VMware Cloud Director 10.5.1 | 30 NOV 2023 | Build 22821417 (installed build 22821164) Check for additions and updates to these release notes. |
VMware Cloud Director 10.5.1 | 30 NOV 2023 | Build 22821417 (installed build 22821164) Check for additions and updates to these release notes. |
VMware Cloud Director version 10.5.1 includes the following:
VMware Cloud Director Cell Certificate Management Through the UI
System administrators can use the VMware Cloud Director Provider Portal to manage the life-cycle of VMware Cloud Director cells. Starting with version 10.5.1, you can use the Cloud Cells view in the Service Provider Admin Portal to change the state of each cell to quiesced or maintenance mode. You can install a new certificate for each cell's Java Management Extensions (JMX) and API endpoints. Upon upgrade to version 10.5.1, VMware Cloud Director installs a self-signed certificate to the JMX endpoint of each cell. This mechanism replaces the cell management tool (CMT)certificates
command to install new certificates. The CMT certificates
command no longer works. See The cell management tool certificates command is deprecated.
Verify that none of the certificates in the certificate chain use SHA-1 as their signature algorithm, for example, sha1WithRSAEncryption
. VMware Cloud Director no longer accepts such certificates.
Newly generated self-signed certificates include SubjectKeyIdentifier and AuthorityKeyIdentifier certificate extensions
The VMware Cloud Director appliance adds the SubjectKeyIdentifier and AuthorityKeyIdentifier certificate extensions to the self-signed certificates you generate. Every time you run the generate-certificates.sh
script, the VMware Cloud Director appliance recreates the vcd_ova.{key, csr}
files. To generate self-signed certificates with the SubjectKeyIdentifier and AuthorityKeyIdentifier certificate extensions, see Renew Your VMware Cloud Director Appliance Certificates.
VCD Tenancy Aligned to NSX Projects
Creation of organizations in VMware Cloud Director is directly aligned to the creation of NSX Projects. NSX networking objects in VMware Cloud Director organizations are now natively associated with NSX Projects and are labeled as such. The labeling is also applied to logs, which simplifies multitenant log consumption. See Managing NSX Tenancy in VMware Cloud Director.
Provider Topology Intentions
VMware Cloud Director provides a graphical UX that guides the provider to a selection of route advertisement topologies. The choices are the following.
Advertisement Strict
All networks configured with IP Spaces associated with an uplink will be advertised by default. This can be changed on an individual network level later, if necessary. All other networks cannot be configured to be advertised at all.
Advertisement Flexible
All networks configured with IP Spaces associated with an uplink will be advertised by default. This can be changed on an individual network level. All other networks are not advertised by default but can be configured to be advertised after creation.
All Networks Advertised
All networks will be advertised by default. This can be changed on an individual network level after creation.
For details, see Configure Route Advertisement Topology Intentions on a Provider Gateway.
Configuration of NAT and Firewall Service Intentions on a Provider Gateway
As a provider, you can configure NAT and firewall service intentions. You can choose one of the three options.
- Provider Gateways: NAT and firewall rules are managed only on provider gateways.
- Edge Gateways: NAT and firewall rules are managed only on edge gateways.
- Provider and Edge gateways: NAT and firewall rules are managed on both the provider and edge gateways.
For details, see Configure NAT and Firewall Service Intentions on a Provider Gateway.
NAT For Provider Gateway
You can now configure NAT on your provider gateway. The main use cases that warrant pushing NAT configuration up to the provider gateway are the following.
Shared internet access (i.e. internet default SNAT rule) for an organization that has more than one edge gateway. Once any NAT rule is configured on the provider gateway, it must be manageable by the tenant.
High availability configuration requires two different public IP spaces (internet). The active egress uses one of the IP spaces, while the standby uses the second. The SNAT rules must be configured on the provider gateway and must be associated with specific interfaces.
Firewall Rules Configuration on Your Provider Gateway
Starting with VMware Cloud Director 10.5.1, you can configure firewall rules on your provider gateways. Only IP sets are supported. Note that default firewall rules for provider gateways exist but they differ from the default firewall rules for edge gateways. The default rule for edge gateways is DROP, and the default rule for provider gateways is ALLOW.
BGP Provider and Tenant Configuration
BGP configuration on the provider gateway is available both in the Tenant Portal and in the Provider Portal of VMware Cloud Director. The set of configuration capabilities now includes route maps and communities, as well as ASN configuration.
BGP Permission Groups Configuration
As a provider, you can configure BGP permission groups to manage a limited tenant access to the configuration settings. See Configure a BGP Permission Group on a Provider Gateway.
There are two use cases for BGP permission groups.
You can manage the BGP configuration in a single view and make changes as needed.
You can create a logical BGP configuration grouping and assign it tenant-level permissions. Groupings are aligned with provider gateway uplinks, for example, 'Internet' or 'IPSec Tunnel'. You can assign or revoke tenant access to specific configuration items.
NSX Advanced Load Balancer Self-service WAF
VMware Cloud Director 10.5.1 provides a tenant self-service UI for NSX Advanced Load Balancer Web Application Firewall (WAF) services. As a provider, you can enable WAF for your tenants as a new service offering if they are using Premium Service Engine Gateways. With WAF, tenants can add additional security controls and protection for their applications, and better control how users access their applications following industry best practices based on the OWASP top ten security controls. Tenants can configure how users access their applications, make any necessary modifications to the rules being used, create allowlists to enable specific users to bypass the rules, and use logging to see how enabling WAF and any rule modifications are impacting application users. With the new tenant-level logging, tenants can quickly see how WAF enablement is impacting their end users and consult recommendations for remediation of unexpected WAF enforcement on a user. See Configure WAF for a Virtual Service.
NSX Advanced Load Balancer Virtual Service Logging Analytics
Providers and tenants using NSX Advanced Load Balancer can view and export their logs using VMware Cloud Director. Both critical and non-critical logs are available along with filtering to quickly view the logs needed for common incident triage and compliance reporting. Used in conjunction with the new Web Application Firewall (WAF) capabilities, users will see additional recommendations for WAF remediation options. See View the Logs for a Virtual Service.
DHCP Static Bindings
You can use IP addresses from the static IP pools that are available to an organization VDC network to configure static DHCP bindings. This makes IP management possible in scenarios where DHCP static bindings and IP pools are used in concert. See Configure an IPv4 DHCP Binding and Configure an IPv6 DHCP Binding For an Organization VDC Network Backed by NSX.
More than one IdP integration with VMware Cloud Director
You can integrate your VMware Cloud Director organizations with more than one identity provider. You must not have identical user names across IdPs. You can have only one integration per IdP technology. See Managing Identity Providers.
You can customize the labels of the IdP buttons that appear on the VMware Cloud Director login page.
End User License Agreement (EULA) for Container Applications Imported from VMware Marketplace
When deploying container applications that are imported from VMware Marketplace, VMware Cloud Director provides links to the EULA for each application image and respective version for which the EULA exists. The tenant users must accept the EULA to complete the deployment. VMware Cloud Director reports the acceptance of the VMware Marketplace EULA back to VMware Marketplace. This acceptance is distinct from any EULA embedded in the vApp or VM that users must accept during the instantiation of a vApp template. See Working with Container Applications in Your VMware Cloud Director Tenant Portal.
