Enabling the vCenter Server permissions required to modify virtual machine network settings

Posted on August 28, 2019 by pkremer

We had a customer question regarding KB1020934. The customer wants to assign specific people the ability to change the portgroup of a VM, and only the portgroup. The KB article says that you must assign permissions at the Datacenter level. In my 6.7 U3 lab, I will show that you can do granular permissions at both the VM and portgroup level.

First I add a test user

Then I create a group called Network Team and add testuser to the group

Now I create a role called VM Network Admins and grant it the specific privileges as outlined in the KB article.

This screen shows that I’ve granted the permission in the following locations

A folder called Network Team
Distributed portgroup PG_VM_VLAN203
Standard portgroup VLAN200

Note that the screenshot also shows standard portgroup VLAN203, I removed this permission from that portgroup but forgot to update the screenshot.

I log in as testuser. I cannot see anything in Hosts and Clusters because the user has no permissions there.

I can see the folder paths leading to folder Network Team, and I can see VMs under that folder. I cannot see any other folders or VMs.

I can’t see any storage

I can only see portgroups that I’ve been granted permissions to.

Now I try to change the VLAN for my network adapter. Note that if I don’t have permissions to whatever portgroup the VM is currently on, the dropdown box is blank.

I browse for portgroups to switch to and I’m presented with only a list of the portgroups I have permissions for (I have other portgroups in my lab)

I put the VM on VLAN 200 and it drops off the network.

Then I put it back on 203 and it works.

Ubiquiti – Home Lab & WiFi

Posted on July 25, 2019 by pkremer

I wanted to put up a quick post on my Ubiquiti environment at home.

At the edge I have a UniFi Security Gateway 4P. I have 2 24 port POE-250W switches, one serving the homelab and one serving Production WiFi.

I had a difficult time getting ethernet run into the basement, so I ran only a single CAT-6 cable. This feeds a UniFi 8-port POE-60W switch. The switch powers one AP-AC-Pro for basement WiFi, then I have the kids game consoles and Roku boxes directly connected to the 8-port. I used the U-PRO-MP kit to hang the AP-AC-Pro in the basement. We have a drop ceiling and I didn’t want to cut holes in the tiles. The Pro mounting kit has two connectors that work great for mounting it to the metal support rails for the drop ceiling.

On the main floor I have an AP-AC-Pro serving my home office. I have 2 mesh units on the main floor – one is an AP-AC-Mesh in the Sunroom, on the complete opposite side of the house and nearly impossible to get a cable run over there. It’s connected wirelessly to another access point and works just fine – it’s obviously not as fast as the other access points, but it does the job. I have another mesh unit, an AC-MESH-PRO, in the living room. It’s directly wired and is just serving as an access point at the moment. I intend to add another mesh unit outdoors eventually to extend some solid WiFI signal out there, but I don’t have it working at the moment.

Upstairs I have 3 AP-AC-Pro units, each with their own CAT-6 home run to the switch. One serves the master bedroom, one is in the main hallway serving the other bedrooms, and the last one is in the loft. For ethernet runs I had a local company install 3.5″ round electric boxes in the ceiling, then I had them run electric conduit from my office on the first floor all the way up to the attic. Then it was just a matter of fishing 3 CAT-6 runs. I used the Pro mounting kit to easily attach the AP-AC-Pros to the electric boxes.

Xfinity Stream – Roku

Posted on March 2, 2019 by pkremer

I was trying to get a Roku working with my xfinity service. The app is in beta.

The list of supported devices is in this article: https://www.xfinity.com/support/articles/activate-xfinity-tv-app-on-roku

It listed the Roku Ultra 4660 as a supported device. However, Roku no longer makes the 4660, it’s been replaced with the 4661. I was hesitant to try something off the supported list, even though the 4661 is basically the same hardware as the 4660 and they throw in a pair of headphones. The Ultra 4661 works just fine.

I ran into another issue – I’m in the middle of a move and I had 2 xfinity accounts linked to a single username, one at my old property and one at my new property. I only kept internet service, not TV service at the old property. The xfinity authorization link at xfinity.com/authorize isn’t smart enough to understand multiple accounts, unless both accounts have TV service. I had to have xfinity customer service unlink the accounts, then the Roku worked.

Disable ‘Send Feedback to the Client Team’ in the H5 client

Posted on August 17, 2018 by pkremer

In highly secured environments, customers generally don’t want any type of ‘phone home’ behavior. In the vCenter HTML5 client, we have a ‘Send Feedback to the Client Team’ button. Some customers want that functionality to be disabled. Here’s how to do it:

root@vcenter [ /etc/vmware/vsphere-ui ]# vi webclient.properties

#DisableFeedbackTool Properties
feedbackTool.enabled=false

The reboot the service:

service-control --stop vsphere-ui
service-control --start vsphere-ui

AWS DeepLens – First Look

Posted on June 16, 2018 by pkremer

I had the opportunity to attend Amazon re:Invent 2017, and as part of attending a bootcamp I received a discount code for a free DeepLens! It arrived today.

The box

32GB micro SD card and power supply. Amazon made a single power brick with interchangeable prongs.

