lstool.py

Generating vCenter Server & Platform Services Controller deployment topology diagrams

05.02.2016 by William Lam // 16 Comments

A really useful capability that vCenter Server used to provide was a feature called vCenter Maps. I say "used to" because this feature was only available when using the vSphere C# Client and was not available in the vSphere Web Client. vCenter Maps provided a visual representation of your vCenter Server inventory along with the different relationships between your Virtual Machines, Hosts, Networks and Datastores. There were a variety of use cases for this feature but it was especially useful when it came to troubleshooting storage or networking connectivity. An administrator could quickly identify if they had an ESXi host that was not connected to the right datastore for example with just a few clicks.

Although much of this information can be obtained either manually or programmatically using the vSphere API, the consumption of this data can sometimes be more effective when it is visualized.

I was recently reminded of the vCenter Maps feature as I have seen an increase in discussions around the different vSphere 6.0 deployment topology options. This is an area where I think we could have leveraged visualizations to provide a better user experience to help our customers understand what they have deployed as it relates to install, upgrade and expansion of their vSphere environment. Today, this information is spread across a variety interfaces ranging from the vSphere Web Client (here and here) as well as across different CLIs (here and here) and there is nothing that aggregates all of this dispart information into an easy to consume manner. Collecting this information can also be challenging as you scale up the number of environments you are managing or dealing with complex deployments that can also span multiple sites.

Would it not be cool if you could easily extract and visualize your vSphere 6.0 deployment topology? 🙂

Well, this was a little side project I recently took up. I have created a small python script called extract_vsphere_deployment_topology.py that can run on either a Windows Platform Services Controller (PSC) or a vCenter Server Appliance (VCSA) PSC and from that system extract the current vSphere deployment topology which includes details about the individual vCenter Servers, SSO Sites as well as the PSC replication agreements. The result of the script is outputted in the DOT format, a popular graph description language which can then be used to generate a diagram like the example shown below.Requirements:

vSphere 6.0 environment
Access to either a Windows or VCSA PSC as a System Administrator
SSO Administrator credentials

Step 1 - Download the extract_vsphere_deployment_topology.py python script to either your Windows vCenter Server PSC or vCenter Server Appliance (VCSA) PSC.

Step 2 - To run on a vCenter Server Appliance (VCSA) PSC, you will need to first set the script to an executable by running the following command:

chmod +x extract_vsphere_deployment_topology.py

To run on a vCenter Server for Windows PSC, you will need to first update your environmental PATH variable to include the python interpreter. Follow the directions here if you have never done this before and add C:\Program Files\VMware\vCenter Server\python

Step 3 - The script requires that you provide an SSO Administrator username and password. You can specify everything in the command-line or you omit the password in which you would then be prompted to enter.

To run the script on a VCSA PSC, run the following command specifying your credentials:

./extract_vsphere_deployment_topology.py -u *protected email* -p VMware1!

To run the script on Windows VC PSC, run the following command specifying your credentials:

python C:\Users\primp\Desktop\extract_vsphere_deployment_topology.py -u *protected email* -p VMware1!

Here is an example output from one of my environments.

graph vghetto_vsphere_topology_extraction {
   graph [fontsize = 20,label = "\nSSO Domain: vsphere.local"];
   subgraph cluster_0 {
      style=filled;
      node [style=filled];
      "vcenter60-5.primp-industries.com" -- "psc-06.primp-industries.com"
      label = "Site: East-Coast";
    }
   subgraph cluster_1 {
      style=filled;
      node [style=filled];
      "vcenter60-4.primp-industries.com" -- "psc-05.primp-industries.com"
      "psc-05.primp-industries.com";
      label = "Site: West-Coast";
    }
   "psc-06.primp-industries.com" -- "psc-05.primp-industries.com"
   "vcenter60-4.primp-industries.com" [color="0.578 0.289 1.000"]
   "vcenter60-5.primp-industries.com" [color="0.578 0.289 1.000"]
   "psc-06.primp-industries.com" [color="0.355 0.563 1.000"];
   "psc-05.primp-industries.com" [color="0.355 0.563 1.000"];
}

Step 4 - Save the output from the script and then open a browser that has internet access to the following URL: http://www.webgraphviz.com Paste the output and then click on the "Generate Graph" which will generate a visual diagram of your vSphere deployment. Hopefully it is pretty straight forward to understand and I have also colorized the nodes to represent the different functionality such as Blue for a vCenter Server and Green for Platform Services Controller.

