The content of this section includes information to help you configure the vsphere provisioning adapter job, which authenticates to a VMware hypervisor environment and then discovers VMs in that environment.
The information is organized in the following sections:
Before you can provision and manage VMs with the vsphere provisioning adapter job, you must perform some initial steps to configure it in order to get it running.
Make sure that the Orchestration Agent is installed and started on a supported host.
For more information, see Section 2.0, Installing Cloud Manager Orchestration Components.
If you are installing the agent to a vSphere environment, you can install the agent either locally on the vCenter Server (the vCenter appliance is not supported), or on a dedicated system (virtual or physical) as long as the OS in that system is supported for the Orchestration Agent.
In the Cloud Manager Orchestration Console, log in to the Orchestration Server that you want to use to manage vSphere VMs.
In the Explorer tree of the Orchestration Console, select the Orchestration Server or “grid” object, then select the tab in the admin view to open the Authentication page.
Create a credential to authenticate to the vCenter Server. In most cases, the credential is for “administrator” account of the Windows machine where the vCenter Server is running.
On the Authentication page, scroll to the Credential Manager (consisting of the panel and the panel), then click to display the dialog box.
Fill in the fields of the dialog box:
Name: Enter a value in that identifies the vCenter Web service to log in to.
User: Enter the user name used to connect to the vCenter Web service.
Secret: Enter the password of the vCenter Web service user.
Type: (Optional) Enter any string that lets you categorize similar credentials into a category or group. For example, for the vsphere provisioning adapter you might enter a “type” called vsphere.
For more information, see Authentication Page
in the NetIQ Cloud Manager 2.1.5 Orchestration Console Reference.
Click .
In the Explorer tree, expand the container, then expand the container to expose all of the provisioning adapter jobs.
In the Explorer tree, select the job to open the Admin view.
In the Admin view, select the tab to open the Job Configuration page, then expand the Accounts table on this page.
On the Accounts table, select to open the Add a New Account dialog box.
Fill in the fields of the dialog box:
Account Name: Enter the name you wish to use to refer to this vCenter serveras within Orchestrator. This name can be any value, but once selected, it should not be changed.
vSphere Webservice URL: Enter the URL of the vCenter Web Service server.
Credential Name: Enter the name of the credential from the Credential Manager that you want to use for logging in to the vCenter Web service server.
Auto Portgroup Creation: (Optional) If selected and the vsphere_ignoreNetwork policy is used, port groups are automatically created on a host if it does not have access to the specified network.
Auto Portgroup Disconnect: (Optional) If selected, the vNIC on a VM is disconnected when it is shut down.
Auto Portgroup Deletion: (Optional) If selected, when the VM is shut down, it checks for port groups on the VM host that has no VMs associated with it and deletes them, if possible. This setting is best used with and .
Associate the vsphere_client policy to the resource that will access the vCenter Server.
When the vsphere provisioning adapter job starts, this policy constrains the resource for the job to run the Web service commands.
In the Explorer tree, expand the group, select the client resource that is to access the vCenter Web Service server, then select the tab in the admin view to open the page.
On the Policies page, click to open the Policy Selection dialog box, then in the list, select the policy, click , then click to associate this policy with this resource. For more information, see Resource Policies Page
in the NetIQ Cloud Manager 2.1.5 Orchestration Console Reference.
If you want to connect multiple vCenter Servers, refer to Section 6.1.2, Discovering Enterprise Resources in Multiple vSphere Environments.
Discover the VM images on the vCenter Server and populate the Orchestration Console Explorer tree.
From the main menu, select > to display the Discover VM Hosts and Repositories dialog box.
In the Discover VM Hosts and Repositories dialog box, select the job, then click .
HINT:Ensure that this job completes before proceeding to Step 10.c: Repositories where VMs might reside must be discovered prior to any attempt to discover VM images residing there.
From the main menu, select > . to open the Discover VM Images dialog box.
In the Source Repositories table of the Discover VM Images dialog box, select the repositories where vSphere images are stored, click to move the repositories to the Target Repositories table, then click to run the image discovery.
The following table provides detailed information about other policies associated with the vSphere provisioning adapter that are used to manage the vSphere hosts and the VMs in the grid. The policy settings are applied to all the VMware VMs in the grid.
