VMware Cloud Community
LittleNickey
Enthusiast

vCenter 8u1 Configuration Desired State - how to configure override

Not sure if I put this under the correct topic, but I'm currently installing some new ESXi hosts and putting them in a new cluster. I wanted to make use of the new Desired State feature (Configuration Profiles) to simplify configuration and keep it from drifting.

Since this is a new feature, I'm having a bit of trouble finding where in the docs to read up on it, but I found this great article which has gotten me on the right path.

However, after setting it up I can see configuration drift for the ESXi hosts (which weren't the baseline) where it wants to update the password hash for the other ESXi hosts as well. This seems strange to me, since the hash always will be different for the different hosts. Should I configure Override for the password hash setting (/profile/esx/authentication/user_accounts/0/password_hash)? If so, how is this done?

I've seen that in 8u2 you can create a draft configuration and add overrides via the GUI, but currently we are running vCenter 8u1 so those options aren't available.

I've found the below "template" for use with the JSON file, but I'm unsure what values to change:

 

"host-override": {
        "type": "object",
        "title": "Host-Override Configuration",
        "properties": {
        },
        "description": "Container for configurations that override the profile for a given host as indexed by the host's BIOS UUID",
        "patternProperties": {
            "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$": {
                "$ref": "#/properties/profile"
            }
        }
    }

 

 
Should "type" be "esx" and "$ref" be "/profile/esx/authentication/user_accounts/0/password_hash"? Do I need to change "Title" and "Description" so that another admin would better understand the exception? And how do I add more override properties? Would the below example be correct syntax?

 

"host-override": {
        "type": "esx",
        "title": "ESXi99 Host-Override Configuration",
        "properties": {
        },
        "description": "Container for configurations that override the profile for a given host as indexed by the host's BIOS UUID",
        "patternProperties": {
            "11111111-2222-3333-4444-555555555555": {
                "$ref": "#/properties/profile/esx/authentication/user_accounts/0/password_hash"
            },
            "11111111-2222-3333-4444-555555555555": {
                "$ref": "#/properties/profile/same_host/Some_other_property"
            }
        }
    }

 

 
Thankful for help in understanding this new (potentially) awesome feature!
-- Oskar

Accepted Solutions
MayurBhosle
VMware Employee

 

Here is the documentation which explains the different sections of the document.

https://core.vmware.com/resource/configuration-management-using-vsphere-configuration-profiles#secti...

The host-override section is used to override configuration for a specific host in the cluster. The new configuration document has the following structure:

- profile/component/group/key
- host-override/BIOS-UUID/component/group/key

In your example, component is esx, group is authentication and key is user_accounts. Here are the rules with host-override:

- Override can only happen at the key-level, which means you must override the entire user_accounts object.

- Overrides are complete. The overridden object must contain all the required properties of that configuration. Also, the overridden host will only get user_accounts defined in the host-override section.

 

With 8.0U2, the draft workflows help in creating this overridden configuration.

In 8.0 U1, the original document extracted from a reference host will look like this.

{
    "profile": {
        "esx": {
            "authentication": {
                "user_accounts": [
                    {
                        "name": "root",
                        "description": "Administrator",
                        "password_hash": "$6$heHTknEe$O6uO35HLWYLiYZv7cDzwSvPwbcEN3HkeKNV4Ufxbzle5O2IFJ.UhnQTVgQKv2bTf1/FOCN.jMkBLLuiDqEQAb0"
                    }
                ]
            }
        }
    }
}

You will get compliance errors because the password_hash is different for each host. You will have to copy the entire esx/authentication/user_accounts section from the profile section and add it to the host-override section for each host with a bios-uuid.

"host-override": {
    "uuid-1": {
        "esx": {
            "authentication": {
                "user_accounts": [
                    {
                        "name": "root",
                        "description": "Administrator",
                        "password_hash": "$6$heHTknEe$O6uO35HLWYLiYZv7cDzwSvPwbcEN3HkeKNV4Ufxbzle5O2IFJ.UhnQTVgQKv2bTf1/FOCN.jMkBLLuiDqEQAb0"    <---- Update the value to the one specified in compliance result.
                    }
                ]
            }
        }
    }
}

Once that section is created, you will have to update the password_hash field in the host-override section for each host with the host-value specified in the compliance result.
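
The procedure from the accepted answer, as an added example that is not part of the original post or VMware's own tooling: it copies the whole user_accounts key from the profile section into a host-override entry per BIOS UUID and swaps in each host's hash. The document layout and the UUID pattern come from the thread; the function name, the host_hashes mapping and all UUID and hash values are assumptions constructed for illustration.

```python
import copy
import json
import re

# BIOS-UUID key pattern, taken from the "host-override" schema quoted in the question.
UUID_KEY = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def add_user_account_overrides(document, host_hashes):
    """Return a copy of `document` with a complete user_accounts override per host.

    host_hashes (hypothetical input) maps BIOS UUID -> {account name: password_hash},
    where each hash is the host value reported in that host's compliance result.
    """
    doc = copy.deepcopy(document)
    baseline = doc["profile"]["esx"]["authentication"]["user_accounts"]
    overrides = doc.setdefault("host-override", {})

    for uuid, hashes in host_hashes.items():
        if not UUID_KEY.match(uuid):
            raise ValueError(f"not a BIOS UUID: {uuid!r}")
        # Overrides are complete: a host only gets the accounts listed in its
        # override, so every baseline account needs a host value.
        missing = [a["name"] for a in baseline if a["name"] not in hashes]
        if missing:
            raise ValueError(f"{uuid}: no host hash for account(s) {missing}")
        # Key-level override: copy the whole user_accounts list, then swap hashes.
        accounts = copy.deepcopy(baseline)
        for account in accounts:
            account["password_hash"] = hashes[account["name"]]
        esx = overrides.setdefault(uuid, {}).setdefault("esx", {})
        esx.setdefault("authentication", {})["user_accounts"] = accounts
    return doc


# Constructed sample input: placeholder hashes and UUIDs, not real values.
DOCUMENT = {"profile": {"esx": {"authentication": {"user_accounts": [
    {"name": "root", "description": "Administrator",
     "password_hash": "$6$CONSTRUCTED$reference-host-hash"}]}}}}
HOST_HASHES = {
    "11111111-2222-3333-4444-555555555555": {"root": "$6$CONSTRUCTED$host-a-hash"},
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {"root": "$6$CONSTRUCTED$host-b-hash"},
}

if __name__ == "__main__":
    print(json.dumps(add_user_account_overrides(DOCUMENT, HOST_HASHES), indent=4))
```

The output document contains credential hashes for every host, so it should be stored and shared with the same care as the hosts' shadow files.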


2 Replies
LittleNickey
Enthusiast

Thank you, much appreciated! Thanks for sharing the explanation of the structure and its rules for the override.

(You are missing a { after "esx", but I caught it in vscode).

I also tried adding the "authentication" to host-specific section, but strangely enough it gave an error saying it should be of the cluster (profile) section. I mean, right now during lab/setup it's the same password for the hosts but they still have a unique hash, so they reasonably should never keep the same hash?

Adding it as an override works though.

-- Oskar