WilliamLam.com

VM Storage Policy APIs aka Storage Profile APIs will be available in vSphere 5.5

by // 17 Comments

A frequently requested feature from customers and partners have been around the Storage Profile APIs and with the upcoming vSphere 5.5 release, it will now be possible to automate the management and consumption of Storage Profiles. In vSphere 5.5, Storage Profiles has been renamed to VM Storage Policy and they have been enhanced from the previous version of Storage Profile. VM Storage Policy introduces new concept of a rule set also known as a sub-profile or sub-policy from an API perspective.

A VM Storage Policy can contain multiple rule sets which describes a requirement for a virtual machine storage resource. Each rule can either be an underlying storage capability or a user defined vSphere Tag.

One important thing to note about the VM Storage Policy API (SOAP API), is that it is exposed as a separate API endpoint (similar to how the SMS API is exposed) on vCenter Server and it will not be accessible through the normal vSphere API. To consume this API, you will need to connect to the PBM (Policy Based Management) Server which requires an authenticated vCenter Server session. A great way to learn and explore the new SPBM API is to check out the SPBM MOB.

Here is the high level workflow for connecting to the PBM Server:

  1. Login to vCenter Server
  2. Extract the session cookie
  3. Add vCenter Server session cookie & connect to PBM Server

Once connected to the PBM Server, you will have access to PBM ServiceInstance with following three managed objects:

    • ProfileProfileManager (not a typo, repeat of Profile for some reason)
    • PlacementSolver
    • ComplianceManager

As mentioned earlier, a VM Storage Policy can be made up of several rule sets and each rule set contains a property rule. Here is the specification for what the VM Storage Policy looks like from an API perspective:

For managing and creating VM Storage Policies, you will need use the new VM Storage Policy API and for consuming and assigning VM Storage Policies to a virtual machine, you will need to use the vSphere API. When provisioning or cloning a virtual machine, there is a new profile property that denotes the MoRef ID for a particular VM Storage Policy.

As part of the VM Storage Policy API, there will be a Java SDK that includes a programming guide that goes over the VM Storage Policy API in greater detail as well as several sample programs exercising the various API methods. Since the VM Storage Policy API is a SOAP API similar to the vSphere API, the WSDL will also be available if you wish to generate your own language binding to the API.

Here is a screenshot of the available sample programs leveraging the new VM Storage Policy API:

Here is an example of one of the sample programs which lists all the VM Storage Policies for a given vCenter Server:

run.bat ListProfiles --vcurl https://[VC-IP]/sdk/vimService --ssourl https://[VC-IP]:7444/ims/STSService --spbmurl https://[VC-IP]/pbm --username *protected email* --password vmware --ignorecert

In the screenshot, you will see four VM Storage Policy being shown, one which I had created earlier and there others which are VM Storage Policies created by VSAN. You will notice that you will need three pieces of information when connecting: vCenter Server endpoint, SSO Server endpoint and PBM Server endpoint. You can find more details by referring to the VM Storage Policy Programming Guide and VM Storage Policy API reference.

My top 5 favorite enhancements to the new vSphere Web Client 5.5

by // 10 Comments

I have been using the vSphere Web Client more and more lately and though transitioning away from the familiar legacy vSphere C# Client is not the easiest thing to do or always possible for every single operation, there are definitely some nice benefits when using the vSphere Web Client. With the upcoming vSphere 5.5 release, there is even more cool new features in the vSphere Web Client!

Here are my top 5 favorite enhancements in the new vSphere Web Client 5.5 in no particular order. For a complete list of new features in the vSphere Web Client, I recommend you take a look at the What's New in vSphere 5.5 whitepaper.

Mac OS X Support for vSphere Web Client

Being a web application, the vSphere Web Client has always worked on a Mac OS X system, however you may have noticed a couple of things did not work such as OVA/OVF upload, remote device management such as mounting an ISO/Floppy and the biggest one of all is virtual machine console access! This has been one of the most requested feature that I can think of and I am personally excited to see this finally come to fruition. In addition to to the native VM console support (HTML5/WebSockets), there is also now a vSphere Client Integration package for Mac OS X that provides both OVA/OVF upload and remote device management support. This alone is enough for me to upgrade my vCenter Server to 5.5 to get these new feature!

Recently Visited & Created Objects

The recently visited objects is a pretty handy feature that came in vSphere 5.1 which allows you to see what objects you have been recently working with. However, this feature may not have been very well known due to its tiny icon. I am glad to see this feature get its own icon and is now located at the top of the vSphere Inventory Navigator between the navigator and pin icon. In addition to this change, it also now includes a list of the recently created vSphere objects which can come in handy when you are doing something new for the first time and would like a quick way to view the sequence of objects created.

vSphere Inventory Navigator History + Back/Forward Navigation

I am pretty sure our vSphere UE engineers have a more elegant name for this awesome feature, but  you can now view the history as you traverse through the vSphere Inventory Navigator and navigate both backwards as well as forward (which is new in vSphere 5.5). To view your current history, you simply just right click on the navigator bar at the top and you will get a drop down list of your history. You can go move forwards or backwards through your history which is a great if you are still getting familiar with the vSphere Web Client and forgot how you got to a particular object.