Table 6-1 Virtual Machine Management Policies for vSphere
|
Policy Name |
Description |
Additional Details |
|---|---|---|
|
vsphere |
Contains the constraints used to select the vCenter Server resources. |
Do not modify this policy. |
|
vsphere_assignPool |
If you need to assign the VMs to a certain cluster (for example, a cluster root pool), or if you want to assign VMs to pools “owned” by your customers, use this policy. |
When applied this policy allows the VM to reside only on VM hosts that have access to the assigned resource pool (resource.vm.pool). |
|
vsphere_client |
Contains the settings used to run the vsphere job on the associated vSphere resource. |
You need to associate the vsphere_client policy to a vSphere resource before the discovery works. For more information, see Step 9. |
|
vsphere_ignoreNetwork |
Includes special facts that allow VMs to consider a VM host despite a missing required Network. |
If ignoreNetworkCheck is set, a vBridge (portgroup) can be dynamically created on a VM power-on event. This works in conjunction with the auto_portgroups_creation fact found in the vpshere.policy. Make sure that you set the auto_portgroups_creation fact to true or else the portgroup will not be created during the VM power-on event. |
|
vspherePA |
Includes the basic constraints for the vsphere provisioning adapter. |
Do not modify this policy. |
|
vSphereUpdate |
Includes settings for the vsphereUpdateDaemon job. The policy can be modified directly or the user can edit job args in the schedule that is created by default installation of the Cloud Manager Orchestration Server. |
For more information, see Configuring the vSphere Update Client. |
|
vsphereVmHostVnc |
Includes port settings to identify a range of ports to be used for remote connections on a specified VM host. |
When applied, this policy defines a range of port numbers to be used for remote connections. As VMs are provisioned, they are assigned a port number within the configured range for remote access. This applies only when the VNC mode is (the default) as defined in the vsphereVnc policy. |
|
vsphereVnc |
Includes a setting to allow remote desktop connections to vSphere VMs. |
For more information, see Setting Up Orchestration VNC for a VM Managed by vSphere. |
All VMs managed by vSphere are assigned to either the default (named “Resources”) or a named resource pool. When vSphere VM images are discovered by the Orchestration Agent, the resource.vm.pool fact for each VM is set with what is known by vSphere as a “pool assignment.”
If you do not need to restrict VMs based on resource pool assignment, then no policy configuration is necessary and you can provision the VMs as usual, but if you need to assign the VMs to a certain cluster (for example, the cluster root pool), or if you want to assign VMs to pools “owned” by your customers, you can configure the vsphere_assignPool policy to accomplish this.
Use the following steps to ensure that the Orchestration Server always provisions a VM to the resource pool where that VM resides.
Assign the vsphere_assignPool policy to the VM or a group of VMs. No changes to the actual policy file are necessary.
During provisioning of the VM, the Orchestration Server verifies and relocates the VM (as necessary) to maintain the validity of the pool assignment.
(Conditional) If the VM does not reside in the correct resource pool, look up the ID of the resource pool in vCenter and modify the resource.vm.pool fact to reflect the correct pool assignment. The Orchestration Server relocates the VM to the specified resource pool at the next provision.
Alternatively, use vSphere to move the resource to the proper pool and re-run the VM discovery process.
When you right-click a VM resource, you have the option of launching a remote virtual network computing (VNC) session console of that VM’s desktop. This section provides information about setting up the Orchestration Server to accommodate a VNC session for a VM.
ESX 4.x servers managed by vSphere might have a firewall in place to protect some ports from being open or closed. The vsphere provisioning adapter opens the appropriate ports to accommodate VNC connections from a remote console. These ports are opened when the Orchestration Server discovers the servers. This is not true for ESX 5.x servers managed by vSphere, where the ports require manual opening. For more information, see Section D.0, Enabling VNC Access to vSphere 5 VM Guest Consoles.
Use the following steps to set up VNC session connectivity for the VM managed by the vsphere provisioning adapter job.
NOTE:Although you can change these settings at any time, they take effect for a vSphere VM after a non-running VM is provisioned, or after you perform an action on a running VM.
In the Explorer tree of the Orchestration Console, select the Grid Server object where you are logged in, then select the tab to open the server’s authentication page.
