Configuration drift is a common challenge in virtualized environments, where changes to the configuration of hosts or clusters can lead to inconsistencies and potential issues. You want to be able to monitor potential configuration drift within larger VMware vSphere environments. In this blog post, we’ll explore how to set up and use vSphere 8 and Configuration profiles to ensure your environment remains compliant and stable.
Understanding Configuration Drift
Configuration drift occurs when the actual configuration of a cluster or host deviates from its desired state. This can happen due to manual changes, automated processes, or even misconfigurations. Over time, configuration drift can lead to performance issues, security vulnerabilities, and compliance problems. Monitoring and managing configuration drift is essential to maintain the health and stability of your virtualized environment.
Since vSphere 8.0 U1, administrators have had a feature called Configuration Profiles. We have already blogged about this feature here – vSphere 8.0 U1 Configuration Profiles, and here for 8.0 U2 – vSphere Configuration Profiles – How VMware vCenter Server 8.0 U2 Can Simplify and Optimize vSphere Infrastructure Administration.
vSphere Configuration Profiles
vSphere Configuration Profiles are a feature in VMware vSphere that allows administrators to define and enforce a desired configuration state for clusters and hosts. By creating configuration profiles, you can specify the settings and policies that should be applied to your environment. These profiles can include network settings, security policies, storage configurations, and more.
We’ll look at how to easily monitor vSphere 8 configuration drift with Configuration Profiles via a custom alarm definition.
If you have drift in your vSphere configuration, you’d like to be notified, right? We can do that. You can create a custom alarm that triggers when one or more hosts in your cluster are not compliant with the cluster configuration.
Requirements
vSphere Configuration Profiles require the following:
- The cluster lifecycle must be managed with vSphere Lifecycle Manager (vLCM) images.
- Hosts must run ESXi 8.0 or later.
- The feature requires an Enterprise Plus license.
Limitations
Currently there are none, but previous releases of vSphere had some. vSphere Configuration Profiles originally could not be used with a vDS (vSphere Distributed Switch); since 8.0 U1, vDS is supported.
Starting with vSphere 8.0 Update 1, you can enable vSphere Configuration Profiles on a cluster that uses a vSphere Distributed Switch.
There was also another limitation, which has been removed in U3:
Quote:
Starting with vSphere 8.0 Update 3, you can enable vSphere Configuration Profiles on a cluster that you manage with baselines. The transition workflow starts with selecting a reference host whose configuration schema is imported and used as the desired cluster configuration schema.
How to create a custom alarm definition and at which level?
In vCenter Server, the scope of a new alarm depends on the level at which you create it (host, cluster, or datacenter).
Depending on what you want to achieve, you can also create several alarm definitions and apply them to different types of clusters (production, testing, monitoring), so that a production cluster triggers a critical alarm while a test cluster triggers only a warning.
Note: for now, we need to create a custom alarm, but a future release of vSphere will ship a built-in alarm definition by default.
The compliance check runs automatically every 8 hours, comparing the cluster against the desired configuration. The alarm triggers on both automatic and manual compliance checks (yes, you can run the compliance check manually too).
Open the vSphere Client and navigate to vCenter > Configure > Alarm Definitions > ADD.
Click Next, and in the argument field paste this:
com.vmware.vcIntegrity.ClusterConfigurationOutOfCompliance
Note: there are at least two alarm rule arguments, one per level:
com.vmware.vcIntegrity.HostConfigurationOutOfCompliance for host alarms, or com.vmware.vcIntegrity.ClusterConfigurationOutOfCompliance for cluster alarms.
Then set the alarm to trigger and show as a warning, and enable the email notification.
Click Next to continue and confirm the alarm creation.
Once done, the new alarm appears in the Alarm Definitions section.
You can then test the alarm by changing some value on one host in your cluster, for example adding a new vNIC without an uplink or creating an empty vSwitch.
Then navigate to the desired state configuration of your cluster and check compliance: the modified host appears as non-compliant and a new alarm is triggered at the cluster level. All hosts that differ from the desired configuration are listed, with an alarm, under the Monitor tab at the vCenter or cluster level.
Source: vSphere blog
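The same alarm definition can be created without the UI. The PowerCLI function below is an added example (not code from the original post or from VMware); it calls the vSphere AlarmManager API with the two event ids given above and assumes an active Connect-VIServer session, a cluster named Prod/Test in the usage lines, and, for email, that the vCenter mail sender is already configured.

```powershell
# Added example (not from the original post): creates the drift alarm from the
# steps above via the vSphere AlarmManager API. Assumes a Connect-VIServer session.
function New-ConfigDriftAlarm {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # A cluster, a datacenter, or the root folder (Get-Folder -NoRecursion) for a vCenter-wide alarm.
        [Parameter(Mandatory)] $Entity,
        [ValidateSet('Cluster', 'Host')] [string] $Scope = 'Cluster',
        # yellow = warning (test clusters), red = critical (production clusters).
        [ValidateSet('yellow', 'red')] [string] $Status = 'yellow',
        [string] $MailTo   # assumes the vCenter mail sender is configured
    )
    # Event ids from the post: com.vmware.vcIntegrity.{Cluster|Host}ConfigurationOutOfCompliance
    $eventId = "com.vmware.vcIntegrity.${Scope}ConfigurationOutOfCompliance"
    $objType = @{ Cluster = 'ClusterComputeResource'; Host = 'HostSystem' }[$Scope]
    # Event-based trigger: raise the alarm when this EventEx is posted for the object type.
    $trigger = New-Object VMware.Vim.EventAlarmExpression
    $trigger.EventType   = 'EventEx'
    $trigger.EventTypeId = $eventId
    $trigger.ObjectType  = $objType
    $trigger.Status      = $Status
    $spec = New-Object VMware.Vim.AlarmSpec
    $spec.Name        = $Name
    $spec.Description = "vSphere Configuration Profiles drift ($Scope scope)"
    $spec.Enabled     = $true
    $spec.Expression  = New-Object VMware.Vim.OrAlarmExpression
    $spec.Expression.Expression = @($trigger)
    $spec.Setting     = New-Object VMware.Vim.AlarmSetting   # required; tolerance/frequency default to 0
    if ($MailTo) {
        $mail = New-Object VMware.Vim.SendEmailAction
        $mail.ToList  = $MailTo
        $mail.Subject = '[vSphere] Configuration drift on {targetName}'
        $mail.Body    = '{eventDescription}'
        $act = New-Object VMware.Vim.AlarmTriggeringAction
        $act.Action = $mail
        # Notify on both upward transitions so warning and critical alarms both send mail.
        $act.TransitionSpecs = @(@('green', 'yellow'), @('yellow', 'red')) | ForEach-Object {
            $t = New-Object VMware.Vim.AlarmTriggeringActionTransitionSpec
            $t.StartState = $_[0]; $t.FinalState = $_[1]; $t.Repeats = $false; $t
        }
        $spec.Action = New-Object VMware.Vim.GroupAlarmAction
        $spec.Action.Action = @($act)
    }
    $alarmMgr = Get-View (Get-View ServiceInstance).Content.AlarmManager
    $alarmMgr.CreateAlarm($Entity.ExtensionData.MoRef, $spec)   # returns the new Alarm MoRef
}
# Usage (cluster names are placeholders): critical on production, warning only on test.
# New-ConfigDriftAlarm -Name 'Prod config drift' -Entity (Get-Cluster 'Prod') -Status red -MailTo 'ops@example.com'
# New-ConfigDriftAlarm -Name 'Test config drift' -Entity (Get-Cluster 'Test')
```

The alarm has no reset expression, so once triggered it stays until acknowledged or reset to green from the cluster's Monitor tab.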
Final Words
Monitoring configuration drift with alarms for vSphere Configuration Profiles in vSphere 8.0 U3 is a powerful way to maintain the health and stability of your virtualized environment. By setting up configuration profiles and alarms, you can ensure that your VMs and hosts remain compliant with your desired configuration state. This proactive approach helps prevent performance issues, security vulnerabilities, and compliance problems, keeping your environment running smoothly. Future versions of VMware vSphere should have this alarm built in. Hopefully configuration drift detection and Configuration Profiles will receive further enhancements in the future.