vCenter Event Broker Appliance – Part II – Sample Code Prereqs

In Part I of this series, we explored how to deploy the VEBA appliance. In Part II, we look at setting up a Windows workstation with the prereqs for interacting with VEBA. As of the 0.3 release of VEBA, we support 2 different event processors – OpenFaaS is built right into the appliance, and we also support AWS EventBridge as an external processor. The content in this post doesn’t apply if you’re using AWS EventBridge – you set it up, VEBA forwards events to EventBridge, and you write code in native AWS to respond to events.

We begin with the Function Deployment section of the Getting Started Guide shown on the VEBA Fling instructions page. The guide lists 3 prereqs to getting started: git, faas-cli, and govc. Going into this I have no idea what any of that means. I know what git is, meaning I know the definition of source control and that git is one of many choices for source control. But I’ve never used it, and don’t know anything about faas-cli or govc

I start with the git download page. As I go through this, I seem to find myself at a disadvantage trying to do code on Windows – everything seems to be focused around Mac and Linux. But I successfully installed the Windows binary on my laptop.

I leave the defaults here

I know the basics of getting around vi, but spend a lot more time in Notepad++, so I switch to it here.

This seems to be an OK option – I’m not sure what people typically use. Through the sample code deployment I was only calling git from the Git Bash anyway, so I guess it doesn’t make a difference.

I don’t think I have a need to use Windows CAs so I kept OpenSSL.

I leave this default since it was the recommended Windows setting

I don’t like the Windows default console windows, I figured MinTTY couldn’t be any worse – I select it.

I leave all these default.

The next preqeq is faas-cli. I have no idea what this is, so I click on the link and read about it. faas-cli is a command line interface for OpenFaaS – a serverless functions framework for Docker and Kubernetes. OpenFaaS is built into the VEBA appliance – it is how you publish your custom code to run when an event happens.

For Windows, all I did is go to the releases page and download faas-cli.exe.

I decide to create a specific folder for any executables related to this project, so I created a folder and added that folder to my PATH variable. This way I can invoke the executable no matter where I am in the filesystem.

The final prereq is something called govc, part of govmomi. govmomi is a Go library for interacting with the vSphere APIs. govc is a CLI interface to the library. I did not know why govmomi existed when I started documenting my work with VEBA – thanks to Michael Gasch for explaining “govmomi is a library many VMware products and OSS projects use to provide a vSphere API library for the Go programming language.”

I was able to find and download govc_windows_386.exe at the govmomi releases page. I put it in the same folder as faas-cli.exe

We have now installed all of the prereqs for running our first sample function. In Part III, we will set up vCenter tags for the sample function and download the VEBA sample code to our local workstation with git.

VMware Employee Count

We have an internal tool in Slack where you can see how long you’ve been employed relative to other VMware employees i.e. X-employee account created on yyyy-mm-dd and has been here longer than XY% of employees. After looking at that, I wondered just how quickly we’ve grown over the years. So I grabbed employee counts reported in our 10-K filings at and graphed them. We just keep growing!

Enabling the vCenter Server permissions required to modify virtual machine network settings

We had a customer question regarding KB1020934. The customer wants to assign specific people the ability to change the portgroup of a VM, and only the portgroup. The KB article says that you must assign permissions at the Datacenter level. In my 6.7 U3 lab, I will show that you can do granular permissions at both the VM and portgroup level.

First I add a test user

Then I create a group called Network Team and add testuser to the group

Now I create a role called VM Network Admins and grant it the specific privileges as outlined in the KB article.

This screen shows that I’ve granted the permission in the following locations

  • A folder called Network Team
  • Distributed portgroup PG_VM_VLAN203
  • Standard portgroup VLAN200

Note that the screenshot also shows standard portgroup VLAN203, I removed this permission from that portgroup but forgot to update the screenshot.

I log in as testuser. I cannot see anything in Hosts and Clusters because the user has no permissions there.

I can see the folder paths leading to folder Network Team, and I can see VMs under that folder. I cannot see any other folders or VMs.

I can’t see any storage

I can only see portgroups that I’ve been granted permissions to.

Now I try to change the VLAN for my network adapter. Note that if I don’t have permissions to whatever portgroup the VM is currently on, the dropdown box is blank.

I browse for portgroups to switch to and I’m presented with only a list of the portgroups I have permissions for (I have other portgroups in my lab)

I put the VM on VLAN 200 and it drops off the network.


Then I put it back on 203 and it works.


Ubiquiti – Home Lab & WiFi

I wanted to put up a quick post on my Ubiquiti environment at home.

At the edge I have a UniFi Security Gateway 4P. I have 2 24 port POE-250W switches, one serving the homelab and one serving Production WiFi.

I had a difficult time getting ethernet run into the basement, so I ran only a single CAT-6 cable. This feeds a UniFi 8-port POE-60W switch. The switch powers one AP-AC-Pro for basement WiFi, then I have the kids game consoles and Roku boxes directly connected to the 8-port. I used the U-PRO-MP kit to hang the AP-AC-Pro in the basement. We have a drop ceiling and I didn’t want to cut holes in the tiles. The Pro mounting kit has two connectors that work great for mounting it to the metal support rails for the drop ceiling.