HTTP Transparent Proxy
This VMware Cloud Director release introduces the ability to configure custom API endpoints that redirect requests to a configurable HTTP endpoint that resides outside of VMware Cloud Director. This capability enables the implementation of UI and API extensions in VMware Cloud Director that accept requests from a user's browser or API client and communicate with another system that is reachable for VMware Cloud Director through HTTP, but it might not be accessible to users who are accessing VMware Cloud Director from the internet.
VMware Cloud Director Encryption Management
By using the VMware Cloud Director Encryption Management solution add-on to VMware Cloud Director, tenants can bring their own encryption keys (BYOK) and their own key management system (BYOKMS) when creating and encrypting virtual machines (VMs) within their respective virtual data centers (VDCs). The service providers set up connections to individual Key Management Servers (KMS), making the KMS accessible to organizations. Subsequently, the tenant administrator gains access to the KMS, goes through an authentication process, and allocates encryption keys to each of their VDCs. See the VMware Cloud Director Encryption Management Documentation.
New Organization: Traversal Right
With this release, VMware Cloud Director has a new access right that controls the ability of a service provider user to navigate into the context of a tenant. Previously, this right was implied in any service provider role. Starting with version 10.5.1, the Organization: Traversal (Administer and traverse into other organizations)
right protects the ability to navigate into a tenant's context. All existing service provider roles have the right after the upgrade to version 10.5.1. If any new service provider roles need the right, you must activate it manually.
Standalone Virtual Machine Metadata Tags
When creating a standalone VM by using a catalog vApp template, the resulting VM includes information about the source vApp ID, source vApp name, and source vApp type as values set in the VM metadata. See Manage the Metadata of a Virtual Machine in VMware Cloud Director.
The VMware Cloud Director UI displays the current organization name
In the top right corner of the VMware Cloud Director UI, below your user name, you can see the name of the organization in which you are currently in. In earilier releases, VMware Cloud Director displayed the user role.
Photon OS 3.0 Security Updates
The VMware Cloud Director appliance version 10.5.1 includes Photon OS 3.0 security updates for advisories up to and including PHSA-2023-3.0-0687. See the Photon OS 3.0 Security Advisories.
VMware Cloud Director 10.5.1 also patches VMSA-2023-0026 (CVE-2023-34060), and you do not need to use any manual workarounds.
PostgreSQL 11 End of Life Notice
The final release of PostgreSQL 11 occurred on November 9, 2023. PostgreSQL version 11 is currently unsupported. If you are using an external PostgreSQL configuration, consider upgrading to a later major version.
Angular version support notice
VMware Cloud Director 10.5.1 and earlier support UI plug-ins created using Angular versions 2 through 9 and version 15. Angular does not support versions 2 through 13. The next major VMware Cloud Director release will stop supporting UI plug-ins created using Angular versions 2 through 9.
The cell management tool certificates
command is deprecated
Starting with VMware Cloud Director 10.5.1, the certificates
command of the cell management tool is deprecated. The certificates command appears to work correctly, but after a cell restart, the changes are not in effect because the cell no longer reads the certificate files from the files on-disk. In version 10.5.1 and later, VMware Cloud Director reads the certificates from the Certificates Library. You can use the Service Provider Admin Portal to manage the certificates of a cell.
For information on the network ports and protocols that VMware Cloud Director 10.5.1 uses, see VMware Ports and Protocols.
See the VMware Product Interoperability Matrixes for current information about:
VMware Cloud Director interoperability with other VMware platforms
Supported VMware Cloud Director databases
CentOS 7
CentOS 8
CentOS 9
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
VMware Cloud Director uses AMQP to provide the message bus used by extension services, object extensions, and notifications. This release of VMware Cloud Director requires RabbitMQ version 3.10.x, 3.11.x or 3.12.x.
For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
VMware Cloud Director supports Apache Cassandra versions 4.0.x and 4.1.x.
Each VMware Cloud Director server requires approximately 2100 MB of free space for the installation and log files.
Please consult VMware Cloud Director Installation, Configuration, and Upgrade Guide for memory requirements.
VMware Cloud Director is a CPU-bound application. You must follow the CPU over-commitment guidelines for the appropriate version of vSphere. In virtualized environments, regardless of the number of cores available to VMware Cloud Director, there must be a sensible vCPU to physical CPU ratio, that does not result in extreme over-committing.
Each VMware Cloud Director server must include installations of several common Linux software packages. These packages are typically installed by default with the operating system software. If any of the packages are missing, the installer fails with a diagnostic message.
In addition to the installer required packages, several procedures for configuring the network connections and creating SSL certificates require the use of the Linux nslookup command, which is available in the Linux bind-utils package.
VMware Cloud Director 10.5.1 supports LDAP, SAML, and OpenId Connect (OIDC) identity providers.
VMware Cloud Director requires the client connections to be secure. SSL version 3 and TLS version 1.0 and 1.1 have been found to have serious security vulnerabilities and are no longer included in the default set of protocols that the server offers to use when making a client connection. System administrators can enable more protocols and cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide. The following security protocols are supported:
TLS version 1.3
TLS version 1.2
TLS version 1.1 (deactivated by default)
TLS version 1.0 (deactivated by default)
To activate the deactivated versions, see KB 88929.
Supported cipher suites activated by default:
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
If you want to use TLS version 1.3, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, or both must be activated.
Supported cipher suites deactivated by default:
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
System administrators can use the cell management tool to explicitly enable the supported cipher suites that are deactivated by default.
VMware Cloud Director is compatible with the current major and previous major release of the following browsers:
Google Chrome
Mozilla Firefox
Microsoft Edge
VMware Cloud Director supports all guest operating systems and virtual hardware versions supported by the ESXi hosts that back each resource pool.
New - When you open the Container Applications page, a NullPointerException
is thrown
In the VMware Cloud Director Tenant Portal, when you open the Container applications page, a NullPointerException
is thrown. When you filter container applications by cluster, the NullPointerException
does not appear.
New - New Web Console and VMware Remote Console (VMRC) connections might fail to connect intermittently with an HTTP 400 error
The generated Web MKS ticket that VMware Cloud Director uses for remote console access to VMs might contain a double slash (//) which results in an incorrectly formed URL.
Deleting a VMware Marketplace resource from VMware Cloud Director fails with a NullPointerException
error message
If you delete an application image that is associated with a VM application imported from VMware Marketplace, deleting the VMware Marketplace resource fails with a NullPointerException
error message.
Reverting to a vApp snapshot results in a VM does not comply with compute policy
warning message
If a placement policy supports multiple VM groups and you create a new VM using this placement policy, reverting the VM to a snapshot results in a warning message.
Virtual machine is expected to be part of vm groups as per its policy. It is currently part of only [vm_group_name] vm groups. VM does not comply with compute policy
This happens because VMware Cloud Director expects the VM to be part of all VM groups that the placement policy supports.
After startup, VMware Cloud Director services fail continuously with an java.lang.OutOfMemoryError: Java heap space
error
The problem can occur when the resolve operation is invoked on a Runtime Defined Entity (RDE) which has a large number of tasks associated with it. As a result, the /opt/vmware/vcloud-director/logs/cell-runtime.log
on VMware Cloud Director cells shows errors similar to the following:
FATAL | ... | UncaughtExceptionHandlerStartupAction | Uncaught Exception. Originating thread: Thread[...]. Message: Java heap space |java.lang.OutOfMemoryError: Java heap space
In addition, VMware Cloud Director generates and presents Java .hprof
files in the /opt/vmware/vcloud-director/logs/
directory of the cells.
