VMware Cloud Director 10.3 | 15 JULY 2021 | Build 18296069 (installed build 18295834)

Check for additions and updates to these release notes.


What's New

VMware Cloud Director version 10.3 includes the following:

  • Kubernetes with VMware Cloud Director
    • Tanzu Kubernetes clusters support for NSX-T Data Center group networking. Tanzu Kubernetes clusters are by default only reachable from IP subnets of networks within the same organization virtual data center in which a cluster is created. You can manually configure external access to specific services in a Tanzu Kubernetes cluster. If a Kubernetes cluster is hosted in a VDC that is part of an NSX-T data center group, you can permit access to the cluster’s control plane and to published Kubernetes services from workloads within that data center group.
    • Service providers and tenants can upgrade native and Tanzu Kubernetes clusters by using the VMware Cloud Director UI
    • Tenants can use a single public API endpoint for all lifecycle management (LCM) of Tanzu Kubernetes Grid Service, Tanzu Kubernetes Grid, and upstream Kubernetes clusters
  • VMware Cloud Director appliance management UI improvements for turning on and off FIPS-compliant mode
  • API support for moving vApps across vCenter Server instances
  • Catalog management UI improvements
  • VMware Cloud Director Service Library support for vRealize Orchestrator 8.x
    • The Service Library items in VMware Cloud Director are vRealize Orchestrator workflows that expand the cloud management capabilities and make it possible for system administrators and organization administrators to monitor and manipulate different services. If you are using vRealize Orchestrator 7.x, your current functionality and workflows continue to work as expected. 
    • VMware Cloud Director 10.3 ships with a vRealize Orchestrator plug-in that you can use to render vRealize Orchestrator workflows that are published to tenants. You must publish the plug-in to all tenants that you want to run Service Library Workflows based on vRealize Orchestrator. 
  • Streamlined Quick Search and Global Search UI
  • Customizable Keyboard Shortcuts
  • Improvements in the performance of Auto Scaling extension
  • Networking Features
    • vApp network services in organization VDCs backed by NSX-T Data Center. You can use NAT, firewall, and static routing in vApp networks.
    • Distributed Firewall Dynamic Group Membership with NSX-T Data Center Networking. You can create security groups of VMs with a dynamic membership that is based on VM characteristics, such as VM names and VM tags. You use dynamic groups to create distributed firewall rules and edge gateway firewall rules that are applied on a per-VM basis in a data center group networking context. By using dynamic security groups in distributed firewall rules, you can micro-segment network traffic and effectively secure the workloads in your organization.
    • Service providers can create external networks backed by VLAN and overlay NSX-T Data Center segments
    • Service providers can import networks backed by vSphere DVPGs. System administrators can create organization virtual data center networks by importing a distributed port group from a vSphere distributed switch. Imported DVPG networks can be shared across data center groups.
    • VLAN and port-group network pools for VDCs backed by NSX-T Data Center
    • Support for provider VDC creation without associating it with NSX Data Center for vSphere or NSX-T Data Center
    • Update port groups of external networks
    • Avi 20.1.3 and 20.1.4 support
  • Networking UI Enhancements
    • UI support for assigning a primary IP address to an NSX-T edge gateway
    • UI support for DHCPv6 and SLAAC configuration
    • Support for IPv6 static pools creation and management
    • VDC group network list view in the UI
    • Improved Edge Cluster assignment in organization VDCs
    • Added support for DHCP management for isolated networks in organization VDCs backed by NSX-T Data Center
    • Service providers can edit Avi SEG general details
    • New Tier-0 Gateway Networking UI Section in the Service Provider Portal
  • Networking General Enhancements
    • Allocated DHCP IP addresses are visible on VM details screen
    • You can edit and remove DHCP pools from networks backed by NSX-T Data Center
    • Reject action for NSX-T Data Center edge gateway firewall rules. When creating a firewall rule on an NSX-T Data Center edge gateway, you can choose to block traffic from specific sources and notify the blocked client that traffic was rejected.
    • You can change the priority of NAT rules
    • Reflexive NAT support
    • VMware Cloud on AWS support for imported networks
    • Advertise services for internal subnets with route advertisement
    • Support for /32 subnets on external networks backed by NSX-T Data Center
    • Guest VLAN Tagging for networks backed by NSX-T Data Center segments
  • Alpha API availability. The Alpha APIs are enabled by default. System administrators can activate and deactivate VMware Cloud Director Alpha APIs by using the VMware Cloud Director API or by turning Alpha Features on or off in the VMware Cloud Director UI. The following functionalities are available when Alpha APIs are active:
    • Kubernetes Container Clusters. When Alpha API support is active, you can provision Tanzu Kubernetes Grid Service clusters in addition to native clusters.
    • Legacy API Login. When you specify API version 37.0.0-alpha in your request, the legacy API login endpoints are unavailable. The removal of the /api/sessions API login endpoint is due in the next major VMware Cloud Director release (VMware Cloud Director API version 37.0).
  • Please note that the recently released Terraform Provider for VMware Cloud Director 3.3 supports VMware Cloud Director 10.3.
  • The cell management tool supports generation and configuration of private keys and certificates only in PEM format. The support of keystore files is removed.

For more information about the new and updated features of this release, see What's New in VMware Cloud Director 10.3.

Security

VMware Cloud Director 10.3 virtual appliance ships with Photon OS updated up to this Photon Security Advisory.

VMware Cloud Director 10.3 supports PKCS8 private keys and X.509 certificates in PEM format. You can use PKCS8 private keys and X.509 certificates when you configure the network and database connections of VMware Cloud Director, or when you use the cell management tool to generate or replace certificates. For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.

Product Support Notices

  • VMware Cloud Director 10.3 and the subsequent 10.3.x update releases are the last versions of VMware Cloud Director to support NSX Data Center for vSphere.
  • VMware Cloud Director 10.3 and the subsequent 10.3.x update releases are the last versions of VMware Cloud Director to support RabbitMQ. You can use the new built-in MQTT message functionality. 
  • VMware Cloud Director API version 30.0 is not supported.
  • API versions 31.0, 32.0, and 33.0 are deprecated. 
  • The /api/sessions API login endpoint is deprecated since VMware Cloud Director API version 33.0/VMware Cloud Director 10.0. The removal of the /api/sessions API login endpoint is due in the next major VMware Cloud Director release (VMware Cloud Director API version 37.0). You can use the separate VMware Cloud Director OpenAPI login endpoints for the service provider and tenant access to VMware Cloud Director. 

Upgrading from Previous Releases

For more information on upgrading to VMware Cloud Director 10.3, upgrade and migration paths and workflows, see Upgrading and Migrating the VMware Cloud Director Appliance or Upgrading VMware Cloud Director on Linux.

System Requirements and Installation

Ports and Protocols

For information on the network ports and protocols that VMware Cloud Director 10.3 uses, see VMware Ports and Protocols.

Compatibility Matrix

See the VMware Product Interoperability Matrixes for current information about:

  • VMware Cloud Director interoperability with other VMware platforms
  • Supported VMware Cloud Director databases

Supported VMware Cloud Director Server Operating Systems

  • CentOS 7
  • CentOS 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Deploying the VMware Cloud Director Appliance

When you deploy the VMware Cloud Director appliance 10.3 as an OVF template by using the VMware OVF Tool, you must include the following parameter, which is new for version 10.3: --X:enableHiddenProperties. If you do not include this parameter, the VMware OVF Tool fails with a Property vcloudapp.nfs_mount.VMware_vCloud_Director is not user configurable. error.
See Deploying the VMware Cloud Director Appliance by Using VMware OVF Tool.

Supported AMQP Servers

VMware Cloud Director uses AMQP to provide the message bus used by extension services, object extensions, and notifications. This release of VMware Cloud Director requires RabbitMQ version 3.8.x.

For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.

Disk Space Requirements

Each VMware Cloud Director server requires approximately 2100 MB of free space for the installation and log files.

Memory Requirements

For memory requirements, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.

CPU Requirements

VMware Cloud Director is a CPU-bound application. Follow the CPU over-commitment guidelines for the version of vSphere that you use. In virtualized environments, regardless of the number of cores available to VMware Cloud Director, the vCPU-to-physical-CPU ratio must be sensible and must not result in extreme over-commitment.

Required Linux Software Packages

Each VMware Cloud Director server must include installations of several common Linux software packages. These packages are typically installed by default with the operating system software. If any of the packages are missing, the installer fails with a diagnostic message.

alsa-lib
bash
chkconfig
coreutils
findutils
glibc
grep
initscripts
krb5-libs
libgcc
libICE
libSM
libstdc++
libX11
libXau
libXdmcp
libXext
libXi
libXt
libXtst
module-init-tools
net-tools
pciutils
procps
redhat-lsb
sed
tar
wget
which

In addition to the installer required packages, several procedures for configuring the network connections and creating SSL certificates require the use of the Linux nslookup command, which is available in the Linux bind-utils package.

SDK/Plugin Support

If you plan to build custom service plugins to run against VMware Cloud Director API version 37.0.0-alpha, use @vcd/sdk version 0.12.2-alpha.5 or later.

Supported LDAP Servers

You can import users and groups to VMware Cloud Director from the following LDAP services.

Platform               LDAP Service        Authentication Methods
Windows Server 2012    Active Directory    Simple, Simple SSL
Windows Server 2016    Active Directory    Simple, Simple SSL
Linux                  OpenLDAP            Simple, Simple SSL

Supported Security Protocols and Cipher Suites

VMware Cloud Director requires the client connections to be secure. SSL version 3 and TLS version 1.0 and 1.1 have been found to have serious security vulnerabilities and are no longer included in the default set of protocols that the server offers to use when making a client connection. System administrators can enable more protocols and cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide. The following security protocols are supported:

  • TLS version 1.2
  • TLS version 1.1 (disabled by default)
  • TLS version 1.0 (disabled by default)

Supported cipher suites enabled by default:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Supported cipher suites disabled by default:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

System administrators can use the cell management tool to explicitly enable the supported cipher suites that are disabled by default.

Note: Interoperation with releases of vCenter Server earlier than 5.5-update-3e and versions of ovftool earlier than 4.2 requires VMware Cloud Director to support TLS version 1.0. You can use the cell management tool to reconfigure the set of supported SSL protocols or ciphers. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
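To see what enabling one of the disabled-by-default suites would trade away, here is an added example (not code from the release notes or from VMware) that classifies TLS 1.2 suite names by key exchange, cipher mode and record MAC, plus a handshake probe pinned to a single protocol version for confirming that TLS 1.0 and 1.1 are refused by a cell. The suite lists are constructed sample inputs copied from the lists above, the host and port are placeholders, and the probe assumes network access.

```python
import re
import socket
import ssl

# Constructed sample inputs: suite names copied from the two lists above.
ENABLED_BY_DEFAULT = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
DISABLED_BY_DEFAULT = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# TLS 1.2 suite names follow TLS_<kx>[_<auth>]_WITH_<cipher>_<mac> (RFC 5246).
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA)(?:_(?P<auth>RSA|ECDSA))?"
    r"_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA256|SHA384|SHA)$"
)

def classify(name):
    """Return the security properties implied by a TLS 1.2 cipher-suite name."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher-suite name: {name}")
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    props = {
        "forward_secrecy": kx in ("ECDHE", "DHE"),  # ephemeral key exchange
        "aead": any(tag in cipher for tag in ("GCM", "CCM", "POLY1305")),
        "cbc": "CBC" in cipher,
        "sha1_mac": mac == "SHA",  # HMAC-SHA1 record MAC
        "static_rsa_kx": kx == "RSA",  # premaster secret encrypted to the server's RSA key
    }
    findings = []
    if not props["forward_secrecy"]:
        findings.append("no forward secrecy: a compromised server key decrypts recorded sessions")
    if props["cbc"]:
        findings.append("CBC mode (MAC-then-encrypt) depends on careful padding handling")
    if props["sha1_mac"]:
        findings.append("HMAC-SHA1 record MAC; prefer SHA-2 suites")
    props["findings"] = findings
    return props

def review(suites):
    """Map each suite to the findings an administrator should weigh before enabling it."""
    return {s: classify(s)["findings"] for s in suites}

def protocol_accepted(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to one TLS version and report whether the server
    completes it. Assumes network access to the cell and is not run by the tests.
    If the local OpenSSL build refuses TLS 1.0/1.1 at its security level, a False
    result reflects the client's limit rather than the server's configuration."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # posture probe only; no application data is sent
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False

if __name__ == "__main__":
    for suite, findings in review(ENABLED_BY_DEFAULT + DISABLED_BY_DEFAULT).items():
        print(suite, "->", "; ".join(findings) or "no findings")
    # Posture check against a cell (host and port are placeholders):
    # for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
    #     print(v.name, protocol_accepted("vcd.example.com", 443, v))
```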

Supported Browsers

VMware Cloud Director is compatible with the current major and previous major release of the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge

Note: Internet Explorer 11 is not supported in VMware Cloud Director 10.3. You can use Microsoft Edge or another supported browser. If you must use Internet Explorer 11, consider staying on VMware Cloud Director version 10.0.x or 10.1.x until you can use another browser.

Supported Guest Operating Systems and Virtual Hardware Versions

VMware Cloud Director supports all guest operating systems and virtual hardware versions supported by the ESXi hosts that back each resource pool.

Resolved Issues

  • The VMware Cloud Director HTML5 UI displays the old name for a renamed virtual machine

    After renaming a VM, the Name in vSphere field on the VM general tab displays the old name instead of the new one.

  • VMware Cloud Director deletes the latest HTTP request log file and stops recording HTTPS log events until the next day

    If the total size limit for the request log files is exceeded, VMware Cloud Director deletes the latest log file and stops recording log events until the next day.

  • You can see the IDs of storage policies on catalogs that are shared with you even if the organization does not have access to the storage policies

    If you share a catalog with another organization, users from that organization can use the VMware Cloud Director API to make a GET request on that catalog and access the storage policy IDs even if the organization does not have access to the storage policies.

  • While viewing the available VM consoles in a vApp, clicking on VM Consoles for a second time displays an empty list of available VM consoles

    In the VMware Cloud Director tenant portal, if you view the vApps in a grid view, clicking VM Consoles for a second time results in an empty list of available VM consoles for the selected vApp.

  • Creating a vApp from a vApp template generates an audit log with vappTemplate.storageProfile.id property set to null

    After creating a vApp from a vApp template, in the audit log on the VMware Cloud Director database, the value for the vappTemplate.storageProfile.id property is set to null.

Known Issues

  • New VMware Cloud Director API calls to retrieve vCenter Server information return a URL instead of a UUID

    The issue occurs with vCenter Server instances that failed the initial registration with VMware Cloud Director version 10.2.1 and earlier. For those vCenter Server instances, when you make API calls to retrieve the vCenter Server information, the VMware Cloud Director API incorrectly returns a URL instead of the expected UUID.

    Workaround: Reconnect the vCenter Server instance to VMware Cloud Director.

  • New If you try to use the VMware Cloud Director API to move a vApp across vCenter Server instances when the target datastore is vSAN based, the MoveVApp API fails with an internal server error

    When using the /vdc/action/moveVApp API, if the destination is in a different vCenter Server instance and the target datastore is vSAN based, the move fails with an internal server error.

    Workaround: When moving vApps across vCenter Server instances, verify that the datastores are not vSAN-based.

  • New After upgrading to vCenter Server 7.0 Update 2a or Update 2b, you cannot create Tanzu Kubernetes Grid clusters

    If the underlying vCenter Server version is 7.0 Update 2a or Update 2b, when you try to create a Tanzu Kubernetes Grid cluster by using the Kubernetes Container Clusters plug-in, the task fails.

    Workaround: None.

  • When turning Alpha features on or off, the VMware Cloud Director UI displays a message that tenants are not exposed to the Alpha features.

    When you activate or deactivate the VMware Cloud Director Alpha features, on the confirmation window, the UI displays a message that Alpha features are not exposed to Tenant users. However, when Alpha features are active, all users experience the API login changes and all users with the necessary rights can deploy TKGs clusters.

    Workaround: None.

  • Upgrading from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3 results in a Connection to sfcbd lost error message

    If you upgrade from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3, the upgrade operation reports the error message Connection to sfcbd lost. Attempting to reconnect.

    Workaround: You can ignore the error message and continue with the upgrade.

  • In the VMware Cloud Director tenant portal, increasing the vCPU of a VM does not update the CPU shares

    If a VDC has an allocation pool set as the allocation model, increasing the vCPU of a VM does not update the CPU shares.

    Workaround: 
    As a system administrator:

    As a tenant:

    In the VMware Cloud Director tenant portal, update the VM memory. For information, see Change the Hardware Properties of a Virtual Machine.

  • After you add a VDC to or remove a VDC from a VDC group, the status of an edge gateway that is shared across all data centers in the VDC group is displayed as Busy

    If a VDC is configured with a provider VDC Kubernetes policy and you add or remove the VDC from a VDC group, on the Edge Gateway page, the status of the edge gateway that is shared across all data centers in the VDC group is displayed as Busy and you cannot edit this edge gateway.

    Workaround: 

    To add the VDC to the VDC group, you must delete the VDC from the VDC group and add it again.
    To remove the VDC from the VDC group, you must add the deleted VDC to the VDC group and delete it again.

  • When using FIPS mode, trying to upload OpenSSL-generated PKCS8 files fails with an error

    OpenSSL cannot generate FIPS-compliant private keys. When VMware Cloud Director is in FIPS mode and you try to upload PKCS8 files generated using OpenSSL, the upload fails with a Bad request: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: ... not available: No such algorithm: ... error, or with a salt must be at least 128 bits error.

    Workaround: Disable FIPS mode to upload the PKCS8 files.
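A pre-upload check for the salt-length failure described above, added here as an example and not part of the release notes or of the product: it walks the DER of an encrypted PKCS#8 PEM with a minimal parser, reads the PBES2/PBKDF2 parameters (salt size, iteration count, PRF, cipher) and flags a salt below the 128 bits quoted in the error message, so an administrator can see why an upload would be rejected without switching FIPS mode off. The sample key is constructed inline with dummy ciphertext; the 128-bit threshold comes from the error text, and the OID table covers only the algorithms commonly seen in OpenSSL output.

```python
import base64
import re

OIDS = {  # well-known OIDs in PKCS#8 PBES2 encryption (RFC 8018; NIST AES arcs)
    "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC", "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
MIN_SALT_BITS = 128  # the minimum named in the FIPS-mode error message above

def tlv(tag, content):  # DER-encode one TLV; used only to build the constructed sample
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Decode one definite-length DER TLV; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the length of the length field
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(seq_body):
    """Return the (tag, value) pairs contained in a DER SEQUENCE body."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = read_tlv(seq_body, pos)
        out.append((tag, val))
    return out

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def oid_decode(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_pkcs8(pem):
    """Return the PBES2 parameters of an encrypted PKCS#8 PEM plus FIPS-mode concerns."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not an encrypted PKCS#8 PEM block")
    _, epki, _ = read_tlv(base64.b64decode("".join(m.group(1).split())))
    alg_oid, alg_params = children(children(epki)[0][1])  # encryptionAlgorithm
    if OIDS.get(oid_decode(alg_oid[1])) != "PBES2":
        raise ValueError("key is not PBES2-encrypted; no PBKDF2 parameters to read")
    kdf, enc = children(alg_params[1])  # PBES2-params: keyDerivationFunc, encryptionScheme
    fields = children(children(kdf[1])[1][1])  # PBKDF2-params: salt, iterationCount, ...
    salt, iterations = fields[0][1], int.from_bytes(fields[1][1], "big")
    prf_seq = [v for t, v in fields[2:] if t == 0x30]  # an optional keyLength INTEGER may precede it
    # prf is OPTIONAL in PBKDF2-params; RFC 8018 defaults it to hmacWithSHA1.
    prf = oid_decode(children(prf_seq[0])[0][1]) if prf_seq else "1.2.840.113549.2.7"
    cipher = oid_decode(children(enc[1])[0][1])
    concerns = ([f"salt is {len(salt) * 8} bits, below the {MIN_SALT_BITS}-bit minimum"]
                if len(salt) * 8 < MIN_SALT_BITS else [])
    return {"salt_bits": len(salt) * 8, "iterations": iterations, "prf": OIDS.get(prf, prf),
            "cipher": OIDS.get(cipher, cipher), "concerns": concerns}

def sample_pem(salt_len=8, prf_oid="1.2.840.113549.2.9"):  # constructed; dummy ciphertext
    prf = tlv(0x30, oid_encode(prf_oid) + b"\x05\x00")
    kdf_params = tlv(0x04, b"\x01" * salt_len) + tlv(0x02, b"\x08\x00") + prf  # 2048 iterations
    kdf = tlv(0x30, oid_encode("1.2.840.113549.1.5.12") + tlv(0x30, kdf_params))
    enc = tlv(0x30, oid_encode("2.16.840.1.101.3.4.1.42") + tlv(0x04, b"\x02" * 16))
    alg = tlv(0x30, oid_encode("1.2.840.113549.1.5.13") + tlv(0x30, kdf + enc))
    b64 = base64.b64encode(tlv(0x30, alg + tlv(0x04, b"\x00" * 48))).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Running inspect_pkcs8 on a real key file is a matter of passing open(path).read(); the PRF and cipher names it reports are what to compare against the No such algorithm part of the error.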

  • Creation of Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in fails

    When you create a Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in, you must select a Kubernetes version. Some of the versions in the drop-down menu are not compatible with the backing vSphere infrastructure. When you select an incompatible version, the cluster creation fails.

    Workaround: Delete the failed cluster record and retry with a compatible Tanzu Kubernetes version. For information on the incompatibilities between Tanzu Kubernetes and vSphere, see Updating the vSphere with Tanzu Environment.

  • If you have any subscribed catalogs in your organization, when you upgrade VMware Cloud Director, the catalog synchronization fails

    After upgrade, if you have subscribed catalogs in your organization, VMware Cloud Director does not trust the published endpoint certificates automatically. Without trusting the certificates, the content library fails to synchronize.

    Workaround: Manually trust the certificates for each catalog subscription. When you edit the catalog subscription settings, a trust on first use (TOFU) dialog prompts you to trust the remote catalog certificate.
    If you do not have the necessary rights to trust the certificate, contact your organization administrator.

  • After upgrading VMware Cloud Director and enabling the Tanzu Kubernetes cluster creation, no automatically generated policy is available and you cannot create or publish a policy

    When you upgrade VMware Cloud Director to version 10.3 and vCenter Server to version 7.0.0d or later, and you create a provider VDC backed by a Supervisor Cluster, VMware Cloud Director displays a Kubernetes icon next to the VDC. However, there is no automatically generated Kubernetes policy in the new provider VDC. When you try to create or publish a Kubernetes policy to an organization VDC, no machine classes are available.

    Workaround: Manually trust the corresponding Kubernetes endpoint certificates. See VMware knowledge base article 83583.

  • Entering a Kubernetes cluster name with non-Latin characters disables the Next button in the Create New Cluster wizard

    The Kubernetes Container Clusters plug-in supports only Latin characters. If you enter non-Latin characters, the following error appears. Name must start with a letter and only contain alphanumeric or hyphen (-) characters. (Max 128 characters).

    Workaround: None.

  • After resizing a TKGI cluster, some values in the data grid appear as blank or not applicable

    When you resize a VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) cluster, the cluster values for the organization and VDC in the data grid view appear to be blank or N/A.

    Workaround: None.

  • NFS downtime can cause VMware Cloud Director appliance cluster functionalities to malfunction

    If the NFS becomes unavailable, for example because the NFS share is full or has become read-only, appliance cluster functionalities can malfunction. The HTML5 UI is unresponsive while the NFS is down or cannot be reached. Other functionalities that might be affected include fencing out a failed primary cell, switchover, and promoting a standby cell. For more information about setting up the NFS shared storage correctly, see Preparing the Transfer Server Storage for the VMware Cloud Director Appliance.

    Workaround: 

    • Fix the NFS state so that it is not read-only.
    • Clean up the NFS share if it is full.

  • Trying to encrypt named disks in vCenter Server version 6.5 or earlier fails with an error

    For vCenter Server instances version 6.5 or earlier, if you try to associate new or existing named disks with an encryption enabled policy, the operation fails with a Named disk encryption is not supported in this version of vCenter Server. error.

    Workaround: None.

  • When using the VMware Cloud Director Service Provider Admin Portal with Firefox, you cannot load the tenant networking screens

    If you are using the VMware Cloud Director Service Provider Admin Portal with Firefox, the tenant networking screens, for example, the Manage Firewall screen for an organization virtual data center, might fail to load. This issue happens if your Firefox browser is configured to block Third-Party cookies.

    Workaround: Configure your Firefox browser to allow third-party cookies. For information, go to https://support.mozilla.org/en-US/ and see the Websites say cookies are blocked - Unblock them KB.

  • A fast-provisioned virtual machine created on a VMware vSphere Storage APIs Array Integration (VAAI) enabled NFS array, or vSphere Virtual Volumes (VVols) cannot be consolidated

    In-place consolidation of a fast-provisioned virtual machine is not supported when a native snapshot is used. Native snapshots are always used by VAAI-enabled datastores, as well as by VVols. When a fast-provisioned virtual machine is deployed to one of these storage containers, that virtual machine cannot be consolidated.

    Workaround: Do not enable fast provisioning for an organization VDC that uses VAAI-enabled NFS or VVols. To consolidate a virtual machine with a snapshot on a VAAI or a VVol datastore, relocate the virtual machine to a different storage container.

  • After upgrade to VMware Cloud Director 10.3, importing an SSL certificate from Cassandra fails with an error message in the cell-management-tool

    When you use the cell-management-tool to import SSL from Cassandra, the operation fails with the error message Unable to load VCD's SSL context.

    Workaround: Use the VMware Cloud Director Service Provider Admin Portal to import the SSL from Cassandra. For information, see Import Trusted Certificates.

  • If you add an IPv6 NIC to a VM and then you add an IPv4 NIC to the same VM, the IPv4 north-south traffic breaks

    Using the HTML5 UI, if you add an IPv6 NIC first or configure an IPv6 NIC as the primary NIC in a VM, and then you add an IPv4 NIC to the same VM, the IPv4 north-south communication breaks.

    Workaround: First you must add the IPv4 NIC to the VM and then the IPv6 NIC.
