WilliamLam.com

Automating the configuration of new logon banner for the vSphere Web Client in 6.0 Update 2

by // 1 Comment

The ability to display a logon banner prior to logging into the vSphere Web Client UI is a new capability that was introduced with the release of vSphere 6.0 Update 2. In addition to the logon banner message, customers can also configure a mandatory consent check box requiring all users to accept prior to logging in. Below is a screenshot of the new logon banner in the vSphere Web Client, prior to login.

vsphere-web-client-logon-banner-1
The configuration of the logon banner is only available in the Platform Services Controller (PSC) Administrator UI which can be accessed by opening a browser to the following URL: https://[PSC-HOSTNAME]/psc

vsphere-web-client-logon-banner-0
Although there is currently not an API for administrating the various PSC configurations (being worked on for a future release of vSphere), it is still possible to automate the different aspects of the PSC. There are several options depending on your personal reference as well as environmental configurations.

Option 1: Use the /opt/vmware/bin/sso-config.sh utility on the PSC itself which is the simplest method but it does require either SSH or local shell access.

You first need to create a file that contains the message you wish to display in the logon banner. In this example I have created a filed called banner.txt that contains an example logon message. You can then run the following command which will allow you to set the banner as well as the title and whether to enable the consent check box:

/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt -title 'Logon Disclaimer' -enable_checkbox N

If you wish to only configure the consent check box, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner -enable_checkbox Y

If you wish to only configure the title, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner -title 'vGhetto Disclaimer'

If you wish to only configure the banner message, you can just run the following command:

/opt/vmware/bin/sso-config.sh -set_logon_banner /root/banner.txt

If you wish to disable the logon banner feature, you can run the following command:

/opt/vmware/bin/sso-config.sh -disable_logon_banner

Option 2: Use the ldapmodify utility either locally on the PSC itself or from a remote system which I have previously written about here.

Disclaimer: Please take extreme caution when connecting to the vmdird database. You should take extreme care in making changes while in the database else you can negatively impact your environment.

In this example, I will be remotely connecting to the PSC from my desktop which is a Mac OS X system, but it can be any system which contains the ldapsearch and ldapmodify commands.

To query for the logon banner configurations, run the following ldapsearch command (specifying your environment details):

/usr/bin/ldapsearch -h 192.168.1.140 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local" -s sub "objectclass=vmwSTSTenant"

vsphere-web-client-logon-banner-2
From the output, we can see there are three properties which control the logon banner feature:

  • vmwSTSLogonBannerEnableCheckbox
  • vmwSTSLogonBannerTitle
  • vmwSTSLogonBanner

To configure the new logon banner, we first need to create a file that contains our configuration changes. To do so, create a file called change.ldif which contains the following (replace with your settings):

dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local
changetype: modify
replace: vmwSTSLogonBannerEnableCheckbox
vmwSTSLogonBannerEnableCheckbox: TRUE
-
replace: vmwSTSLogonBanner
vmwSTSLogonBanner: You void all warranty/safety by logging into vGhetto Datacenter, you have been warned :-)
-
replace: vmwSTSLogonBannerTitle
vmwSTSLogonBannerTitle: vGhetto Disclaimer

To apply the configuration, run the following ldapmodify command (specifying your environment details):

/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

To completely disable the logon banner feature, create a new file called change2.ldif which contains the following (replace with your settings):

dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local
changetype: modify
delete: vmwSTSLogonBannerEnableCheckbox
-
delete: vmwSTSLogonBanner
-
delete: vmwSTSLogonBannerTitle

To apply the configuration, run the following ldapmodify command (specifying your environment details):

/usr/bin/ldapmodify -f change.ldif -h 192.168.1.140 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

If you are interested in automating other aspects of the PSC admin configurations, be sure to check out these two articles here and here.

New method of enabling Multiwriter VMDK flag in vSphere 6.0 Update 1 (UI + API)

by // 22 Comments

Prior to vSphere 6.0, in order for multiple Virtual Machines to share a VMFS-backed VMDK, the Multiwriter VMDK flag must be enabled, which is accomplished by adding a specific VM Advanced Setting as shown in this VMware KB 1034165. For customers who were accustomed to this old method, you may have found that this option no longer works. This was true regardless if you had used the vSphere Web/C# Client or the vSphere API to apply the configuration.

