Reviewing and managing tags and tag association in VMware vCenter Server 6.0

search cancel

Reviewing and managing tags and tag association in VMware vCenter Server 6.0

book

Article ID: 341743

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

The article guides technical support engineers and customers to review the tagging models of vCenter Server and the vCenter Server Appliance.

With vSphere 6.0, vSphere tags are no longer stored in the Inventory Service database table as the source of truth. They are relocated to the vCenter Server's database (VCDB) table CIS_KV_Keystore and the VMware Directory Services (Lotus) Service Provider tagging. After the tag association is created, this information is then pulled into the Inventory Service database for display within the vSphere Web Client.

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x

Cause

What happens to the tag association when a virtual machine (or any other object) is removed from vCenter Server?

A tag association is not stored with its object and is not a part of the object's lifecycle.

When a virtual machine (or any object) is removed from the vCenter Server, the MOID of the object is removed from the vCenter Server database. When the object is re-registered to the vCenter Server, it attains a new MOID as it is considered brand new to the vCenter Server and the VCDB. Because the tag and category are associated based on the MOID of the virtual machine stored in the cis_kv_keyvalue table, this association is broken. The older tag associations are not removed from the cis_kv_keyvalue table. This in turn results in UI displaying that the object no longer has a tag associated and requires that the tag (s) be re-associated through the vSphere Web Client.

What happens to the tag association when the tag or Category is removed from vCenter Server?

When a tag or category is removed from the vCenter Server, the tag and/or category object is removed from the Tagging Service Provider store within Lotus. Unlike removing an object from vCenter Server such as a virtual machine, removing a tag or category causes both the tag association within VCDB as well as the stored tag and category object (s) to be destroyed. This flushes any tag association stored in the cis_kv_keyvalue table and removes the tag and/or category from all Platform Services Controllers. If multiple vCenter Servers are all connected to the same vSphere domain and using the tag and/or category to their infrastructure, their cis_kv_keyvalue table also has the tag associations cleared as well. This in turn, results in the UI displaying that the object no longer exists within the tagging UI and requires that the tag (s) and Category (ies) be re-created and re-associated using the vSphere Web Client.

For more information on applying a tag, creating tags and Categories refer vCenter Server and Host Management Guide.

vCenter Server and Host Management Guide 7.x

vCenter Server and Host Management Guide 8.x

Resolution

Note :- Please take backup and snapshot of the vCenter server before making changes.

vCenter Server Appliance 6.x

To access the Local tagging association data stored in VCDB (Postgres):

Initiate an SSH connection to the vCenter Server Appliance.
Enter the root user name and password when prompted.
Run this command to enable the Bash shell:

shell.set --enable True
Run this command to access the Bash shell:

shell
Run this command to extract the vCenter Server's user account password:

cat /etc/vmware-vpx/vcdb.properties | grep "password =" | awk '{ print $3 }'

You see output similar to:

hostname:~ # cat /etc/vmware-vpx/vcdb.properties | grep "password =" | awk '{ print $3 }'
<password>
Run this command to log in to the Postgres shell:

/opt/vmware/vpostgres/9.3/bin/psql -d VCDB vc
When prompted, provide the password obtained from step 5.

Run this command to obtain a list of the current tag associations on vCenter Server:

select surr_key, kv_key from cis_kv_keyvalue where kv_provider = 'tagging:TagAssociations:default-scope';

You see output similar to:

surr_key	kv_key
10	tag_association urn:vmomi:VirtualMachine:vm-51:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL
11	tag_association urn:vmomi:VirtualMachine:vm-92:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL
12	tag_association urn:vmomi:VirtualMachine:vm-69:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########0106:GLOBAL
13	tag_association urn:vmomi:VirtualMachine:vm-201:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########df80:GLOBAL
14	tag_association urn:vmomi:ClusterComputeResource:domain-c7:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########ad06:GLOBAL
15	tag_association urn:vmomi:HostSystem:host-71:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########5ad9:GLOBAL

Breaking down one of these tag associations:

tag_association urn:vmomi:VirtualMachine:vm-51:########-####-####-####-########13a7 InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL

You can see:

- It is a Virtual Machine
- The virtual machine managed object reference is 51
- It contains the tag: ########-####-####-####-########d2b1

Addressing the table as a whole, you can see:

- There are 4 virtual machines tagged
- There is 1 host tagged
- There is 1 cluster tagged
- Two of those four virtual machines have the tag: ########-####-####-####-########d2b1
- One of those four virtual machines have the tag: ########-####-####-####-########0106 while the other has the tag: ########-####-####-####-########df80
- The Host has the tag: ########-####-####-####-########5ad9
- The Cluster has the tag: ########-####-####-####-########ad06

Run this command to obtain the object name in order to determine its tagging association discussed above:

select id, name from VPX_ENTITY where id = VM_Number;

For example:

select id, name from VPX_ENTITY where id = '51';

You see output similar to:

51 | wCAI
The virtual machine wCAI was tagged with the above tag.

