Versions Compared

Version Old Version 46 New Version Current
Changes made by

Kazuto Okayasu

Kazuto Okayasu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page will provide OIT's VMWare service client community with information about our upgrade project, and will be updated to reflect progress with the project. The parent to this page is available to all OIT people and has more detailed technical information.

OIT primarily runs two VMWare vSphere 5.5 environments as a consequence of the OIT Consolidation. This project will finally combine the environments. The effort will bring the following benefits to our clients:

  • Streamlined access management through use of self-service KSAMS authorization and UCInetID for logins (replacing 'AD' and 'SERVERAD' Active Directory)
  • Enhanced security through use of mandatory DUO Two Factor authentication and trusted "signed" digital certificates as well as infrastructure security enhancements
  • Preparation for enhanced integration with services such as ServiceNow for change management, notifications, alerting, etc.

The upgrade is designed to be non-disruptive to all VMs. That is, all virtual machines are expected to run non-disruptively as the upgrade takes place. However, due to the architecture changes needed, there may be gaps in access to low-level VM management operations (powering on/off, snapshots, console, etc.), which can be minimized based on each clients' level of preparation and cooperation with the migration process.

Client Action Items

vShere service utilizes the campus' centralized authorization (KSAMS) and authentication systems (UCINetID/LDAP) for access. OIT DCI does not provision this access and is intended to be a self-service process.

KSAMS action items

KSAMS roles are used to provide authorization or permissions within vCenter.  vCenter permissions are granted to members of LDAP groups that are automatically populated from KSAMS roles. Even an individual who needs vCenter permissions on a single VM needs to have a KSAMS role to get those permissions. KSAMS roles usually come in pairs; one role is used for the permissions, and another to approve memberships to the permission role. Figure A shows the list of these Roles as they appear in KSAMS.

...

  • OIT's Data Center Infrastructure team uses the "vCenter - OIT vSphere Admins" and "vCenter - OIT vSphere Admins Approvers" roles.
  • Using the KSAMS ZotPortal App, a request was made to add Ken Cooper and Brian Buckler to the "vCenter - OIT vSphere Admins Approvers" role.
  • Each team member requested the "vCenter - OIT vSphere Admins" role.
  • Ken approved each request using the app.
  • vCenter access was granted.

DUO action items

Make sure all users requiring vCenter VM access have a DUO token set up through the DUO Enrollment App

vCenter Login Procedure

Can be found at New OIT VMware vCenter Login Procedure

...

As the migration moves forward, this page will be updated with new action items. These will include logistics for the migration itself, operational changes in the new environment, and other information.

Fig. A: KSAMS Roles

KSAMS Role NameKSAMS Approver Role NameIdentified Contact
vCenter - Arts AdminsvCenter - Arts Admins ApproversJason Valdry / Adalid Aguilar
vCenter - Bio Sci AdminsvCenter - Bio Sci Admins ApproversEric Sanchez / Matthew Martinez
vCenter - CALIT2 AdminsvCenter - CALIT2 Admins Approvers(Nobody)
vCenter - Education AdminsvCenter - Education Admins ApproversHyuk Kang
vCenter - Engineering AdminsvCenter - Engineering Admins ApproversJohn Romine / Dan Melzer
vCenter - Humanities AdminsvCenter - Humanities Admins Approvers
Dwayne Pack
(Nobody)
vCenter - Informatics AdminsvCenter - Informatics Admins Approvers(Nobody)

vCenter - Integrated Nanosystem Research Facility Admins

vCenter - Integrated Nanosystem Research Facility Admins ApproversPaul Bautista / Marc Palazzo
vCenter - Law School AdminsvCenter - Law School Admins ApproversPatty Furukawa / Joe Macavinta
vCenter - Library AdminsvCenter - Library Admins Approvers
Ashley Burke
(Nobody)
vCenter - OIT Academic Affairs AdminsvCenter - OIT Academic Affairs Admins ApproversMax Garrick / Albert Chi
vCenter - OIT Athletics IT AdminsvCenter - OIT Athletics IT Admins Approvers
Michael Koetsier
Tri Tran
vCenter - OIT AWT AdminsvCenter - OIT AWT Admins Approvers(Nobody)
vCenter - OIT Business Intelligence AdminsvCenter - OIT Business Intelligence Admins Approvers
Kelsey Layos
Larry Coon / Valerie Jones
vCenter - OIT Database AdminsvCenter - OIT Database Admins ApproversDeanna McMurray / Marina Arseniev
vCenter - OIT eDocs AdminsvCenter - OIT eDocs Admins ApproversLinh Nguyen / Robert Gallegos
vCenter - OIT EUS AdminsvCenter - OIT EUS Admins ApproversKyle Kurr /David Severance
vCenter - OIT Financial Svc AdminsvCenter - OIT Financial Svc Admins ApproversJames Hsu
/Cecilia Do
vCenter - OIT Graduate Division Admins  vCenter - OIT Graduate Division Admins Approvers
Rachel Tam
James Tang

