Wednesday, November 30, 2022

Aria Automation and Azure DevOps, better together

In an always-evolving world, companies of all sizes are constantly looking for ways to increase their agility in delivering services and solutions.


One of those services is Azure DevOps, a platform that supports a collaborative culture surrounded by a toolset of pipelines, version control, reporting, release management, automated builds, and testing, bringing together developers, project managers, and contributors to improve products at a faster pace.

That's all great, but everything has a start! Before anyone can begin to contribute and create new things, you first need to set up such a working environment.

Of course, you don't want to rely on ticketing systems and manual tasks, which take days to provide such environments while keeping your developers idle and frustrated when they are eager to start creating those new, unique solutions.

That's where VMware Aria Automation comes to the rescue: a multi-cloud platform that delivers self-service, repeatable and standardized solutions at your fingertips, Azure DevOps projects included.

Leveraging the Terraform provider for Azure DevOps, it did not take me more than 40 minutes to create an initial implementation; let me show you how.

Aria Automation is built so that you do not have to put your credentials in the Terraform configuration file; instead, it uses the project's cloud account constructs to look up the credentials, based only on the provider section of the cloud template. Unfortunately, at the moment Aria Automation only supports the aws, azurerm, google, and vsphere providers this way.

So, how do we make use of the azuredevops provider?

Luckily, this provider accepts the organization URL and the personal access token (PAT) directly in the Terraform configuration, so we only need to remove the provider section from the cloud template entirely and let the Terraform configuration file do its job. One caveat: a PAT written as a literal into a .tf file is stored and shared wherever that file goes (version control included), so pass it in through a variable marked sensitive instead, and issue the token with only the Azure DevOps scopes that project creation needs.

Now my developers and project managers can order new Projects, select the features they want, like Boards, Artifacts, Pipelines, Test Plans, and Repositories, and start working in a matter of minutes.
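Here is an added example of what such a Terraform configuration can look like when the PAT is kept out of the file. It is not the post's own code nor VMware's: the file layout, variable names, the 0600 PAT file and the feature defaults are assumptions, and the shell wrapper only shows how the secret reaches Terraform through a TF_VAR environment variable (the provider also reads AZDO_ORG_SERVICE_URL and AZDO_PERSONAL_ACCESS_TOKEN on its own when the provider block leaves them unset).

```shell
#!/bin/sh
# Added example for the Azure DevOps project offering described above; it is not the
# post's own code. File names, variable names and feature defaults are assumptions.
set -eu

# Prints a Terraform configuration that carries no credentials. The org URL and PAT
# arrive through variables (the PAT marked sensitive so it is redacted from plan output).
project_config() {
  cat <<'EOF'
terraform {
  required_providers {
    azuredevops = {
      source = "microsoft/azuredevops"
    }
  }
}

variable "azdo_org_url" {
  type        = string
  description = "Organization URL, for example https://dev.azure.com/<org>"
}

variable "azdo_pat" {
  type      = string
  sensitive = true # never a default, never a literal in this file
}

variable "project_name" {
  type = string
}

# Which services the requester ticked in the catalog form (defaults are assumptions).
variable "features" {
  type = map(string)
  default = {
    boards       = "enabled"
    repositories = "enabled"
    pipelines    = "enabled"
    testplans    = "disabled"
    artifacts    = "enabled"
  }
}

provider "azuredevops" {
  org_service_url       = var.azdo_org_url
  personal_access_token = var.azdo_pat
}

resource "azuredevops_project" "this" {
  name               = var.project_name
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
  features           = var.features
}
EOF
}

# Writes the configuration into a working directory and prints the path of the .tf file.
write_project_config() {
  dir=$1
  mkdir -p "$dir"
  project_config > "$dir/main.tf"
  echo "$dir/main.tf"
}

# Guard: fail if any .tf file under the directory assigns personal_access_token a
# string literal. Such a PAT travels with the file to every clone and backup.
assert_no_inline_pat() {
  if grep -Rqs 'personal_access_token[[:space:]]*=[[:space:]]*"' "$1"; then
    echo "refusing: a personal_access_token literal is hard-coded under $1" >&2
    return 1
  fi
}

# Runs a plan with the PAT read from a mode-0600 file (or any secret store) into a
# TF_VAR; nothing secret is written to the working directory. Invoke explicitly.
plan_project() {
  workdir=$1; pat_file=$2; org_url=$3; project=$4
  assert_no_inline_pat "$workdir"
  TF_VAR_azdo_org_url="$org_url" TF_VAR_azdo_pat="$(cat "$pat_file")" \
  TF_VAR_project_name="$project" terraform -chdir="$workdir" plan
}
```

Usage from a control host: `write_project_config ./azdo-project` and then `plan_project ./azdo-project /root/.azdo_pat https://dev.azure.com/<org> my-new-project`; the guard makes the plan refuse to run if someone later pastes a token into the configuration.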


 

New Project has been created as requested.

 

This code sample can be found in my GitHub repository.



 

Thursday, October 13, 2022

SaltStack firewall rules

Recently I've been working with a customer to showcase the security capabilities of Aria Automation for Secure Hosts (formerly SaltStack SecOps), which I would describe as two distinct modules:


Vulnerability:  

Allows the security and IT teams to scan systems and detect the security advisories that apply to them, each referencing Common Vulnerabilities and Exposures (CVE) identifiers; based on those findings you can remediate the affected systems with a click of a button.





Compliance:

Leveraging best practices and hardening guides, such as CIS and NIST, it allows you to define policies based on those benchmarks or even create your own custom policy. After defining a policy you can assess your environment to find non-compliant systems and remediate them instantly, improving the security posture of your environment.


I'm almost at the point of this post:

Where does Aria Automation for Secure Hosts get all this information from?


To make sure the solution has the most up-to-date security information, the RaaS service checks daily for the latest benchmarks and security advisories, along with the software packages or versions that fix them.


Luckily, VMware consolidates the CVE content from multiple vendors into a central location, so you do not need to open outbound access to several vendor sites. You only need to allow the RaaS server to reach:


https://enterprise.saltstack.com/secops_downloads - for Compliance content.

https://enterprise.saltstack.com/vman_downloads - for Vulnerability Management content


You can double-check those URLs in the RaaS configuration file, /etc/raas/raas.


One caveat: the RaaS service itself does not pick up system-wide proxy settings, so if you have to go through a proxy, remember to configure the proxy in the RaaS service configuration; this is well documented in the section Ingesting content via http(s) proxy. Keep in mind that a successful curl from the appliance shell only proves that the shell's proxy variables work, not that RaaS can reach the content, so verify from the product itself after configuring it.


That's all, keep your environment safe folks !!!

 

Monday, September 26, 2022

Demystifying Aria

A few weeks ago Raghu, during his general session at VMware Explore, unveiled VMware Aria on the main stage, exploring how it can bring peace to the Cloud Chaos caused by the great but still disorganized cloud adoption of the past few years, which has led companies of every size to live with a disparate set of tools, siloed teams, misconfigurations, lack of compliance and even high, unnecessary spending. You can still catch the replay here.



First and foremost, what does Aria mean?
It has a musical meaning: the word describes a piece for a solo voice, usually with instrumental accompaniment, and usually part of a longer work, like an opera. Sing with One Voice.

It makes perfect sense, because VMware Aria is all about bringing everything together, from cost and performance to configuration, into a single central management console, something that has not been seen before.

Another common mistake is to think it's a simple rebrand of vRealize Suite. Not the case!!
Although VMware Aria builds on several solutions you already own and love, meaning you can leverage everything you have built so far, including the knowledge you acquired along the way, it also brings to the table new groundbreaking technology such as Aria Hub and Aria Graph.

Let me give you an overview of the entire VMware Aria portfolio:

Aria Hub: That's the centralized multi-cloud management portal where you can see and manage your entire fleet of apps, from Cloud Native to on-prem workloads. Along with your App details, you will see dependencies/relationships, cost, performance metrics, security information, and more without the need to jump from screen to screen;



Aria Graph: the database powering Aria Hub. Designed for the challenges of the cloud world, being able to ingest billions of data points from different sources, and correlate and federate them in a way to make consumption much easier.

Aria Guardrails: a high-level policy definition to enforce your desired state on your environment, network, cloud accounts, organizations, and more. But also to be able to remediate your settings as drift occurs;

Aria Business Insights: dozens of events and alerts arrive these days from different sources. Which one is critical? Which one is relevant? Which one is simply noise? That's the goal of this component, leveraging ML to present the relevant insights so you can take action to remediate your app, whether it is a performance anomaly, a sudden cost increase, or even a security vulnerability;

Aria Migration: designed to help migrate your workloads to the cloud taking into consideration cost, performance impact, and dependencies,  allowing you to schedule when the migration will occur. All of this with a rich set of pipelines for you to customize adding extra steps and approvals along the way;

Aria Cost (formerly CloudHealth): a complete FinOps platform that simplifies financial management, streamlines operations and improves cross-organization collaboration across multi-cloud environments;

Aria Automation (formerly vRealize Automation): modern automation platform allowing self-service cloud consumption with governance and DevOps-based infrastructure management;

Aria Automation Assembler (formerly Cloud Assembly): part of Aria Automation in charge of the creation and design of end-to-end services and offers to be consumed by end-users;

Aria Automation Consumption (formerly Service Broker): part of Aria Automation responsible for Catalog presentation, approval policies and governance;

Aria Automation Pipelines (formerly Code Stream): part of Aria Automation providing pipelines services for CI/CD activities;

Aria Automation Config (formerly SaltStack Config): VMware's configuration management solution to configure systems, install products on demand, enforce policies and guidelines, and run vulnerability and compliance checks and remediation;

Aria Automation Orchestrator (formerly Orchestrator): it's a long-time VMware veteran in charge of extensibilities beyond what's provided out of the box, with hundreds of plugins available so you can extend your solution far beyond;

Aria Operations (formerly vRealize Operations): enables self-driving IT Operations delivering continuous performance, capacity and cost optimization;

Aria Operations for Applications (formerly Tanzu Observability and before that Wavefront): provides unified observability for your applications, covering metrics, logs, traces, and events from a single source of truth, for greater business agility with unmatched scalability in the millions of points per second;

Aria Operations for Logs (formerly vRealize Log Insight): Centralized log management with deep operational visibility and intelligent analytics for troubleshooting and auditing;

Aria Operations for Networks (formerly vRealize Network Insight): Manage your network at scale with intelligent application discovery, analytics and troubleshooting to help you identify trends, patterns and even not allowed traffic;

Aria Operations for Integrations (formerly vRealize True Visibility Suite): extends Aria Operations with data depth and context for additional solutions, like physical storage, applications, networks and more;

Aria Operations for Secure Clouds (formerly CloudHealth Secure State): find risks and misconfigurations by visualizing and correlating resources, for faster response and remediation to protect your cloud environments;


If you got this far, thanks a lot. 

I'm sure now you understand how all those details can be brought together for a comprehensive understanding of your applications, making your life much easier !!


Tuesday, September 6, 2022

Beacons as States

Beacons in VMware Aria Automation Config (AKA vRealize Automation SaltStack Config) are a key enabler for creating a self-healing, healthy and stable environment. They allow you to continually monitor events on the minions, like logins, disk and process usage, services, and much more; once a defined activity occurs the beacon notifies the system, and you can then trigger a Reactor, which is the piece that does the remediation/configuration. Reactors are a topic for another post; today let's focus on the beacon itself.

There are a few ways to enable beacons: through config files, Pillar data, or state modules.

Here comes the first challenge: if you look at tutorials and blogs out there, you will only find examples of config file manipulation, either local to the minion or through the file state module.

Second challenge: complexity and scalability.
IMHO, using the file state module is a little complex and requires some extra attention as the solution scales.
Let's take the example of 3 behaviors you want to monitor: A, B, and C (for this example it does not matter what those beacons are).

To cover every possible combination you will need to create 7 different config files to distribute to your minions, depending on the combination of activities you want them to monitor:

file 1: only a
file 2: only b
file 3: only c
file 4: a+b
file 5: a+c
file 6: b+c
file 7: a+b+c

To summarize, to monitor only 3 behaviors you need 7 config files; you can imagine how complex it gets with dozens of individual behaviors to monitor. Plus, when you manipulate the config file you need to restart the salt-minion service for the new beacon to take effect (would that be another challenge?).

Now comes my preferred method: state modules.
You can write an individual beacon for each behavior you want to monitor and apply it whenever you want, without worrying about previously applied beacons or about which combination of the config file you need; it simply adds to the beacons already applied, and because it's applied through a state it is enabled immediately, with no need to restart the service.
Taking the A, B, and C example, you end up with only 3 state files.
 
But now here comes another challenge: there are not many examples of beacon state files out there.

Even though they look pretty much like other states, I usually have a hard time getting them right, so I decided to share the syntax.




1 - The state ID; it can be anything you want, or simply the name of the beacon module;
2 - This one is self-explanatory, right?! It's the beacon state (beacon.present);
3 - The name of the beacon module you want to monitor with;
4 - save writes the beacon to the minion's local config file so it persists across restarts; otherwise the beacon is only active for the minion's current session;
5 - enable means enable, right... why create something if you will keep it disabled;
6 - Extra parameters the module might require.

if you are looking for some other examples, check my GitHub repository.

Now, it's your turn, tell me how you manage beacons in your environment.

 

Monday, August 22, 2022

VMware Explore recommended sessions



 
VMware Explore is right around the corner, from August 29th to September 1st. If you are like me, you are planning your time to get the best from the event by attending the sessions and talks that most align with your challenges and interests.
 
Content Catalog is already available, but sometimes it's hard to find the session you need among so much great content.
You won't miss the General Sessions, right... right?!?
That's why I'm sharing the best Cloud Management sessions out there, enjoy it !!!
 
Tuesday, Aug 30
 
Wednesday, Aug 31
 
Thursday, Sep 01
 
 
If you still have some free slots, here's a list of some nice Hands-on Labs where you can practice the cool stuff:

 
It's not a definitive guide; of course there is plenty of other great content available, and it really depends on where you are in your cloud adoption journey and the level of knowledge you already have.
 
Share on the comments other sessions we cannot miss !!!



Monday, June 13, 2022

Cloud Assembly - Kubernetes EXITED

For the past few days my vRealize Automation Cloud has been broken, mainly because there was an error with my Cloud Proxy preventing it from connecting back to my on-premises vCenter.

Checking the Cloud Proxy details, I could see that Cloud Assembly - Kubernetes (cloudassembly-cmx-agent) had an EXITED status.



Even though the UI logs provide a clear error message, "Error generating auth token, status code: 400", I still had no idea how to fix it.

Checking the container's log directly on the Cloud Proxy showed the same message.




I was running out of ideas, since my searches turned up nothing: no public KB, internal material, documentation or blogs out there... nothing related to this error and how to fix it.

Of course I tried to start the container again, rebooted the appliance and even provisioned a few extra Cloud Proxies, all with the same error.

At this point it made me think it was something else, maybe environmental... that's when it struck me: my whole lab lives inside a bubble, including my internal NTP server.

Checking this baby, I realized it was 5 hours behind... which had not caused any issue for my systems, but since the Cloud Proxy connects back to the external world... it might be it. With little hope I adjusted my NTP server's time and synchronized everything back to it.

As you might guess, cloudassembly-cmx-agent was back up and running.

Yeah I know... sometimes it's the basics. Time-limited auth tokens are validated against the issuer's clock, so a skew that large makes every token request fail even though nothing else in the lab notices. The whole point of this post is to document that such an unusual error message could simply be your time settings, and hopefully it will save you some precious troubleshooting hours.
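Below is an added pre-flight check, not from the post, that I would run on the appliance before chasing auth-token errors again: it reads the offset reported by chronyc and fails when it exceeds a limit. Using chrony and a 300-second limit are assumptions (on appliances synced by systemd-timesyncd, timedatectl reports the sync state instead); the sample output is constructed to mirror the five-hour skew described above.

```shell
#!/bin/sh
# Added example, not from the post: a clock-skew pre-check for the appliance, to run
# before chasing token errors. The 300-second limit is an assumption; NTP normally keeps
# the offset in the millisecond range.
set -eu

MAX_SKEW_SECONDS=${MAX_SKEW_SECONDS:-300}

# Reads `chronyc tracking` output on stdin and prints the offset from NTP time in whole
# seconds, taken from the line "System time : 18000.2 seconds slow of NTP time".
clock_offset_seconds() {
  awk '/^System time/ { off = $4; sub(/\..*$/, "", off); print off; exit }'
}

# Returns 0 when the offset on stdin is within MAX_SKEW_SECONDS, 1 otherwise (also 1
# when the line is missing, e.g. chronyd not running, which is itself worth knowing).
skew_ok() {
  off=$(clock_offset_seconds)
  [ -n "$off" ] && [ "$off" -le "$MAX_SKEW_SECONDS" ]
}

# Constructed sample resembling the lab's state in the post: five hours (18000 s) behind.
sample_tracking_five_hours_slow() {
  cat <<'EOF'
Reference ID    : C0A80A05 (192.168.10.5)
Stratum         : 3
System time     : 18000.213456 seconds slow of NTP time
Last offset     : -0.000123 seconds
Leap status     : Normal
EOF
}

# Live check on the appliance: prints a verdict and returns 1 on excessive skew.
check_local_clock() {
  if chronyc tracking | skew_ok; then
    echo "clock within ${MAX_SKEW_SECONDS}s of NTP time"
  else
    echo "clock skew above ${MAX_SKEW_SECONDS}s (or no NTP sync): fix time before debugging auth errors" >&2
    return 1
  fi
}
```

`check_local_clock` is the only function that talks to the live system; the others work on any captured output, so the same check can be run against the NTP server itself.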

See you guys


Friday, April 1, 2022

vRealize Automation fails to remove machines from Ansible Inventory

Recently I've been working with one of my customers to create a fully automated offering on their Cloud Management Portal for their end users to consume.
vRealize Automation (vRA) is their cloud management platform of choice, not only because of its multi-cloud, governance and ease-of-use capabilities, but also because of its powerful extensibility options, providing all the integrations and automation needed to deliver fully compliant and customized workloads ready for production.

For configuration management they decided to use Ansible playbooks, which is not a problem for vRA thanks to its native integration. So when a VM gets created, some playbooks run to harden the VM and apply configuration; so far so good.

But when deleting the VM we got an error: the VM could not be deleted because it was not possible to remove it from the Ansible inventory first.
Checking the vRA deployment logs we can see: Unable to parse inventory to obtain existing groups JSON for host : "hostname" in inventory "invetory_path". Ensure inventory is valid and host exists. Refer to logs located at: var/tmp/vmware/provider/user_defined_script/<Deployment ID> on Ansible Control Machine for more details.


Checking the Ansible Inventory we confirmed the VM is still in there and vRA Deployment could not proceed to delete the VM.

First we made sure all the requirements were in place. They were!!

But what stood out was the message that it could not parse the JSON. Is there anything wrong with the JSON?

So we went back to Ansible and ran the same query through the json callback to make sure it returns the right information:
ANSIBLE_STDOUT_CALLBACK=json ANSIBLE_LOAD_CALLBACK_PLUGINS=true ansible "VM" -m debug -a var=group_names -i "inventory_path_file"

To our surprise, there was an extra line outside of the JSON with the timer information.




It might be something in Ansible's configuration!!!
After some serious analysis and testing we found a configuration section about callback plugins, and one of the enabled plugins was timer.



So we removed timer from the callback_whitelist option.



Running the callback command again, we confirmed that the output is now clean JSON and the vRA deletion worked as expected.
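To make the failure mode concrete, here is an added example (not the customer's or VMware's code) that reproduces it on constructed data: the timer callback appends one plain-text line after the JSON document, a strict parser chokes on the whole stream, and the fix is to drop timer from callback_whitelist (spelled callbacks_enabled in newer ansible-core). The sample output and ansible.cfg are constructed; the hostname web01 and the inventory path are placeholders.

```shell
#!/bin/sh
# Added example (not the post's or VMware's code) for the callback problem described
# above. The sample callback output and ansible.cfg below are constructed.
set -eu

# Keeps only the JSON document emitted by the json stdout callback: from the first line
# that is a bare "{" up to the first bare "}", which closes the top-level object in
# pretty-printed output. Anything another plugin prints after it is dropped.
extract_json() {
  awk '/^[{]/ { inside = 1 } inside { print } /^[}]/ { exit }'
}

# Returns 0 when stdin is nothing but the JSON document, which is what a strict
# parser (like the one vRA uses on the inventory groups) requires; 1 otherwise.
callback_output_is_clean() {
  raw=$(cat)
  [ "$raw" = "$(printf '%s\n' "$raw" | extract_json)" ]
}

# Removes "timer" from callback_whitelist (or its newer name, callbacks_enabled) in an
# ansible.cfg read on stdin; every other line is passed through unchanged.
strip_timer_callback() {
  awk -F= '
    /^[[:space:]]*(callback_whitelist|callbacks_enabled)[[:space:]]*=/ {
      key = $1; gsub(/[[:space:]]/, "", key)
      n = split($2, parts, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", parts[i])
        if (parts[i] != "" && parts[i] != "timer")
          out = out (out == "" ? "" : ", ") parts[i]
      }
      print key " = " out
      next
    }
    { print }
  '
}

# Constructed stand-in for the output of
#   ANSIBLE_STDOUT_CALLBACK=json ANSIBLE_LOAD_CALLBACK_PLUGINS=true \
#     ansible web01 -m debug -a var=group_names -i inventory
# with the timer callback still enabled: one extra line follows the JSON.
sample_callback_output() {
  cat <<'EOF'
{
    "plays": [
        {
            "play": {"name": "Ansible Ad-Hoc"},
            "tasks": [
                {"hosts": {"web01": {"group_names": ["web", "prod"]}}}
            ]
        }
    ],
    "stats": {"web01": {"ok": 1}}
}
Playbook run took 0 days, 0 hours, 0 minutes, 1 seconds
EOF
}

# Constructed ansible.cfg with the offending option.
sample_ansible_cfg() {
  cat <<'EOF'
[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False
callback_whitelist = timer, profile_tasks
EOF
}
```

On the real control machine, `strip_timer_callback < /etc/ansible/cfg.bak > ansible.cfg` applies the fix, and piping the live callback command into `callback_output_is_clean` confirms it before you retry the deletion in vRA.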


Curiously, this requirement is not in the vRA Ansible requirements documentation. To be honest I'm not sure whether it was something specific to this customer's implementation or Ansible version, but I'll mention it internally, possibly for a bug fix. Either way, now you know how to fix it.

A shout-out to my buddy Sean Leahy, who worked with us all the way on this journey.




Wednesday, February 16, 2022

Tanzu Kubernetes Cluster creation stucks

 

I've been playing with Tanzu Kubernetes Clusters (TKC) on vSphere with Tanzu since vSphere 7.0 GA. Recently, to be honest for a few months now, I could not create any Guest Clusters anymore; it does not matter whether I use the v1alpha1 or the new v1alpha2 API, and it does not matter whether my environment is based on NSX or vDS.

When I try to create my Guest Cluster the control plane gets provisioned and customized successfully, but nothing else happens: my worker nodes are never provisioned and the cluster status remains in the creating phase.
 


The only message I see is in vCenter: error creating client and cache for remote cluster. Error creating dynamic rest mapper for remote cluster. Get "https://10.40.14.67:6443/api?timeout=10s": dial tcp 10.40.14.67:6443: connect: connection refused.
 


I did countless tests until I finally found the issue.
In my descriptor file I was using a custom VM Class; you might remember, I wrote about it too.
It turns out there's a bug when using a custom VM Class with Guest Clusters: when I went back to using the built-in ones, my cluster got created successfully.
 

 
Until this bug is fixed, make sure you are using the built-in VM Classes instead of custom ones.
I hope this post helps someone; it took me literally months to figure this out.

See you next


Friday, February 4, 2022

VMware Identity Manager and Delegate IP

While working with one of my customers to deploy a new automation platform (vRealize Automation), which will provide and manage multi-cloud resources on AWS, Google and vSphere for hundreds of end users through a real self-service portal that gives them freedom and agility, we decided it was a good idea to make this solution highly available.

You might recall when I talked about scaling out VMware Identity Manager, vIDM, to provide high availability. At that time I covered mostly the load balancer health checks for the services, but there's an extra requirement: the delegate IP.

First thing first, what is delegate IP ?

When you run vIDM in cluster mode, it also clusters its internal Postgres database; the delegate IP is the address of the active database node that receives the requests, and it floats between the nodes when needed.

So far so good, but what's the problem ?

What was not clear is whether this delegate IP needs an external load balancer or not. In fact, the documentation points to the Identity Manager load balancing documentation... and to your surprise, there's no mention of requirements to set up this service.

A more detailed document about vIDM load balancing needs shows no evidence of the need for it either.

So, to solve anyone's doubt.

There's NO need for an external load balancer for the delegate IP, the nodes themselves will manage it.

You still need an extra free IP on the same segment where your vIDM nodes are provisioned.

be safe people !!!


Tuesday, January 18, 2022

VMware on the Road - January 2022

There's no doubt VMware is an innovation machine, releasing new features, functionalities and products on a scale that's not possible to keep up with closely, so every couple of months I create a kind of newsletter with what I believe to be most relevant to share with my customers.

I decided to share it here for easier access. There's one downside... it's in Portuguese... yeah, I know, this content is more appropriate for my Brazilian readers ; )


It is with great hope for better days that we begin this year of 2022, which, like the previous years, is full of challenges and opportunities ahead.

I hope you had the chance to spend the year-end holidays in good health and with your loved ones, and that 2022 brings prosperity to all.

Keep taking care of yourselves, and let's go, the year has already started!!!


Log4J

I could not start this newsletter with any topic other than the vulnerability in Log4j, an open-source Java component. In December we were all caught by surprise by the disclosure of this zero-day vulnerability, impacting several (not to say all) technology vendors around the world, not to mention in-house applications. What started as a single vulnerability (CVE-2021-44228) soon branched into others (CVE-2021-45046 and CVE-2021-45105).

VMware mobilized quickly to provide relevant information and containment measures while developing and testing fixes for the affected products. If there are still unpatched systems in your environment, we STRONGLY recommend patching them as soon as possible, and to help you, here are the most relevant links on the subject:

 


News

We recently announced version 3.2 of NSX-T, one of the biggest evolutions in recent times, with improvements ranging from multi-cloud management and scalability to, above all, security.

See how Network Traffic Analysis (NTA) and sandboxing integrated with the distributed firewall identify anomalous behavior and attacks on your network, eliminating traffic mirroring or hairpins, as well as provisioning of NSX Advanced Load Balancer through NSX Manager; see all the innovations in the article.

 

VMware HCX is a crucial component in our customers' journey to the cloud, enabling application mobility without the need to change addressing.

Besides improvements in its migration capabilities, with a more accurate estimate of bulk migration time and in the recovery of failed or cancelled migrations, the Mobility Optimized Networking feature was also released, which optimizes traffic routing by eliminating hairpinning or tromboning; see the announcement.

 

Horizon 8 2111 is also available and includes new features for provisioning extended services, security improvements, and user experience improvements. Among them: the Windows OS Optimization Tool for VMware Horizon Fling is now part of the official product, RDSH session recording, Microsoft Teams experience optimization, and more; for the full list see the announcement.

 

  Tanzu 

 

In September 2021 VMware announced the beta of its new Kubernetes-based platform, Tanzu Application Platform, TAP for short.

After numerous improvements over the past months, we are now pleased to announce that the tool is officially Generally Available (GA).

 

Take a look at how the developer experience is improved from the conception of a new project, through code creation, iteration and debugging, up to the moment the code is ready for check-in or merge.

 

 


Not least, TAP also dramatically improves the day-to-day of the platform team (SecOps) by integrating an entire supply chain with tests, vulnerability scanning, image building, and application deployment.
 

  Multi-Cloud


When it comes to multi-cloud, VMware is indisputably the leader, as it is the only one able to provide consistent infrastructure and to operate, modernize and speed up the provisioning of modern applications across any cloud provider and your data center in a simple way, as if they were just one.

Still have doubts?! Why not try it yourself on your preferred provider (or all of them) through one of our free labs ; )

 

In December we also took part in Amazon re:Invent 2021 and had big announcements for the VMware Cloud on AWS platform; no spoilers... but did you see the option to present an NFS datastore to your hosts?! This and much more can be seen in the announcement here.

 

Keep an eye on

 

Don't be left without support!!!

Support for vSphere 6.5 and 6.7 has been extended to October 15, 2022, giving you time to plan and carry out the upgrade; more details can be found in the Lifecycle Matrix.

 

vRealize Automation 8.6 or earlier has an end-of-support date of October 31, 2022; details in the Lifecycle Matrix. We recommend upgrading to the latest version to extend support for the solution, a task that can be greatly simplified and automated with VMware LifeCycle Manager.

 

Start planning the migration/upgrade of your environment today.



 

 

Who am I

I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers embrace the Cloud Era and be successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
