Reviewing and managing tags and tag association in VMware vCenter Server 6.0
Article ID: 341743
Updated On:
Products
VMware vCenter Server
Issue/Introduction
The article guides technical support engineers and customers to review the tagging models of vCenter Server and the vCenter Server Appliance.
With vSphere 6.0, vSphere tags are no longer stored in the Inventory Service database table as the source of truth. They are relocated to the vCenter Server's database (VCDB) table CIS_KV_Keystore and the VMware Directory Services (Lotus) Service Provider tagging. After the tag association is created, this information is then pulled into the Inventory Service database for display within the vSphere Web Client.
Environment
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.0.x
Cause
What happens to the tag association when a virtual machine (or any other object) is removed from vCenter Server?
A tag association is not stored with its object and is not a part of the object's lifecycle.
When a virtual machine (or any object) is removed from the vCenter Server, the MOID of the object is removed from the vCenter Server database. When the object is re-registered to the vCenter Server, it attains a new MOID as it is considered brand new to the vCenter Server and the VCDB. Because the tag and category are associated based on the MOID of the virtual machine stored in the cis_kv_keyvalue table, this association is broken. The older tag associations are not removed from the cis_kv_keyvalue table. This in turn results in UI displaying that the object no longer has a tag associated and requires that the tag (s) be re-associated through the vSphere Web Client.
For more information on applying a tag, see the Apply a tag to an Object section in the vCenter Server and Host Management guide.
What happens to the tag association when the tag or Category is removed from vCenter Server?
When a tag or category is removed from the vCenter Server, the tag and/or category object is removed from the Tagging Service Provider store within Lotus. Unlike removing an object from vCenter Server such as a virtual machine, removing a tag or category causes both the tag association within VCDB as well as the stored tag and category object (s) to be destroyed. This flushes any tag association stored in the cis_kv_keyvalue table and removes the tag and/or category from all Platform Services Controllers. If multiple vCenter Servers are all connected to the same vSphere domain and using the tag and/or category to their infrastructure, their cis_kv_keyvalue table also has the tag associations cleared as well. This in turn, results in the UI displaying that the object no longer exists within the tagging UI and requires that the tag (s) and Category (ies) be re-created and re-associated using the vSphere Web Client.
For more information on creating tags and Categories, see the tagging Objects section in the vCenter Server and Host Management guide.
Resolution
Note :- Please take backup and snapshot of the vCenter server before making changes.
vCenter Server Appliance 6.x
To access the Local tagging association data stored in VCDB (Postgres):
- Initiate an SSH connection to the vCenter Server Appliance.
- Enter the root user name and password when prompted.
- Run this command to enable the Bash shell:
shell.set --enable True
- Run this command to access the Bash shell:
shell
- Run this command to extract the vCenter Server's user account password:
cat /etc/vmware-vpx/vcdb.properties | grep "password =" | awk '{ print $3 }'
You see output similar to:
vcsa1:~ # cat /etc/vmware-vpx/vcdb.properties | grep "password =" | awk '{ print $3 }'
T7xWjE@OMVZtov!6
- Run this command to log in to the Postgres shell:
/opt/vmware/vpostgres/9.3/bin/psql -d VCDB vc
- When prompted, provide the password obtained from step 5.
