VMware vSphere 5.0 User guide

  • Hello! I am an AI chatbot trained to assist you with the VMware vSphere 5.0 User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
vSphere Management Assistant Guide
vSphere 5.0
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000570-00
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2008–2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
vSphere Management Assistant Guide
VMware, Inc. 3
Contents
AboutThisBook 5
1 IntroductiontovMA 7
vMACapabilities 7
vMAComponentOverview 8
vSphereAuthenticationMechanism 8
vMASamples 9
vMAUseCases 9
WritingorConvertingScripts 9
WritingorConvertingAgents 9
2 GettingStartedwithvMA 11
HardwareRequirements 12
SoftwareRequirements 12
RequiredAuthenticationInformation 12
DeployvMA 13
ConfigurevMAatFirstBoot 13
vMAConsoleandWebUI 14
ConfigurevMAforActiveDirectoryAuthentication 14
ConfigureUnattendedAuthenticationforActiveDirectoryTargets 15
TroubleshootingUnattendedAuthentication 16
EnabletheviuserAccount 16
vMAUserAccountPrivileges 16
AddTargetServerstovMA 17
RunningvSphereCLIfortheTargets 19
Reconfigurea
TargetServer 19
RemoveTargetServersfromvMA 20
ModifyingScripts 20
ConfigurevMAtoUseaStaticIPAddress 21
ConfigureaStaticIPAddressfromtheConsole 21
ConfigureaStaticIPAddressfromtheWebUI 22
ConfigurevMAtoUseaDHCPServer 22
ConfigurevMAtoUseaDHCPServerfromtheConsole 22
ConfigurevMAtoUse
aDHCPServerfromtheWebUI 22
SettingtheTimeZone 22
SettingtheTimeZonefromtheConsole 23
SettingtheTimeZonefromtheWebUI 23
ShutDownvMA 23
DeletevMA 23
TroubleshootingvMA 24
UpdatevMA 24
ConfigureAutomaticvMAUpdates 25
3 vMAInterfaces 27
vMAInterfaceOverview 27
vifptargetCommandforvifastpassInitialization 27
vSphere Management Assistant Guide
4 VMware, Inc.
vifpTargetManagementCommands 28
vifpaddserver 28
vifpremoveserver 29
vifprotatepassword 30
vifplistservers 31
vifpreconfigure 32
TargetManagementExampleSequence 32
UsingtheVmaTargetLibLibrary 33
VmaTargetLibReference 33
EnumeratingTargets 33
QueryingTargets 33
ProgrammaticLogin 34
ProgrammaticLogout 34
Index 35
VMware, Inc. 5
ThevSphereManagementAssistantGuideexplainshowtodeployandusevMAandincludesreference
informationforvMACLIsandlibraries.
Toviewthecurrentversionofthisbook,aswellasallVMwareAPIandSDKdocumentation,goto
http://www.vmware.com/support/pubs/sdk_pubs.html.
Revision History
Thisbook,thevSphereManagementAssistantGuide,isrevisedwitheachreleaseoftheproductorwhen
necessary.Arevisedversioncancontainminorormajorchanges.Table 1summarizesthesignificantchanges
ineachversionofthisbook.
Intended Audience
ThisbookisforadministratorsanddeveloperswithsomeexperiencesettingupaLinuxsystemandworking
inaLinuxenvironment.AdministratorscanusethevMAautomatedauthenticationfacilitiesandthesoftware
packagedwithvMAtointeractwithESXihostsandvCenterServersystems.Developerscancreateagentsthat
interactwith
ESXihostsandvCenterServersystems.
VMware Technical Publications Glossary
VMwareTechnicalPublicationsprovidesaglossaryoftermsthatmightbeunfamiliartoyou.Fordefinitions
oftermsastheyareusedinVMwaretechnicaldocumentationgotohttp://www.vmware.com/support/pubs.
About This Book
NOTEThetopicsinwhichthisdocumentationusestheproductnameʺESXiʺareapplicabletoallsupported
releasesofESXandESXi.
Table 1. Revision History
Revision Description
20JAN2012 Chapter2,section“ConfigureUnattendedAuthenticationforActiveDirectoryTargetsisupdated.
24AUG2011 vMA5.0release.
13JUL2010 vMA4.1release
16NOV2009 Chapter1isenhancedtoprovide detailsaboutvMAsenhancedcapabilities,authenticationmechanisms
andthechangestothesamples.
Chapter2providesinformationaboutconfiguringvMAforActiveDirectory.Italsoexplainshow
to
reconfigureatargetserver.
Chapter3providesinformationaboutthenewvifptargetandvifp reconfigurecommands.Italso
describestheVmaTargetLiblibrary.
21MAY2009 vMA4.0documentation
27OCT2008 VIMA1.0documentation
vSphere Management Assistant Guide
6 VMware, Inc.
Document Feedback
VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Sendyourfeedbackto
Technical Support and Education Resources
Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversions
ofotherVMwarebooks,gotohttp://www.vmware.com/support/pubs.
Online and Telephone Support
Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and
registeryourproducts,gotohttp://www.vmware.com/support.
