Tag Archives: vRA

vRA SaltStack Config Header

Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 2

The first blog post of this two part series covered getting our vRealize Automation and SaltStack Config environments prepared, a Windows Server template prepared, and a testing a successful deployment that has the SaltStack minion installed.

In this second part, we’ll now focus on setting up out state files to configure the Windows Server to our example requirements and start deploying virtual machines using vRA that are configured by SaltStack Config.

We’ll cover the following areas:

For both blog posts I’ve also recorded an accompanying video detailing the configuration. Below is part two, and you can see the part one video on first blog post.

https://youtu.be/nwmb7HW8zYM

Configure the SaltStack State Files

The main part of SaltStack is the SLS, or SaLt State file. This is a representation of the state in which a system should be in, contains the configuration information that the system should adhere to, or be configured to. By default, a State file is built using the YAML format.

You can read more about State Files on the official Salt website which gives you a good introduction in getting started, and background information on the configuration I am going to detail below.

As a quick overview, but I really suggest you read the above link if this is your first look into Salt.

# The first line is the ID for the data that follows
my_first_state:
# The second line, two space indented, is state module to be run, in the format {module.function}
  service.enabled:
# The third line, four space indented, are the parameters for the state module
    - name: Spooler

Within a state file, you also have the ability to use a templating language, such as Jinja, which is the default for State Files. This language within a state file is evaluated and computed before the YAML itself, making it useful for writing statements, and computing user inputs or dynamic variables. You can learn more about this templating language in the Salt documentation.

For this blog post example, I am going to configure the following file structure, and explain what is going on in each step. I think the naming makes it obvious which configurations I’ll be passing through to my deployed Windows Server VMs.

Base
- Windows
  - ad-join
  - baseline
  - remote-desktop
  - services
  - software-install
  - users

Each state file will be configured on the SaltStack Config file server, via the UI. The file server, is actually a database on the backend, but looks like a file server configuration within the UI (we won’t dive into how the backend works in this blog post).

To create your folders and file structure: Continue reading Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 2

vRA SaltStack Config Header

Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 1

In this two-part blog post series, I’m going to detail what I consider a basic customer use case when deploying new Windows Servers in their environment.

  • Deploy a Windows Server Virtual Machine
  • Add to the Active Directory Domain
  • Install software
  • Configure some system settings

To achieve this, I’m going to use vRealize Automation to deploy the virtual machine, and then the SaltStack Config component to configure the virtual machine once it’s up and running.

vRA SaltStack Config is part of the vRealize Automation product, it comes from the  VMware acquisition of SaltStack (the company). VMware integrated SaltStack Enterprise (the product) into vRA, as either a licence stand-alone component, i.e. you can still buy just SaltStack on its own, or as part of vRealize Automation itself. Additionally, features such as SaltStack Protect+Comply, how now transformed into vRA SaltStack SecOps, an addon licence to the existing product.

You may have previously heard of Salt, the open-source project focusing on the core features of configuration management, but lacks the enterprise features of SaltStack Config, such as (but not limited to) centralised management UI and RBAC. This remains an open-source project, with VMware becoming the guardians of the product.

In this Part 1, we are going to cover the following:

For both blog posts I’ve also recorded an accompanying video detailing the configuration. Below is part one, and you can see the part two video on second blog post.

Preparing the Windows Server Template

For my example, I am using a Windows Server 2019 image. For no other reason than I already had one in my environment.

The following configurations need to be in place:

  • Create a firewall rule for TCP 445 – Allow on all profiles
    • New-NetFirewallRule -Name "SMB445" -DisplayName "SMB445" -Protocol TCP -LocalPort 445
      
      Set-Item (dir wsman:\localhost\Listener\*\Port -Recurse).pspath 445 -Force
      
      Restart-Service winrm
  • Ensure SMB2 is enabled
    • get-smbserverconfiguration | select EnableSMB2Protocol
  • Configure winrm
    • winrm quickconfig -transport:http
  • Set UAC to never notify
    • Select Start > Control Panel 
      
