WilliamLam.com

Auditing detailed operations within VMware Cloud on AWS using the Activity Log API

by // Leave a Comment

All operations (UI or API) that occurs within VMware Cloud AWS (VMC), including but not limited to SDDC creation, deletion, updates, network configurations, user authorization/access, etc. is all captured as part of the Activity Log in the VMC Console. Within the Activity Log, customers will be able view the type of operation, the time the operation occurred, the applicable SDDC as well the user of the operation and all of these fields can be filtered out further.


The UI is great for quickly looking up quick changes, however for customers who require auditing level logging, this may not be sufficient. This was actually a question that I had received from a customer who was interested in getting more details but also a way to send this information back to their on-premises environment for auditing purposes. Luckily, the Activity Log actually stores a lot more information than what is shown in the UI and all of this data is available through the VMC API.

All entries are scoped within a VMC Organization and you can use the following APIs to retrieve all activities or a specific activity given the VMC Task Id:

  • GET /orgs/{org}/tasks - List all tasks for organization
  • GET /orgs/{org}/tasks/{task} - Get task details

[Read more...]

Retrieving detailed per-VM space utilization on VSAN

by // 8 Comments

I was recently helping out my friend Paudie O'Riordan with a request from a customer who was looking for a way to collect detailed space utilization for their VMs (VM Home, VMDK & swap) running on VSAN. Today, this level of granularity is not available in the vSphere UI and the customer was interested in both the used and reserved capacity on a per-VM basis. Luckily, this information can be retrieved using the VSAN Management API.

To do so, we just need to use the VsanQueryObjectIdentities() API method, which I have used in the past to retrieve things like "thick" provisioned VM and translating VSAN Object IDs to their friendly VM display name. To retrieve space utilization information, we just need to set the includeSpaceSummary property to be true. While developing the PowerCLI sample script, I found that this specific property is currently not supported when querying vCenter Server and to retrieve this information, you must go directly to each ESXi host within the VSAN Cluster. I have already filed a feature request and it looks like this will be fixed in a future vSphere release.

[Read more...]

Using ESXi Kickstart %firstboot with Secure Boot

by // 6 Comments

If you install ESXi via a Kickstart script and make use of the %firstboot option to execute commands on the first boot of the ESXi host after installation, you should be aware of its incompatibility with the Secure Boot feature. If you install ESXi where Secure Boot is enabled, the Kickstart will install ESXi normally only execute up to the %post section. However, it will not execute the %firstboot scripts and if you look at the /var/log/kickstart.log after the host boots, you should see the following message:

INFO UEFI Secure Boot Enabled, skipping execution of /var/lib/vmware/firstboot/001.firstboot_001

If you have Secure Boot enabled, %firstboot is not supported. The reason for this is Secure Boot mandates only known tardisks which can hold executable scripts, and a kickstart script is an unknown source so it can not run when Secure Boot is enabled. If you wish to continue using %firstboot scripts, the only option is to disable Secure Boot and then re-enable it after the installation. A preferred alternative is to convert your %firstboot logic into an external script which can then be applied using the vSphere API (recommended method) and this way you can still customize your ESXi host after the initial installations. I have already filed an internal documentation bug to add a note regarding Secure Boot and %firstboot, hopefully that will roll out with the net documentation refresh.