Configuration Management using vSphere Configuration Profiles
Date: 14/01/2023 Categories: VMware

With vSphere 7.0, VMware launched a feature called vSphere Lifecycle Manager Images (vLCM), which uses a declarative model to holistically define the desired state of the ESXi host image, including the target ESXi version, firmware and drivers. This feature enables all ESXi hosts to adhere to the desired state by enforcing consistency across the cluster. When a host drifts from the desired state, it is remediated to bring it back into compliance with the desired state.

With vSphere Configuration Profiles, we are extending the declarative model to managing ESXi host configurations.

Requirements for vSphere Configuration Profiles

vSphere Configuration Profiles requires the following:

  • Cluster lifecycle must be managed with vSphere Lifecycle Manager Images (vLCM).
  • All hosts in the cluster must be on version ESXi 8.0 or newer.
  • Cluster hosts must be licensed with an Enterprise Plus license.

Limitations in vSphere 8.0: In vSphere 8.0, vSphere Configuration Profiles is being launched as a supported Technology Preview feature. The reason is that there is no support yet for managing vSphere Distributed Switch (VDS) configurations. Enablement of vSphere Configuration Profiles on clusters that have NSX and VDS will be blocked. Therefore, during the Technology Preview phase, the use of this feature is limited to customers that use vSphere Standard Switch (VSS).

About vSphere Configuration Profiles

Managing ESXi configurations across hundreds of hosts is a challenge. For example, if an admin accidentally reduces the required password complexity on a host, that host becomes a security target. It is desirable to manage the configurations of all hosts so that they comply with the company’s desired host configuration.

vSphere Configuration Profiles is a new capability in vSphere 8.0 that allows administrators to manage the host configuration at a cluster level. This capability allows administrators to:

  • Set the desired configuration at the cluster in the form of a JSON document.
  • Check that hosts are compliant with the desired configuration.
  • If non-compliant, remediate hosts to bring them into compliance.

The configuration document is a JSON document backed by a schema, which makes it easily editable using any JSON editor tool. It is human-readable and is not unwieldy, since it only captures the changes to the default configuration. Customers can either create the JSON document from scratch or simply extract the configuration from a reference host. An example of a configuration document is below:

[Image: example configuration document]

The profile section of the document contains configuration applicable to all hosts in the cluster.

The Host-specific section contains configurations that need to be specified per host. For example, the host name needs to be specified per host.

The Host-override section is used to override the cluster configuration for specified hosts. For example, the cluster configuration may require that the firewall be enabled while certain hosts need to have the firewall disabled.

Note: BIOS-UUID is used as the host identifier for the host-override and host-specific sections.

Once the configuration document is finalized, vSphere Configuration Profiles can enforce compliance with this specification for all hosts in the cluster. The same document can also be used across multiple clusters.
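
To make the three sections concrete, the following added example (not from the original article or from VMware) computes each host's effective desired configuration and reports drift, such as a hand-weakened password setting. The top-level section names follow the article; the setting names, BIOS-UUID values, host data and the merge precedence (profile, then host-override, then host-specific) are assumptions made for illustration.

```python
import copy

# Constructed document. Section names follow the article; the setting names
# inside each section are simplified placeholders, not VMware's schema.
DESIRED = {
    "profile": {"security": {"password_min_length": 15},
                "firewall": {"enabled": True}},
    "host-specific": {"uuid-host-a": {"network": {"hostname": "esx-a.test"}},
                      "uuid-host-b": {"network": {"hostname": "esx-b.test"}}},
    "host-override": {"uuid-host-b": {"firewall": {"enabled": False}}},
}
# Constructed per-host state, keyed by placeholder BIOS-UUID values.
REPORTED = {
    "uuid-host-a": {"security": {"password_min_length": 8},  # weakened by hand
                    "firewall": {"enabled": True}, "network": {"hostname": "esx-a.test"}},
    "uuid-host-b": {"security": {"password_min_length": 15},  # firewall off via override
                    "firewall": {"enabled": False}, "network": {"hostname": "esx-b.test"}},
}

def deep_merge(base, overlay):
    """Return a copy of base with overlay applied: dicts merge, leaves replace."""
    out = copy.deepcopy(base)
    for key, value in overlay.items():
        nested = isinstance(value, dict) and isinstance(out.get(key), dict)
        out[key] = deep_merge(out[key], value) if nested else copy.deepcopy(value)
    return out

def effective_config(doc, bios_uuid):
    """Assumed precedence: profile, then host-override, then host-specific."""
    cfg = deep_merge(doc.get("profile", {}), doc.get("host-override", {}).get(bios_uuid, {}))
    return deep_merge(cfg, doc.get("host-specific", {}).get(bios_uuid, {}))

def drift(desired, actual, path=""):
    """Return (setting, desired, actual) for each desired leaf the host lacks or changed."""
    findings = []
    for key, want in desired.items():
        here = f"{path}.{key}" if path else key
        have = actual.get(key) if isinstance(actual, dict) else None
        if isinstance(want, dict):
            findings += drift(want, have, here)
        elif have != want:
            findings.append((here, want, have))
    return findings

def check_cluster(doc, reported):
    """Map each BIOS-UUID to its drift list; an empty list means compliant."""
    return {u: drift(effective_config(doc, u), cfg) for u, cfg in reported.items()}

print(check_cluster(DESIRED, REPORTED))
```

Only settings present in the document are compared, which mirrors the article's point that the document captures changes to the default configuration.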

Using vSphere Configuration Profiles

The following is the general process for enabling and using vSphere Configuration Profiles to manage cluster configuration.

Let’s consider a specific scenario where a user wants to create a new cluster whose lifecycle is managed with Images (vLCM) and whose configuration is managed with vSphere Configuration Profiles (VCP).

Create a New Cluster

Create a new cluster inside a datacenter or folder.


Activate Cluster Level Lifecycle Options

In the new cluster wizard, select “Manage all hosts in the cluster with a single image” and “Manage configuration at a cluster level”.


Note: You must activate single image management to be able to activate cluster level configuration.

Select the ESXi version

vSphere Configuration Profiles is only supported on ESXi hosts with version 8.0 or later. Select an ESXi version with an 8.0 build. Optionally, select any Vendor Addon you may require.

Finish the new cluster wizard as desired. Now we have a cluster whose lifecycle is managed with Images (vLCM) and whose configuration is managed with vSphere Configuration Profiles (VCP). However, the newly created cluster simply uses the default configurations. We have not yet specified a desired cluster configuration.

Navigate to the Cluster Desired State Settings

Select the newly created cluster and select Configure > Desired State > Configuration > Settings.

The desired configuration can be set either by using a reference host approach or using an existing JSON document. The next steps outline how to use a reference host to specify the cluster configuration.

Generate Desired Configuration from a Reference Host

Generate the desired configuration document from a reference host:

Add a host to the cluster and configure the reference host using any existing configuration APIs, CLIs or UI workflows.

Go to Cluster > Configure > Desired State > Configuration > Settings > … > “Extract from Reference host”

Select the reference host in the cluster.
Finish the workflow by downloading the extracted configuration document in JSON format. This document will contain all configurations done on that reference ESXi host.

Setting the Desired Configuration

Set the desired configuration for the cluster:

Use the document extracted from the reference host or an existing document. Go to Cluster > Configure > Desired State > Configuration > Settings > Import.

Finish the workflow. Once the document is successfully validated, it will be imported into the cluster and the desired configuration of the cluster is set.
Now that the desired configuration is set, vSphere Configuration Profiles can monitor compliance with this specification and allow users to remediate drift.