| VMware Cloud Director 10.3.3 | 14 APR 2022 | Build 19610875 (installed build 19610595) Check for additions and updates to these release notes. |
| VMware Cloud Director 10.3.3 | 14 APR 2022 | Build 19610875 (installed build 19610595) Check for additions and updates to these release notes. |
The VMware Cloud Director 10.3.3 release provides bug fixes, API enhancements, and enhancements of the VMware Cloud Director appliance management user interface:
Backup and restore of VMware Cloud Director appliance certificates. VMware Cloud Director appliance management interface UI and API backup and restore now includes VMware Cloud Director certificates. See Backup and Restore of VMware Cloud Director Appliance in the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
SSO login now requires user interaction before redirecting to the identity provider (IdP). When you navigate to an SSO enabled organization, you see a screen with the organization name and options to either log in with local credentials or to log in with SSO. Selecting the option to log in with SSO redirects you to the identity provider, similar to the behavior in earlier versions. With this feature, you can identify which organization you are signing in to before being redirected away from VMware Cloud Director.
New /admin/user/{id}/action/takeOwnership API to reassign the owner of media.
Improved support for routed vApp network configuration of the MoveVApp API.
This release resolves CVE-2022-22966. For information, see https://www.vmware.com/security/advisories.
For information about system requirements and installation instructions, see VMware Cloud Director 10.3 Release Notes.
To access the full set of product documentation, go to VMware Cloud Director Documentation.
New When you enable FIPS mode, the vRealize Orchestrator integration fails with an error related to invalid parameters
When you enable FIPS mode, the integration between VMware Cloud Director and vRealize Orchestrator does not work. The VMware Cloud Director UI returns an Invalid VRO request params error. The API calls return the following error:
Caused by: java.lang.IllegalArgumentException: 'param' arg cannot be null at org.bouncycastle.jcajce.provider.ProvJKS$JKSKeyStoreSpi.engineLoad(Unknown Source) at java.base/java.security.KeyStore.load(KeyStore.java:1513) at com.vmware.vim.install.impl.CertificateGetter.createKeyStore(CertificateGetter.java:128) at com.vmware.vim.install.impl.AdminServiceAccess. (AdminServiceAccess.java:157) at com.vmware.vim.install.impl.AdminServiceAccess.createDiscover(AdminServiceAccess.java:238) at com.vmware.vim.install.impl.RegistrationProviderImpl. (RegistrationProviderImpl.java:56) at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:143) at com.vmware.vcloud.vro.client.connection.STSClient.getRegistrationProvider(STSClient.java:126) ... 136 more
If you enable the non-blocking AMQP notifications, AMQP based API extensibility requests to VMware Cloud Director time out
After upgrading to VMware Cloud Director 10.3.2, AMQP API reply messages to VMware Cloud Director are not handled and time out if non-blocking AMQP notifications are enabled in VMware Cloud Director.
You cannot merge provider VDCs backed by NSX-T Data Center, nor provider VDCs with no NSX backing
When you merge two provider Virtual Data Centers (VDCs) that are backed by NSX-T Data Center or provider VDCs with no NSX backing, the following error occurs: Cannot merge Provider VDCs. Found NSX-T backed Provider VDC.
Modifying an existing distributed firewall rule configured with an auto-discovered virtual machine as the source results in an error message
When editing a distributed firewall rule that contains an auto-discovered VM as the source, the operation fails with an error message.
Distributed Firewall rule <firewall-name> has an invalid specification of value
Creating new virtual machine with multiple storage disks fails with a The requested operation will exceed the VDC's storage quota error message
When creating a new standalone VM, if you configure multiple storage disks, the operation fails with an error message.
The requested operation will exceed the VDC's storage quota
Add and edit operations for a distributed firewall rule fails with an error message
Adding a new distributed firewall rule to the scope of the organization VDC and editing an existing distributed firewall rule fails with an error message.
Precondition failed. Please update the current configuration with the latest generation Number.
You cannot configure your browser to use your published proxies
When attempting to configure your browser to use your published proxies, copying the URL of the proxy auto-config (PAC) file into your browser fails with an error message.
"minorErrorCode" : "NOT_ACCEPTABLE"
As a result, you cannot open the endpoint of a dedicated vCenter Server instance with your VMware Cloud Director account.
The New VM wizard displays a No enabled storage policies that support Virtual Machines error message
When creating a new VM, the New VM wizard briefly displays a No enabled storage policies that support Virtual Machines error message that automatically dissappears.
Updating the VM storage policy and adding a disk to a VM results in a The operation could not be performed because the object is in an invalid state error message
When updating the VM storage policy or adding a new hard disc to a VM, the operation fails with an error message.
The operation could not be performed because the object is in an invalid state. - The operation is not allowed in the current state of the host.
