vCloud Director 9.1 – Tenant Portal displays “No Datacenters are Available” after upgrade

vCloud Director 9.1 continues to strengthen the functionality of the tenant portal and introduces new functionality including upload of OVA/media without the Client Integration plugin. I ran into an issue immediately after the upgrade, however, with the Tenant Portal displaying “No Datacenters are available”.

If you are using certificates signed by an internal CA, you may run into this issue when you upgrade. It is caused by changes in how certificates are enforced in the API/Tenant Portal. The fix is pretty straightforward: you must configure the Public Key certificate chain in Base64 format against the API/Tenant Portal Public Address settings if you haven’t done this (like me).

Process

Step 1. Using a browser, navigate to your vCloud Director instance and view the Public Key for the SSL Certificate that is assigned against the installation (in Chrome: Developer Tools > Security > View Certificate), then select Details > Copy to File.

Step 2. Click Next and select Base-64 encoded X.509 (.CER) and click Next and save the certificate file.

Step 3. Next select the Certificate Path and repeat this process for any certificates in the Certificate Path.

Step 4. Open the generated .cer files in Notepad and copy and paste all of the certificates into one certificate chain.

Step 5. Log on to vCloud Director as a System Administrator (via the FlexUI) and select Administration > Public Addresses. Under the API section (and, if relevant, the Tenant Portal section) paste the certificate chain created in Step 4 into the Certificate Chain field and click Apply.

Step 6. Now refresh the Tenant Portal and everything should be in order.
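Step 4 can be scripted once the .cer files from Steps 2 and 3 are saved. The function below is an added example, not part of the original post or of vCloud Director: it rejects files that are not Base-64 encoded, orders the certificates leaf first (the conventional order for a chain; the post does not state one), warns about expired or missing certificates and joins the result. The function name and the file names are assumptions.

```powershell
# Added example, not from the original post. Function and file names are assumptions.
function Get-OrderedCertificateChain {
    param([Parameter(Mandatory)][string[]]$Path)

    # Load every exported file and refuse DER (binary) exports.
    $entries = @(foreach ($file in $Path) {
        $full = (Resolve-Path -LiteralPath $file).Path
        $pem  = (Get-Content -LiteralPath $full -Raw).Trim()
        if ($pem -notmatch '^-----BEGIN CERTIFICATE-----') {
            throw "$file is not Base-64 encoded; export it as 'Base-64 encoded X.509 (.CER)'."
        }
        [pscustomobject]@{
            Pem  = $pem
            Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
        }
    })

    # The leaf is the one certificate that did not issue any other certificate in the set.
    $issuers = @($entries | ForEach-Object { $_.Cert.Issuer })
    $leaf    = @($entries | Where-Object { $issuers -notcontains $_.Cert.Subject })
    if ($entries.Count -eq 1) { $leaf = $entries }   # a single (self-signed) certificate
    if ($leaf.Count -ne 1) { throw "Expected one leaf certificate, found $($leaf.Count)." }

    # Walk leaf -> intermediates -> root by matching Issuer to Subject.
    $chain   = @()
    $current = $leaf[0]
    while ($current -and $chain.Count -lt $entries.Count) {
        if ($current.Cert.NotAfter -lt (Get-Date)) {
            Write-Warning "$($current.Cert.Subject) expired on $($current.Cert.NotAfter)."
        }
        $chain += $current
        if ($current.Cert.Subject -eq $current.Cert.Issuer) { break }   # self-signed root
        $issuer  = $current.Cert.Issuer
        $current = $entries | Where-Object { $_.Cert.Subject -eq $issuer } | Select-Object -First 1
    }
    $last = $chain[-1].Cert
    if ($last.Subject -ne $last.Issuer) {
        Write-Warning "Chain is incomplete: no certificate found for issuer '$($last.Issuer)'."
    }
    if ($chain.Count -lt $entries.Count) {
        Write-Warning "$($entries.Count - $chain.Count) supplied file(s) are not part of the chain."
    }
    ($chain | ForEach-Object { $_.Pem }) -join "`r`n"
}

# Usage with placeholder file names for the files saved in Steps 2 and 3:
# Get-OrderedCertificateChain -Path .\vcd.cer, .\issuing-ca.cer, .\root-ca.cer | Set-Clipboard
```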

Thanks to jm13 on the VMTN forums and Daniel Paluszek from VMware for the information regarding this issue and resolving it. Hopefully a KB article will be published by VMware soon.

Configuring Storage IO Control IOPS Capacity for vCloud Director Org VDC Storage Profiles

Recently I began a small project to expose and control Storage IO Control in vCloud Director 8.20+. In order to leverage the capabilities there are a few things that need to be configured/considered. Before you begin you need to determine the capabilities (IOPS) of each of your datastores; this value is set as a custom attribute on each datastore and is exposed to vCloud Director as the “Available IOPS” for the datastore. There are a few things to note before you begin:

  1. You cannot enable IOPS support on a VMware Virtual SAN datastore
  2. You cannot enable IOPS support if the Storage Profile contains datastores that are part of a Storage DRS cluster; none of the datastores in the Storage Profile may be part of a cluster, and if any of them are in an SDRS cluster you can’t leverage SIOC in vCloud Director
  3. Each Datastore can have a value set between 200-4000 (IOPS)
  4. You need to have vSphere Administrator rights on the vCenters hosting the datastores to complete the below
  5. The tagged datastores must be added to a SIOC enabled Storage Policy which is mapped to vCloud as a Provider VDC Storage Profile
  6. The Organisational VDC Storage Profile can then have SIOC capabilities set against it using the REST API (or PowerShell using my vCloud Storage Profile Module)

Step 1. Set the iopsCapacity Custom Attribute

In order to expose SIOC in vSphere to vCloud Director, custom attributes have to be added to the datastores. VMware KB2148300 outlines doing this with the vSphere Managed Object Browser (MOB); however, it’s much easier to do this through the vSphere Client or vSphere Web Client.

  1. Log on to the vSphere H5 Client (https://<vCenter>/ui), select Tags & Custom Attributes from the menu, select Custom Attributes and click Add
  2. Enter the attribute iopsCapacity, select the Type Datastore and click Add
  3. Next select Storage from the main menu, select each datastore whose SIOC capabilities you wish to expose in vCloud, and from the Actions menu select Tags & Custom Attributes > Edit Custom Attributes
  4. Set the value for iopsCapacity and click OK
  5. Next, tag the datastores with a relevant tag and create a new Storage Profile with the VMware Storage IO Control provider for the SIOC enabled datastores
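Items 1 to 4 of Step 1 can also be scripted with PowerCLI, with the constraints from the notes above enforced before anything is written. This is an added example, not code from the original post or the author's module; it assumes an existing Connect-VIServer session and a PowerCLI release in which New-CustomAttribute and Set-Annotation accept datastore targets, and the function name is hypothetical.

```powershell
# Added example, not from the original post. Assumes a connected PowerCLI session.
function Set-DatastoreIopsCapacity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$DatastoreName,
        # Note 3: each datastore can have a value between 200 and 4000 IOPS.
        [Parameter(Mandatory)][ValidateRange(200, 4000)][int]$Iops
    )

    # Create the custom attribute once if it does not exist yet (Step 1, items 1-2).
    $existing = Get-CustomAttribute -Name 'iopsCapacity' -TargetType Datastore -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-CustomAttribute -Name 'iopsCapacity' -TargetType Datastore | Out-Null
    }

    foreach ($ds in Get-Datastore -Name $DatastoreName) {
        # Note 1: IOPS support cannot be enabled on a Virtual SAN datastore.
        if ($ds.Type -eq 'vsan') {
            Write-Warning "$($ds.Name): Virtual SAN datastore, skipped."
            continue
        }
        # Note 2: datastores in a Storage DRS cluster make the Storage Profile ineligible.
        if (Get-DatastoreCluster -Datastore $ds) {
            Write-Warning "$($ds.Name): member of a Storage DRS cluster, skipped."
            continue
        }
        # Step 1, items 3-4: set the value; -WhatIf previews without changing anything.
        if ($PSCmdlet.ShouldProcess($ds.Name, "Set iopsCapacity to $Iops")) {
            Set-Annotation -Entity $ds -CustomAttribute 'iopsCapacity' -Value $Iops | Out-Null
        }
    }
}

# Usage with placeholder datastore names:
# Set-DatastoreIopsCapacity -DatastoreName 'DS-Gold-01', 'DS-Gold-02' -Iops 2000 -WhatIf
```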

Step 2. Configure Storage Profiles in vCloud Director

  1. After this has been set on all the relevant datastores, log on to vCloud Director and select vCenters > Refresh Storage Policies
  2. Add the Storage Profile to the relevant Organizations (Organizations > Organisational VDCs > Storage Policies)
  3. Review the Provider VDC and confirm that the IopsCapacity value shows a non-zero value when using the Get-ProviderVdcStorageProfile cmdlet (open PowerShell, connect to vCloud Director and import the module Module-vCloud-SIOC.psm1 available from here)
  4. Set the Storage IO Control settings using the Set-OrgVdcStorageProfile cmdlet:

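# Select the Org VDC Storage Profile named "SIOC" in the organisation
$objOrgVDCStorageProfile = Get-OrgVdcStorageProfile -OrgName "PigeonNuggets" | ? {$_.Name -eq "SIOC"}
# Enable SIOC and set the per-disk IOPS limits on that profile
$objOrgVDCStorageProfile | Set-OrgVdcStorageProfile -SIOCEnabled $true -DiskIopsMax 1000 -DiskIopsDefault 100 -DiskIopsPerGBMax 100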

The OrgVDC Storage Profile is configured for SIOC which is implemented in vSphere. SIOC as implemented in vCloud Director needs further work (manually tagging the datastores with capabilities and API only exposure is a bit rough) however the capabilities are beginning to be exposed; further configuration can be made on individual Virtual Disks via the API (hopefully I will get to this in the near future). Hopefully this is of some value for you. #LongLiveVCD

SIOC and Provider/Organization VDC Storage Profile Management in vCloud Director with PowerShell

Long time since my last post due to some major life events; however, thanks to some annoying jet lag I have managed to get some work done on a project I have been working on slowly over the past couple of months: development of some PowerShell cmdlets to expose and add support for updating VDC and Provider Storage Profiles/Policies in vCloud Director 8.20/9.0.

The rationale for creating these cmdlets was twofold;

  1. There is currently no way to set the Storage I/O control parameters in vCloud Director outside of the API
  2. The Org VDC/Provider Storage Profiles are not readily exposed in PowerCLI which makes them a bit difficult to work with (need to combine API calls and vCloud Views)

Why would you want to use these cmdlets? Two main use cases that I have;

  1. For orchestrating dynamic updates to the Org VDC Storage Profile limits; for example if you want to prevent Organisations from consuming all of your backend storage in a short period of time (and have limits set) but don’t want to have to manually update the limits/have clients calling asking why they can’t create a new VM or expand a disk these cmdlets can be used to adjust the Org VDC limits based on the available storage in the backend Provider Storage Profile as space is consumed/reclaimed
  2. If you wish to implement SIOC in vCloud in an Organization VDC Storage Policy, limit the IOPS available globally to that Storage Policy etc. and if there is a “peak”/“off-peak” arrangement with a customer whereby their Storage Policies adjust based on Time of Day (e.g. Test Tier is throttled during 9am-9pm) this might assist

The code is available on GitHub here or below. The documentation in the PowerShell (get-help cmdlet -full) is more complete; however, below is a quick summary of the main user functions and how to use them;
  • Get-OrgVdcStorageProfile : Returns the Storage Policies/Profiles which are defined on the target Organisation Virtual Datacenter object.
  • Set-OrgVdcStorageProfile : Sets the properties of a provided Org VDC Storage Policies/Profiles.
  • Get-ProviderVdcStorageProfile : Returns the Provider VDC Storage Profile objects for the target organisation.
  • Set-ProviderVdcStorageProfile : Allows the settings to be adjusted on a Provider VDC Storage Profile.

These cmdlets are a bit rough and there is more work to do when time permits, but they have been tested on PowerCLI 6.5.1 and vCloud Director 8.20.1 and 9.0; I hope you get some value from these cmdlets and #LongLiveVCD

 

vCloud Director 9 Tenant Portal will not load – Don’t forget to set your Public Addresses !

One issue you may run into deploying vCloud Director 8.20/9.0 is that the Tenant Portal will not load if you browse to it (https://<vcd>/tenant/orgname) with anything other than the Cell IP address. This will occur if you have not set the Public Endpoints (System > Administration > Public Addresses) for the API Service to the DNS name of your Load Balancer VIP for vCloud Director.

The UI for the tenant portal is built using the VMware Clarity project and the HTML5 client makes direct API calls to build the responses for the user. When the browser makes the requests to the vCloud API Service it includes a Request Header “Referer:” which is used by the API service when responding to requests.

If the vCloud Director configuration does not have the Public Addresses values set, the browser sends a Referer header that is not recognized and you will end up with a blank page being returned. So if you intend to provide different URI endpoints for the vCloud Tenant Portal (e.g. you may wish to direct customers to a new URL for using the Tenant Portal to avoid confusion with the Web Portal), make sure that you set the Tenant Portal URIs or it won’t work.

The 2 minute fix:

  1. Log on to the System VDC
  2. Select Administration > Public Addresses
  3. Set the values to the external URI of the deployment and click Apply

Immediately after the settings have been amended the Tenant Portal will begin to function as expected. 

Setting Organization VDC Permissions in vCloud Director 8.X with PowerShell

First vCloud Director post in a while (been busy trying to organize a move across the world and getting married) but I had a requirement recently to look at having two Org VDC’s (Test and Production) and having two sets of users within a vCloud Organization; both sets with Organization Administrator but each group with the ability to modify only one Org VDC.

VMware has been improving the granularity of the User Access Control in vCloud Director over the 8.X release, introducing new mechanisms for delegating roles and access rights at each level of abstraction (Organization Level, Org VDC level); however, the 8.20 interfaces still haven’t quite caught up (I imagine this is resolved in vCloud 9.0 which is fast approaching) and it’s a little tricky to get visibility of and make changes to these roles as it is all exposed in the API only.

After reviewing the article by Tom Fojta and the API documentation I extended my PowerShell vCloud Rights Management module to make control a bit easier.

The module is available on GitHub.

The documentation in the PowerShell is more complete; however, below is a quick summary of the main user functions and how to use them;

Get-OrgVdcAccessRights : Returns an object which represents the Access Controls for a provided Organisation Virtual Datacenter object.

Set-OrgVdcAccessRightSharedToEveryone : This cmdlet sets an Organisation Virtual Datacenter as visible or hidden for all users who have rights to the organisation. By default an Org VDC is visible to all members of the containing organization; if the -Visible:$false is provided the org VDC will be hidden from all users by default. If -Visible:$true is set it will be visible to all users by default.

Add-OrgVdcAccessRights : This cmdlet adds a CIUser to the Access Control for an Organisation Virtual Datacenter. If the Organisation has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet the users added using this cmdlet can access/view the Organisational VDC.

Remove-OrgVdcAccessRights : This cmdlet removes a CIUser from the Access Control List for an Organisation Virtual Datacenter. If the Organisation has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet the users removed using this cmdlet will no longer have rights to access/view the Organisational VDC.

As an example, we will have three users: one a Full Organizational admin (pigeon.admin), one with rights to one of the Org VDCs (testuser.test) and one with rights to the other Org VDC (testuser.production);

  1. Log on to vCloud Director, clone the Organization Administrator role for the Organization and remove the right Allow Access to All Organization VDCs
  2. Create Org Users and assign them the role created in Step 1. Note that at this point the users can still view all of the Org VDCs in the Organization.
  3. Next we can set each of the Org VDCs to be hidden by default using the Set-OrgVdcAccessRightSharedToEveryone cmdlet: (Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC" -Visible $false). The users with the Org Admin right can no longer see the Org VDCs; however, the Full Organizational Administrator can still view all Org VDCs
  4. Now to add individual users' rights to the Org VDC you can use the Add-OrgVdcAccessRights cmdlet: Get-CIUser testuser.test | Add-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC (Test Pool)" which will grant testuser.test access to the Org VDC
  5. To remove the rights for the user simply execute Get-CIUser testuser.test | Remove-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC (Test Pool)"

And finally, to make the Org VDC visible to all users again just execute Set-OrgVdcAccessRightSharedToEveryone with the $true switch: Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC" -Visible $true

These cmdlets are a bit rough but have been tested on PowerCLI 6.5.1 and vCloud Director 8.20.0 and 8.20.1; hopefully they will save you some time. Enjoy.