In the panel (also known as the “Credential Manager”) of the Authentication page, click to open the Add Credential dialog box.
In the Add Credential dialog box, specify a credential that includes the VNC password you want to use, then click . List the credential type as vnc.
Although a user is required when you create the credential, this value is not used in the remote session. Only the field is used when making the connection.
Configure the vsphereVNC policy.
In the Explorer tree, expand the Policies folder to display the list of policies, then select policy to open the Policy Editor.
In the Policy Editor, modify the vnc.credential fact value to be the name of the credential you created in Step 3, then click the icon.
Modifying this policy is not necessary unless you want to assign the same credential to every vSphere VM or groups of vSphere VMs. Otherwise, you can select the credential on a per-VM basis from the drop-down list on the Resource Information panel of the VM’s Info/Groups page.
(Conditional) Configure the vsphereVmHostVnc policy for a VM host.
Modifying this policy is not necessary unless the resource.vnc.mode fact of the vsphereVNC policy is set to . When the ports defined in this range have been consumed, further vSphere VM provisioning fails.
The default port range in the policy is 5900-5964. If you want to provide remote capabilities to more than 65 VMs on a host or cluster, you need to alter the policy configuration to add more ports to the range. You can also reconfigure the policy to use a different range of ports.
In the Explorer tree, expand the Policies folder to display the list of policies, then select policy to open the Policy Editor.
In the Policy Editor, modify the vpshere.port.min fact value as the lower end of the range of ports you want to be used as remote connections for this VM host.
In the Policy Editor, modify the vpshere.port.max fact value as the upper end of the range of ports you want to be used as remote connections for this VM host, then click the icon.
Associate the vsphereVNC policy to a VM Resource Group or VM.
In the Explorer tree, select the VM Resource Group (or an individual VM) managed by the vsphere provisioning adapter, then in the admin view, select the tab to open the Policies page for this group.
On the Policies page, select to open the Policy Selection dialog box.
In the list of the Policy Selection dialog box, select the policy, click to move it to the associated list, then Click .
Associate the vsphereVmHostVnc policy to a VM host.
In the Explorer tree, select the VM host managed by the vsphere provisioning adapter, then in the admin view, select the tab to open the Policies page for this group.
On the Policies page, select to open the Policy Selection dialog box.
In the list of the Policy Selection dialog box, select the policy, click to move it to the associated list, then Click .
On the Orchestration Console Menu Bar, click > .
In vSphere 4.x environments, this action opens or closes the firewall on the VM hosts to allow VNC access. This access is based on the vsphere.openVncFirewallPort fact in the vsphere policy.
For ESX 5.x servers managed by vSphere, the ports require manual opening. For more information, see Section D.0, Enabling VNC Access to vSphere 5 VM Guest Consoles.
(Conditional: For VMs that are running) From the Explorer tree, right-click a vSphere-managed VM, then select .
If the VM for which you want to open a VNC session is not running, simply reprovision the VM.
If the vSphereUpdate Client is running for your vCenter server, refresh the Orchestration Console.
or
If the vSphereUpdate Client is not running for your vCenter server, right-click the VM object and select .
If you don’t want to resync before using the VNC console, make sure you configure the vSphere Update Client beforehand. For more information, see Configuring the vSphere Update Client.
Right-click the VM object and select to open the login dialog box for the VNC session.
In the login dialog box, enter the VNC password that you created in the Credential Manager in Step 3.
The following table lists the VNC-related facts in the vsphere provisioning adapter and provides a description of each of those facts.
Table 6-2 vSphere VNC Facts
|
Fact Name |
Description |
|---|---|
|
resource.vnc.ip |
The IP address of the VM host where the VM is running |
|
resource.vnc.port |
The port currently assigned to the VM. The value is -1 if VNC is disabled for the VM. |
|
resource.vnc.credential |
The credential containing the VNC password. This is the name of the credential itself, not the username or the password contained in the credential. |
|
resource.vnc.mode |
Determines how VNC port assignments are handled. This value must be automatic, manual, or off.
|
|
resource.remotedesktop |
Controls enabling or disabling the Launch Remote Desktop action in the Orchestration Console. |
NOTE:With the vSphere 5 release, VMware removed as a service than can be directly administered by using the VMware Client or the VMware Client libraries and APIs. Although the VNC functionality still works on ESXi servers, the firewall must be opened to allow access.
