WilliamLam.com

Automating the configuration of new logon banner for the vSphere Web Client in 6.0 Update 2

by // 1 Comment

The ability to display a logon banner prior to logging into the vSphere Web Client UI is a new capability that was introduced with the release of vSphere 6.0 Update 2. In addition to the logon banner message, customers can also configure a mandatory consent check box requiring all users to accept prior to logging in. Below is a screenshot of the new logon banner in the vSphere Web Client, prior to login.

vsphere-web-client-logon-banner-1
The configuration of the logon banner is only available in the Platform Services Controller (PSC) Administrator UI which can be accessed by opening a browser to the following URL: https://[PSC-HOSTNAME]/psc

vsphere-web-client-logon-banner-0
Although there is currently not an API for administrating the various PSC configurations (being worked on for a future release of vSphere), it is still possible to automate the different aspects of the PSC. There are several options depending on your personal reference as well as environmental configurations.

Option 1: Use the /opt/vmware/bin/sso-config.sh utility on the PSC itself which is the simplest method but it does require either SSH or local shell access.

You first need to create a file that contains the message you wish to display in the logon banner. In this example I have created a filed called banner.txt that contains an example logon message. You can then run the following command which will allow you to set the banner as well as the title and whether to enable the consent check box:

/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt -title 'Logon Disclaimer' -enable_checkbox N

If you wish to only configure the consent check box, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner -enable_checkbox Y

If you wish to only configure the title, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner -title 'vGhetto Disclaimer'

If you wish to only configure the banner message, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt

If you wish to disable the logon banner feature, you can run the following command:

/opt/vmware/bin/sso-config.sh -disable_logon_banner

Option 2: Use the ldapmodify utility either locally on the PSC itself or from a remote system which I have previously written about here.

Disclaimer: Please take extreme caution when connecting to the vmdird database. You should take extreme care in making changes while in the database else you can negatively impact your environment.

In this example, I will be remotely connecting to the PSC from my desktop which is a Mac OS X system, but it can be any system which contains the ldapsearch and ldapmodify commands.

To query for the logon banner configurations, run the following ldapsearch command (specifying your environment details):

/usr/bin/ldapsearch -h 192.168.1.140 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local" -s sub "objectclass=vmwSTSTenant"

vsphere-web-client-logon-banner-2
From the output, we can see there are three properties which control the logon banner feature:

  • vmwSTSLogonBannerEnableCheckbox
  • vmwSTSLogonBannerTitle
  • vmwSTSLogonBanner

To configure the new logon banner, we first need to create a file that contains our configuration changes. To do so, create a file called change.ldif which contains the following (replace with your settings):

dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local
changetype: modify
replace: vmwSTSLogonBannerEnableCheckbox
vmwSTSLogonBannerEnableCheckbox: TRUE
-
replace: vmwSTSLogonBanner
vmwSTSLogonBanner: You void all warranty/safety by logging into vGhetto Datacenter, you have been warned :-)
-
replace: vmwSTSLogonBannerTitle
vmwSTSLogonBannerTitle: vGhetto Disclaimer

To apply the configuration, run the following ldapmodify command (specifying your environment details):

/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

To completely disable the logon banner feature, create a new file called change2.ldif which contains the following (replace with your settings):

dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local
changetype: modify
delete: vmwSTSLogonBannerEnableCheckbox
-
delete: vmwSTSLogonBanner
-
delete: vmwSTSLogonBannerTitle

To apply the configuration, run the following ldapmodify command (specifying your environment details):

/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

If you are interested in automating other aspects of the PSC admin configurations, be sure to check out these two articles here and here.

Getting started with the new VSAN 6.2 Management API

by // 4 Comments

As I have previously written, with the release of VSAN 6.2 (vSphere 6.0 Update 2), a new VSAN Management API has been introduced which allows developers, partners and administrators to automate all aspects of VSAN functionality including: complete lifecycle (install, upgrade, patch), monitoring (including RVC and VSAN Observer capabilities), configuration and troubleshooting. Simply put, anything that you can do from the vSphere Web Client UI or the RVC CLI from a VSAN standpoint, you will be able to completely automate using one of the four new VSAN Management SDKs: Python, Ruby, Java and C#.

