vSphere 6.0 – Page 4

Automating Cross vCenter vMotion (xVC-vMotion) between the same & different SSO Domain

05.26.2016 by William Lam // 79 Comments

In the last couple of months, I have noticed an increase in customer interests in using the Cross vCenter vMotion (xVC-vMotion) capability that was introduced back in vSphere 6.0. In my opinion, I still think this is probably one of the coolest features of that release. There is no longer the limitation of restricting your Virtual Machine mobility from within a single vCenter Server, but you can now live migrate a running VM across different vCenter Servers.

The primary method to start a xVC-vMotion is by using the vSphere Web Client which requires your vCenter Servers Servers to be part of the same SSO Domain and will automatically enable the new Enhanced Linked Mode (ELM) feature. ELM allows you to easily manage and view all of your vCenter Servers from within the vSphere Web Client as shown in the example screenshot below.

However, the vSphere Web Client is not the only way to start a xVC-vMotion, you can also automate it through the use of the vSphere API. In fact, there is even an "Extended" capability of xVC-vMotion that is not very well known which I have written about here which allows to live migrate a running VM across two different vCenter Servers that are NOT part of the same SSO Domain. This Extended xVC-vMotion (unofficially I am calling it ExVC-vMotion) is only available when using the vSphere API as the vSphere Web Client is unable to display vCenter Servers that are part of another SSO Domain. Below is a quick diagram to help illustrate the point in which VM1 can be seamlessly migrated between different vCenter Servers from within the same SSO Domain as well as between different vCenter Servers that are not part of the same SSO Domain.

Note: For additional details and requirements for Cross vCenter vMotion, please have a look at this VMware KB 210695 and this blog post here for more information.

UPDATE (06/15/17) - I have added a few minor enhancements to the script to support migrating a VM given a vSphere Resource Pool which enables the ability to migrate to and from VMware's upcoming VMware Cloud on AWS (VMC). There is also an additional UppercaseUUID parameter which seems to be required for some xVC-vMotions where the vCenter Server's InstanceUUID must be provided as all upper case or the operation will fail. I have still not identified why this is needed for some migrations, but for now there is a nice flag that can be used to enable this if you are hitting this problem.

UPDATE (04/08/17) - In vSphere 6.0 Update 2, there is a known limitation which prevents a VM that has multiple VMDKs stored across different datastores to be xVC-vMotion (compute only) using the vSphere Web Client. This limitation no longer exists in vSphere 6.0 Update 3 but does require customers to upgrade. If you need to perform a compute-only xVC-vMotion where the VM has multiple VMDKs across different datastores, the vSphere APIs does not have this limitation and you do not necessary need to upgrade to be able to perform this operation. Huge thanks to Askar Kopayev who discovered this and also submitted an enhancement to my xMove-VM PowerCLI script to support this functionality.

Given the amount of interest recently and some of the feedback on my original ExVC-vMotion script which I had written about here, I figured it was time to refactor my code so that it could easily support both ExVC-vMotion as well as standard xVC-vMotion. In addition, I have also added support for migrating to and from a Distributed Virtual Switch (VDS), where as previously the example only supported Virtual Standard Switch (VSS). Lastly, the script now also supports migrating a VM that is configured with multiple vNICs.

The new script is now called xMove-VM.ps1 and is even more simpler than my original script. You will need to edit the script and update the following variables:

Variable	Description
vmname	Name of the VM to migrate
sourceVC	The hostname or IP Address of the source vCenter Server in which the VM currently resides in
sourceVCUsername	Username to the Source vCenter Server
sourceVCPassword	Password to the Source vCenter Server
destVC	The hostname or IP Address of the Destination vCenter Server in which to migrate the VM to
destVCUsername	Username to the Destination vCenter Server
destVCpassword	Password to the Destination vCenter server
datastore	Name of the vSphere Datastore to migrate the VM to
cluster	Name of the vSphere Cluster to migrate the VM to
resourcepool	Name of the vSphere Resource Pool to migrate the VM to
vmhost	Name of the ESXi host to migrate the VM to
vmnetworks	Name of the vSphere Network(s). in the order in of the vNIC interfaces to migrate the VM to
switch	Name of the vSphere Switch to migrate the VM to that is comma separated and ordered by vNIC
switchtype	The type of vSphere Switch (vss or vds)
xvctype	Whether this is a Compute-only Cross VC-vMotion (1=true or 0 = false)
UppercaseUUID	There cases where the vCenter Server InstanceUUID must be all caps ($true or $false)

Here is a screenshot of running the script:

Note: When changing the type of vSphere Switch, the following combinations will are supported by the script as well as using the vSphere Web Client: VDS to VDS, VSS to VSS and VSS to VDS. VDS to VSS is not supported using the UI or API and neither are 3rd party switches supported.