vCenter - OIT IAM Admins ApproversJosh Drummond / Warren Leung / Dana Watanabe
vCenter - OIT ILCS AdminsvCenter - OIT ILCS Admins Approvers
Son Nguyen
Derrek Gabagat
vCenter - OIT MAI AdminsvCenter - OIT MAI Admins ApproversJason Lin /  Brian Craft
vCenter - OIT Network Engineer AdminsvCenter - OIT Network Engineer Admins ApproversAlbert Gonzalez / Bjorn Juslin
vCenter - OIT Office of Research Admins vCenter - OIT Office of Research Admins ApproversNoah Margolis / Eric Taggart
vCenter - OIT Parking and Distribution AdminsvCenter - OIT Parking and Distribution Admins ApproversClint Maruki / Matthew Lorenzo
vCenter - OIT Production and Operations Management AdminsvCenter - OIT Production and Operations Management Admins ApproversMichael Story
vCenter - QA AdminsvCenter - QA Admins Approvers
Brian Roode
Michael Story / Jason Lin / Thomas Bindewald
vCenter - OIT Security AdminsvCenter - OIT Security Admins ApproversJosh Drummond / Paul Kang
vCenter - OIT Specialized Desktop Support AdminsvCenter - OIT Specialized Desktop Support Admins ApproversSarkis Daglian / Jeremy Paje
vCenter - OIT Standard Desktop Support AdminsvCenter - OIT Standard Desktop Support Admins ApproversJeremy Paje
vCenter - OIT vSphere AdminsvCenter - OIT vSphere Admins ApproversKen Cooper / Henry Jenkins
vCenter - OIT WSG AdminsvCenter - OIT WSG Admins ApproversHeindrick Yu
vCenter - Social Ecology AdminsvCenter - Social Ecology Admins ApproversJennifer Lane
vCenter - Social Science AdminsvCenter - Social Science Admins ApproversJonathan Nilsson / Andrew Hill / Dominic Fiorello
vCenter - Strategic Comm AdminsvCenter - Strategic Comm Admins ApproversJim Kreuziger / Todd McGill

vCenter - VCSA Admins

vCenter - VCSA Admins Approvers

Wayne Fields / Steven Tajiri

vCenter - Applied Innovation AdminsvCenter - Applied Innovation Admins ApproversMarek Mandau
vCenter - OIT Facilities Mgmt AdminsvCenter - OIT Facilities Mgmt Admins ApproversJyoti Razdan
vCenter - WHCS AdminsvCenter - WHCS Admins ApproversJerome Reuter / Herbert Chan
vCenter - Read Only UsersvCenter - OIT vSphere AdminsDCI Team
vCenter - OIT OVPTL AdminsvCenter - OIT OVPTL Admins ApproversBrian Lance / Jeremy Thacker
vCenter - Physiology AdminsvCenter - Physiology Admins ApproversRie Nakajima / Aarti Jain/ Gildas Cadin
vCenter - OIT Research Cyberinfrastructure Center AdminsvCenter - OIT Research Cyberinfrastructure Center AproversPhil Papadopoulos

 


Fig. B: VM Permissions

Initially, all assigned users will have the set of permissions listed below:

    • Cryptographic Operations
      • Direct Access (allows console access to vTPM enabled VMs)
      • Encrypt (allows console power on/off vTPM enabled VMs)
      • Encrypt new (allows console power on/off vTPM enabled VMs)
      • Register VM (allows console power on/off vTPM enabled VMs)
    • Virtual Machine
      • Configuration
        • Modify Device Settings
        • Settings
        • Upgrade virtual machine compatibility
      • Interaction
        • Answer Questions
        • Configure CD Media
        • Console Interaction
        • Device Connection (NICs and removable media)
        • Power On
        • Power Off
        • Reset
        • VMware Tools Install
      • Snapshot Management
        • Create Snapshot
        • Remove Snapshot
        • Rename Snapshot
        • Revert Snapshot
    • Folder (This will only work on the sub-folders of where the role is assigned.)
      • Create
      • Delete
      • Rename
      • Move
    • Datastore (This is only to facilitate mounting ISO images from the shared ISO repository)
      • Browse datastore
      • Low level file operation

Fig. C: VM Tag data

PaaS Owner (Platform as a Service Owner)

UCInetID of user or group responsible for OS tasks. This UCInetID will be contacted for low-level changes such as disk space changes, VMWare Tools upgrades, etc.

  • UCInetID of Owner(s) or Group(s)

Data Owner

UCInetID of user or group responsible for app/data. This UCInetID will be contacted for (un)scheduled interruptions or other changes interrupting access to VM's data.

  • UCInetID of Owner(s) or Group(s)

Purpose

The VM’s primary purpose. These are tags in existence in ServiceNow and may be expanded.

  • application

  • database

  • domain_controller

  • file

  • mail

  • utility

  • web

Protection Level

The VM protection level

classification is the assigned number representing the

represents the level of security protection needed for Institutional Information or an IT Resource

. Level 1 being the lowest and 3 being the most critical data

. Definitions can be found

at http

at https://www.security.uci.edu/program/

security-plan/plan-classification.html

classification/

  • P4 - Critical

  • P3 -

high

  • High

  • P2 -

medium

  • Medium

  • P1 -

lowHA Restart Priority

  • Low

Availability Level

The

high availability (HA) restart priority determines the order in which virtual machines (VMs) are restarted when the ESXi host fails. Higher priority virtual machines are started first. This priority applies only on a per-host basis. If multiple hosts fail, all virtual machines are migrated from the first host in order of priority, then all virtual machines from the second host in order of priority, and so on. The restart priority will also be used to determine which VMs to power off during an incident that severely reduces our ESXi cluster capacity. The default is medium.

  • HA4-high

  • HA3-medium

  • HA2-low

    • HA1-disabled

    VM availability represents the business impact a disruption in the resource's availability has. This is used to determine the level of disaster recoverability, as well as the priority level of VM restart when there are infrastructure failures (via vSphere HA).

    • A4 - Major

    • A3 - Moderate

    • A2 - Minor

    • A1 - Minimal

    vm_Backup_Job

    The VM's Veeam backup job.