This happens because the placement engine attempts to move the VM to a host that is in a maintenance mode.
Configuring the IP mode for a VM NIC to Static - Manual with IPv4 address results in an error message
For a new or existing VM, if you attempt to configure the IP mode to Static - Manual with an IPv4 address, the validation fails with an error message.
<IP-address> is not a valid IPv6 address.
VMware Cloud Director applies the configured operation limits only to the system organization
VMware Cloud Director applies the general system settings related to operation limits only to the system organization instead system-wide.
You cannot access a virtual machine console
If you configure multiple VMware Cloud Director cells behind a load balancer and only some of the cells are in a healthy state, attempting to access a VM console by opening the virtual machine remote console or the Web console fails with an operation timeout error.
An attacker can reset a user password without knowing the current password
An attacker with access to a user account or JWT token can change the user password without knowing the current one.
If you migrate a VM, vApp, or independent disk to a vCenter Server instance that uses well-signed certificates, the migration fails
When trying to migrate a VM, vApp, or independent disk from one vCenter Server instance to another that uses well-signed certificates, the migration fails. The problem occurs when using the VMware Cloud Director UI and API requests like recompose, migrateVms, moveVApp, and so on.
New - VMs become non-compliant after converting a reservation pool VDC into a flex organization VDC
In an organization VDC with a reservation pool allocation model, if some of the VMs have nonzero reservation for CPU and Memory, non-unlimited configuration for CPU and Memory, or both, after converting into a flex organization VDC, these VMs become non-compliant. If you attempt to make the VMs compliant again, the system applies an incorrect policy for the reservation and limit and sets the CPU and Memory reservations to zero and the limits to Unlimited.
Workaround:
A system administrator must create a VM sizing policy with the correct configuration.
A system administrator must publish the new VM sizing policy to the converted flex organization VDC.
The tenants can use the VMware Cloud Director API or the VMware Cloud Director Tenant Portal to assign the VM sizing policy to the existing virtual machines in the flex organization VDC.
New - Migrating VMs between organization VDCs might fail with an insufficient resource error
If VMware Cloud Director is running with vCenter Server 7.0 Update 3h or earlier, when relocating a VM to a different organization VDC, the VM migration might fail with an insufficient resource error even if the resources are available in the target organization VDC.
Workaround: Upgrade vCenter Server to version 7.0 Update 3i or later.
New - Suspending a VM through the VMware Cloud Director UI results in a partially suspended state of the VM
In the VMware Cloud Director Tenant Portal, when you suspend a VM, VMware Cloud Director does not undeploy the VM, and the VM becomes Partially Suspended instead of Suspended.
Workaround: None.
New - Role name and description are localized in the VMware Cloud Director UI and can cause duplication of role names
The problem occurs because the UI translation does not affect the back end and API. You might create roles with the same names as the translated names which results in perceived duplicate roles in the UI and conflicts with the API usage of role names when creating service accounts.
Workaround: None.
New - The Customer Experience Improvement Program (CEIP) status is Enabled even after deactivating it during the installation of VMware Cloud Director
During the installation of VMware Cloud Director, if you deactivate the option to join the CEIP, after the installation completes, the CEIP status is active.
Workaround: Deactivate the CEIP by following the steps in the Join or Leave the VMware Customer Experience Improvement Program procedure.
New - When starting the VMware Cloud Director appliance, the message [FAILED] Failed to start Wait for Network to be Configured. See 'systemctl status systemd-networkd-wait-online.service' for details appears.
The message appears incorrectly and does not indicate an actual problem with the network. You can disregard the message and continue to use the VMware Cloud Director appliance as usual.
Workaround: None.
New - After VMware Cloud Director upgrade from version 10.2.2.x, adding a new node to the cluster fails with a file could not be found error
Upgrading VMware Cloud Director changes the location of the certificates.ks file which causes adding new nodes to fail with the following error.
Error: file could not be found: /opt/vmware/vcloud-director/user.http.pem
Error: invalid input: No valid HTTP SSL certificate providedWorkaround: Update the/opt/vmware/appliance/bin/setupvcd.sh script with the following commands.
#$VCLOUD_HOME/bin/configure --unattended-installation --primary-ip $ip --console-proxy-ip $ip --console-proxy-port-https 8443 -r $responsefile$VCLOUD_HOME/bin/configure --unattended-installation --primary-ip $ip --console-proxy-ip $ip --console-proxy-port-https 8443 --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --consoleproxy-cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --consoleproxy-key /opt/vmware/vcloud-director/etc/user.consoleproxy.key -r $responsefileNew - VMware Cloud Director appliance upgrade fails with an invalid version error when FIPS mode is enabled
For VMware Cloud Director versions 10.3.x and later, when FIPS mode is enabled, VMware Cloud Director appliance upgrade fails with the following error.
