WilliamLam.com

Automating VCSA 5.1 (vCenter Server Appliance) Configurations

by // 15 Comments

If you have seen my previous article on Automating VCSA (vCenter Server Appliance) 5.0, you will notice the existing script will not work on latest VCSA 5.1, without a minor tweak. The reason for this is due to the new vCenter SSO (Single Sign-On) configuration that is now part of the initial setup.

Note: If you would like to learn more about the new vCenter SSO, I would recommend you take a look at the What's New vCenter Server 5.1 whitepaper.

Luckily, the change is quite simple and in the example below, you will be configuring vCenter Server SSO to run in the embedded mode on the VCSA. I have also enhanced the script to include the joining of an Active Directory domain if you wish to have the VCSA backed by AD.

Disclaimer: This is for educational purposes only, this is not officially supported by VMware. Please test this in a development environment before using it on actual systems.

Here is a script with the minimal commands needed for running an embedded configuration:

#!/bin/bash

# User Configurations
JOIN_AD=0
AD_DOMAIN=primp-industries.com
AD_USER=administrator
AD_PASS=mysupersecurepassword
VCENTER_HOSTNAME=vcenter51-1.primp-industries.com

## DO NOT EDIT BEYOND HERE ##

echo "Accepting EULA ..."
/usr/sbin/vpxd_servicecfg eula accept

if [ ${JOIN_AD} -eq 1 ]; then
        echo "Configuring vCenter hostname ..."
        SHORTHOSTNAME=$(echo ${VCENTER_HOSTNAME} |  cut -d. -f1)
        /bin/hostname ${VCENTER_HOSTNAME}
        echo ${VCENTER_HOSTNAME} > /etc/HOSTNAME
        sed -i "s/localhost.localdom/${VCENTER_HOSTNAME}/g" /etc/hosts
        sed -i "s/localhost/${SHORTHOSTNAME}/g" /etc/hosts

        echo "Configuring Active Directory ..."
        /usr/sbin/vpxd_servicecfg ad write "${AD_USER}" "${AD_PASS}" ${AD_DOMAIN}
fi

echo "Configuring Embedded DB ..."
/usr/sbin/vpxd_servicecfg db write embedded

echo "Configuring SSO..."
/usr/sbin/vpxd_servicecfg sso write embedded

echo "Starting VCSA ..."
/usr/sbin/vpxd_servicecfg service start

Note: By default the script will not join an AD domain, you will need to change the JOIN_AD variable to 1 and ensure you specify all the Active Directory configurations including the FQDN of your vCenter Server as this is required for properly join your VCSA to your AD domain. If you choose to join an AD domain, make sure you have proper forward/reverse DNS configured on the VCSA and you will also need to reboot the VCSA for the changes to take effect.

To run the script remotely (you do not need to copy it to VCSA), use the following command:

# ssh root@[vcsa-ip] < configureVCSA.sh

You can now quickly deploy and configure your VCSA in just minutes versus spending 5-10 minutes clicking around and waiting for the web interface. Once you have tried this script, you will never go back to manually configuring the VCSA using the web interface!

Forwarding vCenter Server Logs to a Syslog Server

by // 24 Comments

I was recently asked if it was possible to forward vCenter Server logs to a regular syslog server and if so, how difficult would it be to setup? I had researched this topic several years back, but did not find an ideal solution as vCenter Server was only available on the Windows platform and vCenter Server itself did not provide any syslogging capabilities. With the release of vSphere 5.0, VMware introduced the VCSA (vCenter Server Appliance) and realized I never revisited this question for the VCSA.

After a bit of digging, I found that the VCSA comes installed with syslog-ng by default which is used to provide the vSphere Syslog Collector functionality as well as the local syslog client for the VCSA itself. Given this information, it was pretty trivial to source the local /var/log/vmware/vpx/vpxd.log (symlink to latest vCenter Server log as well as other important vCenter logs) and automatically forward that to a remote syslog server.

VCSA Syslog Configuration

You will need to edit the following configuration file on the VCSA - /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

# vpxd source log
source vpxd {
       file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vpxd-alert.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse));
};

# Remote Syslog Host
destination remote_syslog {
       udp("172.30.0.45" port (514));
};

# Log vCenter Server vpxd log remotely
log {
        source(vpxd);
        destination(remote_syslog);
};

Note: If you are interested in more details about "sourcing" a local log, take a look at this article here which I used as a reference.

Once you have saved the configuration file, you just need to restart the syslog client by running the following command:

service syslog restart

If you login to your remote syslog server, you should now see that your VCSA is forwarding it's vpxd logs over. Pretty simple, right? 🙂 You can of course forward over other vCenter Server logs by adding additional source files. The main key is that there is a symlink that automatically points to the latest log file which you map as the source file.

I am sure many of you are probably asking what about vCenter Server for Windows? Well, I did also looked into a similar solution but it's a bit more complex than just adding a few configuration entries.

Windows vCenter Server Syslog Configuration

Disclaimer: This is not supported by VMware, please use at your own risk.

There are a few challenges with the Windows version, by default there are no syslog clients installed and there is no automatic symlink to the latest vCenter Server log. Having said that, you can still get the above solution working using the free syslog-ng, but it takes a few more steps. The solution will be leveraging Cygwin, so we can run the free version of syslog-ng on a Windows system.

