vSAN on HPE Synergy Composable Infrastructure – Part 3

Today’s blog post covers how we configure a Synergy blade, from a OneView perspective, ready to install ESXi and vSAN.

Synergy is centrally managed using HPE OneView. This management appliance is actually a hardware module which slots into the front of the Synergy frames. It is a highly available configuration with active / passive appliances spread across Synergy frames / chassis.
The OneView appliance is capable of managing multiple stacks, so you will only need 1 pair of Synergy appliances per datacentre. The appliances are networked together across multiple Synergy frames using a ring topology, with secondary uplink ports to your datacentre switching infrastructure for connectivity.

In our environment, we have 2 stacks (logical enclosures) of 3 frames, so a total of 6 enclosures, 2 uplinks from the Synergy management ring to datacentre switching.

Getting back to OneView: once the initial setup of Synergy is done (which I will not go into as part of this blog series), you will first of all differentiate the Server Hardware types.
OneView automatically discovers components, so once it’s found your compute modules, it will categorise them into different Server Hardware types.
The benefit of this is that you can instantly identify different compute blades for your various workloads. As our frames have vSAN blades, FC blades, and dual-height blades for HPC, it will separate those out. This is granular right down to the Mezz cards installed.


So, we can see in the above image that I have a server hardware type which I have renamed to make it easy to identify as our vSAN configuration. It has identified which adapters we have installed; the SmartArray P416ie adapter is the important one, as this is the SAS controller which connects out to the D3940 storage module across the frame’s backplane. It has also identified that there are 10 compute modules of this server hardware type, so we can now build a profile template to provision them.

Now onto creating a server profile template. This combines the server hardware type we identified above with an enclosure group to define a set of parameters to apply when creating a server profile against a specific compute module.


The great thing about using a profile template is that it ensures a standard configuration across all the compute modules using that profile, and if you change a setting in the template, you can pull those settings into the server profiles. The template allows you to define the following:
• Firmware baseline
• Connections (such as networking, FC)
• Local storage
• SAN storage (for 3PAR integration)
• Boot settings
• BIOS settings

You can see in the above picture how we have configured our server profile template. For the sake of this blog article I have narrowed it down to the network and storage configuration.
For network connectivity we have a tunnel for each ‘side’ of the frame to ensure redundancy across uplinks to physical networking. These trunk all the VLANs presented from the physical switching infrastructure up to the compute blade, where a DVS will handle the networking config.

We have configured the local storage controller to create a RAID 1 array from the 2 drives internal to the compute module. As per the last blog post, these are 300GB SSDs which we install ESXi on. We use this method because we have still found limitations around SD card installs on hosts with large memory sizes, for core dumps and vSAN traces, and we wanted to avoid having to set up a central log point for this. SATADOMs are an option for Synergy, but the complexity of how these are utilized by the SmartArray controllers was confusing, so we decided to just keep things simple.
The local storage section also incorporates the storage you configure from the D3940 storage module; as it is SAS-attached it is considered local, whereas storage external to Synergy is treated as SAN storage.

This is the cool bit. OneView has already discovered which drives are in the storage module and shows you these when creating the drive mapping. So, for the vSAN capacity tier you can see I have requested 3 x 3.84TB SATA SSDs, and for the cache tier I am requesting a single 800GB SAS SSD. With this configured, when you create a server profile it will automatically assign disks from the storage module in ascending numerical order. Below is a screenshot of the storage module in OneView for reference.

A few more settings for the BIOS and boot order, and we are finished with the template. Now we can use the template to do the heavy lifting of creating server profiles against the compute modules. No cabling of SAS adapters / ports, installing drives, or making network connections in sight!

I will briefly show a screenshot of how you can create a server profile in OneView, but it’s not my style to create 10 server profiles by hand – it’s got to be done in PowerShell!

How do you do this magic in PowerShell? The OneView PowerShell module is actually pretty powerful, and works fantastically for automating Synergy. With a few lines of code, I am able to automatically create all our server profiles ready for installing ESXi. And of course, that’s all going to be automated too.

First of all, you are going to want to obtain the OneView PowerShell Module. You can find it over at the PowerShell Gallery.
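Installing it is a one-liner. Note that the module name on the Gallery is versioned per appliance release – HPOneView.420 below is just an example, so pick the version matching your appliance firmware:

```powershell
# Install the OneView module from the PowerShell Gallery.
# The module name is versioned per appliance release (e.g. HPOneView.420) -
# check the Gallery for the one matching your appliance.
Install-Module -Name HPOneView.420 -Scope CurrentUser
Import-Module HPOneView.420
```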

Creating the profile is actually pretty straightforward. Below is how I bulk-created the profiles for the vSAN compute nodes:
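As a minimal sketch of the approach (this assumes an existing OneView session via Connect-OVMgmt; the template name ‘vSAN-Node’ and the host naming scheme are illustrative assumptions, not our production names):

```powershell
# Sketch: bulk-create server profiles from a template. Cmdlet names are from
# the HPOneView module; the template name and naming scheme are assumptions.
$templateName = 'vSAN-Node'
$profileNames = 1..10 | ForEach-Object { 'vsan-esx-{0:D2}' -f $_ }

# Only attempt creation when the OneView module is loaded and connected.
if (Get-Command New-OVServerProfile -ErrorAction SilentlyContinue) {
    $template = Get-OVServerProfileTemplate -Name $templateName
    $hardware = Get-OVServerHardware -NoProfile |
        Select-Object -First $profileNames.Count

    for ($i = 0; $i -lt $profileNames.Count; $i++) {
        # Each profile pulls connections, local storage and the D3940 disk
        # allocation from the template automatically.
        New-OVServerProfile -Name $profileNames[$i] `
            -ServerProfileTemplate $template `
            -Server $hardware[$i] -Async
    }
}
```

The naming loop is the only clever bit – the template supplies everything else.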

That’s it! I named the hosts in an ascending numerical sequence. The profile will automatically pull in the settings from the template, then assign the SSDs in the D3940 storage module based on the allocation config. Unfortunately, there is no iLO configuration in OneView – which is a shame; OneView has full rights into the iLO for orchestration, so it would be relatively simple for it to put a base configuration down. So, I also automate the base iLO config. For this you will need the HPREST PowerShell module. This effectively sets the password and the iLO hostname, then reboots the iLO. We use DHCP with Dynamic DNS on our iLO management network, so that helps keep things simple. Here’s the code:
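A hedged sketch of that base iLO config, using the HPRESTCmdlets module. The Redfish paths, property names, and the example password/hostname below are assumptions – verify them against your iLO’s Redfish schema and the module’s help before using:

```powershell
# Sketch: set the iLO password and hostname via the REST/Redfish API, then
# reset the iLO. Paths and property names are assumptions for illustration.
$iloAddress = 'ilo-vsan-esx-01'     # hypothetical DHCP/DDNS name
$newName    = 'ilo-vsan-esx-01'

if (Get-Command Connect-HPREST -ErrorAction SilentlyContinue) {
    $cred    = Get-Credential -Message 'Current iLO credentials'
    $session = Connect-HPREST -Address $iloAddress -Credential $cred

    # Change the default account password (account path assumed)
    Set-HPRESTData -Session $session `
        -Odataid '/redfish/v1/AccountService/Accounts/1/' `
        -Setting @{ Password = 'NewStrongPassword!' }

    # Set the iLO hostname on the management NIC (path assumed)
    Set-HPRESTData -Session $session `
        -Odataid '/redfish/v1/Managers/1/EthernetInterfaces/1/' `
        -Setting @{ HostName = $newName }

    # Reset the iLO so the new name registers in Dynamic DNS (path assumed)
    Invoke-HPRESTAction -Session $session `
        -Odataid '/redfish/v1/Managers/1/Actions/Manager.Reset/' -Data @{}
    Disconnect-HPREST -Session $session
}
```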

After this we are ready to start getting ESXi installed, and vSAN Configured!

That’s it for the blog article for today. Next blog post will detail automating the ESXi installation and getting vSAN configured.

vSAN on HPE Synergy Composable Infrastructure – Part 2

Firstly, apologies for the delay in getting the follow-up to this series posted. I am getting all of these together now to post in quicker succession. Hopefully I will have them all posted around VMworld US!

So, this blog post is going to dive into the configuration and components of our vSAN setup using HPE Synergy, based on the overview in Part 1 where I mentioned this would be supporting VDI workloads.

Firstly, a little terminology to help you follow along with the rest of the blog articles:
Frame – Enclosure chassis which can hold up to 12 compute modules, and 8 interconnect modules.
Interconnect – Module providing the linkage between blade connectivity and the datacentre, such as Fibre Channel, Ethernet, and SAS.
Compute Module – Blade server containing CPU, Memory, PCI Expansion cards, and optionally Disk.
Storage Module – Storage chassis within the above frame which can hold up to 40 SFF drives (SAS / SATA, HDD or SSD). Each storage module occupies 2 compute slots.
Stack – Between 1 and 3 Synergy frames combined together to form a single logical enclosure. Allows sharing of Ethernet uplinks to datacentre with Virtual Connect.
Virtual Connect – HPE technology to allow multiple compute nodes to share a smaller set of uplinks to datacentre networking infrastructure. Acts similar to a switch internal to the Synergy stack.

All of the vSAN nodes are contained within a single Synergy frame or chassis. The main reason behind this is that, today, HPE do not support SAS connectivity across multiple frames within a stack, so the compute nodes accessing storage must be in the same frame as the storage module. You can mix the density of storage vs. compute within Synergy however you like; using a single storage module leaves 10 bays for compute.

Our vSAN configuration is set out as so:

1 x Synergy 12000 Frame with:
• 2 x SAS Interconnect Modules
• 2 x Synergy 20Gb Interconnect Link Modules
• 1 x D3940 Storage Module with:
  • 10 x 800GB SAS SSDs for Cache
  • 30 x 3.84TB SATA SSDs for Capacity
  • 2 x I/O Modules
• 10 x SY480 Gen10 compute modules with:
  • 768GB RAM (24 x 32GB DDR4 sticks)
  • 2 x Intel Xeon Gold 6140 CPUs (2.3GHz, 18 cores)
  • 2 x 300GB SSDs (for ESXi installation)
  • Synergy 3820C CNA / Network Adapter
  • P416ie-m SmartArray Controller
The above frame is actually housed within a logical enclosure (stack) containing 3 frames. This means the entire stack shares 2 redundant Virtual Connect interconnects out to the physical switching infrastructure – but in our configuration these are in a different frame to the one containing the vSAN nodes. The stack is interconnected with 20Gb Interconnect Link Modules to a pair of master Virtual Connects. For our environment, we have 4 x 40GbE uplinks to the physical switching infrastructure per stack (2 per redundant interconnect).

We keep our datacentre networking relatively simple, so all VLANs are trunked through the Virtual Connect switches directly to ESXi; we decided not to have any separation of networking, or internal networking configured within Virtual Connect. Therefore, vSAN replication traffic and vMotion traffic will traverse out to the physical switching infrastructure and hairpin back in; however, this is of little concern given the bandwidth available to the stack.

That’s all for an overview of the hardware. But do let me know if there is any other detail you would like to see surrounding this topic! The next post will detail how a blade is ‘cabled’ to use the storage and network in a profile.

vSAN on HPE Synergy Composable Infrastructure – Part 1

It’s been a while since I have posted – I’ve been pulled in many different directions with work priorities, so blogging took a temporary sideline! I am now back, and going to blog about a project I am currently working on to build out an extended VDI vSAN environment.

Our existing vSAN environment is running on DL380 G9 rackmounts, which, whilst we had some initial teething issues, have been particularly solid and reliable of late!

We are almost at the point of exhausting our CPU and memory resources for this environment, and are about 60% utilized on the vSAN datastores across the 3 clusters. With this, it felt a natural fit to expand our vSAN environment as we continue the migration to Windows 10 and manage the explosive growth of the environment – aided by recently implementing Microsoft Azure MFA authentication vs 2-factor using a VPN connection.

As an organization, we are about to refresh a number of HP Gen8 blades in our datacentre, and in looking at going to Gen10 – knowing that this could be the last generation to support the C7000 chassis – we thought it would be a good time to look at other solutions. This is where HPE Synergy composable infrastructure came in! After an initial purchase of 4 frames, and a business requirement causing us to expand this further, we felt that expanding vSAN could be a good fit on Synergy with the D3940 storage module.

Now we have the hardware in the datacentre and finally racked up, I am going to be going through a series of blogs on how vSAN looks on HPE Synergy composable infrastructure: our configuration, and some of the Synergy features / automation capabilities which make this easier to implement vs the traditional DL380 Gen9 rackmount hardware we have in place today. Stay tuned, or follow my Twitter handle for notifications, for more on this series.

Get AHS Data from HPE iLO4+ using PowerShell

I discovered this possibility a year back, and it’s only now that I have invested the time to get it working! It turned out not to be as challenging as I thought; in fact, the hardest bit was getting the authentication token.

I have written a PowerShell function called Get-AHSData which allows you to gather the AHS data from an HPE iLO 4 or newer. These AHS logs are frequently requested by HPE Support when logging calls for ProLiant servers, and downloading them using the iLO UI can be cumbersome – and involves a mouse!

Get-AHSData allows you to specify the server, iLO credentials, and a start / end date for the log range if necessary. By default it will grab metrics for 1 day. You specify a folder to export to, and it will go and grab the file and save it there, returning a file list (if you run it against multiple iLOs).
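As a hypothetical example of a call – the parameter names here are my guesses based on the description above, so check the GitHub repo for the actual signature:

```powershell
# Hypothetical usage of Get-AHSData. Parameter names are assumptions based
# on the description above - see the GitHub repo for the real signature.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date                 # grab a week of AHS data
$dest  = 'C:\Temp\AHS'            # folder the .ahs file will be saved into

if (Get-Command Get-AHSData -ErrorAction SilentlyContinue) {
    $cred = Get-Credential -Message 'iLO credentials'
    Get-AHSData -Server 'ilo-host-01' -Credential $cred `
        -StartDate $start -EndDate $end -Folder $dest
}
```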

Code is out on GitHub Here

Sorry it’s a little long to embed here, and keeping it in GitHub will allow me to iterate it with improvements without having to circle back and update this page.

An example of this running:

Let me know on GitHub if you have any issues, or feel free to fork and improve! I already have a couple of enhancements from my colleagues which I will look to include.

Home Assistant SSL Certificate renewal with uPnP

A slight niggle has been going on with my Home Assistant install for a little while now, where SSL certificate renewals were not happening and I would end up having to renew them manually. The reason I am doing renewals in the first place is that I am using the very capable and free Let’s Encrypt certificates to secure my Home Assistant instance.

I am not going to go into details of how you can provision certificates on Home Assistant, as this is covered very well on the HASS website already LINK

What this post is going to elaborate on, is the authentication process for getting / renewing a certificate.

Let’s Encrypt has a number of security measures for verifying that you are the owner of the system a certificate is being requested for. In terms of HTTP/HTTPS authentication, it will only test against HTTP port 80 or HTTPS port 443, as these are privileged ports in Linux, requiring elevated permissions for an application to claim them for listening.
I would hope most others are like myself, in that I do not like the idea of permanently opening/redirecting either of these ports to my Home Assistant server just for a certificate renewal, and would rather it be temporary.

The certbot tool, which is used to handle the certificate request/renewal process, can be configured to launch an HTTP web server on a custom port; you then have to redirect either TCP port 80 or 443 (depending on your renewal parameters) to this custom port which certbot is listening on. Usually this step is done at your home router.
Again, configuration of home routers is not something to go into detail on here, as it varies wildly.

I did not want to leave a forward permanently open so Home Assistant could automate its renewal request, and my router does not have any capability to automate the configuration of port forwarding. So I decided to look at a different approach.

In comes uPnP – a network protocol which allows discovery and management of network devices. A subset of this is the ability for an application to request that a port be forwarded to it from your Internet router. This is more applicable in home environments than corporate ones. You likely have applications which do this already. We are going to tag along with those applications and request a port forward temporarily, to allow the certificate renewal.

More information about uPnP is available here.
The implementation I have used in the script for certbot is based on Python’s MiniUPnP bindings and code written by Silas S. Brown.

My complete Home Assistant configurations are available on GitHub, but extracts are below too.

Configuration is generally the same as the Home Assistant guide here but we will make a few tweaks to step 8 (auto-renew process).

I have created a small script which forwards the port using uPnP, requests the certificate, and then removes the port once done. I have customized the process to use port 8124 temporarily, so I do not have to stop/restart Home Assistant to perform the renewal.

So the script looks like this:
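In outline, it does the following. This is a sketch under assumptions: the certbot_upnp.sh arguments and the certbot flags below should be checked against the GitHub repo and your certbot version:

```shell
#!/bin/bash
# Sketch of the renewal wrapper: open a temporary uPnP port-forward,
# run certbot's standalone renewal on port 8124, then remove the forward.
# The certbot_upnp.sh arguments and certbot flags are assumptions.
set -e
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

# Nothing to do if certbot-auto is not alongside this script
[ -x "$SCRIPT_DIR/certbot-auto" ] || exit 0

# 1. Ask the router via uPnP to forward an external port to local 8124
"$SCRIPT_DIR/certbot_upnp.sh" add

# 2. Renew using certbot's built-in web server on port 8124, so Home
#    Assistant itself does not need to be stopped
"$SCRIPT_DIR/certbot-auto" renew --standalone \
    --preferred-challenges http --http-01-port 8124 \
    --quiet --no-self-upgrade

# 3. Remove the temporary forward again
"$SCRIPT_DIR/certbot_upnp.sh" remove
```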

Simply replace the ‘certbot-auto’ line in step 8 of the guide with the path to the above script. Also save the script file below to the same location.

The certbot_upnp.sh script being called above is an additional Python script to perform the actual port forwarding. I customized it from Silas’ code to simplify the request, and have hard-coded the ports in the script for now. You can edit this, and the certbot-auto line, should you wish to use a different port:

NOTE – There is a prerequisite for the uPnP module to work: you will need the python-miniupnp library for the script to run. On Ubuntu, you can install this by:
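Assuming Ubuntu’s archive naming, the package carries a trailing ‘c’ (python-miniupnpc), so the install looks like:

```shell
# MiniUPnP Python bindings needed by the port-forwarding helper.
# On Ubuntu the package is python-miniupnpc (note the trailing 'c').
sudo apt-get update
sudo apt-get install -y python-miniupnpc
```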

I am sure there are much more fluid ways to integrate this, and incorporate it into a Home Assistant component, but I am still rather green with Python. I would be interested to see how others take this and customize it into their workflows!

Flash Marlin 3DP Firmware from Octopi / Raspberry Pi

I thought this would be useful to document here, as it’s something that I can refer back to, and hopefully will help others!

I have an Anet A8 3D Printer for numerous home projects, and I have got so much use out of it since getting it – love the versatility, and have even designed some parts to help around the house!

The printer is managed through the very popular Octoprint. I actually have the dedicated Octopi image running on a Raspberry Pi Zero W which works great and is a very cheap way to get your printer Wi-Fi enabled! It’s pretty much a case of just flashing the image to an SD card, then connecting your printer via a USB cable.

With my printer connected to my Pi, whenever I wanted to update the printer’s firmware (which is flashed with Marlin) I would have to disconnect it from the Pi and connect it to a Windows 10 tablet (as my Mac does not play nice with the serial chip on the printer). So I went in search of a better solution, and came across some tips on how to flash the firmware using a Raspberry Pi (or my Octopi!). Details on this below:

1. Compile your firmware

I’m not going to go into details on how to download or install the firmware – There is plenty of documentation out there on how to do this normally. But I will touch on how to get that firmware ready to install from your Octopi / Raspberry Pi.

The CPU on a Raspberry Pi is rather slow, and doing the full compile on the Pi would take a very long time! Also, as most of the documentation is aimed at configuring Arduino to flash your 3DP firmware, the Octopi not having a GUI installed adds complexity.

So – we can get around this by using your much more powerful PC to compile the firmware. Then it’s just a case of uploading to the Pi and flashing. To compile the firmware into a HEX file in the Arduino IDE:
– Click Sketch -> Export Compiled Binary

This will save the HEX file into the same directory as your ino file. Make a note of where that file is, or have your file explorer open ready for the next step.

2. Upload HEX file to your Octopi / Octoprint

There are plenty of ways you can do this, and you may have a preferred method; however, I am getting the file onto my Octopi using SCP from my Mac. If you are a Windows user you can use WinSCP.
I uploaded the file into the /home/pi folder ready for the next step.

Note: The default password for octopi is the same as Raspbian. User: pi / Password: raspberry

SCP example (run from the folder containing the HEX file):
scp Marlin.ino.sanguino.hex pi@octopi:/home/pi

3. SSH into Octopi and flash firmware

Next you will need to SSH into your Octopi / Raspberry Pi so we can carry out the steps to install and flash. On Windows you can use PuTTY.

Once logged in, install avrdude – the application which runs in the background of Arduino to upload your compiled code. This is what we will use to upload the HEX file to the mainboard:

sudo apt-get update
sudo apt-get install avrdude

Now we need to determine what the (Linux) name of the USB Serial port is that the printer is connected to. The best place to see this is in your connection tab of Octoprint:

As above – in my case it’s /dev/ttyUSB0

Whilst you are in Octoprint, make sure you Disconnect from the printer – that way it will release the Serial port for you to flash the board.

And finally – we can now flash the firmware:

avrdude -p m1284p -c arduino -P [USB Port from Octoprint] -b 57600 -D -U flash:w:[file you uploaded earlier]:i
In my case:
avrdude -p m1284p -c arduino -P /dev/ttyUSB0 -b 57600 -D -U flash:w:Marlin.ino.sanguino.hex:i

NOTE: The above code is specific to the Anet A8 v1.0 board. If you are using a different setup such as RAMPS, you will need to check which processor is being used and adjust accordingly.

The board will automatically reset when complete, and all being well you should be running the new firmware!

Please note – I do not take any responsibility for any damage / bricking / inoperability of your board. Usually these problems are not terminal if something does go wrong, but it’s too much to explain here if something does.

Happy Printing!

New vSAN cmdlet: Get-VSANObjectHealth

Been a while since I posted, so about time I caught up with some things I have been working on!

I will be posting a series of PowerCLI / PowerShell cmdlets to assist with vSAN Day-2 operations. There is plenty out there for creating new clusters, but not much around for helping to troubleshoot / support production environments. Some of these came from the VMworld Europe Hackathon I recently attended, which was a blast! I’ll do my best to credit the others who helped contribute to the creation of these cmdlets.

The first I created, Get-VSANObjectHealth, helps obtain the state of the objects in a vSAN cluster. This is a great way to validate how things are in the environment, as it will give you the different statuses of objects – particularly whether they are degraded or rebuilding. The idea of this cmdlet was to integrate it into our host remediation script so I could verify that all the objects are healthy prior to moving on to the next host. I trust this verification in PowerCLI more than VUM attempting to put a host into maintenance mode and then getting stuck.

Code is below and also posted on GitHub Here

How to use:

Details on the Switches:

– HealthyOnly
Will return True only if all objects are healthy; otherwise it will return False

– ShowObjectUUIDs
Will extend the query to include an array of ObjectUUIDs for each health category. Good if you need to investigate specific objects

– UseCachedInfo
Will use the cached vSAN Health data from the vCenter server rather than forcing an update from the cluster. Great if you need a quick check, but not recommended if you need a current picture of object health (such as just after exiting from Maintenance Mode)
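Putting those switches together, a hypothetical invocation inside a remediation loop might look like this. The -Cluster parameter name and cluster name below are assumptions – check the GitHub code for the actual signature; it also requires PowerCLI and an existing vCenter connection:

```powershell
# Hypothetical usage of Get-VSANObjectHealth in a rolling-remediation loop.
# The -Cluster parameter name and 'vSAN-Cluster' are assumptions; the
# switches are as documented above.
if (Get-Command Get-VSANObjectHealth -ErrorAction SilentlyContinue) {
    $cluster = Get-Cluster -Name 'vSAN-Cluster'   # assumed cluster name

    # Gate the loop on overall object health before touching the next host
    while (-not (Get-VSANObjectHealth -Cluster $cluster -HealthyOnly)) {
        Write-Host 'vSAN objects still resyncing - waiting 60s...'
        Start-Sleep -Seconds 60
    }

    # Dig into specific objects, using cached data for a quick look
    Get-VSANObjectHealth -Cluster $cluster -ShowObjectUUIDs -UseCachedInfo
}
```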

Enjoy, and please do let me know (either via comments here or on GitHub) if there are any other enhancements you would like to see! More cmdlets to come soon.

Spinning Connecting page on Home Assistant

Something that had been bothering me a little over the past week or so, which I only now just had the time to investigate – is Home Assistant sitting with a spinning connecting logo.

Turns out this page comes from the browser elements of the application, and the reason I was getting it is because the script which manages the DNS update of my public IP had stopped!

So if this happens to you – check that you are using the right IP to access your Home Assistant instance!

Luckily things were still working fine in the background.

vSAN Invalid State Component Metadata Fixed!

Just a quick note to follow on from my post regarding the invalid component metadata on vSAN. This is now fixed by VMware in the latest round of patches.

https://kb.vmware.com/kb/2145347

I recently upgraded my lab servers to the latest round of patches (end June 2017), and the errors which had appeared after updating the disk firmware were resolved when I applied the VUM patches. Nice!

Get vSAN Invalid State Metadata using PowerShell

Have had some ‘fun’ with our All-Flash vSAN clusters recently, after updating to 6.0 U3 and VMware certifying new HBA firmware / driver for our HPE DL380 servers. Every time I have updated / rebooted, we end up with invalid metadata:

We’ve had a couple of tickets with VMware on this issue now, and a fix for this is still outstanding. It was scheduled for 6.0 U3 but failed a regression test. So for now, when we patch / reboot, we have to go and fix these!

The vSAN health page shown above only shows the affected component. On a Hybrid environment, you can remove the capacity disk from the diskgroup and re-add to resolve this, but for All-Flash you need to remove the entire diskgroup. Our servers have 2 x diskgroups per host, so we need to identify which diskgroup needs destroying.

To discover the diskgroup, you have to identify which capacity disk the affected component resides on. There is a VMware KB article for this – but it never worked on our vSAN nodes, so VMware support provided us a different set of commands to obtain these. The VMware KB is HERE.

Now, I’ve ended up doing this several times, and decided to pull this into a PowerShell function to make life easier. It will return an object showing the host, disk UUID, disk name & affected components:

The script does require Posh-SSH, as it connects to the host over SSH to obtain the information. You can download this over at the PowerShell Gallery.

Here’s the code I put together:

To use this, just pass in the VMHostName and root credential (using Get-Credential), or just call the function and it will prompt for those and run. Of course, for this to work you will need SSH access enabled on your hosts, and AFAIK it will not work in lockdown mode.
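For reference, a call shaped like that description might look as follows. The function and parameter names here are placeholders based on the description – use the names from the GitHub code:

```powershell
# Hypothetical invocation - function/parameter names are placeholders based
# on the description above. Requires Posh-SSH and SSH enabled on the host.
$hostName = 'esx01.lab.local'       # assumed host name

if (Get-Command Get-VsanInvalidStateMetadata -ErrorAction SilentlyContinue) {
    $rootCred = Get-Credential -UserName root -Message 'ESXi root password'
    Get-VsanInvalidStateMetadata -VMHostName $hostName -Credential $rootCred
}
```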

With the output you can see which capacity disks / diskgroup are affected, to delete and re-create. As you can see from the first screenshot, I’ve had quite a few of these to do today! 🙁

vSAN is pretty darn good when it’s running – but we do have these challenges when any maintenance is required, which is a little more involved than it seems. That said, I think some of our challenges stem from using All-Flash; our small Hybrid test cluster, on the other hand, has always been solid!

Happy Hyper-converging!