Sep 07

Windows Get Some Love with #Docker EE 17.06

With the new release of Docker 17.06 EE, Windows containers get lots of added features. First up is the ability to run Windows and Linux worker nodes in the same cluster. This is great because you get centralized security and logging across your whole environment. Your .NET and Java teams can live in peace and consolidate your infrastructure instead of spinning up separate environments.

Continuous vulnerability scanning of Windows images was added if you have an Advanced EE license. Not only does it scan images, it also alerts when new vulnerabilities are found in existing images.

Bringing everything together, you can use the same overlay networks to connect your application, for example SQL Server on Windows and web servers running on Linux. Your developers can create a single compose file covering both the SQL and web servers.

Other New Windows related features in Docker 17.06:

Windows Server 2016 support
Windows 10586 is marked as deprecated; it will not be supported going forward in stable releases
Integration with Docker Cloud, with the ability to control remote Swarms from the local command line interface (CLI) and view your repositories
Unified login between the Docker CLI, Docker Hub, and Docker Cloud
Sharing a drive can be done on demand, the first time a mount is requested
Add an experimental DNS name for the host: docker.for.win.localhost
Support for client (i.e. “login”) certificates for authenticating registry access (fixes docker/for-win#569)
New installer experience

Sep 06

Nutanix Native File Services (AFS) Now Supports AV Offload Scanning

With AFS 2.2 and AOS 5.1.2, AFS now supports ICAP (Internet Content Adaptation Protocol), a standard protocol that allows file and web servers to be integrated with security products and that is supported by a wide range of security vendors and products. Nutanix chose this method to give customers the ability to choose the antivirus solution that works best for their specific environment.

Following is the workflow for an ICAP-supported antivirus solution:
An SMB client submits a request to open or close a file.
The file server determines if the file needs to be scanned, based on the metadata and virus scan policies. If a scan is needed, the file server sends the file to the ICAP server and issues a scan request.
The ICAP server scans the file and reports the scan results back to the file server.
The file server takes an action based on the scan results:
If the file is infected, the file server quarantines it and returns an “access denied” message to the SMB client.
If the file is clean, it returns the file handle to the SMB client.
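The four-step workflow above, as an added example that is not Nutanix's or any antivirus vendor's code: a toy ICAP scan server and a file-server-side client exchange a real RFC 3507 RESPMOD request over loopback, and the file-server side quarantines and denies access on an infected verdict or hands the file back when it is clean. The scanner host name, service URI, the constructed test signature and the two sample files are assumptions made here; the X-Infection-Found header is the vendor extension most AV products use to report the verdict.

```python
import socket
import threading

# Constructed test signature the toy scanner looks for; stands in for a real AV engine's
# signature database. Nothing here is Nutanix's or a vendor's code.
TOY_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
ICAP_HOST = "scanner.example.invalid"        # hypothetical ICAP server name
ICAP_URI = f"icap://{ICAP_HOST}/avscan"       # hypothetical scan service URI


def build_respmod(content: bytes) -> bytes:
    """File-server side: wrap file content in an ICAP RESPMOD request (RFC 3507).

    The file travels as the body of an encapsulated HTTP response; Encapsulated gives the
    byte offset of each section and the body is chunk-encoded. Allow: 204 lets the scanner
    answer '204 No Content' for a clean file instead of echoing the whole file back.
    """
    http_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(content)}\r\n\r\n".encode()
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(content), content)
    icap_hdr = (f"RESPMOD {ICAP_URI} ICAP/1.0\r\nHost: {ICAP_HOST}\r\nAllow: 204\r\n"
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n").encode()
    return icap_hdr + http_hdr + chunked


def _read_headers(f) -> dict:
    headers = {}
    while True:
        line = f.readline()
        if line in (b"\r\n", b""):
            return headers
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()


def _read_chunked(f) -> bytes:
    body = b""
    while True:
        size = int(f.readline().strip(), 16)
        if size == 0:
            f.readline()                      # CRLF that ends the zero-size chunk
            return body
        body += f.read(size)
        f.readline()                          # CRLF that ends this chunk's data


def toy_icap_server(listener: socket.socket, connections: int) -> None:
    """Scanner side: read RESPMOD requests, answer 204 (clean) or 200 + X-Infection-Found."""
    for _ in range(connections):
        conn, _ = listener.accept()
        with conn, conn.makefile("rb") as f:
            f.readline()                      # request line: RESPMOD <uri> ICAP/1.0
            icap_headers = _read_headers(f)
            offsets = dict(p.strip().split("=") for p in icap_headers["encapsulated"].split(","))
            f.read(int(offsets["res-body"]))  # skip the encapsulated HTTP headers
            content = _read_chunked(f)
            if TOY_SIGNATURE in content:
                reply = (b"ICAP/1.0 200 OK\r\nX-Infection-Found: Type=0; Resolution=2; "
                         b"Threat=Constructed.Test;\r\nEncapsulated: null-body=0\r\n\r\n")
            else:
                reply = b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
            conn.sendall(reply)


def scan_file(content: bytes, addr) -> dict:
    """File-server side: send one file to the ICAP server and interpret the verdict."""
    with socket.create_connection(addr) as s:
        s.sendall(build_respmod(content))
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    status_line, _, header_block = raw.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split(b"\r\n"):
        if b":" in line:
            name, _, value = line.decode().partition(":")
            headers[name.strip().lower()] = value.strip()
    infected = status == 200 and "x-infection-found" in headers
    return {"status": status, "infected": infected, "threat": headers.get("x-infection-found", "")}


def handle_open(filename: str, content: bytes, addr, quarantine: dict) -> str:
    """Step 4 of the workflow: quarantine and deny on infection, otherwise return the handle."""
    verdict = scan_file(content, addr)
    if verdict["infected"]:
        quarantine[filename] = content        # moved aside; only an admin can rescan or release it
        return "access denied"
    return "handle returned"


def run_demo() -> dict:
    """Run the toy scanner on a loopback port and push two constructed files through the workflow."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    threading.Thread(target=toy_icap_server, args=(listener, 2), daemon=True).start()
    addr = listener.getsockname()
    quarantine = {}
    files = {"report.docx": b"quarterly numbers, nothing unusual",          # constructed sample
             "invoice.exe": b"padding " + TOY_SIGNATURE + b" padding"}       # constructed sample
    results = {name: handle_open(name, data, addr, quarantine) for name, data in files.items()}
    listener.close()
    return {"results": results, "quarantined": sorted(quarantine)}


if __name__ == "__main__":
    print(run_demo())
```

The file server only ever sees a status code and headers, never the scanner's signature logic, which is what makes the ICAP split vendor-neutral; the 204 path matters for performance because a clean file is not sent back over the wire.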

The ICAP service runs on each AFS file server and can interact with more than one ICAP server in parallel to support horizontal scale-out of the antivirus server. We recommend configuring two or more ICAP servers for production. The scale-out nature of AFS and one-click optimization greatly mitigates any antivirus scanning performance overhead. If the scanning affects AFS file server VM performance, one-click optimization recommends increasing the virtual CPU resources or scaling out the file server VMs. This feature also allows both the ICAP server and AFS to scale out, ensuring fast responses from the customer’s antivirus vendor.

AFS sets scanning defaults across the entire file server, but scanning is disabled per share until you enable file scanning on that share. You can enable scan on write and scan on read. Scan on write begins when the file is closed, and scan on read occurs when the file is opened. You can also exclude certain file types and files over a certain size. Share scan policies can override any defaults set for the file server.

For each ICAP server, we spin up no more than 10 parallel connections per FSVM and randomly dispatch the file scanning among all the ICAP servers. With heavier workloads, which may encounter many scan requests and use all connections, the scan servers with more processing power scan more files. As soon as the current scan finishes, the next file is picked up from the queue, which keeps the number of active connections at 10.

Once AFS quarantines a file, the admin can rescan, unquarantine, or delete the file. Quarantined files can be searched if it is necessary to restore a file quickly.
If your antivirus vendor doesn’t support ICAP, you can scan the shares by installing an antivirus agent onto a Windows machine and then mounting all the shares from the file server. This approach allows you to schedule scans during periods of low usage. At the desktop or client level, you can set your antivirus solution to scan on write or scan only when files are modified. You can configure high-security environments to scan inline for both reads and writes.

Sep 04

Multi-stage build support in #Docker EE 17.06

New in Docker EE 17.06 is the ability to have multi-stage builds. This is important because you can now grab just the files (artifacts) you need for the next stage of your build and keep your images small, which leads to faster build times. This change allows you to have multiple FROM instructions in your Dockerfile.

Developers can optionally give a build stage a name. That name can then be used in COPY --from=name src dest and in FROM name. If a build stage is defined with that name it takes precedence in these commands; if it is not found, Docker attempts to use an image with that name instead.

FROM node AS test-env
ADD ./ /app
WORKDIR /app
RUN npm install
RUN npm run build

FROM nginx AS prod
COPY --from=test-env /app /var/www/html

You can run subsets of the Dockerfile to get more use out of your work. If you want to build only the test-env stage, add a target to the docker build command with --target test-env.

Aug 29

VMworld attendees get to the Docker booth to save money & time like Visa.

The Docker booth is right beside the Nutanix booth at VMworld this year, so I have seen lots of people there, though not the 23,000 there should be. Docker has been a part of all the announcements whether you realized it or not. There is lots of talk about Google and Kubernetes, but Kubernetes still requires Docker as the container engine, so whether it's Swarm or Kubernetes you're going to be using Docker. If you want enterprise support, the Docker booth is where you want to be visiting and learning what they can do to help you develop better end-to-end software while saving you money.

Docker EE has been in production at Visa for over 6 months, and Visa is seeing improvements in a number of ways:

Provisioning time: Visa can now provision in seconds rather than days even while more application teams join the effort. They can also deliver just-in-time infrastructure across multiple datacenters around the world with a standardized format that works across their diverse set of applications.
Patching & maintenance: With Docker, Visa can simply redeploy an application with a new image. This also allows Visa to respond quickly to new threats as they can deploy patches across their entire environment at one time.
Tech Refresh: Once applications are containerized with Docker, developers do not have to worry about the underlying infrastructure; the infrastructure is invisible.
Multi-tenancy: Docker containers provide both space and time division multiplexing by allowing Visa to provision and deprovision microservices quickly as needed. This allows them to strategically place new services into the available infrastructure, which has allowed the team to support 10x the scale they could previously.

Visa moved a VM-based environment to containers running on bare metal and cut the time to provision and decommission its first containerized app by 50%. By saving time and money on the existing infrastructure and applications, organizations can reinvest the savings, both the time and the money, in transforming the business.

BTW, Nutanix can run bare metal or run AHV to provide a great experience for containers with our own Docker Volume plugin.

Aug 23

#Nutanix #AFS – Cannot access folders/files created with a dot “.”

You may experience issues with third-party applications when accessing folders or files with a dot “.” prefix in the name, such as “.profile” or “.build”.

One of the error messages may look like the one below.

Error message:
The “.profile” has different permissions.

This pertains to folders like “.profile” or “.build”. You can create the folders and see them, but when programs try to access them, access errors are thrown because the “dot files” have different permissions.

There is a configuration option called “hide dot files” in AFS, and it is enabled by default.

You can run the following command on one of the FSVMs to turn off the “hide dot files” option globally.

scli smbcli global "hide dot files" No

Example of the command run successfully below.
nutanix@NTNX-x-x-x-x-A-FSVM:~$ scli smbcli global "hide dot files" no
No existing config 'hide dot files' in smb.conf. Creating a new entry now..!
smb.conf update is successful

Aug 18

Nutanix Docker volume plugin updated

Last week Nutanix published an update to the Nutanix Docker volume plugin with support for Ubuntu, Docker Datacenter compatibility, and improved logging, among other improvements.

Supported scopes for the plugin are global and local. Any other value in Scope is ignored, and local is used. Scope allows cluster managers to handle the volume in different ways. For instance, a scope of global signals to the cluster manager that it only needs to create the volume once instead of on each Docker host.
https://docs.docker.com/engine/extend/plugins_volume/#volumedrivercapabilities
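The Capabilities call and the scope rule just described, as an added example that is not the Nutanix plugin's code: a hypothetical volume plugin answers the volume plugin API's POST /VolumeDriver.Capabilities with a Scope, and an engine-side helper applies the rule that anything other than global or local falls back to local. Real plugins listen on a Unix socket and are called by the Docker engine; here the plugin listens on TCP loopback so the exchange runs stand-alone.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

VALID_SCOPES = ("global", "local")


def effective_scope(capabilities_reply: dict) -> str:
    """Engine-side rule from the plugin docs: any Scope other than global or local is ignored."""
    scope = capabilities_reply.get("Capabilities", {}).get("Scope")
    return scope if scope in VALID_SCOPES else "local"


class ToyVolumePlugin(BaseHTTPRequestHandler):
    """Hypothetical volume plugin that implements only the Capabilities call."""
    advertised_scope = "global"   # a cluster-wide storage backend advertises global

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))   # body is {} for this call
        if self.path == "/VolumeDriver.Capabilities":
            status, body = 200, {"Capabilities": {"Scope": self.advertised_scope}}
        else:
            status, body = 404, {"Err": f"unsupported call {self.path}"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/vnd.docker.plugins.v1+json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):   # keep the demo quiet
        pass


def query_scope(port: int) -> str:
    """What the engine does at plugin activation: POST to Capabilities and normalise the answer."""
    req = Request(f"http://127.0.0.1:{port}/VolumeDriver.Capabilities", data=b"{}", method="POST")
    with urlopen(req) as resp:
        return effective_scope(json.load(resp))


def run_demo(advertised: str = "global") -> str:
    """Start the toy plugin with the given advertised Scope and return the scope the engine would use."""
    ToyVolumePlugin.advertised_scope = advertised
    server = HTTPServer(("127.0.0.1", 0), ToyVolumePlugin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return query_scope(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo("global"), run_demo("cluster"))
```

A plugin that advertises a value like "cluster" is silently treated as local, so the swarm manager would create the volume on every host; checking the advertised scope is the first thing to verify when a cluster-wide volume appears to be created more than once.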

Aug 16

Move Your DBs From Cloud or 3-Tier Clunker to Nutanix with Xtract

Xtract for DBs enables you to migrate your Microsoft SQL Server instances from non-Nutanix infrastructures (source) to Nutanix Cloud Platform (target) with a 1-click operation. You can migrate both virtual and physical SQL Servers to Nutanix. Xtract captures the state of your source SQL Server environments, applies any recommended changes, recreates the state on Nutanix, and then migrates the underlying data.

Xtract is a virtual appliance that runs as a web application. It migrates your source SQL Server instances to Nutanix in the following four phases:

Scanning. Scans and discovers your existing SQL Server environments through application-level inspection.
Design. Creates an automated best practice design for the target SQL Servers.
Deployment. Automates the full-stack deployment of the target SQL Servers with best practices.
Migration. Migrates the underlying SQL Server databases and security settings from your source SQL Servers to the target SQL Servers.
Note: Xtract supports SQL Server 2008 R2 through SQL Server 2016 running on Windows 2008 through Windows 2012 R2.

Xtract first scans your source SQL Server instances, so that it can generate a best-practice design template for your target SQL Server environment. To scan the source SQL Server instances, Xtract requires the access credentials of the source SQL Server instances to connect to the listening ports.

You can group one or more SQL Server instances for migration. Xtract performs migrations at the instance level, which means that all databases registered to a SQL Server instance are migrated and managed as part of a single migration plan. Xtract allows you to create multiple migration plans to assist with a phased migration of different SQL Server instances over time.


Once the full restore is complete and transaction logs are being replayed, you can perform one of the following actions on your SQL Server instances from the Migration Plans screen:

Start Cutover
The cutover operation quiesces the source SQL Server databases by placing them in single-user mode, takes a final backup, restores the backup to the target server, and then brings all the databases on the target server online and ready for use. This action completes all migration activities for a migration plan.

Test

The test operation takes a point-in-time copy of the databases in the source instance and brings them online for testing in the target SQL Server instance. This action does not provide a rollback. Once a Test action has been initiated, you can perform tests on the copy. However, if you want to perform a cutover after the Test operation, you should begin again from the scanning phase.

Come to the Nutanix Booth at VMworld in Vegas to see it in action. One-click yourself out of your AWS bill.

Aug 16

Top 10 Reasons Why Nutanix Is The Best Platform For Horizon View

1) Turn key-solution for desktops and RDSH with vGPU.
2) All roads lead to a non-persistent desktop, which means App Volumes and UEM or a 3rd party (Liquidware). The best home for user and profile data is Acropolis File Services (AFS). VDI is scale-out, so your NAS should be too.
3) Easy restore of user files setting on AFS.
4) Easy DR for AFS.
5) An AFS Home Share can spread over multiple VMs, allowing only 1 Group Policy to manage.
6) Data locality for boot storms if you’re not using instant-clones and protection from noisy neighbour under load.
7) 2nd Copy of all data is placed based on capacity and performance to help with #5.
8) Shadow Clones and inline-dedupe for App Volume for in-memory Applications.
9) One Click Upgrades to get features, maintenance and security fixes without having to upgrade ESXi.
10) Over 400 health checks to make sure your desktops run smoothly.

Aug 15

NTC Pro Tip: Volume Groups to Save Bandwidth

Nutanix Technology Champion

Today there is no way to exclude certain disks from being replicated with a protection domain on Nutanix. If you have a database that you're dumping backup files to, this can be problematic. To get around the problem you can use a Volume Group for the backup drive. When you go to select your SQL VM, make sure to unselect “auto protect related entities” if you have Nutanix Guest Tools, as it will otherwise automatically add the Volume Groups for you.

By using a volume group on AHV and ESXi, ADS will automatically host the vDisks on nodes that are lightly loaded if load becomes heavy. No user action is needed. One-Click, so you can find another problem to pound your head against the desk for. 🙂

Jul 06

Recovery Points and Schedules with Near-Sync on Nutanix

Primer post on near-sync

For the GA release, near-sync will only be offered with a telescopic schedule (time-based retention). When you set the RPO anywhere from 1 min up to 15 min, you will have the option to keep your snapshots for X number of weeks or months.

As example if you set the RPO to 1 min and schedule 1 month retention it would look like this:

X = the RPO
Y = the schedule

Every X min, create a snapshot retained for 15 mins (These are the Light-Weight Snaps. They appear as normal snap in Prism)
Every hour create a snapshot retained for 6 hours.
Every day, create a snapshot retained for 1 week
One weekly snapshot retained for 4 weeks (If you select a schedule to retain for 7 weeks, Y would be 7 weeks and no monthly snap would occur)
One Monthly snapshot retained for Y months.

Subject to change, as we’re still finalizing sizing and thresholds based on real-world testing but the user will have an option to change these retention values via NCLI.
