Monthly Archives: June 2015

vSphere 6, Clear state

Memory management in vSphere 5 happens with following 4 states.

High State: 100% of minFree available (<100% and >=64%, TPS is in action)
Soft State: 64% of minFree is available (<64% and >=32%, Ballooning is in action)
Hard State: 32% of minFree is available (<32% and >= 16%, Compression, Page Swapping)
Low State: 16% of minFree is available (<16%, Page Swapping)

ESXi 5.x Memory state chart

while in vSphere 6, this has changed, a new memory management state has been introduced called Clear state which is equivalent to previous High state. So now in ESXi 6 following are memory management states available.

High State: 300% of minFree available (<300% and >=64%, TPS is in action)
Clear State: 100% of minFree available (TPS is in action, this is previous version High State)
Soft State: 64% of minFree is available (<64% and >=32%, Ballooning is in action)
Hard State: 32% of minFree is available (<32% and >= 16%, Compression, Page Swapping)
Low State: 16% of minFree is available (<16%, Page Swapping)

ESXi 6 Memory states chart

In Short, an additional state which has been introduced called Clear state, and High State is tripled with compare to last version, now it’s 300% of minFree value of an esxi host, this is purely so TPS gets a chance to be triggered long before it hits Clear state and carry on acting on memory accordingly.

Reference: Duncan Epping’s blog about vSphere 6, Memory states & vSphere 6 Resource Management Guide


ESXi 6 – minFree value

minFree is associated with High Memory state of ESXi 6 or prior to it.

If you are wondering how ESXi is calculating minFree value, here is the math behind it.
Value of minFree is 899 MB for the ESXi host with upto 28 GB RAM.
host with more than 28 GB RAM, minFree is calculated as bellow
minFree = 899 MB (upto 28 GB RAM) + 1% of remaining capacity of RAM in that host.

Like an ESXi host with 100 GB RAM has minFree = 1619 MB
899 MB + 720 MB (1% of 72 GB)


Modify DCUI access list

In vSphere 6 or prior, by default ROOT is the user who has access to DCUI, even in the lockdown mode. If I wish to add additional users in this list, how to do it?

Using vSphere Web Client

Select your host, go to Manage->Settings->Advanced System Settings and try to locate DCUI.Access parameter as shown in following screen

Screen Shot 2015-06-06 at 8.12.32 am

now Click on EDIT button

it will bring  a screen like following where you use comma as separator to mention more usernames. when done, click on OK.
Screen Shot 2015-06-06 at 8.18.18 am


vSphere 6, Lockdown mode

What is Lockdown mode?

to improve security of ESXi host which is being managed by vCenter server, we enable lockdown mode on that host, that way it will restrict any operations to be carried out on that host directly but you will be forced to go via vCenter server only to be able to manage that host.

now what do I mean by doing something directly on that host?

  • Using vSphere client to connect to host directly and creating a new VM, removing an existing VM, powering on/off/suspending a VM, or making any configuration modification on host.
  • using vCLI to login directly into host to do any of the above activity
  • using ssh client to login directly into host and doing any of those activities listed in first bullet point.

Since the host is being managed to vCenter and vCenter has got it’s own central access and authentication mechanism in place. Why would I want above things to be done directly, I would like to use that vCenter server’s access and authentication mechanism to have centrally managed security. Where I create roles, and assign permissions on inventory objects of vCenter server to user/group accounts.

what vSphere 6 has to offer when it comes to enabling lockdown mode.

To reach upto this settings, Login in your vSphere Web client 6.0, Go to Host and Cluster Inventory, Select your Host, GO TO manage->Settings->Security Profile->Lockdown mode like it’s visible in following screenshot

Screen Shot 2015-06-05 at 4.19.04 pm


By Clicking on Edit button I can see following screen

Screen Shot 2015-06-05 at 4.19.21 pm

  1. Normal lockdown mode
  2. strict lockdown mode
  3. no lockdown mode (Disabled)

Along with that we have a discussion of Exception users list & users who have access to DCUI

  1. Normal Lockdown mode
  • this is same as we had in previous versions of vSphere prior to version 6.0, you enable lockdown mode, will leave vpxuser as only user account in host with full privileges on host and rest of the user account doesn’t have any privileges any more. Except root user who is part of DCUI.Access so root account still can access DCUI in case we lost connection to vCenter.

2) Strict Lockdown mode

  • This is where you will get DCUI service of host also being stopped, so now even people in DCUI.Access list will not have any control because DCUI is not running.

in above two case, Exception users list plays a specific role. Those uses will still have access to your SSH shell (Technical support mode). Like in following screenshot I have added root account as Exceptions users list. If I do that on all the esxi hosts than I don’t have to worry about disabling lockdown mode at the time when I want to connect to host directly via SSH etc.Screen Shot 2015-06-05 at 4.19.57 pm

VMware KB 1008077