Установка LWA VMware на ESXi 7.0

Олег

28 мая 2023

На смену Avago MegaRAID Storage Manager (MSM) для мониторинга и управления LSI RAID контроллерами пришла утилита LSI Storage Authority (LSA). Оно же Avago Lightweight Monitor (LWM).

LSA (LSI Storage Authority Software) — это утилита для операционных систем Windows и Linux, которая предназначена для управления RAID контроллерами LSI/Avago/Broadcom. Утилита позволяет настраивать контроллер, создавать и управлять массивами, кэшированием. Обновлять прошивки. Есть возможность оповещений и фоновой проверки на наличие ошибок.

Так вот для этой утилиты существует пакет для установки на гипервизор ESXi под названием LWA VMware (LW VMAgent).

Тестовый стенд:

Гипервизор ESXi 7.0.3
RAID контроллер LSI MegaRAID SAS 9361-8i

Дистрибутив LWA VMware

Смотрим последнюю версию пакета LWA VMware для своего адаптера.

https://www.broadcom.com/support/download-search

Можно было бы скачать архив vmware-lwm_008.003.012.000-01_20606540-package.zip. Однако, как показывает практика, в нём вырезан сервис LSA и оставлен только LWM, который работает на 9000 порту. Кручу-верчу, запутать хочу. Не наглядно. Потом буду смотреть новую версию, там, наверное, всё ручками без GUI настраивается.

Скачиваем чуть более раннюю версию 008.002.016.000_LWA_ESXi_64.zip (MR 7.22).

=====================
Supported Controllers
=====================
Broadcom 3916 SAS3/PCIe4 Tri-mode RAID on Chip, SAS 3516 Ventura based MegaRAID and iMR, SAS 3108 (Invader) based MegaRAID and iMR, SAS 3008 (Fury) based HBAs,
SAS3816 based IOC, SAS3808 based IOC, SAS3008 based HBAs, Initiator-Target 3 (IT3) controller
9660 Family RAID Adapters, 9670 Family RAID Adapters, 9600 Family eHBA Adapters, 9620 Family eHBA Adapters

===================
Package Information
===================
LSA version = 008.002.016.000
OS supported = VMware ESXi 7.0 U1, 7.0 U2, 7.0 U3c.
Browsers = IE9 or later, Microsoft Edge 94.0, Firefox9 or later and Chrome16 or later
Language(s) supported = English

This package can be installed on ESXi x64 systems (or) platforms.

Установка LWA VMware

В архиве есть ZIP файл — Offline Bundle vmware-lsa_008.002.016.000-01_20140327.zip.

Воспользуемся WinSCP и загрузим его на гипервизор в директорию /tmp.

Включаем на гипервизоре службу SSH и логинимся в консоль гипервизора. Гипервизор у меня в Maintenance Mode.

Устанавливаем пакет:

esxcli software component apply -d /tmp/vmware-lsa_008.002.016.000-01_20140327.zip

Пакет установлен, но требуется перезагрузка. Перезагружаем гипервизор.

Проверим что новая служба работает:

/etc/init.d/lsad status

LSA is running

LWM Service:

Запуск "/etc/init.d/lsad start"
Остановка "/etc/init.d/lsad stop"
Перезапуск "/etc/init.d/lsad restart"
Статус "/etc/init.d/lsad status"

Проверим на каких портах работает служба:

esxcli network ip connection list | grep LSA
esxcli network ip connection list | grep 2463

netstat на ESXi

Службы поднялись, нас интересует та, что на порту TCP 2463.

Firewall

Однако, если мы попробуем зайти снаружи на этот порт, то ничего не получится. Не даёт Firewall.

ESXi 7.0 Firewall

Отключаем его (потом обратно включим. Нам только ~~спросить~~ настроить):

esxcli network firewall set --enabled false

Теперь URL на http://адрес_хоста:2463 открывается.

Настройка LWA VMware

Входим под пользователем root.

Всё прекрасно, видим контроллер, диски. Даже доступно некоторое управление дисками. Есть ограничения, о них можно прочитать в сопроводительной документации или под катом.