Support Offerings
TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto
http://www.vmware.com/support/services.
VMware Professional Services
VMwareEducationServicescoursesofferextensivehandsonlabs,casestudyexamples,andcoursematerials
designedtobeusedasonthejobreferencetools.Coursesareavailableonsite,intheclassroom,andlive
online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides
offeringsto helpyouassess,plan,
build,andmanageyourvirtualenvironment.Toaccessinformationabout
educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.
VMware, Inc. 7
1
ThevSphereManagementAssistant(vMA)isaSUSELinuxEnterpriseServer11basedvirtualmachinethat
includesprepackagedsoftwaresuchasthevSpherecommandlineinterface,andthevSphereSDKforPerl.
vMAallowsadministratorstorunscriptsoragentsthatinteractwithESXihostsandvCenterServersystems
withouthaving
toauthenticateeachtime.
Thechapterincludesthefollowingtopics:
“vMACapabilities”onpage 7
“vMAComponentOverview”onpage 8
“vMAUseCasesonpage 9
TogetstartedwithvMArightaway,goto“GettingStartedwithvMA”onpage 11.
vMA Capabilities
vMAprovidesaflexibleandauthenticatedplatformforrunningscriptsandprograms.
Asadministrator,youcanaddvCenterServersystemsandESXihostsastargetsandrunscriptsand
programsonthesetargets.Onceyouhaveauthenticatedwhileaddingatarget,youneednotloginagain
whilerunningavSphereCLIcommandoragentonanytarget.
Asadeveloper,youcanusetheAPIsprovidedwiththeVmaTargetLiblibrarytoprogrammatically
connecttovMAtargetsbyusingPerlorJava.
vMAenablesreuseofserviceconsolescriptsthatarecurrentlyusedforESXiadministration,though
minormodificationstothescriptsareusuallynecessary.
vMAcomespreconfiguredwithtwouseraccounts,namely,viadminandviuser.
Asviadmin,youcanperformadministrativeoperationssuchasadditionandremovaloftargets.
You canalsorunvSphereCLIcommandsandagentswithadministrativeprivilegesonthe
added targets.
Asviuser, youcanrunthevSphereCLIcommandsandagentswithreadonlyprivilegesonthe
target.
YoucanmakevMAjoinanActiveDirectorydomainandloginasanActiveDirectoryuser.Whenyourun
commandsfromsuchauseraccount,theappropriateprivilegesgiventotheuseronthevCenterServer
systemortheESXihostwouldbeapplicable.
vMAcanrunagentcodethatmakeproprietaryhardwareorsoftwarecomponentscompatiblewith
VMwareESX.ThesecodecurrentlyrunintheserviceconsoleofexistingESXhosts.Youcanmodifymost
oftheseagentcodetoruninvMA,bycallingthevSphereAPI,ifnecessary.Developersmustmoveany
agentcodethatdirectlyinterfaceswithhardwareintoaprovider.
Introduction to vMA
1
vSphere Management Assistant Guide
8 VMware, Inc.
vMA Component Overview
WhenyouinstallvMA,youarelicensedtousethevirtualmachinethatincludesallvMAcomponents.
vMAincludesthefollowingcomponents.
SUSELinuxEnterpriseServer11SP1vMArunsSUSELinuxEnterpriseServeronthevirtualmachine.
YoucanmovefilesbetweentheESXihostandthevMAconsolebyusingthevifsvSphereCLIcommand.
VMwareToolsInterfacetothehypervisor.
vSphereCLICommandsformanagingvSpherefromthecommandline.SeethevSphereCommandLine
InterfaceInstallationandReferenceGuide.
vSphereSDKforPerlClientsidePerlframeworkthatprovidesascriptinginterfacetothevSphereAPI.
TheSDKincludesutilityapplicationsandsamplesformanycommontasks.
JavaJREversion1.6RuntimeengineforJavabasedapplicationsbuiltwithvSphereWebServicesSDK.
vifastpass‐Authenticationcomponent.
vSphere Authentication Mechanism
vMAsauthenticationinterfaceallowsusersandapplicationstoauthenticatewiththetargetserversusing
vifastpassorActiveDirectory.Whileaddingaserverasatarget,theAdministratorcandetermineifthetarget
needstousevifastpassorActiveDirectoryauthentication.Forvifastpassauthentication,thecredentialsthat
auser
hasonthevCenterServersystemorESXihostarestoredinalocalcredentialstore.ForActiveDirectory
authentication,theuserisauthenticatedwithanActiveDirectoryserver.
WhenyouaddanESXihostasafastpasstargetserver,vifastpasscreatestwouserswithobfuscated
passwordsonthetarget
serverandstoresthepasswordinformationonvMA:
viadminwithadministratorprivileges
viuserwithreadonlyprivileges
ThecreationofviadminandviuserdoesnotapplyforActiveDirectoryauthenticationtargets.Whenyouadd
asystemasanActiveDirectorytarget,vMAdoesnotstoreanyinformationaboutthecredentials.Tousethe
ActiveDirectoryauthentication,theadministratormustconfigure
vMAforActiveDirectory.Formore
informationonhowtoconfigurevMAforActiveDirectory,see“ConfigurevMAforActiveDirectory
Authentication”onpage 14.
