What's New in vSphere 8 Update 2?
It's that time again to announce the latest vSphere release. Introducing vSphere 8 Update 2. See our latest vSphere announcement blog article. For what's new in vSphere+ check out this article. View our video on what's new in vSphere with vSphere+ and vSphere 8 U2 or continue reading this article for details on vSphere 8 U2.
What's New in Previous Releases?
In case you missed all the great new features and enhancements already released in vSphere 8, check out the following articles.
'%3E%3Cpath id='Rectangle_1' data-name='Rectangle 1' d='M0,0H800V300H0Z' transform='translate(2297 58)' fill='%23E2F0D9'/%3E%3Cg id='Group_5' data-name='Group 5' transform='translate(-6 -3)'%3E%3Ctext transform='translate(2534 206)' font-size='50' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ECurated Assets%3C/tspan%3E%3C/text%3E%3Ctext transform='translate(2627 259)' font-size='20' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ECard (2 columns)%3C/tspan%3E%3C/text%3E%3C/g%3E%3C/g%3E%3C/svg%3E)
Enhance Operational Efficiency
Doing maintenance operations in vSphere can be tedious and often required downtime of vCenter for up to one hour or sometimes even longer. When some activity requires downtime, customers may be reluctant to perform the task in their preferred timeline.
In vSphere 8 Update 2, we are making significant improvements to several areas of maintenance to reduce and in some cases eliminate this need need for downtime so vSphere administrators can make those important maintenance changes without having a large impact on the wider vSphere infrastructure consumers.
These enhancements include, reduced downtime upgrades for vCenter, automatic vCenter LVM snapshots before patching and updating, non-disruptive certificate management, and reliable network configuration recovery after a vCenter is restored from backup.
Reduced Downtime Upgrade
First, let’s talk about patching and updating. We’ve all patched vCenter instances and we know that task can often take a long time to complete, and during that time, vCenter services are offline. We introduced Reduced Downtime Upgrade as a new method to update vCenter instances with vSphere+. We’re bringing that same functionality to on-premises vCenter instances that are not connected to vSphere+.
What’s different about this method of updating?
Reduced Downtime Upgrade uses a migration-based approach for going from one build of vCenter to a newer build of vCenter. It’s not unlike the existing method to do a major vCenter upgrade, from version 7 to version 8 for example, but does have a significant difference.
Using a migration-based method, a new vCenter appliance is deployed and all vCenter data and configuration is copied from the current vCenter to the new vCenter, again similar to a major vCenter upgrade. The key difference is that during this data and configuration copy phase, the current vCenter and all its services remains online and vCenter can continue its productivity. The only vCenter service downtime that is incurred is a few short minutes when the current vCenter services are stopped, and the new vCenter services are started. This typically takes less than 5 minutes.
vCenter reduced downtime upgrade is supported for single self-managed vCenter instances initially. It does not support vCenter instances enabled with vCenter HA or vCenter instances participating in Enhanced Linked Mode (ELM). vCenter reduced downtime upgrade is supported to update vCenter instances running version 8.0 or 8.0 U1 to 8.0 U2 and will support updating 8.0 U2 to future versions.
Let’s take a deeper look at each of the 5 steps during a reduced downtime upgrade.
- Mount ISO
- Mount the target version vCenter installation media to the source vCenter appliance. This is the full installation ISO and not the patch ISO.
- Backup
- Confirm that a backup of the source vCenter has been taken.
- Update Plugin
- The vCenter lifecycle service is updated in-place on the source vCenter. This is to allow for the orchestration of the target vCenter version and is the only active change made to the source vCenter.
- Configure new vCenter
- Configure the target vCenter appliance. This includes VM name, temporary root password, temporary network identity, and VM compute and storage placement. You can easily choose to inherit the compute and storage placement of the source vCenter, but you also have the option to customize the placement. During the final phase of the upgrade, the target vCenter will inherit the source vCenter’s root password and network identity.
- Upgrade & Switchover
- The new vCenter appliance is deployed and configured and both appliances remain online and the source vCenter can continue to be used as normal. Data and configuration replication will continue indefinitely between the source and target vCenter appliances.
