Configuration Management using vSphere Configuration Profiles
With vSphere 7.0, VMware launched a feature called vSphere Lifecycle Manager Images (vLCM), which uses a declarative model to holistically define the desired state of the ESXi host image, including the target ESXi version, firmware and drivers. This feature keeps all ESXi hosts at the desired state by enforcing consistency across the cluster. When a host drifts from the desired state, it is remediated back into compliance.
With vSphere Configuration Profiles, we are extending the declarative model to the management of ESXi host configurations.
Requirements for vSphere Configuration Profiles
vSphere Configuration Profiles requires the following:
- The cluster lifecycle must be managed with vSphere Lifecycle Manager Images (vLCM).
- All hosts in the cluster must be on version ESXi 8.0 or newer.
- Cluster hosts must be licensed with an Enterprise Plus license.
Limitations in vSphere 8.0: In vSphere 8.0, vSphere Configuration Profiles is being launched as a supported Technology Preview feature because there is no support yet for managing vSphere Distributed Switch (VDS) configurations. Enablement of vSphere Configuration Profiles on clusters that have NSX and VDS will be blocked. Therefore, during the Technology Preview phase, the use of this feature is limited to customers that use vSphere Standard Switch (VSS).
About vSphere Configuration Profiles
Managing ESXi configurations across hundreds of hosts is a challenge. For example, if an admin accidentally reduces the required password complexity on a host, that host becomes a security target. It is desirable to keep the configuration of every host compliant with the company’s desired host configuration.
vSphere Configuration Profiles is a new capability in vSphere 8.0 that allows administrators to manage host configuration at the cluster level. This capability allows administrators to:
- Set the desired configuration at the cluster level in the form of a JSON document.
- Check that hosts are compliant with the desired configuration.
- Remediate non-compliant hosts to bring them into compliance.
The configuration document is a JSON document backed by a schema, which makes it easily editable using any JSON editor tool. It is human-readable and is not unwieldy, since it only captures the changes to the default configuration. Customers can either create the JSON document from scratch or simply extract the configuration from a reference host. An example of a configuration document is below:
Figure 1 shows an example configuration JSON document.
- The profile section of the document contains configuration applicable to all hosts in the cluster.
- The Host-specific section contains configurations that need to be specified per host. For example, the host name needs to be specified per host.
- The Host-override section is used to override the cluster configuration for specified hosts. For example, the cluster configuration may require that the firewall be enabled, while certain hosts need to have the firewall disabled.
Note: BIOS-UUID is used as the host identifier for the host-override and host-specific sections.
Once the configuration document is finalized, vSphere Configuration Profiles can enforce compliance with this specification for all hosts in the cluster. The same document can also be used across multiple clusters.
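A pre-import review of such a document can list every host-override entry that departs from the cluster profile, since overrides are where a per-host exception such as a disabled firewall enters the desired state. The following is an added example, not VMware code: the three top-level section names follow the description above, while the nested setting names, the BIOS-UUID values and the layering order are assumptions made for illustration.

```python
# Constructed sample document. The three section names follow the article's
# description; the nested setting names and host identifiers are hypothetical
# and are not taken from the real vSphere schema.
SAMPLE_DOC = {
    "profile": {"firewall": {"enabled": True}, "password_policy": {"min_length": 15}},
    "host-override": {"constructed-uuid-0002": {"firewall": {"enabled": False}}},
    "host-specific": {
        "constructed-uuid-0001": {"hostname": "esx01.example.test"},
        "constructed-uuid-0002": {"hostname": "esx02.example.test"},
    },
}

def deep_merge(base, extra):
    """Return a copy of base with extra layered on top, recursing into dicts."""
    merged = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def flatten(node, prefix=""):
    """Map dotted setting paths to leaf values."""
    if not isinstance(node, dict):
        return {prefix: node}
    leaves = {}
    for key, value in node.items():
        leaves.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return leaves

def effective_config(doc, host_id):
    """Profile, then host-override, then host-specific (order is an assumption)."""
    cfg = deep_merge(doc.get("profile", {}), doc.get("host-override", {}).get(host_id, {}))
    return deep_merge(cfg, doc.get("host-specific", {}).get(host_id, {}))

def override_exceptions(doc):
    """List (host_id, path, cluster_value, host_value) where an override departs from the profile."""
    baseline = flatten(doc.get("profile", {}))
    found = []
    for host_id, override in sorted(doc.get("host-override", {}).items()):
        for path, value in sorted(flatten(override).items()):
            if baseline.get(path) != value:
                found.append((host_id, path, baseline.get(path), value))
    return found
```

To review an exported document instead of the sample, load it with `json.load` and pass the resulting dictionary to `override_exceptions`.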
Using vSphere Configuration Profiles
The general process for enabling and using vSphere Configuration Profiles to manage cluster configuration is shown below.
Figure 2 shows the process flow for using vSphere Configuration Profiles.
Let’s consider a specific scenario where a user wants to create a new cluster whose lifecycle is managed with Images (vLCM) and whose configuration is managed with vSphere Configuration Profiles (VCP).
Create a New Cluster
Create a new cluster inside a datacenter or folder.
Figure 3 shows the New Cluster option.
Activate Cluster Level Lifecycle Options
In the new cluster wizard, select “Manage all hosts in the cluster with a single image” and “Manage configuration at a cluster level”.
Figure 4 shows the new cluster lifecycle options.
Note: You must activate single image management to be able to activate cluster-level configuration.
Select the ESXi version
vSphere Configuration Profiles is only supported on ESXi hosts with version 8.0 or later. Select an ESXi version with an 8.0 build. Optionally, select any Vendor Addon you may require.
Figure 5 shows the compose ESXi image view.
Finish the new cluster wizard as desired. We now have a cluster whose lifecycle is managed with Images (vLCM) and whose configuration is managed with vSphere Configuration Profiles (VCP). However, the newly created cluster simply uses the default configuration. We have not yet specified a desired cluster configuration.
Navigate to the Cluster Desired State Settings
Select the newly created cluster and select Configure > Desired State > Configuration > Settings.
Figure 6 shows the Desired State Configuration view.
The desired configuration can be set either by using a reference host approach or using an existing JSON document. The next steps outline how to use a reference host to specify the cluster configuration.
Generate Desired Configuration from a Reference Host
Generate the desired configuration document from a reference host:
Add a host to the cluster and configure this reference host using any existing configuration APIs, CLIs or UI workflows.
Go to Cluster > Configure > Desired State > Configuration > Settings > … > “Extract from Reference host”.
Figure 7 shows the extract from reference host option.
Select the reference host in the cluster.
Figure 8 shows choosing the reference host.
Finish the workflow by downloading the extracted configuration document in JSON format. This document will contain all configurations done on that reference ESXi host.
Setting the Desired Configuration
Set the desired configuration for the cluster:
Use the document extracted from the reference host or an existing document. Go to Cluster > Configure > Desired State > Configuration > Settings > Import.
Figure 9 shows the import configuration from file option.
Finish the workflow. Once the document is successfully validated, it will be imported into the cluster and the desired configuration of the cluster is set.
Figure 10 shows configuration compliance.
Now that the desired configuration is set, vSphere Configuration Profiles can monitor compliance with this specification and allows users to remediate drift.
We realize that keeping ESXi configurations compliant with a specified desired configuration is a challenge in customer environments. vSphere Configuration Profiles is a new capability in vSphere 8.0 that addresses this challenge.
Customers that use vSphere Standard Switch (VSS) can use this capability now. We will continue to evolve this feature in upcoming releases to support vSphere Distributed Switch (VDS) as well.