Deploy vCenter Operations from vSphere Web Client

I thought this was a pretty cool enhancement by allowing you to deploy vCenter Operations Management from within the vSphere Web Client. You will notice a new vC Ops icon on the main dashboard and on the Getting Started page, there is a link at the bottom that will allow you to deploy the vC Ops appliance by first logging into your MyVMware account. I wonder if we will are going to start doing this for other VMware solutions and just making it easier to deploy the latest version without having to first download it onto your local system.

Configure Auto-Refresh & Disable Inventory Navigator Animation

A common piece of feedback that I have heard regarding the vSphere Web Client experience is that it does not automatically refresh the screen. This is a change from the vSphere C# Client where it will automatically refresh the inventory, but of course there is some overhead associated with this refresh as it needs to pull the latest data from the vCenter Server. However, with the latest vSphere Web Client 5.5, you can now enable auto-refresh using an advanced configuration (by default it is disabled). Before you enable this, do note that this can alter the performance of your environment and be aware this will prevent the session from automatically logging out if you have configured an idle session timeout.

UPDATE: (03/11/16) - In vSphere 6.0, the path to webclient.properties has changed to /etc/vmware/vsphere-client/webclient.properties

To enable auto-refresh, you will need to locate the following configuration file /var/lib/vmware/vsphere-client/webclient.properties on the VCSA (there should also be an equivalent on Windows version of vSphere Web Client Server)

By default the auto-refresh is disabled, to enable it, you will need to un-comment the following configuration parameter and set the number of seconds to auto-refresh:

refresh.rate = # of seconds

Another feature that I found interesting that can also be controlled in this configuration file is the sliding animation shown when clicking on the vSphere Inventory Navigator. This I assume is to reduce the amount of resources loading the animation, unless the animation was bothering some folks?

By default this is now disabled in vSphere 5.5 and if you wish to see that animation (default in vSphere 5.1), you can re-enable by un-commenting the following configuration parameter:

navigator.disableAnimation = true or false

There are few other settings that you can control in the webclient.properties, you can take a look at the file for more details.

There are definitely a few more new features in the vSphere Web Client 5.5 that I have not mention, but these were my my top five favorite enhancements. One more thing I would like to also mention is that vSphere Web Client in vSphere 5.5 release definitely feels much snappier than previous releases and this has made for a much better user experience in my opinion. When you get your hands on the new vSphere Web Client, what will be your favorite new feature?

How to recover VCSA 5.5 from an expired administrator account?

by // 9 Comments

Last week I wrote about a new security feature in the new VCSA 5.5 where the administrator account (root) password will now expire automatically after 90 days of powering on the VCSA if the password is not changed before then. This new enhancement is to ensures that administrative passwords are rotated routinely for good security practices. However, in the event that you forget to change the password before the expiration, you can still recover the VCSA and this article will walk you through that process.

As a lab exercise, I have configured my root password to expire in one day and purposely let it expire. If you try to login to the VAMI UI, you will get an "Unable to authenticate user" error and you will see something similar if you login to the SSH console. Ideally, this message should be a bit more descriptive to say something like the password has expired (which I have filed an internal bug for).

Requirements:

  • You will need console access to your VCSA
  • You will also need a Linux LiveCD, I personally like using KNOPPIX

Step 1 - Mount the Linux LiveCD to your VCSA and boot into the image. You will need to bring up a terminal shell. The version I am using has a menu and I just select the "shell" option.

Step 2 - Once you are in the terminal, you will need to switch to the root user by running the following command:

su -

Step 3 - Next, we need to mount the VCSA root partition which will be /dev/sda3 to /mnt directory by running the following command:

mount /dev/sda3 /mnt

Step 4 - We now need to edit /etc/shadow file on our VCSA which is located in /mnt/etc/shadow to disable the account lock. You will need to use an editor such as vi to open up the file.

You need to delete "x" in the 2nd field and the numeric value on the 5th field (if it exists, this should be the number of days for expiration, default is 90) for the root user account. The screenshot above shows what values needs to be deleted. Once you have made the changes, go ahead and save the file.

Step 5 - Reboot the VCSA and now you can login to both the VAMI UI interface as well as the SSH console.

Note: If you had the password expiration feature enabled, it has now been disabled for you to login. If you wish to re-enable it, you will need to configure it in the VAMI UI or through the CLI. Please refer to this article here for more details.