For information about enabling VNC access for ESXi 5 servers, see Section D.0, Enabling VNC Access to vSphere 5 VM Guest Consoles.
The Orchestration Server supports the discovery of VMware vSphere clusters used for high availability in a VMware environment or managed by the VMware Distributed Resource Scheduler (DRS) after an Orchestration Agent has been deployed into such an environment. In this scenario, Cloud Manager Orchestration also allows you to verify when actions have taken place outside of Cloud Manager, such as when DRS moves a VM to an alternate host in the cluster or when an administrator moves a VM into a different resource pool.
Any vSphere clusters discovered by Cloud Manager and managed by DRS are listed in the Orchestration Console as members of a convenience group (for example, a group named clusters_vsphere).
You can learn about the read-only cluster-related facts for these discovered clusters in the following Orchestration documentation references:
Orchestration Server Facts in a VM Host Residing in a Cluster
in the NetIQ Cloud Manager 2.1.5 Orchestration Console Reference
Orchestration Server Facts in the VM Host Cluster Object
in the NetIQ Cloud Manager 2.1.5 Orchestration Console Reference
Orchestration Server Facts in VMs Hosted in Clusters
in the NetIQ Cloud Manager 2.1.5 Orchestration Console Reference
The Cloud Manager Orchestration update infrastructure consists of two main components:
A vSphere Update Client component, which is executed by the Orchestration Agent
The vSphereUpdate monitor job, which starts the Update Client component and ensures that it runs when necessary
To configure the vSphere Update Client:
Create a proxy user:
In the Orchestration Console, click > to open the Create a New User dialog box.
In the list, select administrators, then click to move the administrators user group to the list.
In the field, specify a user name, click , then click .
This is the proxy user. The username must contain the word “proxy,” for example, my_proxy, or proxy1.
Modify the vSphereUpdate.policy (or modify the jobargs in the scheduler) so that zos.proxy.user contains the name of the user created in Step 1.c:
In the Explorer Tree, select the group to expand the list of policies included on this grid.
Select the policy to open the Policy Editor view.
Find the zos.proxy.user fact in the policy, then specify the name of the proxy user you created in Step 1.c as the value for this fact.
Run the vSphereUpdate schedule and job:
In the toolbar of the Orchestration Console, select to open the Orchestration Server Job Scheduler.
Select the schedule, click , then click .
(Optional) Verify that the update job has run.
In the Orchestration Console main menu, select to open the Jobs admin view.
In the admin view, locate the VsphereUpdate job that ran last, then select its tab.
You should see something similar to the following in the log:
[vrack-vc] checking pid: 5276
[vrack-vc] pid '5276' is still alive
The “pid” reference in the log refers to the javaw.exe process running on the resource that accesses the vCenter software. You can verify that this process is running in the Windows Task Manager on the VCenter host machine.
The vSphereUpdate monitor job is located in the “all” jobs group. It is associated with both the vsphere policy (for VCenter configuration information) and the vSphereUpdate policy. The vSphereUpdate policy specifies the following cluster-related facts. You can modify these facts to accommodate your environment.