See KB article 95464.
Adding a virtual server on an NSX Data Center for vSphere edge gateway fails with an Internal Server Error
error message
When adding a virtual server on an NSX Data Center for vSphere edge gateway, if you configure an IPv6 address as the IP address that the load balancer listens on, VMware Cloud Director compresses the IPv6 address into a format different than the one you enter and passes it to the configuration payload. As a result of the mismatch between the format you enter and the format in the payload, the operation fails with an Internal Server Error
error message.
You cannot remove the attached organization VDC network from a L2 VPN tunnel
When attempting to remove an attached organization VDC network from a L2 VPN tunnel, VMware Cloud Director reports the operation as successful, but the tunnel remains assigned to the same organization VDC network.
An attempt to configure additional routing services on an edge gateway that has a dedicated provider gateway fails with a Routing configuration is not supported for edge
error message
If an edge gateway has a dedicated provider gateway and can connect to an external network, configuring additional routing services on this edge gateway, such as route advertisement and border gateway protocol (BGP) configuration, fails with an error message.
Routing configuration is not supported for edge
You cannot deactivate an L2 VPN Tunnel in client session mode
When deactivating an L2 VPN tunnel in client session mode with configured organization VDC network, VMware Cloud Director reports the operation as successful, but the tunnel remains in activate mode.
API clients throw Invalid mime type
errors for responses from multisite VMware Cloud Director APIs
If the multisite field in the response header values specifies a list of organizations, the API client generates the following error.
org.springframework.util.InvalidMimeTypeException: Invalid mime type
The issue occurs because the VMware Cloud Director API returns an illegal @ character in the MIME (Multipurpose Internet Mail Extensions) type headers of the response. You can ignore the error because VMware Cloud Director continues to function properly.
Copying a powered on virtual machine with multiple NIcs to a vApp fails with a Internal Server
error message
When attempting to copy a powered on VM with multiple NICs to a vApp, if you select the option to reset the MAC addresses of all NICs, the operation fails with an Internal Server
error message.
Creating custom application port profiles results in a Bad Request
error message
When creating custom application port profiles on a VMware NSX edge gateway, if you configure more than 15 ports, the operation fails with an error message.
Bad Request: Field level validation errors: {service_entries[0].destination_ports has exceeded maximum size 15}, error code 255
The port profile is created and any subsequent update operation on it results in a Required operation parameter 'service_id' is missing
error message.
An attempt to delete an IP space uplink fails without an error message
If you create an IP space uplink and the associated IP prefixes or the IP addresses are in use, an attempt to delete the IP space uplink fails without an error message.
All VM consoles disconnect after one minute
When a system user opens the Web Console or the VMware Remote Console (VMRC), after one minute, the console automatically closes. Because the Web Console always retries to connect after a disconnect, this problem might stay unnoticed, but a console you open through VMRC remains disconnected. The problem occurs because the monitoring that ends VM console sessions for deactivated users incorrectly ends the VM console sessions of all service provider users after the default interval of one minute. The problem does not affect tenant users of VMware Cloud Director.
The Container Applications page does not list any container applications and shows a NullPointerException
warning
After removing a VMware Cloud Director Container Service Extension cluster, the Container Applications page does not display any container applications and a NullPointerException
warning appears.
If you use fast cross vCenter Server vApp instantiation and you upgrade the hardware version of the original vApp template in vSphere, the operation fails on all but the original vCenter Servers with a Cannot create shadow VM of primary VM
error message
When you fast provision a VM from a vApp template, VMware Cloud Director creates a shadow VM and a VM with prefix multi-vc-vm
to support linked clone creation across vCenter Server data centers and datastores. To maintain synchronization with the original vApp template, certain operations, such as hardware version upgrade, on the VM with prefix multi-vc-vm
are not permitted. In vSphere, if you upgrade the hardware version of the vApp template and the shadow VM, you cannot upgrade the VM with prefix multi-vc-vm
. This results in fast provisioning failing on all vCenter Servers except for the original vCenter Server, where the associated vApp template resides.
New - When using the CloudAPI to create or update an organization, you cannot set to true the canPublish
flag
When using the CloudAPI to create an organization or update an organization enabling it to publish catalogs, the canPublish
field remains false
, despite you setting the value to true
. The legacy API is not affected.
Workaround: Use the VMware Cloud Director UI to activate or deactivate the option to Publish catalog externally for an organization.
New - Creating network pools in edge gateways fails with a Field Pool.append_port cannot have NON_DEFAULT_80_443 as its value in BASIC license tier. Allowed value(s): NEVER.
error
If you are using the Basic Edition of VMware NSX Advanced Load Balancer and you upgrade VMware Cloud Director from version 10.4.1 to version 10.5.1, you cannot create pools in edge gateways. The issue does not occur while using the VMware NSX Advance Load Balancer Enterprise Edition.
Workaround: None.
New - VMware Cloud Director backup fails
If you use Ubuntu or Linux distributions that are based on Debian as NFS for the VMware Cloud Director appliance, the NFS server cannot be configured appropriately to support the creation of backups through the PostgreSQL user.
Workaround: Depending on the file that the appliance has, run the following commands from appliance's secure shell as the root
user.
If the appliance has the /opt/vmware/appliance/bin/create-db-backup
file, run the following command.
sed -i '/PG_BACK_UP() {/,/}/ { /PG_BACK_UP() {/!{ /}/!d }}; /PG_BACK_UP() {/ a\su - postgres -c "$VMWARE_POSTGRES_BIN\/pg_dump -v -Fc \$DBNAME" > \$DB_DUMP_PATH 2>> \$LOG_FILE' /opt/vmware/appliance/bin/create-db-backup
If the appliance has the /opt/vmware/appliance/bin/create-backup.sh
file, run the following commands.
sed -i '/DB_BACKUP() {/,/}/ { /DB_BACKUP() {/!{ /}/!d }}; /DB_BACKUP() {/ a\su - postgres -c "$VMWARE_POSTGRES_BIN\/pg_dump -v -Fc \$DBNAME" > \$DB_DUMP_PATH 2>> \$LOG_FILE' /opt/vmware/appliance/bin/create-backup.sh
sed -i '/DB_USER_BACKUP() {/,/}/ { /DB_USER_BACKUP() {/!{ /}/!d }}; /DB_USER_BACKUP() {/ a\su - postgres -c "$VMWARE_POSTGRES_BIN\/pg_dumpall --roles-only | grep -e '\''CREATE ROLE vcloud;\\|ALTER ROLE vcloud WITH'\''" > \$BACKUP_DIR\/vcloud-user.sql' /opt/vmware/appliance/bin/create-backup.sh
New - In the Kubernetes Container Clusters UI plugin, the Kubernetes Version dropdown menu in the cluster creation wizard for a TKGs cluster displays a spinner indefinitely.