- Lastly, the administrator initiates the Switchover from the source vCenter to the target vCenter. This is is the only instance of downtime for vCenter services and typically will last less than 5 minutes. Switchover can be done immediately, a day later, a week later there is no hard requirement.
Check out this demo video for a look at vCenter Reduced Downtime Upgrade in action.
Resilient vCenter Patching
You’ll notice since vSphere 8 and more so now in vSphere 8 U2, that the product displays clearer and more obvious guidance that a vCenter backup should be taken and checkboxes that indicates the administrator acknowledges that a backup was taken. Frequent vCenter backups are a key aspect of any vSphere environment and if you don’t have a backup procedure in-place today, I would strongly advise implementing one. Disasters and accidents happen – be prepared.
One such activity where it is crucial to take a backup before performing is patching and updating vCenter. You will now see a pre-check message indicating 1) if the native file-based backup feature is not being used or 2) if file-based backup is being used, the message will tell you how old the last back is. Giving you information that you may want to take a more recent backup.
In addition to these expanded pre-check messages, vCenter 8 Update 2 will automatically perform a LVM (logical volume manager) snapshot before a patch/update task. It’s important to understand that this is not a VM-level snapshot, nor is it an automatic file-based backup. It is an OS-level snapshot.
LVM Snapshots are space-efficient point-in-time copies of LVM volumes. It works only with LVM volumes and consumes the space only when changes are made to the source logical volume compared to snapshot volume.
In the event of a vCenter patch failure, you now have the option to rollback to the last vCenter backup version. Using this function will restore to vCenter to the LVM snapshot point-in-time that was taken before any patching attempt took place.
This functionality is not a replacement for full file-based vCenter backups or a VM-level snapshot of the vCenter appliance. It is strongly advised to take frequent file-based vCenter backups – use the automatic backup scheduler and let it do the job for you.
Check out this demo video for a look at vCenter Resilient Patching in action.
Non-disruptive Certificate Management
vSphere 8 Update 2 introduces non-disruptive certificate management. This means vSphere administrators can renew and replace the vCenter SSL/TLS certificate without requiring service restarts. External solutions, like VMware NSX, may require re-authentication to vCenter after a certificate is changed. With industry best practice encouraging the reduction in the maximum validity of TLS certificates, vSphere administrators can adhere to these best practices and perform annual certificate renewals without impacting vCenter productivity.
Check out this demo video for a look at vCenter Non-disruptive Certificate Management in action.
Reliable Network Configuration Recovery
We mentioned earlier that disasters and accidents happen – be prepared. vCenter backups are a point-in-time and when you restore from a backup, you are going back to that point-in-time. This reinforces the advice to implement frequent backups. vSphere environments can be very dynamic. VMs being created, hosts being added or removed, and virtual networks being created or deleted.
In vSphere 8 Update 2 we are expanding the Distributed Key-Value Store to include vSphere Distributed Switch configuration, including vSphere Distributed Switch instances used by VMware NSX. (In addition to the host-cluster membership from vSphere 8).
Now, when a vCenter is restored from a backup, the most current vSphere Distributed Switch information residing in the ESXi cluster will be pushed up to and reconciled with the vSphere Distributed Switch information in the vCenter database. The best way to understand this enhancement is to see it in action. In the following video we show the result of vCenter going back-in-time and the context of vSphere 8 U1 to show the inconsistency in the vSphere Distributed Switch and then the exact same operation in vSphere 8 U2 to show that the vSphere Distributed Switch information is reconciled.
Check out this demo video for a look at vCenter Reliable Network Configuration Recovery in action.
vSphere Identity Federation with Azure AD
'%3E%3Cpath id='Rectangle_1' data-name='Rectangle 1' d='M0,0H800V300H0Z' transform='translate(2297 -300)' fill='%23E2F0D9'/%3E%3Cg id='Group_5' data-name='Group 5' transform='translate(-6 -3)'%3E%3Ctext transform='translate(2534 -152)' font-size='50' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ECurated Assets%3C/tspan%3E%3C/text%3E%3Ctext transform='translate(2683 -99)' font-size='20' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ECard%3C/tspan%3E%3C/text%3E%3C/g%3E%3C/g%3E%3C/svg%3E)
Identity management and multi-factor authentication is a big part of security nowadays. We are adding direct support for cloud identity providers. In vSphere 8 Update 1 we started with Okta, and in vSphere 8 Update 2 we are expanding our identity provider support to Azure Active Directory.
