VMware Cloud Director 10.4 | 14 JUL 2022 | Build 20079248 (installed build 20079017)

Check for additions and updates to these release notes.

What's New

VMware Cloud Director version 10.4 includes the following:

  • Networking Features

    Static Routing for NSX-T Data Center edge gateways. Both service providers and tenants can manually modify the routing table for an NSX-T edge gateway and configure a static route within an organization VDC by specifying the network, next hop, and any specific networks or interfaces to which to direct traffic. If the specified next hop is part of an existing subnet that is associated with the edge gateway, you can specify a scope for the static route. A scope is an organization VDC network in which the next hop of the static route is located.

    Use static routing if you want to use a route that is not included in the routing table of your NSX-T edge gateway, or if you want to direct traffic through a service edge gateway and a service interface instead of using distributed routing. See Configure Static Routing.

    VMware NSX Advanced Load Balancer (Avi Networks) Feature set configuration at the service engine group level. All Controller instances that you register with VMware Cloud Director are now licensed and deployed with the Premium (also known as Enterprise) feature set. As a service provider, you can choose to restrict a tenant's feature set to Standard (Basic) at the Service Engine Group level.

    VMware NSX Advanced Load Balancer (Avi Networks) Standard feature set improvements for tenants

    • You can configure a single virtual service to use more than one port protocol.
    • You can configure multiple virtual services that are on the same edge gateway to be fronted by the same virtual IP address. The virtual services must use different ports.
    • You can use IPv6 for virtual IP addresses and for load balancer server pools.
    • You can configure a virtual service on the same subnet as an organization VDC network.

  • Fast Cross vCenter Server vApp Instantiation Utilizing Shared Storage

    This solution provides added flexibility for enabling fast instantiation of vApps from a catalog across vCenter Server instances. If a VMware Cloud Director catalog is backed by a VDC in vCenter Server A, instantiating a vApp from the catalog to a VDC backed by a cluster in vCenter Server B triggers a time-consuming OVF export-import process. In previous releases, the only way to avoid this was to ensure that the source and destination vCenter Server instances have shared storage, and the templates in the source vCenter Server reside on the same shared datastore where they are instantiated on the destination vCenter Server. Such configuration allows optimized copy of the templates, avoiding OVF export-import, and as a result leads to a significantly faster vApp instantiation. Starting with version 10.4, if vCenter Server A and vCenter Server B have a shared datastore and the templates reside there, VMware Cloud Director performs fast vApp instantiation to any destination datastore in vCenter Server B.

  • Photon OS 3.0

    VMware Cloud Director appliance is now based on Photon OS 3.0 which brings improved security and upgraded OS packages.

  • Service Accounts

    You can use VMware Cloud Director to create and manage service accounts for applications interacting with VMware Cloud Director. To provide continuous access to VMware Cloud Director, service accounts use OAuth refresh tokens instead of passwords. When using service accounts, applications cannot perform certain tasks and have only View rights for some resources, such as users, groups, roles, and rights. See Managing Service Accounts.

  • Consolidated VM Console Proxy Endpoint

    VM console proxy traffic now uses the same IP address and port as the VMware Cloud Director UI and API. In previous releases, the console proxy traffic used a separate IP address and port. The unified access point eliminates the need to manage an additional endpoint and certificate, and allows for SSL termination at the load balancer level. The VMware Cloud Director HTTP request log records the VM console traffic. You can enable the LegacyConsoleProxy feature. However, before enabling the legacy console proxy implementation, verify that your system configuration has the necessary console proxy settings and see After you enable legacy console proxy mode, the VMware Cloud Director cell on which you enabled the… and If you run the cell management tool's clear-console-proxy-settings command while legacy console pro….

  • Enhanced trust management integration with vSphere

    VMware Cloud Director 10.4 enhances SSL connectivity to all vSphere infrastructure components, including ESXi, by incorporating the vSphere Certificate Authority (CA) into the VMware Cloud Director trust mechanisms which also affects previously added vCenter Server instances.

    IMPORTANT: Because of this enhancement to SSL connectivity, you must perform additional steps post-upgrade to ensure that VMware Cloud Director trusts all necessary vSphere certificates. Failure to perform these steps post-upgrade can disrupt the connection between VMware Cloud Director and vCenter Server instances.

    Follow the procedure outlined in the advisory that appears upon upgrade. See also KB 78885 and The VMware Cloud Director console proxy, uploading OVFs and media, and powering on a VM fail.

  • VMware Cloud Director appliance certificate backup and restore

    1. In addition to HTTP and console proxy certificates, VMware Cloud Director Appliance backup includes a vcd_ova certificate and keys.
    2. VMware Cloud Director Appliance management UI supports optionally restoring the PostgreSQL and virtual appliance management UI certificates.
  • IOPS Limits and Reservation Visibility Enhancements

    • Service providers can show or hide from tenants the IOPS limits and reservations on VM disks and named disks by using the new View Disk IOPS right. See Enabling the I/O Operations Per Second Setting.
    • VM disks and named disks views display both IOPS limits and reservations for each disk. VMware Cloud Director also returns the data in the corresponding API calls.
    • IOPS settings configured on a non-vSAN storage policy in vCenter Server appear in VMware Cloud Director named disk and VM disk views and in the corresponding API responses. By using the VMware Cloud Director UI, you cannot edit IOPS reservations and limits configured in vCenter Server.
  • Catalog Enhancements

    1. If a catalog is subscribed to a published catalog, the synchronization of templates from the published to the subscribed catalog goes through a number of distinct steps. VMware Cloud Director now provides a detailed view of the currently running catalog synchronization task step and the progress percentage of that step. The currently running task step appears in the Recent Tasks panel and a more detailed view appears if a user clicks the Status of the item being synced. Examples of distinct steps are: initializing library item sync, waiting for publisher to download files, transferring files from publisher to subscriber, importing OVF.
    2. When the catalog item synchronization task is at the Transferring files from publisher to subscriber step, clicking the task details shows the Active File Transfers tab where you can see the file transfer progress of individual disk files.
    3. If a catalog synchronization fails in the file transfer phase due to a VMware Cloud Director service restart or crash, when the cell restarts, the sync resumes from the previous transfer session, and VMware Cloud Director reuses the previously transferred content.
    4. If you deactivate the Automatically download the content from an external catalog setting of a subscribed catalog, at catalog creation, VMware Cloud Director does not sync the items within the catalog. VMware Cloud Director synchronizes only the item metadata. VMware Cloud Director synchronizes the VMDKs when you request a sync on each item. Moreover, if a publisher does not have the content downloaded, the catalog subscription with this option does not trigger download of VMDKs at the publisher side.
  • API support for instantiating fenced vApp templates in NSX-T backed VDCs and for moving fenced vApps to VDCs backed by NSX-T Data Center

    You can use the VMware Cloud Director API to instantiate a vApp template that contains fenced networks into a VDC backed by NSX-T Data Center. You can also move a fenced vApp from a VDC backed by NSX Data Center for vSphere to a VDC backed by NSX-T Data Center.

VMware Cloud Provider Blog

For more information about the new and updated features of this release, see What's New in VMware Cloud Director 10.4.

Security

VMware Cloud Director STIG Readiness Guide

In the United States Department of Defense (DoD), Security Technical Implementation Guides (STIGs) provide technical, standards-based hardening guidance. Officially published STIGs are mandatory in the DoD and fill a crucial role in systems accreditation as part of the Risk Management Framework (RMF). The purpose of STIGs is to deal with a variety of threats, vulnerabilities and remediations:

  • Intrusion Avoidance
  • Intrusion Detection
  • Response and Recovery
  • Security Implementation Guidance

VMware Cloud Director 10.4 includes the first release of the VMware Cloud Director STIG Readiness Guide. VMware produces the VMware Cloud Director STIG Readiness Guide. The guide does not have Defense Information Systems Agency (DISA) ownership. The guide provides Security Requirements Guidelines (SRGs) content that is ready to go through the DISA process but is not a DISA published STIG. See the VMware Cloud Director STIG Readiness Guide Overview document at the download link.

STIG work for VMware Cloud Director is ongoing and will continue over the next several releases. STIG Readiness Guides for VMware Cloud Director Appliance and its underlying components, such as PostgreSQL, NGINX, Photon OS, and VMware Cloud Director Application, are accessible through the VMware Cloud Director Readiness Guide ZIP file. You can use STIG viewing tools to read and review the XML documents and to create and manage security compliance checklists for your deployments.

Product Support Notices

  • NSX Data Center for vSphere Support

    VMware Cloud Director will continue to operate with NSX Data Center for vSphere to support migrations to VMware NSX-T Data Center until January 2023. At that time VMware will evaluate the future of NSX Data Center for vSphere as a backing networking platform in VMware Cloud Director. It is strongly recommended that VMware Cloud Director customers migrate to VMware NSX-T Data Center before January 2023 to avoid any disruptions in support.

  • VMware Cloud Director API versions 31.0 and 32.0 are not supported.

  • VMware Cloud Director API versions 33.0, 34.0, 35.0 and 35.2 are deprecated and will be unsupported starting with the next major VMware Cloud Director release.

Upgrading from Previous Releases

For more information on upgrading to VMware Cloud Director 10.4, upgrade and migration paths and workflows, see Upgrading and Migrating the VMware Cloud Director Appliance or Upgrading VMware Cloud Director on Linux.

System Requirements and Installation

Ports and Protocols

For information on the network ports and protocols that VMware Cloud Director 10.4 uses, see VMware Ports and Protocols.

Compatibility Matrix

See the VMware Product Interoperability Matrixes for current information about:

  • VMware Cloud Director interoperability with other VMware platforms
  • Supported VMware Cloud Director databases

Supported VMware Cloud Director Server Operating Systems

  • CentOS 7
  • CentOS 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Supported AMQP Servers

VMware Cloud Director uses AMQP to provide the message bus used by extension services, object extensions, and notifications. This release of VMware Cloud Director requires RabbitMQ version 3.8.x or 3.9.x.

For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.

Supported Databases for Storing Historic Metric Data

VMware Cloud Director supports Apache Cassandra versions 3.11.x and 4.0.x.

Disk Space Requirements

Each VMware Cloud Director server requires approximately 2100MB of free space for the installation and log files.

Memory Requirements

Please consult VMware Cloud Director Installation, Configuration, and Upgrade Guide for memory requirements.

CPU Requirements

VMware Cloud Director is a CPU-bound application. CPU over-commitment guidelines for the appropriate version of vSphere should be followed. In virtualized environments, regardless of the number of cores available to VMware Cloud Director, there must be a sensible vCPU to physical CPU ratio, that does not result in extreme over-committing.

Required Linux Software Packages

Each VMware Cloud Director server must include installations of several common Linux software packages. These packages are typically installed by default with the operating system software. If any of the packages are missing, the installer fails with a diagnostic message.

In addition to the installer required packages, several procedures for configuring the network connections and creating SSL certificates require the use of the Linux nslookup command, which is available in the Linux bind-utils package.

SDK/Plugin Support

If you plan to build custom service plugins to run against VMware Cloud Director API version 37.0.0-alpha, use @vcd/sdk version 0.12.2-alpha.5 or later.

Supported LDAP Servers

Note: VMware Cloud Director 10.4 and later supports Windows Server 2019 as a platform for the LDAP Service.

You can import users and groups to VMware Cloud Director from the following LDAP services.

Supported Security Protocols and Cipher Suites

VMware Cloud Director requires the client connections to be secure. SSL version 3 and TLS version 1.0 and 1.1 have been found to have serious security vulnerabilities and are no longer included in the default set of protocols that the server offers to use when making a client connection. System administrators can enable more protocols and cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide. The following security protocols are supported:

  • TLS version 1.2
  • TLS version 1.1 (disabled by default)
  • TLS version 1.0 (disabled by default)

To enable the disabled versions, see KB 88929.

Supported cipher suites enabled by default:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Supported cipher suites disabled by default:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

System administrators can use the cell management tool to explicitly enable the supported cipher suites that are disabled by default.
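
The following audit is an added example, not VMware code: it compares the protocols and cipher suites an administrator has recorded as enabled on a cell against the 10.4 defaults listed above and explains why each non-default entry is weaker. The function names, the Java-style protocol names (TLSv1.2, TLSv1.1, TLSv1) and the sample input are assumptions made for illustration.

```python
import re
import unicodedata

# Defaults taken from the lists above (VMware Cloud Director 10.4).
DEFAULT_PROTOCOLS = {"TLSv1.2"}
# Supported but disabled by default. Java-style protocol names are an assumption.
NON_DEFAULT_PROTOCOLS = {"TLSv1.1", "TLSv1"}
DEFAULT_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Covers the suite families that appear in the lists above.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_ECDSA|ECDHE_RSA|ECDH_ECDSA|ECDH_RSA|RSA)"
    r"_WITH_AES_(?P<bits>128|256)_(?P<mode>GCM|CBC)_(?P<mac>SHA(?:256|384)?)$"
)


def normalize(name):
    """Drop zero-width/format characters and whitespace picked up when copying a list."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf").strip()


def suite_weaknesses(name):
    """Return why a suite is weaker than the defaults, or None if the name does not parse."""
    m = SUITE_RE.match(name)
    if m is None:
        return None
    reasons = []
    if not m["kx"].startswith("ECDHE"):
        reasons.append("no forward secrecy (%s key exchange)" % m["kx"])
    if m["mode"] == "CBC":
        reasons.append("CBC mode (MAC-then-encrypt, not AEAD)")
    if m["mac"] == "SHA":
        reasons.append("HMAC-SHA1 record MAC")
    return reasons


def audit(protocols, suites):
    """Return (name, kind, detail) for every enabled item outside the 10.4 defaults."""
    findings = []
    for proto in map(normalize, protocols):
        if proto in DEFAULT_PROTOCOLS:
            continue
        if proto in NON_DEFAULT_PROTOCOLS:
            detail = "supported but disabled by default"
        else:
            detail = "not in the supported protocol list"
        findings.append((proto, "protocol", detail))
    for suite in (normalize(s).upper() for s in suites):
        if suite in DEFAULT_SUITES:
            continue
        reasons = suite_weaknesses(suite)
        if reasons is None:
            detail = "unrecognized suite name"
        else:
            detail = "; ".join(reasons) or "not in the default list"
        findings.append((suite, "cipher", detail))
    return findings


# Constructed sample: what an administrator might have recorded for one cell.
SAMPLE_PROTOCOLS = ["TLSv1.2", "TLSv1.1"]
SAMPLE_SUITES = [
    "\u200b\u200bTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  # zero-width chars from a copied list
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # not in either list above
]

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE_PROTOCOLS, SAMPLE_SUITES):
        print("%-8s %-42s %s" % (kind, name, detail))
```

An empty result means the cell offers only what 10.4 enables by default; each finding is a setting that someone enabled explicitly and that should have a documented reason.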

Supported Browsers

VMware Cloud Director is compatible with the current major and previous major release of the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge

Supported Guest Operating Systems and Virtual Hardware Versions

VMware Cloud Director supports all guest operating systems and virtual hardware versions supported by the ESXi hosts that back each resource pool.

Resolved Issues

  • You can add new VMs to a vApp by using a user without Create and Reconfigure a vApp permissions

    As a user without Create and Reconfigure a vApp permissions, you can add a new VM to an existing vApp.

  • Creating a vApp from a vApp template or by using an OVF deploys the new vApp with an incorrect configuration for the administrator password on the guest operating system

    If you create a new vApp by using an OVF or a vApp template that is disabled for guest customization, VMware Cloud Director deploys the new vApp with the option to allow setting an administrator password on the guest operating system enabled.

  • After upgrading to VMware Cloud Director 10.3.2, you cannot execute commands with the cell management tool when using credentials from an external LDAP identity provider

    After upgrading to VMware Cloud Director 10.3.2, when attempting to run commands by using a user from an external LDAP identity provider, the cell management tool returns the Unable to connect to the cell: Invalid credentials. Exiting. error message.

  • An attempt to migrate tenant storage fails with an Internal Server Error error message

    In the HTML5 UI, using the Migrate Tenant Storage option to migrate all the items stored on a datastore to other datastores in an SDRS cluster fails to migrate the VMs with an error message.

    Internal Server Error Caused by: java.lang.RuntimeException: The operation failed because no suitable resource was found. Out of x candidate hubs: x hubs eliminated because: No valid storage containers found for VirtualMachine "{vm-uuid}". All x available storage containers were filtered out as being invalid.

  • When you use VMware Cloud Director API version 35.2 or earlier to access a powered off and deployed VM, or a suspended and deployed VM, the power states of the VMs appear as PARTIALLY_POWERED_OFF and PARTIALLY_SUSPENDED, respectively

    When you use VMware Cloud Director API version 35.2 or earlier to access a VM that is powered off and deployed or a VM that is suspended and deployed, the power states of the VMs appear as PARTIALLY_POWERED_OFF and PARTIALLY_SUSPENDED, respectively. This happens because of a backward incompatible change in VMware Cloud Director API version 36.0 which introduced these new power states. As a result, API calls from versions 35.2 and earlier that attempt to process these states fail. This issue is resolved in this release. If you are using an API client version 35.2 or earlier, the states of the VMs appear as POWERED_OFF and SUSPENDED, respectively.

  • Using the VMware Cloud Director API 36.2 or later to power off or discard the suspended state of a VM also results in undeploying the VM

    In VMware Cloud Director API 36.2 and later versions, when you make the following API requests, this results in undeploying the VM besides powering it off or discarding its suspended state.

     POST /vApp/{vm-id}/action/powerOff

     POST /vApp/{vm-id}/action/discardSuspendedState

    This change creates a backward incompatibility with API versions 36.1 and 36.0, in which these API calls result only in powering off or discarding the suspended state of the VM, respectively. This issue is resolved in this release - if you are using an API client version 36.1 or 36.0, the API request results only in powering off or discarding the suspended state of the VM, respectively.

  • When performing a database upgrade for VMware Cloud Director, the upgrade fails with insert or update on table error

    The issue occurs due to stale information in tables associated with a foreign key constraint. Missing data in one of the tables causes a conflict with the foreign key constraint.

Known Issues

  • New - The VMware Cloud Director Tenant Portal UI does not display the IOPS limits and reservations for a vSAN storage policy

    vSAN itself manages the IOPS limits on vSAN storage policies. As a result, the VMware Cloud Director Tenant Portal UI does not display the IOPS reservations and limits for a vSAN storage policy and you cannot modify their values.

    Workaround: None.

  • VMware Cloud Director appliance upgrade fails with an invalid version error when FIPS mode is enabled

    For VMware Cloud Director versions 10.3.x and later, when FIPS mode is enabled, VMware Cloud Director appliance upgrade fails with the following error.

    Failure: Installation failed abnormally (program aborted), the current version may be invalid.

    Workaround:

    1. Before you upgrade the VMware Cloud Director appliance, deactivate FIPS Mode on the cells in the server group and the VMware Cloud Director appliance. See Enable or Disable FIPS Mode on the VMware Cloud Director Appliance.
    2. Verify that the /etc/vmware/system_fips file does not exist on any appliance.
    3. Upgrade the VMware Cloud Director appliance.
    4. Enable FIPS mode again.

  • Restore from an appliance backup might fail with an Invalid command-line arguments. Missing argument for option: consoleproxy-cert error

    If you run the clear-console-proxy-settings CMT command before you take an appliance backup, then, if you choose to restore the console proxy certificate from the backup, the restore process fails with an Invalid command-line arguments. Missing argument for option: consoleproxy-cert error.

    The issue occurs because the command to clear the console proxy settings removes the console proxy certificate, and the console proxy settings are missing for the backup. If the console proxy certificate is not in the backup, you cannot restore it.

    If the console proxy settings were cleared, run the appliance restore without selecting to restore the console proxy certificate.

  • If you use fast cross vCenter Server vApp instantiation and then you delete the VM with prefix multi-vc-vm- that was created during the instantiation, this also deletes the VMX and VMDK files of the original VM source template of the instantiation

    If you use fast cross vCenter Server vApp instantiation and then you delete the VM with prefix multi-vc-vm- that was created during the instantiation, this also deletes the VMX and VMDK files of the original VM source template that you used for the instantiation. This happens because when you use fast cross vCenter Server vApp instantiation to instantiate a VM, the source VM template which is located on vCenter Server A is registered with vCenter Server B, creating a VM with prefix multi-vc-vm- which spans across the two vCenter Server instances, while its VMX and VMDK files are stored with the original VM template on vCenter Server A.  The multi-vc-vm- VM will be deleted either if it's deleted directly from vCenter Server or if it's imported to VMware Cloud Director with the Delete Source check box selected, and then deleted from VMware Cloud Director.

    Workaround: Do not delete or import multi-vc-vm- VMs.

  • In the VMware Cloud Director UI, clicking Help in the top navigation bar does not lead you to the relevant product documentation

    In the VMware Cloud Director UI, clicking Help in the top navigation bar does not lead you to the relevant product documentation. This happens because in VMware Cloud Director 10.4, the Help menu link is retrieved from a custom link, and the default value for the custom link is null.

    Use the branding vCloud OpenAPI methods to modify the custom link in the Help menu. See Customizing the VMware Cloud Director Portals and Getting Started with VMware Cloud Director OpenAPI at https://developer.vmware.com.

  • In the VMware Cloud Director UI, clicking Download VMRC does not lead you to the relevant download page

    In the VMware Cloud Director UI, clicking Download VMRC does not redirect you to https://my.vmware.com to download VMRC. This happens because in VMware Cloud Director 10.4, the Download VMRC link is retrieved from a custom link, and the default value for the custom link is null.

    Use the branding vCloud OpenAPI methods to modify the custom link in the Download VMRC menu item. See Customizing the VMware Cloud Director Portals and Getting Started with VMware Cloud Director OpenAPI at https://developer.vmware.com.

  • The VMware Cloud Director console proxy, uploading OVFs and media, and powering on a VM fail

    VMware Cloud Director 10.4 enhances SSL connectivity to all vSphere infrastructure components, including ESXi, by incorporating the vSphere Certificate Authority (CA) into the VMware Cloud Director trust mechanisms. In certain cases, the vSphere endpoint and the vSphere CA use different trust anchors and VMware Cloud Director must trust more than one trust anchor from vSphere. If the vSphere CA is not trusted, some VMware Cloud Director features do not work.

    To complete the vSphere integration, refer to KB 78885. You can also trust all the necessary certificates by running the trust-infra-certs CMT command. See Import Endpoints Certificates from vSphere Resources.

  • After you enable legacy console proxy mode, the VMware Cloud Director cell on which you enabled the feature fails to start 

    After you enable legacy console proxy mode from the Feature Flag settings menu, the VMware Cloud Director cell on which you enabled the feature fails to start. This happens because in VMware Cloud Director 10.4, the console proxy uses the same IP address and port as the REST API. Because the IP address and the port are not available, the cell cannot start with its default configuration.

    Workaround 1: If the legacy console proxy properties in the global.properties and response.properties files are missing, rerun the configure command /opt/vmware/vcloud-director/bin/configure --unattended-installation and specify the following properties.

    • --consoleproxy-host-https
    • --consoleproxy-keystore-password
    • --user-consoleproxy-certificate-path
    • --user-consoleproxy-key-path
    • --user-consoleproxy-key-password
    • --consoleproxy-port-https

    If you are not using the same IP address for the console proxy and for the REST API, specifying a port is optional. If you don't specify a port, the console proxy will use the default 443. See Unattended Configuration Reference.

    Workaround 2: Use the PostgreSQL interactive terminal to run the following command.

    UPDATE feature_flags SET is_enabled = false WHERE name='LegacyConsoleProxy';

    This disables the legacy console proxy feature that you enable from the Feature Flag settings menu and VMware Cloud Director reverts to using its default 10.4 console proxy implementation.

  • If you run the cell management tool's clear-console-proxy-settings command while legacy console proxy mode is enabled, you can't restart the cell on which you ran the command

    When you run the clear-console-proxy-settings subcommand of the cell management tool, it removes the console proxy certificates and properties regardless of whether the legacy console proxy feature flag is enabled or not. If you clear the settings while the legacy console proxy feature flag is enabled, this prevents the cell from restarting.

    Workaround 1: If the legacy console proxy properties in the global.properties and response.properties files are missing, rerun the configure command /opt/vmware/vcloud-director/bin/configure --unattended-installation and specify the following properties.

    • --consoleproxy-host-https
    • --consoleproxy-keystore-password
    • --user-consoleproxy-certificate-path
    • --user-consoleproxy-key-path
    • --user-consoleproxy-key-password
    • --consoleproxy-port-https

    If you are not using the same IP address for the console proxy and for the REST API, specifying a port is optional. If you don't specify a port, the console proxy will use the default 443. See Unattended Configuration Reference.

    Workaround 2: Use the PostgreSQL interactive terminal to run the following command.

    UPDATE feature_flags SET is_enabled = false WHERE name='LegacyConsoleProxy';

    This disables the legacy console proxy feature that you enable from the Feature Flag settings menu and VMware Cloud Director reverts to using its default 10.4 console proxy implementation.

  • You can't view and edit the license type for your previously registered NSX Advanced Load Balancer Controller instances in the VMware Cloud Director API

    You can't view and edit the license for your previously registered NSX Advanced Load Balancer Controller instances in the VMware Cloud Director API. This happens because in VMware Cloud Director 10.4, the Controller license type was replaced by a selection between a Standard and a Premium feature set at the Service Engine Group level to provide more flexibility.

    Workaround: Use the supportedFeatureSet path for service engine groups and on edge gateways to enable and disable the available features.

  • When you attempt to delete a stranded item in VMware Cloud Director by clicking OK on the Delete Stranded Item window, the window becomes unresponsive

    When you attempt to delete a stranded item in VMware Cloud Director by clicking OK on the Delete Stranded Item window, the window becomes unresponsive. This issue occurs when your network connection to the VMware Cloud Director instance is slow. Fetching a stranded item might take up to five minutes, during which the UI is unresponsive. If you click the Cancel button, the window closes, but the deletion of the item is not cancelled.

    Workaround: Wait for the window to close on its own.

  • You cannot create a VDC template and instantiate a VDC from a template if you are using only a VMware Cloud on AWS network pool for your provider VDC

    If you are using only a provider network pool that is backed by VMware Cloud on AWS for your provider VDC, you cannot create a VDC template and instantiate a VDC from a template.

    This happens because creating and instantiating VDC templates is supported only for provider VDCs backed by NSX-T Data Center and by NSX Data Center for vSphere.

    Workaround: None.

  • Creating a new VM with encrypted vSAN storage policy fails with an Invalid storage policy for encryption operation error message

    When creating a new VM, if you specify the storage policy of the VM as vSAN encrypted and the storage policy for the VM hard disk as both non-encrypted and non-vSAN, the operation fails with an error message.

    Invalid storage policy for encryption operation

    Workaround:

    1. Specify the storage policies for the VM and the VM hard disk as vSAN encrypted.
    2. After the VM deploys successfully, update the hard disk storage policy for the VM to non-encrypted and non-vSAN. For information, see Edit Virtual Machine Properties.
  • You cannot connect to VMware Cloud Director through the VMware OVF Tool

    When you attempt to connect to VMware Cloud Director through the OVF Tool, this results in the following error. Error: No supported vCloud version was found. This happens because of an API behavior change in VMware Cloud Director 10.4 where the API does not return links to all the VDCs in an organization.

    Workaround: None.

  • You are unable to log in to VMware Cloud Director by using VMware PowerCLI

    When you attempt to log in to VMware Cloud Director by using VMware PowerCLI, this results in the following error. NOT_ACCEPTABLE: The request has invalid accept header: Invalid API version requested. This happens because VMware PowerCLI does not support VMware Cloud Director API versions later than 33.0.

    Workaround: None.

  • VMware Cloud Director displays the old version for an upgraded vCenter Server instance

    After you upgrade a vCenter Server instance to a newer version, in the list of vCenter Server instances, VMware Cloud Director still displays the old version for the upgraded instance.

    Workaround: Reset the connection between the vCenter Server instance and VMware Cloud Director. See Reconnect a vCenter Server Instance in the VMware Cloud Director Service Provider Admin Portal Guide.

  • You cannot log in to the VMware Cloud Director portals by using Single Sign On

    When customizing the VMware Cloud Director portals, if you change the default configuration for the portalColor parameter, you cannot log in to the portals by using Single Sign On. On the login page of the tenant portal, when you click Sign In with Single Sign-On, the system redirects you back to the login page.

    Workaround: Set the value for the portalColor parameter to null.

  • Refreshing the LDAP page in your browser does not take you back to the same page

    In the Service Provider Admin Portal, refreshing the LDAP page in your browser takes you to the provider page instead of back to the LDAP page.

    Workaround: None.

  • Mounting an NFS datastore from NetApp storage array fails with an error message during the initial VMware Cloud Director appliance configuration

    During the initial VMware Cloud Director appliance configuration, if you configure an NFS datastore from NetApp storage array, the operation fails with an error message.

    Backend validation of NFS failed with: is owned by an unknown user

    Workaround: Configure the VMware Cloud Director appliance by using the VMware Cloud Director Appliance API.

  • The synchronization of a subscribed catalog times out while synchronizing large vApp templates

    If an external catalog contains large vApp templates, synchronizing the subscribed catalog with the external catalog times out. The issue occurs when the timeout setting is set to its default value of five minutes.

    Workaround: Using the manage-config subcommand of the cell management tool, update the timeout configuration setting.

    ./cell-management-tool manage-config -n transfer.endpoint.socket.timeout -v [timeout-value]

  • After upgrade to VMware Cloud Director 10.3.2a, opening the list of external networks results in a warning message

    When trying to open the list of external networks, the VMware Cloud Director UI displays a warning message.

    One or more external networks or T0 Gateways have been disconnected from its IP address data.

    This happens because the external network gets disconnected from the Classless Inter-Domain Routing (CIDR) configuration before the upgrade to VMware Cloud Director 10.3.2a.

    Workaround: Contact VMware Global Support Services (GSS) for assistance with the workaround for this issue.

  • In an IP prefix list, configuring any as the Network value results in an error message

    When creating an IP prefix list, if you want to deny or accept any route and you configure the Network value as any, the dialog box displays an error message.

    "any" is not a valid CIDR notation. A valid CIDR is a valid IP address followed by a slash and a number between 0 and 32 or 64, depending on the IP version.

    Workaround: Leave the Network text box blank.

  • If you use vRealize Orchestrator 8.x, hidden input parameters in workflows are not populated automatically in the VMware Cloud Director UI

    If you use vRealize Orchestrator 8.x, when you attempt to run a workflow through the VMware Cloud Director UI, hidden input parameters are not populated automatically in the VMware Cloud Director UI.

    Workaround: To access the values of the workflow input parameters, you must create a vRealize Orchestrator action that has the same input parameter values as the workflow that you want to run.

    1. Log in to the vRealize Orchestrator Client and navigate to Library > Workflows.
    2. Select the Input Form tab and click Values on the right-hand side.
    3. From the Value options drop-down menu, select External source, enter the Action inputs, and click Save.
    4. Run the workflow in the VMware Cloud Director UI.
  • The vpostgres process in a standby appliance fails to start

    The vpostgres process in a standby appliance fails to start and the PostgreSQL log shows an error similar to the following.

    FATAL: hot standby is not possible because max_worker_processes = 8 is a lower setting than on the master server (its value was 16)

    This happens because PostgreSQL requires standby nodes to have the same max_worker_processes setting as the primary node. VMware Cloud Director automatically configures the max_worker_processes setting based on the number of vCPUs assigned to each appliance VM. If the standby appliance has fewer vCPUs than the primary appliance, this results in an error.

    Workaround: Deploy the primary and standby appliances with the same number of vCPUs.
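
The following pre-flight comparison is an added example, not VMware or PostgreSQL project code. It checks the settings that PostgreSQL validates when a hot standby starts, using PostgreSQL's built-in defaults for anything not set. The function names and the sample configuration text are constructed, and it assumes you pass in the effective postgresql.conf contents from each appliance (the page does not say which file the appliance writes the setting to).

```python
import re

# Settings PostgreSQL compares at hot-standby startup, with their built-in defaults.
HOT_STANDBY_PARAMS = {
    "max_connections": 100,
    "max_prepared_transactions": 0,
    "max_locks_per_transaction": 64,
    "max_wal_senders": 10,
    "max_worker_processes": 8,
}

LINE = re.compile(r"^\s*(\w+)\s*=?\s*'?(\d+)'?")

def effective(conf_text):
    """Effective values from postgresql.conf text; the last assignment wins."""
    values = dict(HOT_STANDBY_PARAMS)
    for line in conf_text.splitlines():
        m = LINE.match(line.split("#", 1)[0])      # drop comments first
        if m and m.group(1) in values:
            values[m.group(1)] = int(m.group(2))
    return values

def standby_blockers(primary_conf, standby_conf):
    """Return {param: (standby, primary)} for every setting lower on the standby."""
    p, s = effective(primary_conf), effective(standby_conf)
    return {k: (s[k], p[k]) for k in HOT_STANDBY_PARAMS if s[k] < p[k]}

# Constructed sample configs mirroring the values in the log line above.
PRIMARY = """
max_connections = 500
max_worker_processes = 16     # primary appliance has more vCPUs
"""
STANDBY = """
max_connections = 500
#max_worker_processes = 16
max_worker_processes = 8
"""

if __name__ == "__main__":
    for name, (got, need) in standby_blockers(PRIMARY, STANDBY).items():
        print(f"{name}: standby={got} < primary={need}")
```

An empty result means none of these settings would stop the standby from starting.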

  • VMware Cloud Director API calls to retrieve vCenter Server information return a URL instead of a UUID

    The issue occurs with vCenter Server instances that failed the initial registration with VMware Cloud Director version 10.2.1 and earlier. For those vCenter Server instances, when you make API calls to retrieve the vCenter Server information, the VMware Cloud Director API incorrectly returns a URL instead of the expected UUID.

    Workaround: Reconnect the vCenter Server instance to VMware Cloud Director.

  • Upgrading from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3 results in a Connection to sfcbd lost error message

    If you upgrade from VMware Cloud Director 10.2.x to VMware Cloud Director 10.3, the upgrade operation reports an error message.

    Connection to sfcbd lost. Attempting to reconnect

    Workaround: You can ignore the error message and continue with the upgrade.

  • When using FIPS mode, trying to upload OpenSSL-generated PKCS8 files fails with an error

    OpenSSL cannot generate FIPS-compliant private keys. When VMware Cloud Director is in FIPS mode and you try to upload PKCS8 files generated using OpenSSL, the upload fails with a Bad request: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: ... not available: No such algorithm: ... error or a salt must be at least 128 bits error.

    Workaround: Disable FIPS mode to upload the PKCS8 files.
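
The following pre-upload check is an added example, not VMware code. It reads the password-based-encryption salt length from a PKCS#8 `ENCRYPTED PRIVATE KEY` envelope, so you can see whether the 128-bit salt requirement quoted in the error above would apply to a given file. `pkcs8_salt_bits` and `sample_pem` are hypothetical names, the sample envelope is constructed with dummy ciphertext, and the check does not cover the separate "No such algorithm" error.

```python
import base64

PBES2 = bytes.fromhex("2a864886f70d01050d")    # OID 1.2.840.113549.1.5.13
PBKDF2 = bytes.fromhex("2a864886f70d01050c")   # OID 1.2.840.113549.1.5.12

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                           # content of a SEQUENCE -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def pkcs8_salt_bits(pem_text):
    """Salt length in bits from an ENCRYPTED PRIVATE KEY (PKCS#8) PEM."""
    lines = pem_text.strip().splitlines()
    if "ENCRYPTED PRIVATE KEY" not in lines[0]:
        raise ValueError("not an encrypted PKCS#8 PEM")
    _, epki, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    (_, oid), (_, params) = children(children(epki)[0][1])[:2]
    if oid == PBES2:                           # salt sits inside the PBKDF2 parameters
        kdf = children(children(params)[0][1])
        if kdf[0][1] != PBKDF2:
            raise ValueError("key derivation function is not PBKDF2")
        params = kdf[1][1]
    salt_tag, salt = children(params)[0]       # PBES1 and PBKDF2 params both start with the salt
    if salt_tag != 0x04:
        raise ValueError("salt is not an OCTET STRING")
    return len(salt) * 8

def der(tag, content):                         # short-form length, enough for the sample
    return bytes([tag, len(content)]) + content

def sample_pem(salt):
    """Constructed PBES2 envelope with dummy ciphertext; not a usable key."""
    kdf = der(0x30, der(0x06, PBKDF2) + der(0x30, der(0x04, salt) + der(0x02, b"\x08\x00")))
    enc = der(0x30, der(0x06, bytes.fromhex("60864801650304012a")) + der(0x04, bytes(16)))
    blob = der(0x30, der(0x30, der(0x06, PBES2) + der(0x30, kdf + enc)) + der(0x04, bytes(32)))
    b64 = base64.encodebytes(blob).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}-----END ENCRYPTED PRIVATE KEY-----\n"
```

Call `pkcs8_salt_bits` on the text of the PEM file you intend to upload; a result below 128 matches the salt error quoted above.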

  • Creation of Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in fails

    When you create a Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in, you must select a Kubernetes version. Some of the versions in the drop-down menu are not compatible with the backing vSphere infrastructure. When you select an incompatible version, the cluster creation fails.

    Workaround: Delete the failed cluster record and retry with a compatible Tanzu Kubernetes version. For information on the incompatibilities between Tanzu Kubernetes and vSphere, see Updating the vSphere with Tanzu Environment.

  • If you have any subscribed catalogs in your organization, when you upgrade VMware Cloud Director, the catalog synchronization fails

    After upgrade, if you have subscribed catalogs in your organization, VMware Cloud Director does not trust the published endpoint certificates automatically. Without trusting the certificates, the content library fails to synchronize.

    Workaround: Manually trust the certificates for each catalog subscription. When you edit the catalog subscription settings, a trust on first use (TOFU) dialog prompts you to trust the remote catalog certificate.

    If you do not have the necessary rights to trust the certificate, contact your organization administrator.

  • After upgrading VMware Cloud Director and enabling the Tanzu Kubernetes cluster creation, no automatically generated policy is available and you cannot create or publish a policy

    When you upgrade VMware Cloud Director to version 10.3.1 and vCenter Server to version 7.0.0d or later, and you create a provider VDC backed by a Supervisor Cluster, VMware Cloud Director displays a Kubernetes icon next to the VDC. However, there is no automatically generated Kubernetes policy in the new provider VDC. When you try to create or publish a Kubernetes policy to an organization VDC, no machine classes are available.

    Workaround: Manually trust the corresponding Kubernetes endpoint certificates. See VMware knowledge base article 83583.

  • Entering a Kubernetes cluster name with non-Latin characters disables the Next button in the Create New Cluster wizard

    The Kubernetes Container Clusters plug-in supports only Latin characters. If you enter non-Latin characters, the following error appears.

    Name must start with a letter and only contain alphanumeric or hyphen (-) characters. (Max 128 characters).

    Workaround: None.

  • NFS downtime can cause VMware Cloud Director appliance cluster functionalities to malfunction

    If the NFS is unavailable due to the NFS share being full, becoming read-only, and so on, appliance cluster functionalities can malfunction. The HTML5 UI is unresponsive while the NFS is down or cannot be reached. Other functionalities that might be affected are the fencing out of a failed primary cell, switchover, promoting a standby cell, and so on. For more information about correctly setting up the NFS shared storage, see Preparing the Transfer Server Storage for the VMware Cloud Director Appliance.

    Workaround: 

    • Fix the NFS state so that it is not read-only.
    • Clean up the NFS share if it is full.

  • Trying to encrypt named disks in vCenter Server version 6.5 or earlier fails with an error

    For vCenter Server instances version 6.5 or earlier, if you try to associate new or existing named disks with an encryption enabled policy, the operation fails with a Named disk encryption is not supported in this version of vCenter Server. error.

    Workaround: None.

  • A fast-provisioned virtual machine created on a VMware vSphere Storage APIs Array Integration (VAAI) enabled NFS array, or vSphere Virtual Volumes (VVols) cannot be consolidated

    In-place consolidation of a fast-provisioned virtual machine is not supported when a native snapshot is used. Native snapshots are always used by VAAI-enabled datastores, as well as by VVols. When a fast-provisioned virtual machine is deployed to one of these storage containers, that virtual machine cannot be consolidated.

    Workaround: Do not enable fast provisioning for an organization VDC that uses VAAI-enabled NFS or VVols. To consolidate a virtual machine with a snapshot on a VAAI or a VVol datastore, relocate the virtual machine to a different storage container.

  • If you add an IPv6 NIC to a VM and then you add an IPv4 NIC to the same VM, the IPv4 north-south traffic breaks

    Using the HTML5 UI, if you add an IPv6 NIC first or configure an IPv6 NIC as the primary NIC in a VM, and then you add an IPv4 NIC to the same VM, the IPv4 north-south communication breaks.

    Workaround: Add the IPv4 NIC to the VM first, and then add the IPv6 NIC.
