VMware Cloud Director 10.6 | 27 JUN 2024 | Build 24055916 (installed build 24055813) Check for additions and updates to these release notes. |
VMware Cloud Director version 10.6 includes the following:
Three-tier tenancy
Cloud providers can use the three-tier tenancy model to establish sub-provider organizations with restricted administrative privileges over a limited set of tenants. Use cases include reselling cloud services through resellers or managed service providers and enabling nested multi-tenancy within enterprise organizations. This release brings three-tier tenancy capability to all aspects of resources and services available through VMware Cloud Director. See Overview of VMware Cloud Director Administration in the VMware Cloud Director Service Provider Admin Guide and Understanding the Sub-Provider Role in VMware Cloud Director in the VMware Cloud Director Sub-Provider and Tenant Guide.
VMware Cloud Director 10.6 requires PostgreSQL 13 or later
For external PostgreSQL configurations, VMware Cloud Director 10.6 requires PostgreSQL version 13 or later.
Management of container resources and applications
Kubernetes cluster administrators now can control individual tenant users' access to a Kubernetes cluster or to individual namespaces within a cluster. Tenant users can deploy container applications in the namespaces for which they have been granted access. This allows multiple tenant users to share a Kubernetes cluster and deploy their container applications in the same cluster but under different namespaces. Tenant users granted cluster level access can also deploy container applications which request cluster level resources.
Container application owners can see the history of application revisions on the application detail page. Each revision has a state indicating whether it has been applied successfully.
This release brings a new version of Content Hub Operator. Content Hub Operator runs in the Kubernetes cluster and communicates with VMware Cloud Director through the WebSocket protocol for improved performance. Content Hub Operator can also report its version compatibility with VMware Cloud Director back to the Tenant Portal, which helps the cluster owner to decide when to upgrade the operator.
Global catalog
Cloud providers can create and publish catalogs that are globally consistent across multiple vCenter instances and multiple VMware Cloud Director sites. The capability requires the use of a shared storage replication technology. Any shared storage solution that meets documented scale and performance requirements can be used to enable global distributed catalogs. See Configure Distributed Catalogs for an Organization in the VMware Cloud Director Service Provider Admin Guide and Create a Distributed Catalog in the VMware Cloud Director Sub-Provider and Tenant Guide.
IPv6 support for VMware Cloud Director appliance nodes
VMware Cloud Director appliance cells can run in an IPv6 network environment.
Multiple VM snapshots
VMware Cloud Director now supports multiple snapshots per VM up to a maximum number that the cloud providers can configure.
Scale limits increase
This release brings significant maximum scale increase in several areas of the platform. The supported number of VMs per VMware Cloud Director instance is up to 55,000 (regardless of the power state); the number of concurrent remote consoles is up to 22,000 and the maximum number of users is up to 300,000. The maximum number of organization Virtual Data Centers (VDCs) in an organization VDC group increases to 2000 members from 16.
Photon OS 4.0
The VMware Cloud Director appliance is now based on Photon OS 4.0, which brings improved security and upgraded OS packages.
Improved VM template instantiation performance
In cases where a VM template is instantiated to a VM on a different vCenter, VMware Cloud Director attempts to optimize the instantiation time by cloning the VM. If the clone operation fails, VMware Cloud Director falls back to OVF export/import. See KB article 2106952 for more details on vCenter clone prerequisites.
Tenant admin IP reservation system
Major enhancements have been made to IP Address Management with focus on IP Reservations for workloads and to supply IP addresses to VMware Cloud Director long lived services (e.g. LB VIP). The improvements are aligned to 3 tier permissions and provide an intuitive user experience for managing IP address lifecycles derived from IP Pools for tenants, sub-providers, and provider personas.
New UX for deploying Avi Controllers and NSX Cloud Connectors
VMware Cloud Director 10.6 enhances the provisioning of Avi Controllers and NSX Cloud Connectors and adds new UX to increase Avi scalability by adding more Cloud Controllers to existing Avi Controllers. The UX provides consumption information for appraising controller and NSX cloud, and edge gateway capacity.
Tenant Self-Service of Custom Health Monitors for NSX Advanced Load Balancer
Custom health monitors are now available when deploying the NSX Advanced Load Balancer. Custom health monitors complement HTTP policies and enable tenant self-service configuration of pool member health checks. The user experience provides highly customized methods to ensure that applications are running as designed while removing errant pool members that fail customized health checks. See Create and Assign a Custom Health Monitor in the Service Provider Admin Portal and Create and Assign a Custom Health Monitor in the Tenant Portal.
Security Log Ingestion and Observability by Tenant
VMware Cloud Director 10.6 supports log ingestion by integrating with VMware Aria Operations for Logs. NSX gateway firewall and distributed firewall logs are now processed by VMware Aria Operations for Logs and seamlessly integrated with the VMware Cloud Director Tenant Portal. Tenants can export logs to CSV files and use filters and time ranges to focus on specific events. See the Configure a Log Provider topic in the VMware Cloud Director Service Provider Admin Guide and the edge gateway firewall logs, provider gateway firewall logs, and distributed firewall logs documentation in the VMware Cloud Director Sub-Provider and Tenant Guide.
IPsec VPN on Provider Gateways and Edge Gateways
In version 10.6, VMware Cloud Director expands the IPsec VPN functionality to include tunnel establishment on dedicated provider gateways. IPsec VPN management is also aligned to the three-tier model, enabling tenants, sub-providers, and providers to set up VPNs and use BGP to control which IP prefixes will use the VPN. BGP configuration can be automated for tenants when providers opt to use IP Spaces to manage network assignments for public and private addressing. In addition, providers and sub-providers can delegate some BGP configurations to their tenants. See the IPsec VPN for NSX Edge Gateways documentation in the Service Provider Admin Portal Guide and the Tenant Portal Guide, and the Configure NSX IPSec VPN on a Dedicated Provider Gateway documentation in the Service Provider Admin Portal Guide and the Tenant Portal Guide.
This release resolves CVE-2024-22272
For more information on this vulnerability and its impact on VMware by Broadcom products, see VMSA-2024-0014.
New - Changes to tenant Runtime Defined Entity (RDE) creation by provider users
In VMware Cloud Director 10.6, when you, as a provider user, create an RDE in the tenant context using the X-VMWARE-VCLOUD-TENANT-CONTEXT request header, the owner of the entity is the hidden system user. The system user does not appear in the list of users. VMware Cloud Director uses this user as owner of entities, such as VMs and RDEs, that provider users create in the tenant context.
In previous VMware Cloud Director versions, the owners of such entities are the provider users that create them. When you upgrade to version 10.6, VMware Cloud Director changes the owners of existing tenant entities from previous VMware Cloud Director versions to the system user.
New - Non-disruptive certificate management compliance
VMware Cloud Director stores the Certificate Authority (CA) certificate that issues the vCenter SSL certificate. If the CA certificate remains the same, changes to the SSL certificate do not cause VMware Cloud Director to lose connectivity with vCenter.
You can download VMware Cloud Director 10.6 from the Broadcom Support Portal.
For more information about registering on the Broadcom Support Portal, see Register for an account on the Broadcom Support Portal and Communities. For product download instructions, see Download Broadcom products and software.
For more information about the new and updated features of this release, see What's New in VMware Cloud Director 10.6.
Photon OS 4.0 Security Updates
VMware Cloud Director appliance version 10.6.0 includes Photon OS 4.0 security updates for advisories up to and including PHSA-2024-4.0-0618. See the Photon OS 4.0 Security Advisories.
Deprecation of localized languages
Beginning with the next major release, we will be reducing the number of supported localization languages. The three supported languages will be:
Japanese
Spanish
French
The following languages will no longer be supported: Brazilian Portuguese, German, Italian, Korean, Simplified Chinese, Traditional Chinese.
Impact:
Users who have been using the deprecated languages will no longer receive updates or support in these languages.
All user interfaces, help documentation, and customer support will be available only in English or in the three supported languages mentioned above.
AMQP and RabbitMQ deprecation
Starting with VMware Cloud Director 10.6, the AMQP-based functionality is deprecated. To ensure continued support, consider updating any legacy extensions using AMQP. Newer extensions must be based on equivalent MQTT-backed functionality.
TKG and TKGS clusters in VMware Cloud Director are unsupported with vSphere 8.0 Update 3
Due to a change in the VMware Tanzu Kubernetes Grid and VMware Tanzu Kubernetes Grid Service architecture in vSphere 8.0.3, VMware Cloud Director supports TKG and TKGS clusters only with vSphere 8.0 Update 2c or earlier.
Deprecation Process for VMware Cloud Director Local Users for Production Use
Authentication for local users in VMware Cloud Director does not make use of modern authentication technologies, security best practices, and compliance requirements, such as password policies, 2FA, or MFA support. By using the VMware Cloud Director integration with external identity providers, you can take advantage of all existing and future advancements in the authentication technologies.
VMware Cloud Director will continue to support local users for evaluation use. Production use of local users is under deprecation but will continue to be fully supported until the next major release of VMware Cloud Director.
VMware Cloud Director 10.6 does not support guest customization of Windows Vista and Windows Server 2008 SP1 and earlier
Starting with version 10.6, you cannot customize Windows Vista and Windows Server 2008 SP1 and earlier.
For more information on upgrading to VMware Cloud Director 10.6, upgrade and migration paths and workflows, see Upgrading and Migrating the VMware Cloud Director Appliance or Upgrading VMware Cloud Director on Linux.
For information on the network ports and protocols that VMware Cloud Director 10.6 uses, see VMware Ports and Protocols.
See the VMware Product Interoperability Matrixes for current information about:
VMware Cloud Director interoperability with other VMware platforms
Supported VMware Cloud Director databases
CentOS 7
CentOS 8
CentOS 9
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Starting with version 10.6, AMQP is deprecated. When updated, your extensions must use an equivalent MQTT-based functionality, which no longer requires an externally managed message broker.
VMware Cloud Director uses AMQP to provide the message bus used by extension services, object extensions, and notifications. This release of VMware Cloud Director requires RabbitMQ version 3.10.x, 3.11.x or 3.12.x.
For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
VMware Cloud Director installations on Linux support PostgreSQL versions 13 through 15.
VMware Cloud Director supports Apache Cassandra versions 4.0.x and 4.1.x.
Each VMware Cloud Director server requires approximately 2100 MB of free space for the installation and log files.
Please consult VMware Cloud Director Installation, Configuration, and Upgrade Guide for memory requirements.
VMware Cloud Director is a CPU-bound application. You must follow the CPU over-commitment guidelines for the appropriate version of vSphere. In virtualized environments, regardless of the number of cores available to VMware Cloud Director, there must be a sensible vCPU to physical CPU ratio, that does not result in extreme over-committing.
Each VMware Cloud Director server must include installations of several common Linux software packages. These packages are typically installed by default with the operating system software. If any of the packages are missing, the installer fails with a diagnostic message.
In addition to the installer required packages, several procedures for configuring the network connections and creating SSL certificates require the use of the Linux nslookup command, which is available in the Linux bind-utils package.
VMware Cloud Director 10.5 supports LDAP, SAML, and OpenId Connect (OIDC) identity providers.
VMware Cloud Director requires the client connections to be secure. SSL version 3 and TLS version 1.0 and 1.1 have been found to have serious security vulnerabilities and are no longer included in the default set of protocols that the server offers to use when making a client connection. System administrators can enable more protocols and cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide. The following security protocols are supported:
TLS version 1.3
TLS version 1.2
TLS version 1.1 (deactivated by default)
TLS version 1.0 (deactivated by default)
To activate the deactivated versions, see KB 88929.
Supported cipher suites activated by default:
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
If you want to use TLS version 1.3, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, or both must be activated.
Supported cipher suites deactivated by default:
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
System administrators can use the cell management tool to explicitly enable the supported cipher suites that are deactivated by default.
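The protocol and cipher defaults listed above can be used as a baseline for a drift check. The following is an added example, not VMware code: the protocol labels (TLSv1.3 and so on), the severity levels and the sample configuration are assumptions of this example, and exporting the cell's active settings is left to the reader.

```python
"""Added example: compare a cell's active TLS settings with the defaults in these notes."""

# Labels are this example's own; map your exported settings onto them.
DEFAULT_PROTOCOLS = {"TLSv1.3", "TLSv1.2"}
LEGACY_PROTOCOLS = {"TLSv1.1", "TLSv1.0"}  # supported, deactivated by default

# Suite names copied from the lists above.
DEFAULT_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
OPTIONAL_SUITES = set("""
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
""".split())
# TLS 1.3 needs at least one of these two suites to be active.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}


def suite_properties(name):
    """Derive the weaker properties of a suite from its IANA name."""
    notes = []
    if name.startswith("TLS_RSA_WITH_"):
        notes.append("static RSA key exchange (no forward secrecy)")
    elif name.startswith("TLS_ECDH_"):  # does not match TLS_ECDHE_
        notes.append("static ECDH key exchange (no forward secrecy)")
    if "_CBC_" in name:
        notes.append("CBC mode")
    if name.endswith("_SHA"):
        notes.append("HMAC-SHA1")
    return notes


def audit(protocols, suites):
    """Return (severity, message) findings; an empty list means stock defaults."""
    protocols, suites = set(protocols), set(suites)
    findings = []
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(("high", f"{proto} is enabled; it is deactivated by default"))
    for proto in sorted(protocols - LEGACY_PROTOCOLS - DEFAULT_PROTOCOLS):
        findings.append(("high", f"{proto} is not in the supported protocol list"))
    if "TLSv1.3" in protocols and not suites & TLS13_SUITES:
        findings.append(("high", "TLSv1.3 is enabled but no TLS 1.3 suite is active"))
    for suite in sorted(suites - DEFAULT_SUITES - OPTIONAL_SUITES):
        findings.append(("high", f"{suite} is not in the supported suite list"))
    for suite in sorted(suites & OPTIONAL_SUITES):
        notes = suite_properties(suite)
        detail = ": " + ", ".join(notes) if notes else ""
        findings.append(("medium" if notes else "info",
                         f"{suite} is off by default{detail}"))
    for suite in sorted(DEFAULT_SUITES - suites):
        findings.append(("info", f"default suite {suite} has been deactivated"))
    return findings


# Constructed sample: a cell where TLS 1.0 and one legacy suite were re-enabled
# for an old client and two of the default suites were dropped.
SAMPLE_PROTOCOLS = {"TLSv1.3", "TLSv1.2", "TLSv1.0"}
SAMPLE_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PROTOCOLS, SAMPLE_SUITES):
        print(f"[{severity}] {message}")
```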
VMware Cloud Director is compatible with the current major and previous major release of the following browsers:
Google Chrome
Mozilla Firefox
Microsoft Edge
VMware Cloud Director supports all guest operating systems and virtual hardware versions supported by the ESXi hosts that back each resource pool.
To access the full set of product documentation, go to VMware Cloud Director Documentation.
Importing a vApp fails with a Failed to attach vif uuid to network error
When there are stale entries in the dv_portgroup_inv table, importing a vApp fails. The issue occurs when there is a sync problem between vSphere and NSX, in which case, VMware Cloud Director might pick an invalid NSX network.
The Create Catalog wizard displays only the first 10 storage policies from the list of policies
During the creation of a catalog, if there are more than 10 available storage policies, due to a problem with the drop-down menu, the wizard does not display more than the first 10 storage policies.
In multisite environments, attempting to view the vGPU profile consumption fails with an error
If you have a multisite environment, trying to view the vGPU profile consumption fails with the following error.
Unknown property 'id' on class 'class com.vmware.vcloud.rest.openapi.model.VgpuVmConsumerEntity
Moving and editing a VM fails with an Invalid AddressOnParent value (16) for disk with InstanceID error
VMware Cloud Director does not support more than 15 disks on a SCSI controller, however, vCenter supports 64 disks on VMware Paravirtual SCSI controllers, which are a SCSI controller sub-type. When a VM with a VMware Paravirtual SCSI controller is imported from vCenter, if one of the VM's disks is on a unit number greater than 15, you cannot edit or move the VM.
If the target storage policy is vSAN, changing the storage policy of a VM might fail with an Internal Server Error
When changing the storage policy of a VM within or across organization VDCs and the target storage policy is vSAN, the operation might fail with an Internal Server Error. The VMware Cloud Director logs show Invalid vSAN policy specified.
The VMware Cloud Director placement engine places VMs on datastores which are in maintenance mode.
If a datastore is in maintenance mode, VMware Cloud Director must reject this datastore for placement, however, the placement engine incorrectly places VMs on datastores which are in maintenance mode.
AMQP connection refresh fails with a No subject alternative names matching IP address error
The AMQP client of VMware Cloud Director uses a DNS round-robin load-balancing technique. However, this method does not work when the connection is secured using TLS and the logs show the following error.
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address...
When you delete a VM disk, before the deletion, VMware Cloud Director relocates the VM disk
VMware Cloud Director always relocates the VM disk when you delete it and it has powered on VMs.
You cannot create network context profiles with multiple attributes in an edge gateway
Creating a new custom network context profile in the edge gateway section of the VMware Cloud Director Service Provider Admin Portal fails with the following error when selecting different attribute values separated by commas.
Bad Request: Error occurred in the backing network provider: Duplicate attribute key found: DOMAIN_NAME., error code 521002
Pool creation in edge gateways fails with error Field Pool.append_port cannot have NON_DEFAULT_80_443 as its value in BASIC license tier. Allowed value(s): NEVER
The append_port field in VMware NSX Advanced Load Balancer server pool objects has three values: NON_DEFAULT_80_443, NEVER, and ALWAYS. For NSX Advanced Load Balancer Basic Edition license users, the correct value is NEVER, but the current VMware Cloud Director configuration default is set to NON_DEFAULT_80_443. This causes issues for customers with Basic NSX Advanced Load Balancer licenses who upgrade VMware Cloud Director.
You cannot register your NSX Cloud instances with VMware Cloud Director because the list of available clouds is grayed out
When registering an NSX Cloud in VMware Cloud Director, if you provide a URL with a forward slash at the end, you cannot select NSX Cloud instances even though the connection is successful, because the extra slash causes an issue with fetching the clouds.
You cannot modify the email settings of newly created organizations
When you use the cloudapi endpoint to create organizations, VMware Cloud Director does not create entries in the smtp_server and org_email tables. However, in previous versions VMware Cloud Director uses the legacy API which inserts these records.
Performing an action on a vApp results in an Entity not found error
VMware Cloud Director incorrectly allows blank spaces in the vApp name during the vApp clone and copy operations. This results in VMware Cloud Director treating the vApp as a different entity and later, when you try to perform any actions on the vApp, the actions fail with the Entity not found error.
When you try to rename a VM of a vApp, if the name is already taken, VMware Cloud Director returns an error, however, the name is changed in vCenter
When you rename a VM of a vApp, if the same VM name is already used in the vApp, VMware Cloud Director returns an error that a duplicate key exists and the VM cannot be renamed, but the operation is carried out in vCenter. The reconfigure operation triggers a task to vCenter, and the name change is made without checking whether the name is already taken.
Running the CMT command to configure a test connection denylist with an IP address range 0.0.0.0/0 fails with an error
If you run the /opt/vmware/vcloud-director/bin/cell-management-tool manage-test-connection-denylist --add-range 0.0.0.0/0 cell management tool (CMT) command, VMware Cloud Director does not parse the range properly, and the operation fails with the following error.
Error executing command: Index -1 out of bounds for length 0
During a primary VMware Cloud Director appliance setup, if you leave the CEIP toggle activated by default, when the setup completes, CEIP is deactivated
During the setup of a primary VMware Cloud Director appliance, the CEIP toggle is activated by default, but after the setup is complete, your VMware Cloud Director instance does not participate in the Customer Experience Improvement Program. If you upgrade VMware Cloud Director, CEIP continues to be deactivated.
NSX-T backed vApps do not show the external IP under the External IP property when a port-forwarding NAT rule is activated
When you activate a NAT rule with port-forwarding on NSX backed vApp network, the external IP does not show up in either the network information or the external IP property of the VM.
When using the CloudAPI to create or update an organization, you cannot set to true the canPublish flag
When using the CloudAPI to create an organization or update an organization enabling it to publish catalogs, the canPublish field remains false, despite you setting the value to true. The legacy API is not affected.
Creating network pools in edge gateways fails with a Field Pool.append_port cannot have NON_DEFAULT_80_443 as its value in BASIC license tier. Allowed value(s): NEVER. error
If you are using the Basic Edition of VMware NSX Advanced Load Balancer and you upgrade VMware Cloud Director from version 10.4.1 to version 10.5.1, you cannot create pools in edge gateways. The issue does not occur while using the VMware NSX Advanced Load Balancer Enterprise Edition.
When sharing vApps with users, you can navigate to nonexistent pages
When sharing vApps with users, the buttons to go to the previous or next page are available even though you are already on the respective first or last page. As a result, you can navigate to pages that do not exist and do not have content.
If you create a vApp network while copying a VM, when you close the Copy VM modal, an infinity spinner appears
When you copy VMs to a target vApp, if you create a new vApp network in the target vApp and connect the source VMs to the newly created target vApp's network, closing the modal causes the spinner to appear, but it does not disappear once the copy operation is completed. This problem occurs only when a new vApp network is created during the copy process and does not occur when you copy VMs without creating a vApp network.
Attempting to modify the port for the NSX Edge load balancer pool fails with an INTERNAL_SERVER_ERROR
After you delete a virtual service, trying to update the pool which was previously connected to the deleted virtual service fails with an INTERNAL_SERVER_ERROR. For example, changing the port for the pool fails.
You cannot access the Service Provider Admin Portal and the VMware Cloud Director Tenant Portal after rebooting the VMware Cloud Director VM
If you reboot the VMware Cloud Director VM by using a method other than using the vSphere Client, for example, by using vSphere High Availability or VMware Host Client, you cannot access the Service Provider Admin Portal and the VMware Cloud Director Tenant Portal. The problem occurs because after the reboot, the deployment OVF parameters are deleted from the ovfEnv.xml file, and the cell cannot be accessed.
An Internal error. Please make sure sfcbd is running. error appears during the upgrade to VMware Cloud Director 10.5.1
When you run vamicli update --install latest, an Internal error. Please make sure sfcbd is running. error appears, however, the VMware Cloud Director upgrade is successful. You can ignore the error because VMware Cloud Director continues to function properly.
New - Upgrading to version 10.6 fails, but VMware Cloud Director reports the upgrade as successful
When you upgrade VMware Cloud Director to version 10.6, the upgrade appears successful, however, some Red Hat Package Manager files (RPMs) are not installed.
Workaround: See Broadcom knowledge base article 372041.
Catalog item metadata is not synchronized between published and subscribed catalogs
When you create a catalog, you have the option to publish the catalog so that others can subscribe and gain access to the catalog through catalog synchronization. If the published catalog contains catalog items with metadata, that metadata does not appear on the subscriber side. The problem occurs only with catalog synchronization and not refresh of distributed catalogs.
Workaround: None.
Tenant users cannot edit Kubernetes policies
Despite having the necessary rights, if you are logged in as a tenant user, trying to edit the CPU or memory of Kubernetes policies fails with a 403 error saying Forbidden to set right restricted field pvdcComputePolicy, and you cannot redistribute your VDC resources between VM deployments and Kubernetes deployments.
Workaround: System administrators can edit Kubernetes policies.
You cannot create a vApp template if the VM or vApp has a TPM device and if the target catalog is a distributed catalog
You cannot create a vApp template through any of the following operations if the template contains a VM with a TPM device and the target is a distributed catalog.
Copy a vApp template
Move a vApp template
Capture a vApp or VM to a template
Import a VM from vCenter
Attempting to create a vApp through these operations fails with an error that the operation is not allowed for VMs with TPM devices where the target catalog is a distributed catalog.
Workaround: Upload an OVF which specifies a VM containing a TPM device. See the TPM as a Virtual Device in OVF topic in the VMware vSphere product documentation.
You cannot filter organization and provider VDCs by the granted provider VDC name
As a sub-provider using the VMware Cloud Director Tenant Portal, you cannot filter your organization and provider VDCs by their granted provider VDC name.
Workaround: None.
After decommissioning of a VMware Cloud Director site, distributed catalogs appear as Degraded.
When you decommission a VMware Cloud Director site whose distributed datastore was previously paired with your local site, a set of corresponding heartbeat files are kept in the replicated storage at the peer sites. As a result, your site keeps reporting that the corresponding datastores are not healthy and have Degraded distribution health.
Workaround:
1. In the VMware Cloud Director Tenant Portal, from the Peers datastore grid, for a peer with missing heartbeat for at least 10 minutes, take note of the Name, Site Name, and vCenter string values.
2. Using the vCenter Console or another tool to browse datastore files, visualize the files of the corresponding local distributed datastore.
3. Find all files under the distributedCatalogs folder with names that look like the following:
distributedCatalogs/site-vc-22222222-11cc-1b11-1cd1-1a1a1a1aaa11-...
4. Display the content of the files, for example:
{"siteId":"a2222222-1234-1a11-1a11-a11a1aa111a","siteName":"obsolete-site","vcId":"22222222-11cc-1b11-1cd1-1a1a1a1aaa11","vcName":"obsolete-vc","dsName":"shared-disk-obsolete","dsMoref":"datastore-24"}
5. Delete the file which has siteName, vcName, and dsName that match the corresponding strings from Step 1.
After approximately 10 minutes, VMware Cloud Director will pick up the change and automatically clean up the datastore and distributed catalog statuses.
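The file-matching part of the workaround above (list the heartbeat files, read each one, delete only the file whose three values match), as an added example that is not part of the release notes or of VMware Cloud Director. It assumes the distributedCatalogs folder of the local distributed datastore is reachable as a local path and that heartbeat file names start with the site-vc- prefix shown in the sample name; the function names and the sample files are constructed.

```python
"""Added example: find the stale heartbeat file of a decommissioned peer site."""
import json
import tempfile
from pathlib import Path

MATCH_KEYS = ("siteName", "vcName", "dsName")


def find_stale_heartbeats(folder, site_name, vc_name, ds_name):
    """Return (matches, unreadable): files whose JSON matches all three values,
    and files that could not be parsed and need a manual look."""
    wanted = dict(zip(MATCH_KEYS, (site_name, vc_name, ds_name)))
    matches, unreadable = [], []
    # Assumption: heartbeat files use the "site-vc-" prefix from the sample name.
    for path in sorted(Path(folder).glob("site-vc-*")):
        if not path.is_file():
            continue
        try:
            record = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):  # truncated, non-JSON or unreadable file
            unreadable.append(path)
            continue
        # All three fields must match: a peer site can own several datastores,
        # and only the one noted in the Peers grid is stale.
        if isinstance(record, dict) and all(record.get(k) == v for k, v in wanted.items()):
            matches.append(path)
    return matches, unreadable


def remove_stale_heartbeats(folder, site_name, vc_name, ds_name, dry_run=True):
    """Delete matching files; with dry_run=True only report what would go."""
    matches, _ = find_stale_heartbeats(folder, site_name, vc_name, ds_name)
    if not dry_run:
        for path in matches:
            path.unlink()
    return matches


def demo():
    """Run against a constructed folder; file names and contents are sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "distributedCatalogs"
        folder.mkdir()
        obsolete = {"siteId": "a2222222-1234-1a11-1a11-a11a1aa111a",
                    "siteName": "obsolete-site",
                    "vcId": "22222222-11cc-1b11-1cd1-1a1a1a1aaa11",
                    "vcName": "obsolete-vc",
                    "dsMoref": "datastore-24",
                    "dsName": "shared-disk-obsolete"}
        same_site_other_ds = dict(obsolete, dsMoref="datastore-25", dsName="shared-disk-kept")
        live = dict(obsolete, siteName="live-site", vcName="live-vc", dsName="shared-disk-live")
        (folder / "site-vc-EXAMPLE-obsolete").write_text(json.dumps(obsolete))
        (folder / "site-vc-EXAMPLE-other-ds").write_text(json.dumps(same_site_other_ds))
        (folder / "site-vc-EXAMPLE-live").write_text(json.dumps(live))
        (folder / "site-vc-EXAMPLE-truncated").write_text('{"siteName": "obsolete-site"')

        noted = ("obsolete-site", "obsolete-vc", "shared-disk-obsolete")  # from step 1
        planned = [p.name for p in remove_stale_heartbeats(folder, *noted)]
        unreadable = [p.name for p in find_stale_heartbeats(folder, *noted)[1]]
        remove_stale_heartbeats(folder, *noted, dry_run=False)
        remaining = sorted(p.name for p in folder.iterdir())
        return planned, unreadable, remaining


if __name__ == "__main__":
    planned, unreadable, remaining = demo()
    print("would delete:", planned)
    print("could not parse:", unreadable)
    print("left in folder:", remaining)
```

Run with dry_run=True first and compare the reported file against the values noted from the Peers datastore grid before deleting anything.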
In a multisite deployment, if the other site is with version 10.5.x or earlier, sorting organizations in the Managed By column returns an error
In a multisite deployment, if the other site is with VMware Cloud Director version 10.5.x or earlier, sorting organizations in the Managed By column fails with the following error.
Bad request: Null property value for 'managedBy.name' on bean class 'class com.vmware.vcloud.rest.openapi.model.Org'
Workaround: Use the filtering option to exclude sites with VMware Cloud Director version 10.5.x or earlier.
When using the CloudAPI to create or update an organization, you cannot set to true the canPublish flag
When using the CloudAPI to create an organization or update an organization enabling it to publish catalogs, the canPublish field remains false, despite you setting the value to true. The legacy API is not affected.
Workaround: Use the VMware Cloud Director UI to activate or deactivate the option to Publish catalog externally for an organization.
Creating network pools in edge gateways fails with a Field Pool.append_port cannot have NON_DEFAULT_80_443 as its value in BASIC license tier. Allowed value(s): NEVER. error
If you are using the Basic Edition of VMware NSX Advanced Load Balancer and you upgrade VMware Cloud Director from version 10.4.1 to version 10.5.1, you cannot create pools in edge gateways. The issue does not occur while using the VMware NSX Advanced Load Balancer Enterprise Edition.
Workaround: None.
When sharing vApps with users, you can navigate to nonexistent pages
When sharing vApps with users, the buttons to go to the previous or next page are available even though you are already on the respective first or last page. As a result, you can navigate to pages that do not exist and do not have content.
Workaround: None.
If you create a vApp network while copying a VM, when you close the Copy VM modal, an infinity spinner appears
When you copy VMs to a target vApp, if you create a new vApp network in the target vApp and connect the source VMs to the newly created target vApp's network, closing the modal causes the spinner to appear, but it does not disappear once the copy operation is completed. This problem occurs only when a new vApp network is created during the copy process and does not occur when you copy VMs without creating a vApp network.
Workaround: Navigating to another page and returning to the VM list reloads the grid and the spinner disappears.
Outgoing connections from VMware Cloud Director through a proxy might fail with a Connection refused error
When setting proxy variables in the /etc/sysconfig/proxy file, the variables must not contain a trailing slash, such as in HTTP_PROXY="http://www.example.com:3128/". The problem occurs in both appliance deployments and Linux installations of VMware Cloud Director.
Workaround: Update the values to exclude the trailing slash. For example, HTTP_PROXY="http://www.example.com:3128"
Deleting an organization in VMware Cloud Director UI fails with a You must delete this Organization's Application Port Profiles before you can delete the organization error
If application port profiles are created on an edge gateway associated with an organization, attempting to delete the organization fails. The issue occurs because VMware Cloud Director deletes the edge gateways before deleting the port profiles, which causes the following error.
com.vmware.vcloud.api.presentation.service.InvalidStateException: You must delete this Organization's Application Port Profiles before you can delete the organization.
Workaround: Use the VMware Cloud Director API to force delete an organization and to delete the stranded application port profiles associated with it. See Delete Stranded Application Port Profiles from VMware Cloud Director.
Using the VMware Cloud Director API, attempting to delete an item with a secure field from an array in an RDE instance results in the item not being fully deleted
If an RDE type schema contains an array object with items containing secure fields, trying to remove an item of the array from an RDE instance of that type through an RDE PUT call results in all fields in the item being deleted except for the secure fields. The item itself is not removed. The problem occurs when you use VMware Cloud Director API version 37.3 or earlier.
If the RDE instance is in RESOLVED state and if after the update the entity contents of the instance do not match the schema in the RDE type of the instance, the PUT call results in an error response with status code 400 and error message RDE_CANNOT_VALIDATE_AGAINST_SCHEMA. If the entity contents of the instance after the update match the schema in the RDE type of the instance, the call does not return an error despite the item not being fully deleted.
Workaround: To run the RDE update, use VMware Cloud Director API version 38.0 or later.
You cannot edit the metadata of an organization
If you use the VMware Cloud Director API to create two metadata entries for an organization using the same name for the entries, you cannot edit these metadata entries by using the UI because the Save button in the Edit Metadata wizard is not active.
Workaround: Use the VMware Cloud Director API to edit the name of one of the metadata entries.
VM does not receive the DNS Server IP addresses from the DHCP scope that is defined in the vApp network
When you connect a VM to a routed vApp network in DHCP IP mode, the VM does not receive the DNS addresses defined in the DHCP scope.
Workaround: Using NSX Manager, manually configure the DNS servers in the routed vApp network segment.
Attaching a named disk to a VM fails with a java.util.concurrent.ExecutionException: org.hibernate.NonUniqueResultException error message
Attaching a named disk to a VM fails with an error message.
java.util.concurrent.ExecutionException: org.hibernate.NonUniqueResultException: query did not return a unique result:
This happens because VMware Cloud Director records duplicate entries in the inventory data collected from the vCenter Server instance where the VM resides.
Workaround: To remove the duplicate entries from the inventory data, reconnect to the vCenter Server instance.
You might receive an unable to find valid certification path to request target - PKIX path building failed error when changing the JMX certificate of a cell using the UI
Using the Service Provider Admin Portal, before you select a certificate as the JMX SSL certificate of a VMware Cloud Director cell, the certificate must be trusted.
Workaround: If the certificate you want to select is self-signed, add it to the trusted certificates of the System organization. See Import Trusted Certificates Using Your VMware Cloud Director Service Provider Admin Portal. If an internal certificate authority signed the certificate, verify that the certificate authority appears in the list of trusted certificates of the System organization. If a well-known certificate authority signed the certificate, no action is necessary.
Activating a cell using the cell management tool command does not update the cell status in the Service Provider Admin Portal
If you use the cell management tool to set the cell status to Active, on the Cloud Cells page of the Service Provider Admin Portal, the status does not appear as active.
Workaround: On the Cloud Cells page of the Service Provider Admin Portal, click the vertical ellipsis next to the cell name, and select Activate. See View and Manage Your VMware Cloud Director Cell Infrastructure.
Fast Cross vCenter vApp instantiation fails when instantiating a template that has VMs with memory
When instantiating a vApp template that has any VMs with memory across vCenter instances, if the conditions are met for VMware Cloud Director to perform a fast cross vCenter instantiation, the instantiation will fail with an INTERNAL_SERVER_ERROR.
Workaround: Deactivate fast cross vCenter instantiations in VMware Cloud Director.
1. Log in to the VMware Cloud Director Service Provider Admin Portal, and in the top navigation bar, click Administration.
2. In the left panel, under Settings, select Feature Flags.
3. Select Fast Cross VC Instantiation Utilizing Shared Storage, and click Disable.
When using the multisite feature, you cannot create and manage VMware Marketplace and Helm chart repository connections from the Service Provider Admin Portal
If you are a service provider and you use the VMware Cloud Director multisite feature, you cannot create and manage VMware Marketplace resources and Helm chart repository resources using the Service Provider Admin Portal.
This issue does not affect tenants.
Workaround: You can use the VMware Cloud Director API to create and manage VMware Marketplace resources and Helm chart repository resources.
Deploying a Helm chart application fails with a Cannot parse "Z" as "-0700" error message
If VMware Cloud Director is running in UTC timezone, attempting to deploy a Helm chart application fails with a Cannot parse "Z" as "-0700" error message.
Workaround:
Option 1: Edit the Content Hub operator on the Kubernetes cluster to use a custom registry. Enter the projects.registry.vmware.com/content_hub/vcd-contenthub-package-repo location as a custom registry and version 1.0.1 as the version of the Content Hub Kubernetes operator package. For information about editing a Kubernetes operator, see Edit a Kubernetes Operator in VMware Cloud Director.
Option 2:
1. Change the timezone of the server on which VMware Cloud Director resides to a non-UTC timezone.
2. Restart the VMware Cloud Director server.
Deploying container applications fails with an Unable to perform this action error message
When deploying a container application, if the description of the application template contains more than 255 characters, the operation fails with an error message.
Unable to perform this action. Contact your cloud administrator.
Workaround: Update the description for the application template to consist of less than 255 characters.
If there are no existing user-created firewall rules on an NSX edge gateway, you might not be able to create a single firewall rule
If there are no existing user-defined firewall rules on an NSX edge gateway and you start the firewall rule creation wizard by clicking New, when you attempt to save the firewall rule that you defined, the wizard becomes suspended in a Please wait... state and the firewall rule is not created.
Workaround: Refresh the page, or click away and back to the Firewall screen, and use the Edit Rules button instead of the New button to start the firewall rule creation wizard.
The VMware Cloud Director quick search does not display results when searching for users, service accounts, and VDC groups
In the Quick Search, entering Users, users/bulk-update, service-accounts, and vdc-groups as search criteria results in a No results found. message.
Workaround: None.
The VMware Cloud Director appliance database disk resize script might fail if the backing SCSI disk identifier changes
The database disk resize script runs successfully only if the backing database SCSI disk ID remains the same. If the ID changes for any reason, the script might appear to run successfully but fails. The /opt/vmware/var/log/vcd/db_diskresize.log shows that the script fails with a No such file or directory error.
Workaround:
1. Log in directly or by using an SSH client to the primary cell as root.
2. Run the lsblk --output NAME,FSTYPE,HCTL command.
3. In the output, find the disk containing the database_vg-vpostgres partition and make note of its ID. The ID is under the HCTL column and has the following sample format 2:0:3:0.
4. In the db_diskresize.sh script, modify the partition ID with the ID from Step 3. For example, if the ID is 2:0:3:0, in line
echo 1 > /sys/class/scsi_device/2\:0\:2\:0/device/rescan
you must change the ID to 2:0:3:0.
echo 1 > /sys/class/scsi_device/2\:0\:3\:0/device/rescan
5. After saving the changes, manually re-invoke the resize script or reboot the appliance.
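The lookup and comparison in the workaround above can be done mechanically. The following is an added example, not VMware's script: it reads lsblk output and the text of db_diskresize.sh, and prints the corrected rescan line when the IDs differ. The function names and both sample inputs are constructed; only the lsblk columns, the database_vg-vpostgres name and the rescan line come from the text.

```shell
#!/bin/sh
# Added example: compare the SCSI ID that db_diskresize.sh rescans with the
# HCTL of the disk that actually backs database_vg-vpostgres.

# Constructed sample of `lsblk --output NAME,FSTYPE,HCTL` (ASCII tree form).
sample_lsblk() {
    cat <<'EOF'
NAME                    FSTYPE      HCTL
sda                                 2:0:0:0
|-sda1                  ext4
`-sda2                  swap
sdb                     LVM2_member 2:0:3:0
`-database_vg-vpostgres ext4
sr0                                 1:0:0:0
EOF
}

# Constructed stand-in for the script; only the rescan line is from the text.
sample_script() {
    cat <<'EOF'
# constructed excerpt
echo 1 > /sys/class/scsi_device/2\:0\:2\:0/device/rescan
EOF
}

# stdin: lsblk output. stdout: HCTL of the top-level disk that holds the
# logical volume named in $1. Exit status 1 if the volume or HCTL is missing.
db_disk_hctl() {
    awk -v lv="${1:-database_vg-vpostgres}" '
        NR == 1 { next }                         # header row
        /^[A-Za-z]/ {                            # top-level device row
            hctl = ($NF ~ /^[0-9]+:[0-9]+:[0-9]+:[0-9]+$/) ? $NF : ""
            next
        }
        index($0, lv) {                          # child row naming the volume
            if (hctl != "") { print hctl; ok = 1 }
            exit
        }
        END { exit (ok ? 0 : 1) }
    '
}

# stdin: script text. stdout: the ID in its rescan line, with "\:" unescaped.
script_rescan_id() {
    sed -n 's#.*/sys/class/scsi_device/\([^/]*\)/device/rescan.*#\1#p' |
        head -n 1 | tr -d '\\'
}

# $1 = lsblk output text, $2 = script text.
# Prints "ok <id>" and returns 0 when the IDs agree; otherwise prints the
# rescan line the script should contain and returns 1 (2 if no disk found).
check_rescan_id() {
    want=$(printf '%s\n' "$1" | db_disk_hctl) || {
        printf '%s\n' "database_vg-vpostgres disk not found in lsblk output"
        return 2
    }
    have=$(printf '%s\n' "$2" | script_rescan_id)
    if [ "$want" = "$have" ]; then
        printf 'ok %s\n' "$want"
    else
        esc=$(printf '%s' "$want" | sed 's/:/\\:/g')
        printf '%s\n' "echo 1 > /sys/class/scsi_device/$esc/device/rescan"
        return 1
    fi
}

# Demo on the constructed samples: the script still points at 2:0:2:0.
check_rescan_id "$(sample_lsblk)" "$(sample_script)" || true
```

On the primary cell, pass live data instead of the samples: `check_rescan_id "$(lsblk --output NAME,FSTYPE,HCTL)" "$(cat <path to db_diskresize.sh>)"`, where the script path is a placeholder because the release note does not give it.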
Upgrading to VMware Cloud Director 10.4.1 or later fails with a Fix postgres user home directory error
When you try to upgrade to VMware Cloud Director 10.4.1 or later, the upgrade fails. The update-postgres-db.log contains the following error.
2023-05-15 16:38:01 | update-postgres-db.sh | Fix postgres user home directory
usermod: user postgres is currently used by process 17236
Other processes that are logged in as the postgres user on the VMware Cloud Director appliance might block the script that upgrades the PostgreSQL major version from 10 through 14.
Workaround:
1. Before starting the VMware Cloud Director upgrade, find any processes that are logged in as the postgres user on the VMware Cloud Director appliance by running ps -u postgres on the appliance.
2. Stop any process that the command returns by running kill -9 <PID>, where PID is the unique process identifier.
Creating an organization VDC Kubernetes policy with provider gateways that uses IP spaces fails
If you configure an IP space backed provider gateway and you create a VDC and an edge gateway based on the same IP space, an attempt to create a Kubernetes policy for this VDC fails with an error message.
com.vmware.ssdc.util.LMException: Index 0 out of bounds for length 0
This happens because the IP space backed edge gateways are not associated with a primary IP address, which is required for the creation of SNAT by the Kubernetes policy.
Workaround: Create VDC and edge gateways with NSX network provider type and provider gateways that use legacy IP blocks.
When starting the VMware Cloud Director appliance, the message [FAILED] Failed to start Wait for Network to be Configured. See 'systemctl status systemd-networkd-wait-online.service' for details appears
The message appears incorrectly and does not indicate an actual problem with the network. You can disregard the message and continue to use the VMware Cloud Director appliance as usual.
Workaround: None.
Creating an organization VDC template with NSX network provider type and provider gateways that uses IP spaces fails
When you attempt to create an organization VDC template with NSX network provider type and provider gateway that uses IP spaces, the operation fails with the following error. Error:Cannot support external Network that is utilizing IP Spaces. Only external networks with legacy IP blocks are supported.
Workaround: Create organization VDC templates with NSX network provider type and provider gateways that use legacy IP blocks.
Changing the storage policy on a virtual disk of a VM fails with a The operation failed because no suitable resource was found error message
If the virtual disk of a VM resides on a remote vSAN datastore, changing the storage policy of the virtual disk results in an error message.
The operation failed because no suitable resource was found
Workaround: To move the VM to a different storage policy, change the virtual disk storage policy to VM default policy and then change the VM storage policy to the desired storage policy.
VMware Cloud Director shows an empty value for the IOPS limit for a VM disk with VC-IOPS enabled storage policy
If you apply a VC-IOPS enabled storage policy with custom reservation, limit, and shares, on a VM disk, VMware Cloud Director displays the values for IOPS reservations, but displays the IOPS limit as empty. This happens because vCenter Server 8U1 introduces a new mechanism for Storage I/O Control (SIOC) which no longer sets the IOPS limit as a VM disk property.
Workaround: None.
You cannot create a deactivated organization using the legacy VMware Cloud Director API
Attempting to use the legacy VMware Cloud Director API organization creation endpoint POST [vcd_public_endpoint]/api/admin/orgs to create a deactivated organization results in a 400 BadRequestException containing the following snippet:
<Error ... stackTrace="com.vmware.vcloud.api.presentation.service.BadRequestException: Unexpected error. unexpected end of subtree
Workaround: Use the VMware Cloud Director OpenAPI endpoint to create a disabled organization. Alternatively, you can use the UI, OpenAPI, or legacy API to create an enabled organization and disable it after creation.
You cannot select Tanzu Kubernetes version 2.0 or later when creating a TKGs cluster
As a tenant, when attempting to create a TKGs cluster, you cannot select a Tanzu Kubernetes cluster version 2.0 and later.
Workaround: To offer and use Tanzu Kubernetes 2.0 and later, use VMware Cloud Director Container Service Extension 4.0.
Migrating VMs between organization VDCs might fail with an insufficient resource error
If VMware Cloud Director is running with vCenter Server 7.0 Update 3h or earlier, when relocating a VM to a different organization VDC, the VM migration might fail with an insufficient resource error even if the resources are available in the target organization VDC.
Workaround: Upgrade vCenter Server to version 7.0 Update 3i or later.
The VMware Cloud Director Tenant Portal UI does not display the IOPS limits and reservations for a vSAN storage policy
vSAN itself manages the IOPS limits on vSAN storage policies. As a result, the VMware Cloud Director Tenant Portal UI does not display the IOPS reservations and limits for a vSAN storage policy and you cannot modify their values.
Workaround: None.
VMware Cloud Director appliance upgrade fails with an invalid version error when FIPS mode is enabled
For VMware Cloud Director versions 10.3.x and later, when FIPS mode is enabled, VMware Cloud Director appliance upgrade fails with the following error.
Failure: Installation failed abnormally (program aborted), the current version may be invalid.
Workaround:
1. Before you upgrade the VMware Cloud Director appliance, deactivate FIPS Mode on the cells in the server group and the VMware Cloud Director appliance. See Activate or Deactivate FIPS Mode on the VMware Cloud Director Appliance.
2. Verify that the /etc/vmware/system_fips file does not exist on any appliance.
3. Upgrade the VMware Cloud Director appliance.
4. Enable FIPS mode again.
You can't view and edit the license type for your previously registered NSX Advanced Load Balancer Controller instances in the VMware Cloud Director API
You can't view and edit the license for your previously registered NSX Advanced Load Balancer Controller instances in the VMware Cloud Director API. This happens because in VMware Cloud Director 10.4, the Controller license type was replaced by a selection between a Standard and a Premium feature set at the Service Engine Group level to provide more flexibility.
Workaround: Use the supportedFeatureSet path for service engine groups and on edge gateways to activate and deactivate the available features.
You cannot create and use VMware Cloud Director VDC templates in VMware Cloud Director service environments that use VMware Cloud on AWS network pools
If you are using only a provider network pool that is backed by VMware Cloud on AWS for your provider VDC, you cannot create a VDC template and instantiate a VDC from a template. This happens because creating and instantiating VDC templates is supported only for provider VDCs backed by NSX-T Data Center and by NSX Data Center for vSphere. You can use VMware Cloud Director VDC templates with on-premises, Microsoft Azure VMware Solution, Oracle Cloud VMware Solution, or Google Cloud VMware Engine SDDCs.
Workaround: None.
Creating a new VM with encrypted vSAN storage policy fails with an Invalid storage policy for encryption operation error message
When creating a new VM, if you specify the storage policy of the VM as vSAN encrypted and the storage policy for the VM hard disk as both non-encrypted and non-vSAN, the operation fails with an error message.
Invalid storage policy for encryption operation
Workaround:
1. Specify the storage policies for the VM and the VM hard disk as vSAN encrypted.
2. After the VM deploys successfully, update the hard disk storage policy for the VM to non-encrypted and non-vSAN. For information, see Edit Virtual Machine Properties.
You cannot connect to VMware Cloud Director through VMware OVF Tool version 4.4.3 or earlier
When you attempt to connect to VMware Cloud Director through OVF Tool version 4.4.3 or earlier, this results in the following error. Error: No supported vCloud version was found. This happens because of an API behavior change in VMware Cloud Director 10.4 where the API does not return links to all the VDCs in an organization.
Workaround: Upgrade to OVF Tool 4.5.0. See VMware OVF Tool Release Notes.
You are unable to log in to VMware Cloud Director by using VMware PowerCLI 12.7.0 or earlier
When you attempt to log in to VMware Cloud Director by using VMware PowerCLI version 12.7.0 or earlier, this results in the following error. NOT_ACCEPTABLE: The request has invalid accept header: Invalid API version requested.
This happens because VMware PowerCLI versions earlier than 13.0.0 do not support VMware Cloud Director API versions later than 33.0. See VMware Product Interoperability Matrix.
Workaround: Upgrade VMware PowerCLI to version 13.0.0.
VMware Cloud Director displays the old version for an upgraded vCenter Server instance
After you upgrade a vCenter Server instance to a newer version, in the list of vCenter Server instances, VMware Cloud Director still displays the old version for the upgraded instance.
Workaround: Reset the connection between the vCenter Server instance and VMware Cloud Director. See Reconnect a vCenter Server Instance in VMware Cloud Director Service Provider Admin Guide.
Refreshing the LDAP page in your browser does not take you back to the same page
In the Service Provider Admin Portal, refreshing the LDAP page in your browser takes you to the provider page instead of back to the LDAP page.
Workaround: None.
Mounting an NFS datastore from NetApp storage array fails with an error message during the initial VMware Cloud Director appliance configuration
During the initial VMware Cloud Director appliance configuration, if you configure an NFS datastore from NetApp storage array, the operation fails with an error message.
Backend validation of NFS failed with: is owned by an unknown user
Workaround: See VMware knowledge base article 93252.
The synchronization of a subscribed catalog times out while synchronizing large vApp templates
If an external catalog contains large vApp templates, synchronizing the subscribed catalog with the external catalog times out. The issue occurs when the timeout setting is set to its default value of five minutes.
Workaround: Using the manage-config subcommand of the cell management tool, update the timeout configuration setting.
./cell-management-tool manage-config -n transfer.endpoint.socket.timeout -v [timeout-value]
In an IP prefix list, configuring any as the Network value results in an error message
When creating an IP prefix list, if you want to deny or accept any route and you configure the Network value as any, the dialog box displays an error message.
"any" is not a valid CIDR notation. A valid CIDR is a valid IP address followed by a slash and a number between 0 and 32 or 64, depending on the IP version.
Workaround: Leave the Network text box blank.
The vpostgres process in a standby appliance fails to start
The vpostgres process in a standby appliance fails to start and the PostgreSQL log shows an error similar to the following. FATAL: hot standby is not possible because max_worker_processes = 8 is a lower setting than on the master server (its value was 16).
This happens because PostgreSQL requires standby nodes to have the same max_worker_processes setting as the primary node. VMware Cloud Director automatically configures the max_worker_processes setting based on the number of vCPUs assigned to each appliance VM. If the standby appliance has fewer vCPUs than the primary appliance, this results in an error.
Workaround: Deploy the primary and standby appliances with the same number of vCPUs.
Upgrading the VMware Cloud Director appliance might result in a Connection to sfcbd lost error message
If you upgrade the VMware Cloud Director appliance, the upgrade operation might report an error message.
Connection to sfcbd lost. Attempting to reconnect
Workaround: You can ignore the error message and continue with the upgrade.
When using FIPS mode, trying to upload OpenSSL-generated PKCS8 files fails with an error
OpenSSL cannot generate FIPS-compliant private keys. When VMware Cloud Director is in FIPS mode and you try to upload PKCS8 files generated using OpenSSL, the upload fails with a Bad request: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: ... not available: No such algorithm: ... error or salt must be at least 128 bits error.
Workaround: Deactivate the FIPS mode to upload the PKCS8 files.
Creation of Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in fails
When you create a Tanzu Kubernetes cluster by using the Kubernetes Container Clusters plug-in, you must select a Kubernetes version. Some of the versions in the drop-down menu are not compatible with the backing vSphere infrastructure. When you select an incompatible version, the cluster creation fails.
Workaround: Delete the failed cluster record and retry with a compatible Tanzu Kubernetes version. For information on the incompatibilities between Tanzu Kubernetes and vSphere, see Updating the vSphere with Tanzu Environment.
If you have any subscribed catalogs in your organization, when you upgrade VMware Cloud Director, the catalog synchronization fails
After upgrade, if you have subscribed catalogs in your organization, VMware Cloud Director does not trust the published endpoint certificates automatically. Without trusting the certificates, the content library fails to synchronize.
Workaround: Manually trust the certificates for each catalog subscription. When you edit the catalog subscription settings, a trust on first use (TOFU) dialog box prompts you to trust the remote catalog certificate.
If you do not have the necessary rights to trust the certificate, contact your organization administrator.
After upgrading VMware Cloud Director and enabling the Tanzu Kubernetes cluster creation, no automatically generated policy is available and you cannot create or publish a policy
When you upgrade VMware Cloud Director to version 10.3.1 and vCenter Server to version 7.0.0d or later, and you create a provider VDC backed by a Supervisor Cluster, VMware Cloud Director displays a Kubernetes icon next to the VDC. However, there is no automatically generated Kubernetes policy in the new provider VDC. When you try to create or publish a Kubernetes policy to an organization VDC, no machine classes are available.
Workaround: Manually trust the corresponding Kubernetes endpoint certificates. See VMware knowledge base article 83583.
Entering a Kubernetes cluster name with non-Latin characters deactivates the Next button in the Create New Cluster wizard
The Kubernetes Container Clusters plug-in supports only Latin characters. If you enter non-Latin characters, the following error appears.
Name must start with a letter and only contain alphanumeric or hyphen (-) characters. (Max 128 characters).
Workaround: None.
NFS downtime can cause VMware Cloud Director appliance cluster functionalities to malfunction
If the NFS is unavailable, for example because the NFS share is full or has become read-only, appliance cluster functionalities can malfunction. The HTML5 UI is unresponsive while the NFS is down or cannot be reached. Other functionalities that might be affected are the fencing out of a failed primary cell, switchover, promoting a standby cell, and so on. For more information about correctly setting up the NFS shared storage, see Preparing the Transfer Server Storage for the VMware Cloud Director Appliance.
Workaround:
Fix the NFS state so that it is not read-only.
Clean up the NFS share if it is full.
Trying to encrypt named disks in vCenter Server version 6.5 or earlier fails with an error
For vCenter Server instances version 6.5 or earlier, if you try to associate new or existing named disks with an encryption enabled policy, the operation fails with a Named disk encryption is not supported in this version of vCenter Server. error.
Workaround: None.
A fast-provisioned virtual machine created on a VMware vSphere Storage APIs Array Integration (VAAI) enabled NFS array, or vSphere Virtual Volumes cannot be consolidated
In-place consolidation of a fast provisioned virtual machine is not supported when a native snapshot is used. Native snapshots are always used by VAAI-enabled datastores, as well as by vSphere Virtual Volumes. When a fast-provisioned virtual machine is deployed to one of these storage containers, that virtual machine cannot be consolidated.
Workaround: Do not enable fast provisioning for an organization VDC that uses VAAI-enabled NFS or vSphere Virtual Volumes. To consolidate a virtual machine with a snapshot on a VAAI or a vSphere Virtual Volumes datastore, relocate the virtual machine to a different storage container.
If you add an IPv6 NIC to a VM and then you add an IPv4 NIC to the same VM, the IPv4 north-south traffic breaks
Using the HTML5 UI, if you add an IPv6 NIC first or configure an IPv6 NIC as the primary NIC in a VM, and then you add an IPv4 NIC to the same VM, the IPv4 north-south communication breaks.
Workaround: First you must add the IPv4 NIC to the VM and then the IPv6 NIC.