April 25, 2021

Achieve Consistent Configuration across vCenter Servers - vCenter Server Profiles

vCenter Server Profiles offers better management of multi-vCenter Server architectures, reducing the risk associated with configuration drift in these environments. It creates a template from a known-good vCenter Server from which vCenter Server profiles may be created and applied.


Why vCenter Server Profiles?

Large enterprise and service-provider customers often employ multiple vCenter Servers (VCs) to manage their distributed vSphere environment. With the rise of Edge deployments to support 5G and branch use cases, deploying multiple VCs has become common.

In a multi-VC environment, adhering to the desired state configuration is a significant challenge for customers. Apart from compliance concerns, customers in a multi-VC environment encounter the following challenges:

  • Provisioning and installing multi-VC setup involves repeated steps: 

Post VC deployment (Day-0 config), customers run setup and admin-related tasks (NTP configuration, DHCP configuration, DNS configuration, assigning permissions/privileges, etc.) repeatedly, making the deployment process slow and sometimes inefficient.  

  • Tracing VC config changes can be overly complicated: 

With multiple VI admins, it is quite difficult for customers to track down and monitor VC config changes. This slows down the RCA (Root Cause Analysis) procedure in the event of failure/misconfiguration.

  • No mechanism to alert about VC config drift: 

In a multi-VC environment, customers struggle to detect drift in a VC configuration. Failure to detect drift leads to a non-compliant VC, possibly leaving it vulnerable.  

Some customers use in-house developed automation and orchestration solutions to manage a multi-VC environment. These solutions, however, may not perform as expected and require a considerable amount of time and skill to work with.

What is the Solution?  

"vCenter Server Profiles", introduced in vSphere 7.0, can address many of the challenges and pain points that a customer experiences in a multi-VC environment.  

The vCenter Server Profiles feature empowers customers to capture a compliant VC's configuration details in a JavaScript Object Notation (JSON) based file, which acts as a template. JSON is a minimal, readable format for structuring data. It is very easy to learn and is widely accepted in various automation solutions.  

The captured JSON file can be copied to the target VCs, ensuring that they all inherit the same configuration settings, in a similar fashion to the host profile feature. After capturing and extracting compliant VC configuration settings in a JSON based file, customers can choose and edit the configuration settings that should be propagated to the target VCs. This enables customers to ensure that while the target VC adheres to the desired state configuration, they can still customize the deployment as per the business requirement.  

Customers can also use a versioning approach to examine config changes over a timeline for audit purposes. 
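The versioning and drift checks described above come down to comparing two exported profiles. The following is an added example, not code from VMware or from the original post: a schema-agnostic diff between a baseline export and a branch export. The sample profiles and their key names are constructed for illustration and are not the real profile schema.

```python
import json

# Constructed sample exports. The key names are illustrative, not the real profile schema.
BASELINE = json.loads("""{"profiles": {
  "ApplianceManagement": {"ntp": {"servers": ["ntp1.example.com", "ntp2.example.com"]},
                          "ssh": {"enabled": false}},
  "AuthManagement": {"roles": [{"name": "BranchOperator",
                                "privileges": ["VirtualMachine.Interact.PowerOn"]}]}}}""")
BRANCH = json.loads("""{"profiles": {
  "ApplianceManagement": {"ntp": {"servers": ["ntp1.example.com"]},
                          "ssh": {"enabled": true}},
  "AuthManagement": {"roles": [{"name": "BranchOperator",
                                "privileges": ["VirtualMachine.Interact.PowerOn",
                                               "Host.Config.Settings"]}]}}}""")


def flatten(node, path=""):
    """Yield (path, leaf) pairs; empty containers count as leaves."""
    if isinstance(node, dict) and node:
        for key in sorted(node):
            yield from flatten(node[key], f"{path}/{key}")
    elif isinstance(node, list) and node:
        # Lists are compared by position, so a reordering is reported as drift.
        for index, item in enumerate(node):
            yield from flatten(item, f"{path}/{index}")
    else:
        yield path, node


def drift(baseline, target):
    """Return sorted (kind, path, expected, actual) tuples; an empty list means no drift."""
    expected, actual = dict(flatten(baseline)), dict(flatten(target))
    findings = []
    for path in sorted(expected.keys() | actual.keys()):
        if path not in actual:
            findings.append(("missing", path, expected[path], None))
        elif path not in expected:
            findings.append(("unexpected", path, None, actual[path]))
        elif expected[path] != actual[path]:
            findings.append(("changed", path, expected[path], actual[path]))
    return findings


if __name__ == "__main__":
    for kind, path, want, got in drift(BASELINE, BRANCH):
        print(f"{kind:10} {path}: expected={want!r} actual={got!r}")
```

Run against two saved versions of the same VC's export, the same function gives the change history for an audit; run against the head-office export and a branch export, it flags drift such as an extra privilege on a role.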


vCenter Server Profiles in Detail  

With the vCenter Server Profiles feature, VMware has introduced the following RESTful APIs:

  • List 
  • Export 
  • Import 
  • Validate 

These RESTful APIs can be accessed from the "Developer Center" present under the API explorer in the vSphere client.

There is no GUI (Graphical User Interface) equivalent for vCenter Server Profiles in the initial release. The REST APIs can be consumed with PowerCLI or with other automation and config management tools (Salt, Ansible, Puppet, etc.).

vCenter Server Profiles Example Work-Flow 

Let us look at an example scenario to understand vCenter Server Profiles. 

Rebecca is a VI admin at a large bank. Her organization has decided to roll out 10 new branches with dedicated vSphere environments. For compliance, Rebecca must ensure that the branch vCenter Servers have the same Roles and Privileges and network settings (NTP, etc.) as the head office vCenter Server.

Let us look at the step-by-step workflow and the corresponding APIs that Rebecca will call to ensure that the branch vCenter Servers adhere to the desired state configuration.

Step: 1 List all the configuration settings 

The List API can be called to find out which vCenter Server configuration settings can be exported.

curl -X GET 'https://vc_fqdn_or_ip/api/appliance/infraprofile/configs' -H 'vmware-api-session-id: session_id' 

Step: 2 Export the desired state configuration 

The export API is called to obtain the desired vCenter Server profile details in a JSON based file. This JSON file can be saved and edited as per the business requirement.

curl -X POST 'https://vc_fqdn_or_ip/api/appliance/infraprofile/configs?action=export' -H 'vmware-api-session-id: session_id' -H 'Content-type: application/json'

Step: 3 Validate the profile (in case the exported profile was edited)

The validate API performs a syntax check to validate that the edited vCenter Server profile is error free.

curl -X POST 'https://vc_fqdn_or_ip/api/appliance/infraprofile/configs?action=validate&vmw-task=true' -H 'vmware-api-session-id: session_id' -H 'Content-type: application/json' -d '{"config_spec": "json_output_obtained_from_the_previous_step"}'

Step: 4 Import the desired state configuration 

After the file obtained from the previous step has been edited, it can be fed to the import API. The import API imports the desired state configuration onto the target VCs.

curl -X POST 'https://target_vc_ip_fqdn/api/appliance/infraprofile/configs?action=import&vmw-task=true' -H 'vmware-api-session-id: session_id' -H 'Content-type: application/json' -d '{"config_spec": "json_output_obtained_from_the_step_2"}'

Note: The config_spec represents the desired state config. It accepts a JSON object as a string.
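Because config_spec carries the profile as a string, the request body for the validate and import calls is JSON encoded twice, which is easy to get wrong when quoting by hand. The following is an added example, not code from VMware or from the original post: it checks an edited export locally, builds the body, and returns a SHA-256 digest so the profile that was validated can be shown to be the one that was imported. The function name and the sample profile are assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample of an edited export; the key names are illustrative only.
EDITED = '{"profiles": {"ApplianceManagement": {"ntp": {"servers": ["ntp1.example.com"]}}}}'


def build_config_spec_body(profile_text):
    """Return (request_body, sha256_hex) for an edited profile export.

    Raises ValueError if the text is not a JSON object, so a broken edit is
    caught before any API call is made.
    """
    try:
        profile = json.loads(profile_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"profile is not valid JSON: {exc}") from exc
    if not isinstance(profile, dict):
        raise ValueError("profile must be a JSON object at the top level")
    # Canonical form (sorted keys, no extra whitespace) gives a stable digest
    # that does not change when an editor re-indents or reorders the file.
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    # The inner document becomes a string value; json.dumps escapes its quotes.
    body = json.dumps({"config_spec": canonical})
    return body, digest


if __name__ == "__main__":
    body, digest = build_config_spec_body(EDITED)
    print(body)
    print("sha256:", digest)
```

The returned body can be written to a file and passed to the curl commands above with -d @filename instead of an inline argument.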

Logging 

All the activities pertaining to vCenter Server profiles are logged under infraprofile-svcs.log, present under the /var/log/vmware/infraprofile directory in the vCenter Server Appliance (VCSA).


Conclusion 

Provisioning and managing multiple vCenter Servers is a challenging task. Ensuring that every vCenter Server is compliant further complicates the situation.

As always, VMware is committed to devising innovative ways to help customers and make their life easy. The vCenter Server Profiles feature ensures that customers can deploy and configure multiple vCenter Servers at a rapid pace. Apart from expediting vCenter Server deployment, the vCenter Server Profiles feature ensures that security compliance is always a priority and is never compromised.