Afteraddingatargetserver,youmustinitializevifastpasssothatyoudonothavetoauthenticateeachtime
yourunvSphereCLIcommands.Ifyou
runavSphereCLIcommandwithoutinitializingvifastpass,youwill
beaskedforusernameandpassword.
Youcaninitializevifastpassbyusingoneofthefollowingmethods:
Runvifptarget.Formoreinformationaboutthisscript,see“vifptargetCommandforvifastpass
Initialization”onpage 27.
CalltheLoginmethodinaPerlorJavaprogram.Formoreinformationaboutthismethod,see
“VmaTargetLibReference”onpage 33.
Aftersettingupatargetusingthevifptargetcommand,youcanrunvSphereCLIcommandsorscriptsthat
usevSphereSDKforPerlwithoutprovidinganyauthenticationinformation.Torun
commandsagainstan
ESXihostthatismanagedbyavCenterServer ,youcanusethe--vihostoption.
EachtimeyoulogintovMA,youmustrunthevifptargetcommandortheLoginmethodonce.Thetarget
thatyouspecifyinthevifptargetcommandisthedefaulttarget.Targetservers
remaintargetsacross
reboots.Youcanoverrideitbyusingthe--serveroptionofthevSphereCLIcommandsasshowninthe
followingexample:
vifptarget -s esx1.foo.com
vicfg-nics -l #lists the nics on esx1.foo.com
vicfg-nics -l --server esx2.foo.com #lists the nics on esx2.foo.com
VMware, Inc. 9
Chapter 1 Introduction to vMA
vMA Samples
vMAsamplesillustratethevMACLIsandtheVmaTargetLiblibrary.ThesamplesareavailableinvMAat
/opt/vmware/vma/samples.
bulkAddServers.plPerlsamplethataddsmultipletargetstovMA.
mcli.plPerlsamplethatrunsavSphereCLIcommandonmultiplevMAtargetsspecifiedinafile
suppliedasanargument.Youmustrunvifptargetbeforerunningthisscript.
listTargets.pl ‐PerlsamplethatretrievesinformationandversionofvMAtargetsusing
VmaTargetLib.
listTargets.sh ‐JavasamplethatdemonstratesuseofVmaTargetLib.
vMA Use Cases
Thissectionlistsafewtypicalusecases.
Writing or Converting Scripts
YoucanrunexistingvSphereCLIorvSphereSDKforPerlscriptsfromvMA.Tosettargetserversandinitialize
vifastpass,thescriptcanusetheVmaTarget.login() methodofVmaTargetLib.
Writing or Converting Agents
PartnersorcustomerscanusevMAtowriteorconvertagents.
ApartnerorcustomerwritesanewagentinPerl.
WhenapartnerorcustomerwritesanewagentinPerl,thePerlscriptmustimporttheVmaTargetLib
PerlmoduleandallvSphereSDKforPerlmodules.InsteadofcallingthevSphereSDKforPerlsubroutine
Util::Connect(targetUrl, username, password),theagentcalls
VmaTargetLib::VmaTarget.login().
ApartnerorcustomerrunsanagentwritteninPerlorJavaintheserviceconsoleandwantstoportthe
agenttovMA.
TheagentusescodesimilartothefollowingPerllikepseudocodetologintoESXihosts:
LoginToMyEsx() {
SessionManagerLocalTicket tkt = SessionManager.AcquireLocalTicket(userName);
UserSession us = sm.login(tkt.userName, tkt.passwordFilePath);
}
Thepartnerchangestheagenttousecodesimilartothefollowingpseudocodeinstead:
LoginToMyEsx(String myESXName) {
VmaTarget target = VmaTargetLib.query_target(myESXName);
UserSession us = target.login();
}
ThispseudocodeassumesonlyonevMAtarget.Formultipletargetservers,thecodecanspecifyany
targetserverorloopthroughalistoftargetservers.
ApartnerorcustomerrunsanagentwritteninPerloutsidetheESXihostandportstheagenttovMA.
InsteadofcallingthevSphereSDKforPerlmethodUtil::Connect(),theagentcallsthevifplibrary
methodVmaTargetLib::VmaTarget.login().
vSphere Management Assistant Guide
10 VMware, Inc.
VMware, Inc. 11
2
YoushouldhavesomeexperiencesettingupaLinuxsystemandworkinginaLinuxenvironment.This
chapterexplainshowtodeployandconfigurevMA,howtoaddandremovetargetservers,andhowto
prepareandrunscripts.Thechapteralsoincludestroubleshootinginformation.
ReadChapter 1,“IntroductiontovMA,”on
page 7forbackgroundinformationonvMAfunctionalityand
availablevMAcomponents.
