Timo Sugliani

Last week I’ve released a small monitoring/stats script for vCloud Director 1.5+

You can find it here

Here is a small screenshot of how the output looks like:

Lately I’ve been working on some monitoring stuff, and I was trying to fetch some metrics from the vCloud Director MBeans through JMX that the following KB depicts : VMware KB 1026065

You can find amazing information through JMX, especially when you are running a multi-cell setup.

A colleague was trying to setup a monitoring lab, and I found out that he couldn’t connect to the JMX connector using JConsole for some unknown reason, so I investigated the issue.

As vCloud Director starts the JMX connector on port 8999 of the HTTP vNic of the cell, you should be able to login using vCloud Administrator credentials (The highest role within vCloud Director).

JMX connections aren’t crypted in vCloud so depending on your Design/Implementation, you might want to check the vCloud Director Security Hardening Guide for additional information.

Symptoms : Using JConsole and the associated vCloud Director credentials were leading to this not very explicit message :

Checking on the cell, you could easily see that port 8999 TCP was listening, and a java process was backing this up :

I tried to understand what was wrong between the non working lab and my personal working setup, and I spotted a very tricky setting that is usually misconfigured, which is the Linux System hostname networking configuration, but this has also to do on how the JMX is implemented, it’s probably using some socket call, such as “gethostbyaddr(gethostname())” to fetch the local IPv4 address, and it was probably leading somewhere to “127.0.0.1″ within the code, where something goes wrong. (For those who knows Oracle, this looks like a tnsnames.ora/listener issue)

I’ve reproduced this issue on my setup quite easily, just changed my hostname and fqdn to 127.0.0.1 (localhost)

/etc/hosts Faulty configuration :

To fix this issue, simply use the following format for your hosts file.

/etc/hosts Working configuration :

PS: Don’t forget to relaunch the vCloud Director service using the following command :

Verify that everything starts properly :

Then you should be able to easily login using JConsole, here are some sample screenshots :

Happy monitoring …

References :
http://en.wikipedia.org/wiki/JMX

http://oreilly.com/openbook/debian/book/ch10_02.html

As a small introduction, what is the reason I’m writing this post ?

For now, There is no mechanism for authentication without credentials in vCloud Director. Only HTTP Basic authentication is supported. If you intend to add additional layers of security (two-factor authentication for example), you might need what’s following, to integrate a more advanced authentication solution to cope with your customer requirements, (Can be a new portal, or just adding this additional layer of security to your vCloud Director infrastructure)

I’ll now explain, how to authenticate into the vCloud Director Portal generating a cookie using the vCloud API.

Here is the basic workflow of what happens when you login using your Web Browser to the vCloud Director Portal.

Steps:

1. User logs into the vCloud Director portal (UI).
2. User enters a username and password in the vCloud Director portal (UI) and gets back a session ID.
3. The vCloud Director portal sets the vcloud_session_id cookie for its domain to that session ID.

 
NOTE: The vCloud Director portal (UI) itself does not use the REST API.
 
I have many customers that asked me the following question :

is there any way to setup a intermediate security solution to avoid using the only current basic vCloud Director username/password authentication system ?

With some automation, you can achieve this, here is the process that illustrates the overall mechanism to connect using the vCloud API, and then generating a cookie for the vCloud Director Portal :

Steps:

1. Client uses the vCloud REST API and issues a POST request to login
   using your username / password.
2. If the request is successful, vCloud Director returns a HTTP response
   code 200 (OK), and then issues a vcloud-token that includes an authorization header in the form of:
   x-vcloud-authorization: <vcloud_token>

   and

   set-cookie: vcloud-token=<vcloud_token>; Secure; Path=/
3. Client receives the vCloud answer, and retrieves the token.
4. Client generates a cookie for the web browser to login without entering anything.

I’m using Mozilla Firefox in this example with the following extension to generate the cookie : Cookies Manager+

Now I’m generating the vcloud_session_id cookie, using the Cookies Manager+ extension, with my vcloud-token value. I’ve also highlighted the other options to generate the cookie.

Now you’ve added the new “generated” cookie, just reload your Web Browser :

That’s it ! (You are now automatically logged in)

I’ve demonstrated this ability with manual steps, but you can easily integrate this process into another orchestration workflow to enable for example other ways to login/authenticate against vCloud Director, like integrating a 2 factor authentication solution.