In addition, if you have deployed an Embedded vCenter Server which is replicating with an External PSC (which is considered a deprecated topology and will not be supported in the future), you will notice the node is colored Orange instead as seen in the example below.

This is pretty cool if you ask me! 😀 Just imagine the possibilities if you could use such an interface to also manage operations across a given vSphere deployment when it comes to install, upgrade and expansion of your existing environment. What do you think, would this be useful?

I have done a limited amount of testing across Windows and the VCSA using a couple of deployment scenarios. It is very possible that I could have missed something and if you are running into issues, it would be good to provide some details about your topology to help me further troubleshoot. I have not done any type of testing using load balancers, so it is very likely that the diagram may not be accurate for these scenarios but I would love to hear from folks if you have tried running the script in such environments.

Configuring VCSA 6.0 as vSphere Web Client Server for vSphere 5.5

04.22.2015 by William Lam // 11 Comments

The vSphere 6.0 Web Client has been greatly improved with the release of vSphere 6.0 which includes a number of performance and UX enhancements. If you are interested in some of the details, be sure to check out this blog post by Dennis Lu, Product Manager of the vSphere Web Client. To really get the best possible user experience and to take advantage of all the new performance enhancements, it is recommend that you upgrade your entire vSphere environment which includes vCenter Server to vSphere 6.0. Having said that, I know this may not be possible for everyone immediately and it will take some time depending on your organizations software upgrade cycles and procedures, qualifications, burn in time, comfort left, etc. with vSphere 6.0 before completely moving over.

Over the last couple of weeks, I have seen quite a few requests from customers who have expressed interest in being able to just use the new vSphere 6.0 Web Client with their existing vSphere 5.5 environment as they make their transition over to vSphere 6.0. I can definitely understand where these customers are coming from and honestly, the vSphere Web Client should just be that, a UI Client. We should be able to decouple it from vCenter Server and be able to iterate on it based on feedback from our customers and partners. I did some investigation and I actually discovered that we in fact support something called Mixed-Version Transitional Environment in vCenter Server for Windows Upgrade. This is a bit of a mouth full but basically you can have a hybrid vCenter Server environment that consists of both vSphere 5.5 and 6.0 as you upgrade to full a full vSphere 6.0 environment.

I spent a couple of days researching this topic a bit more to see if I can come up with a solution that would ideally reduce number of changes introduced to a customers existing vSphere 5.5 environment while being able to leverage the new vSphere 6.0 Web Client. After many discussions, prototyping, snapshot reverts and with the help of one of my good GSS buddy G. Blair Fritz, we have come up with a very cool solution using the VCSA 6.0 as a "thin" vSphere 6.0 Web Client Server. The overall goal is to provide a period of time in which customers can use the new vSphere 6.0 Web Client with their existing vSphere 5.5 environment and when the time comes for a complete vSphere 6.0 upgrade, this "thin" vSphere 6.0 Web Client can be decommissioned and removed.

Disclaimer: Though this hybrid configuration is supported, using the VCSA as a "thin" vSphere Web Client Server is not officially supported. Please use at your own risk. It is still recommended that you upgrade your existing vSphere 5.5 environment to vSphere 6.0 as soon as possible to get the full benefits of the enhancements made to the vSphere 6.0 Web Client.

Requirements:

vSphere 5.5 running Windows using an External SSO Server
At least one vCenter Server 5.5 pointing to the External SSO Server

Here is the high level workflow as well as a diagram to help you visualize the process:

Step 1 - Upgrade your external SSO from vSphere 5.5 to new PSC 6.0
Step 2 - Deploy VCSA 6.0 and configure it to point the newly upgraded PSC 6.0
Step 3 - Running a configuration script within the VCSA 6.0 to optimize it as a "thin" vSphere Web Client Server

In my test environment, I have deployed a vCenter Server 5.5 which points to an external SSO (also running vSphere 5.5).

Step 1 - The first step is to upgrade the SSO server to the new PSC 6.0, you will follow the existing procedure by mounting the ISO and going through the guided installation. At this point, you can continue logging into the existing vSphere 5.5 Web Client and access your vCenter Server and its hosts and VMs.

Step 2 - Next, you will need to deploy a new Embedded VCSA 6.0 using either the Guided or Scripted Installation. You will need to make sure that it is joining to an existing SSO Domain by specifying the upgraded Windows PSC that you performed in step one. The SSO Domain Name should be vsphere.local as this was not a configurable option in earlier vSphere releases. At this point, you can now login to the VCSA 6.0 which provides the vSphere 6.0 Web Client but you will notice that you only see an empty inventory of the new vCenter Server 6.0 as well as an error message stating "Login failed due to invalid credentials for one or more vCenter Server systems"

The reason for this is that you need to restart the vpxd service on your vCenter Server 5.5 for it to be visible in the new vSphere 6.0 Web Client.