Table 6-3 Cluster-Related Facts in the vSphereUpdate Policy
|
Fact Name |
Type |
Description |
|---|---|---|
|
jobargs.zos.proxy.user |
String |
An administrative user used by the Orchestration Console to log in to the Orchestration Server in order to perform update operations there. You must create an administrative user for this purpose, if you have not already done so. The name of this user must contain the word “proxy,” for example, my_proxy, or proxy1. When you change the value of this fact, you must restart the Orchestration Server. For information about configuring the vSphere Update Client, see Configuring the vSphere Update Client. |
|
jobargs.zos.proxy.passwd_validity |
Integer |
The amount of time (measured in seconds) that the zos.proxy.user password is valid. Example: 86400 (1 day). Although the default value (-1) implies that the password is valid forever, the actual validity time is limited to the uptime of the Orchestration Server. When the password expires, the Orchestration Console is automatically restarted with a new password the next time that the monitor job runs. |
|
jobargs.debug |
Boolean |
Specifies whether you want extra verbose debug logging sent to a job log. NOTE:The client logs its output to the log.txt and err.txt files located in <agent_install_dir>/node.default/.vSphereUpdate/<hostname>/<vcenterId>. |
|
jobargs.verbose |
Boolean |
Specifies whether you want verbose logging sent to a job log. This fact is implicitly set when jobargs.debug is set. |
|
jobargs.mode |
String |
The value for this fact can be optionally set to “clear.” This resets the passwd_validity and forces a restart on the next invocation where the mode is not set. The value can also be set to “stop” to stop all running update clients. |
If you want to limit the number of datastores (that is, Repositories that are modeled in the Orchestration Server) that are available to a vSphere cluster, you can assign a policy similar the policy below to the undesired repository or repositories:
<policy>
<repository>
<fact name="enabled" type="Boolean" value="False" />
<fact name="provisioner.jobs">
<array type="String">
</array>
</fact>
</repository>
</policy>
This disables the repository for use with the cluster.
To assign the VMs to a certain cluster (for example, the cluster root pool), or if you want to assign VMs to a pool “owned” by your customers, configure the vsphere_assignPool policy to to a VM or a group of VMs.
In the Orchestration Console tree view, select the VM or Group of VMs that you wish to constrain to their assigned resource pool.
In the admin view, select to open the Policies page.
On the Policies page, select to display the Policy Selection dialog box.
In the Source Policies list, select , click to move it to the Associated Polices list, then click .
A data center administrator running VMware products might organize the virtual resources in his or her enterprise into several different vSphere environments. The Cloud Manager Orchestration Server lets you discover and manage all of these enterprise VMs, discovering each relevant VM host, network, repository, and VM within the several vSphere environments and modeling them as objects in the Orchestration Console.
In the Explorer tree, select the provisioning adapter job to open the Admin view of this job.
Select the tab to open the Job Configuration page, then expand the Accounts table on this page.
On the Accounts table, select to open the Add a New Account dialog box.
Fill in the fields of the dialog box:
Account Name: This should match the name of the VCenter environment you are connecting to.
vSphere Webservice URL: Enter the URL of the vCenter Web Service server.
Credential Name: Enter the name of the credential from the Credential Manager that you want to use for logging in to the vCenter Web service server.
Auto Portgroup Creation: (Optional) If selected and the vsphere_ignoreNetwork policy is used, port groups are automatically created on a host if it does not have access to the specified network.
Auto Portgroup Disconnect: (Optional) If selected, the vNIC on a VM is disconnected when it is shut down.
Auto Portgroup Deletion: (Optional) If selected, when the VM is shut down, it checks for port groups on the VM host that has no VMs associated with it and deletes them, if possible. This setting is best used with and .
Repeat Step 3 for every vCenter Server you want to connect to for VM discovery in that vSphere environment.
When you have created Orchestration accounts for each of the vCenter servers in your enterprise, you can continue with Configuring the vsphere.vcenters Fact to Include All Accounts Representing a vCenter Server.
The vsphere.vcenters fact can be set to include the definition for all the vCenter server accounts that you identified in Creating Accounts for Each vCenter Environment. This is required to ensure that only certain agents communicate with certain vSphere accounts. You can set this fact in the vsphere_client policy of the vsphere provisioning adapter or by using a policy to apply to the individual Orchestration Agents you installed in your respective vSphere environments.
When you have used one of these methods, continue with Optionally Specifying an Authentication Certificate for Each vCenter Server.
You can associate the vsphere.vcenters fact in the vsphere_client policy to the resources that access the respective vCenter Servers. When the vsphere provisioning adapter job starts, the policy applies the vsphere.vcenters fact to constrain the identified resources for the job to run the Web service commands.
Use these steps to configure the vsphere.vcenters fact:
In the Explorer tree, expand the group, then select the policy to open the page in the admin view.
In the Policy Editor, scroll to or search for the vsphere.vcenters fact, then uncomment it and enter a string value in the array, using the for each vCenter Server (identified in Creating Accounts for Each vCenter Environment) as a string value.
In the Explorer tree, expand the group, select the client resource that is to access the vCenter Web Service server, then select the tab in the admin view to open the page.