Thischapterincludesthefollowingtopics:
“HardwareRequirements”onpage 12
“SoftwareRequirements”onpage 12
“RequiredAuthenticationInformation”onpage 12
“DeployvMA”onpage 13
“ConfigurevMAatFirstBoot”onpage 13
“vMAConsoleandWebUI”onpage 14
“ConfigurevMAforActiveDirectoryAuthentication”onpage 14
“ConfigureUnattendedAuthenticationforActiveDirectoryTargetsonpage 15
“EnabletheviuserAccount”onpage 16
“vMAUserAccountPrivileges”onpage 16
“A d d TargetServerstovMA”onpage 17
“RunningvSphereCLIfortheTargetsonpage 19
“ReconfigureaTargetServeronpage 19
“RemoveTargetServersfromvMA”onpage 20
“ModifyingScripts”onpage 20
“ConfigurevMAtoUseaStaticIPAddress”onpage 21
“ConfigurevMAtoUseaDHCPServeronpage 22
“SettingtheTimeZone”onpage 22
“ShutDownvMA”onpage 23
“DeletevMA”onpage 23
“TroubleshootingvMA”onpage 24
Getting Started with vMA
2
IMPORTANTYoucannotupgradeapreviousversionofvMAtovMA5.0.YoumustinstallafreshvMA5.0
instance.
vSphere Management Assistant Guide
12 VMware, Inc.
“UpdatevMA”onpage 24
“ConfigureAutomaticvMAUpdates”onpage 25
Hardware Requirements
TosetupvMA,youmusthaveanESXihost.BecausevMArunsa64bitLinuxguestoperatingsystem,the
ESXihostonwhichitrunsmustsupport64bitvirtualmachines.
TheESXihostmusthaveoneofthefollowingCPUs:
AMDOpteron,revEorlater
IntelprocessorswithEM64TsupportwithVTenabled.
Opteron64bitprocessorsearlierthanrevE,andIntelprocessorsthathaveEM64Tsupportbutdonothave
VTsupportenabled,donotsupporta64bitguestoperatingsystem.Fordetailedhardwarerequirements,see
theHardwareCompatibilityListontheVMware
Website.
Bydefault,vMAusesonevirtualprocessor,andrequires3GBofstoragespaceforthevMAvirtualdisk.The
recommendedmemoryforvMAis600MB.
Software Requirements
YoucandeployvMAonthefollowingsystems:
vSphere5.0
vSphere4.1orlater
vSphere4.0Update2orlater
vCenterApplication5.0
YoucandeployvMAbyusingavSphereClientconnectedtoanESXihostorbyusingavSphereClient
connectedtovCenterServer5.0,vCenterServer4.1orlater,vCenterServer4.0Update2orlater,orvCenter
Application5.0.
YoucanusevMAtotargetESX/ESXi
3.5Update5,ESX/ESXi4.0Update2orlater,ESX/ESXi4.1orlater,ESXi
5.0,vCenterServer4.0Update2orlater,vCenterServer4.1orlater,andvCenterServer5.0systems.
Atruntime,thenumberoftargetsasinglevMAinstancecansupportdependsonhowitisused.
Required Authentication Information
BeforeyoubeginvMAconfiguration,obtainthefollowingusernameandpasswordinformation:
vCenterServersystemIfyouwanttouseavCenterServersystemasthetargetserver,youmustbeable
toconnecttothatsystem.
IfyouareusingavCenterServertarget,youdonotneedpasswordsfortheESXihoststhatthevCenter
Serversystemmanages,unlessyou
runcommandsthatdonotsupportvCenterServertargets.
ESXihostYoumusthavetherootpasswordortheusernameandpasswordforauserwith
administrativeprivilegesforeachESXihostyouaddasavMAtarget.Youdonotneedtheauthentication
informationwhenyouremoveatargethost.
vMAWhenyoufirstconfigurevMA,vMApromptsforapasswordfortheviadminuser.Specifya
passwordandrememberitforsubsequentlogins.TheviadminuserhasrootprivilegesonvMA.
I
MPORTANTTherootuseraccountisdisabledonvMA.Torunprivilegedcommands,typesudo
<command>.Bydefault,onlyviadmincanruncommandsthatrequiresudo.
VMware, Inc. 13
Chapter 2 Getting Started with vMA
Deploy vMA
YoucandeployvMAbyusingafileorfromaURL.Ifyouwanttodeployfromafile,downloadandunzipthe
vMAZIPfilebeforeyoustartthedeploymentprocess.
To deploy vMA
1UseavSphereClienttoconnecttoasystemthatisrunningthesupportedversionofESXiorvCenter
Server.
2IfconnectedtoavCenterServersystem,selectthehosttowhichyouwanttodeployvMAintheinventory
pane.
3 SelectFile>DeployOVFTemplate.
TheDeployOVFTemplatewizardappears.
4 SelectDeployfromafileorURLifyouhavealreadydownloadedandunzippedthe
vMAvirtual
appliancepackage.
5ClickBrowse,selecttheOVF,andclickNext.
6ClickNextwhentheOVFtemplatedetailsaredisplayed.
7AcceptthelicenseagreementandclickNext.
8Specifyanameforthevirtualmachine.
