A few noticeable changes to vROps 6.6 and Log Insight 4.5

With the recent releases of VMware vRealize Operations Manager 6.6 and Log Insight 4.5, VMware has made some changes to its products. They are as follows:

  • vRealize Operations Manager Plugin for vSphere Web Client should be removed after upgrading to vROps 6.6.
    In KB 2150394, VMware provides detailed instructions on how to do it for both vCenter for Windows and vCenter Virtual Appliance.
  • Native support for Active Directory in vRealize Log Insight is now deprecated.
    As per KB 2148976, VMware Identity Manager (VIDM) should be configured as an alternative. It is not confirmed yet whether VIDM is available for free for Log Insight users. More information will be posted on this thread on VMware Technology Network.
    I understand that this change widens the business scenarios for the product. However, for those of us who use Log Insight purely for collecting and analysing vSphere logs, it would be great to have Active Directory replaced with vCenter Single Sign-On (vCenter SSO). It sounds more logical.
    You can vote for the Log Insight integration with vCenter SSO on this link. It will be great if more people request this feature.

21/06/2017 – Update 1: VMware Identity Manager for Log Insight has been officially released and it is free! The VIDM virtual appliance is available on the Log Insight 4.5 download page.

27/06/2017 – Update 2: VMware has changed its policy and continues to provide support for the Active Directory integration in Log Insight 4.5. However, “it may be removed in a future version” (and probably will).

vSphere 6.x: The beauty and ugliness of the Content Library – Part 2

In part 1 of this mini-series, I wrote about some technical problems that I had had with the Content Library and provided workable solutions for them.

Here I am going to touch on the security aspect of this technology. Fortunately, there are no complications with restricting the virtual machine provisioning. It is just not as straightforward as I or some of the readers would expect.

Issue #3 – Preventing users from provisioning the virtual machine from the Content Library

Affected platform: vSphere 6.0 and 6.5, all versions.

In vCenter, permissions are assigned to objects in the object hierarchy called vSphere Inventory Hierarchy. The individual permissions are called privileges. They are combined into roles, which are then allocated to the users.

The Content Library has its own set of privileges under All Privileges > Content Library. They are designed to manage different settings related to the configuration of the object. There is a predefined role in vSphere called Content Library Administrator. Its primary purpose is to give a user privileges to monitor and manage a library and its contents.

However, if you would like to restrict VM provisioning from the Content Library and look through that long list, no privilege there helps to achieve this task.

After doing some testing and discussing this subject with VMware GSS, the only solution we were able to come up with was removing all Content Library privileges from the role and assigning it to the users on the vCenter Server level. In this case, users won’t be able to get access to the items in the Content Library. I was a bit frustrated with this limitation and even contacted the engineering team at VMware directly about the issue.

Coincidentally, I was working on restricting the VM provisioning from other sources: vApps and OVA/OVF Templates. It was then I realised it was actually possible to implement the complete solution to my problem.

As you might know, the Content Library keeps the VM template objects in OVF format.

CL-02

So I decided to play with the privileges that control the deployment process from OVF templates. Surprisingly, it was the vApp Import privilege that helped me to achieve my goal. Happy days!

CL-03

Resolution: Remove All Privileges > vApp > Import privilege from the user role, as described in VMware KB 2105932.

Configuring static network in Photon OS

As more virtual appliances from VMware come with Photon OS, I would like to share a few simple workarounds to assign a static IP address and other network parameters to the virtual machines based on this operating system.

In Photon OS, the process systemd-networkd is responsible for the network configuration. You can check its status by executing the following command:

[ ~ ]# systemctl status systemd-networkd -l

It should give you an output similar to one in the picture below.

PhotonOS-Net-01

 

By default, systemd-networkd receives its settings from the configuration file 10-dhcp-en.network located in /etc/systemd/network/ folder. It has the following format:

[Match]
Name=e*

[Network]
DHCP=yes

I would recommend renaming this file to 10-static-en.network, so it will be easy to troubleshoot network issues in the future.

The file syntax is similar to what is used in Arch Linux. With a few additional lines in the file, the network configuration can be set to our requirements. They are as follows:

  • In section [Network]
    • Address – the IP address and subnet mask in the format of XXX.XXX.XXX.XXX/YY
    • Gateway – an IP address of the default gateway
    • DNS – IP addresses of one or more DNS servers (space-separated values)
    • Domains – domain name(s) in FQDN format (space-separated values)
    • NTP – IP addresses or FQDNs of NTP sources (space-separated values).

An example of the static network configuration is shown below.

[Match]
Name=e*

[Network]
DHCP=no
Address=192.168.1.101/24
Gateway=192.168.1.1
DNS=192.168.1.21 192.168.1.1
Domains=testorg.local
NTP=0.au.pool.ntp.org 1.au.pool.ntp.org

The hostname of the system can be added to /etc/hostname file in FQDN format.

All changes should apply after rebooting the virtual machine. To test the results, we can use the following commands:

  • ip a – shows the IP addresses of the network interfaces

PhotonOS-Net-02

  • ip route – shows the routing table,

PhotonOS-Net-03

  • systemctl status systemd-timesyncd -l – shows time synchronisation status.

PhotonOS-Net-04
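Because the settings only apply after a reboot, it helps to sanity-check the file first. The following is an added example, not part of the original post: a small Python checker for the [Network] keys described above. The function name check_static_network is hypothetical, and it assumes a file with a single Address line and no repeated keys.

```python
import configparser
import ipaddress

# Constructed sample: the static configuration shown in the text above.
SAMPLE = """[Match]
Name=e*

[Network]
DHCP=no
Address=192.168.1.101/24
Gateway=192.168.1.1
DNS=192.168.1.21 192.168.1.1
Domains=testorg.local
NTP=0.au.pool.ntp.org 1.au.pool.ntp.org
"""


def check_static_network(text):
    """Return a list of problems in a single-address static .network file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: systemd keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Network"):
        return ["no [Network] section"]
    net, problems, iface = cp["Network"], [], None

    if net.get("DHCP", "no").strip().lower() not in ("no", "false", "off", "0"):
        problems.append("DHCP is still enabled")
    addr = net.get("Address", "").strip()
    try:
        if "/" not in addr:
            raise ValueError("prefix length missing")
        iface = ipaddress.ip_interface(addr)
    except ValueError:
        problems.append(f"Address {addr!r} is not in IP/prefix form")

    gw = net.get("Gateway", "").strip()
    try:
        gw_ip = ipaddress.ip_address(gw)
        if iface is not None and gw_ip not in iface.network:
            problems.append(f"Gateway {gw} is outside {iface.network}")
    except ValueError:
        problems.append(f"Gateway {gw!r} is not an IP address")

    for server in net.get("DNS", "").split():
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS entry {server!r} is not an IP address")
    return problems
```

An empty list means the Address, Gateway and DNS values are consistent with each other; it does not prove that the addresses are reachable.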

vCenter Support Assistant 6.5: This type of network adapter is not supported by {0}Other Linux (64-bit)

VMware has just released a new version of vCenter Support Assistant 6.5 which officially supports vSphere 6.5 and has a few noticeable improvements compared to the previous release.

In this appliance, SUSE Linux has been replaced with Photon OS. The shift looks quite logical, as VMware pushes their own Linux flavour to more and more new products. Not only does it help to maintain a holistic approach when distributing virtual appliances, but it also promises improved performance of the operating system, as VMware has heavily invested in making it lightweight and fast.

However, when I completed provisioning vSA 6.5 in my environment and checked the virtual machine settings, to my surprise, there was a warning message, shown in the screenshot below.

vsa-issue-01

It is not difficult to understand the root cause of this issue and eliminate it completely.

To keep backwards compatibility with earlier versions of vCenter Server, the VM hardware was set to version 8 (ESXi 5.0 and later).

vsa-issue-02

This choice of the OS is entirely unexpected, as ‘Other Linux (64-bit)‘ was classified as a Legacy operating system by the vendor.

vsa-issue-03

It is not until VM hardware version 10 that it becomes possible to change the guest operating system to ‘Other 3.x or later Linux (64-bit)‘ to resolve the problem. So the workaround would be upgrading the VM to at least hardware version 10, and then choosing the compatible OS type.

My suggestion to VMware would be to introduce a new Guest OS version called ‘Linux / Photon OS’ with the compatible hardware profile to prevent similar warnings in the future.

vSphere 6.x: Force the datastore capability sets update

When a new datastore is provisioned to the vSphere environment, there might be a delay in updating the information about the capability sets, and the datastore would be incompatible with a storage policy.

storage-provider-01

The vCenter Server periodically updates storage data in its database. I couldn’t find the exact time intervals when it occurs. Fortunately, it is possible to force the datastore capability sets update in the vSphere Web Client.

To complete this task, go to the vCenter Manage tab and choose ‘Storage providers’ option. A rescan button is available from the storage system settings.

storage-provider-02

Clicking on that icon initiates rescan and updates the storage capabilities of the datastore.

storage-provider-03

Now it is possible to place the virtual machines on the datastore.

Configuring PERC H730/730p cards for VMware vSAN 6.x

One of the necessary steps to create a new VMware vSAN cluster is to configure the RAID controller.

I have found Joe’s post about setting up Dell PERC H730 cards very informative and easy to follow. However, the latest generation of Dell’s PowerEdge servers has a slightly different configuration interface. So I decided to document the configuration process using the BIOS graphical interface.

You can get into it either by pressing the F2 key during the server boot or by choosing the BIOS Setup option in the Next Boot drop-down menu in the iDRAC Virtual Console.

step-00

The next step is to click on the Device Settings and select the RAID controller from the list of available devices.

step-01

Step-02.png

There are two configuration pages that we should be interested in, as follows:

  • Controller Management > Advanced Controller Management
  • Controller Management > Advanced Controller Properties.

The former gives us the ability to switch from RAID mode to HBA mode.

Step-03.png

The latter allows disabling the controller caching and setting the BIOS Boot mode.

Step-04.png

Please note that a system reboot is required for the change to take effect. It is always a good idea to double-check that the parameters above were set up correctly.

vSphere HTML5 Web Client (Fling): installation tips

VMware has officially introduced vSphere Client (HTML5) in the release 6.5 of the platform. The company is working hard to make it a real replacement for vSphere Web Client (Flash/Flex client) and to deliver seamless functionality to the former one.

The vSphere Client released in vSphere 6.5 GA is using vSphere HTML5 Web Client (Fling) v2.7. Although it lacks many features of its older brother, the whole HTML5 experience should be a real benefit for many of us.

Meanwhile, it is interesting to test features available in the new versions of the Fling. Even if it is unsupported, some people are ready to go further and use it in the production environment with vSphere 6.0.

I doubt VMware has any plans to include this functionality in vSphere 6.0. However, for those who delay upgrading to version 6.5, playing with the Fling helps to get a better understanding of the new interface.

vsphere-client-fling-01

The current documentation for the Fling is a bit clunky. So I would like to clarify some steps that are required to set up this software correctly.

According to the documentation, the Fling setup has been tested with the following configurations:

  • GUI and CLI setup
    • vCenter Server Appliance with an embedded Platform Services Controller
    • vCenter Server Appliance with an external Platform Services Controller
  • CLI setup only
    • vCenter Server for Windows with an embedded Platform Services Controller
    • vCenter Server for Windows with an external Platform Services Controller.

In the paragraphs below, I describe the configuration process for the vCenter Server Appliance with an embedded Platform Services Controller.

After you have downloaded the OVA file and provisioned the VM, the few steps below help to pair it with the vCenter Server.

Firstly, we need to enable SSH login (if disabled) and bash shell on the Platform Services Controller (PSC). The easiest way to do it is to use the Appliance Management User Interface at https://<PSC-FQDN-or-IP>:5480. Both options can be found in the Access settings window.

amui-access-settings

The next step is to change the default shell for PSC. You should create the SSH session to the virtual appliance and run the following command to complete this task:

/usr/bin/chsh -s "/bin/bash" root

Using the default username root and the password demova, log in to the Fling Appliance Management Interface (FAMI) at https://<Fling-FQDN-or-IP>:5490.

vsphere-client-fling-02

Starting from here, the configuration process is straightforward:

  1. Add PSC FQDN or IP address, username, and the password.
  2. Optionally, you can add NTP servers.
  3. Click on Configure to initiate the configuration process.

vsphere-client-fling-03

After approximately one and a half minutes, the setup finishes and the application is up and running.

vsphere-client-fling-04

For those who prefer SSH connection and a command line interface (CLI), the following command does the magic:

/usr/local/bin/vsphere-client-config-ui configure --vc <PSC-FQDN-or-IP> --user root --ntp <NTP-FQDN-or-IP>

In this case, you need to start the Web Server manually after it is all done:

/usr/local/bin/vsphere-client start

Open the web browser on https://<Fling-FQDN-or-IP>/ui. It is time to explore a true HTML5 client, yay!