VMware Cloud Community
signalpower
Contributor
Contributor
‎04-14-2021 02:16 AM

Skyline health - Host Compliance check lockdown mode

In skyline for a vCSAN cluster I get a warning for "Host compliance check for hyperconverged cluster configuration" after I changed lockdown mode for all the hosts from 'disabled' to 'normal'. The recommendation is to change back to 'disabled'. According to the documantation in kb58896 the solution is to have all hosts in the same mode. Retesting does no help. Changing all back to 'diabled' will clear the warning, but re-enabling lockdown mode gives the same warning again.

Is there some way to define desired lockdown mode for a cluster?

 

VCSA is v 7.0.2 (17694817) and the hosts are 7.0.1 (16850804), installed using HPE image.

Labels (3)
Labels
Tags (3)
0 Kudos
3 Replies
TheBobkin
Champion
Champion
‎04-14-2021 02:40 AM

@signalpower, Any changes made to the hosts (e.g. NTP, lockdown, networking) made outside of initial configuration of Quickstart (e.g. the 'baseline') will result in these showing as non-compliant with that check as their settings don't match the baseline.

 

Unfortunately Quickstart is still very rigid in this respect (and believe me, we have been pushing for improvements of this since the start) and one can't just change to a new 'baseline' without configuring it through Quickstart from scratch with the desired settings.

0 Kudos
signalpower
Contributor
Contributor
‎04-14-2021 03:27 AM

"Starting over" is'nt an option. This, and all other baseline settings, need to be configurable.

With no way to change the baseline I'll just let the warning be and ignore it.

0 Kudos
TheBobkin
Champion
Champion
‎04-21-2021 01:35 PM

@signalpower "Starting over" should never be the only option IMO, this does need to be configurable, I agree with you 100% on this front and have been an advocate for improvement in this area basically since its inception (alongside basically anyone in vSAN GS that has had to explain this predicament to customers).

 

But until those change are implemented, silencing the relevant health checks for this once triggered is the alternative to re-rolling - note that this obviously doesn't have any impact whatsoever on the cluster stability or anything really.

0 Kudos