Youcanalsoacceptthedefaultvirtualmachinename.
9 Selectaninventorylocationforthevirtual
machinewhenprompted.
IfyouareconnectedtoavCenterServersystem,youcanselectafolder.
10 IfconnectedtoavCenterServersystem,selecttheresourcepoolforthevirtualmachine.
Bydefault,thetoplevelrootresourcepoolisselected.
11 Ifprompted,selectthedatastoretostorethevirtualmachineonandclickNext.
12 SelecttherequireddiskformatoptionandclickNext.
13 SelectthenetworkmappingandclickNext.
14 ReviewtheinformationandclickFinish.
ThewizarddeploysthevMAvirtualmachinetothehostthatyouselected.The deployprocesscantake
severalminutes.
NextyouconfigureyourvMAvirtualmachine.YouperformthistaskwhenyoulogintovMAthefirsttime.
Configure vMA at First Boot
WhenyoustartthevMAvirtualmachinethefirsttime,youcanconfigureit.
To configure vMA
1InthevSphereClient,rightclickthevirtualmachine,andclickPowerOn.
2 SelecttheConsoletab.
3Answerthenetworkconfigurationprompts.
I
MPORTANTYoucannotupgradeanearlierversionofvMAtovMA5.0.YoumustinstallafreshvMA5.0
instance.
I
MPORTANTEnurethatvMAisconnectedtothemanagementnetworkonwhichthevCenterServer
systemandtheESXihoststhatareintendedvMAtargetsarelocated.
vSphere Management Assistant Guide
14 VMware, Inc.
4Whenprompted,specifyahostnameforvMA.
Thenamecancontain64alphanumericcharacters.YoucanchangethevMAhostnamelaterbymodifying
the/etc/HOSTNAME and/etc/hostsfiles,asyouwouldforaLinuxhost.YoucanalsousethevMA
consoletochangethehostname.
Fora
DHCPconfiguration,thehostnameisobtainedfromtheDNSserver.
5Whenprompted,specifyapasswordfortheviadminuser.
Ifpromptedforanoldpassword,pressEnterandcontinue.
ThenewpasswordmustconformtothevMApassword policy.Thepasswordmusthaveatleast:
Eightcharacters
Oneuppercasecharacter
Onelowercasecharacter
Onenumeralcharacter
Onesymbolsuchas#,$
YoucanlaterchangethepasswordfortheviadminuserusingtheLinuxpasswdcommand.
Thisuserhasrootprivileges.
vMAisnowconfiguredandthevMAconsoleappears.TheconsoledisplaystheURLfromwhichyoucan
accesstheWebUI.
vMA Console and Web UI
vMAprovidestwointerfaces,theconsole,whichisacommandlineinterfaceandthebrowserbasedWebUI.
Fromtheconsole,youcandothefollowingtasks:
Loginasviadmin
AddserverstovMA
RuncommandsfromthevMAconsole
Configurethenetworksettingsandproxyserversettings
Configurethetimezonesettings.
ThewebUIenablesyoutodothefollowingtasks:
Loginasviadmin
Configurethenetworksettingsandproxyserversettings
Configurethetimezonesettings.
UpdatevMA
Configure vMA for Active Directory Authentication
ConfigurevMAforActiveDirectoryauthenticationsothatESXihostsandvCenterServersystemsaddedto
ActiveDirectorycanbeaddedtovMAwithouthavingtostorethepasswordsinvMAscredentialstore.This
isamoresecurewayofaddingtargetstovMA.
EnsurethattheDNSserverconfiguredfor
vMAisthesameastheDNSserverofthedomain.Youcanchange
theDNSserverbyusingthevMAConsoleortheWebUI.
EnsurethatthedomainisaccessiblefromvMA.Also,ensurethatyoucanpingtheESXiandvCenterserver
systemsthatyouwanttoadd
tovMAandthatpingingresolvestheIPaddressto
<targetservername.domainname>,wheredomainnameisthedomaintowhichvMAistobeadded.
VMware, Inc. 15
Chapter 2 Getting Started with vMA
To add vMA to a domain
1FromthevMAconsole,runthefollowingcommand:
sudo domainjoin-cli join <domain-name> <domain-admin-user>
2Whenprompted,providetheActiveDirectoryadministratorʹspassword.
Onsuccessfulauthentication,thecommandaddsvMAasamemberofthedomain.Thecommandalso
addsentriesinthe/etc/hostsfilewithvmaHostname.domainname.
3RestartvMA.
Now,youcanaddanActiveDirectorytargettovMA.Forstepstodothis,see“A d d TargetServersto
vMA”onpage 17.
To check vMA's domain settings
FromthevMAconsole,runthefollowingcommand:
sudo domainjoin-cli query
ThecommanddisplaysthenameofthedomaintowhichvMAhasjoined.
To remove vMA from the domain
FromthevMAconsole,runthefollowingcommand:
sudo domainjoin-cli leave
ThevMAconsoledisplaysamessagestatingwhethervMAhaslefttheActiveDirectorydomain.
