Now that we’ve got all the system-wide roles (System / Infrastructure & Fabric Admin) fully configured and each user has done their configuration tasks, next in the to-do-list is the configuration items to be performed by the Tenant Administrator. We wont be looking at everything a Tenant Admin can do here, but only focus on key items relating to blueprints.
First of all, lets briefly look at the Tenant Administrator role (note that the System Administrator assigned the Tenant Administrator role during a previous stage mentioned here)
Tenant Administrator is a key user that is typically a business manager or an IT administrator who is responsible for a tenant who configure vRA according to the needs of the company. He / She is responsible for the followings primarily,
- Manages and configures the tenant
- Manages the users and groups (within the tenant)
- Manages catalog services
- Creates approval policies & entitlements
- Manage tenant brandings
- Manage business groups within the tenant
- Tracking resource usage by all tenant users
- Create & manage global (shared) blueprints
Key Tenant Admin tasks
- Tenant Configuration Tasks
- Configure Identity Stores – This should have already been done at an earlier stage by the System Admin
- Configure custom groups
- Configure Identity store users such as business group admins, business group users and support users and configure additional privileges to these users (Administration->Users&Groups->Identity Store Users & Groups)
- Configure Tenant branding if this is required (Administration->Branding)
- Configure notification providers such as email servers to be used within the Tenant for the approval notifications via Administration->Notification->Email servers (I’m not doing this here)
- Create Business groups (We’ve already created a business group earlier as Tenant Admin user)
- Create & Publish IaaS blueprints
- Create an IaaS blueprint
- Notes:
- We’ll create a simple VM provisioning blueprint here using a CentOS 6.6 template & a customization specification (both need to have been pre-created and be registered in the compute / production cluster vCenter server)
- We will be using a basic cloning as the provisioning method (linked cloning and NetApp FlexClone options are also available)
- Go to Infrastructure->Blueprints and use new blueprint button to create a new virtual vSphere blueprint and fill out the basic Blueprint information
- Go to the build information tab and select the appropriate options (as below)
- You can use custom properties to achieve various functions. A full list of available all custom properties are available here and a list of specific custom properties applicable for a cloning blueprint (similar to what we are creating here) are available here.
- Some key, useful custom properties are as follows
- Snapshot.Policy.Limit = <Depth of Snapshot limit. Default is 1, max is 31>
- Snapshot.Policy.AgeLimit = <Snapshot age limit in days. Default is no limit>
- VirtualMachine.Admin.ThinProvision = True/False (Applicable for VMware & Hyper-V using local or iSCSI storage)
- VMware.VirtualCenter.Folder = <Folder to place the VMs within vCenter>
- VirtualMachine.Admin.Owner=
- VirtualMachine.Admin.AddOwnerToAdmins=True
- VirtualMachine.Admin.AllowLogin=True
- VirtualMachine.Network0.Address=<IP address for Network 0>
- VirtualMachine.NetworkN.MacAddressType=generated/static
- VirtualMachine.NetworkN.MacAddress=<MAC Address>
- VirtualMachine.NetworkN.Name=<VMNetworkName>
- Machine.SSH=True
- We will cover the Build profiles and custom properties section separately
- Select the Actions that would be made available within the Blueprint definition (so they’d be available as entitlement actions to assigned users)
- Now we have the first basic blueprint definition created successfully.
- Notes:
- Publish the IaaS blueprint
- Create a service
- In order for a published blueprint to be made available on a catalog to the users, a service need to be created and the blueprint must be associated with that service
- Go to Administration->Catalog management -> Services and add a new service, populate the information required and add.
- Associate the blueprint with the service by selecting the service created and click on “manage catalog items”
- Add a catalog item and select the previously created blueprint
- You can create approval policies if required next(Administration->Approval Policies). I’m opting to not create approval policies and instead opt for no approvals.
- Create Entitlements
- Once a blueprint is created, and has been associated within a service, it (the service) need to be given entitlements. In other words, the service needs to be mapped to a user / group to be given access so that they can request a VM to be provisioned from this service / blueprint.
- Go to Administration->Catalog management->Entitlements and add a new entitlement. Provide a name for the entitlement (note: To avoid confusion, if the relationship between a blueprint:service:entilement is a 1:1:1, I keep the name identical for all 3 to keep thins simple and related) and select the AD groups / users that this blueprint / service is made available for within the online catalog. Click next
- Add the entitled services (created above), Catalog item (blueprint created above) and the appropriate entitled actions.
- Once added, the entitlements are complete
- Create an IaaS blueprint
- User request through the catalog
- All tasks required to make the blueprint listed on an IaaS catalog are now complete and the entitled users can now request a machine provisioning based on this blueprint through the portal
- Login to the vRA portal (URL “https://<FQDN of the vRA Appliance>/shell-ui-app” if using the default tenant) using the appropriate business group user (bg-user in our example based on the entitlements we set above) and you’ll see the CentOS 6.6 server is now available in the users catalog.
- Request a VM to be provisioned off of this catalog item.
- All submitted requests can be tracked within the requests tab.
- You can see the cloning task initiated by the vRA service account within vSphere client / web client. Note that there may be a slight delay before this is executed on the vCenter after being submitted via vRA. Note that the default custom properties set for the business group (explained in the previous post of this series) dictated where the VM is created within the vCenter folder hierarchy & the name of the VM is automatically based on the default machine prefix attached to the business group (also created earlier)
- Once successfully created, the item will appear under the “Items” tab within the vRA IaaS portal for the user to access based on the entitled actions previously defined.
That’s basically it. This effectively now concludes the basic deployment tasks I’ve intended to cover as the typical deployment & configuration tasks you’d have to do in the field to deploy vRA 6.2.1 along with vRO 6.0.1 and NSX 6.1.x all fully integrated for extensibility. Hopefully this series of posts gave you a summarized view of all the initial tasks that you’d need to do, in the exact order they need to be done, including any undocumented little quarks I’ve come across that potentially could have cost you some troubleshooting time in the field. Hope this was of use to some. I know I will refer back to this in the future for my own benefit.
I would appreciate any feedback
Cheers
Chan
P.S. While this post concludes the series of posts formally, I will continue to provide additional vRA articles for further extensibility where we will look at more extensibility options to leverage vCO workflows during the provisioning stage to achieve various results and creating custom actions, advanced service blueprints, using vRA for publishing non IaaS functions such as AD password resets…etc. However they are not really mandatory for a typical vRA deployment and would only be required depending on the end user’s needs.
Next: (Optional Fix) Missing Catalog / Entitlement Actions on vRA 6.2.x –>
Hello, great material, I really liked, but I just did not understand very well the fabric admin role, in some materials I can see that one fabric admin can assign reservation to any tenant, but I wonder how because a fabric admin work within its tenant, and should just perform activities that impact its own tenant, no?