vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli

Automating vCenter Single Sign-On (SSO) Users creation and management was not possible in prior releases of vSphere and this operation had to be performed manually using the vSphere Web Client.

sso-user-management-using-dir-cli-4
With vSphere 6.0, you can now easily create and manage SSO Users using a new command-line utility that is included within the Platform Services Controller (PSC) called dir-cli. Below are the paths to the dir-cli utility on both Windows VC and VCSA.

Windows VC 6.0:

  • C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe

VCSA 6.0:

  • /usr/lib/vmware-vmafd/bin/dir-cli

Below are a few examples on using the dir-cli command and you can find more information in the vSphere 6.0 Documentation here. If you wish to automate the dir-cli operations without needing to specify an SSO Administrator password, just specify the --password option. You can also change the SSO Administrator username by specifying the --login option.

Creating a new SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli user create --account william --first-name william --last-name lam --user-password 'VMware1!'

sso-user-management-using-dir-cli-0
Adding new user to SSO group called "Administrators":

/usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add william

sso-user-management-using-dir-cli-2
List users in an SSO group:

/usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators

sso-user-management-using-dir-cli-1
Reset the password for an SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli password reset --account william --new 'VMware1!!'

sso-user-management-using-dir-cli-3

ghettoVCB VIB & offline bundle for ESXi

It is still amazing to see that the number of contributions and suggestions from the community continues to grow for my free and simple VM backup solution called ghettoVCB. I created ghettoVCB almost 8 years ago which now has over 1.2 million views, pretty insane if you ask me! Although I am quite busy these days which includes a new born, I still try to find time to update the script as time permits. A couple of weeks back I received an email from one of my readers who came across ghettoVCB and was quite happy with the free solution. He also had some feedback asking why I did not provide an installable VIB for ghettoVCB?

A totally valid question and the answer was quite simple. When I had first created ghettoVCB back in the classic ESX 3.x days, the concept of a VIB had not existed yet. With the release of ESXi 5.0, the idea of the VIB was introduced but it was only recently in 2012 did VMware publish a method for customers to create custom VIBs for ESXi using the VIB Author Fling. I do have to admit at one point I did think about providing a VIB for ghettoVCB, but I guess I never went through with it for whatever reason. Looking back now, this was a no-brainer to provide a simplified user experience and not to mention the benefit of having ghettoVCB installed as a VIB is that it will automatically persist on ESXi after reboots which was a challenge for new users to ESXI.

So without further ado, here is ghettoVCB provided in either a VIB or offline bundle form:

To install the ghettoVCB VIB, you just need to download the VIB and run the following ESXCLI command and specifying the full path to the VIB:

esxcli software install -v /vghetto-ghettoVCB.vib -f

Once installed, you will find all ghettoVCB configuration files located in:

/etc/ghetto/ghettoVCB.conf
/etc/ghettovcb/ghettoVCB-restore_vm_restore_configuration_template
/etc/ghettovcb/ghettoVCB-vm_backup_configuration_template

Both ghettoVCB and ghettoVCB-restore scripts are located in:

/opt/ghettovcb/bin/ghettoVCB.sh
/opt/ghettovcb/bin/ghettoVCB-restore.sh

One additional thing I would like to point out is that you can also quickly tell which version of ghettoVCB is running by inspecting the installed VIB by using the following ESXCLI command:

esxcli software vib list -n ghettoVCB

Screen Shot 2015-05-26 at 1.28.13 PM
If you look at the screenshot above, I have highlighted two important pieces of information in green. The first is the "Description" property which includes the Github commit hash of the particular revision of ghettoVCB and the "Creation Date" property which contains the date of that commit. This can be handy if you want to compare it to the latest ghettoVCB repository found on Github here. Thanks again Markus for the suggestion!

For those of you who are interested in the details for creating your own ghettoVCB VIB, the next section is specifically for you. Earlier this week I blogged about a Docker Container that I have created to help build custom ESXi VIBs and as you can see now, that was the basis for us to be able to quickly create ghettoVCB VIB based on the latest revision of the script.

Step 1 - Create a new Docker Machine following the steps outlined here.

Step 2 - Login to the Docker Machine and create a new Dockerfile which contains the following:

Step 3 -  Next we need to build our new Docker Container which will use the VIB Author Container by running the following command:

docker build -t lamw/ghettovcb .