PS: Don’t worry, we are evaluating a security framework that will include controlling identities enterprise-wide, supporting more secure authentication methods and providing interoperability for our next releases.

References : vCloud API Programming Guide v1.5

Hope this helps,

EDITED: 29 Nov 22:25 CET, Included feedback from Michael Haines

vCloud Director 1.5 evaluator guide has been released : Download

vCloud Director Appliance has been released : Download

vCloud Connector 1.5 has been released : Announcement

vCenter Orchestrator news by my colleague Christophe Decanini :

• vCO Appliance has been released : Announcement
• vCO plugin for vCloud Director 1.5 has been released : Announcement
• Code Snippets : Use the API explorer to write your own custom workflows

Interesting posts on vShield Manager REST API for starters from my colleague Michael Haines :

• Getting Started with the vShield API
• Automation Tools with vShield App for scalability though REST APIs Part 1
• Automation Tools with vShield App for scalability though REST APIs Part 2
• Beginning to work with the vShield Edge REST API
• Stopping and Starting the vShield Edge Security Services

Post about Linked Clones/Fast Provisioning in vCloud Director 1.5 from Cormac Hogan : Article

Very good articles by my colleague Kamau Wanguhu on VXLAN :

• VXLAN Primer Part 1
• VXLAN Primer Part 1 – Clarifications

Multiple posts from my colleague David Hill :

• HowTo enable elastic virtual datacenters in vCloud Director : Article
• BrownBag – vCloud Architecture Deep Dive recording available : Article
• VMware vCloud KB articles released this week : Article
• vCloud vApp name character length : Article
• vCloud Ecosystem components explained : Article

 
Another great article from Duncan Epping summarizing his vCloud Director posts :

• Doing a vCloud Director Proof of Concept ?

And last but not least, a series of posts of my colleague Chris Colotti on 2/3 important topics :

• HowTo upgrade vCloud Director in detail : Part 1 – Part 2 – Part 3 – Part 4
• vCloud Director Clone Wars : Part 1 (Overview) – Part 2 (Deep Dive) – Part 3 (Design considerations)
• Disabling VMware DRS with vCloud Director : Article

Hope this helps anyone working on vCloud Director and the growing ecosystem around it !

EDITED: 18 Nov 14:25 CET, Added Duncan Epping Post, and Michael Haines typo fixes.

EDITED: 23 Nov 10:04 CET, Added new articles from Michael Haines, Christophe Decanini

Many people are wandering why sometime ssh takes forever to ask for a password after the user login.

Simple answer is sshd tries to resolve the ip/hostname by default.

You can change this setting in /etc/ssh/sshd_config (if this line isn’t present just append it somewhere)

Extract from the sshd_config man page.

UseDNS Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is yes.

I just came across this issue at a customer site, so I will share the solution for those who might get into this bug.

Symptoms : Cannot change license on the HP ESXi 5.0 Aug 2011 ESXi HD-USB-SDImgeInstlr (Z7550-00204.iso), and once you try, the connection to vCenter is highly unstable, going into a “Not Responding” behavior.

Solution : HP has currently documented the process to fix this behavior.

1) Download the VIB file here : http://vibsdepot.hp.com/hp-esxi-5.0-license/hp-esx-license-1.0-5.zip

wget is available in ESXi 5 (small download utility), so if your host is connected to internet, you can get it quite easily.

2) Login into the local console on the affected host.

3) Copy the VIB to a temporary location on the affected host.

4)  Apply the new license VIB by executing the command

5) Reboot the host

Source : http://g1w0134.austin.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03005742

HP will soon rebuild a new build with this fix included.

Edited 03/10/2011:
You can also encounter this issue, on the be2net network adapter driver : http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2007397.

I’ve seen many people facing this issue so I thought I would write a small post about why this is happening.

Symptom: When trying to upload something (media file, OVF) on a multiple cell setup behind a LB (Load Balancer), you get the following error : “Error: Transfering files“.

Solution and Explanation: Solution is quite easy, you just need to setup properly the following item as a vCloud Admin, on the System / Administration / Public Addresses and input your “public” IP for the VCD public REST API base URL.

