Shared VMDK profile compliance issue in vSAN cross VC HCIMesh
search cancel

Shared VMDK profile compliance issue in vSAN cross VC HCIMesh

book

Article ID: 312046

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

In Cross vCenter HCIMesh feature, user can mount vSAN datastore from a remote vCenter. If a VMDK is shared between multiple vCenter instances and different profiles are applied to the VMDK, user will encounter a compliance issue.
Such sharing of VMDK use cases is not encouraged, and user should avoid such usage.

Currently, we don't have a guardrail to prevent users from sharing VMDK among vCenter instances. To help users identify if a VM compliance issue is related to unintended VMDK sharing, we provide a python tool XvcAuditVmpolicy.py.

For using this script, there is a readme document, XvcAuditVmpolicy.md. The script and readme are attached to the KB.


Symptoms:
On vSphere UI page, when you check compliance of a virtual machine that has shared VMDK across VMware vCenters, it might show either of them.
 
1. Compliance status shows Out of Date.
     or
2. Pop up error message of "Profile not found."


Environment

VMware vCenter Server 8.0.1
VMware vCenter Server 8.0.x

Cause

SPBM design is vCenter-based, which means storage profiles created in each vCenter are not visible to other vCenter instances. When a VMDK is shared between vCenter instances and the user modifies the storage profile that was applied to the VMDK on one vCenter, the compliance issue will occur on the other vCenter instances.

Resolution

To resolve this issue, follow the below steps:

1. Run script tool XvcAuditVmpolicy.py on vCenter to identify the compliance issue.

For vCenter version 8.0U2 and above:
The tool is packaged in vCenter under path /usr/lib/vmware-vpx/vsan-health/bin/XvcAuditVmpolicy.pyc.

For vCenter 8.0U1 user:
The tool needs to be downloaded from KB attachment. Refer to the example shown below:

root@vc1 [ ~ ]# python XvcAuditVmpolicy.py --vmName vm1

Input username for vc1.vmware.com: [email protected]
Input password for vc1.vmware.com: xxxxxx
Entity vm-29:2000(virtualDiskId) of vm vm1 is outOfDate.
Input username for vc2.vmware.com: [email protected]
Input password for vc2.vmware.com: xxxxxx
The profile with unique Id aaaaaaaa-bbbb-cccc-aaaa-bbbbbbbbbbbb applied on virtual disk vm-29:2000 is named [policy2] on vCenter vc2.vmware.com.


2. Once the compliance issue is identified, detach the shared VMDK from all client vCenter virtual machines.

3. Reapply the proper profile to the issue-related VM, and then the compliance issue should be resolved.


Workaround:

 

For vCenter 8.0U1 user, download the XvcAuditVmpolicy.py from KB attachment then follow the steps in Resolution part.


Attachments

XvcAuditVmpolicy.md get_app
XvcAuditVmpolicy.py get_app
Powered by Wolken Software