On the Kubernetes Policy page in the cluster creation wizard, the Kubernetes Version dropdown selection displays a spinner indefinitely. This occurs due to the supported Kubernetes version API sending an invalid response to the Kubernetes Container Clusters UI plugin, so the UI plugin fails to parse it.
Workaround: None.
New - After reverting a virtual machine to a snapshot, the guest operating system does not automatically roll back to a previous version
If you upgrade the guest operation system of a virtual machine after taking a snapshot, after reverting to the snapshot, the guest operation system does not automatically roll back to a previous version.
Workaround: None.
New - Any update to a VM triggers a relocation even when the current location can still accommodate the VM
The issue occurs because of missing per-disk datastore requirements that also pin the disks.
Workaround: Deactivate Storage DRS.
New - After upgrading a VMware Cloud Director appliance, the management API and the management UI report an incorrect older version of the appliance
The problem occurs because the VMware Cloud Director appliance management API uses a different source of truth for obtaining the current version of the VMware Cloud Director appliance than the vamicli version --appliance
command. This alternate source of truth is not always being updated during the appliance upgrade causing incorrect information to appear.
Workaround: Use the vamicli version --appliance
command to verify the VMware Cloud Director appliance version.
New - If a media file is backed by a specific VDC storage, recursive and force deleting of the VDC automatically deletes the media file instead of showing an error message
If you upload a media file to a catalog with a storage policy associated with an organization VDC, when you delete the VDC, VMware Cloud Director deletes all media files that the VDC backs.
Workaround: None.
New - While adding an NSX edge gateway firewall rule, you cannot select the applications for which the rule applies
While adding an NSX edge gateway firewall rule, if you try clicking the pencil icon next to Applications , the list of applications you can select to apply to the rule does not appear.
Workaround: Move the mouse pointer away from the pencil icon. As a result, the list of the applications appears.
New - VMware Cloud Director assigns the vGPU policy to a newly deployed virtual machine tagged with the general purpose policy
If you add a newly deployed virtual machine to a vApp and you tag the virtual machine with the general purpose policy, VMware Cloud Director assigns the vGPU policy instead.
Workaround: None.
New - VMware Cloud Director stores the request logs after the end of the retention period
Despite manually configuring the vcloud.http.log.retainDays attribute with the Cell Management Tool and setting a new retention policy value, VMware Cloud Director still stores the request logs after the end of the retention period.
Workaround: None.
New - After renaming a template, the application name does not change automatically
If you rename a template through Content Hub, the application name does not change to the new name. As a result, you might have two templates with the same name under the same catalog.
Workaround: None.
New - When you deploy a VM from a template with a storage policy that includes a configured IOPS limit, after deployment, the VM disks do not have an IOPS limit configured or have a different IOPS limit
The problem occurs because the the I/O Operations Per Second (IOPS) limit set in the VM template overrides the storage policy's IOPS limit. For example, if the VM template does not have a configured IOPS value, after deployment, the VM disks do not have a configured IOPS limit.
Workaround: You can use vApp templates, or edit the VM after deployment.
New - Some operations on replication tracking VMs might fail with a vim.fault.MethodDisabled
exception from vCenter stating that VMware Cloud Director disabled the method
To increase the stability of replication tracking VMs, VMware Cloud Director has a list of methods that are deactivated by default for every state of a replication tracking VM. However, in some use cases, the default list might be too restrictive.
Workaround: Edit the list of methods by changing the configuration values using the VMware Cloud Director API or cell management tool (CMT).
For the configurations
API, use urn:vcloud:configuration:TestFailoverModeRtVmDisabledMethods
and urn:vcloud:configuration:ReplicationModeRtVmDisabledMethods
to view and change the list of deactivated methods.
Alternatively, use the TestFailoverModeRtVmDisabledMethods
and ReplicationModeRtVmDisabledMethods
cell management tool commands to change the VMware Cloud Director configuration values.
New - Editing the general settings of an edge gateway removes any connected external network
If an edge gateway has a connected external network, when you use the VMware Cloud Director Tenant Portal to change any of the edge gateway settings under the General tab, saving the settings removes the connected external network.
Workaround: Use the API to edit the general settings of the edge gateway.
New - When sharing vApps with users, you can navigate to nonexistent pages
When sharing vApps with users, the buttons to go to the previous or next page are available even though you are already on the respective first or last page. As a result, you can navigate to pages that do not exist and do not have content.
Workaround: None.
New - You cannot select NIC IP mode when creating a new VM connection during vApp deployment from a template
The problem occurs in the vApp creation wizard when you start creating a new VM. The VMware Cloud Director UI freezes in the wizard when you try to change the IP mode while adding a new NIC connection.
Workaround: Create the VM connection after creating the vApp.
New - VMware Cloud Director UI is extremely slow or unresponsive when displaying or loading large number of gateway firewall rules
When VMware Cloud Director has to display or load 100 or more firewall rules, the UI is very slow to display the information or might become unresponsive. The same problem might occur with the Edit Rules or Rearrange modals. The browser slowness is due to the process of rendering a long list containing table rows.
Workaround: Use the VMware Cloud Director API.
New - If you create a vApp network while copying a VM, when you close the Copy VM modal, an infinity spinner appears
When you copy VMs to a target vApp, if you create a new vApp network in the target vApp and connect the source VMs to the newly created target vApp's network, closing the modal causes the spinner to appear, but it does not disappear once the copy operation is completed. This problem occurs only when a new vApp network is created during the copy process and does not occur when you copy VMs without creating a vApp network.
Workaround: Navigating to another page and returning to the VM list reloads the grid and the spinner disappears.
New - If you create a vApp network while copying a VM, when you close the Copy VM modal, an infinity spinner appears
When you copy VMs to a target vApp, if you create a new vApp network in the target vApp and connect the source VMs to the newly created target vApp's network, closing the modal causes the spinner to appear, but it does not disappear once the copy operation is completed. This problem occurs only when a new vApp network is created during the copy process and does not occur when you copy VMs without creating a vApp network.
Workaround: Navigating to another page and returning to the VM list reloads the grid and the spinner disappears.
New - The VMware Cloud Director API does not return some provider VDCs as merge candidates
If you attempt to get merge candidates for a provider VDC and there are more provider VDCs in the system than the value specified in the page size query parameter, the merge candidate API only processes the first page size number of provider VDCs to check if they are merge candidates and ignores the other provider VDCs in the system.
Workaround: To ensure the VMware Cloud Director API processes all the provider VDCs, specify a page size greater than or equal to the number of provider VDCs in the system.
New - You cannot change the VMware Cloud Director storage policy of existing hard disks of a VM
If VM home and the hard disks of a VM are on different storage policies, attempting to change the storage policy of the hard disks fails with The operation failed because no suitable resource was found
error.
Workaround: If you want to move the VM to a different storage policy, change all disk storage policies to VM default policy and change the VM storage policy to the one you want.
New - Uploading a vApp template from an OVF fails with A specified parameter was not correct: profileId
error
When attempting to upload a vApp template from an OVF which contains both a StorageGroupSection
and a BootOrderSection
to a VDC backed by vCenter 8.0U2, the upload fails with the A specified parameter was not correct: profileId
error. This problem can also occur when performing catalog synchronization or importing applications from VMware Marketplace into VMware Cloud Director. The problem occurs only on version 8.0U2 of vCenter.