When you upload/download an item, you are not using the portal anymore, but executing a third party java applet to perform this task, and it interacts with vCloud Director using the vCloud API, so if you didn’t setup this field, the vCloud API will return the internal (HTTP interface) for the current vCloud Director cell. (and that explains why it doesn’t work from an external location)

Source : http://communities.vmware.com/thread/327221

Hope this helps,

Here are some links on the most new interesting things I’ve seen during VMworld 2011 in Las Vegas. (My opinion and no particular preference order)

Octopus

An enterprise dropbox like storage collaboration suite.

AppBlast

A new way of delivering applications remotely using HTML5, (Imagine running whatever application on any type of device supporting a compatible browser …)

vFabric Data Director

Bringing DB as a Service to VMware, Chad has written a nice article with the following youtube video demonstrating it.

Source : http://virtualgeek.typepad.com/virtual_geek/2011/08/vfabric-data-director-dbaas.html

 

VXLAN Announcement

VMware has collaborated with Cisco and other industry leaders to develop an innovative solution to these challenges called “VXLAN” (Virtual eXtensible LAN).
You can find more on the official blog post here : http://blogs.vmware.com/console/2011/08/towards-virtualized-networking-for-the-cloud.html
The IETF submitted draft can be found here : http://www.ietf.org/id/draft-mahalingam-dutt-dcops-vxlan-00.txt

VMworld Hands-on-Lab !

VMware has shown what a true cloud can produce in less than 50 hours, 150k VMs, with a peak at more 4000 VMs concurrently during the 2/3 days of this event.
Chad has also covered this with many videos showing different aspects of this amazing setup.

Source : http://virtualgeek.typepad.com/virtual_geek/2011/09/vmworld-2011-hands-on-lab-10-billion-ios-served.html

vSphere 5 (08/24/11)

I won’t be able to do a better post than Duncan Epping, so here is the best link to get all the binaries, associated documentation and the complete vSphere Product Line :

• http://www.yellow-bricks.com/2011/08/25/download-it-now-vsphere-5/

vCloud Director 1.5 (09/01/11)

Here is the brand new version of vCloud Director, that brings many additional/refined/enhanced features, such as :

• VMware vSphere 5 support
• Fast Provisioning
• Network features (static routing, 5 tuples firewall rules, IPSec VPN)
• Cisco Nexus 1000v support (requires Nexus 1000v version 1.5 that should be available soon)
• vCloud API 1.5
• VMware vCloud messages (AMPQ Message bus for notifications/messages)
• MS SQL Server support
• vAPP Custom Guest Properties (OVF Metadata)
• Elastic vDC
• Localization

Note: Some features require VMware vSphere 5 such as Fast Provisioning.

Here are some very useful links :

• Product Page : VMware vCloud Director overview
• Download : VMware vCloud Director 1.5
• Technical White Paper : What’s new in VMware vCloud Director 1.5
• Documentation : (English | French | Italian | German | Spanish | Japanese | Chinese)
• vCAT 2.0 Homepage : vCloud Architecture Toolkit 2.0
• Blog Post : Create your own virtual vCloud Lab (Part 1)

EMC Backup integration (work in progress) :

• http://virtualgeek.typepad.com/virtual_geek/2011/08/next-gen-backup-for-vmware-chads-world-episode-7.html
• http://virtualgeek.typepad.com/virtual_geek/2011/08/tech-preview-avamar-vcloud-protector.html

PS : I’ll update those links whenever new things come out (NetApp, etc)

You want to train/learn on vCloud Director, test multiple scenarios, develop an application using the vCloud API on the latest VMware cloud product ?

Here is a overall guide to build a complete environment which will allow you to test many features of the product.
Take into account that it’s not meant to be a “light” portable lab (It was built for my everyday use/tests, and such, and even though, you will be able to tune some items like activating/disabling some VMware Clusters & attached Provider vDCs (PvDCs) on the vCloud Director side)

It will include lots of Screenshots of the overall vCloud setup, but I didn’t explain the complete vSphere steps as you can find many on Internet already, so if you are missing something, or cannot get it to work, use the comments for questions :-)

Here is how the vApp looks on my setup, lets see how did I setup everything. Continue Reading