High-performance culture, redux
Author: Scott Moonen
High-performance culture
Unexpected reboot when rekeying a virtual machine
In recent builds of vSphere 7 and vSphere 8, my team has experienced unexpected spontaneous reboots of virtual machines while rekeying them. In our case we were rekeying these machines against a new key provider.
EDIT: Broadcom support has now published KB 387897 documenting this issue. The issue is a kind of race condition between the rekey task and some other activity that is touching the changed block tracking (CBT) file for the virtual machine. Under some conditions the latter activity fails to open the CBT file, and vSphere HA reboots the virtual machine.
The reboots seem unpredictable. Although we are using CBT for backup, we had no in-flight backup job running at the time (since you cannot rekey a virtual machine with snapshots). At times as few as 1% of the rekeyed machines were spontaneously rebooted, but at other times as high as 20% were affected.
We understand that Broadcom will fix this race condition in a future release, but in the meantime if you plan to rekey a virtual machine that is using CBT for backup or replication, you should either:
- Perform an orderly shutdown of the virtual machine if you cannot tolerate a spontaneous reboot, or
- Disable CBT for the duration of the rekey. You need to evaluate whether your BCDR software can tolerate this, or if you need to perform a full backup or replication to recover from the loss of CBT.
Common vCenter KMS problems and optimizations
Here I collect some blog posts with vCenter key provider configuration recommendations:
- If you plan to rekey your vSphere-encrypted virtual machines, you should understand and prepare for the possibility that they may be unexpectedly rebooted
- If you have intermittent connectivity alerts for your key provider, you should investigate whether the vCenter trust store holds expired certificates.
- For various reasons you should consider configuring vCenter to trust your KMIP server’s CA certificate instead of end-entity certificate
- By doing this you will not have to reconfigure trust as frequently, nor will you need to purge expired keys from your trust store as frequently
- This also corrects rare situations where the end-entity certificates for your KMIP server may vary from time to time (e.g., if there are several servers with differing certificates behind a load balancer)
- If your attempt to make your key provider trust vCenter fails, it may be because you used an older vCenter certificate or because you encountered a vCenter UI bug and copied the wrong certificate.
- If you encounter unexpected “failure to decrypt” errors when migrating encrypted VMs, starting them, or creating a snapshot, you should check whether you have upgraded to vCenter 7.0u3o or higher.
- You should be aware that VMware purposely leaks keys as objects are rekeyed or deleted, and plan to identify and cleanup these keys when they are no longer needed.
And here are some additional VMware encryption resources:
Experts
Thought leadership
Defect at the origin
Intermittent vCenter KMS connectivity alarms
I’ve seen a number of cases where vCenter issues intermittent KMS connectivity alarms. This often happens in environments where the network or KMS latency is relatively high. One tip provided by VMware / Broadcom support is to remove expired KMS certificates from the vCenter trust store. This is only my impression, but as best as I can tell, these expired certificates do not prevent successful connectivity, but they can contribute to an increased processing delay which is more likely to trigger health alarms.
If you are experiencing one of the following alarms intermittently, you should consider a cleanup of expired CA certificates:
- Certificate Status
- Key Management Server Health Status Alarm
- KMS Server Certificate Status
Broadcom support referred us to the following Knowledge Base articles to view and remove certificates from the vCenter trust store:
In particular, for KMS related alarms, you want to evaluate the certificates in the KMS_ENCRYPTION trust store.
FRagile
Outrushing the fall of man
Merry Christmas!
full◦valence 