Step 1 - Install Cygwin and configure syslog-ng service on your vCenter Server as described in this article. You will need to add an additional package which is "Admin/Cron" that will be used in the subsequent steps. In the example, I ran syslog-ng under default system account, but if you need to run it under a different user, you may find these two articles to be helpful

  • http://linux.subogero.com/894/cron-on-cygwin/
  • http://www.davidjnice.com/articles/cygwin_cron-service.html

Step 2 - Just as before, we will need to edit /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

# vpxd source log
source vpxd {
       file("/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs/vpxd.log" follow_freq(1) flags(no-parse));
};

# Remote Syslog Host
destination log_additional_remote_syslog {
       udp("172.30.0.45" port (514));
};

# Log vCenter Server vpxd log remotely
log {
        source(vpxd);
        destination(log_additional_remote_syslog);
}; 

You will notice this time, we are accessing the Windows C drive by using the /cygdrive path

Step 3 - As mentioned earlier, there is no symlink that points to the latest vCenter Server log, which makes it difficult to map to static log file. What we can do is basically identify the latest vpxd-#.log and automatically create a symlink and that is what is being monitored by syslog-ng to forward the log. We will be using a cronjob and a very simple shell script.

You can place the script in the current home directory /home/Administrator (or whatever default user you happen to have installed Cygwin on)

Here is the shell script which I have called latest.sh:

#!/bin/bash

VC_LOG_PATH="/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs"
LATEST=$(ls -tr "/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs/" | grep "vpxd-[0-9]*.log" | grep -v ".gz" | tail -1)

if [ ! -e "${VC_LOG_PATH}/vpxd.log" ]; then
        touch "${VC_LOG_PATH}/vpxd.log"
fi

ln -sf "${VC_LOG_PATH}/${LATEST}" "${VC_LOG_PATH}/vpxd.log"

Make sure to set the script to be executable: chmod +x latest.sh

Step 4 - Create a cronjob which will run every minute (you might be able to set a longer delay depending on your environment and it's rotation frequency) by editing the following file /var/cron/tabs/Administrator or using crontab -e
Step 5 - Start or restart syslog-ng by running one of the following commands:

Start - cygrunsrv -S syslog-ng
Restart - cygrunsrv -E syslog-ng;cygrunsrv -S syslog-ng

If everything was successful, you should start seeing your vCenter Server logs from your Windows system forward to your remote syslog server. When the latest vpxd-#.log changes, the cronjob will automatically take care of re-linking to the latest vpxd-#.log to ensure you continue forwarding your vCenter Server logs.

As you can see, it is not trivial to set this up for the Windows vCenter Server as it is for the VCSA, but you now have a way to centrally store all your important vCenter Server logs for archival or analysis purposes without having to manually copy them off to a remote volume.

Few additional notes:

  • I believe the paid version of syslog-ng supports file globbing, so you do not need to setup a cronjob and just watch for all vpxd-*.log, but in this example, I went with a completely free solution
  • You might also be able to leverage Splunk to monitor vCenter Server logs as noted in this Splunkbase entry, but I have not verified and I am not sure if you have to pay for this feature in Splunk
  • Here is an easier way of forwarding vCenter Server logs on Windows using Snare by Raphael Schitz.

Automating vCenter Server Appliance 5.0 (VCSA) Configurations

by // 2 Comments

I recently had a need to deploy half a dozen or so vCenter Server Appliance (VCSA) in my home lab and even though it is one of the easiest appliances to setup, going through the web management interface can still be time consuming. I was looking to see if there was a way to automate some of the configurations and while digging in some of the vCenter logs I came across /var/log/vmware/vpx/vpxd_cfg.log which provided the answer I was looking for.

If you watch the log as you configure the VCSA through the web management interface, you will see a series of commands calling /usr/sbin/vpxd_servicecfg. This utility is actually just a shell script wrapper for the configuration of vpxd (vCenter Server Daemon) and it's respective services.

As you can see there is a warning message about the use of the tool, so I will also re-iterate with my own disclaimer:

Disclaimer: This is for educational purposes only, this is not officially supported by VMware. Please test this in a development environment before using it on actual systems.

For my lab, this was exactly what I was looking for to quickly spin up VCSA and configure all the necessary services to start the vCenter Service. In my lab, I was able to get the VCSA booted up via DHCP and execute a simple shell script remotely via SSH to VCSA and then connect to vCenter Server after the process was completed.

Here is script with the minimal commands needed for running an embedded configuration:

#!/bin/bash

echo "Accepting EULA ..."
/usr/sbin/vpxd_servicecfg eula accept

echo "Configuring Embedded DB ..."
/usr/sbin/vpxd_servicecfg db write embedded

echo "Configuring SSO..."
/usr/sbin/vpxd_servicecfg sso write embedded

echo "Starting VCSA ..."
/usr/sbin/vpxd_servicecfg service start

To run the script remotely (you do not need to copy it to VCSA), use the following command:

# ssh root@[vcsa-ip] < configureVCSA.sh

The script accepts the EULA, configures the database as embedded configuration and then starts up the vCenter service. A return code is provided upon each command execution which has VC_CFG_RESULT=N where N can be 0 which is a successful execution and any other value means there is an error. To figure out what the code means, there is a section in the shell script that lists all the codes and their meaning. In general, you should be getting 0 for all commands

Here are some other useful commands that I tested with:

Configure Active Directory:

/usr/sbin/vpxd_servicecfg ad write [AD_USERNAME] [AD_PASSWORD] [AD_DOMAIN]

Re-initialize vCenter DB *** PLEASE BE VERY CAREFUL WHEN USING THIS COMMAND, AS DB IS WIPED***

ensure vpxd has stopped

vpxd_servicecfg stop

re-init DB

vpxd_servicecfg db initialize

You can also configure an external database for vCenter, NIS directory service and even replace SSL certificates but I will leave that to the reader for some exploration.