      Click System Security
      
      Under Action Center, choose Change User Account Control settings
      
      Move the slider bar down to the Never notify selection and click OK
      
      Reboot the machine for changes to take effect

These steps should have you fully covered. The best SaltStack resource I could find on configuring your Windows images is here, however most of the information is pointed at examples for Salt running on a Windows image in AWS for example. Which has specific requirements. There is also this VMware Documentation page as well.

vRealize Automation with SaltStack Config integration

Continue reading Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 1

vRA SaltStack Config - Salt Project - Header

A debugging example of Salt Win-Repo issues

The Issue

I was hitting issues when trying to use the Salt Win-Repo to install software. Below is a copy of my state file.

ensure_malwarebytes_installed:
  pkg.installed:
    - pkgs:
      - malwarebytes

It would fail with the below helpful error messages. But most importantly, I’d check the minion, to find the software was actually installed.

  {
    "return": {
      "pkg_|-ensure_malwarebytes_installed_|-ensure_malwarebytes_installed_|-installed": {
        "name": "ensure_malwarebytes_installed",
        "__id__": "ensure_malwarebytes_installed",
        "result": false,
        "__sls__": "Windows.software-install.malwarebytes",
        "changes": {
          "malwarebytes": "Unable to locate package malwarebytes"
        },
        "comment": "The following packages failed to install/update: malwarebytes",
        "duration": 343.731,
        "start_time": "13:07:43.183808",
        "__run_num__": 0
      }

If I instead ran the command from my salt master, it would be successful with no error outputs:

salt {minion_name} pkg.install malwarebytes -l debug
The Debugging Effort

Because the software is installed on the minion, I run the “pkg.list_pkgs” command, so I can detail exactly what the system returns.

C:\Users\Administrator>salt-call pkg.list_pkgs
local:
    ----------
...
    Malwarebytes version 4.5.12.204:
        4.5.12.204
...

Next, I want to remove the package, before I continue to debug, however I hit another issue. Continue reading A debugging example of Salt Win-Repo issues

vRA GKE Header

vRealize Automation – Deploying a GKE Cluster with Code Stream, add to Tanzu Mission Control & Tanzu Service Mesh

This walk-through will detail the technical configurations for using vRA Code Stream to deploy Google Kubernetes Clusters (GKE), register them as:

  • Kubernetes endpoints in vRA Cloud Assembly and Code Stream
  • An attached in Tanzu Mission Control
  • Onboard in Tanzu Service Mesh

This post mirrors my other blog posts following similar concepts:

Requirement

After covering EKS and AKS, I thought it was worthwhile to finish off the gang and deploy GKE clusters using Code Stream.

Building on my previous work, I also added in the extra steps to onboard this cluster into Tanzu Service Mesh as well.

High Level Steps
  • Create a Code Stream Pipeline
    • Create a Google GKE Cluster
    • Create GKE cluster as endpoint in both vRA Code Stream and Cloud Assembly
    • Register GKE cluster in Tanzu Mission Control
    • Onboard the cluster to Tanzu Service Mesh
Pre-Requisites
Creating a Code Stream Pipeline to deploy a Azure AKS Cluster and register the endpoints with vRA and Tanzu Mission Control
Create the variables to be used

Continue reading vRealize Automation – Deploying a GKE Cluster with Code Stream, add to Tanzu Mission Control & Tanzu Service Mesh

vRealize Automation Header

vRealize Automation – Active Directory Integration – Configure LDAPS

In this blog post, I am going to cover the setup of the Active Directory integration with vRealize Automation using LDAPS.

Cloud Assembly supports integration with Active Directory servers to provide out of the box creation of computer accounts in a specified Organizational Unit (OU) within an Active Directory server prior to provisioning a virtual machine.

Note: to join to AD within the Guest OS, you can use CloudConfig properties or vSphere CustomizationSpec.

The VMware official documentation doesn’t really call out LDAPS configuration, only LDAP. So after helping a customer configure this, I thought I’d quickly write something up.

To get started, login into vRealize Automation and select Cloud Assembly.

  • Select the Infrastructure Tab
  • Select Integrations under the Connections header
  • Click the Add Integration button
  • Select Active Directory

vRealize Automation - Configure LDAPS - Cloud Assembly - Integrations - Active Directory Continue reading vRealize Automation – Active Directory Integration – Configure LDAPS