Configuring Storage IO Control IOPS Capacity for vCloud Director Org VDC Storage Profiles

Recently I began a small project to expose and control Storage IO Control in vCloud Director 8.20+. In order to leverage the capabilities there are a few things that need to be configured or considered. Before you begin you need to determine the capabilities (IOPS) of each of your datastores; this is set as a custom attribute on each datastore and is exposed to vCloud Director as the “Available IOPS” for a datastore. There are a few things to note before you begin:

  1. You cannot enable IOPS support on a VMware Virtual SAN datastore
  2. You cannot enable IOPS support if the Storage Profile contains datastores that are part of a Storage DRS cluster; none of the datastores in the Storage Profile may be part of a cluster, and if any datastore is in an SDRS cluster you can’t leverage SIOC in vCloud Director
  3. Each Datastore can have a value set between 200-4000 (IOPS)
  4. You need to have vSphere Administrator rights on the vCenters hosting the datastores to complete the below
  5. The tagged datastores must be added to a SIOC enabled Storage Policy which is mapped to vCloud as a Provider VDC Storage Profile
  6. The Organisational VDC Storage Profile can then have SIOC capabilities set against it using the REST API (or PowerShell using my vCloud Storage Profile Module)

Step 1. Set the iopsCapacity Custom Attribute

In order to expose SIOC in vSphere to vCloud Director, custom attributes have to be added to the datastores using the vSphere Managed Object Browser (MOB) as outlined in VMware KB2148300; however, it’s much easier to do this through the vSphere Client or vSphere Web Client.

  1. Log on to the vSphere H5 Client (https://<vCenter>/ui), select Tags & Custom Attributes from the menu, select Custom Attributes and click Add
  2. Enter the attribute iopsCapacity, select the Type Datastore and click Add
  3. Next select Storage from the main menu, select each datastore whose SIOC capabilities you wish to expose in vCloud, and from the Actions menu select Tags & Custom Attributes > Edit Custom Attributes
  4. Set the value for iopsCapacity and click OK
  5. Next, tag the datastores with a relevant tag and create a new Storage Profile with the VMware Storage IO Control provider for the SIOC enabled datastores
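
Before refreshing the policies in vCloud Director it is worth checking every datastore in the profile against the notes at the start of this post (no vSAN, no Storage DRS membership, iopsCapacity between 200 and 4000). The following is an added example, not part of the author's module; the function name, the record layout and the sample datastores are assumptions made for illustration.

```powershell
# Added example. Each input record describes one datastore:
#   Name, Type, InSdrsCluster, IopsCapacity (the custom attribute value as text).
function Test-IopsCapacityPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Datastore
    )
    process {
        $problems = @()
        if ($Datastore.Type -eq 'vsan') {
            $problems += 'vSAN datastore'
        }
        if ($Datastore.InSdrsCluster) {
            $problems += 'member of a Storage DRS cluster'
        }
        $iops = 0
        if (-not [int]::TryParse([string]$Datastore.IopsCapacity, [ref]$iops)) {
            $problems += 'iopsCapacity not set or not a whole number'
        } elseif ($iops -lt 200 -or $iops -gt 4000) {
            $problems += "iopsCapacity $iops is outside 200-4000"
        }
        [pscustomobject]@{
            Name     = $Datastore.Name
            Ready    = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed sample records, not taken from a real environment.
$sample = @(
    [pscustomobject]@{ Name = 'ds-sioc-01'; Type = 'VMFS'; InSdrsCluster = $false; IopsCapacity = '4000' }
    [pscustomobject]@{ Name = 'ds-sioc-02'; Type = 'VMFS'; InSdrsCluster = $true;  IopsCapacity = '2000' }
    [pscustomobject]@{ Name = 'ds-vsan-01'; Type = 'vsan'; InSdrsCluster = $false; IopsCapacity = '' }
    [pscustomobject]@{ Name = 'ds-sioc-03'; Type = 'NFS';  InSdrsCluster = $false; IopsCapacity = '150' }
)
$results = $sample | Test-IopsCapacityPrereq
$results | Format-Table -AutoSize

# One failing datastore is enough to block SIOC for the whole Storage Profile.
if ($results.Ready -contains $false) {
    Write-Warning 'At least one datastore does not meet the SIOC prerequisites.'
}
```

In a live environment the records can be built from PowerCLI's Get-Datastore, Get-DatastoreCluster -Datastore and Get-Annotation -CustomAttribute iopsCapacity instead of the constructed sample.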

Step 2. Configure Storage Profiles in vCloud Director

  1. After this has been set on all the relevant datastores, log on to vCloud Director and select vCenters > Refresh Storage Policies
  2. Add the Storage Profile to the relevant Organizations (Organizations > Organisational VDCs > Storage Policies)
  3. Review the Provider VDC and confirm that the IopsCapacity value shows a non-zero value when using the Get-ProviderVdcStorageProfile cmdlet (open PowerShell, connect to vCloud Director and import the module Module-vCloud-SIOC.psm1 available from here)
  4. Set the Storage IO Control settings using the Set-OrgVdcStorageProfile cmdlet

$objOrgVDCStorageProfile = Get-OrgVdcStorageProfile -OrgName "PigeonNuggets" | ? {$_.Name -eq "SIOC"}
$objOrgVDCStorageProfile | Set-OrgVdcStorageProfile -SIOCEnabled $true -DiskIopsMax 1000 -DiskIopsDefault 100 -DiskIopsPerGBMax 100

The OrgVDC Storage Profile is configured for SIOC which is implemented in vSphere. SIOC as implemented in vCloud Director needs further work (manually tagging the datastores with capabilities and API only exposure is a bit rough) however the capabilities are beginning to be exposed; further configuration can be made on individual Virtual Disks via the API (hopefully I will get to this in the near future). Hopefully this is of some value for you. #LongLiveVCD

SIOC and Provider/Organization VDC Storage Profile Management in vCloud Director with PowerShell

Long time since my last post due to some major life events however thanks to some annoying Jet Lag I have managed to get some work done on a project I have been working on slowly over the past couple of months; development of some PowerShell cmdlets to expose and add support for updating VDC and Provider Storage Profiles/Policies in vCloud Director 8.20/9.0

The rationale for creating these cmdlets was twofold;

  1. There is currently no way to set the Storage I/O control parameters in vCloud Director outside of the API
  2. The Org VDC/Provider Storage Profiles are not readily exposed in PowerCLI which makes them a bit difficult to work with (need to combine API calls and vCloud Views)

Why would you want to use these cmdlets ? Two main use cases that I have;

  1. For orchestrating dynamic updates to the Org VDC Storage Profile limits; for example if you want to prevent Organisations from consuming all of your backend storage in a short period of time (and have limits set) but don’t want to have to manually update the limits/have clients calling asking why they can’t create a new VM or expand a disk these cmdlets can be used to adjust the Org VDC limits based on the available storage in the backend Provider Storage Profile as space is consumed/reclaimed
  2. If you wish to implement SIOC in vCloud in an Organization VDC Storage Policy, limit the IOPS available globally to that Storage Policy etc. and if there is a “peak”/“off-peak” arrangement with a customer whereby their Storage Policies adjust based on Time of Day (e.g. Test Tier is throttled during 9am-9pm) this might assist
The code is available on GitHub here or below. The documentation in the PowerShell (get-help cmdlet -full) is more complete; however, below is a quick summary of the main user functions and how to use them:
  • Get-OrgVdcStorageProfile : Returns the Storage Policies/Profiles which are defined on the target Organisation Virtual Datacenter object.
  • Set-OrgVdcStorageProfile : Sets the properties of a provided Org VDC Storage Policies/Profiles.
  • Get-ProviderVdcStorageProfile : Returns the Provider VDC Storage Profile objects for the target organisation.
  • Set-ProviderVdcStorageProfile: Allows the settings to be adjusted on a Provider VDC Storage Profile

These cmdlets are a bit rough and there is more work to do when time permits, but they have been tested on PowerCLI 6.5.1 and vCloud Director 8.20.1 and 9.0; I hope you get some value from these cmdlets and #LongLiveVCD

 

vCloud Director 9 Tenant Portal will not load – Don’t forget to set your Public Addresses !

One issue you may run into deploying vCloud Director 8.20/9.0 is that the Tenant Portal will not load if you browse to it (https://<vcd>/tenant/orgname) with anything other than the Cell IP address. This will occur if you have not set the Public Endpoints (System > Administration  > Public Addresses) for the API Service to the DNS name of your Load Balancer VIP for vCloud Director.

The UI for the tenant portal is built using the VMware Clarity project and the HTML5 client makes direct API calls to build the responses for the user. When the browser makes the requests to the vCloud API Service it includes a Request Header “Referer:” which is used by the API service when responding to requests.

If the vCloud Director configuration does not have the Public Addresses values set, the browser sends a Referer header that is not recognized and you will end up with a blank page being returned. So if you intend to provide different URI endpoints for the vCloud Tenant Portal (e.g. you may wish to direct customers to a new URL for using the Tenant Portal to avoid confusion with the Web Portal), make sure that you set the Tenant Portal URIs or it won’t work.

The 2 minute fix:

  1. Logon to the System VDC
  2. Select Administration > Public Addresses
  3. Set the values to the external URI of the deployment and click Apply

Immediately after the settings have been amended the Tenant Portal will begin to function as expected. 

Setting Organization VDC Permissions in vCloud Director 8.X with PowerShell

First vCloud Director post in a while (been busy trying to organize a move across the world and getting married) but I had a requirement recently to look at having two Org VDC’s (Test and Production) and having two sets of users within a vCloud Organization; both sets with Organization Administrator but each group with the ability to modify only one Org VDC.

VMware has been improving the granularity of the User Access Control in vCloud Director over the 8.X release, introducing new mechanisms for delegating roles and access rights at each level of abstraction (Organization level, Org VDC level); however, the 8.20 interfaces still haven’t quite caught up (I imagine this is resolved in vCloud 9.0 which is fast approaching) and it’s a little tricky to get visibility of and make changes to these roles as it is all exposed in the API only.

After reviewing the article by Tom Fojta and the API documentation I extended my vCloud Rights Management PowerShell module to make control a bit easier.

The module is available on Github.

The documentation in the PowerShell is more complete; however, below is a quick summary of the main user functions and how to use them:

Get-OrgVdcAccessRights : Returns an object which represents the Access Controls for a provided Organisation Virtual Datacenter object.

Set-OrgVdcAccessRightSharedToEveryone : This cmdlet sets an Organisation Virtual Datacenter as visible or hidden for all users who have rights to the organisation. By default an Org VDC is visible to all members of the containing organization; if the -Visible:$false is provided the org VDC will be hidden from all users by default. If -Visible:$true is set it will be visible to all users by default.

Add-OrgVdcAccessRights : This cmdlet adds a CIUser to the Access Control for an Organisation Virtual Datacenter. If the Org VDC has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet, the users added using this cmdlet can access/view the Organisational VDC.

Remove-OrgVdcAccessRights : This cmdlet removes a CIUser from the Access Control List for an Organisation Virtual Datacenter. If the Org VDC has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet, the users removed using this cmdlet will no longer have rights to access/view the Organisational VDC.

An example, we will have three users; one a Full Organizational admin (pigeon.admin), one with rights to one of the Org VDCs (testuser.test) and one with rights to the other Org VDC (testuser.production) ;

  1. Log on to vCloud Director, clone the Organization Administrator role for the Organization and remove the right Allow Access to All Organization VDCs
  2. Create Org Users and assign them the role created in Step 1. Note that at this point the users can still view all of the Org VDCs in the Organization.
  3. Next we can set each of the Org VDCs to be hidden by default using the Set-OrgVdcAccessRightSharedToEveryone cmdlet: Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC" -Visible $false. After this the users with the Org Admin right can no longer see the Org VDCs; however, the Full Organizational Administrator can still view all Org VDCs
  4. Now to add individual users' rights to the Org VDC you can use the Add-OrgVdcAccessRights cmdlet: Get-CIUser testuser.test | Add-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC (Test Pool)" which will grant testuser.test access to the Org VDC
  5. To remove the rights for the user simply execute Get-CIUser testuser.test | Remove-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC (Test Pool)"

And finally, to make the Org VDC visible to all users again just execute Set-OrgVdcAccessRightSharedToEveryone with the $true switch: Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC" -Visible $true

These cmdlets are a bit rough but have been tested on PowerCLI 6.5.1 and vCloud Director 8.20.0 and 8.20.1; hopefully they will save you some time. Enjoy.

 

vCloud Director 8.20.0.1 released

It’s been a big week of announcements and probably the most exciting for me is the release of vCloud 8.20.0.1 yesterday, not because of any massive set of new features but because the maintenance release addresses a number of known bugs that have existed in the product for some time, which I have previously written about on this blog. One notable new feature is support for VVol (Virtual Volume) datastores, which is another great inclusion. The release of vCloud Director 8.20 increasing capability, and a maintenance release within 3 months addressing a swagger of bugs, is a very positive sign for the product, allowing providers to remain competitive and hopefully greater integration between the vCloud product and the rest of the VMware product suite. A full list of release notes is available here.

Upgrade:

  • Download vCloud Director for Service Providers 8.20.0.1
  • Review the release notes and upgrade guide
  • Review the VMware Product Interoperability Matrices for your environment (if you're running 8.20 already there are no changes)
  • Take a backup of your vCloud Director database and cells
  • Change the permissions on the binary to allow execution (chmod +x vmware-vcloud-director-distribution-8.20.0-5515092.bin)
  • Stop user access to the cells by executing the /opt/vmware/vcloud-director/bin/vmware-vcd-cell maintenance command
  • Execute the installer to upgrade the cells
  • Stop the vCloud Director cells if they are running and run the database schema upgrade tool (/opt/vmware/vcloud-director/bin/upgrade) and walk through the wizard
  • Restart cells and monitor the cell start (tail -f /opt/vmware/vcloud-director/logs/cell.log) and once the load is complete log onto vCloud Director and check the version

#longlivevcd

PowerCLI module to manage Organisation Rights in vCloud Director 8.20

UPDATE: 16/09/2017 – Updated the Module and added new cmdlets and improved error checking. Tested on vCloud Director 8.20.01 and available from GitHub - see this post for new cmdlets.

Good day ! Today I wanted to quickly write up a post about some modules I have been working on for PowerCLI to expose/automate/simplify manipulation of the vCloud Organisation Rights. A really cool addition to vCloud Director 8.20 is the NSX feature parity and the HTML5 User Interface for Edge Gateways that comes with it, and a change to how the vCloud Organisation roles work, which is now granular for each Organisation (it used to be rights enabled for all or none).

So presently if you wish to turn on Distributed Firewall and Advanced Networking Services Rights you have to do this via the API for each organisation in vCloud (presently there is no GUI access to turn these features on), which is described in VMware KB2149016. These modules (available on GitHub) are designed to make this process a bit easier.

Some quick notes about enabling these Services:

  1. Check your licensing  – the Advanced Networking capabilities might be there but you might not be able to provide them to customers depending on your Service Provider entitlements
  2. The new features require an Edge to be upgraded to an Advanced Edge – you may for many reasons not want customers to be able to do this however by default customers have the ability to Convert Edges (Org Admin)

This code needs work and I will be making a revision and extending these as I explore the new APIs and the gaps in the builtin cmdlets; however, please enjoy, and any bugs/feedback is appreciated. Load via "Import-Module Module-vCloud-RightsManagement.psm1"

Below is a quick summary of the main user functions:

Export-CIOrgRights
The cmdlet is designed to allow the Org Rights to be exported to a CSV for manipulation by other tools, which can later be imported back into vCloud. This could be used for third party compliance/reporting or just for loading into Excel to enable/disable selected services in a nicer interface than direct API calls. The CSV is just in the format of the Role Name and if it is enabled (true) or disabled (False) for the Org.

Import-CIOrgRights
The cmdlet will replace the OrgRights with those set to enabled in the provided CSV (which should be generated from an Export-CIOrgRights cmdlet).

Get-CIOrgRights
Returns a collection of the available rights in the cloud and if they are enabled for the provided Organisation

Get-CIRights
Returns a collection of the available rights in the Global cloud infrastructure.

Add-CIOrgRight
Adds a single vCloud Director right to an Organisation

Remove-CIOrgRight
Removes a single vCloud Director right from an Organisation
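
For the compliance/reporting use of Export-CIOrgRights described above, the following added example (not part of the module) compares two exports and reports every right whose state changed between them. The column names Name and Enabled, the function name and the right names in the constructed sample are assumptions; adjust them to match the header of your own export.

```powershell
function Compare-OrgRightsExport {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    # Index each export by right name. Column names are assumed, see the lead-in.
    $before = @{}
    foreach ($row in $Baseline) { $before[$row.Name] = ($row.Enabled -eq 'true') }
    $after = @{}
    foreach ($row in $Current) { $after[$row.Name] = ($row.Enabled -eq 'true') }

    $names = @($before.Keys) + @($after.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        # A right missing from one export is treated as disabled in that export.
        $was = $before.ContainsKey($name) -and $before[$name]
        $now = $after.ContainsKey($name) -and $after[$name]
        if ($was -ne $now) {
            [pscustomobject]@{
                Right  = $name
                Change = if ($now) { 'Enabled' } else { 'Disabled' }
            }
        }
    }
}

# Constructed sample data standing in for two exports taken at different times.
$baseline = @'
Name,Enabled
Sample Right: View Org VDC,True
Sample Right: Configure Distributed Firewall,False
Sample Right: Convert Edge to Advanced,True
'@ | ConvertFrom-Csv

$current = @'
Name,Enabled
Sample Right: View Org VDC,True
Sample Right: Configure Distributed Firewall,True
Sample Right: Convert Edge to Advanced,False
'@ | ConvertFrom-Csv

# With real exports, load each file with Import-Csv instead of the here-strings.
Compare-OrgRightsExport -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Keeping a reviewed baseline export per organisation and running the comparison before an Import-CIOrgRights makes unintended changes to rights visible before they are applied.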