vcloud director

CoreOS is now available as OVA in Alpha channel

01.08.2015 by William Lam // 11 Comments

It looks like the folks over at CoreOS have now also produced an OVA image which can be easily imported into a vSphere or even vCloud Air environment. Previously, it took a few addition steps to convert the "hosted" disk image originally meant for VMware Fusion/Workstation to properly work in a vSphere/vCloud Air based environment. The CoreOS OVA is currently only available in the CoreOS Alpha channel for the "Production" image which also includes VMware's open-vm-tools and the latest release as of today is CoreOS 554.0.0.

You can using either the vSphere C# or vSphere Web Client to import the OVA or you can automate this simply by using command-line via ovftool. Here's an example snippet that you can run directly against an ESXi host:

/Applications/VMware\ OVF\ Tool/ovftool \
        --name=CoreOS \
        "--net:VM Network=VM Network" \
        --datastore=mini-local-datastore-2 \
        --diskMode=thin \
        'http://alpha.release.core-os.net/amd64-usr/554.0.0/coreos_production_vmware_ova.ova' \
        'vi://root:*protected email*'

You can also import the CoreOS OVA into vCloud Air's but you will need to connect into the vCloud Director interface to upload or you can also use ovftool. For more details on how to import using ovftool, check out their documentation here.

Here's a screenshot of deploying CoreOS from a vCloud Air Catalog:

The "Production" CoreOS image does not contain insecure SSH keys as the "insecure" image and so you will still need to create a Cloud Config ISO if you wish to further customize the image including login credentials. You can take a look at the script I had created for deploying CoreOS from the Stable channel and for more details check out the Cloud Config documentation as well.

Configuring a "Whitelist" for VM advanced settings in vCloud Director

05.10.2014 by William Lam // 3 Comments

The ability to preserve a Virtual Machine's "virtual hardware personality" during an export has been around since the release of vSphere and vCloud Director 5.1 also known as a Lossless OVF Export. However, when it comes time to import that Virtual Machine back into your environment, will it be a "lossless" import? For vSphere, the answer is yes as long as you click on the "Accept extra configuration options" during the import of your OVF/OVA in the vSphere Web Client.

For vCloud Director however, the answer is sadly no. If you try to import an OVF/OVA that contains additional VM advanced settings, vCloud Director will automatically strip away these parameters before importing the Virtual Machine. As annoying as this is for end users, there is a very good reason why this happens.

In a public cloud you do not know who your users are and whether they have malicious intentions. Since the "Extra Configuration" of a Virtual Machine can not be validated, the safest way to guard against this type of a security risk is by sanitizing the content prior to upload.

Although I have known about this default behavior in vCloud Director for some time now, it was only in a recent meeting with some of our internal folks managing our OneCloud environment did I realize how annoying this behavior was for "private" clouds as well. I was looking to import an existing OVF that contains several VM Advanced settings, but realized this would not be supported due to the sanitization of the OVF.

The other issue is that vApps within OneCloud are also exported/re-imported into other vCloud Director environments. Even if our Cloud Administrator were to make a one time exception and manually add these these VM Advanced Settings, they would automatically be stripped away the next time they were re-imported into another environment. After our meeting, I thought there had to be a better way! (at least I hope)

Disclaimer: This may or may not be officially supported by VMware, please use at your own risk.

In doing a quick bit of research, it turns out this is actually a pretty elegant solution that allows you to create a "Whitelist" of trusted VM advanced settings that would be accepted as part of the import process in vCloud Director. To configure this "Whitelist", you will need to add a new category called ExtraConfigWhitelist into the vCloud Director Database for each and every VM advanced setting that you wish to allow.

