The often-overlooked vCenter (VC) backup

Over the past six months, the author has received no fewer than three urgent fault reports from customers on projects, each saying: "Our vCenter is down and the business is affected."

In a customer's business system, vCenter is a management-plane component used to manage vSphere servers (ESXi) and virtual machines (VMs). As the technology has developed, vCenter has become the core of the VMware infrastructure, providing unified management of vSphere server virtualization, NSX software-defined networking and vSAN hyper-converged storage. Before VC 6.5, we generally made a VC instance highly available with an MSCS failover cluster plus SQL Server AWO. From VC 6.5 onward, because VCSA 6.5 has strong native HA features, projects follow VMware best practice and make the VC instance highly available by enabling VCHA.

Seen this way, VC backup does not seem so important. Many people will say: "A failure of a management-plane component will, in theory, not affect the customer's business systems. Even without a backup, we just reinstall it; it is no big deal." But is that really the case? Let's look at a case.

A virtual desktop environment with about 3,000 users: VCHA failed because of misoperation. With vCenter down, the Desktop Delivery Controller could not obtain the power state and the list of desktop virtual machines, users could not log in, and the business stopped. Because VC had not been backed up, the administrator had to redeploy VC to restore service as quickly as possible. At the same time, the VC trust certificate on the delivery controller, the VC inventory, and the distributed switches and their configuration had to be updated manually, and finally the network of nearly 3,200 business virtual machines had to be migrated.

Thus, VC disaster recovery is something that cannot be ignored, cannot be ignored, cannot be ignored (important things are said three times).

 

So how do we back up VC? Consider the following simple lab.

Example environment:

VCSA65T: vCenter Server Appliance 6.5 U2, 172.20.5.237, the VC whose failure is simulated

ESXI65T: ESXi 6.5 U1, 172.20.1.237, two physical NICs; vNIC0 carries management traffic on a standard switch; vNIC1 carries production traffic on a distributed switch; this host simulates the ESXi host carrying business workloads

Backup server: 172.20.1.199, backups use the FTP protocol

Test cases:

1. VCSA65T uses the FQDN vcsa65t.at.ent.com as its host name and has a certificate issued to it; tests whether the VC certificate is retained

2. VCSA65T is configured with data center DC-65T, one cluster CL-65T and one ESXi host ESXI65T; tests whether the VC inventory is retained

3. ESXI65T has two virtual switches: vSwitch0 carries management traffic, and the new distributed switch vDS-65T carries production traffic, with a new distributed port group DPG-65T; tests whether the distributed switch is retained

4. The licenses include vCenter 6 Standard and vSphere 6 Enterprise; tests whether the license files are retained

5. vCenter SSO is configured so that passwords never expire; tests whether the VC system configuration is retained

6. VAMI is configured so that the root password never expires; tests whether the configuration of VC's underlying operating system is retained

 

First, we use a manual backup:

1. The administrator opens the VCSA's VAMI interface, commonly known as "5480"

2. Go to the Summary page and click Backup in the upper-right corner

3. Fill in the backup protocol, the target server address, and whether to encrypt the backup

Note: The backup path must be empty; it must not contain any files or folders

4. The system validates the administrator's input

Note: If the backup path is not empty, the system shows a "backup path is not empty" error

5. Select the content to back up as needed and add a description for the backup task

6. Confirm that the parameters are correct and click Finish to start the manual backup

7. Wait for the backup task to start

8. Wait for the backup task to complete

9. After the progress shows that the backup job has completed, close the window

10. In the corresponding directory on the FTP server, you can see the automatically generated backup files

Once VC has been backed up, administrators can quickly restore it from the backup if VC fails; in the author's environment the RTO is less than 20 minutes.

 

So how does the VC restore mechanism work? Let's simulate a VC failure and walk through the administrator's restore from backup.

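Preparation:

1. Download and mount the vCenter Server Appliance installer

2. If you plan to restore the vCenter Server Appliance on an ESXi host, verify that the target ESXi host is not in lockdown or maintenance mode

3. If you plan to restore the vCenter Server Appliance on a DRS cluster in a vCenter Server inventory, verify that the cluster contains at least one ESXi host that is not in lockdown or maintenance mode

4. If you plan to assign a static IP address to the appliance, verify that forward and reverse DNS records are configured for that IP address

5. If you are restoring a vCenter Server instance that is still running, power off the backed-up vCenter Server before starting the restore

Detailed restore steps:

1. Start the VCSA installer wizard and select "Restore"

2. First carry out stage 1, deploying a new vCenter instance

3. The procedure is essentially the same as a fresh vCenter installation

4. Select the FTP server used for the backup and restore

5. The remaining configuration is no different from a new VC installation

Note: If the size of the backed-up appliance is Small, only deployment sizes of Small or larger can be selected for the new deployment

6. After completing the stage 1 settings, click Finish to start the stage 1 deployment of the vCenter instance

Note: If you exit the wizard by clicking "Close", you must log in to the vCenter Server Appliance Management Interface to continue with the later steps

7. Start stage 2, configuring the restored deployment

8. For an encrypted backup, enter the backup password

9. Click Finish to start restoring the vCenter instance's data

10. Wait for the vCenter restore to complete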

 

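11. Additional operations after the restore:

vCenter Server Appliance with an external Platform Services Controller

1. Log in to the Bash shell of the restored vCenter Server Appliance

2. Run the script /usr/bin/vcenter-restore

Platform Services Controller appliance

For all vCenter Server nodes in the domain

1. Log in to the Bash shell of the restored vCenter Server Appliance.

2. Run the script /usr/bin/vcenter-restore.

vCenter Server Appliance with an embedded Platform Services Controller

This node type requires no post-restore operations.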

 

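After restoring from the VC backup, have the things we care about, including the VC certificate, the licenses and the distributed switch configuration, been restored as well?

Let's check each of our test cases in turn:

1. The system configuration in the VAMI interface is retained

Note: SSH is automatically disabled and must be re-enabled manually; otherwise VCHA deployment will fail

2. The certificate issued to vCenter is unchanged (the certificate exported before the restore and the one exported after it have the same size and the same hashes):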

文件: C:\Users\柒月流火\Desktop\vcsa65t-origin.cer

大小: 1368 字节

修改时间: 2018年11月27日, 11:27:38

MD5: 5DCF677679CB463B73C4851CCC8EA1E8

SHA1: AF8D657E94846BFCB3764AC26896F6A2FBD96745

CRC32: CEE82A81

文件: C:\Users\柒月流火\Desktop\vcsa65t-restore.cer

大小: 1368 字节

修改时间: 2018年11月27日, 13:43:48

MD5: 5DCF677679CB463B73C4851CCC8EA1E8

SHA1: AF8D657E94846BFCB3764AC26896F6A2FBD96745

CRC32: CEE82A81

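3. The vCenter SSO site configuration in embedded PSC mode is restored

4. The vCenter data center, cluster and ESXi host topology is restored

5. The license files and license assignments are unchanged

6. Network settings such as the distributed switch and its port groups are restored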

 

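After the description above, readers should now have some understanding of VC backup and restore.

In fact, VC also supports automatic backup: the administrator uses Linux crontab in VC's underlying operating system to run a pre-configured script on a schedule, which performs the periodic backups.

However, in the author's testing, from VCSA 6.5 onward crontab may not take effect. The cause is that the /etc/pam.d/crond configuration file sets the authentication method to password-auth, which does not exist in VCSA 6.5.

The first solution: change password-auth to system-auth

The second solution: use the command ln -s system-auth password-auth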
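
An added example, not from the original post: a POSIX shell check for the condition described above (a PAM service file that includes a target with no file in the PAM directory), followed by the post's second solution. The function names and the scratch directory standing in for /etc/pam.d are assumptions, and the sample crond file is constructed.

```shell
#!/bin/sh
# Added example: detect PAM include targets that do not exist, the condition
# the post blames for cron jobs not running, then apply the symlink fix.

# missing_pam_includes DIR SERVICE
# Prints each include/substack target named in DIR/SERVICE that has no file
# in DIR. Returns 0 if none are missing, 1 if any are, 2 if SERVICE is absent.
missing_pam_includes() {
    dir=$1; svc=$2
    [ -f "$dir/$svc" ] || return 2
    missing=$(awk '$1 !~ /^#/ && ($2 == "include" || $2 == "substack") { print $3 }' \
        "$dir/$svc" | sort -u | while read -r target; do
            [ -e "$dir/$target" ] || printf '%s\n' "$target"
        done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# link_pam_include DIR MISSING EXISTING
# The post's second solution: make MISSING a symlink to EXISTING.
# Refuses to overwrite anything or to link to a file that is not there.
link_pam_include() {
    dir=$1; want=$2; have=$3
    [ -e "$dir/$have" ] || return 1
    if [ -e "$dir/$want" ] || [ -L "$dir/$want" ]; then return 1; fi
    ( cd "$dir" && ln -s "$have" "$want" )
}

# Constructed sample: a scratch directory standing in for /etc/pam.d.
demo_dir=$(mktemp -d)
printf 'auth required pam_unix.so\n' > "$demo_dir/system-auth"
cat > "$demo_dir/crond" <<'EOF'
# constructed sample of a crond PAM file
account    required   pam_access.so
auth       include    password-auth
session    required   pam_loginuid.so
account    include    password-auth
EOF

echo "missing before fix: $(missing_pam_includes "$demo_dir" crond)"
link_pam_include "$demo_dir" password-auth system-auth
missing_pam_includes "$demo_dir" crond && echo "after fix: all include targets exist"
rm -rf "$demo_dir"
```

Running the same check after a restore or an appliance upgrade shows whether the scheduled backup job can still authenticate through PAM.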