Workaround: Remove the BootOrderSection
or the StorageGroupSection
from the OVF and attempt the upload again.
New - If the default policy for your organization VDC is a vGPU policy, you might not be able to create a general purpose VM
When trying to create a general purpose VM, if the organization VDC's default policy is a vGPU policy and the organization VDC has zero or one VM sizing policy, a You need to select either sizing or placement compute policy
error appears.
Workaround: Assign to the organization VDC at least 2 VM sizing policies or a single VM placement policy.
New - Subscribed catalog items are timing out during catalog synchronization when the publisher has a password
Catalog synchronization times out and subscribers get a 401 ERROR
in the logs when the publisher has a password. The problem occurs because of concurrency at the subscriber side when parallel transfer is enabled.
Workaround: Use the VMware Cloud Director cell management tool (CMT) to deactivate parallel transfer.
/opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n catalog.sync.enableParallelChunkedTransfer -v false;
New - When you use the multiselect option for VM operations, the selection is not cleared and causes inconsistencies and duplicate actions
Using the VMware Cloud Director Tenant Portal UI, if you use the multiselect option to perform an operation on multiple VMs, once you start the operation the selection appears to be cleared but the selection counter retains the selected VMs. Afterwards, if you try to perform another operation, VMware Cloud Director creates tasks for both selections. This problem creates duplications which can cause operations to fail.
Workaround: Reload the page to reset the selection.
New - When working with container applications, the installation values in Manifest Editor might appear empty
The installation values might appear empty in the VMware Cloud Director Tenant Portal if you select an app from the marketplace. The VMware Cloud Director UI mishandles the chart file content, resulting in empty installation values.
Workaround: There are two ways to work around this problem:
Download the chart file and paste its values.yaml
content into the Manifests Editor.
Click Show Advanced Settings and find the file transfer link from the browser console, for example, https://example.vmware.com/transfer/.../file
.
Copy the transfer link into the browser address bar to download the file.
Extract values.yaml
from the downloaded file binary, and paste its contents into the Manifests Editor.
Alternatively, add the public Bitnami helm chart repository as a catalog source, and import the charts.
New - When using Content Hub, if you input an array using the Manifest Editor, your container application deploys without the array information
When you try to deploy a container application with VMware Cloud Director Content Hub in a Kubernetes cluster deployed through VMware Cloud Director Container Service Extension, if you use the Manifest Editor to input an array, the operation succeeds but the array information is missing. The problem occurs because the UI does not handle correctly arrays and the configuration that VMware Cloud Director deploys is missing some of the parameters.
Workaround: None.
New - Outgoing connections from VMware Cloud Director through a proxy might fail with a Connection refused
error
When setting proxy variables in the /etc/sysconfig/proxy
file, the variables must not contain a trailing slash, such as in HTTP_PROXY="http://www.example.com:3128/"
The problem occurs in both appliance deployments and Linux installations of VMware Cloud Director.
Workaround: Update the values to exclude the trailing slash. For example, HTTP_PROXY="http://www.example.com:3128"
New - Attempting to modify the port for the NSX Edge load balancer pool fails with an INTERNAL_SERVER_ERROR
After you delete a virtual service, trying to update the pool which was previously connected to the deleted virtual service fails with an INTERNAL_SERVER_ERROR
. For example, changing the port for the pool fails.
Workaround: None.
New - Tenants can acquire public provider IP addresses from the pool by creating a static route to them on an edge gateway with IP blocks enabled
If IP blocks are enabled on an edge gateway, tenants can create a static route to any non-allocated IP without any restriction. This allows them to use public provider IP addresses.
Workaround: None.
New - Deleting an organization in VMware Cloud Director UI fails with a You must delete this Organization's Application Port Profiles before you can delete the organization
error
If application port profiles are created on an edge gateway associated with an organization, attempting to delete the organization fails. The issue occurs because VMware Cloud Director deletes the edge gateways before deleting the port profiles, which causes the following error.
com.vmware.vcloud.api.presentation.service.InvalidStateException: You must delete this Organization's Application Port Profiles before you can delete the organization.
Workaround: Use the VMware Cloud Director API to force delete an organization and to delete the stranded application port profiles associated with it. See Delete Stranded Application Port Profiles from VMware Cloud Director.
New - You cannot access the Service Provider Admin Portal and the VMware Cloud Director Tenant Portal after rebooting the VMware Cloud Director VM
If you reboot the VMware Cloud Director VM by using a method other than using the vSphere Client, for example, by using vSphere High Availability or VMware Host Client, you cannot access the Service Provider Admin Portal and the VMware Cloud Director Tenant Portal. The problem occurs because after the reboot, the deployment OVF parameters are deleted from the ovfEnv.xml
file, and the cell cannot be accessed.
Workaround: Power off and then power on the VMware Cloud Director VM by using the vSphere Client.
New - Using the VMware Cloud Director API, attempting to delete an item with a secure
field from an array in an RDE instance results in the item not being fully deleted
If an RDE type schema contains an array object with items containing secure fields, trying to remove an item of the array from an RDE instance of that type through an RDE PUT call results in all fields in the item being deleted except for the secure fields. The item itself is not removed. The problem occurs when you use VMware Cloud Director API version 37.3 or earlier.
If the RDE instance is in RESOLVED
state and if after the update the entity contents of the instance do not match the schema in the RDE type of the instance, the PUT call results in an error response with status code 400
and error message RDE_CANNOT_VALIDATE_AGAINST_SCHEMA
. If the entity contents of the instance after the update match the schema in the RDE type of the instance, the call does not return an error despite the item not being fully deleted.
Workaround: To run the RDE update, use VMware Cloud Director API version 38.0 or later.
New - You cannot edit the metadata of an organization
If you use the VMware Cloud Director API to create two metadata entries for an organization using the same name for the entries, you cannot edit these metadata entries by using the UI because the Save button in the Edit Metadata wizard is not active.
Workaround: Use the VMware Cloud Director API to edit the name of one of the metadata entries.
New - Provisioning of a new Tanzu Kubernetes Grid Service cluster might fail
When attempting to provision a Tanzu Kubernetes Grid Service cluster, the operation might fail. The corresponding user task shows a status error message similar to the following.
[ <some unique id> ] An operation in vSphere for Kubernetes failed, reason message: Bad Request - admission webhook "default.validating.tanzukubernetescluster.run.tanzu.vmware.com" denied the request: Spec.Topology.ControlPlane.TKR.Reference.Name unable to resolve that TKR due to could not resolve TKR/OSImage for controlPlane, machineDeployments: [workers], query: {controlPlane: {k8sVersionPrefix: 'v1.23.8+vmware.3-tkg.1.ubuntu', tkrSelector: '', osImageSelector: 'os-name=photon'}, machineDeployments: [{k8sVersionPrefix: 'v1.23.8+vmware.3-tkg.1.ubuntu', tkrSelector: '', osImageSelector: 'os-name=photon'}]}, result: {controlPlane: {k8sVersion: '', tkrName: '', osImagesByTKR: map[]}, machineDeployments: [{k8sVersion: '', tkrName: '', osImagesByTKR: map[]}]} - Bad Request
The problem is related to a vSphere Supervisor cluster API backward compatibility issue that breaks the integration with VMware Cloud Director. The compatibility is completely broken for with vSphere 8.x and later updates, and partially broken for vSphere 7.x updates.
