This page will provide OIT's VMware service client community with information about our upgrade project, and will be updated to reflect progress with the project. The parent to this page is available to all OIT people and has more detailed technical information.
OIT primarily runs two VMware vSphere 5.5 environments as a consequence of the OIT Consolidation. This project will finally combine the two environments. The effort will bring the following benefits to our clients:
- Streamlined access management through use of self-service KSAMS authorization and UCInetID for logins (replacing 'AD' and 'SERVERAD' Active Directory)
- Enhanced security through use of mandatory Duo two-factor authentication and trusted (signed) digital certificates, as well as infrastructure security enhancements
- Preparation for enhanced integration with services such as ServiceNow for change management, notifications, alerting, etc.
The upgrade is designed to be non-disruptive to all VMs. That is, all virtual machines are expected to keep running as the upgrade takes place. However, due to the architecture changes needed, there may be gaps in access to low-level VM management operations (powering on/off, snapshots, console, etc.); these gaps can be minimized depending on each client's level of preparation and cooperation with the migration process.
...
The vSphere service utilizes the campus' centralized authorization (KSAMS) and authentication (UCInetID/LDAP) systems for access. OIT DCI does not provision this access; it is intended to be a self-service process.
KSAMS action items
KSAMS roles are used to provide authorization or permissions within vCenter. vCenter permissions are granted to members of LDAP groups that are automatically populated from KSAMS roles. Even an individual who needs vCenter permissions on a single VM needs to have a KSAMS role to get those permissions. KSAMS roles usually come in pairs; one role is used for the permissions, and another to approve memberships to the permission role. Figure A shows the list of these Roles as they appear in KSAMS.
...
- OIT's Data Center Infrastructure team uses the "vCenter - OIT vSphere Admins" and "vCenter - OIT vSphere Admins Approvers" roles.
- Using the KSAMS ZotPortal App, a request was made to add Ken Cooper and Brian Buckler to the "vCenter - OIT vSphere Admins Approvers" role.
- Each team member requested the "vCenter - OIT vSphere Admins" role.
- Ken approved each request using the app.
- vCenter access was granted.
Make sure all users requiring vCenter VM access have a Duo token set up through the Duo Enrollment App.
VM identity data action items
VM ownership claim period has ended.
Due to various histories and actions, there may be mismatches and ambiguities about ownership and responsibility roles for VMs. In order to repair these issues and to help facilitate future automation plans, we are requiring all VMs to be tagged with the mandatory set of data shown in Figure C. We have created a Google Apps form (UCI Google Apps registration required) to collect this information. If you have a large number of VMs under your ownership and would like a bulk submission method, please contact Jason Noennig (jnoennig@uci.edu) for data import information. VMs that remain unclaimed at the end of this process will be placed in an 'Animal Shelter' environment where we will attempt to match them with their owners; if an owner cannot be identified after a to-be-determined number of days, the VM will be powered off and then deleted.
vCenter Login Procedure
The procedure can be found on the page New OIT VMware vCenter Login Procedure.
Future action items
As the migration moves forward, this page will be updated with new action items. These will include logistics for the migration itself, operational changes in the new environment, and other information.
Fig. A: KSAMS Roles
| Role | Approver Role | Approvers |
|---|---|---|
| … | … | Dwayne Pack / Paul Bautista / Marc Palazzo |
| vCenter - Law School Admins | vCenter - Law School Admins Approvers | Patty Furukawa / Joe Macavinta |
| vCenter - Library Admins | vCenter - Library Admins Approvers | (Nobody) |
| vCenter - OIT Academic Affairs Admins | vCenter - OIT Academic Affairs Admins Approvers | Max Garrick / Albert Chi |
| vCenter - OIT Athletics IT Admins | vCenter - OIT Athletics IT Admins Approvers | Michael Koetsier / Tri Tran |
| vCenter - OIT AWT Admins | vCenter - OIT AWT Admins Approvers | Kelsey Layos / (Nobody) |
| vCenter - OIT Business Intelligence Admins | vCenter - OIT Business Intelligence Admins Approvers | Larry Coon / Valerie Jones |
| vCenter - OIT Database Admins | vCenter - OIT Database Admins Approvers | Deanna McMurray / Marina Arseniev |
| vCenter - OIT eDocs Admins | vCenter - OIT eDocs Admins Approvers | Linh Nguyen / Robert Gallegos |
| vCenter - OIT EUS Admins | vCenter - OIT EUS Admins Approvers | Kyle Kurr / David Severance |
| vCenter - OIT Financial Svc Admins | vCenter - OIT Financial Svc Admins Approvers | James Hsu / Cecilia Do / Son Nguyen / Jason Lin / Brian Craft |
| vCenter - OIT Network Engineer Admins | vCenter - OIT Network Engineer Admins Approvers | Albert Gonzalez / Bjorn Juslin |
| vCenter - OIT Specialized Desktop Support Admins | vCenter - OIT Specialized Desktop Support Admins Approvers | Sarkis Daglian / Noah Margolis / Eric Taggart |
| vCenter - OIT Standard Desktop Support Parking and Distribution Admins | vCenter - OIT Standard Desktop Support Parking and Distribution Admins Approvers | Jeremy Paje / Clint Maruki / Matthew Lorenzo |
| vCenter - OIT WSG Production and Operations Management Admins | vCenter - OIT WSG Production and Operations Management Admins Approvers | Jeff Martin / Michael Story / Jason Lin / Thomas Bindewald |
| vCenter - Engineering Admins | vCenter - Engineering Admins Approvers | John Romine / Dan Melzer |
| vCenter - Social Ecology OIT Security Admins | vCenter - Social Ecology OIT Security Admins Approvers | Jennifer Lane / Josh Drummond / Paul Kang |
| vCenter - Social Science OIT Specialized Desktop Support Admins | vCenter - Social Science OIT Specialized Desktop Support Admins Approvers | Jonathan Nilsson / Sarkis Daglian / Jeremy Paje |
| vCenter - Strategic Comm OIT Standard Desktop Support Admins | vCenter - Strategic Comm OIT Standard Desktop Support Admins Approvers | Jim Kreuziger |
| vCenter - VCSA OIT vSphere Admins | vCenter - VCSA OIT vSphere Admins Approvers | Wayne Fields / Ken Cooper / Henry Jenkins |
| vCenter - OIT MAI Admins | vCenter - OIT MAI Admins Approvers | Jason Lin |
| vCenter - OIT vSphere Social Ecology Admins | vCenter - OIT vSphere Social Ecology Admins Approvers | Ken Cooper |
| vCenter - OIT Security Social Science Admins | vCenter - OIT Security Social Science Admins Approvers | Josh Drummond / Jonathan Nilsson / Andrew Hill / Dominic Fiorello |
| vCenter - OIT Parking and Distribution Strategic Comm Admins | vCenter - OIT Parking and Distribution Strategic Comm Admins Approvers | Clint Maruki / Jim Kreuziger / Todd McGill |
| vCenter - OIT Database Admins | vCenter - OIT Database Admins Approvers | Deanna McMurray / Wayne Fields / Steven Tajiri |
| vCenter - OIT Production and Operations Management Applied Innovation Admins | vCenter - OIT Production and Operations Management Applied Innovation Admins Approvers | Brian Roode / Marek Mandau |
| vCenter - OIT eDocs Facilities Mgmt Admins | vCenter - OIT eDocs Facilities Mgmt Admins Approvers | Linh Nguyen / Jyoti Razdan |
| vCenter - WHCS Admins | vCenter - OIT Graduate Division Admins WHCS Admins Approvers | Jerome Reuter / Herbert Chan |
| vCenter - Read Only Users | | |
| vCenter - OIT Graduate Division Approvers Office of Research OVPTL Admins | vCenter - OIT Office of Research | Brian Lance / Jeremy Thacker |
| vCenter - Library Physiology Admins | vCenter - Library Physiology Admins Approvers | Ashley Burke / Rie Nakajima / Aarti Jain / Gildas Cadin |
| vCenter - Nanosystems OIT Research Cyberinfrastructure Center Admins | vCenter - Nanosystems Research Admins Approver | Paul Bautista |
| … | vCenter - OIT Research Cyberinfrastructure Center Approvers | Phil Papadopoulos |
Fig. B: VM Permissions
Initially, all assigned users will have the set of permissions listed below:
- Cryptographic Operations
  - Direct Access (allows console access to vTPM enabled VMs)
  - Encrypt (allows console power on/off vTPM enabled VMs)
  - Encrypt new (allows console power on/off vTPM enabled VMs)
  - Register VM (allows console power on/off vTPM enabled VMs)
- Virtual Machine
  - Configuration
    - Modify Device Settings
    - Settings
    - Upgrade virtual machine compatibility
  - Interaction
    - Answer Questions
    - Configure CD Media
    - Console Interaction
    - Device Connection (NICs and removable media)
    - Power On
    - Power Off
    - Reset
    - VMware Tools Install
  - Snapshot Management
    - Create Snapshot
    - Remove Snapshot
    - Rename Snapshot
    - Revert Snapshot
- Folder (This will only work on the sub-folders of where the role is assigned.)
- Datastore (This is only to facilitate mounting ISO images from the shared ISO repository)
  - Browse datastore
  - Low level file operation
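The permission set above maps naturally onto a custom vCenter role. The PowerCLI script below is an added example, not OIT's own tooling: it builds such a role, assigns it on a client's VM folder with propagation (which is why the Folder privilege only reaches sub-folders of the assignment point), and assigns the same role without propagation on the shared ISO datastore, since privileges only take effect on objects where a permission is actually assigned. The privilege IDs are this example's assumed mapping from the display names in Fig. B and should be checked with `Get-VIPrivilege` in your own vCenter; the server name, role name, folder, datastore and LDAP group are placeholders.

```powershell
# Added example (not OIT's script). Assumes VMware PowerCLI is installed and the
# account running it can create roles and permissions in vCenter.
Connect-VIServer -Server 'vcenter.example.edu'   # placeholder hostname

# Assumed mapping of Fig. B display names to vSphere privilege IDs.
$privilegeIds = @(
    # Cryptographic Operations
    'Cryptographer.Access',                         # Direct Access
    'Cryptographer.Encrypt',                        # Encrypt
    'Cryptographer.EncryptNew',                     # Encrypt new
    'Cryptographer.RegisterVM',                     # Register VM
    # Virtual Machine > Configuration
    'VirtualMachine.Config.EditDevice',             # Modify Device Settings
    'VirtualMachine.Config.Settings',               # Settings
    'VirtualMachine.Config.UpgradeVirtualHardware', # Upgrade virtual machine compatibility
    # Virtual Machine > Interaction
    'VirtualMachine.Interact.AnswerQuestion',       # Answer Questions
    'VirtualMachine.Interact.SetCDMedia',           # Configure CD Media
    'VirtualMachine.Interact.ConsoleInteract',      # Console Interaction
    'VirtualMachine.Interact.DeviceConnection',     # Device Connection
    'VirtualMachine.Interact.PowerOn',              # Power On
    'VirtualMachine.Interact.PowerOff',             # Power Off
    'VirtualMachine.Interact.Reset',                # Reset
    'VirtualMachine.Interact.ToolsInstall',         # VMware Tools Install
    # Virtual Machine > Snapshot Management
    'VirtualMachine.State.CreateSnapshot',          # Create Snapshot
    'VirtualMachine.State.RemoveSnapshot',          # Remove Snapshot
    'VirtualMachine.State.RenameSnapshot',          # Rename Snapshot
    'VirtualMachine.State.RevertToSnapshot',        # Revert Snapshot
    # Datastore (shared ISO repository only)
    'Datastore.Browse',                             # Browse datastore
    'Datastore.FileManagement'                      # Low level file operation
)

# Create the role once; reuse it on later runs.
$roleName = 'OIT VM Operator'   # placeholder role name
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $privilegeIds)
}

# The principal is an LDAP group populated from a KSAMS role (placeholder name).
$principal = 'UCI\vcenter-law-school-admins'

# Assign on the client's VM folder with propagation: the role reaches that folder's
# sub-folders and VMs and nothing above the assignment point.
$folder = Get-Folder -Name 'Law School'   # placeholder folder
New-VIPermission -Entity $folder -Principal $principal -Role $role -Propagate $true

# Assign on the shared ISO datastore without propagation, so the Datastore
# privileges apply to the ISO repository only and not to VM datastores.
$isoStore = Get-Datastore -Name 'iso-repository'   # placeholder datastore
New-VIPermission -Entity $isoStore -Principal $principal -Role $role -Propagate $false

# Verification: review what is now assigned at each point before handing access over.
Get-VIPermission -Entity $folder, $isoStore | Select-Object Entity, Principal, Role, Propagate
```

Running the verification step after each change is the useful habit here: because vCenter permissions combine across the inventory hierarchy, a second permission granted higher up (for example on a datacenter) would silently widen what this group can do, and `Get-VIPermission` on the folder and datastore is the quickest way to see the effective assignments.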
Fig. C: VM Tag data
| Tag | Description | Allowed values |
|---|---|---|
| PaaS Owner (Platform as a Service Owner) | UCInetID of the user or group responsible for OS tasks. This UCInetID will be contacted for low-level changes such as disk space changes, VMware Tools upgrades, etc. | UCInetID of Owner(s) or Group(s) |
| Data Owner | UCInetID of the user or group responsible for the application/data. This UCInetID will be contacted for (un)scheduled interruptions or other changes interrupting access to the VM's data. | UCInetID of Owner(s) or Group(s) |
| Purpose | The VM's primary purpose. These tags already exist in ServiceNow and may be expanded. | application, database, domain_controller, file, mail, utility, web |
| Protection Level | The VM protection level classification is the assigned number representing the level of security protection needed for Institutional Information or an IT Resource, with Level 1 being the lowest and Level 3 the most critical data. Definitions can be found at httpsecurity-plan/plan-classification.html | high, medium, low |
| HA Restart Priority | The high availability (HA) restart priority determines the order in which virtual machines (VMs) are restarted when an ESXi host fails. Higher-priority virtual machines are started first. This priority applies only on a per-host basis: if multiple hosts fail, all virtual machines are migrated from the first host in order of priority, then all virtual machines from the second host in order of priority, and so on. The restart priority will also be used to determine which VMs to power off during an incident that severely reduces our ESXi cluster capacity. The default is medium. | HA4-high, HA3-medium, HA2-low, HA1-disabled |
| VM availability | Represents the business impact a disruption in the resource's availability has. This is used to determine the level of disaster recoverability, as well as the priority level of VM restart when there are infrastructure failures (via vSphere HA). | A4 - Major, A3 - Moderate, A2 - Minor, A1 - Minimal |
| vm_Backup_Job | The VM's Veeam backup job. | |