In this article, I will show you how to quickly get started with the new VSAN Management API by exercising two of the VSAN Management SDKs: Python and Ruby. Another must bookmark is the VSAN Management API Reference Guide which provides more details on the individual APIs and how they work.

Step 1 - Download the VSAN Management SDK of your choice. You can find the VSAN Management SDK downloads in either of two locations:

In this example, I will be using the VSAN Management for Python and Ruby.

Step 2 - Extract the VSAN Management SDK zip file which should give you a directory that contains a README on how to setup the SDK and three folders as shown in the screenshot below:

Screen Shot 2016-03-17 at 6.27.58 AM
The bindings directory contains the language specific library to the VSAN Management API. The docs folder contains the offline copy of the VSAN Management API Reference Guide and lastly the sample directory contains a basic sample to connect to VSAN Cluster as well as an individual ESXi host contributing to a VSAN Cluster.

Step 3 - Each of the VSAN Management SDKs extends the existing vSphere Management SDKs. This means that you will need to have the appropriate vSphere Management SDK installed on your system before you can proceed further. In our example, Python requires pyvmomi (vSphere SDK for Python) and Ruby requires rbvmomi (vSphere SDK for Ruby). If you are on Mac OS X, it is pretty easy to install these packages. Make sure you are running the latest version of these SDKs.

Installing pyvmomi:

pip install pyvmomi

Upgrading pyvmomi: (if you already have it installed)

pip install --upgrade pyvmomi

Installing rbvmomi:

gem install rbvmomi

Step 4 - Copy the VSAN Management SDK library file over to the samples directory.

VSAN Mgmt SDK for Python:

cp bindings/vsanmgmtObjects.py samplecode/

VSAN Mgmt SDK for Ruby:

cp bindings/vsanmgmt.api.rb samplecode/

Step 5 - At this point, we can quickly verify that everything was setup correctly by going into the samplecode directory and then run one of the following commands below. If everything is working as expected, then you should see the usage information being printed out. If you do not, the issue is most likely with vSphere Management SDK either not being the latest version or not configured in the default library path for the sample to access.

VSAN Mgmt SDK for Python:

python vsanapisamples.py

Screen Shot 2016-03-17 at 6.43.32 AM
VSAN Mgmt SDK for Ruby:

ruby vsanapisamples.rb

Screen Shot 2016-03-17 at 6.43.56 AM
Step 6 - Now that we have verified our VSAN Management SDK installation was successful, we can now connect to a real VSAN Cluster. To do so, run the following command and specify your vCenter Server along with the credentials as well as the name of the VSAN Cluster. If successful, you should see the status for each of your VSAN hosts and its current state as seen in the screenshot below.

VSAN Mgmt SDK for Python:

python vsanapisamples.py -s 192.168.1.139 -u '*protected email*' -p 'VMware1!' --cluster VSAN-Cluster

Screen Shot 2016-03-17 at 6.54.38 AM
VSAN Mgmt SDK for Ruby:

ruby vsanapisamples.rb -o 192.168.1.139 -u '*protected email*' -k -p 'VMware1!' VSAN-Cluster

Screen Shot 2016-03-17 at 6.56.34 AM
Step 7 - Each individual ESXi hosts that participate in the VSAN Cluster also exposes an VSAN Management API endpoint. We can use this exact same sample to connect to one of the hosts to get some additional information. To do so, run the following command and specify your ESXi hosts along with the credentials.