Here are some additional xVC-vMotion and vMotion articles that may also useful to be aware of:

Generating vCenter Server & Platform Services Controller deployment topology diagrams

05.02.2016 by William Lam // 16 Comments

A really useful capability that vCenter Server used to provide was a feature called vCenter Maps. I say "used to" because this feature was only available when using the vSphere C# Client and was not available in the vSphere Web Client. vCenter Maps provided a visual representation of your vCenter Server inventory along with the different relationships between your Virtual Machines, Hosts, Networks and Datastores. There were a variety of use cases for this feature but it was especially useful when it came to troubleshooting storage or networking connectivity. An administrator could quickly identify if they had an ESXi host that was not connected to the right datastore for example with just a few clicks.

Although much of this information can be obtained either manually or programmatically using the vSphere API, the consumption of this data can sometimes be more effective when it is visualized.

I was recently reminded of the vCenter Maps feature as I have seen an increase in discussions around the different vSphere 6.0 deployment topology options. This is an area where I think we could have leveraged visualizations to provide a better user experience to help our customers understand what they have deployed as it relates to install, upgrade and expansion of their vSphere environment. Today, this information is spread across a variety interfaces ranging from the vSphere Web Client (here and here) as well as across different CLIs (here and here) and there is nothing that aggregates all of this dispart information into an easy to consume manner. Collecting this information can also be challenging as you scale up the number of environments you are managing or dealing with complex deployments that can also span multiple sites.

Would it not be cool if you could easily extract and visualize your vSphere 6.0 deployment topology? 🙂

Well, this was a little side project I recently took up. I have created a small python script called extract_vsphere_deployment_topology.py that can run on either a Windows Platform Services Controller (PSC) or a vCenter Server Appliance (VCSA) PSC and from that system extract the current vSphere deployment topology which includes details about the individual vCenter Servers, SSO Sites as well as the PSC replication agreements. The result of the script is outputted in the DOT format, a popular graph description language which can then be used to generate a diagram like the example shown below.Requirements:

vSphere 6.0 environment
Access to either a Windows or VCSA PSC as a System Administrator
SSO Administrator credentials

Step 1 - Download the extract_vsphere_deployment_topology.py python script to either your Windows vCenter Server PSC or vCenter Server Appliance (VCSA) PSC.

Step 2 - To run on a vCenter Server Appliance (VCSA) PSC, you will need to first set the script to an executable by running the following command:

chmod +x extract_vsphere_deployment_topology.py

To run on a vCenter Server for Windows PSC, you will need to first update your environmental PATH variable to include the python interpreter. Follow the directions here if you have never done this before and add C:\Program Files\VMware\vCenter Server\python

Step 3 - The script requires that you provide an SSO Administrator username and password. You can specify everything in the command-line or you omit the password in which you would then be prompted to enter.

To run the script on a VCSA PSC, run the following command specifying your credentials:

./extract_vsphere_deployment_topology.py -u *protected email* -p VMware1!

To run the script on Windows VC PSC, run the following command specifying your credentials:

python C:\Users\primp\Desktop\extract_vsphere_deployment_topology.py -u *protected email* -p VMware1!

Here is an example output from one of my environments.

graph vghetto_vsphere_topology_extraction {
   graph [fontsize = 20,label = "\nSSO Domain: vsphere.local"];
   subgraph cluster_0 {
      style=filled;
      node [style=filled];
      "vcenter60-5.primp-industries.com" -- "psc-06.primp-industries.com"
      label = "Site: East-Coast";
    }
   subgraph cluster_1 {
      style=filled;
      node [style=filled];
      "vcenter60-4.primp-industries.com" -- "psc-05.primp-industries.com"
      "psc-05.primp-industries.com";
      label = "Site: West-Coast";
    }
   "psc-06.primp-industries.com" -- "psc-05.primp-industries.com"
   "vcenter60-4.primp-industries.com" [color="0.578 0.289 1.000"]
   "vcenter60-5.primp-industries.com" [color="0.578 0.289 1.000"]
   "psc-06.primp-industries.com" [color="0.355 0.563 1.000"];
   "psc-05.primp-industries.com" [color="0.355 0.563 1.000"];
}

Step 4 - Save the output from the script and then open a browser that has internet access to the following URL: http://www.webgraphviz.com Paste the output and then click on the "Generate Graph" which will generate a visual diagram of your vSphere deployment. Hopefully it is pretty straight forward to understand and I have also colorized the nodes to represent the different functionality such as Blue for a vCenter Server and Green for Platform Services Controller.