Configure Unattended Authentication for Active Directory Targets
Toconfigureunattendedauthentication(authenticationfromviadminorrootcontext)toActiveDirectory
targets,youmustrenewtheKerberosticketsforthedomainuserusingwhichthetargetisadded.Unattended
authenticationissupportedforESXi4.1Update3andlater.YoumustensurethattheActiveDirectoryissetup
forunattendedlogin.
To configure unattended authentication for Active Directory targets
1OnanyWindowsServer2003computerthatispartofthedomaintowhichvMAisadded,downloadand
installtheKtpasstoolfromtheMicrosoftwebsite.
2Openthecommandpromptandrunthefollowingcommand:
ktpass /out foo.keytab /princ [email protected] /pass ca... /ptype KRB5_NT_PRINCIPAL
-mapuser <vma-dc>\<foo>
where,<vmadc>isthenameofthedomainandfooistheuserhavingpermissionsforthevCenter
administration.
Thiscommandcreatesafilecalledfoo.keytab.
3Movethefoo.keytabfileto/home/local/VMA-DC/foo.
YoucanuseWinSCPandloginasuservma-dc\footomovethefile.
4 (Optional)Makesurethat
theuservmadc\fooonvMAownsthefoo.keytabfilebyusingthefollowing
commands:
ls -l /home/local/VMA-DC/foo/foo.keytab
chown ‘vma-dc\foo’
/home/local/VMA-DC/foo/foo.keytab
5OnvMA,createascriptin/etc/cron.hourly/kticket-renewwiththefollowingcontents:
#!/bin/sh
su - vma-dc\\foo -c '/usr/bin/kinit -k -t /home/local/VMA-DC/foo/foo.keytab foo'
Thisscriptwillrenewtheticketfortheuserfooeveryhour.
Youcanalsoaddtheabovescripttoaservicein/etc/init.dtorefreshtheticketswhenvMAisbooted.
vSphere Management Assistant Guide
16 VMware, Inc.
Troubleshooting Unattended Authentication
IfyouarenotabletoauthenticatefromvMAorcannotaddvMAtothedomaincontroller,verifythefollowing
conditions:
YourDNSserversetupinvMAresolvestheIPaddressorhostnameofthevCenterservertoafully
qualifieddomainname(FQDN)andthattheFQDNcontainsthedomainnametowhichvMAisadded.
Thecommandvifp listserversshowsthenameofvCenterserverastheFQDNthatcontainsthe
domainnametowhichvMAisaddedasthesuffix.
ThedateandtimesettingsonvMA,thedomaincontrollerandthevCenterserverarethesame.Verifythe
timezoneaswell.Thetimemayvarybyanhour,butalargetimeskewmightcauseauthentication
problems.
Enable the vi-user Account
Aspartofconfiguration,vMAcreatesaviuseraccountwithnopassword.However,youcannotusethe
viuseraccountuntilyouhavespecifiedaviuserpassword.
To enable the vi-user account
1LogintovMAasviadmin.
2RuntheLinuxpasswdcommandforviuserasfollows:
sudo passwd vi-user
IfthisisthefirsttimeyouusesudoonvMA,amessageaboutrootuserprivilegesappears,andyouare
promptedfortheviadminpassword.
3Specifytheviadminpassword.
4Whenprompted,typeandconfirmthepasswordforviuser.
AftertheviuseraccountisenabledonvMA,
ithasnormalprivilegesonvMAbutisnotinthesudoerslist.
WhenyouaddESXitargetservers,vMAcreatestwousersoneachtarget:
viadminhasadministrativeprivilegesonthetargetsystem.
viuserhasreadonlyprivilegesonthetargetsystem.vMAcreatesviuseroneachtargetthatyouadd,
evenifviuserisnotcurrentlyenabledonvMA.
WhenauserisloggedintovMAasviuser,vMAusesthataccountontargetESXihosts,andthe
usercanrun
onlycommandsontargetESXihoststhatdonotrequireadministrativeprivileges.
vMA User Account Privileges
Table 21liststheprivilegesthatthedifferentuseraccountshaveforvCLIusageagainstdifferenttargets.
I
MPORTANTTheviuseraccounthaslimitedprivilegesonthetargetESXihostsandcannotrunany
commandsthatrequiresudoexecution.YoucannotuseviusertoruncommandsforActiveDirectorytargets
(ESXiorvCenterServer).ToruncommandsfortheActiveDirectorytargets,usethevi-adminuseror
login
asanActiveDirectoryusertovMA.
Table 2-1. Account Privileges for vCLI Usage
Target
Authentication
Policy vi-admin vi-user domain user
ESXifpauthYYN
ESXi adauth Y N Y
vCenterServer fpauth Y N N
vCenterServer adauth Y N Y
VMware, Inc. 17
Chapter 2 Getting Started with vMA
Add Target Servers to vMA
AfteryouconfigurevMA,youcanaddtargetserversthatrunthesupportedvCenterServerorESXiversion.
ForvCenterServerandESXisystemtargets,youmusthavethenameandpasswordofauserwhocanconnect
tothatsystem.