- Run this command to obtain a list of the current tag associations on vCenter Server:
select surr_key, kv_key from cis_kv_keyvalue where kv_provider = 'tagging:TagAssociations:default-scope';
You see output similar to:
surr_key kv_key 10 tag_association urn:vmomi:VirtualMachine:vm-51:e29107d1-565d-436e-a0ed-6ecf1eb613a7 InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOBAL 11 tag_association urn:vmomi:VirtualMachine:vm-92:e29107d1-565d-436e-a0ed-6ecf1eb613a7 InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOBAL 12 tag_association urn:vmomi:VirtualMachine:vm-69:e29107d1-565d-436e-a0ed-6ecf1eb613a7 InventoryServiceTag:ccf36d15-8955-4c4c-89e1-3a9df7130106:GLOBAL 13 tag_association urn:vmomi:VirtualMachine:vm-201:e29107d1-565d-436e-a0ed-6ecf1eb613a7 InventoryServiceTag:aaf8f80d-3d56-42fe-ac58-ab1ed36edf80:GLOBAL 14 tag_association urn:vmomi:ClusterComputeResource:domain-c7:e29107d1-565d-436e-a0ed-6ecf1eb613a7 InventoryServiceTag:9a28a960-d4e4-4f57-ac7d-4b8fa12ead06:GLOBAL 15 tag_association urn:vmomi:HostSystem:host-71:e29107d1-565d-436e-a0ed-6ecf1eb613a7 InventoryServiceTag:1a337ca5-e4b5-4064-9dbf-6f94960b5ad9:GLOBAL
Breaking down one of these tag associations:
tag_association urn:vmomi:VirtualMachine:vm-51:e29107d1-565d-436e-a0ed-6ecf1eb613a7 InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOBAL
You can see:
-
- It is a Virtual Machine
- The virtual machine managed object reference is 51
- It contains the tag: a06031dd-d671-4555-a780-671252dcd2b1
Addressing the table as a whole, you can see:
-
- There are 4 virtual machines tagged
- There is 1 host tagged
- There is 1 cluster tagged
- Two of those four virtual machines have the tag: a06031dd-d671-4555-a780-671252dcd2b1
- One of those four virtual machines have the tag: ccf36d15-8955-4c4c-89e1-3a9df7130106 while the other has the tag: aaf8f80d-3d56-42fe-ac58-ab1ed36edf80
- The Host has the tag: 1a337ca5-e4b5-4064-9dbf-6f94960b5ad9
- The Cluster has the tag: 9a28a960-d4e4-4f57-ac7d-4b8fa12ead06
- Run this command to obtain the object name in order to determine its tagging association discussed above:
select id, name from VPX_ENTITY where id = VM_Number;
For example:
select id, name from VPX_ENTITY where id = '51';
You see output similar to:
51 | wCAI
- The virtual machine wCAI was tagged with the above tag.
Accessing the tags stored in Lotus (VMware Directory Services):
- Initiate an SSH connection to the Platform Services Controller Appliance or the vCenter Server Appliance.
- Enter the root user name and password when prompted.
- Run this command to enable the Bash shell:
shell.set --enable True
- Run this command to access the Bash shell:
shell
- Run this command to get a list of the tags and Categories:
If accessing the PSC remotely:
/opt/likewise/bin/ldapsearch -b "cn=Tagging,cn=Services,dc=vsphere,dc=local" -s sub "objectclass=*" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '[email protected] Password' -H ldap://FQDN_of_External_PSC:389 | less
If accessing the PSC locally:
/opt/likewise/bin/ldapsearch -b "cn=Tagging,cn=Services,dc=vsphere,dc=local" -s sub "objectclass=*" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '[email protected] Password' | less
If a customer is using a unique vSphere domain name, run this command to modify the preceding query:
/bin/install-parameter vmdir.domain-name
You see output similar to: unique_domain.local
Plug the colored portioned in appropriately to the query.
- You see output similar to:
Note: This is concatenated for easier reading. More entries may be present.
# One Master urn:vmomi:InventoryServiceCategory:5cea7dbf-9bd2-4d4b-9671-df07b544ec99:GLO
BAL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services
, vsphere.local
dn: cn=urn:vmomi:InventoryServiceCategory:5cea7dbf-9bd2-4d4b-9671-df07b544ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingCategoryVersion: 0
vmwTaggingCategoryCardinality: single
vmwTaggingCategoryName: Infrastructure
objectClass: top
objectClass: vmwTaggingCategoryModel
cn: urn:vmomi:InventoryServiceCategory:5cea7dbf-9bd2-4d4b-9671-df07b544ec99:GL
OBAL
# urn:vmomi:InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOBAL,
urn:vmomi:InventoryServiceCategory:5cea7dbf-9bd2-4d4b-9671-df07b544ec99:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:5cea7dbf-9bd2-4d4b-9671-df07b544ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: CA Servers
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOBAL
...