To provide for a better user experience, this behavior was changed in vSphere 6.0 and a new API was introduced for enabling and disabling the Multiwriter VMDK flag. In vSphere 6.0, there is now a new sharing attribute on the Virtual Disk backing property which accepts one of two values: sharingMultiWriter or sharingNone for specifying the Multiwriter flagIn my opinion, this is a positive change as we too often rely on the VM Advanced Setting as a generic "catch all" for enabling or configuring various settings versus adding proper APIs to a VM.

Although there is now a proper API which will can help enable new Automation use cases, one thing that was still lacking was an easy way to enable the Multiwriter VMDK flag using the UI. In vSphere 6.0 Update 1, we have now introduced a new UI dropdown option called "sharing" in the vSphere Web Client for configuring the Multiwriter VMDK flag which can be found in the Virtual Disk section when editing a VM as shown in the screenshot below.

Screen Shot 2015-10-16 at 10.19.05 AM
Note: The new Sharing property is only available in the vSphere Web Client UI and is not available in the vSphere C# Client. If you need to configure the Multiwriter VMDK flag and do not have access to the vSphere Web Client, you can use the vSphere API to help automate this configuration change.

UPDATE (06/27/16) - Created two scripts which now cover scenarios where VM is online and/or offline.

For those interested in Automating the Multiwriter VMDK flag, I have created two PowerCLI scripts called: configureMultiwriterVMDK.ps1 (offline VM configuration) and addMultiwriterVMDK.ps1 (online VM configuration) which demonstrates this new vSphere API.

The first script configureMultiwriterVMDK.ps1 allows you enable the Multiwriter Flag for an existing VMDK that has already been added to a VM. This operation must be done while the VM is powered off and to use the script you will need to specify the name of the VM as well as the label of the VMDK in which you wish to enable the Multiwriter VMDK flag (e.g. Hard disk 2). Below is an example of running the script.

Screen Shot 2015-10-16 at 8.24.46 PM
The second script addMultiwriterVMDK.ps1 allows you to hot-add a new VMDK and enables the Multiwriter Flag to a VM. This operation is done while the VM is powered on which is a common workflow for customers needing to hot-add storage to an existing Cluster solution such as Oracle RAC for example all while the system is running. To use the script, there are a few variables you will need to edit:

  • vmName - The name of the VM you wish to perform th operation on
  • vmdkFileNamePath - This is the full datastore path to the name of the underlying VMDK. See the script for more information but the syntax will look like "[datastore-name] vm-home-dir/vmdk-name.vmdk"
  • diskSizeGB - The capacity of the VMDK to add (GB)
  • diskControllerNumber - The SCSI controller number (0-3)
  • diskUnitNumber - The Unit number (0-16)

Erasing existing disk partitions now available in the vSphere Web Client (vSphere 6.0 Update 1)

by // 9 Comments

One of the primary challenges when trying re-purpose existing storage devices is ensuring that all data and existing partitions have been completely removed. Often times, customers end up resorting to third-party tools like GParted which requires you to boot your server into the LiveCD before you can remove the existing partitions. This is less than ideal, especially if you need to perform this operation across multiple systems.

For customers who wish to re-purpose their existing storage devices for other use, including VSAN, there is now a new UI option in the vSphere Web Client introduced in vSphere 6.0 Update 1 to help assist with this procedure. I had not seen anyone talk about this feature yet and figure I would share some details as this is something I have heard customers ask for in the past. You can find this new option (icon with disk and eraser) by clicking onto a specific ESXi host and then selecting the Manage->Storage Adapters and then highlighting the specific storage device you wish to erase as seen in the screenshot below.

erase-disk-partition-in-vsphere-web-client-0
Once the erase partition icon or action is selected, you will then be presented with a summary of the existing partitions on the disk and then prompted to confirm that you wish to delete ALL partitions on the disk.

erase-disk-partition-in-vsphere-web-client-1
After the operation has successfully completed, you can now re-purpose the storage device for other use like VSAN!

For those of you who are interested from an Automation standpoint, this UI operation actually makes use of an existing vSphere API that has been for quite some time called updateDiskPartitions() under the StorageSystem manager of an ESXi host. To erase all partitions, you simply pass in an empty spec to the API method.

In addition, I also want to quickly mention that you will also have the ability to edit and erase existing disk partitions using the ESXi Embedded Host Client Fling which will be available in a future update. Below is a quick screenshot on what that would look like. 

erase-disk-partition-in-vsphere-web-client-2