Category Archives: VMware

Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 2

The first blog post of this two-part series covered getting our vRealize Automation and SaltStack Config environments prepared, preparing a Windows Server template, and testing a successful deployment that has the SaltStack minion installed.

In this second part, we’ll now focus on setting up our state files to configure the Windows Server to our example requirements and start deploying virtual machines using vRA that are configured by SaltStack Config.

We’ll cover the following areas:

For both blog posts I’ve also recorded an accompanying video detailing the configuration. Below is part two, and you can see the part one video on the first blog post.

Configure the SaltStack State Files

The main part of SaltStack is the SLS, or SaLt State, file. This is a representation of the state a system should be in, and contains the configuration information that the system should adhere to or be configured to. By default, a State file is built using the YAML format.

You can read more about State Files on the official Salt website which gives you a good introduction in getting started, and background information on the configuration I am going to detail below.

Here is a quick overview, but I really suggest you read the above link if this is your first look into Salt.

# The first line is the ID for the data that follows
my_first_state:
# The second line, two space indented, is state module to be run, in the format {module.function}
  service.enabled:
# The third line, four space indented, are the parameters for the state module
    - name: Spooler

Within a state file, you also have the ability to use a templating language, such as Jinja, which is the default for State Files. This language within a state file is evaluated and computed before the YAML itself, making it useful for writing statements, and computing user inputs or dynamic variables. You can learn more about this templating language in the Salt documentation.
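To make the "Jinja first, YAML second" order concrete, here is an added illustration that is not part of the original post: a state file for the services folder that loops over lists of Windows services. The file path, the service names and the choice of which to stop or keep running are assumptions made for the example.

```yaml
# Windows/services/init.sls - added illustration, not the post's own state file.
# The service names and the choice of which to stop are assumptions.
{% set stop_and_disable = ['Spooler', 'RemoteRegistry'] %}
{% set keep_running = ['W32Time'] %}

{% if grains['os_family'] == 'Windows' %}

{% for svc in stop_and_disable %}
disable_{{ svc | lower }}:
  service.dead:
    - name: {{ svc }}
    - enable: False
{% endfor %}

{% for svc in keep_running %}
run_{{ svc | lower }}:
  service.running:
    - name: {{ svc }}
    - enable: True
{% endfor %}

{% endif %}

# What the YAML parser receives on a Windows minion once Jinja has run:
#
# disable_spooler:
#   service.dead:
#     - name: Spooler
#     - enable: False
# disable_remoteregistry:
#   service.dead:
#     - name: RemoteRegistry
#     - enable: False
# run_w32time:
#   service.running:
#     - name: W32Time
#     - enable: True
```

Running `salt-call state.show_sls Windows.services` on a minion displays the rendered state data without applying it, which is a quick way to confirm the loop produced the IDs you expect.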

For this blog post example, I am going to configure the following file structure, and explain what is going on in each step. I think the naming makes it obvious which configurations I’ll be passing through to my deployed Windows Server VMs.

Base
- Windows
  - ad-join
  - baseline
  - remote-desktop
  - services
  - software-install
  - users

Each state file will be configured on the SaltStack Config file server, via the UI. The file server is actually a database on the backend, but looks like a file server configuration within the UI (we won’t dive into how the backend works in this blog post).

To create your folders and file structure:

Continue reading Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 2

Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 1

In this two-part blog post series, I’m going to detail what I consider a basic customer use case when deploying new Windows Servers in their environment.

  • Deploy a Windows Server Virtual Machine
  • Add to the Active Directory Domain
  • Install software
  • Configure some system settings

To achieve this, I’m going to use vRealize Automation to deploy the virtual machine, and then the SaltStack Config component to configure the virtual machine once it’s up and running.

vRA SaltStack Config is part of the vRealize Automation product; it comes from the VMware acquisition of SaltStack (the company). VMware integrated SaltStack Enterprise (the product) into vRA, as either a licensed stand-alone component, i.e. you can still buy just SaltStack on its own, or as part of vRealize Automation itself. Additionally, features such as SaltStack Protect+Comply have now transformed into vRA SaltStack SecOps, an add-on licence to the existing product.

You may have previously heard of Salt, the open-source project that focuses on the core features of configuration management but lacks the enterprise features of SaltStack Config, such as (but not limited to) a centralised management UI and RBAC. This remains an open-source project, with VMware becoming the guardians of the product.

In this Part 1, we are going to cover the following:

For both blog posts I’ve also recorded an accompanying video detailing the configuration. Below is part one, and you can see the part two video on the second blog post.

Preparing the Windows Server Template

For my example, I am using a Windows Server 2019 image. For no other reason than I already had one in my environment.

The following configurations need to be in place:

  • Create a firewall rule for TCP 445 – Allow on all profiles
    • New-NetFirewallRule -Name "SMB445" -DisplayName "SMB445" -Protocol TCP -LocalPort 445
      
      Set-Item (dir wsman:\localhost\Listener\*\Port -Recurse).pspath 445 -Force
      
      Restart-Service winrm
  • Ensure SMB2 is enabled
    • get-smbserverconfiguration | select EnableSMB2Protocol
  • Configure winrm
    • winrm quickconfig -transport:http
  • Set UAC to never notify
    • Select Start > Control Panel 
      
      Click System Security
      
      Under Action Center, choose Change User Account Control settings
      
      Move the slider bar down to the Never notify selection and click OK
      
      Reboot the machine for changes to take effect

These steps should have you fully covered. The best SaltStack resource I could find on configuring your Windows images is here; however, most of the information is pointed at examples for Salt running on a Windows image in AWS, which has specific requirements. There is also this VMware Documentation page.

vRealize Automation with SaltStack Config integration

Continue reading Deploying a Windows VM using vRealize Automation & configuring with SaltStack Config – Part 1

A debugging example of Salt Win-Repo issues

The Issue

I was hitting issues when trying to use the Salt Win-Repo to install software. Below is a copy of my state file.

ensure_malwarebytes_installed:
  pkg.installed:
    - pkgs:
      - malwarebytes

It would fail with the below helpful error messages. But most importantly, I’d check the minion, to find the software was actually installed.

  {
    "return": {
      "pkg_|-ensure_malwarebytes_installed_|-ensure_malwarebytes_installed_|-installed": {
        "name": "ensure_malwarebytes_installed",
        "__id__": "ensure_malwarebytes_installed",
        "result": false,
        "__sls__": "Windows.software-install.malwarebytes",
        "changes": {
          "malwarebytes": "Unable to locate package malwarebytes"
        },
        "comment": "The following packages failed to install/update: malwarebytes",
        "duration": 343.731,
        "start_time": "13:07:43.183808",
        "__run_num__": 0
      }

If I instead ran the command from my salt master, it would be successful with no error outputs:

salt {minion_name} pkg.install malwarebytes -l debug

The Debugging Effort

Because the software is installed on the minion, I run the “pkg.list_pkgs” command, so I can detail exactly what the system returns.

C:\Users\Administrator>salt-call pkg.list_pkgs
local:
    ----------
...
    Malwarebytes version 4.5.12.204:
        4.5.12.204
...

Next, I want to remove the package, before I continue to debug, however I hit another issue.

Continue reading A debugging example of Salt Win-Repo issues

vRealize Automation – Deploying a GKE Cluster with Code Stream, add to Tanzu Mission Control & Tanzu Service Mesh

This walk-through will detail the technical configurations for using vRA Code Stream to deploy Google Kubernetes Clusters (GKE) and register them as:

  • Kubernetes endpoints in vRA Cloud Assembly and Code Stream
  • An attached cluster in Tanzu Mission Control
  • An onboarded cluster in Tanzu Service Mesh

This post mirrors my other blog posts following similar concepts:

Requirement

After covering EKS and AKS, I thought it was worthwhile to finish off the gang and deploy GKE clusters using Code Stream.

Building on my previous work, I also added in the extra steps to onboard this cluster into Tanzu Service Mesh as well.

High Level Steps

  • Create a Code Stream Pipeline
    • Create a Google GKE Cluster
    • Create GKE cluster as endpoint in both vRA Code Stream and Cloud Assembly
    • Register GKE cluster in Tanzu Mission Control
    • Onboard the cluster to Tanzu Service Mesh

Pre-Requisites

Creating a Code Stream Pipeline to deploy an Azure AKS Cluster and register the endpoints with vRA and Tanzu Mission Control

Create the variables to be used

Continue reading vRealize Automation – Deploying a GKE Cluster with Code Stream, add to Tanzu Mission Control & Tanzu Service Mesh

VMware Cloud on AWS – Managed Tanzu Kubernetes Grid with Tanzu Mission Control

In my previous blog post, I detailed a full end-to-end guide to deploying and configuring the managed Tanzu Kubernetes Service offering as part of VMware Cloud on AWS (VMC), finishing with some example application deployments and configurations.

In this blog post, I am moving on to show you how to integrate this environment with Tanzu Mission Control, which will provide fleet management for your Kubernetes instances. I’ve written several blog posts on TMC previously, which you can find below:

Tanzu Mission Control 
- Getting Started Tanzu Mission Control 
- Cluster Inspections 
- Workspaces and Policies  
- Data Protection 
- Deploying TKG clusters to AWS 
- Upgrading a provisioned cluster 
- Delete a provisioned cluster 
- TKG Management support and provisioning new clusters
- TMC REST API - Postman Collection
- Using custom policies to ensure Kasten protects a deployed application

Management with Tanzu Mission Control

The first step is to connect the Supervisor cluster running in VMC to our Tanzu Mission Control environment.

Connecting the Supervisor Cluster to TMC

Within the TMC console, go to:

  • Administration
  • Management Clusters
  • Register Management Cluster
    • Select “vSphere with Tanzu”

On the Register Management Cluster page:

  • Set the friendly name for the cluster in TMC
  • Select the default cluster group for managed workload clusters to be added into
  • Set any description and labels as necessary

  • Proxy settings for a Supervisor Cluster running in VMC are not supported, so ignore Step 2.

  • Copy the registration URL.

  • Log into your vSphere with Tanzu Supervisor cluster.
  • Find the namespace that identifies your cluster and is used for TMC configurations, using “kubectl get ns”
    • It will start with “svc-tmc-xx”
    • Copy this namespace name

Continue reading VMware Cloud on AWS – Managed Tanzu Kubernetes Grid with Tanzu Mission Control