Failure: Installation failed abnormally (program aborted), the current version may be invalid.
Workaround:
Before you upgrade the VMware Cloud Director appliance, deactivate FIPS Mode on the cells in the server group and the VMware Cloud Director appliance. See Activate or Deactivate FIPS Mode on the VMware Cloud Director Appliance.
Verify that the /etc/vmware/system_fips file does not exist on any appliance.
Upgrade the VMware Cloud Director appliance.
Enable FIPS mode again.
New - When performing a database upgrade for VMware Cloud Director, the upgrade fails with insert or update on table error
The issue occurs due to stale information in tables associated with a foreign key constraint. Missing data in one of the tables causes a conflict with the foreign key constraint.
New - You cannot login to the VMware Cloud Director portals by using Single Sign On
When customizing the VMware Cloud Director portals, if you change the default configuration for the portalColor parameter, you cannot login to the portals by using Single Sign On. On the login page of the tenant portal, when you click on Sign In with Single Sign-On, the system redirects you back to the login page.
Workaround: Set the value for the portalColor parameter to null.
Refreshing the LDAP page in your browser does not take you back to the same page
In the Service Provider Admin Portal, refreshing the LDAP page in your browser takes you to the provider page instead of back to the LDAP page.
Workaround: None.
Mounting an NFS datastore from NetApp storage array fails with an error message during the initial VMware Cloud Director appliance configuration
During the initial VMware Cloud Director appliance configuration, if you configure an NFS datastore from NetApp storage array, the operation fails with an error message.
Backend validation of NFS failed with: is owned by an unknown user
Workaround: Configure the VMware Cloud Director appliance by using the VMware Cloud Director Appliance API.
The synchronization of a subscribed catalog times out while synchronizing large vApp templates
If an external catalog contains large vApp templates, synchronizing the subscribed catalog with the external catalog times out.This happens when the timeout setting is set to its default value of five minutes.
Workaround: Using the manage-config subcommand of the cell management tool, update the timeout configuration setting.
./cell-management-tool manage-config -n transfer.endpoint.socket.timeout -v [timeout-value]
After upgrade to VMware Cloud Director 10.3.2a, opening the list of external networks results in a warning message
When trying to open the list of external networks, the VMware Cloud Director UI displays a warning message.
One or more external networks or T0 Gateways have been disconnected from its IP address data.
This happens because the external network gets disconnected from the Classless Inter-Domain Routing (CIDR) configuration before the upgrade to VMware Cloud Director 10.3.2a.
Workaround: Contact VMware Global Support Services (GSS) for assistance with the workaround for this issue.
In an IP prefix list, configuring any as the Network value results in an error message
When creating an IP prefix list, if want to deny or accept any route and you configure the Network value as any, the dialog box displays an error message.
"any" is not a valid CIDR notation. A valid CIDR is a valid IP address followed by a slash and a number between 0 and 32 or 64, depending on the IP version.
Workaround: Leave the Network text box blank.
If you use vRealize Orchestrator 8.x, hidden input parameters in workflows are not populated automatically in the VMware Cloud Director UI
If you use vRealize Orchestrator 8.x, when you attempt to run a workflow through the VMware Cloud Director UI, hidden input parameters are not populated automatically in the VMware Cloud Director UI.
Workaround:To access the values of the workflow input parameters, you must create a vRealize Orchestrator action that has the same input parameter values as the workflow that you want to run.
Log in to the vRealize Orchestrator Client and navigate to Library>Workflows.
Select the Input Form tab and click Values on the right-hand side.
From the Value options drop-down menu, select External source,enter the Action inputs and click Save.
Run the workflow in the VMware Cloud Director UI.
The vpostgres process in a standby appliance fails to start
The vpostgres process in a standby appliance fails to start and the PostgreSQL log shows an error similar to the following. FATAL: hot standby is not possible because max_worker_processes = 8 is a lower setting than on the master server (its value was 16). This happens because PostgreSQL requires standby nodes to have the same max_worker_processes setting as the primary node. VMware Cloud Director automatically configures the max_worker_processes setting based on the number of vCPUs assigned to each appliance VM. If the standby appliance has fewer vCPUs than the primary appliance, this results in an error.
Workaround: Deploy the primary and standby appliances with the same number of vCPUs.
VMware Cloud Director API calls to retrieve vCenter Server information return a URL instead of a UUID
The issue occurs with vCenter Server instances that failed the initial registration with VMware Cloud Director version 10.2.1 and earlier. For those vCenter Server instances, when you make API calls to retrieve the vCenter Server information, the VMware Cloud Director API incorrectly returns a URL instead of the expected UUID.
