The systemMediaSize Boot Option Added in ESXi 7.0 Update 1c

This week VMware released ESXi 7.0 Update 1c. While reading the release notes, I found a passage that is quite interesting.

With ESXi 7.0 Update 1c, you can use the installer boot option systemMediaSize to limit the size of system storage partitions on the boot media. If your system has a small footprint that does not require the maximum 138 GB system-storage size, you can limit it to the minimum of 33 GB. The systemMediaSize parameter accepts the following values:

  • min (33 GB, for single disk or embedded servers)
  • small (69 GB, for servers with at least 512 GB RAM)
  • default (138 GB)
  • max (consume all available space, for multi-terabyte servers)

The selected value must fit the purpose of your system. For example, a system with 1TB of memory must use the minimum of 69 GB for system storage. To set the boot option at install time, for example systemMediaSize=small, refer to Enter Boot Options to Start an Installation or Upgrade Script. For more information, see VMware knowledge base article 81166.

My understanding of this boot option: previously, ESXi 7.0 would by default take up to about 138 GB of the disk, which is the "default" value mentioned above (this covers BOOTBANK1, BOOTBANK2 and OSDATA; when the disk is an HDD, OSDATA is not used as virtual flash and its type is VMFS-L, and when the disk is an SSD, OSDATA is also used as virtual flash and its type is VFFS). I wrote earlier that the size of OSDATA can be adjusted by setting autoPartitionOSDataSize (https://virtualtips.info/?p=42), but that method is not an officially supported solution.

The systemMediaSize parameter can be understood as VMware officially providing several presets for this (min, small, default, max). We can press Shift+O before the installer boots and add the parameter systemMediaSize=min, or append a parameter such as systemMediaSize=min to the kernelopt=runweasel line in the boot.cfg file on the installation media, so that the installer applies it automatically:

kernelopt=runweasel systemMediaSize=min

After installation, the disk layout looks roughly like the figure below; the system partitions take up about 33 GB.
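The boot.cfg edit described above, done programmatically, as an added example that is not part of the original post. The sample boot.cfg is constructed (only its kernelopt line is taken from the post), and the accepted values are the four from the release notes; an existing systemMediaSize option is replaced rather than duplicated.

```python
"""Added example: add or replace systemMediaSize on the kernelopt line of an
ESXi 7.0 Update 1c installer boot.cfg without duplicating the option."""
from typing import Optional

# Values accepted by systemMediaSize according to the release notes quoted above.
VALID_SIZES = ("min", "small", "default", "max")

# Constructed sample of the relevant part of an installer boot.cfg; the
# kernelopt line matches the one in the post.
SAMPLE_BOOT_CFG = """bootstate=0
title=Loading ESXi installer
timeout=5
prefix=
kernel=/b.b00
kernelopt=runweasel
modules=/jumpstrt.gz --- /useropts.gz --- /features.gz
"""


def get_system_media_size(boot_cfg: str) -> Optional[str]:
    """Return the systemMediaSize currently set on the kernelopt line, or None."""
    for line in boot_cfg.splitlines():
        if line.startswith("kernelopt="):
            for opt in line[len("kernelopt="):].split():
                if opt.startswith("systemMediaSize="):
                    return opt.split("=", 1)[1]
    return None


def set_system_media_size(boot_cfg: str, size: str) -> str:
    """Return boot_cfg with systemMediaSize=<size> appended to kernelopt.
    An existing systemMediaSize option is removed first so the line never
    carries two conflicting values; unknown sizes and a missing kernelopt
    line are errors rather than silent no-ops."""
    if size not in VALID_SIZES:
        raise ValueError(f"systemMediaSize must be one of {VALID_SIZES}, got {size!r}")
    out, found = [], False
    for line in boot_cfg.splitlines():
        if line.startswith("kernelopt="):
            found = True
            opts = [o for o in line[len("kernelopt="):].split()
                    if not o.startswith("systemMediaSize=")]
            line = "kernelopt=" + " ".join(opts + [f"systemMediaSize={size}"])
        out.append(line)
    if not found:
        raise ValueError("boot.cfg has no kernelopt line")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    patched = set_system_media_size(SAMPLE_BOOT_CFG, "min")
    print(patched)  # kernelopt line becomes: kernelopt=runweasel systemMediaSize=min
```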

Custom Thumbprints for Horizon 7

Since VMware Unified Access Gateway 3.4, custom thumbprints allow the use of separate certificates for Blast TCP and VMware Tunnel connections. The configuration can be done in the UAG administrative console or through the PowerShell INI file, according to https://techzone.vmware.com/blog/whats-new-vmware-unified-access-gateway-34.

Before this improvement, the Horizon native client would run into a certificate thumbprint mismatch if you used Nginx as a reverse proxy in front of a Unified Access Gateway for Horizon View.

Here’s an example:

Reverse Proxy: nginx.bj.st

UAG: 10.117.43.230 gateway-04.uag.com (the backend interface is in the 172.16/16 subnet, which connects to the Horizon Connection Server)

Horizon Connection Server: 172.16.1.104 rp-01.uag.com

Disable Tunnel and BSG on the Horizon Connection Server.

Enable Tunnel and BSG on the UAG, with the external URLs using nginx.bj.st.

Nginx configuration:

Create a configuration file for Nginx as /etc/nginx/endtoendencryption.conf:

stream {
    upstream UAGservergroup {
        # Please make sure the correct IP of the UAG is entered here
        server 10.117.43.230:443;
    }
    upstream ABSGservergroup {
        # Please make sure the correct IP of the UAG is entered here
        server 10.117.43.230:8443;
    }

    server {
        listen 443 ssl;
        # This is the internet to nginx traffic SSL termination related data
        ssl_certificate     /etc/nginx/keys/nginx.crt;
        ssl_certificate_key /etc/nginx/keys/nginx.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers off;
        ssl_session_cache   shared:SSL:1m; # a 1mb cache can hold about 4000 sessions
        ssl_session_timeout 24h;
        #keepalive_timeout 300; # up from 75 secs default

        # This is the new SSL session between nginx and the backend server
        proxy_ssl  on;
        proxy_pass UAGservergroup;
    }
    server {
        listen 8443 ssl;
        # This is the internet to nginx traffic SSL termination related data
        ssl_certificate     /etc/nginx/keys/nginx.crt;
        ssl_certificate_key /etc/nginx/keys/nginx.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers off;
        ssl_session_cache   shared:SSL:1m; # a 1mb cache can hold about 4000 sessions
        ssl_session_timeout 24h;
        #keepalive_timeout 300; # up from 75 secs default

        # This is the new SSL session between nginx and the backend server
        proxy_ssl  on;
        proxy_pass ABSGservergroup;
    }
}

Notice that both 443 and 8443 are configured, and that ssl_certificate and ssl_certificate_key must point to the certificate and key files Nginx presents to clients.

Edit /etc/nginx/nginx.conf and add “include /etc/nginx/endtoendencryption.conf;” after the closing brace of the http block, since the stream context must sit at the top level of nginx.conf rather than inside http:

http {
...
...
}
include /etc/nginx/endtoendencryption.conf;

Run “nginx -t” to validate the configuration and “service nginx reload” to reload it.
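To see exactly which certificate thumbprint the Horizon client encounters at each endpoint (the value that differs from the UAG's own certificate once Nginx terminates TLS, which is what triggers the mismatch), here is an added example in Python, not code from the original post. The host names and ports are the ones listed above; the "sha1=AA:BB:..." rendering is assumed to match the form used in Horizon and UAG thumbprint fields.

```python
"""Added example: compute and compare the TLS certificate thumbprints a
Horizon client sees at the Nginx reverse proxy and at the UAG behind it."""
import hashlib
import ssl
from typing import Dict, List


def thumbprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Thumbprint of a DER-encoded certificate, rendered as 'sha1=AA:BB:...'.
    The 'sha1=' / 'sha256=' prefix form is assumed here to match the Horizon
    and UAG thumbprint fields; check the documentation for your version."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return f"{algo}=" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_thumbprint(host: str, port: int, algo: str = "sha1") -> str:
    """Fetch the leaf certificate presented at host:port and hash it.
    ca_certs=None disables chain verification on purpose: the goal is to
    record exactly what the endpoint presents, trusted or not."""
    pem = ssl.get_server_certificate((host, port), ca_certs=None)
    return thumbprint(ssl.PEM_cert_to_DER_cert(pem), algo)


def mismatches(expected: str, observed: Dict[str, str]) -> List[str]:
    """Endpoints whose presented thumbprint differs from the one the client
    expects, i.e. the thumbprint advertised for the Blast/Tunnel endpoint."""
    return sorted(ep for ep, tp in observed.items() if tp != expected)


if __name__ == "__main__":
    # Addresses from the post: the Nginx reverse proxy and the UAG behind it.
    proxy, uag = "nginx.bj.st", "10.117.43.230"
    observed = {f"{h}:{p}": fetch_thumbprint(h, p)
                for h in (proxy, uag) for p in (443, 8443)}
    for endpoint, tp in observed.items():
        print(f"{endpoint:24} {tp}")
    # Without custom thumbprints the client expects the UAG's own certificate,
    # so every proxy endpoint presenting the Nginx certificate is listed here.
    print("differs from UAG:443 ->", mismatches(observed[f"{uag}:443"], observed))
```

The proxy's thumbprint reported here is the one the client will actually validate against; once it matches what the UAG advertises, the list of mismatches for the proxy endpoints is empty.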

UAG configuration:

Connect to the Nginx hostname from the Horizon native client and launch a VDI desktop or application via the Blast protocol; the issue should be resolved.