Overview

Skill Level: Any Skill Level

The strategic partnership of IBM and VMware accelerates the end-to-end delivery and management of infrastructure by making IBM Power Systems interoperable with cloud orchestrators that are based on OpenStack technology.

Ingredients

The objective of this document is to show how VMware’s vRealize Automation (vRA) leverages IBM PowerVC, which is built on OpenStack APIs, to provide a complete automation platform for Infrastructure as a Service (IaaS) offerings based on IBM Power Systems. Installation and configuration of IBM PowerVC and VMware vRealize Automation are outside the scope of this document (see the References section). The intended audience is Infrastructure as a Service (IaaS) administrators, cloud service providers, program managers and technologists, or anyone who deploys IBM PowerVC and seeks orchestration extensibility.

We have done a PoC to call out the best practices for IBM PowerVC upward integration with VMware vRealize Automation (vRA), covering the provisioning methodology, service entitlements, resource reservations, custom properties and lifecycle management of virtual machines on IBM Power Systems.

 

Considerations for creating PowerVC Endpoint in VMware’s vRealize Automation
 

1. IBM PowerVC endpoint component functionality is available in vRealize Automation 7.1 through the OpenStack endpoint.
2. Endpoint URL: Previously, API URLs were given in this format: https://<ip-hostname>/powervc/openstack/<service>/. This URL will still work. However, the preferred format is: https://<ip-hostname>:<service-port>/.
3. The DEM Worker communicates with PowerVC to collect data and therefore must be configured to support proper TLS 1.2 communication. To enable the TLS v1.2 protocol on a Windows 2008 DEM host:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
 

4. If the certificates used by the PowerVC instance are not already trusted by your DEM node, import the certificate from PowerVC into the DEM node's Trusted Root Certificate Authorities store.
5. Always use host names (FQDN) for CN (common name) and SAN (subject alternative name) in certificates. Using an IP address is not supported.
6. Ensure that the PowerVC hostname is included in the certificate. If PowerVC was installed before hostname resolution was working on that system, the certificate may be missing the hostname. Correct the hostname resolution issues on the PowerVC host and then run the following command to update PowerVC and its certificate with the hostname: powervc-config general ifconfig --set
7. Creation and deletion of features like Fabric Group, Prefix, Reservations, Policies, and Business and Custom Groups all depend on each other. Create or delete them in the proper order, with appropriate cloud admin or user credentials.
8. Establish policies to control which Services are available to which vRA cloud users, and under what conditions.
9. If the Data Collection for PowerVC endpoint fails, then verify the error message in Logs and recheck the above considerations to ensure a successful data collection.
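
Added example (not part of the original recipe, and not IBM or VMware code): a Python pre-flight check for considerations 3 to 6 that forces a TLS 1.2 handshake against the endpoint and inspects the names in the certificate it presents. The function names and the sample certificate are constructed for illustration; port 5000 is the one shown in the endpoint URL format in this recipe.

```python
import ipaddress
import socket
import ssl


def is_ip(value):
    """True when value is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def check_cert_names(cert, host):
    """Return findings for a certificate dict in ssl.getpeercert() format."""
    findings = []
    if is_ip(host):
        findings.append("endpoint is addressed by IP; use the FQDN")
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(is_ip(cn) for cn in cns):
        findings.append("certificate CN is an IP address")
    sans = cert.get("subjectAltName", ())
    if any(kind == "IP Address" for kind, _ in sans):
        findings.append("certificate SAN lists an IP address")
    if not any(name_matches(v, host) for kind, v in sans if kind == "DNS"):
        findings.append("host name not present in certificate SAN: " + host)
    return findings


def probe(host, port=5000, cafile=None, timeout=10):
    """TLS 1.2-only handshake; an untrusted chain raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_cert_names(tls.getpeercert(), host)


# Constructed sample in getpeercert() format: certificate issued to an IP only.
SAMPLE_CERT = {"subject": ((("commonName", "192.0.2.10"),),),
               "subjectAltName": (("IP Address", "192.0.2.10"),)}
```

Calling probe() with the PowerVC FQDN and, if needed, cafile pointing at the exported PowerVC certificate returns an empty list when the names are in order; a handshake failure means the endpoint did not negotiate TLS 1.2 or the chain is not trusted.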

 

Step-by-step

  1. Introduction

    Maximizing efficiency and simplifying the management of heterogeneous clouds requires a consumable solution that aids optimized service delivery. IBM® Power® Virtualization Center (IBM PowerVC) and VMware vRealize Automation (vRA) work in concert to provide a complete automation platform for heterogeneous cloud environments, reducing the complexity of managing heterogeneous resources from a common portal.

    IBM PowerVC provides simplified virtualization management and cloud deployments for IBM AIX®, IBM i and Linux virtual machines (VMs) running on IBM Power Systems. VMware vRA, in turn, supports a wide range of on-premises virtualization technologies, such as VMware, Kernel-based Virtual Machine (KVM) and Microsoft Hyper-V, including IBM PowerVC and IBM z/VM, in addition to public cloud infrastructures such as IBM SoftLayer, Amazon EC2 and Microsoft Azure.

    Enabling VMware’s vRealize Automation Platform for IBM Power Systems allows administrators to provision virtualized workloads for AIX and Linux on PowerVM, along with Linux on z/VM and KVM on z Systems, through OpenStack-enabled APIs. This helps deploy images quickly using standardized blueprints combined with policy-based governance, assuring automated delivery of infrastructure services that meet changing business opportunities.

    Here’s a step-by-step guide to provisioning an AIX LPAR on an IBM Power System from the VMware vRealize Automation tool.

  2. Create IBM PowerVC Endpoint

    Creating an IBM PowerVC endpoint enables vRealize Automation to communicate with the infrastructure source (IBM PowerVC).

    – Configure the endpoint URL in the format: https://FQDN/powervc/openstack/service or https://<FQDN> or <IP_Address>:5000
    (Note: Do not include the /v2.0 suffix in the endpoint address.)

    Add credentials and project information. The credentials should be for a user with the administrator role in the specified project (/opt/ibm/powervc/powervcrc). PowerVC’s default project is ibm-default, but creating additional projects is supported and encouraged. Each vRA endpoint is specific to an individual PowerVC project; that is, you may create multiple endpoints pointing to different projects on the same PowerVC host.

    – Custom properties: The version property must always be set and it must always have the value “3”. The domain name property must be set if you have vRA 7.3 or later, and it must always have the value “Default”.

    For example:

    VMware.Endpoint.Openstack.IdentityProvider.Version – specifies the version of the OpenStack Identity provider (Keystone) to use when authenticating an OpenStack endpoint.

  3. Data Collection

    vRealize Automation collects data from IBM PowerVC endpoints and updates information about virtualization hosts, templates, and images for virtualization environments.

    – Data Collection can be initiated manually or can be scheduled to trigger at regular intervals.
    – Data Collection can be initiated either from the infrastructure source endpoint or from compute resources, with appropriate credentials.

  4. Create Fabric Group, Prefix, Reservation and its Policy, Business and Custom Groups.

    a. Fabric Groups are a way of segmenting our endpoints into different types of resources or to separate them by intent.
    b. Create Prefix: When defining a machine component in the blueprint design canvas, a prefix (a name for machines) is required.
    c. Create Business & Custom Group: The job of a business group is to associate a set of resources with a set of users, while a Custom Group enables you to have permissions besides just requesting a blueprint.
    d. Creating Reservations and Policies: Allows you to allocate provisioning resources to a business group in a tenant.

    Note: You can also create multiple endpoints with different OpenStack tenants, segregated by reservation policies for each tenant to ensure that machines are provisioned to the appropriate tenant resources.

  5. Blueprint

    Designing blueprints allows the admin to create virtual machine blueprints that include complete specifications of a machine, such as build information, networking, security and other software components. These can be employed as building blocks to create customized provisioned machines for consumers.

    Provisioning workflow: This feature allows the blueprint to specify the workflow to be used to provision a machine, including specifications such as CPU, memory and storage. Here’s a brief note on the types of workflows that an admin can choose from:

    · CloudLinuxKickstartworkflow: Provision a machine by booting from an ISO image, using a kickstart or AutoYaST configuration file and a Linux distribution image to install the operating system on the machine.

    · CloudWIMImageworkflow: Provision a machine by booting into a WinPE environment and installing an operating system using a Windows Imaging File Format (WIM) image of an existing Windows.

    · CloudProvisioning workflow: Launch an instance from a virtual machine instance or cloud-based image

    – For IBM PowerVC the workflow selected is “CloudProvisioning”.
    – Multiple flavors can be selected. Note that the flavors listed here are created in the PowerVC UI.
    – “All blueprints are initially created in draft mode. When you’re ready to start using it, publish the blueprint. This will create a catalog item.”

    Note: If the “OpenStack image” template does not list the operating systems or images from the infrastructure source (PowerVC), add a reservation to the associated endpoint and run data collection again.

     

  6. Create Service Catalog, Add Entitlements and Create Catalog Items

    6.1 Service Catalog: Services are used to organize catalog items into related offerings, making it easier for service catalog users to browse for the catalog items they need, and it is designed to list provisioned resources.

    – Adding an entitlement to the services determines which users and groups can perform specific actions, as shown in the figure below.
    – Entitlements can also be prioritized, and they are specific to a business group.

    vra-10

    6.2 Create catalog item: Users can browse the service catalog for catalog items that they are entitled to request.

  7. Deploy VM from Catalog

    Access the catalog on vRA and deploy the VMs using blueprints displayed as catalog items.

    Select the catalog item and make a request for the deployment. You can specify the number of instances and choose a predefined flavor for the deployment.

    The status of the request can be viewed from the “Request” tab.

    View details of the deployed VM from the “Items” tab. Users can manage their provisioned items on the Items tab.

    While the VM is being deployed through vRA, the deployment can be verified from PowerVC. The state and health of the deployed VM should show as Active and OK.

    From the Actions menu, click “Connect using Console”, then open the Address link and provide credentials to connect to the VM console.

  8. Troubleshooting: Possible error messages that you may encounter while integrating IBM PowerVC with VMware vRealize Automation (vRA).

    1. When the Data Collection for the PowerVC endpoint fails, a few of the possible errors that you may encounter are shown below. Ensure that the DEM Worker node is properly configured to meet the PowerVC and OpenStack requirements, and that the PowerVC self-signed or untrusted certificate is added to the Trusted Root of the DEM node. You can check the considerations mentioned above in this document.

     Error Message 1:

    Endpoint Data Collection failed for endpoint PowerVC-TEST [Workflow Instance Id=261881]
    Unable to connect to the remote server.
    Inner Exception: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host failed to respond.

     Error Message 2:

    Endpoint Data Collection failed for endpoint PowerVC-HCST [Workflow Instance Id=269843]
    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
    Inner Exception: The remote certificate is invalid according to the validation procedure.

     

    2. Another possible error message when Data Collection of PowerVC fails.

    Error Message :

    Inventory Data Collection failed for HostID f5299ef7-xx..xx..xxx…- [Workflow Instance Id=11521]net.openstack.Core.Exceptions.Response.UserNotAuthorizedException: Policy doesn’t allow os_compute_api:os-security-groups to be performed.
    at net.openstack.Providers.Openstack.Validators.HttpResponseCodeValidator.Validate(Response response)
    at net.openstack.Providers.Openstack.ProviderBase`1.ExecuteRESTRequest[T](CloudIdentity identity, Uri absoluteUri, HttpMethod method, Object body, Dictionary`2

    Workaround: Edit the /opt/ibm/powervc/policy/nova/policy.json file to replace “!” with “role:admin”
    for the “os_compute_api:os-security-group” policy rule.

    Note: PowerVC does not officially support editing policy.json files

    3. Accessing the Infrastructure tabs fails in the VMware vRealize Automation (vRA) tool. This issue could be due to limited privileges. Check the credentials and privileges.

    4. The “Suspend” action is not supported on PowerVC, so suspend will fail with an error: “NotImplementedError”.
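
    Added example (not part of the original recipe, and not IBM or VMware code): a Python helper that applies the policy.json workaround from item 2 as one guarded rule change. In OpenStack policy syntax “!” is a check that never passes, so the helper changes only the named rule, refuses to act when that rule is missing or is not “!”, and reports which other rules remain denied; the guard matters here because the error message and the workaround spell the rule name differently. The sample policy and the rule os_compute_api:os-example-hypothetical are constructed for illustration.

```python
import json

DENY_ALL = "!"  # oslo.policy syntax: a check that never passes, for any user


def relax_rule(policy_text, rule, new_check="role:admin"):
    """Return (new_text, change) with only `rule` changed from "!" to new_check.

    Raises if the rule is absent or is not currently "!", so a misspelled rule
    name or an already edited file never results in a silent rewrite.
    """
    policy = json.loads(policy_text)
    if rule not in policy:
        raise KeyError("rule not present in policy file: %s" % rule)
    old = policy[rule]
    if old != DENY_ALL:
        raise ValueError("%s is %r, not %r; file left unchanged" % (rule, old, DENY_ALL))
    policy[rule] = new_check
    # Key order is preserved, so a diff against the backup shows one changed line.
    return json.dumps(policy, indent=4) + "\n", {rule: (old, new_check)}


def other_denied_rules(policy_text, prefix="os_compute_api:"):
    """List rules under `prefix` that are still "!" (deliberately left alone)."""
    policy = json.loads(policy_text)
    return sorted(k for k, v in policy.items() if k.startswith(prefix) and v == DENY_ALL)


# Constructed sample, not a real PowerVC policy file. The second "!" rule is
# hypothetical and stands in for rules the workaround must not touch.
SAMPLE = json.dumps({
    "context_is_admin": "role:admin",
    "os_compute_api:os-security-groups": "!",
    "os_compute_api:os-example-hypothetical": "!",
})

if __name__ == "__main__":
    text, change = relax_rule(SAMPLE, "os_compute_api:os-security-groups")
    print(change)
    print("still denied:", other_denied_rules(text))
```

    Keep a copy of the original policy.json before writing the returned text, so the change can be reverted when PowerVC is updated.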

  9. Lifecycle Management of Virtual Machines on vRA and PowerVC

    The table below lists the operations that can be triggered on VMs when managed from PowerVC and vRA.

    vra-20-new

  10. Summary

    Using the endpoint framework and OpenStack APIs, VMware vRealize Automation (vRA) can now provision virtualized workloads on IBM Power Systems, providing more options and an improved user experience for its clients by interacting with IBM PowerVC. This capability in the VMware vRA management tool gives flexibility to manage a wide range of on-premises virtualization platforms and public cloud infrastructure from a single console.

    IBM PowerVC coupled with vRA allows administrators to provision and configure cloud workloads to automate IT service delivery and simplify hybrid cloud infrastructure management, thereby reducing maintenance and operations costs.

     

     

     

    References:

    1. https://www.ibm.com/support/knowledgecenter/en/SSXK2N_1.3.1/com.ibm.powervc.standard.help.doc/kc_welcome-standard-supermap.html

    2. https://docs.vmware.com/en/vRealize-Automation/index.html

    3. https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2150230&sliceId=1&docTypeID=DT_KB_1_1&dialogID=448674583&stateId=0%200%20525838565

    4. https://blogs.vmware.com/management/2016/10/vrealize-automation-managing-powervc.html

     

     

     

    Co-Authors: Manjunatha Hr, Leena Kushwaha

    Setareh Mehrabanzad, Marty Fullam and Alise Spence.

     

3 comments on "IBM PowerVC upward Integration with VMware vRealize Automation (vRA)"

  1. Hello Leena,

    Besides provisioning an AIX instance from vRealize, can we also do LPM, remote restart and other PowerVC features from vRealize?

  2. Bibek Das May 01, 2018

    Hello Leena,

    Can vRA discover, import and manage existing PowerVC workloads for brownfield customers? This is not migration of existing workloads, but discovery and import onto vRA and performing management operations (start, stop, expire, recycle, destroy, resize etc.)?