Known Restrictions/Issues

LSA is limited to display the history of persistent events only for IR/IT Controller.
Clear Configuration/Any operation- User(s) may see a time-out error(404) with large configuration (Can be Physical Drives (or) Virtual Drives). This is due to an issue in underlying layer, and CLI can be used to overcome this.
Localization-Events are always shown in "English".
It is possible to get a time-out from server. This time-out error is generated at the back-end if resource providing the content takes more time. eg: Fw flash may exceed the default timeout in server. To fix it, user will have to change the lighttd fastcgi_read_timeout variable in server/conf/lighttdp.conf to "300"seconds.
IR/IT Firmware Downgrade is not supported from One Phase to Another Phase due to the limitation in underlying layers. Downgrade is possible within same Phase of firmware.
If data is not updated in LSA as soon as secured Foreign drives are unlocked, as FW is not giving the event to Cache module of LSA. Work Around: Stop and Start the LSA services.
Recommendation is to clear the browser history every time user upgrades/downgrades or installs the software.
LSA does not allow to select PD from non-spanned VD and from Spanned VD
Whenever auto rebuild is enabled multi click PD actions are not updated properly(intermittent) , user has to refresh the page manually.
If user "Add the Virtual Drive(s)" from existing free space on drive group or "Delete virtual drive(s)" from existing drive group then LSA refresh the complete controller page to update configuration information. Due to page refresh mouse reference on page getting removed. So, page may not get scroll up/down if user scroll the page using mouse wheel. User has to click once anywhere on the page then only the page scroll works. Alternatively User can also use the scrollbar.
On fresh installation, LSA can process only the latest 30 events and perform the corresponding alert delivery methods.
VMWare Platform only - Sever may take few minute(s) to populate cache during first login. User will see delay in login response.
Sign in button is not getting enabled by default in Mozilla when user name and password is saved. Work Around: Don’t save the user name and password or click on the user name text box to enable the checkbox
For IT controllers, after Updating/Erasing the UEFI/BIOS from any utility other than LSA ,User should REBOOT the server to take this into effect. Till reboot is complete, LSA will display old UEFI/BIOS details.
Below are the limitations in-case a TR Ready DG present in LSA
1. User cannot Disable/Modify the security and cannot delete the Virtual Drive (or) Clear the configuration,
2. Irrespective of the state of controller/VD state will be optimal and some of the operations might fail on TR DG/VD which is beyond the scope of LSA. Recommendation : Please clear the TR from DG and perform the respective operations.
User may see delay in device display, if Firmware returns wrong state for Physical device(s) call. To see the latest data, user may need to refresh LSA client browser (F5).
It is recommended NOT to perform any operation in LSA during Online Controller Reset
Chrome latest Version 61.0.3163.100 & above has a problem with popup positioning.
View Event Log table will be empty When there are only progress related events.
Please edit LSA.conf file present under "<LSA_HOME>\conf" directory to configure LSA parameters. Each parameter and its usage is described in LSA.conf file
LSA displays connector and enclosure position as "-" in PD related events, in the case of corresponding element is removed from the FW stack
LSA displays extra line separators in other hardware tab during expansion of tree node. Note: This cosmetic observation is not same with different browser and monitor resolutions.
New Property/Operation/Terminology/Events (mismatch) related to Personality/TFM Management:The PR:SCGCQ01816544/SCGCQ01816546 in place to handle in the future releases.
1. LSA may not provide newly added properties/operation(s) compared with other Apps which results the terminology/operation/events mismatch.
2. New Events: LSA will not be handling any events and associated health changes will not be reflected.
User may observe "504 - Gateway Timeout" error during enclosure(s) insertion with more Foreign (or) UBAD (or) combination of Foreign and UBAD drives. Since under layer line also contributing for this behavior, as a workaround user should refresh the LSA page manually after waiting adequate time.