Workaround: None.
New - VM does not receive the DNS Server IP addresses from the DHCP scope that is defined in the vApp network
When you connect a VM to a routed vApp network in DHCP IP mode, the VM does not receive the DNS addresses defined in the DHCP scope.
Workaround: Using NSX Manager, manually configure the DNS servers in the routed vApp network segment.
New - Attaching a named disk to a VM fails with a java.util.concurrent.ExecutionException: org.hibernate.NonUniqueResultException
error message
Attaching a named disk to a VM fails with an error message.
java.util.concurrent.ExecutionException: org.hibernate.NonUniqueResultException: query did not return a unique result:
This happens because VMware Cloud Director records duplicate entries in the in inventory data collected from the vCenter Server instance where the VM resides.
Workaround: To remove the duplicate entries from the inventory data, reconnect to the vCenter Server instance.
In version 10.5.1, when restoring an appliance backup, VMware Cloud Director might replace the cell HTTPS certificate with an older certificate
During the upgrade to version 10.5.1, VMware Cloud Director migrates the cell HTTPS certificate from the existing on-disk to being stored in the database. Afterwards, if you change the cell HTTPS certificate and create a new backup, during a restore of that backup, VMware Cloud Director incorrectly reverts the cell HTTPS certificate to its previous version.
Workaround: The new cell HTTPS certificate is present in the database. Use the Change the Certificates of a Cell procedure to reassign the correct certificate to the restored cell.
You might receive an unable to find valid certification path to request target - PKIX path building failed
error when changing the JMX certificate of a cell using the UI
Using the the Service Provider Admin Portal, before you select a certificate as the JMX SSL certificate of a VMware Cloud Director cell, the certificate must be trusted.
Workaround: If the certificate you want to select is self-signed, add it to the trusted certificates of the System organization. See Import Trusted Certificates Using Your VMware Cloud Director Service Provider Admin Portal. If an internal certificate authority signed the certificate, verify that the certificate authority appears in the list of trusted certificates of the System organization. If a well-known certificate authority signed the certificate, no action is necessary.
Activating a cell using the cell management tool command does not update the cell status in the Service Provider Admin Portal
If you use the cell management tool to set the cell status to Active
, on the Cloud Cells page of the Service Provider Admin Portal, the status does not appear as active.
Workaround: On the Cloud Cells page of the Service Provider Admin Portal, click the vertical ellipsis next to the cell name, and select Activate. See View and Manage Your VMware Cloud Director Cell Infrastructure.
An Internal error. Please make sure sfcbd is running. error appears during the upgrade to VMware Cloud Director 10.5.1
When you run vamicli update --install latest
an Internal error. Please make sure sfcbd is running. error appears, however, the VMware Cloud Director upgrade is successful. You can ignore the error because VMware Cloud Director continues to function properly.
Workaround: None.
Fast Cross vCenter vApp instantiation fails when instantiating a template that has VMs with memory
When instantiating a vApp template that has any VMs with memory across vCenter instances, if the conditions are met for VMware Cloud Director to perform a fast cross vCenter instantiation, the instantiation will fail with an INTERNAL_SERVER_ERROR
.
Workaround: Deactivate fast cross vCenter instantiations in VMware Cloud Director.
Log in to the VMware Cloud Director Service Provider Admin Portal, and in the top navigation bar, click Administration.
In the left panel, under Settings, select Feature Flags.
Select Fast Cross VC Instantiation Utilizing Shared Storage, and click Disable.
When using the multisite feature, you cannot create and manage VMware Marketplace and Helm chart repository connections from the Service Provider Admin Portal
If you are a service provider and you use the VMware Cloud Director multisite feature, you cannot create and manage VMware Marketplace resources and Helm chart repository resources using the Service Provider Admin Portal.
This issue does not affect tenants.
Workaround: You can use the VMware Cloud Director API to create and manage VMware Marketplace resources and Helm chart repository resources.
Deploying a Helm chart application fails with a Cannot parse "Z" as "-0700"
error message
If VMware Cloud Director is running in UTC timezone, attempting to deploy a Helm chart application fail with a Cannot parse "Z" as "-0700"
error message.
Workaround:
Option 1: Edit the Content Hub operator on the Kubernetes cluster to use a custom registry. Enter the projects.registry.vmware.com/content_hub/vcd-contenthub-package-repo
location as a custom registry and version 1.0.1
as the version of the Content Hub Kubernetes operator package. For information about editing a Kubernetes operator, see Edit a Kubernetes Operator in VMware Cloud Director.
Option 2:
Change the server timezone, on which VMware Cloud Director resides, to non-UTC timezone.
Restart the VMware Cloud Director server.
Deploying container applications fails with an Unable to perform this action
error message
When deploying a container application, if the description of the application template contains more than 255 characters, the operation fails with an error message.
Unable to perform this action. Contact your cloud administrator.
Workaround: Update the description for the application template to consist of less than 255 characters.
If there are no existing user-created firewall rules on an NSX edge gateway, you might not be able to create a single firewall rule
If there are no existing user-defined firewall rules on an NSX edge gateway and you start the firewall rule creation wizard by clicking New, when you attempt to save the firewall rule that you defined, the wizard becomes suspended in a Please wait... state and the firewall rule is not created.
Workaround: Refresh the page, or click away and back to the Firewall screen, and use the Edit Rules button instead of the New button to start the firewall rule creation wizard.
The VMware Cloud Director quick search does not display results when searching for users, service accounts, and VDC groups
In the Quick Search, entering Users
, users/bulk-update
, service-accounts
, and vdc-groups
as a search criteria results in a No results found.
message.
Workaround: None.
The VMware Cloud Director appliance database disk resize script might fail if the backing SCSI disk identifier changes
The database disk resize script runs successfully only if the backing database SCSI disk ID remains the same. If the ID changes for any reason, the script might appear to run successfully but fails. The /opt/vmware/var/log/vcd/db_diskresize.log
shows that the script fails with a No such file or directory
error.
Workaround:
Log in directly or by using an SSH client to the primary cell as root.
Run the lsblk --output NAME,FSTYPE,HCTL
command.
In the output, find the disk containing the database_vg-vpostgres
partition and make note of its ID. The ID is under the HCTL column and has the following sample format 2:0:3:0
.
In the db_diskresize.sh
script, modify the partition ID with the ID from Step 3. For example, if the ID is 2:0:3:0
, in line
echo 1 > /sys/class/scsi_device/2\:0\:2\:0/device/rescan
you must change the ID to 2:0:3:0
.
echo 1 > /sys/class/scsi_device/2\:0\:3\:0/device/rescan
Аfter saving the changes, manually re-invoke the resize script or reboot the appliance.
Upgrading to VMware Cloud Director 10.4.1 or later fails with a Fix postgres user home directory
error
When you try to upgrade to VMware Cloud Director 10.4.1 or later, the upgrade fails. The update-postures-db.log
contains the following error.
2023-05-15 16:38:01 | update-postgres-db.sh | Fix postgres user home directory
usermod: user postgres is currently used by process 17236
Other processes that are logged in as the postgres
user on the VMware Cloud Director appliance might block the script that upgrades the PostgreSQL major version from 10 through 14.