Screen Shot 2015-05-26 at 2.14.52 PMThe output will be quite verbose, but what you will be looking for is text highlighted in green as shown in the screenshot above. You should see the successful build of both the VIB and offline bundle as well as Docker Container showing a successful build.

Step 4 - After a successful build of our Docker Container, we can now launch the container by running the following command:

docker run --rm -it lamw/ghettovcb

Screen Shot 2015-05-26 at 2.16.58 PM
Once logged into the Docker Container, you will see the generated VIB and the offline bundle for ghettoVCB as shown in the screenshot above.

If you wish to copy the VIB and offline bundle out of the Docker Container into the Docker Host, you can use Docker Volumes. I found this useful thread over on Stack overflow which I have modified to include the copying of the ghettoVCB VIB and offline bundle out to Docker Host by running the following command:

docker run -i -v ${PWD}/artifacts:/artifacts lamw/vibauthor sh << COMMANDS
cp vghetto-ghettoVCB* /artifacts
COMMANDS

Finally, to copy the ghettoVCB VIB from the Docker Host to your desktop, we first need to identify the IP Address given to our Docker Machine by running the following command:

docker-machine ip osxdock

Currently, Docker Machine does not include a simple "scp" command so we will need to use regular scp command and specify the private SSH keys which you can find by running "docker-machine inspect [NAME-OF-DOCKER-HOST]" and connecting to our Docker Host to copy the ghettoVCB VIB by running the following command:

scp -i /Users/lamw/.docker/machine/machines/osxdock/id_rsa [email protected]:artifacts/vghetto-ghettoVCB.vib .

Quick Tip - Using HTTP(s) proxy for connecting to 3rd party Content Library in vSphere 6.0

A couple of weeks back I was asked by a customer who was interested in subscribing to my 3rd Party Content Library which hosted several of my Nested ESXi and VSAN OVF Templates. The problem was that in his environment, like many others, he did not have direct access internet access from within vCenter Server for the Content Library subscription to be created. The customer was wondering if the Content Library feature supported a proxy server which is a very common method for Enterprise customers to provide access to external sites requiring internet access.

Content Library itself does not provide a way to configure a proxy server, but it can use a proxy server if one has been configured within vCenter Server which is really an OS level configuration. Below are the details for configuring a proxy server for both the VCSA and vCenter Server for Windows.

vCenter Server Appliance (VCSA)

If you are using the VCSA, the proxy configuration file is located under /etc/sysconfig/proxy

First, you will need to add the following entry to enable the use of a proxy server on the VCSA:

PROXY_ENABLED=yes

Next, you can then set either the HTTP_PROXY or HTTPS_PROXY variable depending if you have a HTTP or HTTPs proxy server. There are support for other proxy types but usually HTTP(s) proxy is what I have normally seen used in most Enterprise customer environments including ones I used to manage. Once you have saved your changes, the proxy server will now be used and assuming the proper ACL's have been added on the proxy server itself to allow traffic from your vCenter Server to the appropriate destination site, you should now be able to use the Content Library to subscribe to my 3rd Party Content Library.

vCenter Server for Windows

If you are using the vCenter Server for Windows, a generic global proxy configuration does not exists like does for *nix systems. There are two ways of configuring a proxy server for Windows. The first is using the Java control panel to configure a proxy server for any Java applications running on the system itself, you can find more details here.

Screen Shot 2015-05-27 at 9.11.29 AM
The other option is to configure a proxy server by using the default browser's proxy settings and you can perform a quick search online for the browser you have defaulted to use within the vCenter Server for Windows. If there are no special configurations, Content Library will just use the default proxy settings from your browser and is the easiest method.

Screen Shot 2015-05-27 at 9.14.41 AM
Similar to the instructions for the VCSA, no service restart is required and you should be able to subscribe to my 3rd Party Content Library assuming the ACL's have been setup correctly on the actual proxy server itself.

A Docker Container for building custom ESXi VIBs

I recently had a need to create a custom ESXi VIB using the VIB Author Fling for a project that I was working on. As part of the project's deliverables, I wanted to also provide an ESXi VIB which would need to be built against any new updates for the project. Given this would be an infrequent operation, I thought why not use a Docker Container for this operation? I could just spin up a Docker Container on-demand and not have to worry about managing a local VM for just running this particular task.

