VMware {code} Community
jmacdonagh

Permissions question in VI SDK

Hey all,

A few students and I are working on a senior design project that involves using the VI SDK against either VI Foundation or VI Standard. We are just finishing the requirements spec, and we want to make sure we can do certain things with the SDK (as we'll be building our own custom GUI as opposed to using VMware's tools). For the following tasks, I annotated with a SDK member if I think it'll work. If I'm wrong, please let me know ;-)

So, is it possible to:

  1. Create a copy of a template VM (I'm guessing CloneVM_Task will do this nicely).

  2. Create different folders in the DataStore (CreateFolder)

  3. Create and move VMs across VSwitches. Change VLANs, etc..., hopefully in real-time (UpdateNetworkConfig? How much can I do with this?)

  4. Assign an "Access Console" permission for a certain group and a certain VM (I'm guessing SetEntityPermissions)

  5. Assign a "View Console" permission for a certain group and a certain VM (Maybe SetEntityPermissions?)

Out of all of these, I'm most concerned about #4. We messed with the evaluation version of 3i, but it didn't have the ability (at least in the Virtual Infrastructure Client) to create permissions for individual VMs. I've heard that the more advanced (read: more expensive) versions of VI do have the ability. I just want to make sure that we can do it from the SDK as well. I've heard there is no "Read Only" type of permission (in terms of only being able to view the console, not being able to actually access the VM) in VMware ESX Server, but I was wondering if anyone knew of anything else.

We'll be installing an evaluation version of ESX 3.5 here in a bit, so we'll be able to do some testing, but I thought I might ask for some help before we start.

Thanks!

Johann MacDonagh

Accepted Solutions
ISYS2

Hi Johann,

Sorry for the delay - been busy.

Right - to your questions.

1. This is complicated - normally a template is a unique entity and is used to deploy many VMs. I see that you have a need to replicate your template for lab use whilst protecting the original. You could simply make copies of the file structure to the various labs and add them to the inventory of the lab. I'm not sure how this would work if you only have one Virtual Centre running all the labs. The other way to do it would be to convert the template to a VM, clone and rename the VM as many times as you needed and then convert all the VMs back to templates!

3. a. To isolate the vSwitches between labs you would create each vSwitch with no physical adapters. Effectively you then have a completely stand-alone network. Not sure how clever the viruses are and whether they could find a way through the logical segregation of the switches. I bet VMware would love to know the outcome of your lab work on this one :-)

b. You would have to use VLANs to segregate VMs within the vSwitches (at the Virtual Machine Port Group level) and then firewall rules to allow only certain VLANs access to the internet.

4/5. I WOULD LOVE TO BE PROVED WRONG ON THIS BUT...

the only way I can see that you can retrieve the roles in the Virtual Center is to look up the VPX_ROLE table in the Virtual Centre database and there you will find a mapping of ID to NAME. The ID field can be used as the RoleID in your code and NAME is the name of the role (obviously) such as VirtualMachineUser.

Then you have the information you need to use the following snippet which sets permissions against the Datacenter.

Dim searchIndex As ManagedObjectReference = _sic.searchIndex ' I'm assuming you know all about this bit
Dim DataCenterRef As ManagedObjectReference = _service.FindByInventoryPath(searchIndex, "Name of Datacenter")
Dim AuthMan As ManagedObjectReference = _sic.authorizationManager

Dim p1 As New Permission()
p1.group = True
p1.principal = "<group name>" ' for this bit use DOMAIN\group or localgroup names
p1.propagate = False ' do not propagate to child entities - set to True if you want it to obviously :-)
p1.roleId = <RoleID> ' the number you got from the VPX_ROLE ID field (roleId is an Integer, not a String)

' SetEntityPermissions takes an array of Permission objects - pass the one just built, not an empty New Permission()
_service.SetEntityPermissions(AuthMan, DataCenterRef, New Permission() {p1})

If anyone can shed any light on retrieving the roles via the SDK that would be brilliant.

ISYS

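Since Johann's application is in C#, here is an added example (not ISYS's code and not from the VI SDK samples) that covers the open point about retrieving roles through the SDK: AuthorizationManager has a roleList property, so the role ID can be read via the PropertyCollector instead of the VPX_ROLE table, and then granted to a group on a single VM with propagate set to false. It assumes a logged-in VimService (`service`) and its ServiceContent (`sic`) from the stubs generated off vim.wsdl; the VimApi namespace and the ArrayOfAuthorizationRole wrapper depend on how your stubs were generated.

```csharp
using System;
using VimApi;   // namespace of the VimService stubs generated from vim.wsdl (assumed; match your project)

// Added example: resolve a role by name via AuthorizationManager.roleList (no VPX_ROLE lookup)
// and grant it to a group on exactly one VM, non-propagating. Assumes `service` is a logged-in
// VimService and `sic` the ServiceContent returned by RetrieveServiceContent.
public static class VmPermissions
{
    // Read AuthorizationManager.roleList through the PropertyCollector.
    public static AuthorizationRole[] RetrieveRoles(VimService service, ServiceContent sic)
    {
        PropertySpec pSpec = new PropertySpec();
        pSpec.type = "AuthorizationManager";
        pSpec.pathSet = new string[] { "roleList" };
        ObjectSpec oSpec = new ObjectSpec();
        oSpec.obj = sic.authorizationManager;
        PropertyFilterSpec filter = new PropertyFilterSpec();
        filter.propSet = new PropertySpec[] { pSpec };
        filter.objectSet = new ObjectSpec[] { oSpec };

        ObjectContent[] result = service.RetrieveProperties(
            sic.propertyCollector, new PropertyFilterSpec[] { filter });
        if (result == null || result.Length == 0 || result[0].propSet == null)
            return new AuthorizationRole[0];
        // The generated stubs wrap array-valued properties in ArrayOf* types (assumption for this
        // stub version); if yours return AuthorizationRole[] directly, cast to that instead.
        return ((ArrayOfAuthorizationRole)result[0].propSet[0].val).AuthorizationRole;
    }

    // Grant roleName (e.g. "VirtualMachineUser") to groupName on the VM at vmInventoryPath.
    public static void GrantRoleOnVm(VimService service, ServiceContent sic,
                                     string vmInventoryPath, string groupName, string roleName)
    {
        ManagedObjectReference vmRef = service.FindByInventoryPath(sic.searchIndex, vmInventoryPath);
        if (vmRef == null) throw new ArgumentException("VM not found: " + vmInventoryPath);

        AuthorizationRole role = null;
        foreach (AuthorizationRole r in RetrieveRoles(service, sic))
            if (r.name == roleName) { role = r; break; }
        if (role == null) throw new ArgumentException("Role not found: " + roleName);

        Permission p = new Permission();
        p.entity = vmRef;
        p.principal = groupName;   // DOMAIN\group or a local group on the VirtualCenter server
        p.group = true;
        p.roleId = role.roleId;    // integer role ID, taken from the SDK rather than the database
        p.propagate = false;       // applies to this VM only, not to child entities
        service.SetEntityPermissions(sic.authorizationManager, vmRef, new Permission[] { p });
    }
}
```

Which privileges a role actually carries (console access, power operations, etc.) is what the role definition holds, so matching the role by name against the SDK's role list is what selects the "type" of permission Johann is asking about.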
4 Replies
ISYS2

Good Morning Johann

First of all - good luck with the project :-)

Now to your questions

1. Do you mean you want to copy the template and create a new template? Or do you mean deploy a VM from the template?

2. Yes - CreateFolder is the Method that you need here.

3. UpdateNetworkConfig works at a host level. What you need to do here is to obtain the Managed Object Reference of the network you wish the VM to connect to and use the VirtualMachineConfigSpec devicechange method on the VM - I have attached an example written in VB.net

4. Yes - SetEntityPermissions is the right way to go.

5. See 4 :-)

Hope this helps

ISYS

jmacdonagh

ISYS, thanks for your reply.

1. Well actually, we need to do both. The initial setup of the lab will have a set of template machines (Windows XP, Ubuntu, etc...). When a lab administrator wants to create a lab, they will select these templates. The first thing the application will do is clone the templates he selected into a new set of templates. The lab administrator will modify these new templates, and when they want to run the lab, it will make a clone of each template for each student (it depends on the configuration of that specific lab) and deploy them. That way we always have a snapshot of what the original lab administrator wants.

3. We need to be able to programmatically create vSwitches (I'll have to look into all the technology and terminology) for each lab. We need multiple running concurrent labs, and we don't want network traffic going in between them. Also, is it possible to allow certain vSwitches access to the ESX Server's Internet connection, and disallow for others? That would help for dangerous labs (such as watching a virus propagate).

4 / 5. Do you have a small example you can show me of this? I looked at the documentation and I never saw a way to set what type of permission it is. It seems all I can do is set "a permission" from one user / group to one entity. If I give the group "users" a permission to a VM, does that give them full access? Or is there some way I'm not seeing to select the type of permission (such as read-only, console access, etc...)

Thanks for that code snippet. We're writing the application in C#, so any kind of .NET example works great.

Thanks,

Johann

jmacdonagh

ISYS2,

No problem ;-)

We've been messing around with an evaluation version of ESX and VirtualCenter, and we can do pretty much everything we need using the Virtual Infrastructure Client.

By "separate labs", I meant separate concurrently running sets of VMs (managed by our software). They would be running on the same physical host.

As for the permissions question, it looks like we will have to use VirtualCenter. I'm assuming SetEntityPermissions will do what we need.

Thanks!

Johann
