PowerCLI – Page 44

PowerCLI module for Proactive HA (including simulation)

03.08.2017 by William Lam // 6 Comments

Proactive HA is a very cool new feature that was introduced in vSphere 6.5, which enables our hardware vendors to communicate their hardware specific health information directly into vSphere and specifically with vSphere DRS. This hardware health information can then be leveraged by vSphere DRS to take proactive actions to guard against potential hardware failures. Brian Graf, Product Manager for Proactive HA, DRS and overall vSphere Availability has a nice blog post here where he goes into more details on how Proactive HA works.

As Brian mentioned, a few of our select hardware vendors are already in the process of developing and certifying Proactive HA integrations for vSphere, so stay tuned for those announcements in the future by both VMware and our partners. In the meantime, there was an interesting comment from one of our field folks asking whether it would be possible to "simulate" the new Quarantine Mode operation for an ESXi host to be better understand how this feature might work?

Quarantine Mode is new mode for ESXi, which can only be triggered by Proactive HA. It functions similar to the Maintenance Mode operation, but instead of migrating all VMs off, it will allow existing VMs to continue to run but prevent additional new VMs to be placed on the host.

Proactive HA does provide a set of public vSphere APIs under the healthUpdateManager which is primarily targeted at our hardware vendors to consume. However, these APIs could also be used by our customers to get visibility into the current Proactive HA configuration as well as the health of the ESXi hosts from the Proactive HA provider standpoint. Going back to our initial question, it is possible to "register" a fake Proactive HA provider and manually generate health updates to simulate what a real Proactive HA solution could look like.

Disclaimer: This is for educational and lab purposes only. Creating a fake or simulated Proactive HA provider is not officially supported by VMware, please use at your own risk. The creation of Proactive HA providers as well as publishing health updates is for our hardware vendors to consume which in turn will provide native integrations that include customer visible interfaces within the vSphere Web Client.

[Read more...]

Automating vSphere Global Permissions with PowerCLI

03.06.2017 by William Lam // 6 Comments

vSphere Global Permissions was first introduced in vSphere 6.0, which provides a simple and consistent method for assigning permissions for individual users and/or groups across multiple vCenter Servers joined to the same vCenter Single Sign-On (SSO) Domain. Global permissions works in the same way as traditional vSphere Permissions, but rather than assigning a permission to a specific entity, the association is applied at the root level of the vCenter Server.

The other added benefit for customers who are using vCenter's Enhanced Linked Mode (ELM), the global permission will be available to all vCenter Servers which are part of that ELM configuration. Without global permissions, a customer would have to create and assign a new permission to each and every vCenter Server and ensure that they all match which can be very error prone.

One downside to using vSphere Global Permissions today is that there is currently not a public API for those wanting to automate the creation and deletion of global permissions. However, as quick workaround, I have found a way in which you can automate the global permission management using the vSphere MOB which would allow us to use PowerCLI or any other vSphere Automation toolkit for that matter.

UPDATE (04/07/25) - See this updated blog post for listing vSphere Global Permissions.

I have created a simple PowerShell script called GlobalPermissions.ps1 which contains two functions New-GlobalPermission and Remove-GlobalPermission which hopefully is self explanatory in what they do.

To create a new vSphere Global Permission, the function requires the following 6 parameters:

vc_server - Hostname or IP of the vCenter Server
vc_username - The VC username
vc_password - The VC password
vc_user - The vSphere User to assign the permission to
vc_role_id - The Role ID associated with the vSphere Role within vCenter Server (more on this later)
propagate - true or false on whether to propagate the permission

To retrieve the vc_role_id, you simply need access to a vCenter Server and run the following snippet along with the name of the vSphere Role to get its ID. In the example below, the Administrator role is called "Admin" using the vSphere API and the following will return the ID:

(Get-VIRole -Name Admin).ExtensionData.RoleId

Once you have retrieved the vSphere Role ID, here is an example of running the New-GlobalPermission function:

$vc_server = "192.168.1.51"
$vc_username = "*protected email*"
$vc_password = "VMware1!"
$vc_role_id = "-1"
$vc_user = "VGHETTO\lamw"
$propagate = "true"
New-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user -vc_role_id $vc_role_id -propagate $propagate

If the operation was successful, you should be able to login using the vSphere Web Client and refresh the global permissions view and you should see the new permission assignment as shown in the screenshot below.

To remove a global permission, you only need to provide the vCenter Server, its credentials and the user permission you wish to remove:

Remove-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user

Exploring new VCSA VAMI API w/PowerCLI: Part 9

03.02.2017 by William Lam // Leave a Comment

In Part 9, we were initially going to cover the new backup and restore capability that was introduced in vSphere 6.5 for the VCSA. However, it looks like Brian Graf has already created an awesome PowerCLI module (Backup-VCSA.psm1) that can be used to backup the VCSA, which you can find more details here.

While going through the VAMI APIs for the backup feature, I did notice there was one interesting backup VAMI API that Brian may not have looked at, at least I did not see a function consuming this API. Prior to initiating a backup for either a VCSA or PSC, you can query the expected size of the backup. This information can be pretty helpful beyond just for backups, but understanding the size of your system at any point in time.

VAMI UI Area of Focus

The backup and restore feature for the VCSA is located in the VAMI UI, but there is not a UI for retrieving the current expected backup size.

VAMI APIs Used

GET /appliance/recovery/backup/parts

PowerCLI Function

Get-VAMIBackupSize

Sample Output

The output is pretty straight forward, it provides the total expected backup size (MB) as well as the breakdown of the total size into "configuration" data and the "Stats, Events, Alarms and Tasks" (SEAT) data.

With this new API, you can now easily see how large your vCenter Server Database is and take appropriate action such as truncating the data or reducing the retention period which can especially help with the performance of vCenter Server as well as the time it takes during upgrades.