SCP to a vCenter Server Appliance (VCSA)

For some this may be a rare situation, but from time to time I find I need to copy files to and from a vCenter Server Appliance (VCSA).  I had one of these situations recently on vCenter 6, where I needed to move some log files off a VCSA box.

I’ve found the easiest way to do this is via SCP -- Secure Copy, which uses the SSH protocol.  It’s a relatively simple process to enable the VCSA to accept SCP connections: a two-step process which first requires enabling SSH on the VCSA and then switching the default shell.

Step 1 involves enabling SSH

I’ve written a previous post on how to enable SSH on a VCSA here.  Since that post VMware have re-released the VAMI on vCenter Server Appliance 6 U2, so I thought I might show this new method to enable SSH.  Use this method only if you’re on VCSA 6 U2 or greater; otherwise follow the steps in my previous post.

Connect to the VAMI URL of your vCenter on port 5480 using HTTPS.  In my case it was https://vc.ukoticland.local:5480/login.html


Log in with your VCSA root account and password.  Then navigate to Access and click Edit on the far right.  Select Enable ssh login and, to make life a little easier, also Enable bash shell, then click OK.  The timeout refers to how long the Bash shell will stay enabled.  The default is fine.


Step 2, changing the default shell

Even though we enabled the bash shell above, the default shell is still the VMware appliance shell, which prevents us from connecting to the VCSA via SCP.  So we need to SSH to the VCSA and change the default shell from the Appliance Shell to Bash.

In my case I used PuTTY.  I logged in with my root account and typed shell.


Now I can change the default shell for the root user to bash using the command below.

chsh -s /bin/bash root


We’re now ready to SCP to our VCSA with the ability to transfer files to and from the VCSA.  I use the simple Windows app, WinSCP.  I change the File Protocol to SCP.  I enter in my vCenter as my host and my root credentials.


When you’re complete, just reverse the changes you made.  In the PuTTY SSH session type the command below to permanently switch the shell back from Bash to the default Appliance Shell.  Then log back into the VAMI as above and, under Access, deselect SSH and Bash.

chsh -s /bin/appliancesh root

References

Toggling the vCenter Server Appliance 6.x default shell (2100508)

PowerShell on Linux

The big news out of Microsoft last month making headlines is the open sourcing of PowerShell.  Along with this comes the ability to now run PowerShell not just in Windows but also Linux and Mac OS X.  For people close to the PowerShell community this wasn’t unexpected, but make no mistake this is huge news.

I’m really liking this new Microsoft.  They are really embracing this open source stuff.  On first thought it’s not obvious how Microsoft will make money with PowerShell going open source.  But Microsoft isn’t stupid, this is no doubt part of a larger master plan.  With PowerShell so tightly linked to their products they are opening the door to a whole new demographic of users.  I can see PowerShell going open source being a key to getting a new mix of Linux Developers working in Azure.  Something close to my heart is VMware have also announced plans to port over PowerCLI to work with PowerShell for Linux.  As a PowerCLI tragic myself I’ve seen first hand how frustrated Mac users have been that they can’t manage their VMware infrastructure using PowerShell / PowerCLI directly from a Mac.

Microsoft have made it clear this is very early stages of an Alpha release on GitHub.  They are looking for community help to further develop and refine using PowerShell on Linux.  There’s a large number of bug fixes, growing by the day, that they need to work through before we get anywhere close to a production release.

I decided to try it out myself and I’m impressed; the future looks awesome.  Apart from Windows, the open source version is currently limited to Ubuntu 14.04 / 16.04, CentOS 7, and Mac OS X 10.11.

I had an Ubuntu 14.04 Linux VM that I used for testing.  The first thing is to download the appropriate package over at GitHub: https://github.com/PowerShell/PowerShell

Once downloaded, and depending on what OS you’re running, you may need to install a few additional libraries first.  In my case it was libunwind8 and libicu52 using apt-get, after which I was able to install the PowerShell Debian package.

mukotic@ubuntu:~/Downloads$ sudo apt-get install libunwind8 libicu52
mukotic@ubuntu:~/Downloads$ sudo dpkg -i powershell_6.0.0-alpha.9-1ubuntu1.14.04.1_amd64.deb

Believe it or not, that’s all that is required.  Whatever your shell of choice is, just type ‘powershell’.

mukotic@ubuntu:~/Downloads$ powershell
PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS /home/mukotic/Downloads> 

So what can we do?  Well, it’s still early days.  The first thing I did was just check the version.  I can see we’re running the .NET Core release of PowerShell, which comes with Nano Server.

PS /home/mukotic/Downloads> $psversiontable 

Name Value 
---- ----- 
PSVersion 6.0.0-alpha 
PSEdition Core 
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...} 
BuildVersion 3.0.0.0 
GitCommitId v6.0.0-alpha.9 
CLRVersion 
WSManStackVersion 3.0 
PSRemotingProtocolVersion 2.3 
SerializationVersion 1.1.0.1

Looking at what’s available to us it’s still limited to a handful of modules.

PS /home/mukotic/Downloads> Get-Module -ListAvailable 


 Directory: /opt/microsoft/powershell/6.0.0-alpha.9/Modules


ModuleType Version Name ExportedCommands 
---------- ------- ---- ---------------- 
Manifest 1.0.1.0 Microsoft.PowerShell.Archive {Compress-Archive, Expand-Archive} 
Manifest 3.0.0.0 Microsoft.PowerShell.Host {Start-Transcript, Stop-Transcript} 
Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Content, Clear-Content, Clear-ItemProperty, Join-Path...} 
Manifest 3.0.0.0 Microsoft.PowerShell.Security {Get-Credential, Get-ExecutionPolicy, Set-ExecutionPolicy, ConvertFrom-SecureString...
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Format-List, Format-Custom, Format-Table, Format-Wide...} 
Binary 1.0.0.1 PackageManagement {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource...} 
Script 3.3.9 Pester {Describe, Context, It, Should...} 
Script 1.0.0.1 PowerShellGet {Install-Module, Find-Module, Save-Module, Update-Module...} 
Script 0.0 PSDesiredStateConfiguration {StrongConnect, IsHiddenResource, Write-MetaConfigFile, Get-InnerMostErrorRecord...} 
Script 1.2 PSReadLine {Get-PSReadlineKeyHandler, Set-PSReadlineKeyHandler, Remove-PSReadlineKeyHandler, G...

So those traditional Windows cmdlets will now work against the local Linux box.  Things like Get-Process will return the local running Linux processes.

PS /home/mukotic/Downloads> Get-Process


Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName 
------- ------ ----- ----- ------ -- -- ----------- 
 0 0 0 0 0.400 1331 549 accounts-daemon 
 0 0 0 0 0.350 1111 111 acpid 
 0 0 0 0 0.000 2248 205 at-spi-bus-laun 
 0 0 0 0 0.040 2264 205 at-spi2-registr 
 0 0 0 0 0.000 147 0 ata_sff

Another thing that’s also worth checking out is Visual Studio Code.  This is another great open source project Microsoft has going.  If you’ve used PowerShell ISE in Windows, think of a streamlined version of that, made more powerful by extensions.  Head over to https://code.visualstudio.com/docs/setup/linux and download the package.

Installation was also super simple.

PS /home/mukotic/Downloads> sudo dpkg -i code_1.4.0-1470329130_amd64.deb.deb

Then run by typing ‘code’

PS /home/mukotic/Downloads> code


I recommend getting the PowerShell extension right off the bat.  Click the Extensions icon on the left, search for PowerShell, and click Install.


Now we have all the wonders of IntelliSense that we are used to in the Windows PowerShell ISE.  I really see Visual Studio Code becoming a future replacement for the Windows PowerShell ISE, which, while still in development, has stagnated in recent years.

So there you have it.  Jeffrey Snover, a Technical Fellow in the Microsoft Enterprise Cloud Group, has a great post and video discussing PowerShell going open source that is worth checking out.

https://azure.microsoft.com/en-us/blog/powershell-is-open-sourced-and-is-available-on-linux/

The next thing I’m hanging out for is PowerCLI on Linux.  A demo is shown in a video in the above link running inside a Docker container.  Expect to soon see a VMware Fling release for us to try out.

Meetups, PowerShell, Expanding My Horizons


I’m not sure what it’s like in other major cities around the world, but currently Melbourne is going through an IT meetup boom.  On any given week you can find at least one, if not multiple, meetups going on somewhere in Melbourne.  A big change from years past, where we would have only a couple of major conferences a year to look forward to.  It’s really quite an exciting period for meetups that we’re going through.

So what is going on with all these meetups?  Meetup is the new buzzword we’re seeing slowly replace the traditional User Group we’re all probably used to.  I think it’s in small part to do with the website meetup.com.  Sure, many of these User Groups existed well before meetup.com became a thing.  But to find them you had to be part of the right Facebook group, follow the right Twitter user, or just learn of them through word of mouth.  Before meetup.com I lost count of how many User Group meetings I missed by learning about them the next day.

We now have a common place we can visit to find all these User Groups and meetups.  Type in DevOps, PowerShell or VMware and dozens of meetups pop up in your local area.  RSVP and see all the other local users also going.  Not sure what the meetup is about?  Post a quick question and receive an answer right back.  There’s an update to a meeting?  You receive an email notification immediately.  I see it as a symbiotic relationship between a globally accepted meetup site and the user group.  We at the Melbourne VMware User Group have even started using it in conjunction with the traditional VMUG website to extend our community base.


This is how I found out about the recent PowerShell meetup I attended in Melbourne.  With all the scripting I’ve recently been doing in PowerCLI and PowerShell I wanted to expand my horizons a little further and find out how the wider PowerShell community works.  The group has only existed since the start of the year and this was their fourth meetup, held in the seek.com.au offices.  The setting for the meetup was very casual and devoid of any advertising or marketing, that is, if you can overlook the Seek logos all over the office.  But considering the worst Seek can actually do is find me a new job, I’m more than happy to tolerate this 🙂   Of course there was the obligatory beer and pizza, which we all know elevates a good meetup to an awesome meetup.

I found the format and atmosphere of this PowerShell meetup very appealing: heavy on practical content and demos and light on PowerPoint slides.  The setting around a large boardroom table with beer and pizza in hand also led to a more comfortable environment to engage with the community and presenters.  The meetup tended to have a slant towards DevOps practices using PowerShell rather than PowerShell itself, so less about how to connect to this server or use that cmdlet and more around processes and integration.  I was also lucky enough to receive a copy of the book, Learn System Center Configuration Manager in a Month of Lunches, from its author James Bannan.

Due to work commitments of the organiser, the PowerShell meetup was pushed out a day, which turned out to conflict with an Azure meetup on the same night.  With so many IT meetup groups currently listed and running in Melbourne, there’s bound to be a small culling, a kind of survival of the fittest.  So whether this PowerShell meetup group succeeds or not, only time will tell.  I certainly hope it does and that they continue to find the DevOps-centric content it aims for.

Until the next meetup…

Melbourne VMUG Meetup Group

VCP 6, My Last VCP


Ok, so I say this every time but this time I mean it… well, at least I think I do.  This is my last VCP exam.  I took the VCP 5.5 Delta a few years back now.  Before that were a few VCP 5s.  There might have even been a VCP 4 thrown in there somewhere.  I’ve taken this exam more times than I want to think about.

Last week I took the VCP6-DCV Delta.  I could have held off a few more months before my VCP 5 expired but I had some spare capacity to study, so I committed to retaking the exam.  Work was kind enough to give me two dedicated study days to prepare.  I used them as well as I could have.  I had also hoped to get in some solid study in the weeks leading up to the exam but unforeseen personal issues got in the way, which wrote that off.  So I really wasn’t feeling confident going into this exam.  To my surprise, though, I actually passed with a decent mark.

The VCP is a really solid exam for its type; it always has been.  Personally I think it’s one of the harder ones out there too.  Of course exams like the VCAP are on a different level, but as standard multiple choice exams go it’s right up there.  VCP exams really require that you have solid experience with the technology, especially the VCP-DCV, which focuses on vCenter along with vSphere Replication, a little vCloud Air thrown in, vSAN features, and the new PSC.  It has really become quite broad.

The Delta I took was comprised of 65 questions over 75 minutes, 20 questions fewer than the full VCP exam, thankfully.  As a guide I usually work out how many questions 70% is and treat that as what’s required to pass.  It’s usually treated me well as a format for passing.  So when I scribbled down 15 questions I was uncertain about at the end of the exam, I felt it could have gone either way.  I was quite worried.  So seeing that I passed in the high 400s out of a possible 500 was quite pleasing.

I think the community has finally gotten over and accepted this 2 year expiration with VMware certifications.  I’ve never really had an issue with it.  I’ve known this is where the industry has been heading with certifications for a while now.  It doesn’t mean it’s not frustrating though.  Which is why I’m hoping I won’t have to do another one again.  Now it’s not to say that I won’t do another VMware cert.  I just have to be a little smarter and play the game a little better by upgrading to the new VCIX cert.

In any case, it’s done, it’s out the way.  I get to use the new little logo.  And, well, that’s about it 😛

Get-View | Show-Object

I was recently watching a PowerShell presentation where they mentioned a cool module called PowerShellCookbook and in particular discussed a cmdlet in it called Show-Object by Lee Holmes.  I instantly knew how perfect and powerful it would be with VMware’s PowerCLI Get-View.

Bear with me for a minute while I lay the groundwork with Get-View.  If you’ve ever used Get-View in PowerCLI you’ll know that it brings back a ridiculous wealth of information.  When you run a cmdlet like Get-VMHost it’s really only bringing back a small subset of the information on that object.  Sometimes this is fine, but sometimes we need that little bit extra to reach our objective.

For example you can run Get-VMHost esxi01.ukoticland.local


What you get is a default formatted table view displaying only a few key values.  A trick some of us use is to then pipe this out to a list: Get-VMHost esxi01.ukoticland.local | Format-List


Heaps more information, right?  But it’s still not the full picture; there’s still a lot of information on this object that we’re missing.  Take the original cmdlet we ran above and this time let’s pipe it to Get-View.  Let’s also store it in a variable called $myHost, just so we can work with it.

$myHost = Get-VMHost esxi01.ukoticland.local | Get-View


Okay, on first glance it doesn’t look like much.  But all those values that start with VMware.Vim are properties that can be drilled down into, for example $myHost.Config and $myHost.Config.Capabilities.


So it’s pretty cool, right?  We can now start retrieving a huge amount of new information that wasn’t available to us before.  But this is like finding a needle in a haystack.  I know I’ve wasted so much time typing $something.something.something in the hope of finding a value I can work with.

Well, finally this brings us to Show-Object.  This is an awesome cmdlet that will let you display the object retrieved with Get-View in a grid view window that you can navigate through, similar to a directory in File Explorer.  Using it is as simple as piping our variable to Show-Object.

$myHost | Show-Object


Now we can explore and click around at everything available to us.  As you navigate the object in the top pane you’ll get member data in the bottom pane.  I see this becoming a great reference tool to help find what you’re looking for.  Not only that, but it will give you the syntax to retrieve the information selected in the view pane.
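Show-Object needs a GUI, so as an added example (not from the original post or the PowerShellCookbook module) here is a scriptable version of the same search: it walks a Get-View object, descending only into the VMware.Vim data objects mentioned above, and returns the dotted path of every property whose name or value matches a wildcard.  It assumes an existing Connect-VIServer session and uses the host name from the post.

```powershell
function Find-ViewProperty {
    param(
        [Parameter(Mandatory)] $InputObject,          # a Get-View result or one of its VMware.Vim.* sub-objects
        [Parameter(Mandatory)] [string] $Pattern,     # wildcard matched against property names and values
        [string] $Path = '',
        [int] $MaxDepth = 8                           # guards against walking very deep or cyclic trees
    )
    if ($MaxDepth -lt 0 -or $null -eq $InputObject) { return }

    # Arrays (e.g. Config.Network.Vnic): walk each element with an indexed path
    if ($InputObject -is [array]) {
        for ($i = 0; $i -lt $InputObject.Count; $i++) {
            Find-ViewProperty -InputObject $InputObject[$i] -Pattern $Pattern -Path "$Path[$i]" -MaxDepth $MaxDepth
        }
        return
    }

    # Only descend into vSphere SDK data objects; primitives, strings and MoRefs are leaves
    $typeName = $InputObject.GetType().FullName
    if ($typeName -notlike 'VMware.Vim.*' -or $typeName -eq 'VMware.Vim.ManagedObjectReference') { return }

    foreach ($prop in $InputObject.PSObject.Properties) {
        if ($prop.Name -eq 'Client') { continue }     # the vCenter connection object, not host data
        $value = $prop.Value
        $here  = if ($Path) { "$Path.$($prop.Name)" } else { $prop.Name }
        if ($prop.Name -like $Pattern -or "$value" -like $Pattern) {
            [pscustomobject]@{ Path = $here; Value = $value }   # Path is the syntax to retrieve the value
        }
        Find-ViewProperty -InputObject $value -Pattern $Pattern -Path $here -MaxDepth ($MaxDepth - 1)
    }
}

# Usage against the host from the post: every property whose name or value mentions "lockdown"
$myHost = Get-VMHost esxi01.ukoticland.local | Get-View
Find-ViewProperty -InputObject $myHost -Pattern '*lockdown*' | Format-Table -AutoSize
```

Each returned Path can be pasted straight after $myHost (for example $myHost.Config.LockdownMode) to read that value in a script.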

So how do you get Show-Object?  Well, it’s not in PowerShell by default but can easily be obtained from the PowerShell Gallery, which, if new to you, is basically a public repository for PowerShell content.  If you’re using Windows 10 you’re halfway there.  If not, go get yourself the Windows Management Framework (WMF) 5; this will give you the latest version of the PowerShellGet module.  Then it’s just a matter of typing Install-Module -Name PowerShellCookbook.

Once the module is installed from the PowerShell Gallery, Show-Object is now available to use.  It’s worth noting that PowerShellCookbook comes with a huge array of extra cmdlets also worth exploring.

Finally, if you do try out Show-Object and like it, there’s a “jacked up” version of it over at PoshCode by Justin Rich.

 

Melbourne VMUG, Stronger Than Ever!

Held this week was the quarterly Melbourne VMUG.  The location was sponsored by Telstra, as it has been for a little while now, in one of their conference facilities in the CBD.  Telstra have shown to be a great supporter of the Melbourne VMUG with the continual use of their facilities.

I’ve been a semi-regular attendee of the local Melbourne VMUG for quite a number of years, so it’s a great privilege to have now become a committee member.  I’m still very green to the role and learning the ins and outs.  What I can say so far is that it’s run by a great bunch of guys committed to putting on the best event possible.

The Melbourne VMUG is an awesome event, hands down.  Whereas other user groups run very regular (monthly) meetups, the Melbourne VMUG has taken a quality over quantity approach.  We run a large annual UserCon at the beginning of the year plus another three regular meetups throughout the year.  In between the meetups we run vBeers, where like-minded people can just sit and chat over some drinks (beer).

We’ve now reached a point in the Melbourne VMUG where we can comfortably run two tracks side by side at our regular meetups.  Our May meetup had some great sponsors and some of the best content I’ve seen, with some great prizes to boot.  Our first session had vendors HP and Runecast presenting.  I sat in on Runecast and was really impressed with what they have to offer.  Our second session was VMware.  We had Chris Garrett talking about everything new in vSphere 6.0 Update 2 and Kevin Gorman talking containers.  I sat in on Kevin’s preso.  Kevin puts on a great talk and is a really great guy to listen to.  The last session of the night was allocated to community speakers.  We had the leader of the Melbourne Docker User Group, @benitogriffin, present, and an awesome panel session on Home Labs.  Okay, I may be a little biased on this last one.  I was one of the four panelists.  That’s me on the far right.


The night didn’t end there.  We had vendor sponsored vBeers and pizza at Troika Bar, a cool little bar around the corner covered in what looked like aluminum foil that made you feel like you were in a satellite or something.  A great end to the night where everyone could wind down and talk about that awesome Home Labs panel session that I was in 😛


Recently on social media there was discussion going around on how to make VMUG great again, with people comparing the VMUG of the past to what it is today.  I was a little disappointed to read some of the comments.  VMUG certainly isn’t what it used to be.  That doesn’t make it worse… just different.  Just like in IT, things change and we have to adapt and change with it.  If you feel you need to make VMUG great again, look no further than the Melbourne VMUG.  Best VMUG ever.

Links

VMUG Homepage
Melbourne VMUG Workspace

 

Cannot validate host customizations for host ‘fqdn’. null

I’ve been doing a lot of work recently with Auto Deploy and Host Profiles in vCenter.  I feel both of these technologies are very underrated.  With Host Profiles, prior to using Auto Deploy, I always felt they were a little more trouble than they were worth.  Trying to get every host compliant at the same time seemed like a losing battle.  But Auto Deploy and Host Profiles go hand in hand, so it was an opportunity to get it right.

While deploying Host Profiles to our cloud environment I ran into a few interesting errors.  One of these was the below.

Cannot validate host customizations for host x.x.x.x. null


The error was generated in the vSphere Web Client while trying to validate and apply the Host Profile.  This error was very non-descriptive and provided little in the way of help.  As much as I tried not to, I defaulted back to the C# Client and tried to apply the Host Profile to the host once again.  This time I received a much more informative error message.

Host Profile execution failed: ‘Balanced’ CPU policy not supported by system

Now this was much clearer.  What had happened was that I had generated the Host Profile on a physical host with slightly different hardware.  I was able to quickly fix the issue by deselecting Power System in the Host Profile’s configuration.

The interesting take-away here was not what caused the error but having to revert to the C# Client to get some meaningful information on it.  So it’s worth trying both the vSphere Web Client and the C# Client when facing similar errors.

References

Applying the Host Profile settings on an ESXi host using vSphere Auto Deploy fails with the error: Host Profile execution failed: ‘Balanced’ CPU policy not supported by system

ESXi Host Client Officially Released

A few days ago ESXi 6.0 Update 2 was released.  Quietly added in was version 1 of the ESXi Embedded Host Client.  I’ve spoken a few times about the Host Client.  It started out as a VMware Fling by VMware engineers Etienne Le Sueur and George Estebe.  Since then it has gained such a hugely positive response from the community that it has finally found its way into ESXi.

If you’ve recently upgraded to or installed ESXi 6.0 Update 2 you can access the Host Client via a browser connecting over standard SSL (https://myesxi-host/ui/).   You can log in with the host’s root account.  If you’ve never seen the Embedded Host Client before you’re in for a huge surprise.  You’ll be amazed at how similar it looks to the vSphere Web Client.  Not only that, but it’s extremely snappy and fast, built upon HTML5.

I recently upgraded my NUC home lab hosts to Update 2 to check out the production build.  It looks and feels just like the Tech Preview.  It’s going to be a great replacement for the C# Client.  If you’re running a previous Tech Preview release of the fling there are a few things to note before you upgrade to Update 2.  Initially I did an upgrade of a host with an old Tech Preview 5 fling installed; Update 2 left that version of the fling in place.  So on my subsequent hosts I removed the Tech Preview fling before upgrading the host.  That resolved the issue and installed the v1 production release.

Below are the steps to remove the Tech Preview fling before upgrading a host.  The -f forces the removal, just in case you have any third-party VIBs that may conflict with the uninstall, as I did.

[root@esxi03:~] esxcli software vib remove -f -n esx-ui
Removal Result
Message: Operation finished successfully.
Reboot Required: false
VIBs Installed:
VIBs Removed: VMware_bootbank_esx-ui_0.0.2-0.1.3357452
VIBs Skipped:
[root@esxi03:~]

If, like me, you upgraded a host before removing the Tech Preview version of the fling, you can download the official Host Client from the VMware download portal.  Listed with the ESXi 6.0 U2 ZIP and ISO images are the Host Client VIB and Offline Bundle.  Then just run through the steps to remove and install the VIB.

There is a newer build also available up on the Flings page, Tech Preview v6.   I chose to upgrade to this build as it’s just my home lab.  The process is simple; I outlined the steps to update the Embedded Host Client to a new build in a previous post.
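Before upgrading a whole cluster it helps to know which hosts still carry the Tech Preview fling.  The following is an added example (not from the original post) that reports the installed esx-ui VIB on every host via PowerCLI’s Get-EsxCli.  It assumes an existing Connect-VIServer session, and it assumes that fling builds carry 0.x versions (as the VIB removed above, 0.0.2-0.1.3357452, does) while production builds are 1.x.

```powershell
function Get-EsxUiVibReport {
    param([string] $VMHostName = '*')    # wildcard filter passed to Get-VMHost

    foreach ($vmhost in Get-VMHost -Name $VMHostName | Sort-Object Name) {
        # -V2 gives the argument-hashtable form of esxcli; software.vib.list is "esxcli software vib list"
        $esxcli = Get-EsxCli -VMHost $vmhost -V2
        $vib = $esxcli.software.vib.list.Invoke() | Where-Object { $_.Name -eq 'esx-ui' }

        [pscustomobject]@{
            Host                = $vmhost.Name
            EsxiBuild           = $vmhost.Build
            EsxUiVersion        = if ($vib) { $vib.Version } else { '(not installed)' }
            # Assumption: a 0.x esx-ui version is a Tech Preview fling that Update 2 will leave in place,
            # so it should be removed (esxcli software vib remove -f -n esx-ui) before the host is upgraded
            RemoveBeforeUpgrade = [bool]($vib -and $vib.Version -like '0.*')
        }
    }
}

Get-EsxUiVibReport | Format-Table -AutoSize
```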

[Screenshot: latest v1 production build of the Host Client]

[Screenshot: latest Tech Preview build of the Host Client]

References

Embedded Host Client Fling Page

VMware Host Client Release Notes

Auditing and Alerting on vCenter Permissions – Part 2

In my previous post I discussed auditing permissions in vCenter via PowerCLI, going through the process of identifying account and group permissions and what objects they have been set on.  In this second of a two-part post, I look at creating a vCenter alarm in PowerCLI that will trigger when a permission is added, removed or modified, which will then show up in vCenter Alarms.

Part 2 -- Generating a custom alarm on a vCenter permission change

The objective here is not to catch someone out (though you could see how it could help).  The alarm is by no means meant as a deterrent or even to be used for auditing.  Where it’s useful is as an identifier that a permission add, remove or modification has taken place.  Once triggered, a person can review the new permissions and acknowledge the alarm.

Working with vCenter alarms in PowerCLI hasn’t reached the maturity of many other cmdlets, so creating new alarms with PowerCLI is not as straightforward as using a cmdlet.  To create a new alarm we have to use the powerful Get-View cmdlet, which exposes us to all the richness of the vCenter SDK APIs.

Creating an alarm requires a few pieces of information.  First we create the alarm object, give it a name, description, and set its state.

Next we create our triggers, or expressions.  Creating the expression is where the magic lies.  The key piece is the EventTypeId: this is the specific vCenter event that will trigger the alarm.  I found finding this information through VMware extremely difficult.    With a little searching, though, and playing around, I found the information I was after with Get-View EventManager.

# The EventManager's description lists every event type vCenter can raise, keyed by event name
$eventMgr = Get-View EventManager
$eventMgr.Description.EventInfo | Where-Object {$_.Key -like "*permission*"}

Running the above without any filters returns a huge amount of information with possible events to trigger on.  Using the Where-Object cmdlet I was able to filter the results to anything with the word ‘permission’.  This narrowed down the results to just four, the key three being PermissionAddedEvent, PermissionRemovedEvent and PermissionUpdatedEvent.  Of course if you want to see everything just remove the pipe and everything after it.

With these events and a little more research I had enough information to create a script for an alarm.  Below I create three expressions, one for each permission event, and set the status to Yellow if triggered.  The alarm is created in the root of vCenter and will propagate down to all objects.

# The AlarmManager is the SDK object that creates alarms; Get-View exposes it directly
$alarmMgr = Get-View AlarmManager

# Create AlarmSpec object
$alarm = New-Object VMware.Vim.AlarmSpec
$alarm.Name = "Permission Modification"
$alarm.Description = "Track permission changes"
$alarm.Enabled = $true

# Event expression 1 - Permission Added
# EventTypeId is the event key found above via Get-View EventManager
$expression1 = New-Object VMware.Vim.EventAlarmExpression
$expression1.EventType = "EventEx"
$expression1.EventTypeId = "vim.event.PermissionAddedEvent"
$expression1.ObjectType = "VirtualMachine"
$expression1.Status = "Yellow"

# Event expression 2 - Permission Removed
$expression2 = New-Object VMware.Vim.EventAlarmExpression
$expression2.EventType = "EventEx"
$expression2.EventTypeId = "vim.event.PermissionRemovedEvent"
$expression2.ObjectType = "VirtualMachine"
$expression2.Status = "Yellow"

# Event expression 3 - Permission Modified
$expression3 = New-Object VMware.Vim.EventAlarmExpression
$expression3.EventType = "EventEx"
$expression3.EventTypeId = "vim.event.PermissionUpdatedEvent"
$expression3.ObjectType = "VirtualMachine"
$expression3.Status = "Yellow"

# Add event expressions to alarm - an OrAlarmExpression fires when any one of them matches
$alarm.Expression = New-Object VMware.Vim.OrAlarmExpression
$alarm.Expression.Expression += $expression1
$alarm.Expression.Expression += $expression2
$alarm.Expression.Expression += $expression3

# Create alarm in vCenter root. "Folder-group-d1" is the managed object reference of the
# root folder, so the alarm propagates to every object beneath it.
$alarmMgr.CreateAlarm("Folder-group-d1",$alarm)

# Add action to email alarm (optional - uncomment both lines to enable)
#Get-AlarmDefinition $alarm.Name | New-AlarmAction -Email -Subject "vCenter Permission Modification Occurred" -To me@mydomain.local
#Get-AlarmDefinition $alarm.Name | Get-AlarmAction | New-AlarmActionTrigger -StartStatus 'Green' -EndStatus 'Yellow'

Commented out is also the ability to email a notification when an event occurs.  This just feels a little like overkill but is nevertheless a notification option.

The beauty of this script is that it can also easily be modified to alarm on any triggerable event in vCenter.  Whether you need one expression or multiple, it’s easily modifiable.
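The alarm tells you that something changed; reviewing it means finding who changed what.  As an added example (not from the original post), the function below pulls the same three permission events the alarm watches for out of the vCenter event log with Get-VIEvent, so the person acknowledging the alarm can see the actor, the entity, the principal and the role.  It assumes an existing Connect-VIServer session.

```powershell
function Get-PermissionChangeEvent {
    param(
        [datetime] $Start = (Get-Date).AddDays(-7),   # how far back to look in the event log
        [int] $MaxSamples = 5000                      # Get-VIEvent returns only 100 events by default
    )

    # PermissionAddedEvent, PermissionRemovedEvent and PermissionUpdatedEvent all derive from
    # VMware.Vim.PermissionEvent, so a single type check selects exactly the events the alarm uses
    Get-VIEvent -Start $Start -MaxSamples $MaxSamples |
        Where-Object { $_ -is [VMware.Vim.PermissionEvent] } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.CreatedTime
                Change    = $_.GetType().Name -replace '^Permission|Event$', ''   # Added / Removed / Updated
                ChangedBy = $_.UserName                 # the account that made the change
                Entity    = $_.Entity.Name              # the object the permission sits on
                Principal = $_.Principal                # the user or group that was granted/revoked
                IsGroup   = $_.Group
                # Only the Added and Updated events carry the role; Removed does not
                Role      = if ($_.PSObject.Properties['Role']) { $_.Role.Name } else { $null }
                Message   = $_.FullFormattedMessage
            }
        }
}

# Review the last week of permission changes, oldest first
Get-PermissionChangeEvent | Sort-Object Time | Format-Table -AutoSize
```

Running this on a schedule and keeping the output alongside the Part 1 CSV snapshots gives you the change history that the alarm alone does not record.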

Virten.net has a good article on how to create custom alarms and find events that I used as a reference.  If you don’t want to search for your own events to alarm on, Virten maintains a database of all events that can be alarmed on.  I’m not sure how current it is but it’s a good starting point.

References

How to create custom vCenter Alarms from Events | Virten.net

VMware Data Object -- EventAlarmExpression

Auditing and Alerting on vCenter Permissions – Part 1

In this two-part post I discuss and cover how to audit vCenter permissions using PowerCLI: how to enumerate basic permissions and then expand them out and send them to a CSV file for further auditing.  In Part 2, I’ll discuss how to create custom alerts using PowerCLI that trigger on a vCenter permission modification.

Part 1 -- Auditing vCenter Permissions

Reviewing and auditing vCenter permissions has always been awkward at the best of times.  Unless you’re on top of permissions from day one, over time you can be left with a mess of vCenter permissions, and if you’re not explicitly looking for it you won’t know it either.  This is certainly what I found recently in one of my vCenter environments.

There are a few different ways to view permissions in the C# and Web Client.  You can click on an object and view the Permissions tab, or you can go to Roles.  The Roles section is certainly much more useful but still far from ideal: you have to click on each Role and there is no way to export that information.  Using PowerCLI, on the other hand, you can consolidate the above two methods into one view and have it exportable.  The quickest and easiest way to get started is with Get-VIPermission once connected to a vCenter in PowerCLI.

Get-VIPermission | Format-Table -AutoSize

Get-VIPermission in its default form gives you a quick overview of all principals / users defined with explicit permissions along with their role, whether it’s a group, and if it’s set to propagate down the tree.  Ideally you’ll only have a few groups listed here and nothing else, unlike myself, where I had a large number of individual users explicitly listed on many different objects.

When using Format-Table we lose a little information on the screen; namely, we can’t see what objects these permissions are set on.  So we can work with the Get-VIPermission cmdlet to expand it out a little further.

Get-VIPermission | Sort-Object | Format-Table Entity, EntityID, Role, Principal -AutoSize

The two extra values we are looking for here are Entity and EntityID.  In most cases Entity will aid in identifying the vCenter object that has the explicit permissions set on it so you can review.  The Entity could be a Virtual Machine, a Cluster, or a Datastore.  In some cases, though, you will find the Entity is blank.

Again, in my case I had a lot of permissions with a blank Entity.  Using EntityID I could see that the objects appeared to be networking related.  So in this case we need to get a little more creative with querying the SDK APIs using Get-View.

Get-VIPermission | Sort-Object | Format-Table @{N="ObjectName";E={(Get-View -Id $_.EntityID).Name}}, Entity, EntityID, Role, Principal -AutoSize

This now gets us 95% of the way there.  We use Get-View with the EntityID as its ID to find the actual name of the vCenter object for that missing Entity value.  In the case of the networking objects we will now get the exact names of the networking switches.


Putting it all together.  In this last part I turn the one-liner into a little script: make sure the correct snap-in is loaded, make it a little easier to read, and have it output to a CSV file that can be used to audit and review at a later stage.

# Import Snap-in (only needed if the PowerCLI core snap-in is not already loaded)
if ((Get-PSSnapin | Where-Object {$_.Name -ilike "Vmware*Core"}).Name -ine "VMware.VimAutomation.Core")
{
    Write-Host "Loading PS Snap-in: VMware VimAutomation Core"
    Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
}

# Timestamp so each run writes its own CSV and a history builds up over time
$Date = (Get-Date).ToString("yyyyMMddHHmm")

# Resolve each permission's object name via Get-View, since Entity is blank for some objects
$result = Get-VIPermission | Sort-Object -Property Principal |
    Select-Object @{N="ObjectName";E={(Get-View -Id $_.EntityID).Name}}, EntityID, Role, IsGroup, Principal

$result | Export-Csv -Path "$pwd\vCenter_PermissionAudit-$Date.csv" -NoTypeInformation -UseCulture

In the above script the results are written to a CSV file with the date appended.  The benefit of doing this is you can schedule it to run and have a history of the state of permissions over time.  Simple as it is, I think it’s really handy.
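A history is only useful if you can see what changed between two runs, so here is an added example (not from the original post) that compares two of the dated CSV snapshots the script above writes and reports every permission row that was added or removed.  The two small data sets at the bottom are constructed for illustration and are not real vCenter output; Compare-PermissionAudit takes the real files.

```powershell
function Compare-PermissionRows {
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [object[]] $After
    )
    # The columns the audit script exports that together identify one permission assignment
    $key = 'ObjectName', 'EntityID', 'Role', 'Principal'

    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property $key -PassThru |
        ForEach-Object {
            [pscustomobject]@{
                # '=>' means the row exists only in the newer snapshot, '<=' only in the older one
                Change     = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                ObjectName = $_.ObjectName
                EntityID   = $_.EntityID
                Role       = $_.Role
                IsGroup    = $_.IsGroup
                Principal  = $_.Principal
            }
        }
}

function Compare-PermissionAudit {
    param(
        [Parameter(Mandatory)] [string] $BeforeCsv,   # older vCenter_PermissionAudit-<date>.csv
        [Parameter(Mandatory)] [string] $AfterCsv     # newer one
    )
    # -UseCulture matches the Export-Csv -UseCulture used when the snapshots were written
    Compare-PermissionRows -Before (Import-Csv $BeforeCsv -UseCulture) -After (Import-Csv $AfterCsv -UseCulture)
}

# Constructed sample rows in the same shape as the CSV (placeholder names, not a real environment).
# The second snapshot drops the read-only group from the cluster and grants an individual user Admin at the root.
$before = @(
    [pscustomobject]@{ ObjectName='Datacenters'; EntityID='Folder-group-d1'; Role='Admin'; IsGroup='True'; Principal='VSPHERE.LOCAL\Administrators' }
    [pscustomobject]@{ ObjectName='Prod-Cluster'; EntityID='ClusterComputeResource-domain-c7'; Role='ReadOnly'; IsGroup='True'; Principal='EXAMPLE\vCenter-ReadOnly' }
)
$after = @(
    [pscustomobject]@{ ObjectName='Datacenters'; EntityID='Folder-group-d1'; Role='Admin'; IsGroup='True'; Principal='VSPHERE.LOCAL\Administrators' }
    [pscustomobject]@{ ObjectName='Datacenters'; EntityID='Folder-group-d1'; Role='Admin'; IsGroup='False'; Principal='EXAMPLE\jsmith' }
)

Compare-PermissionRows -Before $before -After $after | Format-Table -AutoSize
```

Rows reported as Added with an individual (IsGroup False) principal or an Admin role at the root are the ones worth reviewing first.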

In the next post I will look at creating a basic Alarm in vCenter that will trigger when a permission is modified on an object.