Pimp my vCenter Orchestrator Virtual Appliance


If you like the VMware vCenter Orchestrator (vCO) Appliance because it is easy to deploy, configure and use, then you may want to improve it by enabling additional features.

I like the vCO appliance very much, but I recognize it has a few shortcomings:

  • The vCO web start client does not work well on Mac since it does not preserve the client preferences.
  • I am missing local shell control and live logs.
  • I do not like to author my workflows as one of the hundreds of "vcoadmin" users out there. The appliance is missing user management.

Let's address these. Warning: The following is not documented, not supported and may not work in future vCO versions. It is intended for lab / educational usage.

First make sure your appliance is started. Note the appliance IP / hostname and remember the password you set to log in as root from the console.

Installing the vCO client from the appliance

The appliance does not expose all its gems. It hides a collection of vCenter Orchestrator clients for Windows, Linux and MacOS.

If you open a browser and type in

http://appliance/vco-client-install/
you will end up on this page:


You can download and install the client for Windows (exe), Linux (bin) or MacOS (zip).

Make sure you install it on a system that will only need to connect to the vCO server of the appliance and not any other version of vCO (i.e. any Windows-based version). The system it is going to be installed on may not support any upgrade when installing a newer version of vCO.

Remote shell and remote logs

If, like me, you are not a fan of using the VM local console for administration purposes and find the web access too limited, you may want to have a remote shell.

A simple way to enable remote shell is to permit the root login for ssh. To do so on the appliance command line type:

sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config

And then:

service sshd restart

Now you can use your favorite ssh client to connect to the appliance (ssh root@appliance).
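
An added check for the sed edit above (not part of the original post): sed rewrites only a line that reads exactly "PermitRootLogin no", so this confirms the value sshd will actually use before the restart. The function names are made up for this example, and it assumes whitespace-separated keywords and no Match blocks in the file.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the PermitRootLogin value sshd would take from the file in $1.
# sshd keeps the first value it reads for a keyword, matches keywords
# case-insensitively and ignores comment lines. Prints "unset" if the keyword
# is absent. Assumes "Keyword value" syntax and no Match blocks.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Apply the substitution from the post to the file in $1, keeping a backup,
# and succeed only if the effective value is now "yes".
enable_root_login() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak" || return 1
    sed 's/PermitRootLogin no/PermitRootLogin yes/g' "$cfg.bak" > "$cfg" || return 1
    [ "$(effective_root_login "$cfg")" = "yes" ]
}

# On the appliance: edit, syntax-check with sshd's test mode, then restart.
apply_on_appliance() {
    enable_root_login /etc/ssh/sshd_config && sshd -t && service sshd restart
}
```

If enable_root_login fails, the directive was commented out, spelled or spaced differently, or preceded by an earlier occurrence; the untouched original is in the .bak file next to the config.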

There are several interesting things to do on the command line of the vCO server, but one is very important when developing / testing workflows: having a live view of the vCO server log file. To do so type:

tail -f /opt/vmo/app-server/server/vmo/log/server.log

You will see the last lines of the log file. If you try to run a workflow you will see it scrolling live.

Basic user management

The appliance has a simplified configuration using a built-in database and directory service. The directory service has a vcoadmins and a vcousers group, which allow their members to author and run workflows. In each of these groups there is a single member (vcoadmin and vcouser). There are two issues with that. The first one is security: someone may use the vcoadmin user name with the default vcoadmin password. The second one is that if everyone uses the vcoadmin account to create content, they lose the benefit of knowing, or letting others know, who really created the workflows.

For the first issue Jörg Lew wrote a detailed article here. Changing the vCO admin password is nice; adding a new vCO admin would be better. It would be even better if you could do it with a workflow. This is what I did by providing this package. You can find the package in the VMware communities HERE.

Once imported you have a few options to manage your users:


These workflows use SSH to connect remotely. Make sure you enable remote shell.

First run the configuration workflow.


Enter the hostname or IP of the appliance, the user to SSH remotely (default = root), the password (the one you set for the appliance), the LDAP Admin user (default = vcoadmin) and its password (default = vcoadmin).

Make sure you have the credentials to access the vCO web configuration since you will need to change the password there as well.

Run the "change user password" workflow.


Select the vcoadmin (use the filter) and pick a password (do not mistype, since I did not use a password check). Remember it!

Once submitted and successful (if not, you have certainly entered the configuration wrongly in the previous step), you can close the client and open the vCO web configuration (https://appliance:8283).

You will notice some red warnings.


They require you to update the password in this tab:


Apply the change. The LDAP tab should go back to green.

Now the Plug-in tab still has a warning.


Update the password there as well:


Since your vCO server may still be authenticating against LDAP using the previous credentials, you need to restart the service.


Now that your vCO server is secure you can authenticate as vcoadmin / your new password using the client. Now it is time to create a new user for you.

Run the "Create a new user" workflow.


Fill in your username and display name, and pick a password. Submit.

The last step is to run the workflow "Add user to group".


Select your new user and the vcoadmins group. Submit. Now close the client and log back in with your newly created user.


You can now create your workflows using your user.