VMware Cloud Director 10.3 | 15 JULY 2021 | Build 18296069 (installed build 18295834)
Check for additions and updates to these release notes.
What's in this Document
- What's New
- Security
- Product Support Notices
- Upgrading from Previous Releases
- System Requirements and Installation
- Resolved Issues
- Known Issues
What's New
VMware Cloud Director version 10.3 includes the following:
- Kubernetes with VMware Cloud Director
- Tanzu Kubernetes clusters support for NSX-T Data Center group networking. Tanzu Kubernetes clusters are by default only reachable from IP subnets of networks within the same organization virtual data center in which a cluster is created. You can manually configure external access to specific services in a Tanzu Kubernetes cluster. If a Kubernetes cluster is hosted in a VDC that is part of an NSX-T data center group, you can permit access to the cluster’s control plane and to published Kubernetes services from workloads within that data center group.
- Service providers and tenants can upgrade native and Tanzu Kubernetes clusters by using the VMware Cloud Director UI
- Tenants can use a single public API endpoint for all lifecycle management (LCM) of Tanzu Kubernetes Grid Service, Tanzu Kubernetes Grid, and upstream Kubernetes clusters
- VMware Cloud Director appliance management UI improvements for turning on and off FIPS-compliant mode
- API support for moving vApps across vCenter Server instances
- VM placement improvements. For VMware Cloud Director 10.2.x and earlier, any update to a VM property causes VMware Cloud Director to initiate a new VM placement search. In some cases, where another resource pool has lower resource utilization, VMware Cloud Director migrates the VM to a different resource pool. VMware Cloud Director might migrate a VM even if the change to the VM has no impact on its resource consumption, for example a VM description update, and can cause unnecessary VM migrations. Starting with version 10.3, when you update VM properties, VMware Cloud Director always gives preference to the current resource pool to avoid unnecessary VM migrations.
- Catalog management UI improvements
- VMware Cloud Director Service Library support for vRealize Orchestrator 8.x
- The Service Library items in VMware Cloud Director are vRealize Orchestrator workflows that expand the cloud management capabilities and make it possible for system administrators and organization administrators to monitor and manipulate different services. If you are using vRealize Orchestrator 7.x, your current functionality and workflows continue to work as expected.
- VMware Cloud Director 10.3 ships with a vRealize Orchestrator plug-in that you can use to render vRealize Orchestrator workflows that are published to tenants. You must publish the plug-in to all tenants that you want to run Service Library Workflows based on vRealize Orchestrator.
- Streamlined Quick Search and Global Search UI
- Customizable Keyboard Shortcuts
- Improvements in the performance of Auto Scaling extension
- Networking Features
- vApp network services in organization VDCs backed by NSX-T Data Center. You can use NAT, firewall, and static routing in vApp networks.
- Distributed Firewall Dynamic Group Membership with NSX-T Data Center Networking. You can create security groups of VMs with a dynamic membership that is based on VM characteristics, such as VM names and VM tags. You use dynamic groups to create distributed firewall rules and edge gateway firewall rules that are applied on a per-VM basis in a data center group networking context. By using dynamic security groups in distributed firewall rules, you can micro-segment network traffic and effectively secure the workloads in your organization.
- Service providers can create external networks backed by VLAN and overlay NSX-T Data Center segments
- Service providers can import networks backed by vSphere DVPGs. System administrators can create organization virtual data center networks by importing a distributed port group from a vSphere distributed switch. Imported DVPG networks can be shared across data center groups.
- VLAN and port-group network pools for VDCs backed by NSX-T Data Center
- Support for provider VDC creation without associating it with NSX Data Center for vSphere or NSX-T Data Center
- Update port groups of external networks
- Avi 20.1.3 and 20.1.4 support
- Networking UI Enhancements
- UI support for assigning a primary IP address to an NSX-T edge gateway
- UI support for DHCPv6 and SLAAC configuration
- Support for IPv6 static pools creation and management
- VDC group network list view in the UI
- Improved Edge Cluster assignment in organization VDCs
- Added support for DHCP management for isolated networks in organization VDCs backed by NSX-T Data Center
- Service providers can edit Avi SEG general details
- New Tier-0 Gateway Networking UI Section in the Service Provider Portal
- Networking General Enhancements
- Allocated DHCP IP addresses are visible on VM details screen
- You can edit and remove DHCP pools from networks backed by NSX-T Data Center
- Reject action for NSX-T Data Center edge gateway firewall rules. When creating a firewall rule on an NSX-T Data Center edge gateway, you can choose to block traffic from specific sources and notify the blocked client that traffic was rejected.
- You can change the priority of NAT rules
- Reflexive NAT support
- VMware Cloud on AWS support for imported networks
- Advertise services for internal subnets with route advertisement
- Support for /32 subnets on external networks backed by NSX-T Data Center
- Guest VLAN Tagging for networks backed by NSX-T Data Center segments
- Alpha API availability. The Alpha APIs are enabled by default. System administrators can activate and deactivate VMware Cloud Director Alpha APIs by using the VMware Cloud Director API or by turning Alpha Features on or off in the VMware Cloud Director UI. The following functionalities are available when Alpha APIs are active:
- Kubernetes Container Clusters. When Alpha API support is active, you can provision Tanzu Kubernetes Grid Service clusters in addition to native clusters.
- Legacy API Login. When you specify API version 37.0.0-alpha in your request, the legacy API login endpoints are unavailable. The removal of the /api/sessions API login endpoint is due in the next major VMware Cloud Director release (VMware Cloud Director API version 37.0).
- Please note that the recently released Terraform Provider for VMware Cloud Director 3.3 supports VMware Cloud Director 10.3.
- Cell Management Tool Updates
- VMware Cloud Director 10.3 includes key updates that help log your environment's health and make it faster than ever to debug the VMware Cloud Director environment. You can use the env-check subcommand of the cell management tool to view the health status of a VMware Cloud Director cell. See the Cell Management Tool Reference documentation.
- The cell management tool supports the generation and configuration of private keys and certificates only in PEM format. Keystore files are no longer supported.
For more information about the new and updated features of this release, see What's New in VMware Cloud Director 10.3.
Security
VMware Cloud Director 10.3 virtual appliance ships with Photon OS updated up to this Photon Security Advisory.
VMware Cloud Director 10.3 supports PKCS8 private keys and X.509 certificates in PEM format. You can use PKCS8 private keys and X.509 certificates when you configure the network and database connections of VMware Cloud Director, or when you use the cell management tool to generate or replace certificates. For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
Product Support Notices
- VMware Cloud Director 10.3 and the subsequent 10.3.x update releases are the last versions of VMware Cloud Director to support NSX Data Center for vSphere.
- VMware Cloud Director API version 30.0 is not supported.
- API versions 31.0, 32.0, and 33.0 are deprecated.
- The /api/sessions API login endpoint is deprecated since VMware Cloud Director API version 33.0/VMware Cloud Director 10.0. The removal of the /api/sessions API login endpoint is due in the next major VMware Cloud Director release (VMware Cloud Director API version 37.0). You can use the separate VMware Cloud Director OpenAPI login endpoints for the service provider and tenant access to VMware Cloud Director.
Upgrading from Previous Releases
For more information on upgrading to VMware Cloud Director 10.3, upgrade and migration paths and workflows, see Upgrading and Migrating the VMware Cloud Director Appliance or Upgrading VMware Cloud Director on Linux.
System Requirements and Installation
Ports and Protocols
For information on the network ports and protocols that VMware Cloud Director 10.3 uses, see VMware Ports and Protocols.
Compatibility Matrix
See the VMware Product Interoperability Matrixes for current information about:
- VMware Cloud Director interoperability with other VMware platforms
- Supported VMware Cloud Director databases
Supported VMware Cloud Director Server Operating Systems
- CentOS 7
- CentOS 8
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
Deploying the VMware Cloud Director Appliance
When you deploy the VMware Cloud Director appliance 10.3 as an OVF template by using the VMware OVF Tool, you must include the following parameter, which is new for version 10.3: --X:enableHiddenProperties. If you do not include this parameter, the VMware OVF Tool fails with a "Property vcloudapp.nfs_mount.VMware_vCloud_Director is not user configurable." error.
See Deploying the VMware Cloud Director Appliance by Using VMware OVF Tool.
Supported AMQP Servers
Updated VMware Cloud Director uses AMQP to provide the message bus used by extension services, object extensions, and notifications. This release of VMware Cloud Director requires RabbitMQ version 3.8.x or higher. For information about currently supported RabbitMQ releases, see https://www.rabbitmq.com/versions.html.
For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
Supported Databases for Storing Historic Metric Data
VMware Cloud Director supports Apache Cassandra versions 3.11.x.
Disk Space Requirements
Each VMware Cloud Director server requires approximately 2100MB of free space for the installation and log files.
Memory Requirements
Please consult the VMware Cloud Director Installation, Configuration, and Upgrade Guide for memory requirements.
CPU Requirements
VMware Cloud Director is a CPU-bound application. CPU over-commitment guidelines for the appropriate version of vSphere should be followed. In virtualized environments, regardless of the number of cores available to VMware Cloud Director, there must be a sensible vCPU to physical CPU ratio that does not result in extreme over-committing.
Required Linux Software Packages
Each VMware Cloud Director server must include installations of several common Linux software packages. These packages are typically installed by default with the operating system software. If any of the packages are missing, the installer fails with a diagnostic message.
alsa-lib bash chkconfig coreutils findutils glibc grep initscripts krb5-libs libgcc
libICE libSM libstdc++ libX11 libXau libXdmcp libXext libXi libXt libXtst
module-init-tools net-tools pciutils procps redhat-lsb sed tar wget which
In addition to the installer required packages, several procedures for configuring the network connections and creating SSL certificates require the use of the Linux nslookup command, which is available in the Linux bind-utils package.
SDK/Plugin Support
If you plan to build custom service plugins to run against VMware Cloud Director API version 37.0.0-alpha, use @vcd/sdk version 0.12.2-alpha.5 or later.
Supported LDAP Servers
Note: VMware Cloud Director 10.3 and later supports Windows Server 2019 as a platform for the LDAP Service.
You can import users and groups to VMware Cloud Director from the following LDAP services.
Platform | LDAP Service | Authentication Methods |
---|---|---|
Windows Server 2012 | Active Directory | Simple, Simple SSL |
Windows Server 2016 | Active Directory | Simple, Simple SSL |
Windows Server 2019 | Active Directory | Simple, Simple SSL |
Linux | OpenLDAP | Simple, Simple SSL |
Supported Security Protocols and Cipher Suites
VMware Cloud Director requires the client connections to be secure. SSL version 3 and TLS version 1.0 and 1.1 have been found to have serious security vulnerabilities and are no longer included in the default set of protocols that the server offers to use when making a client connection. System administrators can enable more protocols and cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide. The following security protocols are supported:
- TLS version 1.2
- TLS version 1.1 (deactivated by default)
- TLS version 1.0 (deactivated by default)
Supported cipher suites enabled by default:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Supported cipher suites deactivated by default:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
System administrators can use the cell management tool to explicitly enable the supported cipher suites that are deactivated by default.
Note: Interoperation with releases of vCenter Server earlier than 5.5-update-3e and versions of ovftool earlier than 4.2 requires VMware Cloud Director to support TLS version 1.0. You can use the cell management tool to reconfigure the set of supported SSL protocols or ciphers. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
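An added example (not VMware code) of auditing a cell's TLS settings against the lists above: it flags every enabled protocol or suite that is outside the 10.3 default set and says why. On these lists each default suite combines ECDHE key exchange with AES-GCM, and each deactivated suite lacks at least one of the two. The "protocol"/"suite" input lines and the protocol labels (TLSv1.2, TLSv1.1, TLSv1) are a constructed format, not cell management tool output.

```shell
#!/bin/sh
# Suites enabled by default in 10.3 (copied from the release notes).
DEFAULT_ON="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

# Suites supported but deactivated by default (copied from the release notes).
SUPPORTED_OFF="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA"

# Constructed input: what an audited cell is assumed to have enabled.
sample_config() {
cat <<'EOF'
protocol TLSv1.2
protocol TLSv1
suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
suite TLS_RSA_WITH_AES_256_GCM_SHA384
suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
suite TLS_RSA_WITH_3DES_EDE_CBC_SHA
EOF
}

# True if $1 is an exact line of the newline-separated list $2.
in_list() { printf '%s\n' "$2" | grep -qxF -- "$1"; }

# Derive from the suite name what separates it from the default set:
# a key exchange without forward secrecy (static RSA or static ECDH), CBC mode.
weakness() {
    w=""
    case $1 in
        TLS_ECDHE_*) ;;
        TLS_ECDH_*)  w="static-ECDH" ;;
        TLS_RSA_*)   w="static-RSA" ;;
    esac
    case $1 in *_CBC_*) w="${w:+$w,}CBC" ;; esac
    printf '%s' "$w"
}

classify_suite() {
    if in_list "$1" "$DEFAULT_ON"; then echo "default"
    elif in_list "$1" "$SUPPORTED_OFF"; then echo "non-default:$(weakness "$1")"
    else echo "not-listed"          # not a suite these release notes list as supported
    fi
}

classify_protocol() {
    case $1 in
        TLSv1.2)       echo "default" ;;
        TLSv1.1|TLSv1) echo "non-default:deactivated-by-default" ;;
        *)             echo "not-listed" ;;
    esac
}

# Succeeds only if the name-derived rule reproduces the page's default/deactivated split.
lists_consistent() {
    for s in $DEFAULT_ON;    do [ -z "$(weakness "$s")" ] || return 1; done
    for s in $SUPPORTED_OFF; do [ -n "$(weakness "$s")" ] || return 1; done
}

# Read "protocol X" / "suite Y" lines on stdin; print one finding per non-default entry.
audit() {
    while read -r kind value; do
        case $kind in
            suite)    verdict=$(classify_suite "$value") ;;
            protocol) verdict=$(classify_protocol "$value") ;;
            *)        continue ;;
        esac
        [ "$verdict" = default ] || printf '%s %s %s\n' "$kind" "$value" "$verdict"
    done
}

sample_config | audit
```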
Supported Browsers
VMware Cloud Director is compatible with the current major and previous major release of the following browsers:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
Note: Internet Explorer 11 is not supported in VMware Cloud Director 10.3. You can use Microsoft Edge or another supported browser. If you must use Internet Explorer 11, consider staying on VMware Cloud Director version 10.0.x or 10.1.x until you can use another browser.
Supported Guest Operating Systems and Virtual Hardware Versions
VMware Cloud Director supports all guest operating systems and virtual hardware versions supported by the ESXi hosts that back each resource pool.
Resolved Issues
- New Updating the network of a standalone VM disconnects the network adapter for this VM in vSphere Client
After updating the network on a running standalone VM in VMware Cloud Director, the network adapter for this VM gets disconnected in the vSphere Client.
- The VMware Cloud Director HTML5 UI displays the old name for a renamed virtual machine
After renaming a VM, the Name in vSphere field on the VM general tab displays the old name instead of the new one.
- VMware Cloud Director deletes the latest HTTP request log file and stops recording HTTPS log events until the next day
If the total size of the request log files is exceeded, VMware Cloud Director deletes the latest log file and stops recording log events until the next day.
- You can see the IDs of storage policies on catalogs that are shared with you even if the organization does not have access to the storage policies
If you share a catalog with another organization, users from that organization can use the VMware Cloud Director API to make a GET request on that catalog and access the storage policy IDs even if the organization does not have access to the storage policies.
- While viewing the available VM consoles in a vApp, clicking on VM Consoles for a second time displays an empty list of available VM consoles
In the VMware Cloud Director tenant portal, if you view the vApps in a grid view, clicking VM Consoles for a second time results in an empty list of available VM consoles for the selected vApp.
- Creating a vApp from a vApp template generates an audit log with vappTemplate.storageProfile.id property set to null
After creating a vApp from a vApp template, in the audit log on the VMware Cloud Director database, the value for the vappTemplate.storageProfile.id property is set to null.
Known Issues
- New VMware Cloud Director UI and tasks are slow to load and complete
The Artemis message bus communication is not working and when you trigger operations from the UI, they can take up to 5 minutes to complete or might time out. The performance issues can affect operations such as powering on VMs and vApps, provider VDC creation, vApp deployment, and so on.
The log files might contain an error message, such as:
a) Connection failure to <VCD Cell IP Address> has been detected: AMQ229014: Did not receive data from <something> within the 60,000ms
b) Connection failure to /<VCD Cell IP Address>:61616 has been detected: AMQ219014: Timed out after waiting 30,000 ms
c) Bridge is stopping, will not retry
d) Local Member is not set at on ClusterConnection ClusterConnectionImp
Workaround:
For a) and b):
1. Verify that the VMware Cloud Director cells have network connectivity and can communicate with each other.
2. Restart the VMware Cloud Director cell that contains the error message.
For c) and d), restart the VMware Cloud Director cell that contains the error message.
- New The VMware Cloud Director appliance database disk resize script might fail if the backing SCSI disk identifier changes
The database disk resize script runs successfully only if the backing database SCSI disk ID remains the same. If the ID changes for any reason, the script might appear to run successfully but fails. The /opt/vmware/var/log/vcd/db_diskresize.log shows that the script fails with a No such file or directory error.
Workaround:
1. Log in directly or by using an SSH client to the primary cell as root.
2. Run the lsblk --output NAME,FSTYPE,HCTL command.
3. In the output, find the disk containing the database_vg-vpostgres partition and make note of its ID. The ID is under the HCTL column and has the following sample format: 2:0:3:0.
4. In the db_diskresize.sh script, modify the partition ID with the ID from Step 3. For example, if the ID is 2:0:3:0, in line
echo 1 > /sys/class/scsi_device/2\:0\:2\:0/device/rescan
you must change the ID to 2:0:3:0.
echo 1 > /sys/class/scsi_device/2\:0\:3\:0/device/rescan
5. After saving the changes, manually re-invoke the resize script or reboot the appliance.
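An added example (not part of the appliance or its db_diskresize.sh script) that automates the comparison in steps 2 to 4: it reads lsblk output, finds the HCTL of the disk that holds database_vg-vpostgres, and compares it with the ID in the script's rescan line. The lsblk listing and the volume names other than database_vg-vpostgres are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `lsblk --output NAME,FSTYPE,HCTL` output (not from a real appliance).
sample_lsblk() {
cat <<'EOF'
NAME                      FSTYPE      HCTL
sda                                   2:0:0:0
├─sda1                    ext4
└─sda2                    ext4
sdb                       LVM2_member 2:0:1:0
└─sample_vg-transfer      ext4
sdc                       LVM2_member 2:0:3:0
└─database_vg-vpostgres   ext4
EOF
}

# The rescan line as the workaround text shows it before the fix.
sample_script() {
cat <<'EOF'
echo 1 > /sys/class/scsi_device/2\:0\:2\:0/device/rescan
EOF
}

# Print the HCTL of the top-level disk whose children include the device named $1.
# Reads lsblk output on stdin; prints nothing if the device is not found.
hctl_for_volume() {
    awk -v vol="$1" '
        # Top-level row (also the header): remember its HCTL, or clear it if it has none.
        /^[A-Za-z0-9]/ { hctl = ($NF ~ /^[0-9]+:[0-9]+:[0-9]+:[0-9]+$/) ? $NF : ""; next }
        # Child row: strip the tree-drawing prefix, then compare the exact device name.
        { line = $0; sub(/^[^A-Za-z0-9]+/, "", line); split(line, f, " ") }
        f[1] == vol && hctl != "" { print hctl; exit }
    '
}

# Extract the HCTL that a script's rescan line currently targets (script text on stdin).
script_hctl() {
    tr -d '\\' |
        sed -n 's#.*/sys/class/scsi_device/\([0-9:]*\)/device/rescan.*#\1#p' |
        head -n 1
}

# Build the corrected rescan line for HCTL $1, with colons escaped as in the script.
rescan_line() {
    printf 'echo 1 > /sys/class/scsi_device/%s/device/rescan\n' \
        "$(printf '%s' "$1" | sed 's/:/\\:/g')"
}

# Demo on the constructed samples. On the primary cell, feed the real inputs instead:
#   lsblk --output NAME,FSTYPE,HCTL | hctl_for_volume database_vg-vpostgres
#   script_hctl < /path/to/db_diskresize.sh      (path is a placeholder)
disk=$(sample_lsblk | hctl_for_volume database_vg-vpostgres)
in_script=$(sample_script | script_hctl)
if [ -z "$disk" ]; then
    echo "database_vg-vpostgres not found in lsblk output"
elif [ "$disk" != "$in_script" ]; then
    echo "mismatch: script rescans $in_script, database disk is $disk; corrected line:"
    rescan_line "$disk"
else
    echo "script already targets $disk"
fi
```

The example only reports the mismatch and prints the corrected line; editing db_diskresize.sh stays a manual step, as in the workaround.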
- New Publishing a vRealize Orchestrator workflow to the VMware Cloud Director service library fails with an error message
When you attempt to publish a vRealize Orchestrator workflow, the operation fails with a 500 Server Error error message.
This happens because the API returns a large number of links for each individual tenant to which the workflow is published and causes an overflow in the HTTP headers.
Workaround: To publish the workflow, use CURL or POSTMAN to run an API request with increased HTTP header size limit.
- New When you use the VMware Cloud Director UI to create a new VM with a placement policy, all virtual machines that are part of the VM group defined in the used placement policy might disappear
When you use the VMware Cloud Director UI to create a new VM that uses a certain placement policy, all virtual machines listed in the VM group that's defined in the used placement policy might disappear from the VM group.
Workaround: When the VMs get deleted from the group, they become non-compliant with the placement policy that you used to create the new VM. To restore the VMs to the group, manually make each of them compliant with the used placement policy.
- New VMware Cloud Director operations, such as powering a VM on and off, take a longer time to complete
VMware Cloud Director operations, such as powering a VM on or off, take a longer time to complete. The task displays a Starting virtual machine status and nothing happens.
The jms-expired-messages.logs log file displays an error.
RELIABLE:LargeServerMessage & expiration=
Workaround: None.
- New Migrating a VM that is connected to a vSphere-backed external network between resource pools fails
If a VM is connected to an external network which is backed by multiple vSphere networks, and you attempt to migrate the VM between resource pools, the operation fails if the source and destination resource pools are backed by different host clusters and if the destination resource pool does not have access to the external network to which the VM was originally connected.
Workaround: None.
- New You cannot create VMware Cloud Director VDC templates in VMware Cloud Director service environments
VMware Cloud Director service does not support Virtual Data Center (VDC) templates. You can use VDC templates on environments with provider VDCs with an NSX network provider type or an NSX Data Center for vSphere provider type. You cannot use VDC templates on VMware Cloud Director service environments because the provider VDCs have the VMC network provider type.
Workaround: None.
- New Switching to a vApp or a VM using the Quick Search option while updating another vApp or VM, might result in changed object settings
Using the Quick Search feature to switch between objects such as vApps or VMs while the task of updating another object is not finished might result in renaming the vApp or VM that you are updating or changing some of its other settings.
Workaround: Before you use the Quick Search feature to switch to another object, wait for the ongoing update task to finish.
- New Migrating VMs between organization VDCs might fail with an insufficient resource error
If VMware Cloud Director is running with vCenter Server 7.0 Update 3h or earlier, when relocating a VM to a different organization VDC, the VM migration might fail with an insufficient resource error even if the resources are available in the target organization VDC.
Workaround: Upgrade vCenter Server to version 7.0 Update 3i or later.
- New Suspending a VM through the VMware Cloud Director UI results in a partially suspended state of the VM
In the VMware Cloud Director Tenant Portal, when you suspend a VM, VMware Cloud Director does not undeploy the VM, and the VM becomes Partially Suspended instead of Suspended.
Workaround: None.
- New Role name and description are localized in the VMware Cloud Director UI and can cause duplication of role names
The problem occurs because the UI translation does not affect the back end and API. You might create roles with the same names as the translated names which results in perceived duplicate roles in the UI and conflicts with the API usage of role names when creating service accounts.
Workaround: None.
- New The Customer Experience Improvement Program (CEIP) status is Enabled even after deactivating it during the installation of VMware Cloud Director
During the installation of VMware Cloud Director, if you deactivate the option to join the CEIP, after the installation completes, the CEIP status is active.
Workaround: Deactivate the CEIP by following the steps in the Join or Leave the VMware Customer Experience Improvement Program procedure.
- New When you use VMware Cloud Director API version 35.2 or earlier to access a powered off and deployed VM, or a suspended and deployed VM, the power states of the VMs appear as PARTIALLY_POWERED_OFF and PARTIALLY_SUSPENDED, respectively
When you use VMware Cloud Director API version 35.2 or earlier to access a VM that is powered off and deployed or a VM that is suspended and deployed, the power states of the VMs appear as PARTIALLY_POWERED_OFF and PARTIALLY_SUSPENDED, respectively. This happens because of a backward incompatible change in VMware Cloud Director API version 36.0 which introduced these new power states. As a result, API calls from versions 35.2 and earlier that attempt to process these states fail.
Workaround: None.
- New VMware Cloud Director appliance upgrade fails with an invalid version error when FIPS mode is enabled
For VMware Cloud Director versions 10.3.x and later, when FIPS mode is enabled, VMware Cloud Director appliance upgrade fails with the following error.
Failure: Installation failed abnormally (program aborted), the current version may be invalid.
Workaround:
1. Before you upgrade the VMware Cloud Director appliance, deactivate FIPS Mode on the cells in the server group and the VMware Cloud Director appliance. See Activate or Deactivate FIPS Mode on the VMware Cloud Director Appliance.
2. Verify that the /etc/vmware/system_fips file does not exist on any appliance.
3. Upgrade the VMware Cloud Director appliance.
4. Enable FIPS mode again.
- New Mounting an NFS datastore from NetApp storage array fails with an error message during the initial VMware Cloud Director appliance configuration
During the initial VMware Cloud Director appliance configuration, if you configure an NFS datastore from NetApp storage array, the operation fails with an error message.
Backend validation of NFS failed with: <nfs-file-path> is owned by an unknown user
Workaround: Configure the VMware Cloud Director appliance by using the VMware Cloud Director Appliance API.
- New Refreshing the LDAP page in your browser does not take you back to the same page
In the Service Provider Admin Portal, refreshing the LDAP page in your browser takes you to the provider page instead of back to the LDAP page.
Workaround: None.
- New The LDAP Synchronization Settings tab in the VMware Cloud Director Service Provider Admin Portal does not display the Edit button
On the LDAP Synchronization Settings tab, the HTML5 UI does not display the Edit button and you cannot edit the LDAP settings for your organization.
Workaround: None.
- New If you migrate a VM, vApp, or independent disk to a vCenter Server instance that uses well-signed certificates, the migration fails
When trying to migrate a VM, vApp, or independent disk from one vCenter Server instance to another that uses well-signed certificates, the migration fails. The problem occurs when using the VMware Cloud Director UI and API requests like recompose, migrateVms, moveVApp, and so on.
Workaround: None.
- New VMs become non-compliant after converting a reservation pool VDC into a flex organization VDC
In an organization VDC with a reservation pool allocation model, if some of the VMs have nonzero reservation for CPU and Memory, non-unlimited configuration for CPU and Memory, or both, after converting into a flex organization VDC, these VMs become non-compliant. If you attempt to make the VMs compliant again, the system applies an incorrect policy for the reservation and limit and sets the CPU and Memory reservations to zero and the limits to Unlimited.
Workaround:
- A system administrator must create a VM sizing policy with the correct configuration.
- A system administrator must publish the new VM sizing policy to the converted flex organization VDC.
- The tenants can use the VMware Cloud Director API or the VMware Cloud Director Tenant Portal to assign the VM sizing policy to the existing virtual machines in the flex organization VDC.
- New When you enable FIPS mode, the vRealize Orchestrator integration fails with an error related to invalid parameters.
When you enable FIPS mode, the integration between VMware Cloud Director and vRealize Orchestrator does not work. The VMware Cloud Director UI returns an Invalid VRO request params error. The API calls return the following error:
Caused by: java.lang.IllegalArgumentException: 'param' arg cannot be null
at org.bouncycastle.jcajce.provider.ProvJKS$JKSKeyStoreSpi.engineLoad(Unknown Source)
at java.base/java.security.KeyStore.load(KeyStore.java:1513)
at com.vmware.vim.install.impl.CertificateGetter.createKeyStore(CertificateGetter.java:128)
at com.vmware.vim.install.impl.AdminServiceAccess.(AdminServiceAccess.java:157)
at com.vmware.vim.install.impl.AdminServiceAccess.createDiscover(AdminServiceAccess.java:238)
at com.vmware.vim.install.impl.RegistrationProviderImpl.(RegistrationProviderImpl.java:56)
at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:143)
at com.vmware.vcloud.vro.client.connection.STSClient.getRegistrationProvider(STSClient.java:126)
... 136 more
Workaround: None.
- New In the Tenant Portal UI, when you create an affinity or an anti-affinity rule, deselecting the Required check box does not affect the rule configuration
In the Tenant Portal UI, when you create an affinity or an anti-affinity rule, deselecting the Required check box does not affect the rule configuration. Affinity and anti-affinity rules are always Required, which means that if a rule cannot be satisfied, the VMs that are added to the rule don't power on.
Workaround: None.
- New Users with the General Administrator View right but without the Access All Organization VDCs right cannot view any VMs in the tenant organization.
If you grant a user the General Administrator View right but not the Access All Organization VDCs right, the user cannot view any VMs in the tenant organization.
Workaround: Grant the General Administrator View right and the Access All Organization VDCs right to the user. Users without these two rights can view only VMs they own and shared VMs.
- New If you use vRealize Orchestrator 8.x, hidden input parameters in workflows are not populated automatically in the VMware Cloud Director UI
If you use vRealize Orchestrator 8.x, when you attempt to run a workflow through the VMware Cloud Director UI, hidden input parameters are not populated automatically in the VMware Cloud Director UI.
Workaround:
To access the values of the workflow input parameters, you must create a vRealize Orchestrator action that has the same input parameter values as the workflow that you want to run.
1. Log in to the vRealize Orchestrator Client and navigate to Library>Workflows.
2. Select the Input Form tab and click Values on the right-hand side.
3. From the Value options drop-down menu, select External source, enter the Action inputs and click Save.
4. Run the workflow in the VMware Cloud Director UI.
- New The vpostgres process in a standby appliance fails to start
The vpostgres process in a standby appliance fails to start and the PostgreSQL log shows an error similar to the following.
FATAL: hot standby is not possible because max_worker_processes = 8 is a lower setting than on the master server (its value was 16).
This happens because PostgreSQL requires standby nodes to have the same max_worker_processes setting as the primary node. VMware Cloud Director automatically configures the max_worker_processes setting based on the number of vCPUs assigned to each appliance VM. If the standby appliance has fewer vCPUs than the primary appliance, this results in an error.
Workaround: Deploy the primary and standby appliances with the same number of vCPUs.
- New VMware Cloud Director API calls to retrieve vCenter Server information return a URL instead of a UUID
The issue occurs with vCenter Server instances that failed the initial registration with VMware Cloud Director version 10.2.1 and earlier. For those vCenter Server instances, when you make API calls to retrieve the vCenter Server information, the VMware Cloud Director API incorrectly returns a URL instead of the expected UUID.
Workaround: Reconnect the vCenter Server instance to VMware Cloud Director.
- New If you try to use the VMware Cloud Director API to move a vApp across vCenter Server instances when the target datastore is vSAN based, the MoveVApp API fails with an internal server error
When using the /vdc/action/moveVApp API, if the destination is in a different vCenter Server instance and the target datastore is vSAN based, the move fails with an internal server error.
Workaround: When moving vApps across vCenter Server instances, verify that the datastores are not vSAN-based.
- New After upgrading to vCenter Server 7.0 Update 2a or Update 2b, you cannot create Tanzu Kubernetes Grid clusters
If the underlying vCenter Server version is 7.0 Update 2a or Update 2b, when you try to create a Tanzu Kubernetes Grid cluster by using the Kubernetes Container Clusters plug-in, the task fails.
Workaround: None.
- When turning Alpha features on or off, the VMware Cloud Director UI displays a message that tenants are not exposed to the Alpha features.
When you activate or deactivate the VMware Cloud Director Alpha features, on the confirmation window, the UI displays the following message.
Alpha features are not exposed to Tenant users.
However, when Alpha features are active, all users experience the API login changes and all users with the necessary rights can deploy TKGs clusters.
Workaround: None.
- Upgrading from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3 results in a Connection to sfcbd lost error message
If you upgrade from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3, the upgrade operation reports an error message.
Connection to sfcbd lost. Attempting to reconnect
Workaround: You can ignore the error message and continue with the upgrade.
- In the VMware Cloud Director tenant portal, increasing the vCPU of a VM does not update the CPU shares
If a VDC has an allocation pool set as the allocation model, increasing the vCPU of a VM does not update the CPU shares.
Workaround:
As a system administrator:
- Use the vSphere Client to update the CPU.
- In the VMware Cloud Director tenant portal, update the CPU by changing the advanced properties of the VM. For information, see Change the Advanced Properties of a Virtual Machine.
As a tenant:
In the VMware Cloud Director tenant portal, update the VM memory. For information, see Change the Hardware Properties of a Virtual Machine.
- After Add and Remove a VDC from a VDC group operations, the status of an edge gateway that is shared across all data centers in the VDC group is displayed as Busy
If a VDC is configured with a provider VDC Kubernetes policy and you add or remove the VDC from a VDC group, on the Edge Gateway page, the status of the edge gateway that is shared across all data centers in the VDC group is displayed as Busy and you cannot edit this edge gateway.
Workaround:
To add the VDC to the VDC group, you must delete the VDC from the VDC group and add it again.
To remove the VDC from the VDC group, you must add the deleted VDC to the VDC group and delete it again.
- When you use the VMware Cloud Director API to create a VM from a template and you don't specify a default storage policy, if there is no default storage policy set for the template, the newly created VM attempts to use the storage policy of the source template itself
When you use the VMware Cloud Director API to create a VM from a template and you don't specify a default storage policy, if there is no default storage policy set for the template, the newly created VM attempts to use the storage policy of the source template itself instead of using the storage policy of the organization VDC in which you are deploying it.
Workaround: None.
- When using FIPS mode, trying to upload OpenSSL-generated PKCS8 files fails with an error
OpenSSL cannot generate FIPS-compliant private keys. When VMware Cloud Director is in FIPS mode and you try to upload PKCS8 files generated using OpenSSL, the upload fails with one of the following errors.
Bad request: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: ... not available: No such algorithm: ...
salt must be at least 128 bits
Workaround: Deactivate the FIPS mode to upload the PKCS8 files.
- Creation of Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in fails
When you create a Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in, you must select a Kubernetes version. Some of the versions in the drop-down menu are not compatible with the backing vSphere infrastructure. When you select an incompatible version, the cluster creation fails.
Workaround: Delete the failed cluster record and retry with a compatible Tanzu Kubernetes version. For information on the incompatibilities between Tanzu Kubernetes and vSphere, see Updating the vSphere with Tanzu Environment.
- If you have any subscribed catalogs in your organization, when you upgrade VMware Cloud Director, the catalog synchronization fails
After upgrade, if you have subscribed catalogs in your organization, VMware Cloud Director does not trust the published endpoint certificates automatically. Without trusting the certificates, the content library fails to synchronize.
Workaround: Manually trust the certificates for each catalog subscription. When you edit the catalog subscription settings, a trust on first use (TOFU) dialog prompts you to trust the remote catalog certificate.
If you do not have the necessary rights to trust the certificate, contact your organization administrator.
- After upgrading VMware Cloud Director and enabling the Tanzu Kubernetes cluster creation, no automatically generated policy is available and you cannot create or publish a policy
When you upgrade VMware Cloud Director to version 10.3 and vCenter Server to version 7.0.0d or later, and you create a provider VDC backed by a Supervisor Cluster, VMware Cloud Director displays a Kubernetes icon next to the VDC. However, there is no automatically generated Kubernetes policy in the new provider VDC. When you try to create or publish a Kubernetes policy to an organization VDC, no machine classes are available.
Workaround: Manually trust the corresponding Kubernetes endpoint certificates. See VMware knowledge base article 83583.
- Entering a Kubernetes cluster name with non-Latin characters deactivates the Next button in the Create New Cluster wizard
The Kubernetes Container Clusters plug-in supports only Latin characters. If you enter non-Latin characters, the following error appears.
Name must start with a letter and only contain alphanumeric or hyphen (-) characters. (Max 128 characters)
Workaround: None.
- After resizing a TKGI cluster, some values in the data grid appear as blank or not applicable
When you resize a VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) cluster, the cluster values for the organization and VDC in the data grid view appear to be blank or N/A.
Workaround: None.
- NFS downtime can cause VMware Cloud Director appliance cluster functionalities to malfunction
If the NFS is unavailable, for example because the NFS share is full or has become read-only, appliance cluster functionalities can malfunction. The HTML5 UI is unresponsive while the NFS is down or cannot be reached. Other functionalities that might be affected are the fencing out of a failed primary cell, switchover, promoting a standby cell, and so on. For more information about correctly setting up the NFS shared storage, see Preparing the Transfer Server Storage for the VMware Cloud Director Appliance.
Workaround:
- Fix the NFS state so that it is not read-only.
- Clean up the NFS share if it is full.
- Trying to encrypt named disks in vCenter Server version 6.5 or earlier fails with an error
For vCenter Server instances version 6.5 or earlier, if you try to associate new or existing named disks with an encryption enabled policy, the operation fails with the following error.
Named disk encryption is not supported in this version of vCenter Server.
Workaround: None.
- When using the VMware Cloud Director Service Provider Admin Portal with Firefox, you cannot load the tenant networking screens
If you are using the VMware Cloud Director Service Provider Admin Portal with Firefox, the tenant networking screens, for example, the Manage Firewall screen for an organization virtual data center, might fail to load. This issue happens if your Firefox browser is configured to block third-party cookies.
Workaround: Configure your Firefox browser to allow third-party cookies. For information, go to https://support.mozilla.org/en-US/ and see the Websites say cookies are blocked - Unblock them KB.
- A fast-provisioned virtual machine created on a VMware vSphere Storage APIs Array Integration (VAAI) enabled NFS array, or vSphere Virtual Volumes (VVols) cannot be consolidated
In-place consolidation of a fast-provisioned virtual machine is not supported when a native snapshot is used. Native snapshots are always used by VAAI-enabled datastores, as well as by VVols. When a fast-provisioned virtual machine is deployed to one of these storage containers, that virtual machine cannot be consolidated.
Workaround: Do not enable fast provisioning for an organization VDC that uses VAAI-enabled NFS or VVols. To consolidate a virtual machine with a snapshot on a VAAI or a VVol datastore, relocate the virtual machine to a different storage container.
- If you add an IPv6 NIC to a VM and then you add an IPv4 NIC to the same VM, the IPv4 north-south traffic breaks
Using the HTML5 UI, if you add an IPv6 NIC first or configure an IPv6 NIC as the primary NIC in a VM, and then you add an IPv4 NIC to the same VM, the IPv4 north-south communication breaks.
Workaround: First you must add the IPv4 NIC to the VM and then the IPv6 NIC.