Intermittently Client pages might not get refreshed, when user modifies the default settings in a conf file. Workaround: Refresh the browser manually
It is recommended NOT to perform zoom related operation on browser until monitor resolution is low
If user performs any action(like Configuration,etc.,) from Server summary page and perform manual refresh anytime user will be redirected to the initially selected Action page.
LSA when launched with Linux Native Mozilla Firefox and kept idle for more than half an hour, LSA will become slow. Root Cause: Mozilla is sending multiple long poll calls on page refresh or moving across server landing and control console page. Similar bugs has been Raised with bugzilla, please find below the reference links https://bugzilla.mozilla.org/show_bug.cgi?id=1126689, https://bugzilla.mozilla.org/show_bug.cgi?id=1522781 Work Around: Logout, Close the browser and relaunch the LSA.
User will see the default values displayed initially , once the user gets response table will be populated with proper data.
Converting JBOD PD from JBOD to UG, applications will display different action menu name LSA displays it as "Make unconfigured good"
If the same Dedicated Hot Spare is assigned to multiple Drive Groups, User may see inconsistency in Element Count and DHSP Element selection checkboxes(Controller Page).
In MR, though the PR is running at the PD level, it is a controller level operation. So, Individual PD Patrol Read progress bar will not disappear after completing 100%, When all the PD's progress bar completes 100%, then only all PDs progress bars disappears.
Due to lower layer behavior, all EPD related events follows the FW event description and can not be localized.
As per lower layer behavior, only limited non-persistent events are maintained in its memory. In this case, those non-persistent event's sequence number would not be constant but it would be aligned with persisted events in sequential order.
ESXI specific
1. SLP is not packaged, hence this LSA shall be used as standalone
2. ldap is not supported in this build
3. In LW VMAgent (LWA) if user wants to initiate scheduler wrapper, configure "server":2 in /opt/lsa/server/html/files/Configfile.json
4. LWA has acceptance level accepted, as it needs non partner supported filesystem access to gain superDom privileges, DCPN 00098378 contains more details
5. Since openssl communication failure, Email feature with SSL support is not working in ESXi 7.0 U1. Note: Issue not seen in ESXi 7.0 U3c
Issues such as failing to download reports can occur if there is not enough free disk space on the ESXi host. In this case, user may requires to restart the LSA service to come out of download progress.
Below CVE fixes has been part of the OpenSLP that is bundled along with LSA/RWC3 though some of the Scan tools will still display the below CVE's
CVE-2016-4912
CVE-2016-7567
CVE-2019-5544
Due to lower layer limitation, in the case of offline FW update, LSA not updating the health message or icon regarding system reboot required
User can not clear the configuration when VD(s)/JBOD(s) with OS/FS/Unknown Boot partition (cannot be read). In this case, user has to go to specific VD(s) and delete them.
User is expected to refresh the browser on drive removal and insertion to see the updated data
After LSA uninstallation, delete the folder “LSIStorageAuthority” from the location “/opt/lsi”. This step can be ignored if the user reboots the server after LSA uninstallation.
User(s) might see the "FAULT" alert notification if there is any event pertaining to the "FAULT". GUI might not have the provision for the user(s) to Configure this option as part of Alert Delivery settings, but user(s) by default receive this notification.
User(s) will not be able to see the PBLP component image and it's version details, if user(s) is trying to flash/upgrade the fw using the Vision(vsn) package.

Самое интересное, что у нас здесь есть, это настройка почтовых уведомлений.

Если диск выйдет из строя, то мы получим сообщения на почту. Но есть некоторые минусы.

Исходящие на 25 порт и входящие на 2463 порт закрыты

Нужно или отключать Firewall или писать своё правило для Firewall, что не так просто, но возможно. В будущих статьях я расскажу как можно собрать свой VIB пакет и сделать новое правило для Firewall.

P.S. Собрал для этого VIB файл с правилами Firewall:

ESXi 7.0 Firewall — добавляем своё правило

После перезагрузки ваши настройки слетают

Нужно заново вносить изменения, это большая проблема. Её можно решить несколькими способами. Например, вручную или скриптом править конфигурационный файл /opt/lsi/LSIStorageAuthority/conf/monitor/config-current.json.