WilliamLam.com

How to generate a pre-authenticated HTML5 VM console link in vSphere 5.5 that works on all OSes!

by // 79 Comments

One of the coolest feature that I have been personally looking forward to is the ability to access a virtual machine's remote console on a Mac OS X system which is now available as part of the vSphere 5.5 release. When you launch the VM's remote console using the vSphere Web Client on a Mac OS X system, instead of using the regular VMRC, it launches an HTML5 based console for your VM.

One thing that you might have noticed when performing this same action on a Windows desktop using the vSphere Web Client is that VMRC is used instead of the HTML5 console (notice the generated URLs are different). My understanding is that the VMRC is currently more performant than the HTML5 console and hence it is preferred when possible. I have been using the HTML5 based console for quite sometime now and I have not had any issues with it. I really hope to see us use the HTML5 console as the default console in the future!

Having said all this, there is a way for all users can benefit from this new HTML5 based VM console which is to automatically generate the URL which can then be loaded into any HTML5 supported web browser on either a Mac OS X, Windows or even Linux system. I used a similar method in generating the VM Remote Console for the vSphere Web Client which is VMRC specific.

UPDATE (07/26/17): I have just published a PowerCLI script called GenerateVMConsoleURL.ps1 which runs against a vSphere 6.5 environment and supports generating the HTML5 VM Console, Standalone VMRC and WebMKS URLs. As noted by several folks in the comments below, the pre-auth mechanism no longer works post-6.0, so you will need to have logged already for the console to automatically load OR you will be prompted to login before being re-directed. For those that wish to generate VM Console URLs for older vSphere versions, you can modify the script to handle those other scenarios.

The really cool part about this solution is that you can provide a one time pre-authenticated HTML5 based VM console URL that can then be given to your end users to access their VM. This of course can be automatically generated through a custom portal without needing to provide direct access to the vSphere Web Client.

Here is an example of what the HTML5 VM console URL looks like in vSphere 5.5:

http://reflex.primp-industries.com:7331/console/?vmId=vm-23&vmName=VCSA&host=reflex.primp-industries.com&sessionTicket=cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07&thumbprint=4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07

In vSphere 5.5 Update 2, the HTML5 VM Console now defaults to a secure connection and the two components of the URL that needs to be modified is from HTTP to HTTPS and from port 7331 to port 7343. The script has been updated to support a new command-line option called isvSphere55u2 which by default is set to false but can be set to true to generate an updated URL if you are running vSphere 5.5 Update 2

There are basically seven important components to the URL:

  • Hostname of the vCenter Server - reflex.primp-industries.com
  • The HTML5 console port, default is 7331 but can automatically change depending on available ports on the system (for vSphere 5.5 Update 2 the port has changed to 7343 for a secure connection)
  • The MoRef ID of the virtual machine - vm-23
  • The virtual machine name - VCSA
  • The vCenter Server advanced setting "VirtualCenter.FQDN" - reflex.primp-industries.com
  • The session ticket generated from vCenter Server - cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07
  • The vCenter Server SHA1 SSL Thumbprint - 4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07

Disclaimer: The HTML5 VM console URL format/behavior is not guaranteed and may change in the future. The only officially supported method of accessing the console is by launching it through the vSphere Web Client.

Here is a vSphere SDK for Perl script called generateHTML5VMConsole.pl that given a VM name as input, will automatically generate a one-time pre-authetnicated HTML5 VM console URL that can be loaded into any supported web browser.

Note: To ensure the URL is valid, you will need to make sure your application is setup to run like a daemon or agent. To simulate this in my sample script, I just sleep for 60 seconds before disconnecting the session. I also used the openssl utility to extract the SHA1 thumbprint, so you will need a system that has that installed along with the vSphere SDK for Perl if you wish to use the script. The quickest way is to leverage vMA.

To load the HTML5 VM console, take the URL that is generated and point it to a browser:

Since this is an HTML5 based VM console, I can even load this into my iPad!

Hopefully this article will give you new ideas on how you can leverage and integrate the new HTML5 VM Console within your environment and hopefully this will be the defacto console in the future!

