This page provides OIT's VMware service client community with information about our upgrade project and will be updated as the project progresses. The parent page, available to all OIT staff, contains more detailed technical information.
OIT currently runs two separate VMware vSphere 5.5 environments, a consequence of the OIT Consolidation. This project will finally combine them into one. The effort brings the following benefits to our clients:
- Streamlined access management: authorization is granted through self-service KSAMS roles, and logins use the UCInetID (replacing the separate 'AD' and 'SERVERAD' Active Directory logins)
- Enhanced security: mandatory DUO two-factor authentication for vCenter logins, certificates signed by a trusted CA in place of untrusted self-signed ones, and infrastructure security hardening
- Preparation for tighter integration with services such as ServiceNow for change management, notifications, alerting, etc.
The upgrade is designed to be non-disruptive to VMs: all virtual machines are expected to keep running throughout the upgrade. However, because of the architecture changes involved, there may be gaps in access to low-level VM management operations (power on/off, snapshots, console, etc.). These gaps can be minimized by each client's preparation for, and cooperation with, the migration process.
Client Action Items
KSAMS action items
KSAMS roles are used to grant authorization (permissions) within vCenter: vCenter permissions are assigned to LDAP groups that are populated automatically from KSAMS role membership. Even an individual who needs vCenter permissions on a single VM must hold a KSAMS role to receive them. KSAMS roles usually come in pairs: one role carries the permissions, and a matching Approver role is used to approve memberships in the permission role. Figure A lists these roles as they appear in KSAMS.
- Via the KSAMS ZotPortal App, request the Approver role for those who will approve "Admin" role memberships for people needing vCenter access to VMs. Generally a manager and a director hold the Approver role. OIT recommends two or more Approvers. Approvers do NOT gain access to VMs through the Approver role.
- After the Approver role is set up, direct everyone requiring vCenter access to VMs to the KSAMS ZotPortal App to request the "Admin" role.
- NOTE: "Admin" role requests submitted before the corresponding group's "Approver" request has completed will result in KSAMS ERRORS, so make sure at least one Approver is in place before anyone requests the Admin role.
- For simplicity and expediency, all users will initially be assigned the permissions listed in Figure B on their group's designated set of VMs. We welcome input on other permission levels and on different user groupings going forward.
KSAMS example:
- OIT's Data Center Infrastructure team uses the "vCenter - OIT vSphere Admins" and "vCenter - OIT vSphere Admins Approvers" roles.
- Using the KSAMS ZotPortal App, a request was made to add Ken Cooper and Brian Buckler to the "vCenter - OIT vSphere Admins Approvers" role.
- Each team member requested the "vCenter - OIT vSphere Admins" role.
- Ken approved each request using the app.
- vCenter access was granted.
DUO action items
Make sure every user who will need vCenter access to VMs has a DUO token set up through the DUO Enrollment App. Because DUO two-factor authentication is mandatory in the new environment, users without an enrolled DUO token will not be able to log in to vCenter.
VM identity data action items
VM ownership claim period has ended.
Because of varied histories and past actions, there may be mismatches and ambiguities about ownership and responsibility roles for VMs. To repair these issues, and to support future automation plans, we require every VM to be 'tagged' with the mandatory set of data listed in Figure C. We have created a Google Apps form (UCI Google Apps registration required) to collect this information. If you own a large number of VMs and would like a bulk submission method, contact Jason Noennig (jnoennig@uci.edu) for data import information. VMs that remain unclaimed at the end of this process will be moved to an 'Animal Shelter' environment, where we will attempt to match them with their owners; if no owner can be identified after a to-be-determined number of days, the VM will be powered off and then deleted.
vCenter Login Procedure
The procedure is documented at New OIT VMware vCenter Login Procedure.
Future action items
As the migration moves forward, this page will be updated with new action items. These will include logistics for the migration itself, operational changes in the new environment, and other information.
Fig. A: KSAMS Roles
KSAMS Role Name | KSAMS Approver Role Name | Identified Contact |
---|---|---|
vCenter - Arts Admins | vCenter - Arts Admins Approvers | Jason Valdry |
vCenter - Bio Sci Admins | vCenter - Bio Sci Admins Approvers | Eric Sanchez |
vCenter - Education Admins | vCenter - Education Admins Approvers | Hyuk Kang |
vCenter - Humanities Admins | vCenter - Humanities Admins Approvers | Dwayne Pack |
vCenter - Law School Admins | vCenter - Law School Admins Approvers | Patty Furukawa |
vCenter - OIT Academic Affairs Admins | vCenter - OIT Academic Affairs Admins Approvers | Max Garrick |
vCenter - OIT Athletics IT Admins | vCenter - OIT Athletics IT Admins Approvers | Michael Koetsier |
vCenter - OIT AWT Admins | vCenter - OIT AWT Admins Approvers | Kelsey Layos |
vCenter - OIT EUS Admins | vCenter - OIT EUS Admins Approvers | Kyle Kurr |
vCenter - OIT Financial Svc Admins | vCenter - OIT Financial Svc Admins Approvers | James Hsu/Cecilia Do |
vCenter - OIT ILCS Admins | vCenter - OIT ILCS Admins Approvers | Son Nguyen |
vCenter - OIT Network Engineer Admins | vCenter - OIT Network Engineer Admins Approvers | Albert Gonzalez |
vCenter - OIT Specialized Desktop Support Admins | vCenter - OIT Specialized Desktop Support Admins Approvers | Sarkis Daglian |
vCenter - OIT Standard Desktop Support Admins | vCenter - OIT Standard Desktop Support Admins Approvers | Jeremy Paje |
vCenter - OIT WSG Admins | vCenter - OIT WSG Admins Approvers | Jeff Martin |
vCenter - Engineering Admins | vCenter - Engineering Admins Approvers | John Romine/Dan Melzer |
vCenter - Social Ecology Admins | vCenter - Social Ecology Admins Approvers | Jennifer Lane |
vCenter - Social Science Admins | vCenter - Social Science Admins Approvers | Jonathan Nilsson |
vCenter - Strategic Comm Admins | vCenter - Strategic Comm Admins Approvers | Jim Kreuziger |
vCenter - VCSA Admins | vCenter - VCSA Admins Approvers | Wayne Fields |
vCenter - OIT MAI Admins | vCenter - OIT MAI Admins Approvers | Jason Lin |
vCenter - OIT vSphere Admins | vCenter - OIT vSphere Admins Approvers | Ken Cooper |
vCenter - OIT Security Admins | vCenter - OIT Security Admins Approvers | Josh Drummond |
vCenter - OIT Parking and Distribution Admins | vCenter - OIT Parking and Distribution Admins Approvers | Clint Maruki |
vCenter - OIT Database Admins | vCenter - OIT Database Admins Approvers | Deanna McMurray |
vCenter - OIT Production and Operations Management Admins | vCenter - OIT Production and Operations Management Admins Approvers | Brian Roode |
vCenter - OIT eDocs Admins | vCenter - OIT eDocs Admins Approvers | Linh Nguyen |
vCenter - OIT Graduate Division Admins | vCenter - OIT Graduate Division Admins Approvers | |
vCenter - OIT Office of Research Admins | vCenter - OIT Office of Research Admins Approvers | |
vCenter - Library Admins | vCenter - Library Admins Approvers | Ashley Burke |
vCenter - Nanosystems Research Admins | vCenter - Nanosystems Research Admins Approver | Paul Bautista |
Fig. B: VM Permissions
Initially, all assigned users will have the set of permissions listed below:
- Virtual Machine
  - Configuration
    - Modify Device Settings
    - Settings
    - Upgrade virtual machine compatibility
  - Interaction
    - Answer Questions
    - Configure CD Media
    - Console Interaction
    - Device Connection (NICs and removable media)
    - Power On
    - Power Off
    - Reset
    - VMware Tools Install
  - Snapshot Management
    - Create Snapshot
    - Remove Snapshot
    - Rename Snapshot
    - Revert Snapshot
- Folder (these privileges take effect only on sub-folders of the folder where the role is assigned)
  - Create
  - Delete
  - Rename
  - Move
- Datastore (granted only to allow mounting ISO images from the shared ISO repository)
  - Browse datastore
  - Low level file operation
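The following PowerCLI script is an added example, not OIT's own tooling or anything taken from this page: it builds a vCenter role containing exactly the Figure B privileges and grants it to one KSAMS-backed LDAP group on that client's VM folder. The vCenter host, LDAP domain and group name, role name, VM folder name and ISO datastore name are placeholders (assumptions), and the privilege IDs are the standard vSphere identifiers for the privileges named above; confirm them on your own vCenter version before use.

```powershell
# Added example (not OIT's own tooling): create the Fig. B role with PowerCLI and
# grant it to a KSAMS-populated LDAP group on a client's VM folder.
# ASSUMPTIONS: every value in this block is a placeholder, not a real OIT setting.
$VCenter      = 'vcenter.example.edu'
$RoleName     = 'OIT VM Client Admin'
$Principal    = 'CAMPUS\vCenter - Arts Admins'   # LDAP group populated from the KSAMS role
$VmFolder     = 'Arts'                           # the client's VM folder
$IsoDatastore = 'ISO-Repository'                 # shared ISO repository datastore

# vSphere privilege IDs matching the Fig. B list. Confirm on your version with:
#   Get-VIPrivilege | Select-Object Id, Name
$PrivilegeIds = @(
    # Virtual Machine > Configuration
    'VirtualMachine.Config.EditDevice',             # Modify device settings
    'VirtualMachine.Config.Settings',               # Settings
    'VirtualMachine.Config.UpgradeVirtualHardware', # Upgrade VM compatibility
    # Virtual Machine > Interaction
    'VirtualMachine.Interact.AnswerQuestion',
    'VirtualMachine.Interact.SetCDMedia',           # Configure CD media
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ToolsInstall',
    # Virtual Machine > Snapshot management
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RenameSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    # Folder (effective only on sub-folders below the assignment point)
    'Folder.Create', 'Folder.Delete', 'Folder.Rename', 'Folder.Move',
    # Datastore (only so ISOs in the shared repository can be mounted)
    'Datastore.Browse', 'Datastore.FileManagement'  # "Low level file operations"
)

Connect-VIServer -Server $VCenter | Out-Null

# Create the role from exactly the listed privileges, or reuse it if it exists.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $privs = @(Get-VIPrivilege -Id $PrivilegeIds)
    # Fail closed: never create a partial role because an ID did not resolve.
    if ($privs.Count -ne $PrivilegeIds.Count) {
        throw "Only $($privs.Count) of $($PrivilegeIds.Count) privilege IDs resolved; aborting."
    }
    $role = New-VIRole -Name $RoleName -Privilege $privs
}

# Grant on the client's VM folder with propagation so its VMs and sub-folders inherit.
$folder = Get-Folder -Name $VmFolder -Type VM
New-VIPermission -Entity $folder -Principal $Principal -Role $role -Propagate:$true

# Datastores sit in a separate inventory branch, so a VM-folder permission never
# reaches them: grant the role on the ISO datastore only, without propagation.
$ds = Get-Datastore -Name $IsoDatastore
New-VIPermission -Entity $ds -Principal $Principal -Role $role -Propagate:$false

# Show what was actually granted.
Get-VIPermission -Entity $folder, $ds -Principal $Principal |
    Select-Object Entity, Principal, Role, Propagate
```

Two caveats follow from the privilege list itself. The Folder privileges only act below the folder where the permission is assigned, so a client cannot rename or move the folder that scopes their own access. And "Low level file operations" allows files on a datastore to be moved and deleted, not just browsed, so the permission on the ISO repository should be confined to that one datastore (as above) and the repository should hold no VM disks.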
Fig. C: VM Tag data
Field | Description |
---|---|
PaaS Owner (Platform as a Service Owner) | UCInetID of the user or group responsible for OS tasks. This UCInetID will be contacted for low-level changes such as disk space changes, VMware Tools upgrades, etc. |
Data Owner | UCInetID of the user or group responsible for the application and data. This UCInetID will be contacted for scheduled and unscheduled interruptions, and for other changes that interrupt access to the VM's data. |
Purpose | The VM's primary purpose. These values are the tags that already exist in ServiceNow and may be expanded. |
Protection Level | The VM's protection level classification: the assigned number representing the level of security protection needed for the Institutional Information or IT Resource on it. Level 1 is the lowest; Level 3 denotes the most critical data. Definitions can be found at http://security.uci.edu/security-plan/plan-classification.html |
HA Restart Priority | The high availability (HA) restart priority determines the order in which a failed ESXi host's virtual machines are restarted on surviving hosts; higher-priority VMs are restarted first. The priority is applied per failed host: if multiple hosts fail, all VMs from the first host are restarted in priority order, then all VMs from the second host, and so on. OIT will also use the restart priority to decide which VMs to power off during an incident that severely reduces ESXi cluster capacity, with lower-priority VMs as the first candidates. The default is medium. |
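As an added example, not part of the page or of OIT's tooling, the PowerCLI script below audits every VM against the Figure C requirements: all mandatory fields present, owners in UCInetID form, Protection Level in 1..3, and HA Restart Priority in low/medium/high (with the documented default of medium applied when it is blank). It assumes the tag data is stored as vCenter custom attributes with the Figure C names; the page does not state how OIT stores the data, so the attribute names, the UCInetID pattern and the vCenter host are assumptions.

```powershell
# Added example (not OIT's own tooling): find VMs whose Fig. C tag data is
# missing or invalid, i.e. the ones that would end up in the 'Animal Shelter'.
# ASSUMPTION: the data lives in vCenter custom attributes with these exact names.
$Required        = 'PaaS Owner', 'Data Owner', 'Purpose', 'Protection Level', 'HA Restart Priority'
$ValidPriority   = 'low', 'medium', 'high'
$UcinetIdPattern = '^[a-z0-9._-]+$'   # ASSUMED shape of a UCInetID: no spaces, no '@'

function Test-VmTagData {
    param([Parameter(Mandatory)] $VM)
    $problems = @()
    $values   = @{}
    foreach ($a in Get-Annotation -Entity $VM -CustomAttribute $Required) {
        $values[$a.Name] = $a.Value
    }

    # Every field is mandatory except HA Restart Priority, which defaults to medium.
    foreach ($name in $Required) {
        if ([string]::IsNullOrWhiteSpace($values[$name])) {
            if ($name -eq 'HA Restart Priority') { $values[$name] = 'medium'; continue }
            $problems += "missing '$name'"
        }
    }

    # Owners must be contactable identities, not free text.
    foreach ($owner in 'PaaS Owner', 'Data Owner') {
        if ($values[$owner] -and $values[$owner] -notmatch $UcinetIdPattern) {
            $problems += "'$owner' is not a UCInetID: '$($values[$owner])'"
        }
    }

    # Protection Level is a classification number 1..3 (3 = most critical).
    if ($values['Protection Level'] -and $values['Protection Level'] -notin '1', '2', '3') {
        $problems += "'Protection Level' must be 1, 2 or 3, got '$($values['Protection Level'])'"
    }

    # Restart priority drives both HA restart order and capacity-incident power-off.
    if ($values['HA Restart Priority'].ToLower() -notin $ValidPriority) {
        $problems += "'HA Restart Priority' must be one of: $($ValidPriority -join ', ')"
    }

    [pscustomobject]@{ VM = $VM.Name; Problems = ($problems -join '; ') }
}

Connect-VIServer -Server 'vcenter.example.edu' | Out-Null   # ASSUMED host name
Get-VM | ForEach-Object { Test-VmTagData -VM $_ } |
    Where-Object Problems |        # keep only VMs with at least one problem
    Sort-Object VM | Format-Table -AutoSize
```

Run it read-only first; it changes nothing in vCenter. Because the Data Owner is the contact for interruptions and the PaaS Owner the contact for OS-level changes, a VM that passes this check is one that can actually be reached before it is powered off, which is the point of the claim process.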