In addition, if you have deployed an Embedded vCenter Server which is replicating with an External PSC (which is considered a deprecated topology and will not be supported in the future), you will notice the node is colored Orange instead as seen in the example below.

This is pretty cool if you ask me! 😀 Just imagine the possibilities if you could use such an interface to also manage operations across a given vSphere deployment when it comes to install, upgrade and expansion of your existing environment. What do you think, would this be useful?

I have done a limited amount of testing across Windows and the VCSA using a couple of deployment scenarios. It is very possible that I could have missed something and if you are running into issues, it would be good to provide some details about your topology to help me further troubleshoot. I have not done any type of testing using load balancers, so it is very likely that the diagram may not be accurate for these scenarios but I would love to hear from folks if you have tried running the script in such environments.

Automating the configuration of new logon banner for the vSphere Web Client in 6.0 Update 2

03.22.2016 by William Lam // 1 Comment

The ability to display a logon banner prior to logging into the vSphere Web Client UI is a new capability that was introduced with the release of vSphere 6.0 Update 2. In addition to the logon banner message, customers can also configure a mandatory consent check box requiring all users to accept prior to logging in. Below is a screenshot of the new logon banner in the vSphere Web Client, prior to login.

The configuration of the logon banner is only available in the Platform Services Controller (PSC) Administrator UI which can be accessed by opening a browser to the following URL: https://[PSC-HOSTNAME]/psc

Although there is currently not an API for administrating the various PSC configurations (being worked on for a future release of vSphere), it is still possible to automate the different aspects of the PSC. There are several options depending on your personal reference as well as environmental configurations.

Option 1: Use the /opt/vmware/bin/sso-config.sh utility on the PSC itself which is the simplest method but it does require either SSH or local shell access.

You first need to create a file that contains the message you wish to display in the logon banner. In this example I have created a filed called banner.txt that contains an example logon message. You can then run the following command which will allow you to set the banner as well as the title and whether to enable the consent check box:

/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt -title 'Logon Disclaimer' -enable_checkbox N

If you wish to only configure the consent check box, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner -enable_checkbox Y

If you wish to only configure the title, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner -title 'vGhetto Disclaimer'

If you wish to only configure the banner message, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt

If you wish to disable the logon banner feature, you can run the following command:

/opt/vmware/bin/sso-config.sh -disable_logon_banner

Option 2: Use the ldapmodify utility either locally on the PSC itself or from a remote system which I have previously written about here.

Disclaimer: Please take extreme caution when connecting to the vmdird database. You should take extreme care in making changes while in the database else you can negatively impact your environment.

In this example, I will be remotely connecting to the PSC from my desktop which is a Mac OS X system, but it can be any system which contains the ldapsearch and ldapmodify commands.

To query for the logon banner configurations, run the following ldapsearch command (specifying your environment details):

/usr/bin/ldapsearch -h 192.168.1.140 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local" -s sub "objectclass=vmwSTSTenant"

From the output, we can see there are three properties which control the logon banner feature:

vmwSTSLogonBannerEnableCheckbox
vmwSTSLogonBannerTitle
vmwSTSLogonBanner

To configure the new logon banner, we first need to create a file that contains our configuration changes. To do so, create a file called change.ldif which contains the following (replace with your settings):

dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local
changetype: modify
replace: vmwSTSLogonBannerEnableCheckbox
vmwSTSLogonBannerEnableCheckbox: TRUE
-
replace: vmwSTSLogonBanner
vmwSTSLogonBanner: You void all warranty/safety by logging into vGhetto Datacenter, you have been warned :-)
-
replace: vmwSTSLogonBannerTitle
vmwSTSLogonBannerTitle: vGhetto Disclaimer

To apply the configuration, run the following ldapmodify command (specifying your environment details):

/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

To completely disable the logon banner feature, create a new file called change2.ldif which contains the following (replace with your settings):

dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local
changetype: modify
delete: vmwSTSLogonBannerEnableCheckbox
-
delete: vmwSTSLogonBanner
-
delete: vmwSTSLogonBannerTitle

To apply the configuration, run the following ldapmodify command (specifying your environment details):

/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

If you are interested in automating other aspects of the PSC admin configurations, be sure to check out these two articles here and here.