Reviewing and managing tags and tag association in VMware vCenter Server 6.0

search cancel

Reviewing and managing tags and tag association in VMware vCenter Server 6.0

book

Article ID: 341743

calendar_today

Updated On:

Products

VMware vCenter Server VMware vCenter Server 6.0 VMware vCenter Server 7.0 VMware vCenter Server 8.0

Issue/Introduction

The article is an overview of the tagging models of vCenter Server.

Beginning in vSphere 6.0, vSphere tags are no longer stored in the Inventory Service database table. They are relocated in the vCenter Server's database (VCDB) table CIS_KV_Keystore and the VMware Directory Services (Lotus) Service Provider tagging. After the tag association is created, this information is then pulled into the Inventory Service database for display within the vSphere Web Client.

Cause

What happens to the tag association when a virtual machine (or any other object) is removed from vCenter Server?

A tag association is not stored with its object and is not a part of the object's lifecycle.

When a virtual machine (or any object) is removed from the vCenter Server, the MOID of the object is removed from the vCenter Server database. When the object is re-registered to the vCenter Server, it attains a new MOID as it is considered brand new to the vCenter Server and the VCDB. Because the tag and category are associated based on the MOID of the virtual machine stored in the cis_kv_keyvalue table, this association is broken. The older tag associations are not removed from the cis_kv_keyvalue table. This in turn results in UI displaying that the object no longer has a tag associated and requires that the tag(s) be re-associated through the vSphere Web Client.

What happens to the tag association when the tag or category is removed from vCenter Server?

When a tag or category is removed from the vCenter Server, the tag and/or category object is removed from the Tagging Service Provider store within Lotus. Unlike removing an object from vCenter Server such as a virtual machine, removing a tag or category causes both the tag association within VCDB as well as the stored tag and category object(s) to be destroyed. This flushes any tag association stored in the cis_kv_keyvalue table and removes the tag and/or category from all Platform Services Controllers. If multiple vCenter Servers are all connected to the same vSphere domain and using the tag and/or category to their infrastructure, their cis_kv_keyvalue table also has the tag associations cleared as well. This in turn, results in the UI displaying that the object no longer exists within the tagging UI and requires that the tag and category be re-created and re-associated using the vSphere Web Client.

For more information on applying a tag, creating tags and Categories refer vCenter Server and Host Management Guide.

Resolution

Note: Take a backup and snapshot of the vCenter server before making changes.

vCenter Server Appliance 6.x

To access the local tagging association data stored in VCDB (Postgres):

Initiate an SSH connection to the vCenter Server Appliance.
Enter the root user name and password when prompted.
Enable the Bash shell:

shell.set --enable True
Access the Bash shell:

shell
Extract the vCenter Server's user account password:

cat /etc/vmware-vpx/vcdb.properties | grep "password =" | awk '{ print $3 }'

Example output:

hostname:~ # cat /etc/vmware-vpx/vcdb.properties | grep "password =" | awk '{ print $3 }'
<password>
Log in to the Postgres shell:

/opt/vmware/vpostgres/9.3/bin/psql -d VCDB vc
When prompted, provide the password obtained from step 5.

To obtain a list of the current tag associations on vCenter Server:

select surr_key, kv_key from cis_kv_keyvalue where kv_provider = 'tagging:TagAssociations:default-scope';

Example output:

surr_key	kv_key
`10`	`tag_association urn:vmomi:VirtualMachine:vm-51:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL`
`11`	`tag_association urn:vmomi:VirtualMachine:vm-92:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL`
`12`	`tag_association urn:vmomi:VirtualMachine:vm-69:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########0106:GLOBAL`
`13`	`tag_association urn:vmomi:VirtualMachine:vm-201:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########df80:GLOBAL`
`14`	`tag_association urn:vmomi:ClusterComputeResource:domain-c7:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########ad06:GLOBAL`
`15`	`tag_association urn:vmomi:HostSystem:host-71:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########5ad9:GLOBAL`

Breaking down one of these tag associations:

tag_association urn:vmomi:VirtualMachine:vm-51:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL

The above line can be read as:

Line: It is a virtual machine
The virtual machine managed object reference is 51.
It contains the tag: ########-####-####-####-########d2b1
Table:

The above table can be read as:

4 virtual machines tagged
1 host tagged
1 cluster tagged
2 of the 4 VMs have the tag: ########-####-####-####-########d2b1
1 of the 4 VMs have the tag: ########-####-####-####-########0106 while the other has the tag: ########-####-####-####-########df80
Host has tag: ########-####-####-####-########5ad9
Cluster has tag: ########-####-####-####-########ad06

To obtain the object name in order to determine its tagging association discussed above:

select id, name from VPX_ENTITY where id = VM_Number;

Example:
select id, name from VPX_ENTITY where id = '51';

Example Output:
51 | wCAI

The virtual machine wCAI was tagged with the above tag.

