Query vCloud Director for Storage Profile Usage

Often an organization will have multiple Storage Profiles, different classes of storage, etc. The simple command:

Get-OrgVDC

returns a summary or cumulative view of the storage profile usage. To get the actual usage for each profile, execute these commands:

$OrgVdc = Get-OrgVdc -Name "<Org VDC Name>"

Search-Cloud -QueryType AdminOrgVdcStorageProfile | Where-Object { $_.VdcName -eq $OrgVdc.Name } | Get-CIView

Find Broken Catalog Items in vCloud 5.x

Sometimes when uploading content into vCloud there is a chance that the content can be broken. This can cause programs to have errors. To find these items, run the following in PowerShell as a ‘system administrator’.

Search-Cloud -QueryType AdminCatalogItem | Where-Object { $_.Status -eq "Unknown" }

You can now remove them utilizing the API or vCO and the ‘Remove Catalog Item’ workflow.

Monitoring Compute Performance of a VM

Even when using vC Ops from VMware, vCenter metrics, vCloud metrics, and Hyperic monitoring, there are things that can be missed.

What if the datastore shows 1ms latency on the vSphere host, the CPU usage is low, the Memory is not being swapped, but a user insists it is just ‘slow’. What would you check?

In our cloud deployment (25,000 VMs in a single vCloud instance, and we have 4), I have deployed 4 – 6 VMs per vCenter across different datastores, on different hosts. These VMs have 512MB of RAM, 16GB of hard drive, and 1 vCPU. On these VMs I installed CentOS, MySQL and sysbench.

sysbench, for those who do not know, runs artificial tests against the HDD, RAM, CPU and MySQL. Since we have the CPU, RAM and HDD monitored by other products, I configured it to only point at the MySQL server. The MySQL test will test every portion of the compute stack. While the RAM and CPU may each report within acceptable ranges, they may be high in those ranges. Combined, that may cause a performance impact.

My script runs every 5 minutes via a cron job, and logs the data to a SQL database, for later reporting and analysis.

I won’t cover how to install sysbench or MySQL here, since that can be found elsewhere on the internet: sysbench & MySQL.

You will also need to install iSQL for CentOS to write your data to a SQL server (if that is your target); those instructions can be found here.

After you have the above installed and ready, you can run the following to get a report on the status of your VM’s performance:

# Run the OLTP test against the local MySQL instance and save the report
sysbench --num-threads=16 --max-requests=10000 --test=oltp --oltp-table-size=500000 --mysql-socket=/var/lib/mysql/mysql.sock --oltp-test-mode=complex --mysql-user=root --mysql-password='VMware1!' run > mysql.sysbench

# Transactions per second: third field of the "transactions:" line without the leading "("
testvalue=$(egrep "transactions:" mysql.sysbench | awk '{ print substr($3,2) }')

# UTC timestamp, IPv4 address of eth0, and hostname for the row
date=$(date -u "+%F %R")

machine=$(ifconfig eth0 | grep "inet " | awk '{ print substr($2,6) }')

hostname=$(hostname)

inssql="insert into TABLENAME VALUES ('$date', '$machine', '$testvalue','$hostname')"

echo "$inssql" | isql HOSTNAME USERNAME PASSWORD

The above will insert the data into a SQL table, for later reporting.

Keep in mind you do not want to make a ‘monster’ VM. The smaller the better, because you want to tax all of the components. If you give it 4GB of RAM, then MySQL will cache all of the disk I/O in RAM and not report an accurate number. If you give it 4 vCPUs you may actually artificially lower your score by causing the hypervisor to schedule 4 vCPUs’ worth of tasks. In this case smaller is most definitely better.

This will not replace the other monitoring solutions you may have, but it will help to augment those solutions.

Ejecting CD ISOs in vCloud Director

With vCloud Director 5.1, every once in a while a CD will refuse to eject, or worse, it will say it ejected the CD but it will not make the change in vCenter.

To get around this, with PowerCLI connected to the vCenter, use this command:

get-folder | get-VM | Get-CDDrive | Set-CDDrive -NoMedia -Confirm:$false

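This will allow the CD to be ejected without having to Deploy, Eject, Re-Capture the vApp Template. To use it for a normal vApp, use the vApp Name/UUID. With no name given, Get-Folder returns every folder, so the pipeline acts on the CD drive of every VM in that vCenter.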

vCloud Director and VMware Horizon Integration

Requirements for SSO in vCloud Director

The parties in the SAML process have formal roles and responsibilities:

  • Service Provider – An entity that receives the SAML message from an Identity Provider (vCloud Director)
  • Identity Provider – An entity that authenticates a user (Horizon)

The Identity provider must provide these fields in the response (case sensitive):

  • UserName
  • EmailAddress
  • FullName
  • Groups

While the only required field is UserName, it is recommended that all fields be returned with proper information to allow for ease of management and administration of the users and their rights.

Configuring vCloud Director

In vCloud Director you will first need to enable the use of a SAML Identity Provider.

  1. Once logged in as an Organization Administrator or System Administrator, go to the organization Administration page, click on Federation, then enable the ‘Use of SAML Identity Provider’ option.

  2. The XML metadata file that you got from your SAML/SSO provider should be downloaded to the machine these actions are running from. Due to the use of special characters and copy/paste issues, it is not recommended to paste a value into the field. Instead, use the upload function to upload the whole XML file.

In the case of VMware’s Horizon Product the metadata can be found here: https:///SAAS/API/1.0/GET/metadata/idp.xml

  3. Now close the organization tab, or log out and back into the UI, to get the ‘Groups’ and ‘Import from SAML’ options in the UI. After that is completed you can import users into vCloud Director.

Since SAML users and groups are not searchable, users will have to be added one per line for each role. Another option for granting access to the organization is through the use of groups.

At this point the configuration of vCloud Director is complete.

Exporting XML Metadata from vCloud Director

We now need to export a file much like what we imported from the SAML provider, so that the SAML provider will trust and validate requests coming from vCloud Director. This file and related certificates are controlled on the Federation page where we imported the SAML XML file. At the bottom of the page click on the ‘Regenerate’ button to create a new certificate with a validity of 1 year.

It will prompt you with a warning about changing the certificate. If you have already set up a SAML provider relationship, changing this certificate will break that relationship until the SAML provider replaces their current information with the new certificate.
Once the certificate is generated you can download the metadata via this weblink:
https://./cloud/org//saml/metadata/alias/vcd
Save this file as an XML file, then provide this to your SAML provider for the next section.

Configuring Horizon for vCloud Director SSO

First you will need to log in to the administrator interface for Horizon and create a new Application, then follow these configuration items for that application.

  1. Configure the Login Redirection URL to be the organization URL in vCloud Director. This is required for vCloud Director to work properly, since the authentication sequence must start with vCloud Director and not Horizon.

  2. Check ‘Include the Destination in the response’.

  3. Check ‘Sign the entire response’.
  4. Check ‘Sign the assertion’.
  5. Clear the ‘Include Cert’ checkbox.
  6. Select the ‘Configure via Meta-data XML’ option. Then upload (copy/paste) the certificate into the text box given.
  7. Click on ‘Populate Attribute Mapping’.
  8. Configure the Attribute Mapping to match your deployment of Horizon.
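
The required response fields and the Horizon signing and Destination settings above can be checked against a decoded SAML response captured from a test login. This is an added example, not part of the original post or of either product; `check_response`, `sp_base_url`, the host name and the sample XML are assumptions made for illustration, and signatures are checked for presence only, not verified cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = {"UserName"}                               # the only mandatory field
RECOMMENDED = {"EmailAddress", "FullName", "Groups"}  # names are case sensitive

def check_response(xml_text, sp_base_url):
    """Structural findings only: signatures are checked for presence, not verified."""
    root = ET.fromstring(xml_text)
    findings = []
    if not (root.get("Destination") or "").startswith(sp_base_url):
        findings.append("Destination missing or outside the expected org URL")
    if root.find("ds:Signature", NS) is None:
        findings.append("response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no assertion in response"]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")
    names = {a.get("Name") for a in
             assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    by_lower = {n.lower(): n for n in names if n}
    for want in sorted((REQUIRED | RECOMMENDED) - names):
        level = "required" if want in REQUIRED else "recommended"
        sent = by_lower.get(want.lower())
        findings.append(f"{level} attribute {want} sent as {sent} (case mismatch)"
                        if sent else f"{level} attribute {want} missing")
    return findings

# Constructed sample: empty Signature elements stand in for real signatures.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://vcd.example.test/cloud/org/ExampleOrg/">
  <ds:Signature/>
  <saml:Assertion>
    <ds:Signature/>
    <saml:AttributeStatement>
      <saml:Attribute Name="UserName"/>
      <saml:Attribute Name="emailaddress"/>
      <saml:Attribute Name="Groups"/>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "https://vcd.example.test/cloud/org/ExampleOrg/"))
```

On the constructed sample it reports the lower-case `emailaddress` as a case mismatch and `FullName` as missing.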

Enabling SAML Providers in vCloud 5.1

As a system or organization administrator, head to the ‘Administration’ page, and then the Federation tab. Paste or upload the SAML configuration XML. Ensure the certificate at the bottom of the page is recent; if not, click regenerate certificate. It will produce a certificate valid for 1 year.

After the certificate is renewed, enter this URL into the web browser: cloud/org/[orgName]/saml/metadata/alias/vcd ; save the XML file on that page. This is the file you will need to provide to the SAML or 3rd party authentication service in order for it to authenticate you.

Now you have SSO, SAML or 3rd party authentication enabled on your organization. Once configured/enabled, the Org login page will use the SAML provider, meaning any local users will be locked out.

vCloud Network Security 5.1.2a Release

Heads up… VMware released vCloud Network Security 5.1.2a this morning, it is a MUST upgrade if you are on 5.1.2. Fixes a pretty big show stopper bug where a vShield Manager can stop responding to requests without warning/error and the only fix is to bounce the entire vShield Manager.

Release notes here.

Documentation here.

vCloud Network Security Product page here.