VSAN Mgmt SDK for Python:

python vsanapisamples.py -s 192.168.1.190 -u root -p vmware123

Screen Shot 2016-03-17 at 7.00.28 AM
VSAN Mgmt SDK for Ruby:

ruby vsanapisamples.rb -o 192.168.1.190 -u root -p vmware123

Screen Shot 2016-03-17 at 6.59.46 AM
As you can see, it is pretty straight forward on getting the new VSAN Management SDK up and running. The provided sample only scratches the surface of what is possible and for a complete list of capabilities within the new VSAN Management API, be sure to check out the VSAN Management API Reference document for more information. I am really looking forward to seeing what solutions our customers and partners develop using this new API. If you would like to contribute code samples back to the community or just find new samples be sure to check out the VMware Developer Center Sample Exchange

Applying Custom Attributes beyond just Host & Virtual Machine Objects

by // 5 Comments

I recently came to learn about a neat little tidbit from one of my readers, Ziad, regarding vSphere Custom Attributes. I had been a long time user of Custom Attributes when I was a customer and heavily used it in-conjunction with Automation. This is how many of our customers leveraged this capability, especially around provisioning and reporting use cases. Custom Attributes allows you to specify custom "keys" associated with either a Virtual Machine or an ESXi host object. Once these keys have been created, you can then assign object-specific metadata "values" to these objects. An example would be a Custom Attribute called "Application Owner" and for VM1 I can have a value of "Duncan Epping" and for VM2 I can have a value of "Alan Renouf".

Custom Attributes can be created using either the vSphere API or from the vSphere C# Client (currently not possible using the vSphere Web Client). The UI has already restricted Custom Attributes to either a Host, Virtual Machine or Global which means it applies to both objects as shown in the screenshot below. This has always been my understanding of how Custom Attributes work and has also been documented as such.

applying-custom-feilds-beyond-hosts-and-vms-0
Well, it turns out, this "restriction" was only a UI restriction. The actual Custom Attributes feature can actually be applied across variety of vSphere Objects and not just limited to Hosts and Virtual Machines when using the vSphere API. If we look at the Custom Attributes API which uses the customFieldsManager and specifically the AddCustomFieldDef() method which is used to create new custom fields. We can see that the moType property can accept any of the supported vSphere Objects such as the following:

I decided to quickly verify this by giving this a try in my lab and using PowerCLI (just one of the many options to the vSphere API) to exercise the Custom Attributes API against a Datacenter, Cluster, Datastore and Network object.

We start off by retrieving the CustomFieldsManager and then creating four new Custom Fields for each of the respective vSphere Objects that we want to associate with.

$customFieldMgr = Get-View ($global:DefaultVIServer.ExtensionData.Content.CustomFieldsManager)

# Custom Field Key names

$dcCFName = "DatacenterCF"
$clCFName = "ClusterCF"
$dsCFName = "DatastoreCF"
$netCFName = "NetworkCF"

# Create Custom Field Keys for Datacenter, Cluster, Datastore & Network objects

$customFieldMgr.AddCustomFieldDef($dcCFName,"Datacenter",$null,$null)
$customFieldMgr.AddCustomFieldDef($clCFName,"ClusterComputeResource",$null,$null)
$customFieldMgr.AddCustomFieldDef($dsCFName,"Datastore",$null,$null)
$customFieldMgr.AddCustomFieldDef($netCFName,"Network",$null,$null)

Next, we retrieve a Datacenter, Cluster, Datastore and Network object in our vSphere inventory and then call the setCustomValue() API which is used to set the value for a particular Custom Attribute that has been defined for that object.

# Set Custom Field for Datacenter, Cluster, Datastore & Network objects

$datacenterName = "Santa-Barbara"
$datacenterView = Get-View -ViewType Datacenter -Property Name -Filter @{"name"=$datacenterName}
$datacenterView.setCustomValue("$dcCFName","AB-123")

$clusterName = "Production"
$clusterView = Get-View -ViewType  ClusterComputeResource -Property Name -Filter @{"name"=$clusterName}
$clusterView.setCustomValue("$clCFName","BC-456")

$datastoreName = "datastore1"
$datastoreView = Get-View -ViewType Datastore -Property Name -Filter @{"name"=$datastoreName}
$datastoreView.setCustomValue("$dsCFName","CD-789")

$networkName = "VM Network"
$networkView = Get-View -ViewType Network -Property Name -Filter @{"name"=$networkName}
$networkView.setCustomValue("$netCFName","EF-012")

If we take a look at our vSphere Web/C# Client, we should see tasks being initiated on setting the custom value. So far, so good.

applying-custom-feilds-beyond-hosts-and-vms-1
Finally, it is time to retrieve these Custom Attributes to see if they were indeed properly set. We first need to build up a hash table of the key's name, so we can easily correlate the specific Custom Attribute name with the unique key ID. Next, we can then extract the Value property which extends CustomFieldStringValue and contains both the key which we can look up from our look up table and most importantly, the value which contains the data that we had set earlier.

