Pools 101–Horizon View

It’s been quite a while since I blogged. However, during this big pause I learnt one thing about myself: I don’t publish unless I’m convinced the information I’m posting is not found or neatly explained. I have always been confused about persistent desktops, stateful desktops, stateless desktops, full clones and linked clones. I have only heard of linked clones; the other terms are used interchangeably. This post is aimed at clarifying these doubts.

Pools are basically collections of desktops. These desktops are either pre-created, created on the fly, or created as demand increases.

Why do we create pools?

A pool is like a group policy: you define it once and it applies to a group of users and computers. Similarly, in a pool you can define various settings to control the deployment of desktops, the logoff action, and the provisioning style (Sysprep/QuickPrep).

Types of Pools

Automatic Pool

Desktops are automatically created. You can specify the total number of virtual machines you wish the pool to provision at any given time. With an automatic pool you also have the option to keep a minimum number of spare VMs for new users. This allows you to control how frequently VMs are provisioned, thereby controlling the load on the View Composer/vCenter servers. The setting also ensures desktops are available for immediate use. Please note Horizon View licenses are based on concurrent users. Once you know the number of concurrent users, you can design this parameter accordingly. If you are purchasing 1000 concurrent user licenses, then you should never put more than 1000 as the maximum number of VMs per pool.

Manual Pool

A manual pool is used when the desktop VM is already provisioned and available in vCenter, or it is not managed by vCenter (e.g. Hyper-V, SCVMM), or it is a physical desktop. Very limited use case.

RDSH Pool

RDSH is Terminal Services, now renamed by Microsoft as Remote Desktop Services (RDS). It is primarily used to publish session-based desktops and applications. However, in an RDSH pool you can only create session-based desktops for users. Remember this is not a pool of desktops. Users can log into RDSH simultaneously. RDSH-based desktop pools only support Windows-based desktops. Again, very limited use case for desktops. In fact, the real power of RDSH is to publish applications on RDSH servers and make them accessible from any device.

Decision on which one to use

The simplest way to select the type of pool is to ask whether you are using only View-based VMs. If yes, the answer is an automated pool.

Are you going to use some third-party desktop management software and user profile management software? If the answer is yes, think of an RDSH-based pool.

Note: RDSH-based pools do not support Persona Management, so the decision is primarily around user profile management and operations. The use case for RDSH-based desktop pools is very limited. Use cases which RDSH-based desktops can solve are already covered by, and overlap with, the automated pool:

1. Roaming profile management (Automated Pool)

2. Image management (Automated Pool)

3. Users don’t want to buy software licenses per desktop (RDSH Based Desktop)

e.g. MS Office, Windows OS license and other software products which support CAL types.

4. User must get the same desktop every time he logs in (Automated Pool)

5. User needs a custom application installed on his desktop (Automated Pool)

Note on item 4: with RDSH you don’t have floating desktops or dedicated desktop pools.

What else would the users’ work profile be? It is a major driving factor in choosing an Automated over an RDSH pool.

In the next post we discuss types of assignments and types of deployments, and how they further impact the pool type selection.

vCAC 6.1 (vRA) Distributed Architecture Installation Guide Made easy –[Part –02]

Certificates for Identity Appliance

High level procedure to install and configure identity appliance

  1. Deploy Identity appliance
  2. Power ON appliance
  3. Configure Timezone
  4. Configure Time server
  5. Initialize SSO
  6. Import CA signed certificates
  7. Add Identity appliance to Active directory

After the certificate steps are followed, insert the private key, which is rui.key, into RSA Private Key and insert RUI.PEM, which is the certificate chain.

NB: You must enter the password for Pass Phrase. This is almost forgotten if you are using a small screen.

Configure vCAC App as vPostgresSQL Database

Deploy vCAC Appliance and Power On the appliance.

Configure Timezone


Configure Timeserver


vCAC 6.1 (vRA) Distributed Architecture Installation Guide Made easy –[Part –01]

I should start using the official new name now: it is vRealize Automation (vRA). This blog post is an attempt to make the distributed architecture of vRA 6.1 simpler to install and configure. Please note this was tested in a lab. The recommendation is purely to test in a lab before you try it out in production.

The slide below explains the high-level procedure you must follow for a successful installation of the distributed architecture.

I’m not including the vCenter SSO and Postgres SQL database installation and configuration procedures, as they have been very well documented.

References

  1. Postgres SQL database in distributed model is very well explained by Brian here
  2. vCenter SSO is explained in detail in this white paper here

My primary intentions in posting this blog are

  1. To help me remember and refer back in future
  2. Detailed documentation on this is missing and is available at many places. This is an attempt to collate all the information in this blog post

How to use Reservation Policy to place VMDKs across different datastores

Reservation policy is an often unused feature and, to some extent, not fully understood. The primary reason could be that the reservation policy creation process is very simple, and during policy creation we don’t glue the pieces together. That being said, there are very valid use cases for reservation policies, and they come in very handy for VM placement. One of the core principles of the Software Defined Datacenter (SDDC) suggests we need policy-based automation and a common management platform across the entire infrastructure.

With reservation policy we address this requirement. It is my personal belief that features in any product are aimed at solving some business problem or other. All we should attempt is to find those relevant business cases or help someone find them. In this blog I aim for the latter.

Start to end tenant configuration in vCAC

After going through the FAQ post, I thought it would be easier to construct a flow chart based on my understanding. I’m happy I can cover most of the tenant configurations using the flow chart below.

First: You create the tenant (on the right-hand side, named HR Tenant). While creating the tenant you must create the Tenant Administrator and Infrastructure Administrator.

Second: The Infrastructure Administrator creates the fabric. In simple words, he maps ESXi cluster(s) inside vCAC. On the left-hand side, I have a cluster dedicated to the HR Business Unit (HRBU), named HR Cluster. While creating the fabric you must create the Fabric Administrator.

Third: The HR Fabric Admin creates a reservation and assigns it to the HR business group. He also creates the machine prefix. A machine prefix is a prerequisite for creating a business group. He can also optionally create network profiles and reservation policies. These can be mapped to blueprints.

Fourth: The Tenant Administrator creates the business group, but unless a machine prefix is created the business group cannot be created. NB: There is an option for the Tenant Administrator to create the machine prefix. The Tenant Administrator then creates blueprints and publishes them. A published blueprint is referred to as a catalog item. He creates a service and assigns the catalog item to the service. He then assigns entitlements to the service and catalog items, and entitled actions to catalog items.

Briefly, it looks like below.

Let’s do the above exercise using an example, as it would be more relevant to us. In the flowchart below, blueprints, catalog items, services and entitlements are shown.

Left-hand side: blueprints are published and become catalog items (the middle, light blue). You then create a service and add the catalog item to the service. Finally you put the entitlements around the catalog items, services and entitlements needed.

In the next post I will talk about naming conventions in vCAC.

Roles FAQ of vCAC –For Myself

Before I start on the main topic, I would like to highlight that vCAC as a product has three main components which need to be explored, blogged about or documented very well.

The reason we don’t see much on this yet is that it is an evolving field. No one person knows or has these skill sets. These components make a perfect orchestration layer but expect broad skill sets which are difficult to find. I’m mostly blogging on vCAC core stuff. But people expect a lot from vCAC extensibility. It is a skill which needs attention and understanding, and has huge scope.

Below are frequently asked questions about the various roles available in vCAC, or ones I asked myself. These questions help me define a role-based access control model for vCAC. I hope they help you too.

Who has rights to create blueprint?

The Tenant Administrator role and the Business Group Manager have rights to create blueprints.

Who has rights to create reservations?

The Fabric Administrator has rights to create reservations. A reservation can be shared between tenants BUT only if the fabric is shared.

Below is an example of a shared fabric. I created a single fabric (i.e. mapped three different clusters to it), which allows the Fabric Administrator to choose from the clusters (i.e. compute resources) and assign them to tenants.

In such a model, reservations are visible across the tenants. It means the Fabric Administrator plays a shared role in managing the fabric.

Who has rights to create prefix?

Machine prefixes are created by the Fabric Administrator; they can also be created by the Tenant Administrator.

Who has rights to create network profile?

Network profiles are created by Fabric Administrator

Who has rights to create business groups?

Business groups are created by Tenant Administrator

Who has rights to create fabric group?

Only Infrastructure administrator can create fabric group

Who has rights to create reservation policies?

Fabric administrator creates reservation policies

Who has rights to create & publish blueprints (a.k.a. catalog items)?

Tenant Administrator can create and publish blueprints.

Business group manager can only create blueprints

Who has rights to create services?

Only Tenant Administrator can create services

Who can create approval policies?

Only tenant administrator can create approval policies

Who can create entitlements?

Tenant Administrator and Business group manager can create entitlements

Disclaimer: The above post is based on my observations in my lab. I might be wrong. More than happy to be corrected; from mistakes we learn.

Case of Multiple tenants in vCAC

Before I start on the topic I wish to thank my readers. I’m blogging after more than four months, however I see my posts are consistently getting around 6000 hits per month. I’m surprised and pleased.

Disclaimer: This blog and any blog posts do not represent my current organization in any form.

 

Hope these are all genuine readers and getting the most out of my blog.

When I thought about this post, I asked myself why we need multiple tenants. What are the use cases for multiple tenants? Before we dive into the use cases, let’s first understand a few roles and what they can do (a.k.a. privileges).

  1. Tenant Administrator
  2. Infrastructure Administrator
  3. Fabric Administrator

When you first create a tenant, you have to create two roles: Tenant Administrator and Infrastructure Administrator. At first I thought both these roles were unique to the tenant and responsible for managing the tenant under which they are created. However, that is not completely true. The Tenant Administrator controls the tenant to which he is assigned, but an Infrastructure Administrator can control every other tenant’s Infrastructure tab, irrespective of which tenant he is Infrastructure Administrator for: all Infrastructure Administrators (of all tenants) can control the infrastructure. In simple words, the Infrastructure Administrator of any tenant can modify anything inside the Infrastructure tab.

However, whether an Infrastructure Administrator should do cross-tenant administration is a different discussion. My first thought on this: please do not mess with this one; however, I totally understand the human errors behind this exposure. We make mistakes.

Another role we create is Fabric Administrator. The Fabric Administrator again sees the Infrastructure tab, and the same principle applies as for the Infrastructure Administrator.

The Infrastructure Administrator and Fabric Administrator roles see common elements across the tenants.

 

It is worth noting that the Infrastructure tab comes from the IIS web server of the vCAC infrastructure.

Let’s see what these common elements are.

For Infrastructure Administrators

  1. Under Endpoints: all endpoints you create/configure are visible to all Infrastructure Administrators, irrespective of tenant
  2. Under Endpoints, Endpoint Credentials: all endpoint credentials are visible to all Infrastructure Administrators, irrespective of tenant
  3. Monitoring (logs, audit, workflows): the Monitoring tab is visible across tenants to all Infrastructure Administrators
  4. Under Groups: the fabric is visible across tenants to all Infrastructure Administrators

Below is a sample view of the Infrastructure tab that an Infrastructure Administrator sees.

In the flow chart below I’m trying to explain where the Infrastructure Administrator spends most of the time.

For Fabric Administrators

  1. Reservations are visible across the tenants to all infrastructure administrators, but you can do a little trick: do not share the fabric, and it will give isolation at the reservation level as well.
  2. Machine Prefix: machine prefixes are visible across all the tenants to all infrastructure administrators. In the figure below, company-A’s fabric administrator can see company-B’s machine prefix and vice versa.
  3. Manual data collection requests option. This option is needed when you wish to update the inventory of your vCenter into vCAC.
  4. Network Profiles. These policies are visible across the tenants to all infrastructure administrators. It also means a network policy created for company-A can be edited/deleted by the fabric administrator of company-B.
  5. Reservation Policies. I will explain the actual use of reservation policies in future posts.

Below is a sample view of the Infrastructure tab that a fabric administrator sees.

In the flow chart below I’m trying to explain where the Fabric Administrator spends time.

Everything after this is very specific to tenants. Following things are controlled by Tenant Administrators

  1. Tenant Administrator creates Blueprints
  2. Tenant Administrator creates Business groups
  3. Tenant Administrator creates services
  4. Tenant Administrator creates entitlement
  5. Tenant Administrator creates catalog
  6. Tenant Administrator creates Approval Policy
  7. Tenant Administrator creates & configure email servers (SMTP)

In the flow chart below I’m trying to explain where the Tenant Administrator spends most of his time.

The screen below shows that Tenant A and Tenant B are controlled by Fabric, Tenant and Infrastructure Administrators.

The Fabric Administrator and Infrastructure Administrator at both ends can configure and control Tenants A and B and have full privileges across the tenants. The Tenant A and Tenant B Administrators control their individual tenant configurations.

Handy tips: When you publish a blueprint it becomes a catalog item. When you create a service you add this catalog item (published blueprint) to the service. A service can contain multiple catalog items (published blueprints). Use the Firefox browser for better results with vCAC.

So you get true isolation/multi-tenancy only at the blueprint, service and catalog level. So the answer to our main question, when do we go for multiple tenants, is:

When we do NOT want catalogs, blueprints and services to be shared.
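
The cross-tenant reach described in this post can be written down as a small audit model for a threat-modeling exercise. The following is an added example, not part of the original post and not vCAC code; the object type labels, the sample tenants and users, and the `crossTenantExposure` helper are constructed here from the post's lab observations.

```javascript
// Added example (not vCAC code): which role holders from OTHER tenants can
// reach an object that was set up for a given tenant, per the post's findings.
// Type labels, sample data and helper name are constructed for illustration.
const INFRA = ["InfrastructureAdmin"];
// The post lists these under Fabric Administrators and also states that any
// Infrastructure Administrator can modify anything inside the Infrastructure tab.
const FABRIC = ["FabricAdmin", "InfrastructureAdmin"];

const SCOPE = {
  "endpoint":            { roles: INFRA,  shared: "always" },
  "endpoint-credential": { roles: INFRA,  shared: "always" },
  "fabric-group":        { roles: INFRA,  shared: "always" },
  "machine-prefix":      { roles: FABRIC, shared: "always" },
  "network-profile":     { roles: FABRIC, shared: "always" },
  "reservation-policy":  { roles: FABRIC, shared: "always" },
  // Reservations are isolated only when the fabric is not shared.
  "reservation":         { roles: FABRIC, shared: "ifFabricShared" },
  // Tenant-scoped items: the only level with true isolation.
  "blueprint":           { roles: ["TenantAdmin"], shared: "never" },
  "service":             { roles: ["TenantAdmin"], shared: "never" },
  "catalog-item":        { roles: ["TenantAdmin"], shared: "never" },
};

function crossTenantExposure(assignments, objects, fabricShared) {
  const findings = [];
  for (const obj of objects) {
    const rule = SCOPE[obj.type];
    if (!rule) throw new Error(`unknown object type: ${obj.type}`);
    if (rule.shared === "never") continue;
    if (rule.shared === "ifFabricShared" && !fabricShared) continue;
    for (const a of assignments) {
      // Flag role holders whose tenant differs from the tenant the object serves.
      if (rule.roles.includes(a.role) && a.tenant !== obj.tenant) {
        findings.push({
          object: `${obj.type}:${obj.name}`,
          servesTenant: obj.tenant,
          principal: a.user,
          via: `${a.role}@${a.tenant}`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample data (two tenants, one holder per role).
const ASSIGNMENTS = [
  { user: "alice", tenant: "company-A", role: "TenantAdmin" },
  { user: "bob",   tenant: "company-A", role: "InfrastructureAdmin" },
  { user: "carol", tenant: "company-A", role: "FabricAdmin" },
  { user: "dave",  tenant: "company-B", role: "TenantAdmin" },
  { user: "erin",  tenant: "company-B", role: "InfrastructureAdmin" },
  { user: "frank", tenant: "company-B", role: "FabricAdmin" },
];
const OBJECTS = [
  { type: "endpoint",            name: "vcenter-a",     tenant: "company-A" },
  { type: "endpoint-credential", name: "vcenter-a-svc", tenant: "company-A" },
  { type: "network-profile",     name: "np-b",          tenant: "company-B" },
  { type: "machine-prefix",      name: "B-VM",          tenant: "company-B" },
  { type: "reservation",         name: "res-a",         tenant: "company-A" },
  { type: "blueprint",           name: "bp-a",          tenant: "company-A" },
];

for (const f of crossTenantExposure(ASSIGNMENTS, OBJECTS, true)) {
  console.log(`${f.object} (for ${f.servesTenant}) reachable by ${f.principal} via ${f.via}`);
}
```

Running the same call with `fabricShared` set to `false` drops only the reservation findings, which matches the "do not share fabric" trick above.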

vCloud Automation Center 6.0 and vCenter Orchestrator Advance Automation -Part03

Part 1 and Part 2 are simple in some ways and parts. The next part is a bit difficult to understand; at least it was for me. I will explain what I’m going to do at a high level. I’ll get the machine name. Then I will get the machine property, which will give me the custom properties (the VM size the user selects from the drop-down menu, as referred here, and the backup selection, referred here). Finally I will invoke the vCO workflow. This workflow needs the VM name, VM size and backup choice as input: I will pass the VM name which I get from GetMachineName, and the VM size and backup choice which I get from GetMachineProperty.

Now let’s find where and how to do this. Once you understand the basic concept it is quite simple. First open vCAC Designer. Select Load and then select “WFStubMachineProvisioned”. Why “WFStubMachineProvisioned”? Well, this workflow is called immediately when the status of the VM is provisioned. More information is available in the http://pubs.vmware.com/vCAC-60/topic/com.vmware.ICbase/PDF/vcloud-automation-center-60-extensibility.pdf guide.

In the screen below, double click on “Machine Provisioned”.

Scroll down till you find the custom code and double click on it.

From “DynamicOps.Cdk.Activities” on the left-hand side, drag “GetMachineName”.

I have defined two variables for this custom code

  1. vmname (to capture VM Name)
  2. VMSize (to capture VM size e.g. Large, Medium and Small in string format)
  3. VarBackupOption (To capture user selection Yes/No in string format)

Double click on GetMachineName.

In the Machine Id field put the pre-defined variable “VirtualMachineId”. This is a standard value; please do not change it. Under Machine Name put the variable vmname, which we defined above.

Machine Name will pick up the name from VirtualMachineId and pass it to vmname. Finally, the variable vmname will hold the name of the VM. We are done with GetMachineName.

Click on the custom code as shown in the figure above; it will take you back to the custom code screen. Now, from “DynamicOps.Cdk.Activities” on the left-hand side, drag “GetMachineProperty”.

GetMachineProperty reads the custom property you have defined in vCAC and the value associated with that property. In our case I have defined a custom property named VMSize, and its value will come from the value selected from the drop-down menu. This value (e.g. Large, Medium or Small) will be taken by the variable VMSize.

You will notice the VMSize property name is in quotes, whereas the property value is without quotes. This is because VMSize in the property value is a variable which will be captured from user interaction in vCAC, while VMSize in the property name comes from the custom property defined in vCAC.

Conceptually, this is how it is related.

I repeated the same procedure for the backup choice, and here is how it looks.

VarBackupOption will hold the user’s selection as a string value, which will be either Yes or No, and pass it to the vCO workflow.

Now that we have the virtual machine name captured in the VMName variable, the VM size captured in the VMSize variable and the backup option captured in VarBackupOption, we are ready for the next drag and drop. Drag the vCO workflow activity named InvokeVcoWorkflow.

Simply put VMName and VMSize as input to the vCO workflow.

Below is how the entire workflow looks.

Now you are done; simply Send, and that updates WFStubMachineProvisioned.

This is all you need to do. Request a virtual machine and you will get what you have configured.

The complete log of VM provisioning via vCAC and vCO is presented below, with the sequence of actions.

vCloud Automation Center 6.0 and vCenter Orchestrator Advance Automation -Part02

If you have reached this post from Google, check this post first. That is where the problem is discussed, and this is the second part of the solution. The first thing you need is to pass three pieces of information from vCAC: the VM name, the size of the VM and whether you need any backup. VM name is a parameter you will get from vCAC, but for the backup selection and VM size selection I have created a custom property in a build profile. Here is how I created it.

First go to the Infrastructure tab.

In the Infrastructure tab go to –> Blueprint –> Property Dictionary

Create a New Property Definition

Provide Name –VMSize

Display Name –Virtual Machine Size

Control Type – DropDownList

Please ensure the Required check box is selected.

Once done, please click on the green arrow.

Then click on Edit to edit the Property Attributes.

In the property attribute, select ValueList, put the same name “VM Sizes” and provide the values Large, Medium and Small, which reflect the size of the VM.

Follow a similar exercise for the backup option.

Here is how it looks when the user selects the VM size.

For the backup service selection, this is how it looks.

Just ensure the blueprint is updated as follows.

This completes the vCenter Automation part at a basic level. Now comes the third and final part. Follow the third part here

vCloud Automation Center 6.0 and vCenter Orchestrator Advance Automation -Part01

This post is about extending vCAC’s in-built workflows. In the last two posts (Post1, Post2) I used vCenter Orchestrator (vCO) workflows and executed them using vCloud Automation Center’s (vCAC) Advanced Service Designer. It was like taking vCAC as a front end to execute those workflows without taking any benefit of the vCloud Automation Center product. vCAC was purely acting as a front end.

Advanced Service Designer doesn’t follow any reservations or policies configured for a particular tenant. It purely takes inputs from whatever is configured in the vCenter Orchestrator workflow and executes it. As I think of it, it is of help, but then I miss all the configuration, ownership tracking, multi-tenancy and metering built into vCAC. In order to cover this I would need to do additional scripting, which is referred to as day-2 operations. To address this problem, vCAC provides a way to modify the in-built workflows. Basic details are provided in this document. I won’t repeat them here, but in order to understand this post you must read it.

To extend a workflow you need vCAC Designer. It is part of vCAC and can be downloaded from https://vCACAppliance.hostname.com:5480/installer/. Install it (it is a next-next-next-Finish thing).

Problem Statement

Users should be able to provision a VM by selecting the VM size within the vCAC interface. Users should be able to understand what compute and storage details are provisioned when they select a VM size.

Here I’m going to modify my existing workflow, which I created in the post here. If you look at the workflow, there are three inputs needed

1. VM name

2. VM size

3. IP Address for the VM

If you review this post, the third point is automatically taken care of. So I just have to focus on how to take two inputs (VM name and VM size) from vCAC and put them into the vCO workflow. It was a bit simpler, with just two inputs.

The cloning part will be taken care of by vCAC, but the post-provisioning tasks will be taken care of by the vCO workflow. So we only need to focus on creating a vCO workflow which will do the following

  1. Changing CPU count
  2. Change RAM
  3. Add Disk
  4. Add Backup Network if selected

If you execute this workflow from vCO or vCenter, a VC:VirtualMachine is needed as input. But vCAC does not understand VC:VirtualMachine; it can only understand string input or provide string output. The VC:VirtualMachine input is referred to as a complex object type. In order to deal with this input we need to put a wrapper around the workflow. How to put a wrapper around a workflow is explained by VCOTEAM.INFO. Thanks to this post. It is the key post.

That post is where you can start, but it isn’t sufficient. You need more. If you refer below, the return type is an array.

We need a VC:VirtualMachine as the return type. I added a script section and then created a new parameter of type VC:VirtualMachine named vm01 (shown in the screen below).

In the first line of the script I converted the array type, i.e. Array/VC:VirtualMachine, into VC:VirtualMachine and sent that as output. This is the core piece. If you understand this, you don’t need to worry further. Everything else is straightforward. I thought so.

When I executed the vCO workflow from vCAC, it failed twice. First it failed with VMware Tools not working, and the second time it failed with the error “Hot add functionality” is disabled in VM.

The first problem was that when the provisioning activity completed, my next workflow, which was to shut down the VM gracefully, looked for VMware Tools, didn’t find them and abruptly failed. In order to shut down a VM gracefully, VMware Tools must be ready. So to address the first problem I had to find a workflow which checks whether VMware Tools are ready. This can easily be checked using the “vim3WaitToolsStarted” action element. This workflow waits for VMware Tools to be ready, as they are needed to gracefully shut down the VM.

The second problem was that the workflow didn’t wait for another workflow to complete. After I shut down the VM I have workflows which change the CPU count, then change the RAM, add a disk and finally power on the VM. The power-on workflow didn’t wait for the CPU count, add disk and RAM change workflows to execute. Therefore I used to get the error about hot plug not being supported. It was as if the VM was started before the CPU and RAM changes could even be executed. To solve this problem I added the “vim3WaitTaskEnd” in-built workflow. This workflow checks previous tasks before executing the next task.

With this additional work my final workflow was ready, and it is shown below.

NB: Except for the script section, everything in vCenter Orchestrator is in-built.

The next part is how to make vCAC pick up this vCO workflow. I have discussed that in the next post here
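
The array-to-single-object step in the script section decides which VM the post-provisioning workflow shuts down and reconfigures, so it is worth making strict about what it accepts. The following is an added example, not the author's script and not vCO plug-in code: it is plain JavaScript (the language vCO scriptable tasks use) with constructed objects standing in for the Array/VC:VirtualMachine result, and `resolveSingleVm` and `tryResolve` are hypothetical helper names.

```javascript
// Added example: strict version of "convert Array/VC:VirtualMachine into one
// VC:VirtualMachine". The objects are constructed stand-ins carrying only the
// fields this check needs; nothing here calls the real vCenter plug-in.
function resolveSingleVm(matches, requestedName) {
  if (typeof requestedName !== "string" || requestedName.trim() === "") {
    throw new Error("VM name passed from vCAC is empty");
  }
  if (!Array.isArray(matches)) {
    throw new Error("lookup did not return an array");
  }
  // Keep exact, case-sensitive matches only: a lookup that matches by pattern
  // or substring could return "hr-web-010" when asked for "hr-web-01".
  const exact = matches.filter((vm) => vm && vm.name === requestedName);
  if (exact.length === 0) {
    throw new Error(`no VM named "${requestedName}"`);
  }
  if (exact.length > 1) {
    // Same name in two folders or datacenters: picking element 0 would
    // reconfigure whichever machine happened to be listed first.
    const ids = exact.map((vm) => vm.id).join(", ");
    throw new Error(`${exact.length} VMs named "${requestedName}" (${ids}); refusing to pick one`);
  }
  return exact[0]; // the value that would be bound to the vm01 output parameter
}

// Constructed lookup results for three situations.
const SAMPLE_RESULTS = {
  unique:    [{ id: "vm-101", name: "hr-web-01" }],
  duplicate: [{ id: "vm-101", name: "hr-web-01" }, { id: "vm-207", name: "hr-web-01" }],
  nearMiss:  [{ id: "vm-301", name: "hr-web-010" }],
};

// Wrapper that reports the outcome instead of throwing, for logging.
function tryResolve(matches, name) {
  try {
    return { ok: true, id: resolveSingleVm(matches, name).id };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

for (const [label, result] of Object.entries(SAMPLE_RESULTS)) {
  console.log(label, JSON.stringify(tryResolve(result, "hr-web-01")));
}
```

Failing the workflow on an ambiguous or missing match keeps the CPU, RAM and disk changes from landing on a machine the requesting user does not own.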