To demonstrate this functionality, I have the latest vCloud Director appliance (I believe this should also work on 5.1 as well) running and I would like to add the following VM advanced settings to the whitelist:

scsi0:0.virtualSSD
scsi0:1.virtualSSD
scsi0:2.virtualSSD
disk.enableUUID

Before starting, you will need to SSH to our vCloud Director instance and stop the VCD service by running the following command:

/etc/init.d/vmware-vcloud stop

Next, you will need to switch over to the "oracle" user by running the following command:

su - oracle

sqlplus vcloud/VCloud

Once you have logged in, you will need to insert the following rows into the "config" table of VCD Database:

INSERT INTO config (config_id, cat, name, value, sortorder) VALUES (seq_config.NextVal, 'ExtraConfigWhitelist', 'scsi0:0.virtualSSD', 'true', 0);
INSERT INTO config (config_id, cat, name, value, sortorder) VALUES (seq_config.NextVal, 'ExtraConfigWhitelist', 'scsi0:1.virtualSSD', 'true', 0);
INSERT INTO config (config_id, cat, name, value, sortorder) VALUES (seq_config.NextVal, 'ExtraConfigWhitelist', 'scsi0:2.virtualSSD', 'true', 0);
INSERT INTO config (config_id, cat, name, value, sortorder) VALUES (seq_config.NextVal, 'ExtraConfigWhitelist', 'disk.enableUUID', 'true', 0);

Note: The syntax used here is for an Oracle database. You may need to tweak it if you are using MS SQL Server.

Finally, for the changes to go live you just need to start up your VCD instance:

/etc/init.d/vmware-vcloud start

Once the VCD service has returned, you can now import any OVF/OVA that contains a list of approved VM advanced settings and VCD will ensure these settings are preserved as part of the import. I hope this solution is something our OneCloud team will consider as it solves my immediate problem but I also think this can greatly benefit the overall use base, especially those building out content.

Note: Even though this "whitelist" option is available, I would still recommend you carefully determine which VM advanced setting is required for your environment and minimize the size of the list as much as possible from an operational perspective, especially when it comes to new installation or upgrades.

How To Run The SilverLining Fling Without Installing It In vCloud Director

02.26.2013 by William Lam // 5 Comments

A few weeks back the VMware Lab's team released a cool new fling called SilverLining which allows users to build a simplified user-interface for vCloud Director. This interface can be run from any modern web-browser that supports HTML5, CSS3 and Javascript. To access the SilverLining interface, you must first install it on a vCloud Director 5.1 Cell.

From a development or proof of concept perspective, it would be really nice to be able to run SilverLining locally from your desktop and point it to a valid vCloud Director 5.1 instance for testing. Well, this is exactly what Andrea Siviero, a Consulting Architect for VMware discovered while playing around with the SilverLining Fling.

UPDATE: 2/28 - For Safari, you can use open /Applications/Safari.app/ --args -disable-web-security

Disclaimer: The solution described here is specifically for Chrome running on Mac OS X or Windows. I have not looked into equivalent settings for other browsers.

Here are the steps required to make this work:

Step 1 - Download SilverLining and extract the contents to your local desktop

Step 2 - Under Silverlining->js directory, there is a file called main.js that needs to be modified. Add the following right under "$(document).ready(function() {" which should point to the base URL of your vCloud Director instance:

localStorage.server = "https://vcd.primp-industries.com";

Step 3 - Launch Chrome with the additional argument via the command-line and load the index.html in the SilverLining directory:

open /Applications/Google\ Chrome.app/ --args -disable-web-security

Note: For Windows version of Chrome just pass in the following either via command-line or shortcut to Chrome.exe -disable-web-security

If everything was successful, you should be able to login to the vCloud Organization of your choice and see all the vApps and Catalogs you have access to!

If you receive the "You are attempting to connect to a system no longer supported" shown in the screenshot below:

You may be pointing to a vCloud Director instance that is using a self-signed certificate and you will need to trust the site before proceeding. To do so, open up a new tab and enter the following URL (substituting your vCloud Director URL):

https://vcd.primip-industries.com/api/versions

Click on the "Proceed Anyway" and then reload the index.html page and you should now be able to login to vCloud Director.

I would like to thank Andrea for sharing this awesome tip! Now you can easily develop and test your own custom interface using the Javascript SDK provided by SilverLining all on your desktop. Best of all, you can now point this to any remote vCloud Director 5.1 instance whether that be private or public!