March 17, 2024

vSAN Witness Appliance Updates in vSAN 6.7 P01

Stretched Cluster and 2 Node vSAN configurations require a vSAN Witness Host prevent split-brain scenarios when sites are isolated from each other due to loss of connectivity or other outage.

The Stretched Cluster Guide and 2 Node Guide state that any physical vSphere host with appropriate RAM and storage devices can be used, or the free vSAN Witness Appliance. The physical host approach will still require a licensed edition of vSphere, and the host must be capable of running the same build of vSphere as the vSAN Cluster it is joined to.

The vSAN Witness Appliance, not to be confused with a vSAN Witness Host, is a free virtual appliance that runs vSphere as the Guest OS, and does not require any licensing for itself. It does have to run on top of a vSphere 5.5 or higher installation, which could be either a licensed vSphere host, or a host running the free vSphere Hypervisor.

vSAN Witness Appliance Deployment

For vSAN Stretched Cluster configurations a single vSAN Witness Host is required. The same goes for 2 Node vSAN Clusters. Typically vSAN Witness Appliances are deployed during the creation of the cluster and they maintain the same lifecycle as the cluster.

Deploying a vSAN Witness Appliance typically consists of deploying an OVA, providing a password as well as selecting switch and storage parameters. Networking and adding the vSAN Witness Host to vCenter is accomplished post deployment. It has been a relatively simple, manual process.

Administrators who have desired to more easily deploy the vSAN Witness Appliance have used custom scripts, such as Vsan-WitnessDeploy.ps1, to streamline the deployment process.

Easier vSAN Witness Appliance Deployment in vSAN 6.7 P01

With the release of vSAN 6.7 P01, most of the manual steps have been added to the deployment workflow. Network settings are prompted for during deployment and configured during the initial boot process of the vSAN 6.7 P01 Witness Appliance.

vSAN Witness Properties

In addition to the previously prompted for root password and switch configuration, the OVA deployment also prompts for the following information:

  • System Configuration
    • root password
  • vSAN Traffic
    • Management network – For configurations where customers wish to use vmk0 for vSAN Traffic
      • Typically doesn’t require any static routing
    • Secondary network (Default) – Once called the Witness Network, this Secondary network is the default
      • Still requires static routing to be configured when addressing the vSAN Witness Host over Layer 3 configurations
  • Management Network
    • IP Address / Netmask / Gateway
    • Hostname, DNS Domain
    • DNS Search Order, DNS Server Addresses (comma separated)
    • NTP hosts (comma separated)
  • Secondary Network (previously known as WitnessPg)
    • IP Address / Netmask / Gateway (though gateway is not supported yet)

The inclusion of these additional settings being prompted for in the OVF Deployment, streamlines the deployment process. With the exception of setting any static routes, the vSAN Witness Appliance boots fully configured. It only needs to be added to vCenter and any static routes configured. What used to require approximately 15 steps, is now accomplished in roughly 3-4 steps.

Deploy vSAN Witness Appliances at any Scale Easily

What about use cases where multiple vSAN Witnesses need to be deployed quickly? Such as a use case where a large retail chain is rolling out vSAN Witness Appliances to 200 stores?

Because the vSAN 6.7 P01 Witness Appliance accepts OVF Properties, the OVF Tool or PowerCLI can be used to easily deploy multiple vSAN Witness Appliances from a command line or script.

Below is an example OVF Tool deployment of a vSAN 6.7 P01 Witness Appliance. *Note: Each argument is displayed on an individual line for clarity. The arguments should be on the same command line.

**Note: deploying the new vSAN Witness Appliance via the vSphere Client, OVF Tool, or PowerCLI does not automatically create any static routes, which may be required for some deployments.

The Vsan-WitnessDeploy.ps1 PowerCLI script found on the VMware Code site has also been updated to work with vSAN 6.7 P01 appliances, as well as previous releases. This custom PowerCLI script will deploy vSAN Witness Appliances old & new, as well as add them to vCenter so they may be used by 2 Node or Stretched vSAN Clusters. It will even add static routes if desired.

***Note: Never deploy a vSAN Witness Appliance with vmk0 and vmk1 on the same network when vSAN Traffic is tagged on vmk0 (Management). This creates a vSphere Multi-Homing issue, detailed in KB 2010877. This is not a supported configuration.

More information about using a vSAN Witness Appliance with 2 Node or Stretched Cluster vSAN can be found in the vSAN 2 Node Guide and the vSAN Stretched Cluster Guide respectively.

The vSAN 6.7 P01 Witness Appliance can be downloaded here.

This article was originally published on the VMware Virtual Blocks site here: https://blogs.vmware.com/virtualblocks/2019/11/07/vswa-67p01-update/