This page provides OIT's VMware service client community with information about our upgrade project and will be updated to reflect progress. The parent of this page is available to all OIT staff and has more detailed technical information.

OIT primarily runs two VMware vSphere 5.5 environments as a consequence of the OIT Consolidation. This project will finally combine them into a single environment. The effort will bring the following benefits to our clients:

  • Streamlined access management through self-service KSAMS authorization and UCInetID logins (replacing the 'AD' and 'SERVERAD' Active Directory domains)
  • Enhanced security through mandatory DUO two-factor authentication, certificates signed by a trusted certificate authority, and other infrastructure security enhancements
  • Preparation for closer integration with services such as ServiceNow for change management, notifications, alerting, etc.

The upgrade is designed to be non-disruptive to all VMs: every virtual machine is expected to keep running as the upgrade takes place. However, because of the architecture changes involved, there may be gaps in access to low-level VM management operations (power on/off, snapshots, console, etc.). These gaps can be minimized by each client's level of preparation and cooperation with the migration process.

Client Action Items

KSAMS action items

KSAMS roles are used to grant authorization (permissions) within vCenter. vCenter permissions are granted to members of LDAP groups that are automatically populated from KSAMS roles, so even an individual who needs vCenter permissions on a single VM must hold a KSAMS role. KSAMS roles usually come in pairs: one role carries the permissions, and a second role approves memberships in the permission role. Figure A lists these roles as they appear in KSAMS.

  • Via the KSAMS ZotPortal App, request the Approver role for those who will approve the "Admin" role for people needing vCenter access to VMs. Generally, a manager and a director hold the Approver role. OIT recommends having two or more Approvers. Approvers do NOT gain access to VMs.
  • After the Approver role is set up, direct everyone requiring vCenter access to VMs to the KSAMS ZotPortal App to request the "Admin" role.
    • NOTE: "Admin" role requests submitted before the corresponding group's "Approver" request is completed will fail with KSAMS errors, so make sure at least one Approver is set up before adding Admins.
  • For simplicity and expediency, all users will initially be assigned the permissions in Figure B for their designated group of VMs. We welcome input on other permission levels and different user groupings going forward.

KSAMS example:

  • OIT's Data Center Infrastructure team uses the "vCenter - OIT vSphere Admins" and "vCenter - OIT vSphere Admins Approvers" roles.
  • Using the KSAMS ZotPortal App, a request was made to add Ken Cooper and Brian Buckler to the "vCenter - OIT vSphere Admins Approvers" role.
  • Each team member requested the "vCenter - OIT vSphere Admins" role.
  • Ken approved each request using the app.
  • vCenter access was granted.

DUO action items

Make sure all users requiring vCenter VM access have a DUO token set up through the DUO Enrollment App.

vCenter Login Procedure

The login procedure can be found at New OIT VMware vCenter Login Procedure.

Future action items

As the migration moves forward, this page will be updated with new action items. These will include logistics for the migration itself, operational changes in the new environment, and other information.

Fig. A: KSAMS Roles

KSAMS Role Name | KSAMS Approver Role Name | Identified Contact
vCenter - Arts Admins | vCenter - Arts Admins Approvers | Jason Valdry
vCenter - Bio Sci Admins | vCenter - Bio Sci Admins Approvers | Eric Sanchez
vCenter - CALIT2 Admins | vCenter - CALIT2 Admins Approvers | (Nobody)
vCenter - Education Admins | vCenter - Education Admins Approvers | Hyuk Kang
vCenter - Engineering Admins | vCenter - Engineering Admins Approvers | John Romine/Dan Melzer
vCenter - Humanities Admins | vCenter - Humanities Admins Approvers | Dwayne Pack
vCenter - Informatics Admins | vCenter - Informatics Admins Approvers | (Nobody)
vCenter - Integrated Nanosystem Research Facility Admins | vCenter - Integrated Nanosystem Research Facility Admins Approvers | Paul Bautista
vCenter - Law School Admins | vCenter - Law School Admins Approvers | Patty Furukawa
vCenter - Library Admins | vCenter - Library Admins Approvers | Ashley Burke
vCenter - OIT Academic Affairs Admins | vCenter - OIT Academic Affairs Admins Approvers | Max Garrick
vCenter - OIT Athletics IT Admins | vCenter - OIT Athletics IT Admins Approvers | Michael Koetsier
vCenter - OIT AWT Admins | vCenter - OIT AWT Admins Approvers | Kelsey Layos
vCenter - OIT Database Admins | vCenter - OIT Database Admins Approvers | Deanna McMurray
vCenter - OIT eDocs Admins | vCenter - OIT eDocs Admins Approvers | Linh Nguyen
vCenter - OIT EUS Admins | vCenter - OIT EUS Admins Approvers | Kyle Kurr
vCenter - OIT Financial Svc Admins | vCenter - OIT Financial Svc Admins Approvers | James Hsu/Cecilia Do
vCenter - OIT Graduate Division Admins | vCenter - OIT Graduate Division Admins Approvers | Rachel Tam
vCenter - OIT ILCS Admins | vCenter - OIT ILCS Admins Approvers | Son Nguyen
vCenter - OIT MAI Admins | vCenter - OIT MAI Admins Approvers | Jason Lin
vCenter - OIT Network Engineer Admins | vCenter - OIT Network Engineer Admins Approvers | Albert Gonzalez
vCenter - OIT Office of Research Admins | vCenter - OIT Office of Research Admins Approvers | Noah Margolis
vCenter - OIT Parking and Distribution Admins | vCenter - OIT Parking and Distribution Admins Approvers | Clint Maruki
vCenter - OIT Production and Operations Management Admins | vCenter - OIT Production and Operations Management Admins Approvers | Brian Roode
vCenter - OIT Security Admins | vCenter - OIT Security Admins Approvers | Josh Drummond
vCenter - OIT Specialized Desktop Support Admins | vCenter - OIT Specialized Desktop Support Admins Approvers | Sarkis Daglian
vCenter - OIT Standard Desktop Support Admins | vCenter - OIT Standard Desktop Support Admins Approvers | Jeremy Paje
vCenter - OIT vSphere Admins | vCenter - OIT vSphere Admins Approvers | Ken Cooper
vCenter - OIT WSG Admins | vCenter - OIT WSG Admins Approvers | Heindrick Yu
vCenter - Social Ecology Admins | vCenter - Social Ecology Admins Approvers | Jennifer Lane
vCenter - Social Science Admins | vCenter - Social Science Admins Approvers | Jonathan Nilsson
vCenter - Strategic Comm Admins | vCenter - Strategic Comm Admins Approvers | Jim Kreuziger
vCenter - VCSA Admins | vCenter - VCSA Admins Approvers | Wayne Fields
vCenter - Applied Innovation Admins | vCenter - Applied Innovation Admins Approvers | Marek Mandau
vCenter - OIT Facilities Mgmt Admins | vCenter - OIT Facilities Mgmt Admins Approvers | Jyoti Razdan
vCenter - WHCS Admins | vCenter - WHCS Admins Approvers | Jerome Reuter
vCenter - Read Only Users | vCenter - OIT vSphere Admins | DCI Team


Fig. B: VM Permissions

Initially, all assigned users will have the set of permissions listed below:

    • Virtual Machine
      • Configuration
        • Modify Device Settings
        • Settings
        • Upgrade virtual machine compatibility
      • Interaction
        • Answer Questions
        • Configure CD Media
        • Console Interaction
        • Device Connection (NICs and removable media)
        • Power On
        • Power Off
        • Reset
        • VMware Tools Install
      • Snapshot Management
        • Create Snapshot
        • Remove Snapshot
        • Rename Snapshot
        • Revert Snapshot
    • Folder (effective only on sub-folders beneath the object where the role is assigned)
      • Create
      • Delete
      • Rename
      • Move
    • Datastore (granted only to facilitate mounting ISO images from the shared ISO repository)
      • Browse datastore
      • Low level file operation
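The following PowerCLI script is an added illustration, not code from the original page or from OIT's own tooling. It builds the Fig. B permission set as a custom vCenter role and binds it to a KSAMS-populated LDAP group on one client's VM folder, which is the mechanism the KSAMS section describes. The vCenter hostname, role names, folder name, datastore name and LDAP group name are assumptions; the LDAP identity source must already be configured in vCenter SSO. The privilege IDs are vSphere's internal names for the Fig. B entries; confirm them with Get-VIPrivilege on your own vCenter before relying on them. Because a VM folder contains no datastores, the two Datastore privileges only take effect when granted on a datastore object, so the example places them in a second role bound to the ISO datastore alone. That split also keeps "Low level file operations", which permits moving and deleting files and not merely browsing, off the datastores that hold client VMs.

```powershell
# Added example (not from the original page): build the Fig. B permission set
# as vCenter roles and grant them to a KSAMS-backed LDAP group. All names below
# are assumptions for illustration.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.edu'   # assumed hostname

# vSphere privilege IDs corresponding to Fig. B (one per bullet).
$vmPrivilegeIds = @(
    # Virtual Machine > Configuration
    'VirtualMachine.Config.EditDevice',             # Modify device settings
    'VirtualMachine.Config.Settings',               # Settings
    'VirtualMachine.Config.UpgradeVirtualHardware', # Upgrade VM compatibility
    # Virtual Machine > Interaction
    'VirtualMachine.Interact.AnswerQuestion',
    'VirtualMachine.Interact.SetCDMedia',           # Configure CD media
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',     # NICs and removable media
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ToolsInstall',
    # Virtual Machine > Snapshot Management
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RenameSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    # Folder (effective only on sub-folders beneath the assignment point)
    'Folder.Create',
    'Folder.Delete',
    'Folder.Rename',
    'Folder.Move'
)
# Datastore privileges are kept in a separate role: "Low level file operations"
# also allows moving and deleting files, so it is granted on the ISO datastore only.
$isoPrivilegeIds = @('Datastore.Browse', 'Datastore.FileManagement')

$vmRoleName  = 'KSAMS VM Admin'     # assumed role name
$isoRoleName = 'KSAMS ISO Reader'   # assumed role name

# Create each role only if it does not already exist, so the script is re-runnable.
if (-not (Get-VIRole -Name $vmRoleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $vmRoleName -Privilege (Get-VIPrivilege -Id $vmPrivilegeIds) | Out-Null
}
if (-not (Get-VIRole -Name $isoRoleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $isoRoleName -Privilege (Get-VIPrivilege -Id $isoPrivilegeIds) | Out-Null
}

# The principal is the LDAP group that KSAMS populates; domain and group name are assumed.
$principal    = 'UCI\vcenter-oit-vsphere-admins'
$clientFolder = Get-Folder -Name 'OIT vSphere' -Type VM    # assumed client VM folder
$isoDatastore = Get-Datastore -Name 'ISO-Repository'      # assumed shared ISO datastore

# Propagate on the folder so the role reaches the VMs and sub-folders beneath it,
# and nowhere else; the ISO datastore grant does not propagate at all.
New-VIPermission -Entity $clientFolder -Principal $principal -Role $vmRoleName  -Propagate $true  | Out-Null
New-VIPermission -Entity $isoDatastore -Principal $principal -Role $isoRoleName -Propagate $false | Out-Null

# Check: list every object on which this group now holds a role. Anything beyond
# the client folder and the ISO datastore is a grant to investigate.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```

Run the final Get-VIPermission line on its own periodically; it is the quickest way to spot a KSAMS group that has picked up a permission outside its own folder.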

Fig. C: VM Tag data

PaaS Owner (Platform as a Service Owner)

UCInetID of the user or group responsible for OS tasks. This UCInetID will be contacted for low-level changes such as disk space changes, VMware Tools upgrades, etc.

  • UCInetID of Owner(s) or Group(s)

Data Owner

UCInetID of the user or group responsible for the application/data. This UCInetID will be contacted about scheduled or unscheduled interruptions and other changes affecting access to the VM's data.

  • UCInetID of Owner(s) or Group(s)

Purpose

The VM's primary purpose. These values mirror the tags already in use in ServiceNow and may be expanded.

  • application
  • database
  • domain_controller
  • file
  • mail
  • utility
  • web

Protection Level

The VM protection level is the assigned number representing the level of security protection needed for the Institutional Information or IT Resource the VM holds, with P1 the lowest and P3 the most critical. Definitions can be found at http://security.uci.edu/security-plan/plan-classification.html

  • P3-high
  • P2-medium
  • P1-low

HA Restart Priority

The high availability (HA) restart priority determines the order in which virtual machines (VMs) are restarted on surviving hosts when an ESXi host fails. Higher priority virtual machines are started first. This priority applies only on a per-host basis: if multiple hosts fail, all virtual machines from the first host are restarted in order of priority, then all virtual machines from the second host in order of priority, and so on. The restart priority will also be used to decide which VMs to power off during an incident that severely reduces our ESXi cluster capacity. The default is medium.

  • HA4-high
  • HA3-medium
  • HA2-low
  • HA1-disabled

vm_Backup_Job

The VM's Veeam backup job.
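The following PowerCLI script is an added illustration, not code from the original page or from OIT's own tooling. It covers two pieces of Fig. C: it creates the single-valued tag categories listed there (Purpose, Protection Level, HA Restart Priority) with the values the page gives, and it makes the HA Restart Priority tag authoritative by comparing each VM's actual vSphere HA restart priority against its tag and, on request, correcting the setting. Untagged VMs are treated as medium, which the page names as the default. The vCenter hostname is an assumption; the category and tag names are taken from Fig. C.

```powershell
# Added example (not from the original page): create the Fig. C tag categories
# and reconcile each VM's HA restart priority with its tag. Hostname is assumed.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.edu'   # assumed hostname

# Single-cardinality categories: a VM carries at most one tag from each.
$categories = @{
    'Purpose'             = @('application', 'database', 'domain_controller', 'file', 'mail', 'utility', 'web')
    'Protection Level'    = @('P1-low', 'P2-medium', 'P3-high')
    'HA Restart Priority' = @('HA1-disabled', 'HA2-low', 'HA3-medium', 'HA4-high')
}
foreach ($name in $categories.Keys) {
    $cat = Get-TagCategory -Name $name -ErrorAction SilentlyContinue
    if (-not $cat) {
        $cat = New-TagCategory -Name $name -Cardinality Single -EntityType VirtualMachine
    }
    foreach ($value in $categories[$name]) {
        if (-not (Get-Tag -Category $cat -Name $value -ErrorAction SilentlyContinue)) {
            New-Tag -Category $cat -Name $value | Out-Null
        }
    }
}

# Map the Fig. C tag values onto vSphere's HA restart priority settings.
$haMap = @{
    'HA1-disabled' = 'Disabled'
    'HA2-low'      = 'Low'
    'HA3-medium'   = 'Medium'
    'HA4-high'     = 'High'
}

# Reconcile: report every VM whose HA setting disagrees with its tag (or with the
# page's default of Medium when untagged); change it only when -Apply is given.
function Sync-HARestartPriority {
    param([switch]$Apply)
    foreach ($vm in Get-VM) {
        $assignment = Get-TagAssignment -Entity $vm -Category 'HA Restart Priority' -ErrorAction SilentlyContinue |
                      Select-Object -First 1
        $wanted  = if ($assignment) { $haMap[$assignment.Tag.Name] } else { 'Medium' }
        $current = "$($vm.HARestartPriority)"
        if ($current -ne $wanted) {
            Write-Output "$($vm.Name): HA restart priority is $current, tag says $wanted"
            if ($Apply) {
                Set-VM -VM $vm -HARestartPriority $wanted -Confirm:$false | Out-Null
            }
        }
    }
}

Sync-HARestartPriority           # dry run: list drift only
# Sync-HARestartPriority -Apply  # enforce the tag values
```

Running the dry run before a capacity incident tells you whether the tags the page asks clients to maintain actually match what HA will do; the -Apply form makes the tag the single source of truth for restart order.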
