutanix Files VIP and/or the addresses of the file server virtual machines (FSVMs). The Nutanix Files API can be used to collect information regarding a Nutanix Files instance, and the individual requests can result in the following standard HTTP response codes:
- 200 (successful connection)
- 400 (bad request)
- 404 (the URL is not found)
- 500 (internal server error)
The Nutanix Files API even has an explorer page (similar to that of Prism) which can be used to demonstrate the type of output expected to be r
Many users are unaware that network traffic can be segmented (or separated) within a Nutanix cluster for various functions or purposes. For example, backplane traffic can be separated from Management-Plane Traffic so as to allow for even greater available bandwidth for the backplane traffic. Further, as another example, DMZ related traffic could be isolated to specific host uplinks. The four primary means of network segmentation are the following:
- Isolating Backplane Traffic by using VLANs (Logical Segmentation)
- Isolating Backplane Traffic Physically (Physical Segmentation)
- Isolating Service-Specific Traffic
- Isolating Stargate-to-Stargate traffic over RDMA
To note, certain means of segmentation are limited to certain hypervisor versions. For example, the segmentation of management and backplane traffic is supported across the AHV, ESX and Hyper-V (Hyper-V offering logical segmentation only) hypervisors, while service-specific segmentation is supported only by the AHV and ESX hypervisors.
Many users are unaware that there are additional (beyond what is displayed through the Prism web user-interface) configurable security-related options which can be used to increase the security settings of the controller VMs (CVMs) themselves. These options are modified using the Nutanix Command Line Interface (nCLI) of the CVMs and include some of the following items:
- Enablement of an Advanced Intrusion Detection Environment (AIDE)
- Enforcement of a strong password policy
- Enablement of a defense knowledge consent banner
- Restriction to allow only SNMP version 3
You can find more information regarding these options, including the procedures to enable/disable them, within the Hardening Controller VM section of the AOS Security Guide. Also to note, there are similar options available for Acropolis Hypervisor (AHV) hosts which are configured using the same procedures. You can find more information regarding those options within the Hardening AHV section of this same guide.
As of Nutanix Collector release version 3.0 and later, it is now possible to collect statistics for Hyper-V clusters along with AHV and ESX clusters. From the initial home screen, simply select the “Hyper-V” option from the “Run on” drop-down, then enter the IP address or fully-qualified domain name (FQDN) of a Hyper-V host, followed by the username and password of a Windows administrator from the administrator group. Thereafter, simply select the entities from which you would like to collect statistics and click the “Collect” button. Please note that any Hyper-V hosts being connected to should be running PowerShell version 5 or later. Also, as Collector currently only collects configuration data from Hyper-V clusters, the Collector performance graphs may appear as blank following a successful collection. You can find more information regarding Nutanix Collector from the Nutanix Collector User Guide.
Do you already have many security policies defined within one instance of Flow and have another instance where you need the same set of policies but do not wish to recreate them? Or, do you wish to simply have a backup of your existing security policies just in case you should ever need to restore them sometime in the future? Flow has the native ability to export (and subsequently import) security policies that have already been defined previously. Policies are exported into a single binary file, which can then be transferred to a different instance of Flow or stored away for backup purposes. Please also note that, when importing a previously exported binary file, any existing policies which are already defined within a given Flow instance are automatically removed in favor of the newly imported policies. You can find more information regarding this within the Exporting and Importing Security Policies section of the Flow Microsegmentation Guide.
Nutanix Move is a very versatile tool which is used to migrate existing VMs, from various storage sources and hypervisors, into a Nutanix infrastructure. Many users have already enjoyed its functionality and ease-of-use. Often, users will migrate multitudes of VMs into their new Nutanix infrastructure using Move, and then either delete or forget about the Move VM itself thereafter. Later, when more VMs are sought to be migrated, users will either reinstall Move again or attempt to leverage the Move VM that remained from the previous migration. For those users leveraging an existing Move VM within their infrastructure and, as it is generally a good idea to use the latest version of Move when possible, it is possible to upgrade the Move VM to the latest available version right from its own dashboard (and even by CLI if desired). You can find more information regarding upgrading Move from within the Online Upgrade section of the Move User Guide.
Ever wondered about the underlying mechanism used by AHV hosts to facilitate network communications for themselves and hosted VMs across a network? This underlying mechanism is an open-source software platform called Open vSwitch which operates as a software-defined switch on each host. This software-defined switch operates very similarly to a traditional layer-2 hardware switch in that it learns and maintains MAC addresses and makes frame-forwarding decisions based upon that information. However, it also can be considered much more scalable and extendable. With AHV, each host maintains its own Open vSwitch instance and parameters are passed to these instances using an open-standard protocol called OpenFlow. You can find more information regarding the Open vSwitch platform within the AHV Administration Guide and from the associated Linux Foundation website.
Is it really possible that a networking issue, which exists on the other side of a large/vast network, could manifest locally on a host as NIC CRC errors (rx_crc_errors)? Yes! The way that frames are moved across a network with cut-through switching (which is the model used by current/high-performant data center switches) differs from the traditional store-and-forward model. With store-and-forward switching, frames are entirely received (and error-checked) on a switch before being passed along to the next switch inline. If errors are found within a frame, the frame is not passed along to the next switch. However, with cut-through switching, a switch is simultaneously receiving a frame and already passing it along to the next switch inline! Error checking is then only completed on a frame after it has already left a switch. Accordingly, any errors within the frame simply get passed along to the next switch inline until the frame reaches its final destination. In this way, when troubleshooti
Sometimes, through the normal operation of a hypervisor host, network interfaces (NICs) can become “overwhelmed” and be unable to respond fast enough to traffic being served by an upstream network switch. This condition results in frames, which are subsequently dropped from the receive buffer of the host, going unprocessed or “missed”. Though it is generally not a good situation when a host (and/or a downstream element from the host, like a VM) “misses” network traffic, many applications are robust enough to handle a few misses from time to time. However, if this condition is frequent and/or perpetual, it can cause production issues and alarms would be exhibited from Prism accordingly. To combat a frequent/perpetual condition, there are several available options. For ESX and Hyper-V hosts, the receive buffer size of NICs can simply be increased. For AHV hosts, instead of increasing the receive buffer size, it is recommended to employ load-balancing across the available uplinks.
Did you know that, as of Calm version 3.0 and later releases, all of your Calm data can now be backed-up? Previous versions of Calm, unfortunately, did not allow this functionality. All Calm data can now be backed-up to and restored from a single archive file. Taking a backup of the Calm data involves simply connecting to the Prism Central instance hosting the Calm service via CLI (i.e. via SSH), then connecting to the corresponding docker container (named “nucalm”) and executing a single command. More information regarding this procedure can be found within the “Taking Backup and Restoring Calm Data” section of the “Nutanix Calm Administration and Operations Guide”.
Did you know that many of the health checks and alerts within Prism can be configured according to alert policies? Though it is usually a good idea to leave alert configurations at their default values, some alerts (or checks) can be adjusted to accommodate particular needs through an associated alert policy. For example, if there is a known condition within an environment in which an associated alert goes purposefully and perpetually ignored or overlooked, the associated health check can simply be turned off. Alerts can also be enabled/disabled based upon a particular severity level (i.e. Info, Warning or Critical). Also, even better than outright disabling an alert or check, some alert policies can be configured for auto-resolution if the condition has not recurred within the 48 hours following its initial exhibition. More information regarding the configuration of checks and alerts can be found within the Configuring Health Checks section of the Prism Web Console Guide.