The front of the DeepLens

Rear view of the DeepLens

After unpacking, the package insert directed me to https://aws.amazon.com/DeepLens

I did not have any of the IAM roles so I clicked Create Roles

The setup created this role for me

I connected to the DeepLens’ wireless network

Connected the DeepLens to my WiFi

I clicked the install and reboot button; it disappeared with no progress indicator.

I watched for the device to come back up, and connected again to the device’s wireless. The install and reboot button appeared again, so I clicked it again. It finished this time

Now I needed to upload the certificate .zipfile that I downloaded earlier in the setup.

The streaming certificate is required to view video from the camera

I set a device password and enabled SSH.

Summary:

For my first project, I thought I’d add what looked to be one of the simplest ones, object detection.

After creating the project, I need to deploy it to the camera.

After a few minutes, the project was ready for use.

That’s all for now – next post will be my first attempt to run the project.

New VMware blog post – Addressing Spectre / Meltdown with vROps

Posted on January 21, 2018 by pkremer

Check out the blog post complete with new dashboards to import.

Passed the AWS Certified Solutions Architect – Associate

Posted on November 17, 2017 by pkremer

I sat and passed the AWS Certified Solutions Architect – Associate exam today. I couldn’t have done it without the excellent training provided by A Cloud Guru. I did also take formalized classroom training but based on the quality of A Cloud Guru and my first attempt pass results, I’m going to stick with them for future AWS exams.

vRealize Suite Lifecycle Manager – Part II – Deploying Log Insight

Posted on October 30, 2017 by pkremer

In Part I, I showed how to deploy the Lifecycle Manager appliance.

For my first product deployment, I decided on a quick win with Log Insight.

When you log in to vRealize Suite Lifecycle Manager the first time, it takes you through a tour of the UI.

First I generated a certificate

Then I clicked to create a new environment

If you have a My VMware account with acccess to vRealize Suite, you can poined LCM directly to My VMware as a download source, you won’t have to manually download bits.

Changing passwords forced a logoff and login.

Enter your My VMware credentials here to allow for direct download

Click on the items you want to download

Add a new datacenter for LCM to manage

Now adding a new vCenter to the datacenter

Starting the wizard to deploy Log Insight

I’m only installing Log Insight at this time, so check the box.

Now you get a short Log Insight wizard.

I’m only doing a standalone LI host but note you could do a load balanced config as well as add worker nodes.

The job after it’s submitted.

The deployment failed because it wants to put 16 vCPU on my LI VM, but my little lab only has 4 cores per host. The vCenter error said “No host is compatible with the virtual machine.” All I had to do was edit the deployed VM, change it to two cores (I also decreased the RAM), power it on and the LCM deployment continued without issue.

I now have a running Log Insight instance, I connected it to vCenter and I’m done!

vRealize Suite Lifecycle Manager – Part I – Initial Deployment

Posted on October 30, 2017 by pkremer

vRealize Suite Lifecycle Manager is designed to let you manage deployment and upgrades of vRealize Suite. In Part I of this series, I will show you the installation process in my lab.

Here is the OVF that I downloaded from My VMware

Deploy the OVF

Standard OVF deployment options here, setting the hostname and IP address information.

The console while the appliance configures itself

Main welcome screen – default credentials are admin@localhost / vmware

You will get asked to change the appliance password

All set, this is an easy, standard OVF deployment.

In Part II, I use vLCM to deploy Log Insight.

dvSwitch Migration

Posted on October 27, 2017 by pkremer

I was rebuilding my lab and decided to capture the process of moving machines from the standard switch to the distributed virtual switch

In these screenshots, I’ve already created the new distributed switch and added portgroups.

Adding my 2 lab hosts to the distributed switch

Now we need a physical uplink.

In my lab, vmnic1 and vmnic2 are carrying virtual machine traffic. Prior to this step, I disconnected vmnic2 from the standard switch. This is the part that has the most risk in that if you have a bunch of VLANs, it’s possible that vmnic1 doesn’t have all of them trunked. This is where you can cause an outage, so it’s important to check the physical switch configuration for all VLANs to ensure they’re all trunked.

I assign vmnic2 to Uplink 2 for no reason other than to keep the “2”s together. After the migration is done, you’d come back in here and assign vmnic1 to an uplink – I would assign it to Uplink 1 for consistency’s sake., but the name of the uplink doesn’t actually matter.

Repeat the process for host #2.

You get a summary of the changes before the changes are made

This screen will detect if you’re about to make a disastrous change

My VM traffic is VLAN 203

Now to migrate VMs to the distributed switch, I right click and click Migrate MVs to another network

My source network is the standard switch VLAN203 network

Destination is the DVS portgroup, still VLAN203

Here’s where it’s awesome. You could migrate every single VM on VLAN203 to the distributed switch by just selecting all here. I play it safe to start by only migrating one. You obviously would probably not want to start with a domain controller, but I like to live dangerously 🙂

Continous ping to the domain controller

I get a little blip but don’t drop a ping

VM is migrated. I can now migrate all of the VMs on VLAN203, then remove vmnic1 from the standard switch, then come back and add vmnic1 so I have redundant uplinks.

Patrick Kremer

Technical perspectives from a VMware Field Engineer