# urn:vmomi:InventoryServiceTag:aaf8f80d-3d56-42fe-ac58-ab1ed36edf80:GLOBAL,
urn:vmomi:InventoryServiceCategory:4e055191-ad3c-4581-bc2c-f631e883fc1c:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:aaf8f80d-3d56-42fe-ac58-ab1ed36edf80:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:4e055191-ad3c-4581-bc2c-f631e883fc1c
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: TestingTag
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:aaf8f80d-3d56-42fe-ac58-ab1ed36edf80:GLOBAL
Breaking down one of these tagging entries:
# urn:vmomi:InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOBAL,
urn:vmomi:InventoryServiceCategory:5cea7dbf-9bd2-4d4b-9671-df07b544ec99:GLOB
AL, urn:vmomi:InventoryServiceScope:default-scope:GLOBAL, Tagging, services,
vsphere.local
dn: cn=urn:vmomi:InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOB
AL,cn=urn:vmomi:InventoryServiceCategory:5cea7dbf-9bd2-4d4b-9671-df07b544ec99
:GLOBAL,cn=urn:vmomi:InventoryServiceScope:default-scope:GLOBAL,cn=Tagging,cn
=services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAEgBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAAC28X00kchLtzP
jTfDadcGg9AEAAAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAAgBwAAMAAAAAABgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAACgAMwAAIAEGAAAAAAAHFQAAALbxfTSRyEu3M+NN8Np1waAgAgAAA
AAoADMAACABBgAAAAAABxUAAAC28X00kchLtzPjTfDadcGg9AEAAA==
vmwTaggingObjectState: CREATE
vmwTaggingTagVersion: 0
vmwTaggingTagName: CA Servers
objectClass: top
objectClass: vmwTaggingTagModel
cn: urn:vmomi:InventoryServiceTag:a06031dd-d671-4555-a780-671252dcd2b1:GLOBAL
You can see:
- The tag has the identifier: a06031dd-d671-4555-a780-671252dcd2b1
- The tag has the name CA Servers
- The objectClass is vmwTaggingTagModel indicating it is a tag
- The tag has never had a name change indicated by vmwTaggingTagModel 0
- The tag belongs to the Category identifier: 5cea7dbf-9bd2-4d4b-9671-df07b544ec99(belonging to the Infrastructure Category)
Reviewing the tags using vCenter Inventory Service:
- Open a browser and log in to the vCenter Inventory Service Managed Object Browser (MOB) at https://FQDN_of_vCenter_Server/invsvc/mob1
- Log in with the [email protected] user and password when prompted
- To review the current Categories:
Note: This queries Lotus directly for the information.
- Click EnumerateInventoryServiceCategories
- Clear the available information in the Value field
- Click Invoke Method
- In the val Row, you'll observe the current Categories that the Inventory Service can access in Lotus
- Click Managed Object ID (MOID) values in the val Row. On the next page, click Info to verify that the name of the category matches that pulled from Lotus by reviewing the name row.
- To review the current tags:
Note: This queries Lotus directly for the information.
- Click EnumerateInventoryServiceTags.
- Clear the available information in the Value field.
- Click Invoke Method.
- In the val Row, you observe the current Categories that the Inventory Service has an access in Lotus
- Click Managed Object ID (MOID) in the val Row. On the next page:
- Click Info to verify that the name of the tag matches that pulled from Lotus by reviewing the name row.
- Click category value to take you to the Category object that the tag belongs to. On the next page, click Info to verify that the name of the category matches that pulled from Lotus by reviewing the name row.
- To review the current tags and their associated objects, perform the following and query VCDB directly for the information.
- Click QueryAttachedInventoryServiceObjects button.
- In the Value field, provide the Managed Object ID of one of the tags from Parent Step 4. Use this tag as a model:
<tag type="InventoryServiceTag">a06031dd-d671-4555-a780-671252dcd2b1</tag>
- Click Invoke Method.
- In the val Row, you observe the current virtual machine MOIDs that belong to this tag. Use this example as a model output:
- Ensure this matches the information pulled from the VCDB in the top section.
val anyType - urn:vmomi:VirtualMachine:vm-51:e29107d1-565d-436e-a0ed-6ecf1eb613a7
- urn:vmomi:VirtualMachine:vm-92:e29107d1-565d-436e-a0ed-6ecf1eb613a7
- Repeat this operation for any other tags to review their association stored in the Inventory Service database.
Additional Information
Feedback
Yes
No
Powered by
