cyburdine/ January 13, 2017/ Cloud Automation

Recently I received a call from a client who was having issues with certain VM snapshots growing at an alarming rate during their weekly scheduled SmartState Analysis scan. The servers were primarily database servers, and the rapid growth was due to the VMs having a high rate of change on their disks. These changes were subsequently being written to the snapshot delta files, which were filling up their datastores and setting off alarms. The customer wanted to continue collecting SmartState data but needed a quick fix to exclude these DB servers.

The goal of this post is to understand the steps involved in building a policy that will exclude servers tagged with the built-in exclusion tag, “Do not Analyze”. It will walk through attaching that policy to a Policy Profile, attaching that Policy Profile to a provider or cluster, and then tagging specific VMs so that the policy is applied to them.

Kevin Morey has a control policy up on GitHub, so if you are looking for the most expedient path you can simply import his policy into CloudForms and skip to step 8.

To exclude certain VMs from being scanned, we first create a simple control policy, include that policy in a Policy Profile, assign that Policy Profile to the provider that contains the VMs we want to exclude, and then tag those VMs so that the policy is applied only to those systems. Below are the tasks required to accomplish this, as well as videos and screenshots of what it looks like to implement this in CloudForms 4.1.


Step 1

In the left hand menu, click Control > Explorer

In the left hand accordion menu, select Policies and expand the tree view and select Vm Control Policies

With Vm Control Policies selected, click the Configuration button up top and click Add a New VM and Instance Control Policy

Step 2

Add a description. In this example we will use “Do Not Analyze”.

Ensure Active is checked

Enter a valid description in the Notes so that you know what this policy does.  Then click the Add button in the bottom right corner.

Step 3

Select the newly created Do Not Analyze control policy,

Click the Configuration button up top,

Select Create a new Condition assigned to this Policy

Step 4

Enter a Description: “tagged as do not analyze”.

In the top drop down select Tag

In the next drop down select VM and Instance.[My Company] Tags

Note: your expression may look different, the [My Company] part will be the name of your company specified in Settings > Configuration 

and finally in the last drop down select Do not Analyze.

Then click the checkbox and it will populate the Expression field and change the ??? to the expression you just defined.

Once you have done that, click Save in the bottom right hand corner.

Step 5

In the left hand accordion, select Do Not Analyze,

Click the Configure button up top, then

Select Edit this Policy’s Condition assignments

In the left hand Available VM and Instance Conditions box, select the tagged as do not analyze condition you created in step 4

Click the top middle triangle to add it to the right hand Policy Conditions box then click Save in the bottom right corner.

Step 6

In the left hand accordion, select Do Not Analyze,

Click the Configure button up top, then

Select Edit this Policy’s Event assignments

Find Prevent current event from proceeding in the left hand column; click the top middle triangle to add it to the Selected Actions then click Save in the bottom right corner.

Step 7

Select the newly created event VM Analysis Request

Click the Configuration button

Select Edit Actions for this Policy Event

In the left hand box labeled Available Actions scroll down and select Prevent current event from proceeding

Click the top triangle in the middle of the two boxes which will move the action into the Selected Actions box

Click the Save button in the bottom right hand corner 

Step 8

You’ve now created a policy; we now need to attach it to a policy profile.  

Select the Policy Profile accordion on left

Select All Policy Profiles 

Click the Configuration button and

Click Add a New Policy Profile.

Step 9

Give it a description. I chose “My Policy”.

In the Available Policies select the policy that we created in the steps above.  It should be called VM and Instance Control: Do Not Analyze

Click the top triangle in the middle of the two boxes which will move the policy into the Profile Policies box

Click the Save button in the bottom right hand corner

Step 10

So we’ve now created a policy, we’ve attached it to a policy profile, and now we need to add the policy profile to the provider that contains the VMs we want to exclude. In this case I am adding it to a VMware provider which is my vSphere 6.0 environment.

To do this, click on Compute > Infrastructure > Providers

Select the vCenter provider, and then click the Policy button and click Manage Policies

Select the Policy Profile that we created and assign it to the provider.  

Then click the Save button in the bottom right hand corner.

Step 11

The last part we need to do is to tag the VMs we want to exclude; to do this navigate to the VMs that you want to exclude.

In the left hand menu, click Compute > Infrastructure > Virtual Machines.

Select a VM

Select Exclusions as the category and select Do not Analyze as the value.

Repeat Step 11 for every VM you want to exclude from SmartState Analysis.

You have now created a policy, attached it to a Policy Profile, and tagged the machines you want to exclude.  From now on if a SmartState Analysis scan is requested for any VM you tagged, the policy will prevent the scan request from proceeding.  You can verify this by using the main menu to navigate to Control > Log and search for entries that look similar to what you see below.

[----] I, [2017-01-12T22:35:02.237780 #12661:be3994]  INFO -- : MIQ(policy-enforce_policy): Resolving policy [Do Not Analyze]

[----] I, [2017-01-12T22:35:02.242944 #12661:be3994]  INFO -- : MIQ(condition-eval): Name: tagged as do not analyze, Expression evaluation result: [true]

[----] I, [2017-01-12T22:35:02.318049 #12661:be3994]  INFO -- : MIQ(action-invoke) Invoking action [Prevent current event from proceeding] for successful policy [Do Not Analyze], event: [VM Analysis Request], entity name: [Ansible Tower], entity type: [Virtual Machine (VMware)], sequence: [1], synchronous? [true]

[----] I, [2017-01-12T22:35:02.318238 #12661:be3994]  INFO -- : MIQ(action-invoke) [preventing current process from proceeding due to policy failure]
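With more than a handful of tagged VMs, checking these entries by eye gets tedious. The script below is an added example, not part of the original post or of CloudForms: it reads a saved copy of the policy log, lists the VMs whose analysis request was stopped by the Do Not Analyze policy, and reports tagged VMs for which no such entry exists yet. The VM names db01 and db02 and the sample log text are constructed for illustration.

```python
import re

# Constructed sample in the policy log format shown above (not real appliance output).
SAMPLE_LOG = """\
[----] I, [2017-01-12T22:35:02.237780 #12661:be3994]  INFO -- : MIQ(policy-enforce_policy): Resolving policy [Do Not Analyze]
[----] I, [2017-01-12T22:35:02.242944 #12661:be3994]  INFO -- : MIQ(condition-eval): Name: tagged as do not analyze, Expression evaluation result: [true]
[----] I, [2017-01-12T22:35:02.318049 #12661:be3994]  INFO -- : MIQ(action-invoke) Invoking action [Prevent current event from proceeding] for successful policy [Do Not Analyze], event: [VM Analysis Request], entity name: [db01], entity type: [Virtual Machine (VMware)], sequence: [1], synchronous? [true]
[----] I, [2017-01-12T22:36:10.000001 #12661:be3994]  INFO -- : MIQ(policy-enforce_policy): Resolving policy [Do Not Analyze]
[----] I, [2017-01-12T22:36:10.000200 #12661:be3994]  INFO -- : MIQ(condition-eval): Name: tagged as do not analyze, Expression evaluation result: [false]
"""

# Timestamp and worker id from the log line header.
HEADER = re.compile(r"\[(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+) #(?P<worker>\d+:\w+)\]")

# The action-invoke line that records a blocked request, with policy, event and VM name.
BLOCK = re.compile(
    r"MIQ\(action-invoke\) Invoking action \[Prevent current event from proceeding\] "
    r"for successful policy \[(?P<policy>[^\]]+)\], event: \[(?P<event>[^\]]+)\], "
    r"entity name: \[(?P<vm>[^\]]+)\]"
)


def blocked_scans(log_text, policy="Do Not Analyze", event="VM Analysis Request"):
    """Return {vm_name: [timestamps]} for analysis requests the policy stopped."""
    blocked = {}
    for line in log_text.splitlines():
        head, hit = HEADER.search(line), BLOCK.search(line)
        if head and hit and hit["policy"] == policy and hit["event"] == event:
            blocked.setdefault(hit["vm"], []).append(head["ts"])
    return blocked


def unverified(log_text, tagged_vms):
    """Tagged VMs with no blocked-request entry: not scanned yet, or policy not applied."""
    seen = blocked_scans(log_text)
    return sorted(vm for vm in tagged_vms if vm not in seen)


if __name__ == "__main__":
    print("blocked:", blocked_scans(SAMPLE_LOG))
    print("no block entry yet:", unverified(SAMPLE_LOG, ["db01", "db02"]))
```

A VM that stays in the second list after the next scheduled scan is worth a second look: either its tag is missing or the Policy Profile is not assigned to its provider.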

All knowledge is built upon collaboration, input and support from others. This article is no different; the following people were influential in the compilation of this post. Many thanks to fellow Red Hatters: Peter McGowan, John Hoffer, Lucy Kerner, Kevin Morey.