# Retrieve Custom Field for Datacenter, Cluster, Datastore & Network objects

# Create Custom Field & Name lookup table
# Borrowed from my buddy Alan Renouf http://www.virtu-al.net/2009/05/29/powercli-on-steroids-custom-attributes/
$customKeyLookup = @{}
$customNameLookup = @{}
$customFieldMgr.Field | % {
$customKeyLookup.Add($_.Key, $_.Name)
$customNameLookup.Add($_.Name, $_.Key)
}

# Print the Custom Fields property for each vSphere Object

$datacenterView = Get-View -ViewType Datacenter -Property Name,Value -Filter @{"name"=$datacenterName}
Write-Host "`nDatacenter:" $datacenterName "has Custom Field:" $customKeyLookup[$datacenterView.Value[0].Key] "with value:" $datacenterView.Value[0].Value "`n"

$clusterView = Get-View -ViewType  ClusterComputeResource -Property Name,Value -Filter @{"name"=$clusterName}
Write-Host "`Cluster:" $clusterName "has Custom Field:" $customKeyLookup[$clusterView.Value[0].Key] "with value:" $clusterView.Value[0].Value "`n"

$datastoreView = Get-View -ViewType Datastore -Property Name,Value -Filter @{"name"=$datastoreName}
Write-Host "`Datastore:" $datastoreName "has Custom Field:" $customKeyLookup[$datastoreView.Value[0].Key] "with value:" $datastoreView.Value[0].Value "`n"

$networkView = Get-View -ViewType Network -Property Name,Value -Filter @{"name"=$networkName}
Write-Host "`Network:" $networkName "has Custom Field:" $customKeyLookup[$networkView.Value[0].Key] "with value:" $networkView.Value[0].Value "`n"

Here is a screenshot of running the above PowerCLI code and we can see the values match up with what we had set earlier. This is pretty awesome if you ask me!

applying-custom-feilds-beyond-hosts-and-vms-2
Some of you might be thinking, if Custom Attributes can be applied across different vSphere Objects, then why should I use vSphere Tags? Well, there are definitely some differences between the two today and I highly recommend you give this article a read first before continuing further. Although Custom Attributes may provide similiar behaviors to vSphere Tags, there is a lot of limitations that come with Custom Attributes. I do believe vSphere Tags is the future and when we bring vSphere Tags to parity with some of the use cases that Custom Attributes can only cover today only, it will be an even more powerful feature.

There are several major benefits to vSphere Tags over Custom Attributes. One they are multi-vCenter Server aware when joined to the same SSO Domain, which means existing Tags/Tag Categories are automatically made available versus Custom Attributes which are bounded by a single vCenter Server. vSphere Tags is also deeply integrated with VM Storage Policy and Content Library for provisioning which is lacking with Custom Attributes and require custom Automation to leverage its metadata. A single vSphere Tag can support one or more groupings to a given vSphere Object, where as Custom Attribute must be tied to a single object. Lastly, being able to globally search across various tagged vSphere Objects is trivial with vSphere Tags. For Custom Attributes, you would need to first identity the object which means you must search through all objects unless you know the one you are looking for first and then iterate through the list of Custom Attributes looking for the specific key and then finally the value. There is definitely still room for improving vSphere Tags, but I think it is definitely the more superior metadata system that customers should be looking at going forward.

One final note which I thought was interesting is that PowerCLI also provides a few cmdlets for managing Custom Attributes and it looks like they did in fact support different vSphere Object types as documented here. The only issue is that it does not cover all vSphere Objects that is possible and if you still may want to consider calling into the vSphere API from PowerCLI and by-passing the default cmdlets.