
VCF 9 – Configuration Drift Management Part 2 – Clusters

Welcome back. In Part 1 we covered Configuration Templates for vCenter Servers; in this post we'll cover configuring drift templates for VCF Clusters.

Before we start, a configuration profile must already exist for the vCenter Server that hosts the cluster – see Part 1 for how to create one.

Cluster configurations are created in vCenter rather than in VCF Operations.

First I'm going to configure a single host to use as the reference, picking some common security settings that organizations might want to apply:

Config.Etc.motd – Set an SSH login message advising that you must be authorized to access the system.
UserVars.ESXiShellInteractiveTimeOut – Set an idle timeout, in seconds, for the interactive ESXi shell (Default 0, meaning no timeout)
Security.AccountLockFailures – Number of failed login attempts before the account is locked (Default 5)

After you have configured your reference host, select the cluster / Configure / Desired State – Configuration. Click Create Configuration and vCenter will run a quick pre-check to ensure that the vCenter Profiles are supported.

We’ll import from our Reference Host (esxi-1.vcf.sddc.lab)

Click Import

Click Next and the config from host 1 will be extracted and compared against the rest of the cluster.

Click Next

An impact summary will be shown; if you are happy with the results, click "Finish and Apply".

Now this is a little strange – I'd made some changes on the reference host but they were not showing here. On further investigation it looks like some settings have a host override configured, which we'll need to remove. In some cases overrides are useful (e.g. we don't want to overwrite the root password on every host, or set their VMkernel (VMK) interfaces to the same IP), but in our example we want the setting applied cluster-wide.

We want to remove the override – click on Draft and we’ll be prompted to re-import the reference host config.

Browse to System / etc_motd and we can see the custom MOTD that I set earlier.

Click on "Host Overrides" and delete the override entries for the other 5 hosts in the cluster.

Repeat for every host.

Now if we run “Check Compliance” we’ll see the config drift alert.

Now we can run the pre-check and apply the config changes.

When we click “Apply Changes” this will start the remediation.

Remediation settings are used for any settings that require host reboots – this looks quite similar to the VMware Update Manager cluster remediation settings.

And lastly, we get a summary we can review before finalizing.

After we click “Remediate” the settings will be applied to all hosts.

All of these hosts should now be compliant.

After some time, we’ll see this info populate into the Operations console.

Now I'll force a drift to occur by changing the MOTD on host esxi-6.vcf.sddc.lab.

We can now see the drift detection in vCenter.

And this status will also flow through to the VCF Operations console.

We also have the option to download a JSON config export from vCenter, which can be used instead of the GUI to edit the settings. It’s probably a more efficient method than using the GUI to remove host overrides from large clusters.
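The two manual steps above, removing the etc_motd host overrides one host at a time and then running "Check Compliance", are exactly the kind of work the JSON export lends itself to on a large cluster. The script below is an added example (not from the original post, and not VMware's code) that does both against a constructed export: it strips the override for one setting path from every host, prunes the empty containers left behind, and then reports per-host drift using the effective desired state (cluster profile plus any remaining host overrides). The JSON layout used here ("profile" for the cluster-wide desired state, "host-override" keyed by host ID) is a simplified stand-in for the real vCenter export, and the host IDs, hostnames and values are constructed; check the keys against your own export before pointing it at real data.

```python
"""Added example, not from the original post or from VMware: work with an
exported cluster configuration JSON to (1) strip per-host overrides for one
setting and (2) report which hosts drift from the desired state.

Assumption: the layout below ("profile" for the cluster-wide desired state,
"host-override" keyed by host ID for per-host exceptions) is a simplified
stand-in for the real vCenter export; host IDs and values are constructed.
"""
import json

# Constructed sample export (layout assumed, see module docstring).
SAMPLE_EXPORT = json.dumps({
    "profile": {
        "esx": {
            "system": {"etc_motd": "Authorized access only. Activity is monitored."},
            "user_vars": {"esxi_shell_interactive_timeout": 900},
            "security": {"account_lock_failures": 5},
        }
    },
    "host-override": {
        # Two hosts still carry their old banner as an override; this is what
        # hides the new MOTD from the compliance check described in the post.
        "host-10": {"esx": {"system": {"etc_motd": "Welcome to esxi-1"}}},
        "host-11": {"esx": {"system": {"etc_motd": "Welcome to esxi-2"}}},
    },
})

# Constructed "actual" state as it might be read back from each host.
MOTD = ("esx", "system", "etc_motd")
TIMEOUT = ("esx", "user_vars", "esxi_shell_interactive_timeout")
LOCKOUT = ("esx", "security", "account_lock_failures")
ACTUAL_STATE = {
    "host-10": {MOTD: "Welcome to esxi-1", TIMEOUT: 900, LOCKOUT: 5},
    "host-11": {MOTD: "Welcome to esxi-2", TIMEOUT: 900, LOCKOUT: 5},
    # host-12 has the new banner but the shell timeout was left at the default.
    "host-12": {MOTD: "Authorized access only. Activity is monitored.",
                TIMEOUT: 0, LOCKOUT: 5},
}


def load_export(text):
    """Parse the exported configuration document."""
    return json.loads(text)


def flatten(tree, prefix=()):
    """Turn a nested dict into {(path, ...): leaf_value}."""
    out = {}
    for key, value in tree.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def remove_host_overrides(doc, path):
    """Delete the override at `path` from every host; return host IDs touched."""
    removed = []
    for host_id, override in list(doc.get("host-override", {}).items()):
        node, parents = override, []
        for key in path[:-1]:
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            parents.append((node, key))
            node = node[key]
        if isinstance(node, dict) and path[-1] in node:
            del node[path[-1]]
            removed.append(host_id)
            # Prune containers left empty so the export stays tidy.
            for parent, key in reversed(parents):
                if not parent[key]:
                    del parent[key]
            if not override:
                del doc["host-override"][host_id]
    return removed


def effective_desired(doc, host_id):
    """Cluster-wide profile with this host's overrides layered on top."""
    desired = flatten(doc["profile"])
    desired.update(flatten(doc.get("host-override", {}).get(host_id, {})))
    return desired


def check_compliance(doc, actual_by_host):
    """Return {host_id: [(path, desired, actual), ...]} for drifted settings."""
    report = {}
    for host_id, actual in actual_by_host.items():
        desired = effective_desired(doc, host_id)
        report[host_id] = [(path, want, actual.get(path))
                           for path, want in sorted(desired.items())
                           if actual.get(path) != want]
    return report


if __name__ == "__main__":
    doc = load_export(SAMPLE_EXPORT)
    print("before:", check_compliance(doc, ACTUAL_STATE))
    print("removed:", remove_host_overrides(doc, MOTD))
    print("after:", check_compliance(doc, ACTUAL_STATE))
    print(json.dumps(doc, indent=2))  # edited document, ready to re-import
```

Run as-is, the first report shows host-10 and host-11 as compliant even though they still carry the old banner, because their override is the desired value for them; only host-12's shell timeout drifts. After the overrides are stripped, the same actual state makes host-10 and host-11 drift on etc_motd, which is the alert the post sees once the overrides are gone. Stripping overrides per setting path rather than wholesale is deliberate: overrides for root passwords or VMkernel IPs are meant to stay host-specific.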