On the main floor I have an AP-AC-Pro serving my home office. I have 2 mesh units on the main floor – one is an AP-AC-Mesh in the Sunroom, on the complete opposite side of the house and nearly impossible to get a cable run over there. It’s connected wirelessly to another access point and works just fine – it’s obviously not as fast as the other access points, but it does the job. I have another mesh unit, an AC-MESH-PRO, in the living room. It’s directly wired and is just serving as an access point at the moment. I intend to add another mesh unit outdoors eventually to extend some solid WiFI signal out there, but I don’t have it working at the moment.

Upstairs I have 3 AP-AC-Pro units, each with their own CAT-6 home run to the switch. One serves the master bedroom, one is in the main hallway serving the other bedrooms, and the last one is in the loft. For ethernet runs I had a local company install 3.5″ round electric boxes in the ceiling, then I had them run electric conduit from my office on the first floor all the way up to the attic. Then it was just a matter of fishing 3 CAT-6 runs. I used the Pro mounting kit to easily attach the AP-AC-Pros to the electric boxes.

Xfinity Stream – Roku

I was trying to get a Roku working with my xfinity service. The app is in beta.

The list of supported devices is in this article:

It listed the Roku Ultra 4660 as a supported device. However, Roku no longer makes the 4660, it’s been replaced with the 4661. I was hesitant to try something off the supported list, even though the 4661 is basically the same hardware as the 4660 and they throw in a pair of headphones. The Ultra 4661 works just fine.

I ran into another issue – I’m in the middle of a move and I had 2 xfinity accounts linked to a single username, one at my old property and one at my new property. I only kept internet service, not TV service at the old property.  The xfinity authorization link at isn’t smart enough to understand multiple accounts, unless both accounts have TV service. I had to have xfinity customer service unlink the accounts, then the Roku worked.

Disable ‘Send Feedback to the Client Team’ in the H5 client

In highly secured environments, customers generally don’t want any type of ‘phone home’ behavior. In the vCenter HTML5 client, we have a ‘Send Feedback to the Client Team’ button. Some customers want that functionality to be disabled. Here’s how to do it:

root@vcenter [ /etc/vmware/vsphere-ui ]# vi

#DisableFeedbackTool Properties

The reboot the service:

service-control --stop vsphere-ui
service-control --start vsphere-ui

AWS DeepLens – First Look

I had the opportunity to attend Amazon re:Invent 2017, and as part of attending a bootcamp I received a discount code for a free DeepLens! It arrived today.

The box

32GB micro SD card and power supply. Amazon made a single power brick with interchangeable prongs.

The front of the DeepLens

Rear view of the DeepLens


After unpacking, the package insert directed me to

I did not have any of the IAM roles so I clicked Create Roles

The setup created this role for me

I connected to the DeepLens’ wireless network

Connected the DeepLens to my WiFi

I clicked the install and reboot button; it disappeared with no progress indicator.

I watched for the device to come back up, and connected again to the device’s wireless. The install and reboot button appeared again, so I clicked it again. It finished this time

Now I needed to upload the certificate .zipfile that I downloaded earlier in the setup.

The streaming certificate is required to view video from the camera

I set a device password and enabled SSH.


For my first project, I thought I’d add what looked to be one of the simplest ones, object detection.

After creating the project, I need to deploy it to the camera.

After a few minutes, the project was ready for use. 

That’s all for now – next post will be my first attempt to run the project.

vRealize Suite Lifecycle Manager – Part II – Deploying Log Insight

In Part I, I showed how to deploy the Lifecycle Manager appliance.

For my first product deployment, I decided on a quick win with Log Insight.

When you log in to vRealize Suite Lifecycle Manager the first time, it takes you through a tour of the UI.

First I generated a certificate


Then I clicked to create a new environment

If you have a My VMware account with acccess to vRealize Suite, you can poined LCM directly to My VMware as a download source, you won’t have to manually download bits.

Changing passwords forced a logoff and login.

Enter your My VMware credentials here to allow for direct download

Click on the items you want to download


Add a new datacenter for LCM to manage


Now adding a new vCenter to the datacenter


Starting the wizard to deploy Log Insight


I’m only installing Log Insight at this time, so check the box.

Now you get a short Log Insight wizard.

I’m only doing a standalone LI host but note you could do a load balanced config as well as add worker nodes.

The job after it’s submitted.

The deployment failed because it wants to put 16 vCPU on my LI VM, but my little lab only has 4 cores per host. The vCenter error said “No host is compatible with the virtual machine.” All I had to do was edit the deployed VM, change it to two cores (I also decreased the RAM), power it on and the LCM deployment continued without issue.

I now have a running Log Insight instance, I connected it to vCenter and I’m done!