Accessing the tags stored in Lotus (VMware Directory Services):

Initiate an SSH connection to the Platform Services Controller Appliance or the vCenter Server Appliance.
Enter the root user name and password when prompted.
Enable the Bash shell:

shell.set --enable True
Access the Bash shell:

shell
To get a list of the tags and categories:

If accessing the PSC remotely:

/opt/likewise/bin/ldapsearch -b "cn=Tagging,cn=Services,dc=vsphere,dc=local" -s sub "objectclass=*" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '[email protected] Password' -H ldap://FQDN_of_External_PSC:389 | less

If accessing the PSC locally:

/opt/likewise/bin/ldapsearch -b "cn=Tagging,cn=Services,dc=vsphere,dc=local" -s sub "objectclass=*" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '[email protected] Password' | less

If using a unique vSphere domain name, modify the preceding query:

/bin/install-parameter vmdir.domain-name

There is an output similar to: unique_domain.local

Plug the portioned in appropriately to the query.
There is an output similar to:

Note: This is concatenated for easier reading. More entries may be present.

# One Master urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GLO
BAL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services
, vsphere.local
dn: cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingCategoryVersion: 0
vmwTaggingCategoryCardinality: single
vmwTaggingCategoryName: Infrastructure
objectClass: top
objectClass: vmwTaggingCategoryModel
cn: urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GL
OBAL

# urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL,
urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: CA Servers
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL

...

# urn:vmomi:InventoryServiceTag:########-####-####-####-########df80:GLOBAL,
urn:vmomi:InventoryServiceCategory:########-####-####-####-########fc1c:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:########-####-####-####-########df80:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########fc1c
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: TestingTag
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:########-####-####-####-########df80:GLOBAL

Breaking down one of these tagging entries:

# urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL,
urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: CA Servers
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL

The following should be visible:

The tag has the identifier: ########-####-####-####-########d2b1

The tag has the name CA Servers

The objectClass is vmwTaggingTagModel indicating it is a tag

The tag has never had a name change indicated by vmwTaggingTagModel 0

The tag belongs to the Category identifier: ########-####-####-####-########ec99(belonging to the Infrastructure Category)

Reviewing the tags using vCenter Inventory Service:

Open a browser and log in to the vCenter Inventory Service Managed Object Browser (MOB) at https://FQDN_of_vCenter_Server/invsvc/mob1
Log in with the [email protected] user and password when prompted
To review the current categories:

Note: This queries Lotus directly for the information.
1. Click EnumerateInventoryServiceCategories
2. Clear the available information in the Value field
3. Click Invoke Method
4. In the val Row, observe the current Categories that the Inventory Service can access in Lotus
5. Click Managed Object ID (MOID) values in the val Row. On the next page, click Info to verify that the name of the category matches that pulled from Lotus by reviewing the name row.
To review the current tags:

Note: This queries Lotus directly for the information.
1. Click EnumerateInventoryServiceTags.
2. Clear the available information in the Value field.
3. Click Invoke Method.
4. In the val Row, observe the current Categories that the Inventory Service has an access in Lotus
5. Click Managed Object ID (MOID) in the val Row. On the next page:
  1. Click Info to verify that the name of the tag matches that pulled from Lotus by reviewing the name row.
  2. Click category value to guide to the Category object that the tag belongs to. On the next page, click Info to verify that the name of the category matches that pulled from Lotus by reviewing the name row.
To review the current tags and their associated objects, perform the following and query VCDB directly for the information.
1. Click QueryAttachedInventoryServiceObjects button.
2. In the Value field, provide the Managed Object ID of one of the tags from Parent Step 4. Use this tag as a model:
  
  <tag type="InventoryServiceTag">########-####-####-####-########d2b1</tag>
3. Click Invoke Method.
4. In the val Row, observe the current virtual machine MOIDs that belong to this tag. Use this example as a model output:
5. Ensure this matches the information pulled from the VCDB in the top section.
  val anyType
  
  urn:vmomi:VirtualMachine:vm-51:########-####-####-####-########13a7
  
  urn:vmomi:VirtualMachine:vm-92:########-####-####-####-########13a7
6. Repeat this operation for any other tags to review their association stored in the Inventory Service database.

Feedback

thumb_up Yes

thumb_down No