Workaround:
Before starting the VMware Cloud Director upgrade, find any processes that are logged in as the postgres
user on the VMware Cloud Director appliance by running ps -u postgres
on the appliance.
Stop any process that the command returns by running kill -9 <PID>
, where PID is the unique process identifier.
Creating an organization VDC Kubernetes policy with provider gateways that uses IP spaces fails
If you configure an IP space backed provider gateway and you create a VDC and an edge gateway based on the same IP space, an attempt to create a Kubernetes policy for this VDC fails with an error message.
com.vmware.ssdc.util.LMException: Index 0 out of bounds for length 0
This happens because the IP space backed edge gateways are not associated with a primary IP address, which is required for the creation of SNAT by the Kubernetes policy.
Workaround: Create VDC and edge gateways with NSX network provider type and provider gateways that use legacy IP blocks.
When starting the VMware Cloud Director appliance, the message [FAILED] Failed to start Wait for Network to be Configured. See 'systemctl status systemd-networkd-wait-online.service' for details
appears
The message appears incorrectly and does not indicate an actual problem with the network. You can disregard the message and continue to use the VMware Cloud Director appliance as usual.
Workaround: None.
Creating an organization VDC template with NSX network provider type and provider gateways that uses IP spaces fails
When you attempt to create an organization VDC template with NSX network provider type and provider gateway that uses IP spaces, the operation fails with the following error. Error:Cannot support external Network that is utilizing IP Spaces. Only external networks with legacy IP blocks are supported.
Workaround: Create organization VDC templates with NSX network provider type and provider gateways that use legacy IP blocks.
Changing the storage policy on a virtual disk of a VM fails with a The operation failed because no suitable resource was found
error message
If the virtual disk of a VM resides on a remote vSAN datastore, changing the storage policy of the virtual disk results in an error message.
The operation failed because no suitable resource was found
Workaround: To move the VM to a different storage policy, change the virtual disk storage policy to VM default policy
and then change the VM storage policy to the desired storage policy.
VMware Cloud Director shows an empty value for the IOPS limit for a VM disk with VC-IOPS enabled storage policy
If you apply a VC-IOPS enabled storage policy with custom reservation, limit, and shares, on a VM disk, VMware Cloud Director displays the values for IOPS reservations, but displays the IOPS limit as empty. This happens because vCenter Server 8U1 introduces a new mechanism for Storage I/O Control (SIOC) which no longer sets the IOPS limit as a VM disk property.
Workaround: None.
You cannot create a deactivated organization using the legacy VMware Cloud Director API
Attempting to use the legacy VMware Cloud Director API organization creation endpoint POST [vcd_public_endpoint]/api/admin/orgs
to create a deactivated organization results in a 400 BadRequestException
containing the following snippet:
<Error ... stackTrace="com.vmware.vcloud.api.presentation.service.BadRequestException: Unexpected error. unexpected end of subtree
Workaround: Use the VMware Cloud Director OpenAPI endpoint to create a disabled organization. Alternatively, you can use the UI, OpenAPI, or legacy API to create an enabled organization and disable it after creation.
You cannot select Tanzu Kubernetes version 2.0 or later when creating a TKGs cluster
As a tenant, when attempting to create a TKGs cluster, you cannot select a Tanzu Kubernetes cluster version 2.0 and later.
Workaround: To offer and use Tanzu Kubernetes 2.0 and later, use VMware Cloud Director Container Service Extension 4.0.
Migrating VMs between organization VDCs might fail with an insufficient resource error
If VMware Cloud Director is running with vCenter Server 7.0 Update 3h or earlier, when relocating a VM to a different organization VDC, the VM migration might fail with an insufficient resource error even if the resources are available in the target organization VDC.
Workaround: Upgrade vCenter Server to version 7.0 Update 3i or later.
The VMware Cloud Director Tenant Portal UI does not display the IOPS limits and reservations for a vSAN storage policy
vSAN manages itself the IOPS limits on vSAN storage policies. As a result, the VMware Cloud Director Tenant Portal UI does not display the IOPS reservations and limits for a vSAN storage policy and you cannot modify their values.
Workaround: None.
VMware Cloud Director appliance upgrade fails with an invalid version error when FIPS mode is enabled
For VMware Cloud Director versions 10.3.x and later, when FIPS mode is enabled, VMware Cloud Director appliance upgrade fails with the following error.
Failure: Installation failed abnormally (program aborted), the current version may be invalid.
Workaround:
Before you upgrade the VMware Cloud Director appliance, deactivate FIPS Mode on the cells in the server group and the VMware Cloud Director appliance. See Activate or Deactivate FIPS Mode on the VMware Cloud Director Appliance.
Verify that the /etc/vmware/system_fips
file does not exist on any appliance.
Upgrade the VMware Cloud Director appliance.
Enable FIPS mode again.
You can't view and edit the license type for your previously registered NSX Advanced Load Balancer Controller instances in the VMware Cloud Director API
You can't view and edit the license for your previously registered NSX Advanced Load Balancer Controller instances in the VMware Cloud Director API. This happens because in VMware Cloud Director 10.4, the Controller license type was replaced by a selection between a Standard and a Premium feature set at the Service Engine Group level to provide more flexibility.
Workaround: Use the supportedFeatureSet
path for service engine groups and on edge gateways to activate and deactivate the available features.
You cannot create and use VMware Cloud Director VDC templates in VMware Cloud Director service environments that use VMware Cloud on AWS network pools
If you are using only a provider network pool that is backed by VMware Cloud on AWS for your provider VDC, you cannot create a VDC template and instantiate a VDC from a template. This happens because creating and instantiating VDC templates is supported only for provider VDCs backed by NSX-T Data Center and by NSX Data Center for vSphere. You can use VMware Cloud Director VDC templates with on-premises, Microsoft Azure VMware Solution, Oracle Cloud VMware Solution, or Google Cloud VMware Engine SDDCs.
Workaround: None.
Creating a new VM with encrypted vSAN storage policy fails with an Invalid storage policy for encryption operation
error message
When creating a new VM, if you specify the storage policy of the VM as vSAN encrypted and the storage policy for the VM hard disk as both non-encrypted and non-vSAN, the operation fails with an error message.
Invalid storage policy for encryption operation
Workaround:
Specify the storage policies for the VM and the VM hard disk as vSAN encrypted.
After the VM deploys successfully, update the hard disk storage policy for the VM to non-encrypted and non-vSAN. For information, see Edit Virtual Machine Properties.
You cannot connect to VMware Cloud Director through VMware OVF Tool version 4.4.3 or earlier
When you attempt to connect to VMware Cloud Director through OVF Tool version 4.4.3 or earlier, this results in the following error. Error: No supported vCloud version was found
. This happens because of an API behavior change in VMware Cloud Director 10.4 where the API does not return links to all the VDCs in an organization.
Workaround: Upgrade to OVF Tool 4.5.0. See VMware OVF Tool Release Notes.
You are unable to log in to VMware Cloud Director by using VMware PowerCLI 12.7.0 or earlier
When you attempt to log in to VMware Cloud Director by using VMware PowerCLI version 12.7.0 or earlier, this results in the following error. NOT_ACCEPTABLE: The request has invalid accept header: Invalid API version requested.
