Next-level Data Center control: Runecast Analyzer REST API

Now let’s find some potential issue to resolve. Looking from Runecast Analyzer at the applicable KBs in my environment, one of them caught my attention - KB2149941. It’s relatively new, last updated about 2 weeks ago. It describes a scenario where a VM can “PANIC” and reboot. At the time of writing this post there is no resolution, but instead there is a workaround – setting the guest_rpc.rpci.usevsocket advanced VM parameter to "FALSE". This is an excellent example to demonstrate how you can use Runecast Analyzer with vRO to remediate issues in your environment.

Runecast Analyzer List of Issues VMware KB

Time to switch to vRO in order to start developing our workflow addressing KB2149941. What operations will I need for my workflow? Below is an illustrated high level draft of what we’re trying to achieve:

I identify two interactions with Runecast Analyzer: Pulling results for a KB (GET request) and triggering scan of a vCenter Server (POST request). Therefore, I’ve added those operations to my Runecast REST Host in vRO.
Next step would be to generate workflows for those REST operations. The procedure for that is covered in the “Getting Started with Runecast Analyzer API” post.

At this point, we can create a new workflow and start putting together the blocks. In my case, the end results looks like this:

I decided not to have any manual input, but instead to place the necessary information as Attributes:

Now we can cover the main workflow elements and what are they used for. Many of them have a Log element connected to their Failure branch for logging purposes.

Item 1: "Get results for KB" workflow
IN: kbId
OUT: statusCode, contentAsString
Workflow to retrieve the last scan results from Runecast Analyzer for specific KB. Don’t forget to add the authentication token in the header of your request. For reference take a look at the “Getting Started with Runecast Analyzer API” post.

Item 2: Scriptable task
IN: contentAsString, kbID
OUT: affectedVMsSTR, vCenters, AffectedVMsIDs
Here is the logic for getting the affected VMs. First, we need to parse the response and take the information that we are looking for. Also, it’s a good idea to have some additional checks, like the status of the last vCenter Server scan. Despite the affected VM names, I decided to also collect the vCenters that are managing the affected VMs. In separate array, I’m including VM to Managed Object ID (MOID) relation. We will get to the use of that a little later.

Item 3: Decision element
IN: affectedVMsSTR
Checks the number of collected VMs from previous workflow element. If more than 0, the workflow continues forward, otherwise the workflow will end as there were no affected VMs by this KB.

Item 4: User Interaction
External Inputs: selectedVMsSTR
Used to provide the ability to select which VMs to be remediated. In the presentation tab it is specified that the predefined answers are taken from affectedVMsSTR array. The “Allow same values” property is set to False.
The chosen VMs are stored in selectedVMsSTR array.

Item 5: Decision element
IN: selectedVMsSTR
Checks the number of selected VMs for remediation. If more than 0, the workflow continues forward, otherwise the workflow will end as no VMs were selected.

Item 6: Scriptable task
IN: selectedVMsSTR, affectedVMsIDs, vCenters
OUT: selectedVMs
Here the selected VMs will be converted to actual VC:VirtualMachine objects so we could manage them. The first use case of vCenters array is here as well. As I may have many vCenter Servers registered with vRO, I want to be searching for VMs only on those, which we know are managing affected VMs. The affectedVMsIDs comes into play when there is more than one VM returned when searching by name. In that case, I’ll be mapping the name with the MOID in order to track down the correct VM.
The result is array of VC:VirtualMachine objects.

Item 7: Decision element
IN: selectedVMs
Checks the number of VM objects. If more than 0, the workflow continues forward, otherwise the workflow will end as there are no VM objects in the array.

Item 8: "VM advanced setting" workflow in for each loop
Array to be traversed: selectedVMs
Separate workflow which was created to edit the advanced settings of a VM. It first checks the power state of the VM, and depending on it there are two options:

If powered off – Applies the advanced settings
If powered on – Shuts down the guest OS, applies the advanced setting and powers back on the VM

Item 9: Scriptable task
OUT: timer
Prepares 15 seconds timer. When working with powered off VMs and rescan of the vCenter Server is triggered right after the adjustment of the advanced setting, Runecast Analyzer may scan the environment before the setting is reflected on vCenter Server level.

Item 10: Waiting timer
IN: timer
Waits for 15 seconds before executing the next element of the workflow.

Item 11: "Scan one vCenter" workflow in for each loop
Array to be traversed: vCenters
Separate workflow sending POST request against Runecast Analyzer to trigger rescan of each vCenter Server which was managing affected VMs so we can validate that the remediated VMs are no longer reported.

We are ready to run the workflow. The Logs section provides a nice summary of what has been done:

You can see that I have two vCenter Servers connected to Runecast Analyzer, but the affected VMs are only on one of them. Then I selected 2 out of the 3 VMs to remediate and the advanced setting was applied.
Attached you can find vRO package containing all workflows which are part of the main one. It cannot be used right away against different environment as there would be differences in your access token value, REST host ID and others. Adjustment and testing is required.
This was an example on how to interact with Runecast Analyzer API to further automate your daily tasks. You can apply such approach to Best Practices and Security Hardenings.

Awesome! So much manual work can now be avoided so you can have more time to innovate.

Ivaylo Ivanov, VMware Engineer

UPDATE: KB2149941 was updated on June 23, 2017 with more specifics on what is affected and provided patch resolution. Those additional details will be included in the next update of Runecast Analyzer.

Full list of CVEs listed in this patch