See“vifpaddserveronpage 28forthecompletesyntax.
To add a vCenter Server system as a vMA target for Active Directory Authentication
1LogintovMAasviadmin.
2AddaserverasavMAtargetbyrunningthe followingcommand:
vifp addserver vc1.mycomp.com --authpolicy adauth --username ADDOMAIN\\user1
Here,--authpolicy adauthindicatesthatthetargetneedstousetheActiveDirectoryauthentication.
Ifyourunthiscommandwithoutthe--usernameoption,vMApromptsforthenameoftheuserthatcan
connecttothevCenterServersystem.Youcanspecifythisusernameasshowninthefollowingexample:
Enter username for machinename.example.com: ADDOMAIN\user1
If--authpolicyisnotspecifiedinthecommand,thenfpauthistakenasthedefaultauthentication
policy.
3Verifythatthetargetserverhasbeenadded.
Thedisplayshowsalltargetserversandtheauthenticationpolicyusedforeachtarget.
vifp listservers --long
server1.mycomp.com ESX adauth
server2.mycomp.com ESX fpauth
server3.mycomp.com ESXi adauth
vc1.mycomp.com vCenter adauth
4Setthetargetasthedefaultforthecurrentsession:
vifptarget --set | -s <server>
5VerifythatyoucanrunavSphereCLIcommandwithoutauthenticationbyrunningacommandonone
oftheESXihosts,forexample:
esxcli --server <VC_server> --vihost <esx_host> network nic list
Thecommandrunswithoutpromptingforauthenticationinformation.
To add a vCenter Server system as a vMA target for fastpass Authentication
1LogintovMAasviadmin.
2AddaserverasavMAtargetbyrunningthe followingcommand:
vifp addserver vc2.mycomp.com --authpolicy fpauth
Here,--authpolicy fpauthindicatesthatthetargetneedstousethefastpassauthentication.
3Specifytheusernamewhenprompted:
Enter username for machinename.example.com: MYDOMAIN\user1
4Specifythepasswordforthatuserwhenprompted.
[email protected]'s password: <not echoed to screen>
5Reviewandacceptthesecurityriskinformation.
I
MPORTANTIfthenameofatargetserverchanges,youmustremovethetargetserverbyusingvifp
removeserverwiththeoldname,thenaddtheserverusingvifp addserverwiththenewname.
vSphere Management Assistant Guide
18 VMware, Inc.
6Verifythatthetargetserverhasbeenadded.
Thedisplayshowsalltargetserversandtheauthenticationpolicyusedforeachtarget.
vifp listservers --long
server1.mycomp.com ESX adauth
server2.mycomp.com ESX fpauth
server3.mycomp.com ESXi adauth
vc1.mycomp.com vCenter adauth
vc2.mycomp.com vCenter fpauth
7Setthetargetasthedefaultforthecurrentsession.
vifptarget --set | -s <server>
8VerifythatyoucanrunavSphereCLIcommandwithoutauthenticationbyrunningacommandonone
oftheESXihosts,forexample:
esxcli --server <VC_server> --vihost <esx_host> network nic list
Thecommandrunswithoutpromptingforauthenticationinformation.
To add an ESXi host as a vMA target
1LogintovMAasviadmin.
2RunaddservertoaddaserverasavMAtarget.
vifp addserver <servername>
Youarepromptedforthetargetserversrootuserpassword.
root@<servername>’s password:
3SpecifytherootpasswordfortheESXihostthatyouwanttoadd.
vMAdoesnotretaintherootpassword.Instead,vMAaddsviadminandviusertotheESXihost,and
storestheobfuscatedpasswordsthatitgeneratesforthoseusersintheVMwarecredentialstore.
InavSphere
clientconnectedtothetargetserver,theRecentTaskspaneldisplaysinformationaboutthe
usersthatvMAadds.ThetargetserversUsersandGroupspaneldisplaystheusersifyouselectit.
4Verifythatthetargetserverhasbeenadded:
vifp listservers
5Setthetargetasthedefaultforthecurrentsession.
vifptarget --set | -s <server>
6VerifythatyoucanrunavSphereCLIcommandwithoutauthenticationbyrunningacommand,forexample:
esxcli network nic list
IMPORTANTIfthenameofatargetserverchanges,youmustremovethetargetserverbyusingvifp
removeserverwiththeoldname,thenaddtheserverusingvifp addserverwiththenewname.
CAUTIONRemoveusersaddedbyvMAfromthetargetserveronlyifyoudeletedthevMAvirtual
machinebutdidnotremovethetargetservers.
IMPORTANTIfthenameofatargetserverchanges,youmustremovethetargetserverusingvifp
removeserverwiththeoldname,thenaddtheserverusingvifp addserverwiththenewname.
VMware, Inc. 19
Chapter 2 Getting Started with vMA
Running vSphere CLI for the Targets
Ifyouhaveaddedmultipletargetservers,bydefault,vMAexecutescommandsonthefirstserverthatyou
added.Youshouldspecifytheserverexplicitlywhenrunningcommands.