This happens because VMware PowerCLI earlier than 13.0.0 do not support VMware Cloud Director API versions later than 33.0. See VMware Product Interoperability Matrix.
Workaround: Upgrade VMware PowerCLI to version 13.0.0.
VMware Cloud Director displays the old version for an upgraded vCenter Server instance
After you upgrade a vCenter Server instance to a newer version, in the list of vCenter Server instances, VMware Cloud Director still displays the old version for the upgraded instance.
Workaround: Reset the connection between the vCenter Server instance and VMware Cloud Director. See Reconnect a vCenter Server Instance in VMware Cloud Director Service Provider Admin Guide.
Refreshing the LDAP page in your browser does not take you back to the same page
In the Service Provider Admin Portal, refreshing the LDAP page in your browser takes you to the provider page instead of back to the LDAP page.
Workaround: None.
Mounting an NFS datastore from NetApp storage array fails with an error message during the initial VMware Cloud Director appliance configuration
During the initial VMware Cloud Director appliance configuration, if you configure an NFS datastore from NetApp storage array, the operation fails with an error message.
Backend validation of NFS failed with: is owned by an unknown user
Workaround: See the https://kb.vmware.com/s/article/93252 KB.
The synchronization of a subscribed catalog times out while synchronizing large vApp templates
If an external catalog contains large vApp templates, synchronizing the subscribed catalog with the external catalog times out. The issue occurs when the timeout setting is set to its default value of five minutes.
Workaround: Using the manage-config
subcommand of the cell management tool, update the timeout configuration setting.
./cell-management-tool manage-config -n transfer.endpoint.socket.timeout -v [timeout-value]
In an IP prefix list, configuring any
as the Network value results in an error message
When creating an IP prefix list, if you want to deny or accept any route and you configure the Network value as any
, the dialog box displays an error message.
"any" is not a valid CIDR notation. A valid CIDR is a valid IP address followed by a slash and a number between 0 and 32 or 64, depending on the IP version.
Workaround: Leave the Network text box blank.
The vpostgres process in a standby appliance fails to start
The vpostgres
process in a standby appliance fails to start and the PostgreSQL log shows an error similar to the following. FATAL: hot standby is not possible because max_worker_processes = 8 is a lower setting than on the master server (its value was 16).
This happens because PostgreSQL requires standby nodes to have the same max_worker_processes
setting as the primary node. VMware Cloud Director automatically configures the max_worker_processes
setting based on the number of vCPUs assigned to each appliance VM. If the standby appliance has fewer vCPUs than the primary appliance, this results in an error.
Workaround: Deploy the primary and standby appliances with the same number of vCPUs.
Upgrading the VMware Cloud Director appliance might result in an Connection to sfcbd lost
error message
If you upgrade the VMware Cloud Director appliance, the upgrade operation might report an error message.
Connection to sfcbd lost. Attempting to reconnect
Workaround: You can ignore the error message and continue with the upgrade.
When using FIPS mode, trying to upload OpenSSL-generated PKCS8 files fails with an error
OpenSSL cannot generate FIPS-complaint private keys. When VMware Cloud Director is in FIPS mode and you try to upload PKCS8 files generated using OpenSSL, the upload fails with a Bad request: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: ... not available: No such algorithm: ...
error or salt must be at least 128 bits
error.
Workaround: Deactivate the FIPS mode to upload the PKCS8 files.
Creation of Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in fails
When you create a Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in, you must select a Kubernetes version. Some of the versions in the drop-down menu are not compatible with the backing vSphere infrastructure. When you select an incompatible version, the cluster creation fails.
Workaround: Delete the failed cluster record and retry with a compatible Tanzu Kubernetes version. For information on the incompatibilities between Tanzu Kubernetes and vSphere, see Updating the vSphere with Tanzu Environment.
If you have any subscribed catalogs in your organization, when you upgrade VMware Cloud Director, the catalog synchronization fails
After upgrade, if you have subscribed catalogs in your organization, VMware Cloud Director does not trust the published endpoint certificates automatically. Without trusting the certificates, the content library fails to synchronize.
Workaround: Manually trust the certificates for each catalog subscription. When you edit the catalog subscription settings, a trust on first use (TOFU) dialog box prompts you to trust the remote catalog certificate.
If you do not have the necessary rights to trust the certificate, contact your organization administrator.
After upgrading VMware Cloud Director and enabling the Tanzu Kubernetes cluster creation, no automatically generated policy is available and you cannot create or publish a policy
When you upgrade VMware Cloud Director to version 10.3.1 and vCenter Server to version 7.0.0d or later, and you create a provider VDC backed by a Supervisor Cluster, VMware Cloud Director displays a Kubernetes icon next to the VDC. However, there is no automatically generated Kubernetes policy in the new provider VDC. When you try to create or publish a Kubernetes policy to an organization VDC, no machine classes are available.
Workaround: Manually trust the corresponding Kubernetes endpoint certificates. See VMware knowledge base article 83583.
Entering a Kubernetes cluster name with non-Latin characters deactivates the Next button in the Create New Cluster wizard
The Kubernetes Container Clusters plug-in supports only Latin characters. If you enter non-Latin characters, the following error appears.
Name must start with a letter and only contain alphanumeric or hyphen (-) characters. (Max 128 characters).
Workaround: None.
NFS downtime can cause VMware Cloud Director appliance cluster functionalities to malfunction
If the NFS is unavailable due to the NFS share being full, becoming read only, and so on, can cause appliance cluster functionalities to malfunction. HTML5 UI is unresponsive while the NFS is down or cannot be reached. Other functionalities that might be affected are the fencing out of a failed primary cell, switchover, promoting a standby cell, and so on. For more information about setting up correctly the NFS shared storage, see Preparing the Transfer Server Storage for the VMware Cloud Director Appliance.
Workaround:
Fix the NFS state so that it is not read-only
.
Clean up the NFS share if it is full.
Trying to encrypt named disks in vCenter Server version 6.5 or earlier fails with an error
For vCenter Server instances version 6.5 or earlier, if you try to associate new or existing named disks with an encryption enabled policy, the operation fails with a Named disk encryption is not supported in this version of vCenter Server
. error.
Workaround: None.
A fast-provisioned virtual machine created on a VMware vSphere Storage APIs Array Integration (VAAI) enabled NFS array, or vSphere Virtual Volumes cannot be consolidated
In-place consolidation of a fast provisioned virtual machine is not supported when a native snapshot is used. Native snapshots are always used by VAAI-enabled datastores, as well as by vSphere Virtual Volumes. When a fast-provisioned virtual machine is deployed to one of these storage containers, that virtual machine cannot be consolidated.
Workaround: Do not enable fast provisioning for an organization VDC that uses VAAI-enabled NFS or vSphere Virtual Volumes. To consolidate a virtual machine with a snapshot on a VAAI or a vSphere Virtual Volumes datastore, relocate the virtual machine to a different storage container.
If you add an IPv6 NIC to a VM and then you add an IPv4 NIC to the same VM, the IPv4 north-south traffic breaks
Using the HTML5 UI, if you add an IPv6 NIC first or configure an IPv6 NIC as the primary NIC in a VM, and then you add an IPv4 NIC to the same VM, the IPv4 north-south communication breaks.
Workaround: First you must add the IPv4 NIC to the VM and then the IPv6 NIC.