Hi, French & junior (VMware) but still alive.
Existing:
1 DC / 1 cluster / 3 ESXi / vSphere 6.7u2
VMware PowerCLI 11.5.0 build 14912921
PowerShell 5.1.14409.1018
vSwitch0 (management), vSwitch1 (VM)
2 user groups (G, U)
20 users per group (G201, ..., G220; U101, ..., U120)
Each user has his own private space (e.g. for user G201):
VMs & templates/G/G201: VM1, VM2, ...
storage/G: here, no private folder, all the G group VMs are stored here.
networking/Pedago/G/G201: G-lan-2010, G-lan-2011, ...
vSwitch2 created, NIC attached, no VLAN created in it yet.
Expecting:
Create 10 new VLANs for each user of group 'G' (using a .csv import) in vSwitch2.
- With roles/permissions (each user can see & operate only their own VMs, and the same for their own VLANs)
- Each user VLAN should land in the user's network folder (so I don't have to drag it with the mouse)
Bonus:
How can I get the full path to a user folder? Are the vPGs at root or in specific folders?
For example: the network folder of user G201 is in folder 'G', which is (I think) in 'Students', which is (I'm still not sure) in 'Pedago', which is in... the network folder. 'Get-Folder' gave me some information but I'm not sure of the real full path. I have to manage something I didn't install.
Thanks a lot for your help; I have already spent some hours searching the net about it and tried some scripts, sadly without the expected result.
Are the pNICs used in the vSwitches connected to switch ports that have the same VLAN tagging?
This is probably not a VMware issue (since it works when on the same ESXi node) but might be a physical network issue.
Yes, for the VM migration question I would prefer a new thread.
Otherwise, this thread becomes too long and complex.
Make sure to document exactly what the current situation is and where you want to go.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
This is similar to your previous thread: Individual permissions on Esx resources (networks/portgroup, datastore/directory,...) from a list of...
For the full path you could use my Get The Folderpath post.
The Portgroups on a VSS can be found in the Network folder of the Datacenter (although they are defined on each individual ESXi node).
I'm not sure about what you want to do with the new portgroups.
Since these are portgroup on a VSS, they need to be defined on each ESXi node in the cluster.
Is that what you want?
I'm not sure what you mean by "...Each user vlan should reach the network folder of the user"
Perhaps a screenshot of a sample setup would help?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
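The folder-path question and the "put the portgroup in the user's network folder" request, as an added example that is not part of the thread and is not LucD's Get-FolderPath code. It assumes an open Connect-VIServer session; the datacenter name 'MyDC' is an assumption, and the folder chain PEDAGO/GRETA/UFA213 and the portgroup name GRETA-LAN-2137 are the names used in this thread. The move uses Folder.MoveIntoFolder from the vSphere API because Get-VirtualPortGroup returns per-host HostPortGroup objects, while the thing that lives in a network folder is the datacenter-level Network object that vCenter creates once for a given VSS portgroup name.

```powershell
# Added example, not from the thread. Requires a live Connect-VIServer session.

function Get-InventoryPath {
    <#
    Walks the Parent chain of any inventory object and returns its full path,
    e.g. 'MyDC/network/PEDAGO/GRETA/UFA213/GRETA-LAN-2137'.
    Pass the .ExtensionData of a PowerCLI object (folder, network, VM, datastore).
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [VMware.Vim.ManagedEntity]$Entity
    )
    process {
        $segments = [System.Collections.Generic.List[string]]::new()
        $current = $Entity
        while ($current) {
            $segments.Insert(0, $current.Name)
            if (-not $current.Parent) { break }
            $current = Get-View -Id $current.Parent -Property Name, Parent
        }
        # The hidden vCenter root folder is named 'Datacenters'; drop it so the
        # path starts at the datacenter
        if ($segments.Count -gt 0 -and $segments[0] -eq 'Datacenters') { $segments.RemoveAt(0) }
        $segments -join '/'
    }
}

function Move-NetworkToFolder {
    <#
    Moves the Network object behind a VSS portgroup name into a network folder
    given as a chain of folder names starting at the datacenter's network root.
    Walking the chain (instead of Get-Folder -Name) avoids picking a folder with
    the same name under another group.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DatacenterName,
        [Parameter(Mandatory)][string]$NetworkName,
        [Parameter(Mandatory)][string[]]$FolderPath
    )
    $dc = Get-Datacenter -Name $DatacenterName -ErrorAction Stop
    $folder = Get-View -Id $dc.ExtensionData.NetworkFolder -Property Name, ChildEntity
    foreach ($name in $FolderPath) {
        # Only descend into Folder children; Network objects also live in ChildEntity
        $folderRefs = @($folder.ChildEntity | Where-Object { $_.Type -eq 'Folder' })
        $child = $null
        if ($folderRefs.Count -gt 0) {
            $child = Get-View -Id $folderRefs -Property Name, ChildEntity |
                Where-Object { $_.Name -eq $name }
        }
        if (-not $child) { throw "Folder '$name' not found under '$($folder.Name)'" }
        $folder = $child
    }
    # Exact-name match: -Filter takes a regex, so escape the portgroup name
    $net = Get-View -ViewType Network -Property Name -Filter @{ Name = '^' + [regex]::Escape($NetworkName) + '$' }
    if (-not $net) { throw "Network '$NetworkName' not found in the vCenter inventory" }
    if ($PSCmdlet.ShouldProcess($NetworkName, "move into $($FolderPath -join '/')")) {
        $folder.MoveIntoFolder(@($net.MoRef))
    }
}

# Usage (names are assumptions / thread placeholders); -WhatIf shows the move first
Move-NetworkToFolder -DatacenterName 'MyDC' -NetworkName 'GRETA-LAN-2137' `
    -FolderPath 'PEDAGO', 'GRETA', 'UFA213' -WhatIf
(Get-Folder -Name 'UFA213' -Type Network).ExtensionData | Get-InventoryPath
```

Because the Network object is shared by every host that defines the portgroup, the move is done once, not per ESXi host; the per-host step is only creating the portgroup on each host's vSwitch.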
Thanks for your quick answer.
With Get-FolderPath, I got an error because of the 1st line (#requires -pssnapin ...). After seeing your post here: ,
'VMware.VimAutomation.Core' is not installed on this computer, I did a "Get-Folder | Get-FolderPath | Format-Table -AutoSize".
That will help me to be more understandable, I hope!
In the file getfolderpath.txt, I pasted just 1 user (UFA213, who is in the group GRETA; these users & groups exist in an AD).
In network-vsphere-client.jpg, a screenshot of the "networking page" in the VMware client.
You can see at the far bottom the vPG 'GRETA-LAN-2137' I created a few hours ago.
What I'm looking to do is, when I create it (or just after, if it's not possible at that moment), to find it in its proper folder.
In this example, 'GRETA-LAN-2137' should have been in the (net)folder 'UFA213', in group 'GRETA', itself in 'PEDAGO'; to make me feel happy & efficient.
And yes, 'GRETA-LAN-2137' has been defined on each ESXi node in the cluster.
Users' VMs can go anywhere in the cluster (+vMotion/DRS) but have to be able to communicate with each other according to their own VLAN. I hope this last sentence was not more confusing than clarifying.
If another screenshot of a sample setup or anything else can help you to completely understand me, just tell me which kind.
Thanks a lot.
Christophe
New-VIPermission doesn't work for a VSS portgroup.
We have to revert to the API method.
See if the following works for you.
Update the switch, ESXi node, portgroup name, principal and role.
When it works for you, we can incorporate this in the original script (and replace New-VIPermission).

function New-PGPermission {
    [cmdletbinding()]
    param(
        [string]$VMHost,
        [string]$Portgroup,
        [string]$Principal,
        [string]$Role
    )

    $authMgr = Get-View AuthorizationManager
    # Confirms the standard portgroup exists on this host
    $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup
    $esx = Get-VMHost -Name $VMHost
    # The permission is set on the vCenter Network object behind the portgroup name
    $pgMoRef = (Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $Portgroup}).MoRef

    $perm = New-Object VMware.Vim.Permission
    $perm.Entity = $pgMoRef
    $perm.RoleId = (Get-VIRole -Name $Role).ExtensionData.RoleId
    $perm.Principal = $Principal
    $perm.Group = $false        # set to $true when the principal is a group
    $perm.Propagate = $false
    $authMgr.SetEntityPermissions($pgMoRef,@($perm))
}

$vssName = 'vSwitch0'
$pgName = 'TestPG'
$esxName = 'myesx'
$principal = 'domain\user'
$roleName = 'Admin'

$vss = Get-VirtualSwitch -Name $vssName -VMHost $esxName
# Remove an existing portgroup with that name, on this host's switch only
Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -ErrorAction SilentlyContinue |
Remove-VirtualPortGroup -Confirm:$false
$pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss
New-PGPermission -VMHost $esxName -Portgroup $pg.Name -Principal $principal -Role $roleName
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I'm not sure I understand everything you wrote, but I executed the script on each ESXi.
I updated the switch, ESXi node, portgroup name, principal and role.
esxi1 seems to be OK, no message at the end, just the prompt.
esxi2 and 3 returned the error in the attached docs.
The portgroup has been removed from esxi1 & 2 but not from esxi3...
That could mean two things.
What is returned when you do the following on esxi2 or esxi3?
Update the names for your environment.

$esxName = 'esxi2'
$portgroupName = 'TestPG'
$esx = Get-VMHost -Name $esxName
# Lists the Network object of that name as seen by this host (nothing means the host doesn't have it)
(Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $portgroupName}).Name
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
A portgroup with the same name doesn't exist on another virtual switch (checked in each vSwitch of each ESXi).
I launched the last short script you sent me. No return from esxi1 & 2. esxi3 returned the name of the PG (GRETA-LAN-2137).
To be sure I've done the right thing with the New-PGPermission script you sent me: before I updated the variables and launched the script on each ESXi (one after the other), I had already created the PG 'GRETA-LAN-2137' on the 3 ESXi. Did I do the job in the right order?
I just tested launching the New-PGPermission script again several times. Now it creates the PG on esxi2 & 3 only, but not on both at the same time; the PG appears only on the last ESXi I launched the script on. Strange, no? esxi1 still returned the same error I got yesterday from esxi2 & 3. Finally, I launched the script again 2/3 times and esxi1 didn't return any error and created the PG 'GRETA-LAN-2137' in vSwitch2. But no more PG 'GRETA-LAN-2137' on esxi2 & 3...
During these last tries, I was disconnected from the client (but not from PowerCLI/PowerShell); maybe nothing to do with it, but...?
For more information: this user account exists but has no user or VM right now, so no use, actually, of its PG.
The script I sent earlier was only for creating the PG and the permission on 1 ESXi node.
The script removes the PG with the same name on that ESXi node, should it already exist.
Did you adapt the script to run over all ESXi nodes in the cluster?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes, I updated $esxName = 'esxi2' to 'esxi1' & 'esxi3'.
OK, try this version.
It should create the PG and assign the permission on each ESXi node in a cluster.

function New-PGPermission {
    [cmdletbinding()]
    param(
        [string]$VMHost,
        [string]$Portgroup,
        [string]$Principal,
        [string]$Role
    )

    $authMgr = Get-View AuthorizationManager
    # Confirms the standard portgroup exists on this host
    $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup
    $esx = Get-VMHost -Name $VMHost
    # The permission is set on the vCenter Network object behind the portgroup name
    $pgMoRef = (Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $Portgroup}).MoRef

    $perm = New-Object VMware.Vim.Permission
    $perm.Entity = $pgMoRef
    $perm.RoleId = (Get-VIRole -Name $Role).ExtensionData.RoleId
    $perm.Principal = $Principal
    $perm.Group = $false        # set to $true when the principal is a group
    $perm.Propagate = $false
    $authMgr.SetEntityPermissions($pgMoRef,@($perm))
}

$vssName = 'vSwitch0'
$pgName = 'TestPG'
$clusterName = 'cluster'
$principal = 'domain\user'
$roleName = 'Admin'

Get-Cluster -Name $clusterName | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $vss = Get-VirtualSwitch -Name $vssName -VMHost $esx
    # Clean up old portgroup should it exist (on this host's switch only)
    Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VMHost $esx -ErrorAction SilentlyContinue |
    Remove-VirtualPortGroup -Confirm:$false
    # Create new portgroup
    $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss
    # Assign permission
    New-PGPermission -VMHost $esx.Name -Portgroup $pg.Name -Principal $principal -Role $roleName
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Nice,
On the 1st try, I got the PG created on the 3 ESXi but with a final error message:
Exception calling "SetEntityPermissions" with "2" argument(s): "
Required parameter entity is missing
while parsing call information for method SetEntityPermissions
at line 1, column 171
while parsing SOAP body
at line 1, column 64
while parsing SOAP envelope
at line 1, column 0
while parsing HTTP request for method setEntityPermissions
on object of type vim.AuthorizationManager
at line 1, column 0"
At line:37 char:5
+ $authMgr.SetEntityPermissions($pgMoRef,@($perm))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : VimException
Exception calling "SetEntityPermissions" with "2" argument(s): "
Required parameter entity is missing
while parsing call information for method SetEntityPermissions
at line 1, column 171
while parsing SOAP body
at line 1, column 64
while parsing SOAP envelope
at line 1, column 0
while parsing HTTP request for method setEntityPermissions
on object of type vim.AuthorizationManager
at line 1, column 0"
At line:37 char:5
+ $authMgr.SetEntityPermissions($pgMoRef,@($perm))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : VimException
I launched the script one more time and then got the same result without any error message.
But the PG
That seems to indicate that the PG is not created or found.
Or there is a kind of ghost ESXi node in the cluster.
How many ESXi nodes are returned when you do a Get-Cluster | Get-VMHost?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
PS C:\Windows\system32> Get-Cluster | Get-VMHost
Name ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz MemoryUsageGB MemoryTotalGB Version
---- --------------- ---------- ------ ----------- ----------- ------------- ------------- -------
al-esxi-02.sio.local Connected PoweredOn 24 4450 50280 185,505 382,458 6.7.0
al-esxi-03.sio.local Connected PoweredOn 24 3036 50280 174,881 382,458 6.7.0
al-esxi-01.sio.local Connected PoweredOn 24 3689 50280 164,894 382,458 6.7.0
PS C:\Windows\system32> Get-VirtualPortGroup -Name "GRETA-LAN-2137" | Format-Table -AutoSize
Name Key VLanId PortBinding NumPorts
---- --- ------ ----------- --------
GRETA-LAN-2137 key-vim.host.PortGroup-GRETA-LAN-2137 2137
GRETA-LAN-2137 key-vim.host.PortGroup-GRETA-LAN-2137 2137
GRETA-LAN-2137 key-vim.host.PortGroup-GRETA-LAN-2137 2137
(I added the VLanId '2137' to your script.)
Can you add a debug statement in there, for example a Write-Host inside the ForEach loop, that shows which ESXi node is being handled?
That way we can know for which ESXi node the issue occurs.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I don't know how to do what you ask, or in which script.
Do you mean this:
PS C:\Windows\system32> Get-Cluster | Get-VMHost | Write-Host | Format-Table -AutoSize
al-esxi-02.sio.local
al-esxi-03.sio.local
al-esxi-01.sio.local
PS C:\Windows\system32> Get-VirtualPortGroup -Name "GRETA-LAN-2137" | Write-Host | Format-Table -AutoSize
GRETA-LAN-2137
GRETA-LAN-2137
GRETA-LAN-2137
or this:
ForEach-Object -Process {
$vss = Get-VirtualSwitch -Name $vssName -VMHost $esx | Write-Host
# Clean up old portgroup should it exist
Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vssName -VMHost $esx -ErrorAction SilentlyContinue |
Remove-VirtualPortGroup -Confirm:$false | Write-Host
# Create new portgroup
$pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId 2137 | Write-Host
# Assign permission
New-PGPermission -VMHost $esx.Name -Portgroup $pg.Name -Principal $principal -Role $roleName | Write-Host
}
Result:
vSwitch2
New-VirtualPortGroup : Cannot validate argument on parameter 'VirtualSwitch'. The argument is null or empty. Provide an argument that is not null or empty, and then
try the command again.
At line:67 char:61
+ ... $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId ...
+ ~~~~
+ CategoryInfo : InvalidData: (:) [New-VirtualPortGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVirtualPortGroup
Get-VirtualPortGroup : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the
command again.
At line:19 char:64
+ ... $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-VirtualPortGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVirtualPortGroup
Exception calling "SetEntityPermissions" with "2" argument(s): "
Required parameter entity is missing
while parsing call information for method SetEntityPermissions
at line 1, column 171
while parsing SOAP body
at line 1, column 64
while parsing SOAP envelope
at line 1, column 0
while parsing HTTP request for method setEntityPermissions
on object of type vim.AuthorizationManager
at line 1, column 0"
At line:37 char:5
+ $authMgr.SetEntityPermissions($pgMoRef,@($perm))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : VimException
vSwitch2
New-VirtualPortGroup : Cannot validate argument on parameter 'VirtualSwitch'. The argument is null or empty. Provide an argument that is not null or empty, and then
try the command again.
At line:67 char:61
+ ... $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId ...
+ ~~~~
+ CategoryInfo : InvalidData: (:) [New-VirtualPortGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVirtualPortGroup
Get-VirtualPortGroup : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the
command again.
At line:19 char:64
+ ... $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-VirtualPortGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVirtualPortGroup
Exception calling "SetEntityPermissions" with "2" argument(s): "
Required parameter entity is missing
while parsing call information for method SetEntityPermissions
at line 1, column 171
while parsing SOAP body
at line 1, column 64
while parsing SOAP envelope
at line 1, column 0
while parsing HTTP request for method setEntityPermissions
on object of type vim.AuthorizationManager
at line 1, column 0"
At line:37 char:5
+ $authMgr.SetEntityPermissions($pgMoRef,@($perm))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : VimException
vSwitch2
New-VirtualPortGroup : Cannot validate argument on parameter 'VirtualSwitch'. The argument is null or empty. Provide an argument that is not null or empty, and then
try the command again.
At line:67 char:61
+ ... $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId ...
+ ~~~~
+ CategoryInfo : InvalidData: (:) [New-VirtualPortGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVirtualPortGroup
Get-VirtualPortGroup : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the
command again.
At line:19 char:64
+ ... $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-VirtualPortGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVirtualPortGroup
Exception calling "SetEntityPermissions" with "2" argument(s): "
Required parameter entity is missing
while parsing call information for method SetEntityPermissions
at line 1, column 171
while parsing SOAP body
at line 1, column 64
while parsing SOAP envelope
at line 1, column 0
while parsing HTTP request for method setEntityPermissions
on object of type vim.AuthorizationManager
at line 1, column 0"
At line:37 char:5
+ $authMgr.SetEntityPermissions($pgMoRef,@($perm))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : VimException
No, I mean inserting a simple Write-Host to see which ESXi node is causing the error.
Like this:

function New-PGPermission {
    [cmdletbinding()]
    param(
        [string]$VMHost,
        [string]$Portgroup,
        [string]$Principal,
        [string]$Role
    )

    $authMgr = Get-View AuthorizationManager
    # Confirms the standard portgroup exists on this host
    $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup
    $esx = Get-VMHost -Name $VMHost
    # The permission is set on the vCenter Network object behind the portgroup name
    $pgMoRef = (Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $Portgroup}).MoRef

    $perm = New-Object VMware.Vim.Permission
    $perm.Entity = $pgMoRef
    $perm.RoleId = (Get-VIRole -Name $Role).ExtensionData.RoleId
    $perm.Principal = $Principal
    $perm.Group = $false        # set to $true when the principal is a group
    $perm.Propagate = $false
    $authMgr.SetEntityPermissions($pgMoRef,@($perm))
}

$vssName = 'vSwitch0'
$pgName = 'TestPG'
$clusterName = 'cluster'
$principal = 'domain\user'
$roleName = 'Admin'

Get-Cluster -Name $clusterName | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # Debug output: which host is being handled when an error appears
    Write-Host "Handling ESXi node $($_.Name)"
    $vss = Get-VirtualSwitch -Name $vssName -VMHost $esx
    # Clean up old portgroup should it exist (on this host's switch only)
    Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VMHost $esx -ErrorAction SilentlyContinue |
    Remove-VirtualPortGroup -Confirm:$false
    # Create new portgroup
    $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss
    # Assign permission
    New-PGPermission -VMHost $esx.Name -Portgroup $pg.Name -Principal $principal -Role $roleName
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I removed -VLanId 2137 in the line:
# Create new portgroup
$pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId 2137
And did what you said:
ForEach-Object -Process {
Write-Host "Handling ESXi node $($_.Name)"
Then it worked and I got:
Handling ESXi node al-esxi-02.sio.local
Handling ESXi node al-esxi-03.sio.local
Handling ESXi node al-esxi-01.sio.local
Why did you remove the New-VirtualPortGroup line?
Without it, no portgroup will be created.
Try running this after a stop/start of your PowerShell/PowerCLI session.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I didn't remove the whole line, just what I added (-VLanId 2137), to respect the initial script you gave me to run.
So, I disconnected from the VIServer, stopped PowerShell and then reconnected to the VIServer.
I ran the script you sent me with
ForEach-Object -Process {
Write-Host "Handling ESXi node $($_.Name)"
Result:
PS C:\Windows\system32> C:\Users\adminl\Desktop\10032020\NewPGPermission2.ps1
Handling ESXi node al-esxi-02.sio.local
Handling ESXi node al-esxi-03.sio.local
Handling ESXi node al-esxi-01.sio.local
PS C:\Windows\system32>
The PGs have been created on the 3 ESXi without any error message (but still in the general network folder).
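The CSV-driven version of what the thread is after (one VLAN portgroup per row on every host of the cluster, a permission for the owning user, and a check of the result), as an added example that is neither LucD's script nor part of the original thread. It assumes an open Connect-VIServer session; the cluster name, the role name 'StudentNetwork' (a custom role holding only the Network.Assign privilege, so a student can attach a VM to the portgroup but not change the switch), the NetBIOS domain 'SIO' and the two CSV rows are constructed assumptions. Two points the thread's error output motivates: the permission is placed on the vCenter Network object that all hosts share for a given portgroup name, so it is granted once per portgroup rather than once per host, and that object can appear a moment after New-VirtualPortGroup returns, which is what turns into the "Required parameter entity is missing" fault when the MoRef lookup comes back empty; the lookup therefore retries and fails loudly instead of passing $null to SetEntityPermissions.

```powershell
# Added example, not from the thread. Requires a live Connect-VIServer session.

$clusterName = 'cluster'          # assumption
$vssName     = 'vSwitch2'
$roleName    = 'StudentNetwork'   # assumption: custom role, Network.Assign only
$domain      = 'SIO'              # assumption: NetBIOS name of the AD domain

# Constructed sample input; a real run would use Import-Csv -Path users.csv
$csvText = @'
User,Portgroup,VlanId
UFA213,GRETA-LAN-2137,2137
UFA213,GRETA-LAN-2138,2138
'@
$rows = $csvText | ConvertFrom-Csv

# Least privilege: create the role once with the single privilege the user needs
if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id 'Network.Assign') | Out-Null
}

function Get-NetworkView {
    # Returns the datacenter-level Network object for a VSS portgroup name.
    # vCenter keeps one such object per name, shared by every host that defines
    # it, and it can lag behind New-VirtualPortGroup; retry before giving up.
    param([string]$Name, [int]$Retries = 10)
    $pattern = '^' + [regex]::Escape($Name) + '$'
    for ($i = 0; $i -lt $Retries; $i++) {
        $net = Get-View -ViewType Network -Property Name -Filter @{ Name = $pattern }
        if ($net) { return $net }
        Start-Sleep -Seconds 2
    }
    throw "Network '$Name' not visible in the vCenter inventory after $Retries tries"
}

function Grant-NetworkPermission {
    # Non-propagating permission on the Network object. -IsGroup must be set
    # when the principal is an AD group, or vCenter rejects the lookup.
    param(
        [VMware.Vim.Network]$Network,
        [string]$Principal,
        [string]$Role,
        [switch]$IsGroup
    )
    $authMgr = Get-View AuthorizationManager
    $vrole = Get-VIRole -Name $Role -ErrorAction Stop
    $perm = New-Object VMware.Vim.Permission
    $perm.Entity    = $Network.MoRef
    $perm.Principal = $Principal
    $perm.Group     = [bool]$IsGroup
    $perm.RoleId    = $vrole.ExtensionData.RoleId
    $perm.Propagate = $false
    $authMgr.SetEntityPermissions($Network.MoRef, @($perm))
}

$hosts = Get-Cluster -Name $clusterName | Get-VMHost
foreach ($row in $rows) {
    foreach ($esx in $hosts) {
        $vss = Get-VirtualSwitch -VMHost $esx -Name $vssName -ErrorAction Stop
        $existing = Get-VirtualPortGroup -VirtualSwitch $vss -Name $row.Portgroup -ErrorAction SilentlyContinue
        if ($existing) {
            # Idempotent: keep the portgroup (attached VMs stay attached), fix only a wrong VLAN id
            if ($existing.VLanId -ne [int]$row.VlanId) {
                $existing | Set-VirtualPortGroup -VLanId $row.VlanId | Out-Null
            }
        } else {
            New-VirtualPortGroup -VirtualSwitch $vss -Name $row.Portgroup -VLanId $row.VlanId | Out-Null
        }
    }
    # One permission per portgroup name, not per host
    $net = Get-NetworkView -Name $row.Portgroup
    Grant-NetworkPermission -Network $net -Principal "$domain\$($row.User)" -Role $roleName
}

# Audit: list who holds what on each network created from the CSV
foreach ($row in $rows) {
    $net = Get-NetworkView -Name $row.Portgroup
    Get-VIPermission -Entity (Get-VIObjectByVIView -VIView $net) |
        Select-Object @{ n = 'Network'; e = { $row.Portgroup } }, Principal, Role, Propagate
}
```

Running the audit a second time after the script is the check that matters for the "each user sees only its own VLAN" requirement: every network should carry exactly the owning user with the restricted role, and nothing inherited from a propagating permission higher in the tree. A VM in the user's folder still needs its own permission (the thread's per-user VM folder) before the user can actually attach it to the portgroup.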