Note: It is important that if your external PSC is joined to an Active Directory Domain that you ensure the NTP Server specified in the VCSA 6.0 deployment also points to the same AD Server for the time source to be synchronized else you will run into problems later.

Step 3 - Login to your vCenter Server 5.5 and restart the vCenter Server service using the Services utility.

Step 4 - Once the vCenter Server service has restarted, you can now open a browser to the Hostname/IP Address of the VCSA 6.0 and you will see both vCenter Servers. You can now manage your vSphere 5.5 environment using the vSphere 6.0 Web Client.

I was pretty happy when I got this solution working but I was still not content. The smallest deployment size for an Embedded VCSA requires 8GB of memory, which is still a considerable amount of resources in my opinion. I wanted to optimize it further by turning off unnecessary services, modify the memory requirements for the unused services as well as un-registering the vCenter Server 6.0 endpoint so that you only see your vSphere 5.5 vCenter Servers only. Surprisingly, this took up the bulk of our research to figure out what could be turned off, how to properly turn it off and then un-registering the VC endpoint.

I have created the following shell script called setup_vcsa_as_webclient_client.sh which needs to be uploaded to the VCSA (need to enable Bash shell on the VCSA). The following three variables must be updated prior to running:

PSC_SERVER - The Hostname/IP Address of your external PSC
SSO_USERNAME - The SSO Administrator account
SSO_PASSWORD - The SSO Administrator password

Once everything completes successfully, you should turn off your VCSA and modify the memory from 8GB to 3GB. From my limited amount of testing, the overall memory utilization was sitting around ~2-2.5GB of memory, so I think configuring it to 3GB should be plenty and you can always adjust accordingly. Since we have disabled all the unnecessary services, the VCSA boot time should be pretty quick and now when you login to the vSphere Web Client, you should only see your vSphere 5.5 vCenter Servers and nothing else.

When the time comes and you are ready to fully upgrade your vSphere 5.5 environment to vSphere 6.0, you can decommission and remove this "thin" vSphere Web Client Server by following the procedure outlined in this VMware KB 2106736. I think it would be really nice to be able to update the vSphere Web Client outside of updating vCenter Server and truly providing a "client" that is decoupled. What do you think?

vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?

04.07.2015 by William Lam // 27 Comments

When deploying an Embedded vCenter Server or an external Platform Services Controller, one of the configurations you will be asked for is the vCenter Single Sign-On Domain Name and Site Name as seen in the screenshot below.

In addition to troubleshooting, you will also need to know about the SSO Domain Name + Site Name if you plan on deploying additional Platform Services Controller for replication purposes or additional vCenter Servers. It is important to note that you do not need to know this information explicitly when deploying using the new Guided UI Installation. You just need to know the hostname/IP Address of your PSC as the rest of the information will automatically be obtained by the tool.

The issue only arises when you are trying to perform a Scripted Installation and this is where you will need to provide both the SSO Domain Name and Site Name and below are the instructions on retrieving this information.

First off, you will need to login to your Platform Services Controller whether that be on a Windows Server or the VCSA.

SSO Domain Name

You will find it in the following two configuration files:

Windows:

C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.domain-name

VCSA:

/etc/vmware/install-defaults/vmdir.domain-name

VCSA 6.0u2:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

For more details, check out my previous blog post: vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?

SSO Site Name

First, you will need to identify where your Lookup Service is running on which is located on your PSC or your Embedded VC instance. What we are ultimately looking for is Lookup Service URL which is in the following format: https://[SERVER]/lookupservice/sdk If for whatever reason you do not know where your PSC is, then you can login to your vCenter Server and find the Lookup Service URL by running the following command:

Windows:

"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-ls-location --server-name localhost

VCSA:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost

Once we have the Lookup Service URL, we can then find the SSO Site Name by running the following command:

Windows:

"C:\Program Files\VMware\vCenter Server\python\python.exe" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\lstool.py" get-site-id --url https://vcenter60-6.primp-industries.com/lookupservice/sdk"

VCSA:

/usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url https://vcenter60-6.primp-industries.com/lookupservice/sdk 2> /dev/null

VCSA 6.0u2:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

As you can see the process to find the SSO Site Name is not really intuitive, but I know Engineering is aware of this and has plans to simplify this in the future.