XenServer Management on Steroids with SCVMM 2012 Part 1
I recently took a deeper dive into XenServer for a large project I’m currently working on, and to my amazement a few features that have been around for a while in other hypervisors were missing in XenServer. I could go into some other features, but the two I want to focus on, which were hindering me in this project, were the lack of advanced delegation of administration and the lack of host affinity rules once Workload Balancing was enabled. I haven’t had a chance to test it, but Arjan Beijer (@arbeijer) mentioned on Twitter that through the command line he was able to set affinity rules even though Workload Balancing was enabled. If this is true, great, but it is still Mickey Mouse from a usability perspective. 🙂
To give you a brief background on these two features:
Lack of delegation of administration. Without going into the nuts and bolts, XenServer offers RBAC (Role Based Access Control). Both CTX126442 and CTX126441 dig into each of the roles and how they can be applied. They even go into how to create custom roles! At first I was like AWESOME! But once I dug in I quickly realized roles were applied POOL WIDE!! (Please take a second and re-read this last sentence… POOL WIDE) So what that means is, if I take the time to create a new role which locks a specific user group down to only power operations and snapshotting, guess what… that group gets it for every VM in the POOL! There is no ability, as in VMware vCenter (YES, I said it…), to create folders and assign roles to folders, or to any object for that matter. The goal I was looking to accomplish was to allow specific admin groups access only to their specific virtual machines. This way, when they log into XenCenter, they only see their VMs.
This was a major blocking point in my project. I was in disbelief at first, so I did some more research and came across XenServer’s Web Self Service Appliance! Cool concept, VERY easy to install. In short, it provides web-based access to your VMs, remote access, and power operations, and I could even hide VMs from other admins. Even though it was pretty neat, it was missing many of the features which XenConsole provides: SR management, snapshotting, VM resource management, etc. So I had to toss this idea out…
Lack of Host Affinity rules – XenServer provides a feature for you to tie a virtual machine to a specific host, also known as the home server. This is nice, especially when you’re working with critical servers which provide HA functionality inside of the OS, for instance Citrix’s Desktop Delivery Controllers, Provisioning Server, etc. These VMs should not be on the same host as each other. In some cases you might have two on the same host, but what’s important is that the other infrastructure VMs which would be the HA partners aren’t allowed on the same host. This is done by host affinity rules. VMware does this through DRS rules. XenServer has DRS-type functionality with the Workload Balancing appliance, but from what I can see it hinders your ability to apply affinity rules.
Hence System Center Virtual Machine Manager 2012…
Due to the size of this article I decided to split it up into 7 parts. I’ll release a part every few days.
- Part 1 – SCVMM 2012 supplemental pack installation
- Part 2 – Adding your XenServer hosts to SCVMM
- Part 3 – Creating your Private Cloud – Delegation of Administration
- Part 4 – Assigning resources & Defining roles in your Private Cloud
- Part 5 – Configuring App Controller 2012 – Self-Service
- Part 6 – Creating Resource affinity rules AKA Custom Placement Rules
- Part 7 – SCVMM & App Controller 2012 SP1 + XenServer 6.1 updates
Before I jump into the meat of setting everything up, I wanted to cover a few gotchas upfront, especially if you decide to just look at the pictures and get started. 🙂
1. SCVMM 2012 has an issue with a recent Microsoft update (KB258552) which breaks Windows to Linux host communication. After some research I came across the following article: VMM is unable to complete the request / VMM cannot establish a trust relationship for the SSL/TLS secure channel, which explained exactly what I was going through. I uninstalled the update and all was well. I later found Microsoft’s KB2728902, which acknowledges this issue and provides a workaround. Unfortunately the link provided in that KB article for the registry workaround is broken; the correct link is KB2643584. Please review both KB articles. Microsoft also posted a TechNet blog on this issue. As suggested in the article, I enabled the registry fix, which also solved the problem.
2. If you would like to manage the XenServer hosts by DNS name and use secure communication, your certificate must contain the FQDN for SCVMM to communicate with your hosts. You also must import the XenServer cert into your personal trusted store for the computer. By default, when you install XenServer, the self-signed certificate contains the IP address of the host. In order for it to communicate correctly with SCVMM you will need to regenerate the certificate using the FQDN. I cooked up a quick script to automate the steps required for regenerating the certificate on the XenServer host. See the “Manual installation of Supplemental Pack” section below for the script.
3. If you are installing SCVMM for the first time, DO NOT use a hostname with *-SCVMM-*, so basically SCVMM in between two dashes. Your install will fail. After some research, I see multiple people have had this issue since SCVMM 08R2, and it still exists today. Two dashes are fine for any other hostname as long as it’s not SCVMM. I came across this article when troubleshooting, and if you look in the comments, a few people mentioned they saw the same issue in SCVMM 2012. It would be nice if a KB was created for this issue.
4. As a side note: the SCVMM Self-Service portal is no longer under development; it is being deprecated. App Controller will be the permanent replacement. You can find out more about App Controller below under the Configuring App Controller 2012 section.
Prepping for your Management steroids. (Pre-Workout)
Before we can dive into the workout and get pumped on management steroids we will need to take care of a few pre-work steps.
SCVMM 2012 Supplemental pack Installation
There are two main methods to install a supplemental pack in XenServer. I’ll quickly go through both methods.
Both options require you to download the XenServer-6.0.2-integration-suite from the Citrix website, www.citrix.com/downloads. In order to download, you will be required to log in with your MyCitrix account. Once you’re logged in, under the downloads section click the drop-down button and select “XenServer”. As you can see in the screen shot below, you will be taken to a page which contains all of the XenServer downloads. Expand “Citrix XenServer” and download the “Microsoft Systems Center Integration Pack 6.0.2”. Once this is complete, you can proceed to either Option 1 or Option 2 for the installation.
Option 1: Install during XenServer installation.
Most of you have seen this method, and might not even have realized it before. Below I’ll show you three screen shots which show how simple it is to install the supplemental pack during the XenServer installation. This method should be used if you’re working with a brand new host installation of XenServer.
1. During the installation of XenServer you will be prompted to install Supplemental Packs. This is the point when you will need to either insert your XenServer-6.0.2-integration-suite CD or attach the ISO to your console session. Once this is complete, select “YES”. This is shown in Figure 1 below.
2. Once the supplemental pack is loaded you will see a prompt showing that the “XenServer Integration Suite” was found. This is shown below in Figure 2. Click “Use” to continue on with the installation.
3. The install goes pretty quickly. Once it’s complete you will be asked if you would like to install additional Supplemental Packs, as seen in Figure 3. If you have no more to install, then at this point it’s safe to click “Skip”. This will continue on with the XenServer installation like normal. Further down in this section we will discuss how to tell if your SCVMM integration pack is working correctly.
Option 2: Manual installation of Supplemental Pack.
1. Upload your XenServer-6.0.2-integration-suite.iso to each XenServer host in the pool. I suggest uploading it to a newly created directory under /tmp called scvmm. You can upload the ISO with any of the many SSH/SFTP clients out there: WinSCP, Transmit, SCP, etc. It doesn’t matter which client you use as long as the ISO file is uploaded to the /tmp/scvmm directory. Once this is complete, proceed to step two.
Now that you have your Supplemental Pack ISO uploaded to your XenServer hosts, you need to decide whether to proceed with the next few steps or jump right to Step 6, which goes into mounting and installing the pack. If you are looking to connect to your hosts via their FQDN, then you should proceed in order. If you couldn’t care less about DNS names, and don’t mind managing your hosts by IP in the console, then jump ahead to the installation of the pack section.
2. By default, if you do not pre-create the A record in DNS for your XenServer hosts, or do not include the DNS server’s IP, XenServer will self-sign its certificate with its IP address. This is fine if you’re planning on managing the hosts by IP, as the IP on the cert and the IP typed in the browser will match. If you plan on using secure communication and DNS names for your XenServer hosts and the steps mentioned above aren’t complete, communication to the host will fail because the FQDN doesn’t match the cert. Since you have chosen to proceed with DNS names for your XenServer hosts, it’s extremely important that your XenServer hosts are named with the FQDN.
In order to verify your XenServer host’s certificate is signed with its FQDN, just enter its FQDN in a web browser, for example: https://ABC-XEN-01.kleinert.lab and make sure there aren’t any certificate warnings. If there is a warning, click “Continue to this website (not recommended).” to enter the website, then click the Certificate Error in the Security Status bar and select “View certificates”. You should see your XenServer host’s FQDN; if you don’t, then proceed to running the script (scvmm-prep.sh) mentioned below. If your XenServer host’s certificate is signed with its FQDN you can skip steps 4 and 5 and jump ahead to the Supplemental Pack ISO Install section below.
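A command-line version of the browser check above, as an added example that is not part of the original post or of scvmm-prep.sh: it classifies the subject line of a host certificate against the FQDN SCVMM will use. The function names and sample subject lines are constructed for illustration, and only the subject CN is examined.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). To feed it a live subject line:
#   openssl s_client -connect "$fqdn:443" </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject

# Extract the CN from one line of "openssl x509 -noout -subject" output.
# Handles the older "/CN=value" layout and the newer "CN = value" layout.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Print one of: match | ip-only | mismatch | no-cn
classify_cert() {
    local subject="$1" fqdn="$2" cn cn_lc fqdn_lc
    cn=$(cert_cn "$subject")
    [ -n "$cn" ] || { echo "no-cn"; return; }
    # DNS names compare case-insensitively (ABC-XEN-01 equals abc-xen-01).
    cn_lc=$(printf '%s' "$cn" | tr 'A-Z' 'a-z')
    fqdn_lc=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
    if [ "$cn_lc" = "$fqdn_lc" ]; then
        echo "match"
    elif printf '%s' "$cn" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "ip-only"    # default self-signed case: cert names the host IP
    else
        echo "mismatch"   # cert names some other host
    fi
}

# Constructed sample subject lines (not captured from a real host).
FQDN="ABC-XEN-01.kleinert.lab"
for subject in \
    "subject= /CN=10.0.0.5" \
    "subject=CN = abc-xen-01.kleinert.lab" \
    "subject=CN = other.kleinert.lab, O = Lab"
do
    printf '%-45s -> %s\n' "$subject" "$(classify_cert "$subject" "$FQDN")"
done
```

A result of ip-only is the situation in which the certificate needs to be regenerated with the FQDN before SCVMM can connect by DNS name.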
I happened to be having communication issues between my SCVMM server and XenServer host. After doing some research I came across this article, which dove into the steps to change the hostname and regenerate your cert. I decided to take the steps and cook up a quick bash script to perform the tasks, and additionally prompt the end user for the FQDN and change the hostname. A future release will download, mount, and install the ISO. The bash script can be downloaded at SCVMM-Prep Script.
3. The next step is copying the scvmm-prep.sh shell script to the /tmp directory on your XenServer hosts. Once the file is copied, SSH into your XenServer host, cd over to /tmp, and run chmod +x scvmm-prep.sh to make the script executable.
4. As you can see in Figure 4 below, in order to execute the script you will need to type ./scvmm-prep.sh. It will fail if you have not made the shell script executable by running chmod +x on it. Once executed, you will be prompted to enter your host name. Type the FQDN of your XenServer host and press enter. You will then be prompted to validate that the host name entered is correct. It’s important to enter either Y or N; the answer is case insensitive. Typing “Y” will proceed on with the script. If you type “N” you will see a screen like Figure 5. The script will loop until the hostname is validated.
5. Once you type “Y” to validate your hostname you will see a screen like Figure 6 below. At the bottom you will see “Scvmm-Prep Complete Type Http://<HOSTNAME> in web browser – Validate the FQDN is displayed on certificate”. This is how you will know the script ran successfully. In order to verify your hostname was changed you can run an xe host-list command on your XenServer host.
Supplemental Pack ISO Install:
6. Once you have completed the prerequisites for the manual installation, it’s time to actually mount the ISO and run the installer. Below you will find the commands required to mount the ISO. A screen shot of the commands to run is below in Figure 7. Once the ISO is mounted, typing ./install.sh will kick off the installer script. Pay attention to the next step, it’s VERY important.
mount -o loop /tmp/scvmm/XenServer-6.0.2-integration-suite.iso /tmp/scvmm
The installation of the supplemental pack takes about 2-3 min. Be careful NOT to try and escape the process, it will break the install. At that point you are hosed, as there is no supported way to uninstall the supplemental packs. I tried to go down the RPM route to uninstall and everything went ape. From here, this would require a re-install of the XenServer OS. At that point, I would just install the SCVMM supplemental pack during installation.
As seen in Figure 8 – The installation can take from 2-3 min so PLEASE be patient. I ran into not being patient and I can tell you from experience, unless you completely rebuild the host you will not get the SCVMM agent to start. I put a call into Citrix Support, and they mentioned the same thing.
Once your pack is installed, you will need to test communication from your SCVMM server. To test remote communication to your hosts, and to ensure the supplemental pack was installed correctly, run the following winrm command from the command prompt. Note that -skipcacheck and -skipcncheck turn off the certificate CA and name checks for this test, so a response confirms the agent is reachable, not that the host certificate is trusted.
-r:https://<HOSTNAME>:5989 -encoding:utf-8 -a:basic -u:<ROOT USER>
-p:<PASSWORD> -skipcacheck -skipcncheck
If you have successful communication to your host you will get a response in the command window which contains information about your hosts. Similar to what you see below in Figure 9:
App Controller 2012 Installation – In order to provide the advanced delegation of administration XenServer lacks, either the Self-Service Portal or App Controller is required. I chose to focus on App Controller as it’s the successor to the Self-Service Portal. I’m not going to dive into the installation, because there are plenty of articles out there going over it. Instead, I’ll point you to a few good resources. I will say the installation is VERY straightforward, and will install the prerequisites for you (.NET 4, IIS role, Silverlight) if they are not installed already.
I should also note, if you’re testing in the lab, you should be aware that only one instance of App Controller can be installed per SQL instance. This is detailed in the official TechNet documentation below.
- Understanding App Controller 2012 – Great Overview
- Microsoft TechNet App Controller 2012 Installation – Official Installation Instructions
- Installing App Controller 2012 – Great Overview
That’s it for Part 1. In Part 2, “Adding your XenServer Hosts to SCVMM”, we will start digging into the management workout! This is my first post in over a year. I’d like to take a second and toss a big thanks to both Jarian Gibson (@jariangibson) and Dane Young (@youngtech): Jarian for giving me the kick to get back to blogging again and for reviewing this post, and Dane Young as well for reviewing this post and giving me the opportunity to post on ITVCE.com. Please make comments and suggestions, as they will help me grow as a blogger as well as an engineer! Till next time!