Accessing the tags stored in Lotus (VMware Directory Services):

Initiate an SSH connection to the Platform Services Controller Appliance or the vCenter Server Appliance.
Enter the root user name and password when prompted.
Run this command to enable the Bash shell:

shell.set --enable True
Run this command to access the Bash shell:

shell
Run this command to get a list of the tags and Categories:

If accessing the PSC remotely:

/opt/likewise/bin/ldapsearch -b "cn=Tagging,cn=Services,dc=vsphere,dc=local" -s sub "objectclass=*" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '[email protected] Password' -H ldap://FQDN_of_External_PSC:389 | less

If accessing the PSC locally:

/opt/likewise/bin/ldapsearch -b "cn=Tagging,cn=Services,dc=vsphere,dc=local" -s sub "objectclass=*" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '[email protected] Password' | less

If a customer is using a unique vSphere domain name, run this command to modify the preceding query:

/bin/install-parameter vmdir.domain-name

You see output similar to: unique_domain.local

Plug the colored portioned in appropriately to the query.
You see output similar to:

Note: This is concatenated for easier reading. More entries may be present.

# One Master urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GLO
BAL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services
, vsphere.local
dn: cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingCategoryVersion: 0
vmwTaggingCategoryCardinality: single
vmwTaggingCategoryName: Infrastructure
objectClass: top
objectClass: vmwTaggingCategoryModel
cn: urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GL
OBAL

# urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL,
urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: CA Servers
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL

...

# urn:vmomi:InventoryServiceTag:########-####-####-####-########df80:GLOBAL,
urn:vmomi:InventoryServiceCategory:########-####-####-####-########fc1c:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:########-####-####-####-########df80:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########fc1c
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: TestingTag
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:########-####-####-####-########df80:GLOBAL

Breaking down one of these tagging entries:

# urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL,
urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:########-####-####-####-########ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: CA Servers
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:########-####-####-####-########d2b1:GLOBAL

You can see:

The tag has the identifier: ########-####-####-####-########d2b1

The tag has the name CA Servers

The objectClass is vmwTaggingTagModel indicating it is a tag

The tag has never had a name change indicated by vmwTaggingTagModel 0

The tag belongs to the Category identifier: ########-####-####-####-########ec99(belonging to the Infrastructure Category)

Reviewing the tags using vCenter Inventory Service:

Open a browser and log in to the vCenter Inventory Service Managed Object Browser (MOB) at https://FQDN_of_vCenter_Server/invsvc/mob1
Log in with the [email protected] user and password when prompted
To review the current Categories:

Note: This queries Lotus directly for the information.
1. Click EnumerateInventoryServiceCategories
2. Clear the available information in the Value field
3. Click Invoke Method
4. In the val Row, you'll observe the current Categories that the Inventory Service can access in Lotus
5. Click Managed Object ID (MOID) values in the val Row. On the next page, click Info to verify that the name of the category matches that pulled from Lotus by reviewing the name row.
To review the current tags:

Note: This queries Lotus directly for the information.
1. Click EnumerateInventoryServiceTags.
2. Clear the available information in the Value field.
3. Click Invoke Method.
4. In the val Row, you observe the current Categories that the Inventory Service has an access in Lotus
5. Click Managed Object ID (MOID) in the val Row. On the next page:
  1. Click Info to verify that the name of the tag matches that pulled from Lotus by reviewing the name row.
  2. Click category value to take you to the Category object that the tag belongs to. On the next page, click Info to verify that the name of the category matches that pulled from Lotus by reviewing the name row.
To review the current tags and their associated objects, perform the following and query VCDB directly for the information.
1. Click QueryAttachedInventoryServiceObjects button.
2. In the Value field, provide the Managed Object ID of one of the tags from Parent Step 4. Use this tag as a model:
  
  <tag type="InventoryServiceTag">########-####-####-####-########d2b1</tag>
3. Click Invoke Method.
4. In the val Row, you observe the current virtual machine MOIDs that belong to this tag. Use this example as a model output:
5. Ensure this matches the information pulled from the VCDB in the top section.
  val anyType
  
  urn:vmomi:VirtualMachine:vm-51:########-####-####-####-########13a7
  
  urn:vmomi:VirtualMachine:vm-92:########-####-####-####-########13a7
6. Repeat this operation for any other tags to review their association stored in the Inventory Service database.

Feedback

thumb_up Yes

thumb_down No