Here is an example of what the URL looks like for vSphere 5.1 & 5.5:

https://reflex.primp-industries.com:9443/vsphere-clien/vmrc/vmrc.jsp?vm=urn:vmomi:VirtualMachine:vm-1506:EE26E7F6-591B-4256-BD7A-402E5AC9E0A8

There are basicallythree important components to the URL:

  • Hostname of the vCenter Server - reflex.primp-industries.com
  • The vCenter instanceUUID which used to uniquely identify a vCenter Server - EE26E7F6-591B-4256-BD7A-402E5AC9E0A8
  • The MoRef ID of the virtual machine - vm-1506

Quick Tip - Useful ovftool debugging options

by // 7 Comments

This morning I needed perform several OVF uploads using ovftool and provide that information to engineering to investigate some performance issues. I tend to error on the side of providing more information than requested. The ovftool provides some really useful debugging options that are really handy in these situations but are un-documented. I can never seem to remember the exact syntax and hence I am documenting them here. I will also file a documentation bug to ensure these get added 🙂

UPDATE (08/19/13) - Thanks to one of the OVF engineers, it turns out you can see all the debug options and their definitions by running ovftool --help debug

The two options that I am referring to are:

--X:logFile=
--X:logLevel=

The first option allows you to log the entire ovftool session to a file which you can then send off to someone and the second option allows you to control the verbosity of the logs which I normally set to use verbose.

Here is an example of how you would use these ovftool options:

/Applications/VMware\ OVF\ Tool/ovftool --X:logFile=upload.log --X:logLevel=verbose -ds=mini-local-datastore-2 '--net:Network 1=VM Network' VMware-vCenter-Server-Appliance-5.1.0.10200-1235310_OVF10.ova vi://root@mini

Once the ovftool has completed its operation, you can take a look at the log and you will see quite a bit of information including some additional ovftool options that can be specified on the command-line which start with /X:

--> /X:httpTimeout = "0"
--> /X:imageReadSize = "262144"
--> /X:logFile = "upload.log"
--> /X:logLevel = "verbose"
--> /X:maxNumberOfTermSignals = "5"
--> /X:maxRedirects = "256"
--> /X:maximalDeltaConfSize = "8"
--> /X:maximalDeltaTreeSize = "6"
--> /X:progressSmoothing = "60"
--> /X:useMacNaming = "true"
--> /X:vCloudEnableGuestCustomization = "false"
--> /X:vCloudKeepTemplate = "true"
--> /X:vCloudTimeout = "3600"
--> /X:vimSessionTimeout = "600"

Note: I would not recommend tweaking the other options as the defaults should be sufficient, but logging to a file or upping the verbosity can be useful for troubleshooting

Quick Tip - Marking an HDD as SSD or SSD as HDD in ESXi

by // 9 Comments

This was a neat little trick that I picked up in one of our internal storage email distribution groups which I thought was quite interesting. Some of you may recall an article I wrote a few years back on how to trick ESXi 5 in seeing an SSD device which relied on adding an SATP rule for a particular storage device. The actual use case for this feature was that not all real SSD devices would automatically be detected by ESXi and this allowed a user to manually mark it as an SSD.

The other "non-official" use case for this feature allows a user to basically "simulate" an SSD by marking a regular HDD as an SSD and I this actually helped me test the new Host Cache (Swap-to-SSD) feature which was part of the vSphere 5 release. Recently there was a customer inquiry asking for the complete reverse, in which you could mark an SSD as an HDD. I am not sure what the use case was behind this request but I did learn it was actually possible using a similar method of adding a SATP rule to a device.

Note: If you are running Nested ESXi, a much simpler solution for simulating an SSD is to use the following trick noted here.

Before you begin, you will need to identify the storage device in which you wish to mark as an SSD or HDD. Use the following ESXCLI command to do so:

esxcli storage core device list

In the screenshot above, we can see for our device mpx.vmhba1.C0:T2:L0 shows "Is SSD" parameter as false. After running two commands below, we should then see that property change to true.

Marking HDD as SSD:

esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d mpx.vmhba1:C0:T2:L0 -o enable_ssd
esxcli storage core claiming reclaim -d mpx.vmhba1:C0:T2:L0

 

Marking SSD as HDD:

esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d mpx.vmhba1:C0:T1:L0 -o disable_ssd
esxcli storage core claiming reclaim -d mpx.vmhba1:C0:T1:L0

To perform the opposite, you simply just need to add the disable_ssd option. If you receive an error regarding a duplicate rule, you will need to first remove the SATP rule and then re-create with the appropriate option.

Another useful tidbit is that if you are running Nested Virtualization and the virtual disk of that VM is stored on an actual SSD, that virtual disk will automatically show up within the guestOS as an SSD so no additional changes are required.