To discover applications and services and their relationships and to access basic monitoring, you can either provide guest operating system credentials with appropriate privileges or use the credential-less approach to discover services.
Prerequisites
- You must have a vCenter Adapter instance configured and monitoring the same vCenter Server that is used to discover services.
For credential-based service discovery, the configured vCenter Server user must have the following privileges:
- key: VirtualMachine.GuestOperations.ModifyAliases, Localization: Guest operations -> Guest operation alias modification
- key: VirtualMachine.GuestOperations.QueryAliases, Localization: Guest operations -> Guest operation alias query
- key: VirtualMachine.GuestOperations.Modify, Localization: Guest operations -> Guest operation modifications
- key: VirtualMachine.GuestOperations.Execute, Localization: Guest operations -> Guest operation program execution
- key: VirtualMachine.GuestOperations.Query, Localization: Guest operations -> Guest operation queries
For credential-less service discovery, the configured vCenter Server user must have the following privileges:- key: VirtualMachine.Namespace.Management, Localization: Service Configuration -> Manage service configurations
- key: VirtualMachine.Namespace.ModifyContent, Localization: Service Configuration -> Modify service configuration
- key: VirtualMachine.Namespace.Query, Localization: Service Configuration -> Query service configurations
- key: VirtualMachine.Namespace.ReadContent, Localization: Service Configuration -> Read service configuration
- The ESXi instance that hosts the VMs where services should be discovered, must have HTTPS access to port 443 from the collector node on which the service discovery adapter instance is configured.
- Verify that the following types of commands and utilities are used:
Type Commands and Utilities UNIX Operating Systems Service Discovery ps
,ss
, andtop
Performance Metrics Collection : awk
,csh
,ps
,pgrep
, andprocfs
(file system)Windows Operating Systems Service Discovery wmic
,netstat
,findstr
,net
,reg
, andsort
Performance Metrics Collection wmic
,typeperf
, andtasklist
- User Access Restrictions
- For Linux operating systems, ensure that the user is a root or member of the sudo users group.
Note: For non-root users, the NOPASSWD option must be activated in /etc/sudoers file to avoid the metrics collector scripts from waiting for the interactive password input.
Steps to activate the NOPASSWD option for a particular sudo user:
- Login to the specific VM as a root user.
- Run the sudo visudo command that opens an editor.
- In the command section, add username ALL=(ALL) NOPASSWD:<ss path>, <awk path>, <netstat path>. The username must be replaced with an existing user name for which this option is activated. Example: vmware ALL=(ALL) NOPASSWD: /usr/sbin/ss, /usr/bin/netstat, /user/bin/awk.
When you perform the Execute Script action and you need to use command/utilities, for those commands that need a sudo user password provision, the full path of command/utility must be added to the NOPASSWD commands list.
- Save the file and close it. It is automatically reloaded.
- To discover services on Windows, the local administrator account must be configured.
Note: Services will not be discovered for administrator group members that are different from the administrator account itself if the policy setting User Account Control: Run all administrators in Admin Approval Mode is turned on. As a workaround, you can turn off this policy setting to discover services. However, if you turn the policy setting off, the security of the operating system is reduced.
- To discover services on Windows Active Directory, the domain administrator account must be configured.
- For Linux operating systems, ensure that the user is a root or member of the sudo users group.
- The system clock must be synchronized between the vRealize Operations nodes, the vCenter Server, and the VM if service discovery is working in credential-based mode and guest alias mapping is used for authentication.
- The configured user must have read and write privileges to the temp directory (execute privilege is also required on this directory in Linux systems). For Windows systems, the path can be taken from the environment variable TEMP. For Linux systems, it is /tmp and/or /var/tmp.
- The SSO Server URL must be reachable from the vRealize Operations node on which the service discovery adapter is located.
- For more information about supported platforms and versions, see Supported Platforms and Products for Service Discovery.
Note: If more than one
vRealize Operations instance is monitoring the same
vCenter Server and service discovery is activated for those
vRealize Operations instances, then service discovery might be unstable, which is a known VMware Tools problem. As a result, guest operations might fail to execute.
Procedure
What to do next
You can manage services supported by vRealize Operations on specific VMs.