To run vSphere CLI for the targets
1AddserversasvMAtargets.
vifp addserver <server1>
vifp addserver <server2>
2Verifythatthetargetserverhasbeenadded:
vifp listservers
3Runvifptarget.
vifptarget -s <server2>
Thecommandinitializesthespecifiedtargetserver.Now,thisserverwillbetakenasthedefaulttargetfor
thevSphereCLIorvSphereSDKforPerlscripts.
4RunvSphereCLIorvSphereSDKforPerlscripts,byspecifyingthetargetserver.Forexample:
esxcli --server server2 network nic list
Reconfigure a Target Server
Youcanreconfigureatargetserverifyouwanttoperformanyofthefollowingtasks:
ChangetheauthenticationmodeofavMAtargetfromvifastpasstoActive Directoryorviceversa.
ChangetheconfigureduserfortheActiveDirectorytarget.
Recoverusersforthevifastpasstarget.AuserneedstoberecoveredifthecredentialstoreonvMAis
corruptedor ifthecredentialsofuserscorrespondingtovMAusersaremodifiedandnotreflectedinvMA.
To change the authentication policy
1LogintovMAasviadmin.
2Runreconfigure
vifp reconfigure <servername> --authpolicy <authpolicy>
3Whenprompted,provideyourcredentials.
IfyoureconfigureanActiveDirectorytargettovifastpassauthentication,thenspecifytheroot
passwordforESXitargetsandtherootusernameandpasswordforvCentertargets.
IfyoureconfigureavifastpasstargettoActiveDirectoryauthentication,thenspecifytheroot
usernameforthetarget.
To change the configured user or to recover users
1LogintovMAasviadmin.
2Runreconfigure.
vifp reconfigure <servername>
3Whenprompted,provideyourcredentials.
IfyoureconfigureanActiveDirectorytarget,specifyausernameforthetarget.
Ifyoureconfigureavifastpasstarget,specifytherootpasswordoftheESXitarget,andthepassword
forusernameusedtoaddthevCenterServertarget.
vSphere Management Assistant Guide
20 VMware, Inc.
Example 2-1. Adding and Reconfiguring a Target
vi-admin@example-dhcp:~> vifp addserver 90.100.110.120
Enter username for 90.100.110.120: administrator
[email protected]'s password:
This will store username and password in credential store which is a security risk. Do you want
to continue?(yes/no): yes
vi-admin@example-dhcp:~> vifp reconfigure 90.100.110.120
[email protected]'s password:
vi-admin@example-dhcp:~>
Remove Target Servers from vMA
BeforeyoudeleteavMAvirtualmachine,removealltargetserversfromvMA.Ifyoudonotremovetarget
ESXihosts,theviadminandviuserusersremainonthetargetservers.
To remove a vCenter Server system from vMA
1LogintovMAasviadmin.
2ToremoveatargetvCenterServersystemfromvMA,runthe
followingcommand:
vifp removeserver <servername>
ThevCenterServersystemisnolongeravMAtarget.
To remove an ESXi host from vMA
1LogintovMAasviadmin.
2ToremoveanESXihostthatisavMAtarget,runthefollowingcommand:
vifp removeserver <host>
TheRecentTaskspanelofthetargetserverdisplaysinformationabouttheviadminandviuserusersthat
arebeingremoved.TheUsersandGroupspanelofthetargetservernolongerdisplaystheusers.
Modifying Scripts
YoucanmodifyserviceconsolescriptstorunfromvMA.
LinuxcommandsScriptsrunninginvMAcannotuseLinuxcommandsinthewaythattheydoonthe
ESXserviceconsolebecausetheLinuxcommandsarerunningonvMAandnotontheESXhost.
AccesstoESXifilesIfyouneedaccesstofoldersorfilesonanESXihost,youcanmakethathostatarget
serverandusethevifsvSphereCLIcommandtoview,retrieve,ormodifyfoldersandfiles.
ReferencestolocalhostScriptscannotrefertolocalhost.
Ifvifastpassisinitialized,allcommandsthatdonotspecify--serverapplytothedefaulttarget.
Ifvifastpassisinitialized,allcommandsthatspecifyhostnameorIPofthetargetapplyto thetarget
specified.
ProgrammaticconnectionInPerlscriptsorJavaprograms,youcancallVmaTarget.login() method
of VmaTargetLibandspecifythehosttoconnectto.Thedirectory/opt/vmware/vma/samplescontains
examplesinPerlandJava.vMAhandlesauthenticationiftheserverhasbeenestablishedasatarget
server.ProgramscanuseVmaTargetLiblibrarycommands.See
“UsingtheVmaTargetLibLibrary”on
page 33.
NoprocnodesSomeserviceconsolescriptsstilluseVMwareprocnodes,whichwereofficiallymade
obsoletewithESXServer3.0andarenotavailableinESX/ESXi4.0andlater.Youcanextractinformation
thatwasavailableinVMwareprocnodesusingthevSphereCLIcommandsavailableonvMA.
TargetspecificationYoumustspecifythetargetserverwhenyouruncommandsorscripts.
/