With that I have created a VIB Author Docker Container which can be used to author custom ESXi VIBs. I have also made this container available on the Docker Registry for others to use which you can find more details here: https://registry.hub.docker.com/u/lamw/vibauthor/

If you already have a Docker host running, you can pull down the VIB Author Docker Container by jumping to Step 5 in the instructions below. If you do not and you are running Mac OS X like I am, you can follow the instructions below using Docker Machine and VMware Fusion to try out my VIB Author Docker Container.

Step 1 - Install the Docker client by running the following command:

brew install docker

Step 2 - Download and install Docker Machine by running the following commands:

curl -L https://github.com/docker/machine/releases/download/v0.2.0/docker-machine_darwin-amd64 > /usr/local/bin/docker-machine
chmod +x /usr/local/bin/docker-machine

Step 3 - Create Docker Machine using the VMware Fusion driver by running the following command:

docker-machine create --driver vmwarefusion osxdock --vmwarefusion-memory-size 1024
eval "$(docker-machine env osxdock)"

docker-container-vib-author-esxi-vib-0
Note: Thanks to Omer Kushmaro for his blog post here on how to quickly get started with Docker Machine with VMware Fusion

Step 4 - Once the Docker Machine is booted up, we can now connect to it using SSH by running the following command:

docker-machine ssh osxdock

docker-container-vib-author-esxi-vib-3
At this point, we are now logged into our Docker Machine which has both the Docker client/server running and we are now ready to pull down the VIB Author container from the Docker registry.

Step 5 - To pull down the VIB Author Docker Container that I have built, run the following command within the Docker Machine:

docker pull lamw/vibauthor

docker-container-vib-author-esxi-vib-1
Step 6 - Once the Docker Container has been successfully downloaded, you can now run the VIB Author Container by running the following command:

docker run --rm -it lamw/vibauthor

docker-container-vib-author-esxi-vib-2
Once logged into the VIB Author Container, you confirm that the VIB Author Fling has been installed by running the "vibauthor" command as shown in the screenshot above. In the next blog post, I will go through an example of building a custom ESXi VIB using the VIB Author Container as well as transferring the outputted files from the Docker host back onto your desktop. Stay tuned!

Log filtering capability in ESXi 6.0

When it comes to troubleshooting, something that you can never have too much of are logs! However, you can have excessive logs in the form of repeated log entries for a particular event which not only adds to the amount of logs you must sift through but it also adds unnecessary load and processing to the network. This is especially problematic if you these repeated entries also being forwarded from multiple sources to a centralized syslog server.

With earlier release of ESX (yes, classic ESX), it was possible to filter out specific log entries from the host side and prevent them from showing up in the local logs stored on the filesystem after N-occurrences and would also prevent them from being forwarded to a syslog server. However, when ESXi was first introduced, this particular capability wast not ported over which I can only assume was based on usage from our customer base. In speaking with GSS, this is usually something they require for troubleshooting purposes, although I have also seen a few customers ask about this capability on several occasions in the past.

Having said that, I was pleasantly surprised to learn from Alan Castonguay (former GSS Engineer, now working over in our MBU) that ESXi 6.0 actually now includes a new log filtering capability or rather I should say, it has re-introduced the log filtering capability :)

To enable log filtering, you will need to add the following parameter to /etc/vmsyslog.conf

enable_logfilters = true

To add a specific log filter, you will need to add an entry to /etc/vmware/logfilters using the following format: numLogs | ident | logRegexp

  • numLogs - Number of times the log entry can appear in the log before it is then filtered and ignored
  • ident - The ident source of the log, you can find all ident by looking in /etc/vmsyslog.conf.d/*.conf
  • logRegexp - regular expression confirming to the Python regular expression syntax

Below is an example where I only want the log entry "SOCKET connect failed, error 2: No such file or directory*" to show up only two times in the logs before it is filter and ignored and the source of this log entry is from the hostd logs.

2| hostd | SOCKET connect failed, error 2: No such file or directory*

Once you have created all your log filters, you will need to reload the syslog service by running the following ESXCLI command:

esxcli system syslog reload

One thing to be aware of is that once a log entry has been filtered out and the local logs have been rotated out, that particular entry will no longer show up in future logs. It is definitely recommended that you use the log filtering feature sparingly and ensure that you are also forwarding your logs to a centralized syslog server like Log Insight for example so that you have all log entries at your disposal for both troubleshooting and auditing purposes. There is already a request to add this to our official VMware documentation so that it customers can easily find this in the syslog configuration section of the ESXi documentation, but for now I have documented it here so others can benefit from this capability if needed.