Support for Azure AD will be a boon to many organizations, but VMware still supports several authentication services into the future. Good old AD over LDAPS is sticking around, as is support for ADFS. Okta Identity was added in vSphere 8 Update 1, too. Federated identity means that vSphere never sees user credentials, which helps both security and compliance efforts. It works just like most web authentication services everyone is used to, where you are redirected to the service, and redirected back once you authenticate.
Enhanced vSphere Lifecycle Manager vSAN Witness Support
vSphere Lifecycle Manager has supported vSAN witness nodes since vSphere 7 Update 3. In that release, the vSAN witness node is automatically managed remediated alongside the vSAN cluster by vSphere Lifecycle Manager. In vSphere 8 Update 2, vSphere Lifecycle Manager is expanding vSAN witness node support to account for shared vSAN witness nodes. This allows you manage the image definition of the vSAN witness node independently of the vSAN cluster(s) it is a member of.
vSphere Configuration Profiles Draft Management
vSphere Configuration Profiles cluster configuration can be edited and applied from the vSphere Client. No requirement to export the configuration to a JSON document to make changes, although you can still do that if you choose or if you want to export and import configuration from one cluster to another.
Check out this demo video for a look at vSphere Configuration Profiles Draft Editing in action.
Streamlined Windows Guest Customization
Something quick and easy but a welcome improvement when deploying Windows VMs. You can now specify the OU path when creating customization specs and have Windows VMs deployed and customized using this specification to join Active Directory at the desired OU path.
Descriptive Error Messages when Files are Locked
Another small, but incredibly useful improvement is to the error message seen when VM files are locked. For example, in a scenario that a VM cannot be powered-on on the host it is currently registered to, the message will now detail the file being locked and the host which currently has the lock. VM files can become locked during unexpected disaster scenarios like a storage outage. Locked files are not common but can happen.
The message tells you the file being locked, the host (hostname) trying to access the file, the host (IP) with the lock and MAC address of a NIC on the host with lock.
Supercharge Workload Performance
vSphere is the best platform to run GPU intensive workloads, including large language models and generative AI. vSphere 8 Update 2 introduces support for even more GPU resources per virtual machine and makes better placement and migration decisions for GPU workloads.
Improved Placement for GPU Workloads
In previous releases, placement of vGPU enabled VMs can result in a fragmentation. The distribution of vGPU enabled VMs can result in a scenario where no single host can satisfy the vGPU profile of a new VM. For example, in the diagram, we have three ESXi hosts in a cluster, each with 4 physical GPUs. Each host currently has one VM where that VM is consuming 2 GPUs in its vGPU profile. A new vGPU enabled VM is deployed that intends to consume 4 GPUs using the assigned vGPU profile. Across the entire cluster we have available GPUs however no one host has 4 available GPUs to satisfy the VM requirements. In previous releases, the new VM would not be able to be automatically placed and powered on.
In vSphere 8 Update 2, DRS automatically “defragments” the vGPU enabled VMs to accommodate the new VM.
A vGPU enabled VM is migrated to make room for the new incoming VM (1) and the new VM is placed on the appropriate host that can satisfy the vGPU profile (2). In vSphere 8 Update 2, DRS makes better placement decisions for vGPU enabled VMs to avoid the above scenario from happening where possible and avoid a vGPU enabled VM needing to migrate. This functionality supports vGPU enabled VMs where entire physical GPUs are consumed by a single VM. It does not support vGPU enabled VMs that are using “slices” of a physical GPU.
Quality of Service for GPU Workloads
vGPU enabled VMs are more sensitive to vSphere vMotion stun times. vSphere 8 Update 2 makes a calculation based on the running environment to determine the estimated maximum stun time length a specific VM might experience during a migration. This allows administrators to understand the potential impact to the GPU workloads during migrations. It also allows administrators to define a maximum allowed stun time length (in seconds) and disallow migrations that exceed this value, enforcing a quality-of-service policy that disallows migrations that may interrupt workloads.