Workaround: Reconnect to the vCenter Server instance to VMware Cloud Director.
Upgrading from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3 results in an Connection to sfcbd lost error message
If you upgrade from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3, the upgrade operation reports an error message.
Connection to sfcbd lost. Attempting to reconnect
Workaround: You can ignore the error message and continue with the upgrade.
When using FIPS mode, trying to upload OpenSSL-generated PKCS8 files fails with an error
OpenSSL cannot generate FIPS-complaint private keys. When VMware Cloud Director is in FIPS mode and you try to upload PKCS8 files generated using OpenSSL, the upload fails with a Bad request: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: ... not available: No such algorithm: ...error or salt must be at least 128 bits error.
Workaround: Deactivate the FIPS mode to upload the PKCS8 files.
Creation of Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in fails
When you create a Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in, you must select a Kubernetes version. Some of the versions in the drop-down menu are not compatible with the backing vSphere infrastructure. When you select an incompatible version, the cluster creation fails.
Workaround: Delete the failed cluster record and retry with a compatible Tanzu Kubernetes version. For information on the incompatibilities between Tanzu Kubernetes and vSphere, see Updating the vSphere with Tanzu Environment.
If you have any subscribed catalogs in your organization, when you upgrade VMware Cloud Director, the catalog synchronization fails
After upgrade, if you have subscribed catalogs in your organization, VMware Cloud Director does not trust the published endpoint certificates automatically. Without trusting the certificates, the content library fails to synchronize.
Workaround: Manually trust the certificates for each catalog subscription. When you edit the catalog subscription settings, a trust on first use (TOFU) dialog prompts you to trust the remote catalog certificate.
If you do not have the necessary rights to trust the certificate, contact your organization administrator.
After upgrading VMware Cloud Director and enabling the Tanzu Kubernetes cluster creation, no automatically generated policy is available and you cannot create or publish a policy
When you upgrade VMware Cloud Director to version 10.3.1 and vCenter Server to version 7.0.0d or later, and you create a provider VDC backed by a Supervisor Cluster, VMware Cloud Director displays a Kubernetes icon next to the VDC. However, there is no automatically generated Kubernetes policy in the new provider VDC. When you try to create or publish a Kubernetes policy to an organization VDC, no machine classes are available.
Workaround: Manually trust the corresponding Kubernetes endpoint certificates. See VMware knowledge base article 83583.
Entering a Kubernetes cluster name with non-Latin characters deactivates the Next button in the Create New Cluster wizard
The Kubernetes Container Clusters plug-in supports only Latin characters. If you enter non-Latin characters, the following error appears.
Name must start with a letter and only contain alphanumeric or hyphen (-) characters. (Max 128 characters).
Workaround: None.
NFS downtime can cause VMware Cloud Director appliance cluster functionalities to malfunction
If the NFS is unavailable due to the NFS share being full, becoming read only, and so on, can cause appliance cluster functionalities to malfunction. HTML5 UI is unresponsive while the NFS is down or cannot be reached. Other functionalities that might be affected are the fencing out of a failed primary cell, switchover, promoting a standby cell, and so on. For more information about setting up correctly the NFS shared storage, see Preparing the Transfer Server Storage for the VMware Cloud Director Appliance.
Workaround:
Fix the NFS state so that it is not read-only.
Clean up the NFS share if it is full.
Trying to encrypt named disks in vCenter Server version 6.5 or earlier fails with an error
For vCenter Server instances version 6.5 or earlier, if you try to associate new or existing named disks with an encryption enabled policy, the operation fails with a Named disk encryption is not supported in this version of vCenter Server. error.
Workaround: None.
A fast-provisioned virtual machine created on a VMware vSphere Storage APIs Array Integration (VAAI) enabled NFS array, or vSphere Virtual Volumes (VVols) cannot be consolidated
In-place consolidation of a fast provisioned virtual machine is not supported when a native snapshot is used. Native snapshots are always used by VAAI-enabled datastores, as well as by VVols. When a fast-provisioned virtual machine is deployed to one of these storage containers, that virtual machine cannot be consolidated .
Workaround: Do not enable fast provisioning for an organization VDC that uses VAAI-enabled NFS or VVols. To consolidate a virtual machine with a snapshot on a VAAI or a VVol datastore, relocate the virtual machine to a different storage container.
If you add an IPv6 NIC to a VM and then you add an IPv4 NIC to the same VM, the IPv4 north-south traffic breaks
Using the HTML5 UI, if you add an IPv6 NIC first or configure an IPv6 NIC as the primary NIC in a VM, and then you add an IPv4 NIC to the same VM, the IPv4 north-south communication breaks.
Workaround: First you must add the IPv4 NIC to the VM and then the IPv6 NIC.