On the Policies page, click to open the Policy Selection dialog box, then in the list, select the policy, click , then click to associate this policy with this resource. For more information, see Resource Policies Page
in the NetIQ Cloud Manager 2.1.5 Orchestration Console Reference.
If you want to connect multiple vCenter Servers, make sure you modify the vsphere.vcenters fact of the vsphere_client policy as described in the policy comments.
You can use separate resources to connect to and manage the different vCenter environments that you have configured. To do this, create a custom policy for each vCenter that you want to manage and assign these policies to the resources that you designate to manage the respective vCenters.
The content of the policy should be similar to the following:
<policy>
<resource>
<fact name=”vsphere.vcenters”>
<array>
<string>VCENTER1_NAME</string>
</array>
</fact>
</resource>
</policy>
In this case, applying this policy along with the vsphere_client.policy to a resource would enable that resource to connect to and manage the vCenter with the name VCENTER1_NAME. This name must match the you configured in Creating Accounts for Each vCenter Environment.
The vsphere provisioning adapter job automatically enables a secure SSL connection between your Orchestration Agent and the vCenter Server. This involves some security risk if a malicious user is impersonating your vCenter Server. To avoid this risk, you can explicitly configure the SSL certificate that the Orchestration Agent accepts from the vCenter Server.
We recommend that you review VMware documentation regarding gathering the certificate used by your vCenter Server’s Web interface before you proceed further.
When you have gathered the certificate, use the following steps to explicitly configure the certificate:
Make sure that the Orchestration Agent is installed and started on a computer in each vCenter environment.
For more information, see Section 2.0, Installing Cloud Manager Orchestration Components.
If you are installing the agent to a vSphere environment, you can install the agent either locally on the vCenter Server (the vCenter appliance is not supported), or on a dedicated system (virtual or physical) as long as the OS in that system is supported for the Orchestration Agent.
In the Cloud Manager Orchestration Console, log in to the Orchestration Server that you want to use to manage vSphere VMs.
In the Explorer tree of the Orchestration Console, select the Orchestration Server or “grid” object, then select the tab in the admin view to open the Authentication page.
Create a credential to authenticate to a unique vCenter Server in your enterprise. In most cases, the credential is for “administrator” account of the Windows machine where the vCenter Server is running.
On the Authentication page, scroll to the Credential Manager (consisting of the panel and the panel), then click to display the dialog box.
Fill in the fields of the dialog box:
Identifier: Specify a value in that uniquely identifies the certificate associated with this unique vCenter Server. the identifier should be of the form vsphere_<YOUR_VCENTER_NAME>, where <YOUR_VCENTER_NAME> is the account name that you configured earlier for the vCenter Server.
Location: Specify the file location of the certificate you gathered previously.
Group: Enter vsphere as the group name.
For more information, see Authentication Page
in the NetIQ Cloud Manager 2.1.5 Orchestration Console Reference.
Click .
Repeat Step 4 for all of the vCenter Servers you want to connect to.
When you have completed the authentication configuration, continue with Running Discovery.
When the Orchestration Server is properly configured, you can use the following steps to discover the VM images on each vCenter Server and populate the Orchestration Console Explorer tree.
From the main menu, select > to display the Discover VM Hosts and Repositories dialog box.
In the Discover VM Hosts and Repositories dialog box, select the job, then click .
When you perform this discovery action, the Orchestration Server runs jobs that discover the VM hosts, repositories, and networks in each of the vSphere environments. On each discovered object, the server also generates a *.vsphere.vcenter fact that contains a vCenter ID from the hosting vSphere environment.
After the objects are discovered in the vSphere environments, you can use the Orchestration Server to discover existing VMs in those environments.
From the main menu, select > to open the Discover VM Images dialog box.
The Orchestration Agent discovers all of the VMs managed in the vSphere environments and places them in the Orchestration model for you to manage.
In the Source Repositories table of the Discover VM Images dialog box, select the repositories where vSphere images are stored, click to move the repositories to the Target Repositories table, then click to run the image discovery.
When a VM with a given name is discovered in two different vSphere environments, the second VM discovered is named in the form of VMNAME_VCENTERID, rather than named by appending an incremental number, as explained above. As with other such object names that are automatically generated, these VM names can be changed.