This quality-of-service maximum allowed stun time length can be defined at a cluster level or at an individual VM level.
More Vroooom for your VM with Hardware Version 21
Virtual Machine hardware version 21 (ESXi Compatibility 8.0 Update 2 and later) increases some virtual machine maximums for vGPU and vNVMe as well as the latest guest operating system support.
- 16 vGPU devices per VM
- 256 vNVMe disks per VM (64 x 4 vNVMe adapters)
- NVMe 1.3 support for Windows 11 and Windows Server 2022
- NVMe support for Windows Server Failover Clustering (WSFC)
- Guest OS selection for RHEL 10, Oracle Linux 10, Debian 13 and FreeBSD 15
Accelerate Innovation for DevOps
vSphere 8 Update 2 makes it easier than ever to activate vSphere with Tanzu and expands the self-service capabilities for DevOps users.
Streamlining Supervisor Cluster Deployments
Since its introduction in vSphere, we have made steady improvements to the enablement of vSphere with Tanzu Supervisor Clusters. Another improvement we've added to simplify the enablement process in vSphere 8 U2 is the ability to export and import Supervisor configuration.
It is very easy to export the Supervisor Cluster deployment configuration to a simple JSON format export. You can re-use this JSON export to quickly deploy additional Supervisor Clusters hosted by vSphere 8 Update 2 using the same settings and changing the cluster specific values. The Supervisor Cluster deployment configuration can be imported into additional vCenter instances.
The Supervisor Cluster deployment configuration can be exported at the end of the deployment workflow, but it can also be exported from running Supervisor Clusters. In addition, there is a Clone Config option which provides a quick method to re-use the selected Supervisor Cluster’s configuration to deploy a new Supervisor Cluster in the same vCenter environment.
Check out this demo video for a look at Supervisor Cluster Import & Export in action.
Expanding NSX Advanced Load Balancer Support
Starting with NSX-T version 3.2.0, the NSX-T Load balancer is deprecated and, in upcoming releases, will be removed completely. VMware is encouraging its customers to migrate to NSX Advanced Load Balancer (NSX-ALB), VMware’s flagship load balancing product, as an alternative to NSX-T Load Balancer (NSX-T LB).
Support for the built-in NSX load balancer for customers using NSX-T Data Center 3.x will remain for the duration of the NSX-T Data Center 3.x release series. Support for the built-in NSX load balancer for customers using NSX 4.x will remain for the duration of the NSX 4.x release series. Details for both are described in the VMware Product Lifecycle Matrix. We do not intend to provide support for the built-in NSX load balancer beyond the last NSX 4.x release.
Starting with vSphere 8 Update 2, vSphere with Tanzu supports the use of the NSX ALB for environments using the NSX networking stack, instead of the deprecated NSX LB. vSphere with Tanzu already supports the NSX ALB when using the vSphere Distributed Switch networking stack.
Windows VM support for VM Service
vSphere 8 Update 1 introduced support for the VM Service to deploy and customize Linux based virtual machines from a content library. vSphere 8 Update 2 expands this functionality to Windows based virtual machines.
DevOps users can use kubectl to deploy and customize Windows VMs to their namespaces. Windows guest customization data, using the standard SysPrep format, is encapsulated as a secret and included in the VM deployment specification.
See https://vm-operator.readthedocs.io/en/latest/concepts/workloads/guest/ for more details on VM service guest customization.
Self-Service VM Image Registry
DevOps users can deploy VMs from a content library using the VM service. But what about publishing VMs to a content library? In previous releases, only a vSphere administrator could publish new templates to a content library. In vSphere 8 Update 2, the vSphere administrator can assign writable permissions on a content library assigned to a namespace.
This allows DevOps users to publish new VM templates to the assigned content library and the library acts as a VM registry for the namespace. More than one namespace can have writable permissions on a content library and more than one content library can be made available and writable from a namespace.
What's Next?
Check back right here at core.vmware.com for more in depth content on the latest vSphere features and functionalities. Don't forget to check out the VMware vSphere YouTube channel for additional content, including demo videos, breakroom chats and vSphere LIVE events.
vSAN Max™: VMware's new disaggregated storage offering that provides Petabyte-scale centralized shared storage for your vSphere clusters.