Host Profiles are a new feature in vSphere 4 but are only available to Enterprise+ licensees. As my company haven’t yet found a need for Enterprise+ features I’d not really worked with them before, so this section was new to me. Interestingly the main reference given in the blueprint is the Datacenter Administration Guide, which has very little about host profiles. The ESX/ESXi configuration guides have a small section on host profiles but not much, so the best reference is probably the VMware Host Profiles – Technical Overview whitepaper.
Skills and Abilities
- Use Profile Editor to edit and/or disable policies
- Create sub-profiles
- Use Host Profiles to deploy vDS
Tools & learning resources
- Product Documentation
- vSphere Datacenter Administration Guide
- VMware vSphere™ 4: Deployment Methods for the VMware® vNetwork Distributed Switch
- VMware vNetwork Distributed Switch migration and configuration
- vSphere Client
- Technical Deep Dive – Host Profiles (VM3433, VMworld ’09)
- VMware Management blog article on host profiles
Host Profiles (VCP revision)
Basically host profiles are the equivalent of Microsoft’s Group Policy, but for VMware hosts.
- Two primary uses
- Ease deployment challenges (faster, more consistent)
- Ongoing configuration control and audit reporting
- Policy options (determining how a configuration setting is applied)
- Use a fixed configuration
- Ask the user how to configure it
- Use an intelligent policy (using one or more criteria)
- Disregard a setting
- Works in a similar fashion to Update Manager;
- Create a baseline from a reference host.
- Attach the host profile to the hosts or clusters you want to configure
- Remediate (configure) the hosts or clusters
- Review compliance status
- Unlike VUM it can’t remediate all the hosts in a cluster automatically (it won’t put them into maintenance mode for you etc). You can attach a profile to the cluster but you have to apply to each host manually (this is largely because the host profile may require user input).
- Can only be used on vSphere hosts (not VI 3.x)
- Must be created using a reference host, or imported from a previously created host profile.
- Can be exported (in VMware Profile Format, *.vcf, which is XML content). Host Profiles are not shared using vCenter Linked Mode, you have to export/import to other vCenter instances.
NOTE: Administrator passwords aren’t exported as a security measure.
- An ESX reference host can be applied to either ESX or ESXi. An ESXi reference host can ONLY be applied to another ESXi host.
- When updating a host using a host profile you have to manually put the host in maintenance mode first. This is a significant issue for some people (although if you’re licenced for host profiles you’ve also got licences for vMotion and DRS so moving VMs off the host is potentially easier). Note that you need to enter maintenance mode even for trivial settings such as setting the time, timezone etc. Any setting which normally requires a reboot (changing service console memory for example) will still need a reboot.
- You must have both host profile privileges (create, delete, edit etc) AND privileges to configure the area in question (Networking, Storage etc) for the operation to be allowed.
REAL WORLD: When building a new ESX/ESXi host it will have a 60 day eval period with all features enabled so even if you don’t have Enterprise+ licencing you can use host profiles for initial configuration.
REAL WORLD: Host profiles can’t manage every configuration option you might want – for example they can’t configure jumbo frame support when using iSCSI, can’t configure iSCSI HBAs (in fact host profiles won’t even notice from a compliance point of view if iSCSI is enabled or not), can’t set VM swapfile location, can’t enable lockdown mode, and can’t configure the load balancing algorithm for Pluggable Storage Path (PSP) among others. Some larger shops skip host profiles for this reason, the logic being that if you have to use scripts at all you might as well script everything and have one place for all your settings. Interesting post on SearchServerVirtualization.
They’re also not that flexible – if you only want to configure storage for example (maybe because a scripted build configures networking) you can’t turn off selected configurations. See this blogpost for details. Host Profiles are not hierarchical like MS Group Policy, so you can’t apply multiple profiles to increase flexibility – it’s one profile per host, and one profile only. Pretty limiting!
Once you’ve exported and reimported a host profile its connection to the original reference host is lost. This means you can’t use the ‘Update profile from reference host’ option to refresh the profile if the source host changes.
You access host profiles under the Management node (using CTRL-SHIFT-P) or from a host’s right mouse button context menu.
NOTE: Host Profiles will appear in the VI client regardless of your licencing level but if you try to create a host profile using a non-licenced host as the reference host you’ll get an error message.
Sub Profiles
Each host profile consists of two parts;
- Configuration settings. These determine the desired configuration of the host, for example ‘connect vmnic0 and vmnic1 to vSwitch0’.
- Compliance checks. These determine how the compliance check is validated, for example are vmnic0 & 1 connected to vSwitch0? If the host only has one pNIC the configuration won’t apply correctly and this check will fail.
The configuration is split into various sub-profiles, each aligned to a functional area. Sub-profiles can also be nested, as in the networking sub-profile.
The main (default) sub-profiles are;
- Memory reservation (service console)
- Network configuration
- Storage configuration
- Date and time
- Firewall
- Security
- Users and user groups – these are NOT captured from the reference host and must be created manually. Likewise while a host profile can add users/groups it will NOT remove extras or alert if extra users are added manually (Technical Overview p19).
- Authentication (new to vSphere 4.1). This can be used when AD integrated authentication is enabled on a host.
You’ll probably need to create extra sub-profiles of your own, based on your infrastructure and what you need host profiles to do. If you wanted to mount four NFS datastores on every host for example you’d have to create an extra three sub-profiles under Storage -> NFS storage configuration. Each sub-profile would hold details for one NFS export (IP, path, read/write etc).
NOTE: Not all options can be ‘ticked’ for compliance checking (or not)
Host Profile policies
Policies allow host profiles to be more flexible (compared to fixed values) by specifying what to do instead of how to do it. A typical use is networking. Rather than specifying just the number of NICs for a vSwitch you may want to be more specific and choose the NICs based on name, PCI namespace, bandwidth etc (this is useful for blade environments in particular). Policies allow you to do this.
Deploying vDistributed switch using host profiles
Another typical use for host profiles is deploying the vDistributed Switch. There are two variations which both (as usual) require you to configure a reference host with a vDS first;
1. Configure a host with a single vSS (it needs network connectivity to join the vDS)
2. Create a vDS using the VI client connected to vCenter, with no hosts attached.
3. Add the host to the vDS, then delete the vSS on the host.
4. Create a host profile and apply to the remaining hosts
5. Reconfigure VMs to use the vDS instead of the vSS
The alternative method is very similar but minimises the ‘per VM’ configuration. At step 3 simply leave the vSS in place and continue to create and apply the host profile. On the vDS use the ‘Migrate virtual machine networking’ option to seamlessly migrate the VMs. Finally remove the vSS from the reference host, recreate the host profile and reapply. Voila!
Full details of this process and more details about the vDS can be found in VMware’s vNetwork Distributed Switch migration and configuration whitepaper.
Host profiles with PowerCLI
What about PowerCLI cmdlets for host profiles? Good example at Damian Karlson’s site, or Hal Rottenberg’s guide to using host profiles with PowerCLI.
Create a baseline;
- Get-VMHostProfile
- New-VMHostProfile
- Import-VMHostProfile
- Export-VMHostProfile
Attach a baseline to a host;
- Apply-VMHostProfile
- Remove-VMHostProfile
- Set-VMHostProfile
Remediate;
- Test-VMHostProfileCompliance
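The create, attach, remediate and review cycle described earlier, written with the cmdlets listed above. This is an added example, not code from the original post or from the sites it links to; the vCenter address, host names and profile name are placeholders.

```powershell
# Added example. Server, host and profile names are placeholders (assumptions).
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

# 1. Create a baseline from the reference host.
$refHost     = Get-VMHost -Name 'esx01.example.local'
$hostProfile = New-VMHostProfile -Name 'Prod-Baseline' -ReferenceHost $refHost `
                   -Description 'Captured from esx01'

# 2. Attach the profile to a target host without changing its configuration.
$target = Get-VMHost -Name 'esx02.example.local'
Apply-VMHostProfile -Entity $target -Profile $hostProfile -AssociateOnly `
    -Confirm:$false | Out-Null

# 3. Review compliance. Nothing is returned when the host matches the profile.
$drift = Test-VMHostProfileCompliance -VMHost $target
if (-not $drift) {
    Write-Host "$($target.Name) is compliant with $($hostProfile.Name)"
}
else {
    # List each setting that has drifted from the baseline.
    $drift | Select-Object -ExpandProperty IncomplianceElementList |
        Format-Table PropertyName, Description -AutoSize

    # 4. Remediate. The host has to be in maintenance mode first, so running
    #    VMs must already be migrated or powered off (DRS can do this).
    Set-VMHost -VMHost $target -State Maintenance -Confirm:$false | Out-Null
    try {
        $result = Apply-VMHostProfile -Entity $target -Profile $hostProfile `
                      -ApplyOnly -Confirm:$false
        if ($result -is [hashtable]) {
            # 'Ask the user' policies: the cmdlet returns the required inputs
            # instead of applying. Fill in the values and run it again with
            # -Variable $result.
            Write-Warning "Profile needs input for: $($result.Keys -join ', ')"
        }
        else {
            # 5. Re-check so the remediation is verified rather than assumed.
            $after = Test-VMHostProfileCompliance -VMHost $target
            if ($after) { Write-Warning "$($target.Name) is still non-compliant" }
        }
    }
    finally {
        # Leave maintenance mode even if the apply step failed.
        Set-VMHost -VMHost $target -State Connected -Confirm:$false | Out-Null
    }
}
```

Later PowerCLI releases rename Apply-VMHostProfile to Invoke-VMHostProfile. Settings that normally need a reboot still need one after the apply step.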
You can view from the host’s summary tab whether it’s in compliance with a profile.