Script to answer question: On how many hosts my VMs can run after HTAware Mitigation

When enabling the ESXi Side-Channel-Aware Scheduler (the mitigation for the L1 Terminal Fault vulnerability, CVE-2018-3646) on a cluster or on single hosts, you should use the VMware HTAware Mitigation Tool to analyze resources and to enable it.

There are a few limitations after applying and enabling the VMware L1TF patches on ESXi hosts (available since August 2018). One of them is that a VM configured with n vCPUs can only run on hosts with at least n physical cores. It is also not good practice to run a VM with n vCPUs on a host with exactly n physical cores.

There is an important limitation of the VMware Mitigation Tool. When analyzing a cluster, the tool only checks whether each VM could still run on its current host after mitigation. If not, the VM is red-coded in the report. That makes sense. But when the current host is the only host in the cluster the VM can run on after mitigation, the VM is still marked green!

You can use my PowerCLI function to show on how many hosts the VMs can run. For every VM you get the number of hosts in the cluster the VM can run on after enabling the Side-Channel-Aware Scheduler.

Input

Before using the function, a connection to a vCenter has to be established.

Parameters:

  • ClusterPattern
    No input means all clusters are taken into account.
    Any other input is treated as part of the cluster name.
  • HTAwareMitigationAnalysis
    When set to $true (default) and your current directory contains the unzipped VMware HTAware Mitigation Tool, Get-HTAwareMitigationAnalysis is triggered for the selected clusters.
  • TopVMs
    Number of top VMs, i.e. the VMs configured with the most vCPUs. Default is 10.

Output

Output is an HTML file for each cluster, named cluster-name + “_vCPUReport.html”.
When HTAwareMitigationAnalysis is set, the Mitigation Tool's reports, named after the cluster, are written too. All files are generated in the current directory.

function Get-vCPUAnalysis ($ClusterPattern='', [switch]$HTAwareMitigationAnalysis=$true, [int]$TopVMs=10)  {

    # .NOTES
    # ===========================================================================
    # Blog:           vnote42.net
    # Twitter:        @vnote42
    # Version:        1.0
    # ===========================================================================
    # .SYNOPSIS
    #     Function shows on how many hosts in a cluster top VMs can run after L1 Terminal Fault vulnerability is mitigated. 

    # .DESCRIPTION
    #     Function generates an html file for each cluster and shows on how many hosts in a cluster top VMs can run after L1 Terminal Fault vulnerability is mitigated.
    #     When the VMware HTAware Mitigation Tool is unzipped in your current directory, the function uses the tool to
    #     show the current mitigation status. Furthermore the HTAware Mitigation Tool can be used to performance-analyze the selected clusters.

    # .PARAMETER ClusterPattern
    #     No input means to take all clusters into account.
    #     When using the exact name, just this cluster is analyzed.
    #     All other inputs are taken as part of the cluster name.

    # .PARAMETER HTAwareMitigationAnalysis
    #     When set to true and your current directory contains unzipped VMware HTAware Mitigation Tool, Get-HTAwareMitigationAnalysis
    #     is triggered for selected clusters.
    #     Default: $true

    # .PARAMETER TopVMs
    #     Number of Top-VMs configured with most vCPUs.
    #     Default: 10

    # .OUTPUTS
    #     Output is a html-file for each selected cluster. Name: cluster-name + "_vCPUReport.html".
    #     When HTAwareMitigationAnalysis is set, these files - named after cluster - are output too. All files are generated in the current directory.

    # .EXAMPLE
    #     Get-vCPUAnalysis
    #     All clusters of current connection are analyzed.

    # .EXAMPLE
    #     Get-vCPUAnalysis -ClusterPattern Cluster
    #     Clusters, containing "cluster" are analyzed, including VMware HTAware Mitigation Tool, if available.

    # .EXAMPLE
    #     Get-vCPUAnalysis -HTAwareMitigationAnalysis:$false
    #     All clusters are analyzed, without VMware HTAware Mitigation Tool.

    # The Mitigation Tool is optional: use it only when its module is present in the current directory
    [Switch]$HTAwareMitigationInstalled = $false
    if (Test-Path -Path .\HTAwareMitigation.psd1) {
        Import-Module .\HTAwareMitigation.psd1 -ErrorAction Ignore
    }
    if ($null -ne (Get-Module HTAwareMitigation)) { $HTAwareMitigationInstalled = $true }

    $ClusterPattern = '*'+$ClusterPattern+'*'

    foreach ($Cluster in (Get-Cluster $ClusterPattern)) {
        $VMsCPU = @()
        $VMhostsCPU = @()

        foreach ($VM in ($Cluster | Get-VM)) {
            # NumCoresPerSocket is unset on some older VM hardware versions; treat that as 1 core per socket to avoid a division by zero
            $CoresPerSocket = [int]$VM.ExtensionData.Config.Hardware.NumCoresPerSocket
            if ($CoresPerSocket -lt 1) { $CoresPerSocket = 1 }
            $NewEntry = [PSCustomObject] @{
                VMname = $VM.Name
                NumCPUCores = [int]$VM.ExtensionData.Config.Hardware.NumCPU
                NumCoresPerSocket = $CoresPerSocket
                NumCPUSockets = [int]$VM.ExtensionData.Config.Hardware.NumCPU / $CoresPerSocket
                NumHostsToRun = 0
            }
            $VMsCPU += $NewEntry
        }

        foreach ($VMhost in ($Cluster | Get-VMHost)) {
            $NewEntry = [PScustomObject] @{
                VMhost = $VMhost.Name
                NumCPUCores = $VMhost.ExtensionData.hardware.cpuinfo.NumCpuCores
                NumCoresPerSocket = $VMhost.ExtensionData.hardware.cpuinfo.NumCpuCores / $VMhost.ExtensionData.hardware.cpuinfo.NumCpuPackages
                NumCPUSockets = $VMhost.ExtensionData.hardware.cpuinfo.NumCpuPackages
                NumCPUCoresHT = $VMhost.ExtensionData.hardware.cpuinfo.NumCpuThreads
                HTAwareMitigationSetting = "N/A"
            }
            if ($HTAwareMitigationInstalled) {
                $NewEntry.HTAwareMitigationSetting = (Get-HTAwareMitigationConfig -VMHostName $VMhost.Name).ConfiguredHTAMSetting
            }
            $VMhostsCPU += $NewEntry
        }
        $VMOut = @()
        foreach ($VM in ($VMsCPU | Sort-Object NumCPUCores -Descending | Select-Object -First $TopVMs)) {
            # After mitigation a VM with n vCPUs can only run on hosts with at least n physical cores;
            # count those hosts explicitly so the result is 0 (not $null) when no host qualifies
            $VM.NumHostsToRun = @($VMhostsCPU | Where-Object { [int]$_.NumCPUCores -ge [int]$VM.NumCPUCores }).Count
            $VMOut += $VM
        }

        $VMhostHtml = $VMhostsCPU | Sort-Object VMhost | ConvertTo-Html -Fragment
        $VMhtml = $VMOut | ConvertTo-Html -Fragment
        ConvertTo-Html -Body "$VMhostHtml $VMhtml" -Title "vCPU Report" | Out-File ($Cluster.Name + "_vCPUReport.html")
    }

    if ($HTAwareMitigationInstalled -and $HTAwareMitigationAnalysis) {
        Get-Cluster $ClusterPattern | ForEach-Object { Get-HTAwareMitigationAnalysis -ClusterName $_.Name -OutputHTML ($_.Name + ".html") }
    }
}
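As an added offline illustration (not code from the post above) of the placement check the function performs, the following applies the same rule, a VM with n vCPUs needs a host with at least n physical cores, to constructed host and VM objects. It also flags the two cases the post warns about: a VM that is green in the Mitigation Tool but has no other host to fail over to, and a VM that only fits on hosts with exactly n cores. The function name, the object property names and the sample cluster are assumptions.

```powershell
# Added example, not part of the original post: offline version of the placement check.
# Rule from the post: after enabling the Side-Channel-Aware Scheduler, a VM with n vCPUs
# can only run on hosts with at least n physical cores.
function Get-L1tfPlacement {
    param(
        [Parameter(Mandatory)] [object[]]$Hosts,   # objects with Name, NumCpuCores
        [Parameter(Mandatory)] [object[]]$VMs      # objects with Name, NumCpu, CurrentHost
    )
    foreach ($vm in $VMs) {
        # Hosts that can run this VM at all, and hosts that leave at least one core of headroom
        $eligible = @($Hosts | Where-Object { [int]$_.NumCpuCores -ge [int]$vm.NumCpu })
        $headroom = @($eligible | Where-Object { [int]$_.NumCpuCores -gt [int]$vm.NumCpu })
        [PSCustomObject]@{
            VMname        = $vm.Name
            NumCpu        = $vm.NumCpu
            RunsOnCurrent = ($eligible.Name -contains $vm.CurrentHost)  # the check the Mitigation Tool does
            NumHostsToRun = $eligible.Count                             # the number the post's function adds
            NoFailover    = ($eligible.Count -le 1)                     # green in the tool, but no second host
            OnlyFullHosts = ($eligible.Count -gt 0 -and $headroom.Count -eq 0)  # fits only on hosts with exactly n cores
        }
    }
}

# Constructed sample cluster: two 16-core hosts and one 24-core host
$sampleHosts = @(
    [PSCustomObject]@{ Name = 'esx01'; NumCpuCores = 16 }
    [PSCustomObject]@{ Name = 'esx02'; NumCpuCores = 16 }
    [PSCustomObject]@{ Name = 'esx03'; NumCpuCores = 24 }
)
$sampleVMs = @(
    [PSCustomObject]@{ Name = 'db01';  NumCpu = 24; CurrentHost = 'esx03' }  # green in the tool, but only esx03 fits
    [PSCustomObject]@{ Name = 'app01'; NumCpu = 16; CurrentHost = 'esx01' }  # fits on all three hosts
    [PSCustomObject]@{ Name = 'big01'; NumCpu = 32; CurrentHost = 'esx03' }  # fits on no host after mitigation
)
Get-L1tfPlacement -Hosts $sampleHosts -VMs $sampleVMs | Format-Table -AutoSize
```

In the sample, db01 shows RunsOnCurrent = True and NoFailover = True, which is exactly the combination the Mitigation Tool reports as green.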

Notes

  • Before enabling the ESXi Side-Channel-Aware Scheduler, I strongly recommend analyzing your cluster with the VMware Mitigation Tool.
  • The required module is VMware.VimAutomation.Core.
  • If you want Get-Help to work for this function, replace the per-line comments from .NOTES to the last .EXAMPLE with a block comment (<# … #>). That notation did not work in the WordPress plugin.

2 responses to “Script to answer question: On how many hosts my VMs can run after HTAware Mitigation”

  1. William says:

    Thanks for writing this up. Quick question though, I can’t see how to download HTAwareMitigation.zip from KB 56931. I’m possibly missing something. Do you know if VMware have removed the tool?

    • woifgaung says:

      Hi William! Thanks for your response and sorry for my late one. VMware added a new feature in 6.7 U2 to reduce the performance penalty at the cost of security. For this reason VMware talks about a new version of the tool. New version: 1.0.0.19. To be honest I couldn't find it either. But at least now it's online again: https://kb.vmware.com/s/article/56931.
